Chapter 8
Security Life Cycle
1. Assess threats and select risk response
2. Develop and communicate policy
3. Acquire and implement solutions
4. Monitor performance
Steps in an IS System Attack (Also what penetration testers do)
1. Conduct Reconnaissance
2. Attempt Social Engineering
3. Scan & Map Target
4. Research
5. Execute Attack
6. Cover Tracks
Digital certificate
¤ A digital certificate is an electronic document, created and digitally signed by a trusted third party.
  • Certifies the identity of the owner of a particular public key.
¤ Digital certificates provide an automated method for obtaining an organization's or individual's public key.
Computer Incident Response Team (CIRT)
¤ A key component of being able to respond to security incidents promptly and effectively is the establishment of a computer incident response team (CIRT).
¤ The CIRT is responsible for dealing with major incidents.
  • Should include technical specialists and senior operations management.
  • Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input.
Anti-malware controls consist of:
1. Malicious software awareness education
2. Installation of anti-malware protection tools on all devices
3. Centralized management of patches and updates to anti-malware software
4. Regular review of new malware threats
5. Filtering of incoming traffic to block potential sources of malware
6. Training employees not to install shared or unapproved software
CIRT Incident Response Process Consists of 4 Steps:
1. Recognition that a problem exists: Typically occurs when an IDS signals an alert or as a result of a system administrator's log analysis.
2. Containment of the problem: Once an intrusion is detected, prompt action is needed to stop it and contain the damage.
3. Recovery: Damage must be repaired and may involve restoring data from backup and reinstalling corrupted programs.
4. Follow-up: Once recovery is in process, the CIRT should lead an analysis of how the incident occurred.
  • Steps should be taken to modify existing security policy and minimize the likelihood of a similar incident.
  • An important decision is whether to try to catch and punish the perpetrator.
    - If the perpetrator is to be pursued, forensic experts should be involved immediately to ensure that all possible evidence is collected and maintained in a manner that makes it admissible in court.
Fundamental Information Security Concepts
1. Security as a management issue, not a technology issue.
2. Defense-in-depth & time-based model of security.
Trust Services Framework Five Basic Principles that contribute to systems reliability
1. Security: Access to the system and its data is controlled.
2. Confidentiality: Sensitive information is protected from unauthorized disclosure.
3. Privacy: Data is processed accurately and completely in a timely manner with proper authorization.
4. Processing integrity
5. Availability: The system is available to meet operational and contractual obligations.
Intrusion detection systems (IDS)
¤ A major weakness of log analysis is that it is labor-intensive and prone to human error.
¤ Intrusion detection systems (IDS) represent an attempt to automate part of the monitoring.
  • Notifies users they need to act if something is out of the normal range.
¤ An intrusion detection system creates a log of network traffic that was permitted to pass the firewall.
  • Analyzes the logs for signs of attempted or successful intrusions.
  • The most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks.
  • An alternative technique builds a model representing "normal" network traffic and uses various statistical techniques to identify unusual behavior.
Time-Based Model of Security: Focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.
¤ All three types of controls are necessary:
  1. Preventive: Limit actions to those in accord with the organization's security policy and disallow all others.
  2. Detective: Identify when preventive controls have been breached.
  3. Corrective (Response): Repair damage from problems that have occurred and improve preventive and detective controls to reduce the likelihood of similar incidents.
¤ The time-based model evaluates the effectiveness of an organization's security by measuring and comparing the relationship between three variables:
  • P = Time it takes an attacker to break through the organization's preventive controls.
  • D = Time it takes to detect that an attack is in progress.
  • R = Time to respond to the attack.
¤ If P > (D + R), then security procedures are effective.
  • If P < (D + R), then security is ineffective.
Making Authentication controls more effective
¤ Although none of the three basic authentication methods is foolproof by itself, the use of two or three in conjunction, known as multi-factor authentication, is quite effective.
  • Example: Using a palm print and a PIN together is much more effective than using either method alone.
¤ Multi-modal authentication: Using multiple credentials of the same type.
  • Biometrics using both face and voice, etc.
Preventive: IT Solutions
¤ Anti-malware controls
¤ Network access controls
¤ Device and software hardening controls
¤ Encryption
Authentication and Authorization on Devices
¤ Authentication and authorization can be applied to devices as well as users.
¤ Every workstation, printer, or other computing device needs a network interface card (NIC) to connect to the organization's network.
¤ Each network device has a unique identifier, referred to as its media access control (MAC) address.
¤ It is possible to restrict network access to only those devices that have a recognized MAC address, or to use MAC addresses for authorization.
  • For example, payroll or EFT applications should be set to run only from authorized terminals.
Authorization controls
¤ Authorization controls are implemented by creating an access control matrix.
¤ The matrix specifies what part of the IS a user can access and what actions they are permitted to perform.
¤ When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.
BlockChain
¤ Blockchain uses SHA-256 to hash.
¤ Example: Merkle tree
  • Transactions are hashed two at a time.
  • Each pair of hashes is then hashed again.
