IM-Chapter 7

Policy Development

. Management needs to develop a comprehensive set of security policies before designing and implementing specific control procedures. Otherwise, it will most likely end up purchasing a mishmash of security products that do not protect every information system resource.

Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems

...

Understanding Targeted Attacks:

...

four essential criteria for successfully implementing each of the five principles that contribute to systems reliability:

1 Developing and documenting policies 2 Effectively communicating policies to all authorized users 3 Designing and employing appropriate control procedures to implement policies 4 Monitoring the system and taking corrective action to maintain compliance with policies

multifactor authentication

Although none of the three basic authentication methods, by itself, is foolproof, the use of two or all three methods in conjunction, a process referred to as multifactor authentication, is quite effective. For example, requiring a user to both insert a smart card in a card reader and enter a password provides much stronger authentication than using either method alone.

COBIT shows that achieving the organization's business and governance objectives requires adequate controls over IT resources to ensure that information provided to manage- ment satisfies seven key criteria:

1 Effectiveness—the information must be relevant and timely. 2 Efficiency—the information must be produced in a cost-effective manner. 3 Confidentiality—sensitive information must be protected from unauthorized disclosure. 4 Integrity—the information must be accurate, complete, and valid. 5 Availability—the information must be available whenever needed. 6 Compliance—controls must ensure compliance with internal policies and with external legal and regulatory requirements. 7 Reliability—management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

Three areas deserve special attention

1 Host configuration 2 User accounts 3 Software design

Three important factors determine the strength of any encryption system:

1 Key length 2 Key management policies 3 Nature of the encryption algorithm

Users can be authenticated by verifying

1 Something they know, such as passwords or personal identification numbers (PINs) 2 Something they have, such as smart cards or ID badges 3 Some physical characteristic (referred to as a biometric identifier), such as their fingerprints or voice

2 Managing User Accounts and Privileges

COBIT control objective DS 5.4 stresses the need to carefully manage all user accounts, especially those accounts that have unlimited (administrative) rights on that computer.

Encryption...

Encrypting sensitive data while it is stored provides one last barrier that must be overcome by an intruder who has obtained unauthorized access to that information resource. Encryption also strength- ens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions

vulnerabilities

Every program running on a host represents a potential point of attack because it probably contains flaws, called vulnerabilities, that can be exploited to either crash the system or take control of it Therefore, any optional programs and features that are not used should be disabled.

1 Security Is a Management Issue, Not a Technology Issue

Management is responsible for the accuracy of the various internal reports and financial statements produced by the organization's information systems.

The time-based model of security evaluates the effectiveness of an organization's security by measuring and comparing the relationship among the following three variables:

P = the time it takes an attacker to break through the organization's preventive controls D = the time it takes to detect that an attack is in progress C = the time it takes to respond to the attack

The Trust Services Framework developed jointly by the AICPA and the Canadian Institute of Chartered Accountants focuses specifically on five aspects of information systems controls and governance that most directly pertain to systems reliability:

Security Confidentiality Privacy Processing Integrity Availability

Types of Encryption Systems

Symmetric encryption systems Asymmetric Encryption Systems

Training...

The effectiveness of specific con- trol procedures depends on how well employees understand and follow the organiza- tion's security policies. Thus, training is a critical preventive control.

3 Defense-in-Depth

The idea of defense-in-depth is to employ multiple layers of controls in order to avoid having a single point of failure

Defense-in-depth

The use of multiple perimeter filtering devices is actually more efficient than trying to use only one device. Thus, border routers quickly filter out obviously bad packets and pass the rest to the main firewall. The firewall does more detailed checking, allowing in only those packets purporting to contain specific types of data for specific types of programs and dropping all others. The IPS then performs deep packet inspection on the packets passed by the firewall to verify that the data they contain does indeed conform to the organization's security policies.

SQL injection attacks occur whenever

Web application software that interfaces with a database server does not filter user input thereby permitting an attacker to send SQL commands and execute them on the database server.

Every IP packet consists of two parts:

a header and a body

Remote Authentication Dial-In User Service (RADIUS)

a standard method for verifying the identity of users attempt- ing to obtain dial-in access

routers

are designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next

hardening.

turning off of unnecessary features

users who need administrative powers on a particular computer should be assigned

two accounts: one with administrative rights and another that has only limited privileges. Users should log in under their limited account to perform routine daily duties, and only log in to their administrative account when they need to perform some action

Asymmetric encryption systems

use two keys. One key, called the public key, is widely distributed and available to everyone; the other, called the private key, is kept secret and known only to the owner of that pair of keys.

compatibility test

when an employee attempts to access a particular information systems resource, the system performs a compatibility test that matches the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and per- form the requested action

Together, the border router and firewall act as filters to control

which informa- tion is allowed to enter and leave the organization's information system

access control matrix

which is a table specifying which portions of the system users are permitted to access and what actions they can perform (see Figure 7-3)

social engineering

which use deception to obtain unauthorized access to information resources. For example, employees should be trained to never divulge passwords or other information about their accounts or their workstation configurations to anyone who contacts them by telephone, e-mail, or instant messaging and claims to be part of the organization's information systems security function

Once inside the building, physical access to rooms housing computer equipment must

be restricted

Most programs set aside a fixed amount of memory, referred to as a

buffer, to hold user input

The use of overlapping, complementary and redundant controls also

buys time for the organiza- tion to detect and react to attacks. For example, banks use a combination of locked doors, bars on windows, security guards, and safes to provide multiple preventive con- trols designed to restrict physical access to cash.

war dialing

calls every telephone number assigned to the organization to identify those which are connected to modems. (Hackers do this also, to identify targets). Any rogue modems discovered by war dialing should be disconnected, with sanctions applied to the employees responsible for installing them.

border router

connects an organization's information system to the Interne

Thus, most rules in the border router's ACL focus on

dropping packets

Therefore, the public key can be distributed by

e-mail or even be posted on a Web site so that anyone who wants to can send encrypted information to the owner of that public key

The time-based model of security provides a means for management to

identify the most cost-effective approach to improving security by comparing the effects of additional investments in preventive, detective, or corrective controls.

Cross-site scripting attacks occur

if web application software does not carefully filter user input before returning any of that data to the browser, in which case the vic- tim's browser will execute any embedded malicious script.

stateful packet filtering

maintains a table that lists all established connections between the organiza- tion's computers and the Internet. The firewall consults this table to determine whether an incoming packet is part of an ongoing communication initiated by an internal com- puter. This information enables the firewall to reject specially crafted attack packets that would have passed a simple static packet filter by pretending to be a response to an internally initiated request, when in fact no such preceding request occurred.

Execute the attack

obtain unauthorized access to the system.

________ are probably the most commonly used authentication method

passwords

It does not matter who knows the public key, because any text encrypted with it can only be decrypted by using the corresponding

private key

Since the private key is possessed by only one party, this makes it possible to

prove who created a document, thereby providing a means for creating legally binding elec- tronic agreements.

Control Objectives for Information and related Technology (COBIT) framework

provides com- prehensive guidance for effectively controlling and managing information systems

Also, any number of parties can use the same ______ to send encrypted messages because only the owner of the corresponding private key can decrypt the messages

public key

Finally, information can be encrypted with the private key and then decrypted with the corresponding:

public key

The function of the border router is to

quickly identify and drop certain types of packets and to pass all other packets to the firewall, where they will be subjected to more detailed testing before being allowed to enter the organization's internal network.

Longer keys provide stronger encryption by

reducing the number of repeating blocks of ciphertext This makes it harder to spot patterns in the ciphertext that reflect patterns in the original plaintext.

Authorization

restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform For example, an employee in the marketing department may not be authorized to access the payroll system. In addi- tion, that employee may be permitted to only read, but not change, the prices of inven- tory items.

Border routers typically perform what is called static packet filtering, which

screens individual IP packets based solely on the contents of the source and/or destination fields in the IP packet header.

Transmission Control Protocol (TCP)

specifies the procedures for dividing files and documents into packets to be sent over the Internet and the methods for reassembly of the original document or file at the des- tination.

Internet Protocol (IP)

specifies the structure of those packets and how to route them to the proper destination.

The added control provided by deep packet inspec- tion, however, comes at the cost of

speed. It takes more time to examine the body of an IP packet, which could contain more than a thousand bytes of data, than to examine only the 20 bytes in the header of an IPv4 packet.

The main drawback to asymmetric encryption systems is

speed. Asymmetric encryption is much (thousands of times) slower than symmetric encryption. Thus, asym- metric encryption is too slow to be used to exchange large amounts of data over the Internet.

Those three variables are then evaluated as follows: If P > D + C, then

the organiza- tion's security procedures are effective. Otherwise, security is ineffective.

The header contains

the packet's origin and destination addresses, as well as information about the type of data contained in the body of the packet

Encryption

the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext

Symmetric encryption systems

the same key both to encrypt and to decrypt. DES and AES are examples of symmetric encryption systems

piggybacking

to allow other people to follow them through restricted access entrances

A third factor affecting encryption strength concerns the nature of the algorithm. A strong algorithm is

difficult, if not impossible, to break by using brute-force guess- ing techniques. Secrecy is not necessary for strength.Most people can just look it up but it does no good

a stronger way to authenticate devices involves the use of

digital certificates that employ encryption techniques to assign unique identifiers to each device.

Research

Once the attacker has identified specific targets and knows what ver- sions of software are running on them, the next step is to conduct research to find known vulnerabilities for those programs and how to take advantage of those vulnerabilities.

IPSs use several techniques to identify undesirable packets

One involves checking packet contents against a database of patterns (signatures) of known attack methods. Another involves developing a profile of "normal" traffic and using statisti- cal analysis to identify packets that do not fit that profile.

Scan and map the target

The objective is to identify computers that can be remotely accessed and the types of software they are running. A number of automated tools, like nmap, are used to identify computers accessible from the Internet.

Effective Communication of Policies

ecurity policies must be communicated to and be understood by employees, customers, suppliers, and other authorized users. To be effective, this communication must involve more than just handing people a written document and asking them to sign an acknowledgement that they received and read it. Instead, users must receive regular, periodic reminders about security policies and training in how to comply with them.

Monitoring and Taking Remedial Action

effective control over information systems involves a continuous cycle of developing policies to address identified threats, communicating those policies to all employees, implementing specific control procedures to mitigate risk, monitoring per- formance, and taking corrective actions in response to identified problems

internal firewalls

egment different departments within the organization. Recall that many security incidents involve employees, not outsiders. These internal firewalls help to restrict what data and portions of the organization's information system particular employees can access.

firewall,

ehind the border router is the main firewall, which is either aspecial-purpose hardware device or software running on a general-purpose computer.

Either the public or private key can be used to

encrypt, but only the other key can decrypt the ciphertext.

However, if the pro- gram does not carefully check the size of data being input, an attacker may:

enter many times the amount of data that was anticipated and overflow the buffer. The excess data may be written to an area of memory normally used to store and execute commands. In such cases, an attacker may be able to take control of the machine by sending carefully crafted commands in the excess data

2 The Time-Based Model of Security

focuses on the relationship between preventive, detective, and corrective controls.

Authentication

focuses on verifying the identity of the person or device attempting to access the system. The objective of authentication controls is to ensure that only legit- imate users can access the system.

Host and Application Hardening...

infor- mation system security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (known as hosts)

key escrow

involves making copies of all encryption keys used by employees and storing those copies securely. Key escrow is less desirable than using built-in master keys because the organization now has to protect both the origi- nal and duplicate copies of the encryption keys. used for when an employee leaves the company who created the key

deep packet inspection

ire- walls that examine the data in the body of an IP packet can provide more effective access control than those that look only at information in the IP header

firewalls use ACLs to determine what to do with each packet that arrives. A major difference, however, is that

irewalls are designed to only permit packets that meet specific conditions to pass. Thus, unlike border routers, the final rule in a firewall ACL usually specifies that any packet not allowed entry by a previous rule should be dropped.

demilitarized zone (DMZ)

is a separate network that permits controlled access from the Internet to selected resources, such as the organization's e-commerce Web server.

Cover tracks

After penetrating the victim's information system, most attackers will try to cover their tracks and create "back doors" that can be used to obtain access in the event that their initial attack is discovered

Attempt social engineering

Attackers will often try to use the information obtained during their initial reconnaissance to socially engineer (i.e., "trick") an unsuspecting employee into granting them access.

Preventive Controls

Authentication Controls Authorization Controls Training Controlling Physical Access Controlling Remote Access Encryption Host and Application Hardening

3 Software Design

Buffer over- flows, SQL injection, and cross-site scripting are common examples of attacks against the software running on Web sites

Reconnaissance

Computer attackers similarly begin by collecting information about their target. Much valuable information can be obtained by perusing an organi- zation's financial statements, SEC filings, Web site, and press releases. The objective of this initial reconnaissance is to learn as much as possible about the target and to identify potential vulnerabilities.

all wireless access points should be located in the

DMZ. This treats all wireless access as if it was coming in from the Internet and forces all wireless traffic to go through the main firewall and any intrusion prevention systems that are used to pro- tect the perimeter of the internal network

intrusion prevention systems (IPS),

Deep packet inspection is the heart of a new type of filter called intrusion pre- vention systems (IPS), which are designed to identify and drop packets that are part of an attack.

The Design and Employment of Appropriate Control Procedures

Determining the optimal level of investment in security, therefore, involves evaluat- ing the cost/benefit trade-offs of alternative control procedures. This requires knowl- edge not only of the technical merits of each potential security investment but also the risks of various threats and the potential costs of different types of incidents.

1 Host Configuration

Hosts can be made more secure by modifying their configurations.

Each NIC has a unique identifier, referred to as its

MAC address. It is possible to restrict network access to only those devices that have recognized MAC addresses

Controlling Remote Access

Most organizations provide employees, customers, and suppliers with remote access to their information systems. Usually this access occurs via the Internet, but some organizations still maintain proprietary WANs or provide direct dial-up access by modem

Authentication and authorization can, and should, be applied not only to users but also to devices. Every workstation, printer, or other computing device needs a:

Network interface card to connect to the organization's internal network

Controlling Physical Access...

Physical access controls are another important layer of preventive controls. In fact, controlling physical access to the system is absolutely essential to achieve any degree of information security.

four basic management activities, which COBIT refers to as domains:

Plan and Organize (PO) Acquire and Implement (AI) Deliver and Support (DS). Monitor and Evaluate (ME)

_________ increases effectiveness because even if one procedure fails or is circumvented, another may function as planned

Redundancy

Wireless Access

This ease of access provides another venue for attack and extends the perimeter that must be protected

protocols

Well-defined rules and proce- dures called protocols dictate how to perform the break down and reconstruction of packets

Chief Information Officer (CIO)

being both responsible and accountable for ensuring that information policies and controls are defined and communicated to all employees.

Computers represent plaintext and ciphertext as a series of

binary digits

access control list (ACL)

determines which packets are allowed entry and which are dropped.

Physical access control begins with

entry points to the building itself. Ideally, there should only be one regular entry point that is unlocked during normal office hours.

Decryption

everses this process, transform- ing ciphertext back into plaintext.