  • If any changes are made to earlier transactions, the root hash will be different.
Network Access Control Perimeter Defense
¤ Border router: Connects an organization's information system to the Internet and helps route packets of data using source and destination address information in packets.
¤ Firewall: Software or hardware used to filter information based on packet data.
¤ Border routers and firewalls use packet filtering.
  • Packet filtering is a process that uses various fields in a packet's IP and TCP headers to decide what to do with the packet.
¤ Demilitarized zone (DMZ): Separate network that permits controlled access from the Internet to selected resources.
COBIT and Trust Frameworks (IT Internal Controls)
¤ The COBIT framework provides comprehensive guidance for controlling and managing information systems.
¤ Auditors are only interested in a subset of COBIT; SOX only addresses the issue of system reliability for financial statements.
¤ The Trust Services Framework, developed by the AICPA and CICA (Canadian), relates to systems reliability:
  • Security, confidentiality
  • Privacy
  • Process integrity
  • Availability
Corrective Controls Preventive Controls Responding to Attacks
¤ COBIT specifies the need to identify and handle security incidents.
¤ Two of the Trust Services Framework criteria for effective security are the existence of procedures to:
  • React to system security breaches and other incidents.
  • Take corrective action on a timely basis.
¤ Two key components that satisfy the preceding criteria are:
  • Establishment of a computer incident response team (CIRT).
  • Designation of a specific individual with organization-wide responsibility for security (CISO).
AIS Control Frameworks and their Purpose
¤ COSO and COSO-ERM address general internal control.
¤ COBIT addresses information technology internal controls.
Preventive: People
¤ Culture of security: Tone set at the top by management.
¤ Training ensures that employees follow safe computing practices so that they:
  • Never open unsolicited e-mail attachments
  • Use only approved software
  • Do not share passwords
  • Physically protect laptops/cellphones
¤ Training also protects against social engineering.
Patch Management: The process of regularly applying patches and updates to the software.
¤ Patch management is challenging to do because:
  • Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.
  • There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.
¤ Patch management is another important control; it involves fixing known vulnerabilities and installing the latest updates to:
  • Anti-virus software
  • Firewalls
  • Operating systems
  • Application programs
¤ The number of reported vulnerabilities rises each year.
Preventive Process: Change Controls and Change Management is a formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability. Good change management and control requires:
¤ Documentation of all change requests, identifying the nature of the change, its rationale, date of request, and outcome of the request. This includes all approval of changes requested by management.
¤ Testing of all changes in a separate system, not the one used for daily business processes.
¤ Conversion controls to ensure that data is accurately and completely transferred from the old to the new system.
¤ Updating of all documentation (program instructions, system descriptions, procedures manuals, etc.) to reflect the newly implemented changes.
¤ A special process for timely review, approval, and documentation of emergency changes as soon after the crisis as is practical.
¤ Development and documentation of "backout" plans to facilitate reverting to previous configurations if the new change creates unexpected problems.
¤ Careful monitoring and review of user rights and privileges during the change process to ensure that proper segregation of duties is maintained.
Authentication Controls Limitations
¤ Each authentication method has its limitations.
¤ Passwords: Can be guessed, lost, written down, or given away.
¤ Physical identification techniques: Include cards, badges, USB devices, and cell phones, which can be lost, stolen, or duplicated.
¤ Biometric techniques:
  • Expensive and often cumbersome.
  • Not yet 100% accurate, sometimes rejecting legitimate users and allowing unauthorized people.
  • Some techniques like fingerprints may carry negative connotations that hinder acceptance.
  • Security concerns surround the storage of this data.
    - If the data is compromised, it could create serious, life-long problems for the donor.
    - Unlike passwords or tokens, biometric identifiers cannot be replaced or changed.
Encryption
¤ Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
  • Decryption reverses this process.
  • To encrypt or decrypt, both a key and an algorithm are needed.
¤ Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder.
¤ Encryption also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions.
¤ Therefore, accountants, auditors, and systems professionals need to understand encryption.
Security / Systems Reliability
¤ The foundation of the Trust Services Framework is security.
  • Security is a management issue, not a technology issue.
¤ SOX 302 states:
  • The CEO and the CFO are responsible for certifying that the financial statements fairly present the results of the company's activities.
  • The accuracy of an organization's financial statements depends upon the reliability of its information systems.
Exploits and Patches
¤ Hackers usually publish instructions for attacking a system (known as exploits) on the Internet.
¤ Although it takes skill to discover the exploit, once published, it can be executed by almost anyone.
¤ Attackers who execute these programmed exploits are referred to as script kiddies.
¤ A patch is code released by software developers to fix vulnerabilities that have been discovered.
Hashing
¤ Hashing takes plaintext of any length and transforms it into a short code called a hash.
¤ SHA-256 creates a 256-bit hash regardless of text length.
¤ Hashing differs from encryption in that:
  • Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length.
  • Encryption is reversible, but hashing is not.
  • You cannot transform a hash back into its original plaintext.
Defense in Depth: To employ multiple layers of controls to avoid having a single point of failure.
¤ If one layer fails, another may function as planned.
¤ Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.
¤ Redundancy also applies to detective and corrective controls.
Defense in Depth: Response
¤ Major types of corrective controls used for defense in depth include:
  1. Computer incident response teams (CIRT)
  2. Chief Information Security Officer (CISO)
  3. Patch management
Defense in Depth: Detection
¤ Major types of detective controls used for defense in depth include:
  1. Log analysis
  2. Intrusion detection systems (IDS)
  3. Continuous monitoring
Defense in Depth: Protection
¤ Major types of preventive controls used for defense in depth include:
  1. People: Training them
  2. Process: Access controls (authentication controls and authorization controls)
  3. Process: Penetration testing
  4. Process: Change controls
  5. IT solutions:
    • Physical access controls
    • Network access controls
    • Hardening procedures
    • Encryption
  6. Physical security
Monitoring
¤ Management should monitor both employee compliance with the organization's information security policies and overall performance of business processes.
Device and Software Hardening
¤ Many hardware and software applications ship with default passwords and settings.
¤ These hardware devices are often referred to as endpoints (printers, routers, etc.).
¤ These settings need to be changed upon installation so hackers cannot easily use the default user accounts and passwords to gain entry to the system.
Intrusion Prevention Systems (IPS)
¤ Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.
¤ May provide great promise if it can be quickly updated to respond to new vulnerabilities and block new exploits, so that the entity can buy time to:
  • Thoroughly test the patches.
  • Apply the patches.
Log analysis
¤ Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed.
¤ Logs form an audit trail of system access. They are of value only if routinely examined.
¤ Log analysis is the process of examining logs to monitor security.
Authentication Controls: Passwords
¤ Passwords are probably the most commonly used authentication method and also the most controversial.
¤ An effective password must satisfy a number of requirements:
  • Length
  • Multiple character types
  • Random
  • Secret
Penetration Testers
¤ Penetration testers follow the same steps as an IS system attack in order to prevent such attacks from happening.
¤ Penetration testing teams try every possible way to compromise a company's system, including:
  • Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers.
  • Using sexy decoys to distract guards.
  • Climbing through roof hatches and dropping through ceiling panels.
  • Piggybacking
¤ Some claim they can get into 90% or more of the companies they attack.
Preventive Controls: Penetration Testing
¤ Penetration testing provides a rigorous way to test the effectiveness of an organization's information security.
¤ This testing involves an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's IS.
Detective Controls
¤ Preventive controls are never 100% effective in blocking all attacks.
¤ So organizations implement detective controls to enhance security by:
  • Monitoring the effectiveness of preventive controls; and
  • Detecting incidents in which preventive controls have been circumvented.
¤ Actual system use (detective control) must be examined to assess compliance through:
  • Log analysis
  • Intrusion detection systems (IDS)
  • Monitoring
The Importance of Security in the Trust Services Framework
¤ Security is the foundation of systems reliability.
¤ Security procedures restrict system access to only authorized users and protect:
  • The confidentiality of sensitive organizational data.
  • The privacy of personal identifying information collected from customers.
¤ Security procedures also provide for processing integrity by preventing:
  • Submission of unauthorized or fictitious transactions.
  • Unauthorized changes to stored data or programs.
¤ Security procedures protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.
Chief Information Security Officer (CISO)
¤ Should be independent of other IS functions and report to either the COO or CEO.
¤ Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
¤ Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions.
¤ Works with the person in charge of building security, as that is often the entity's weakest link.
¤ Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.
Digital signatures
¤ Technique used to authenticate remote users, such as online shopping businesses.
¤ Asymmetric encryption and hashing are used to create digital signatures.
¤ A digital signature is information encrypted with the creator's private key.
  • That information can only be decrypted using the corresponding public key.
  • So successful decryption with an entity's public key proves the message could only have been created by the entity that holds the corresponding private key.
  • The private key is known only to its owner, so only the owner could have created the message.
Preventive Controls: Security testing
¤ The effectiveness of existing security procedures should be tested periodically.
¤ One approach is vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities.
¤ Security websites such as the Center for Information Security (www.cisecurity.org) provide:
  • Benchmarks for security best practices.
  • Tools to measure how well a system conforms.
Preventive Controls (Process: Use Access Controls)
¤ The objective of preventive controls is to prevent security incidents from happening.
¤ Involves two related functions: authentication and authorization.
  • Authentication: Focuses on verifying the identity of the person or device attempting to gain access.
  • Authorization: Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.
¤ Users can be authenticated by verifying:
  • Something they know, such as passwords or PINs.
  • Something they have, such as smart cards or ID badges.
  • Some physical characteristic (biometric identifier), such as fingerprints or voice.
New Considerations for Other Technology
¤ Virtualization: Multiple "virtual computer" systems are run on one computer.
¤ Cloud computing: Remotely accessed resources of software applications, data storage, and hardware.
¤ Risks of virtualization and cloud computing:
  • Increased exposure if a breach occurs
  • Reduced authentication standards
¤ Opportunities of virtualization and cloud computing:
  • Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein.