Chapter 4 (Protection of Information Assets)



Useful summary of CISA for ICMAP Stage-6 students


Information Management and Auditing: Information Assets Protection

Effective information security arrangements are the foundation for protecting assets and privacy. The security objectives of information assets can be listed as follows:
- Information integrity.
- Confidentiality of sensitive data.
- Adherence to piracy or copyright arrangements.
- Continued availability of data.
- Conformity to applicable laws.

KEY ELEMENTS: Following are the key elements of information security management:
- Senior management commitment and support.
- Policies and procedures.
- Organization of the responsibilities.
- Security awareness and education.
- Monitoring and compliance.
- Incident handling and response.

KEY TERMS: CSIRT – Computer Security Incident Response Team. CERT – Computer Emergency Response Team. These teams should be formulated, with clearly defined responsibilities, for incident handling.

ROLES AND RESPONSIBILITIES: All defined and documented responsibilities and accountabilities must be established and communicated to all members. These responsibilities include (ROLE: RESPONSIBILITIES):

a) Executive management: Overall protection of information assets.

b) Process owners: Ensure appropriate security measures consistent with organizational established policies.

c) Users: Follow the procedures. (See below)

d) Data owners: Determine classification levels to ensure the degree of CIA (Confidentiality, Integrity, and Availability).

e) Chief Privacy Officer: Articulate privacy laws to protect customers' and employees' privacy issues.

f) IS security committee: Devise security guidelines, policies, and procedures.

g) Security specialist: Promulgate and assist with the design and implementation of security policies.

h) IT developers: Implement information security.

i) IS auditors: Provide independent assurance to management as to the effectiveness of information security.

j) External parties: Include all external stakeholders.

Prepared by: Muhammad Umar Munir


Some procedures that USERS follow are as under:
- Reading and agreeing to security policies.
- Keeping login (username and password) secret.
- Locking their screen when idle.
- Reporting suspected security violations.
- Maintaining good physical security.
- Adhering to applicable laws.

Key point: Management should assign ownership and accountability for major information assets.

INFORMATION ASSETS INVENTORIES: Inventory records of major information assets would include the following:
- Identification.
- Location.
- Security classification.
- Asset group.
- Owner.

INFORMATION ASSETS CLASSIFICATION:Different information has different degrees of sensitivity. Assigning classes of sensitivity helps establish access control. Classification should be simple and should consider legal/contractual terms.

Key point: Classification reduces the risk of OVERPROTECTING or UNDERPROTECTING the information.

Data classification should define:
- Access person (who may access).
- Access level (read, write, execute, etc.).
- The person who defines the access person and level.
- Approvals required.

SYSTEM ACCESS: The ability to do something with a computer is termed system access, such as CREATE, MODIFY, DELETE, EXECUTE, CONNECT, etc.

TYPES OF SYSTEM ACCESS CONTROLS: System access could be logical or physical:

a) Logical system access control: It provides technical means of controlling the information users can utilize, the programs or transactions they can run, and the modifications they can make. It can be implemented through the O/S, separate software, or controls built into the application, etc.

b) Physical system access control: It restricts the entry and exit of personnel. Controls include badges, memory cards, guard keys, locks, and biometrics.

Keynote: System access (logical or physical) should be on a documented need-to-know basis.


Other points:
- The information owner is responsible for establishing system access.
- Access capabilities are implemented by the security administrator.
- Access responsibilities should be reviewed periodically.
- Non-employees (contract employees, vendor employees, maintenance personnel, clients, auditors, and consultants) should also adhere to the security policies.

IMPORTANT: Access controls could be either mandatory or discretionary: Mandatory access control is a mechanism to enforce corporate security policy or security rules dealing with information resource sharing. Discretionary access controls are data-owner-defined sharing of access control.

PRIVACY ISSUES: Privacy defined: Adherence to the trust and obligation regarding any information relating to an identified/identifiable individual is called privacy.

Critical points:
- Management is responsible for adhering to privacy issues.
- The IS auditor is NOT responsible for the contents of the database.
- IS auditors could also take expert opinion.

The IS auditor has to review management's privacy policies, which include:
- Nature of information.
- Documentation.
- Accountability for privacy issues.
- Reduction in privacy modifications.

CRITICAL SUCCESS FACTORS:
- Managerial commitment and support.
- Updated policies and procedures reflecting business objectives.

CRIMES AND EXPOSURES: Committing crimes can damage the reputation, morale, and viability of an organization. Threats related to crimes could be classified as under:
- Financial loss.
- Legal repercussions (consequences).
- Loss of credibility (competitive edge).
- Blackmail/industrial espionage.
- Disclosure of confidential sensitive information.
- Sabotage – bad corporate image.

CRIME PERPETRATORS: Following could be the computer crime perpetrators:
a) Hackers – persons able to explore the system details and exploit them.
b) Script kiddies – persons who use written scripts and programs to perform their own tasks.
c) Crackers – persons who illegally try to break security measures.
d) Employees (authorized or unauthorized).
e) IS personnel – custodians of information.
f) End users.
g) Former employees – especially those who leave the organization on unfavorable terms.
h) Interested or educated outsiders – competitors, foreigners, criminals, etc.
i) Temporary personnel.
j) Third parties – vendors, consultants, etc.
k) Accidental ignorant.

LOGICAL ACCESS – Exposures: In applying management-designed policies and procedures for protecting information assets, logical access controls are the primary means of managing and protecting these resources.

Trojan horses/backdoors: It involves hiding malicious code in an authorized computer program. The code is executed whenever the program is executed. For example, cutting an unnoticeable amount from payroll cheques and transferring it to the perpetrator's account.

Rounding down: Drawing off small (fractional) amounts to the perpetrator's account is called rounding down.

Salami techniques: It truncates some parts of the amount rather than rounding it off.
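The following is an added illustration (not part of the original notes) of the rounding-down exposure above and of the reconciliation control an auditor would expect to catch it: a constructed monthly interest run in which each account's interest is truncated to the cent and the shaved fractions are credited to one account, compared with the honest run. Account numbers, balances and the interest rate are constructed assumptions.

```python
from __future__ import annotations
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")
RATE = Decimal("0.0375")          # constructed annual interest rate

# Constructed balance file; "9999" is deliberately absent, it is the account
# that collects the shavings in the rounded-down run.
BALANCES = {
    "1001": Decimal("1234.56"),
    "1002": Decimal("88.10"),
    "1003": Decimal("5000.00"),
    "1004": Decimal("73.33"),
}


def exact_interest(balance: Decimal) -> Decimal:
    """Unrounded monthly interest for one account."""
    return balance * RATE / 12


def honest_postings() -> dict[str, Decimal]:
    """Each account receives its interest rounded to the nearest cent."""
    return {acct: exact_interest(bal).quantize(CENT, ROUND_HALF_UP)
            for acct, bal in BALANCES.items()}


def rounded_down_postings() -> dict[str, Decimal]:
    """Each account is truncated to the cent; the shaved fractions go to 9999."""
    postings: dict[str, Decimal] = {}
    shaved = Decimal("0")
    for acct, bal in BALANCES.items():
        exact = exact_interest(bal)
        postings[acct] = exact.quantize(CENT, ROUND_DOWN)
        shaved += exact - postings[acct]
    postings["9999"] = shaved.quantize(CENT, ROUND_DOWN)
    return postings


def reconcile(postings: dict[str, Decimal]) -> list[str]:
    """Control: every posting must lie within half a cent of the exact figure,
    and no account outside the balance file may receive interest."""
    findings = []
    for acct, amount in postings.items():
        if acct not in BALANCES:
            findings.append(f"account {acct} has no balance but was credited {amount}")
        elif abs(amount - exact_interest(BALANCES[acct])) > Decimal("0.005"):
            findings.append(f"account {acct}: posted {amount}, "
                            f"expected {exact_interest(BALANCES[acct])}")
    return findings
```

Running reconcile() over the honest run returns no findings, while the rounded-down run is flagged both for the unexplained credit to 9999 and for the accounts whose postings fall short of the computed interest.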

Viruses: It is a malicious program code inserted into other executable code that can self-replicate and spread from computer to computer.

Worms: These are destructive programs that may destroy data or utilize tremendous computer and communication resources but do not replicate like viruses.

Logic bombs: These are similar to computer viruses but they do not self-replicate.

Trap doors: These are exits out of an authorized program that allow insertion of specific logic, such as program interrupts, to permit a view of data during processing.

Asynchronous attacks: They occur in multiprocessing environments where data move asynchronously.

Data leakages: It involves leaking information out of the computer.

Wire tapping: It involves eavesdropping (spying) on information being transmitted over telecommunication lines.

Key note: The IS auditor needs to gain a thorough understanding of the organization's IT environment to effectively assess logical access controls.

LOGICAL ACCESS – Paths: General nodes of access are the following:

1) Network connectivity: Access is gained by physically connecting a PC to a segment of an organization's network. Such access requires user identification and authentication.

2) Remote access: A user dials in remotely to an organization's server through a formal logon process.


A networked environment would include the following traditional entry points:
a) Operator console – These are the privileged computer terminals used to perform most computer operations. They should be physically secured.
b) Online terminal – Through a proper login system.

LOGICAL ACCESS – Control software: To achieve CIA of information, access control software is used. This software prevents unauthorized access to the organization's critical data/processes. The greatest degree of protection is at the network and O/S platforms.

GENERAL O/S CONTROLS:
- Applying user identification and authentication mechanisms.
- Restricting logon IDs to specific terminals.
- Establishing rules.
- Creating individual accountability.
- Creating or changing user profiles.
- Logging events.
- Reporting capabilities.

DATABASE/APPLICATION CONTROLS:
- Creating or changing data files and database profiles.
- Verifying user authorization at application level.
- Verifying user authorization at field level for data modification.

Access control software is provided at different levels within an IS architecture, each having a certain degree of security.

LOGICAL ACCESS – Auditing: The IS auditor needs to perform the following evaluations:
- General understanding of security risks through documentation, enquiry, observation, etc.
- Document and evaluate controls over potential access paths.
- Control tests are performed to ensure functionality.
- Whether control objectives are achieved.
- Whether the security environment is adequate and as per standards.

Following are the STEPS:
1) Familiarization with the IS environment.
2) Document access paths.
3) Interview systems personnel.
4) Review reports from access control software.
5) Review the application systems operations manual.

IDENTIFICATION AND AUTHENTICATION: It is the process of proving one's identity. There is a high risk of unauthorized access in the absence of I&A procedures.

I&A VULNERABILITIES:
- Weak authentication methods.
- Potential for users to bypass the authentication mechanism.
- Lack of confidentiality and integrity for stored authentication information.
- Lack of encryption of authentication information.

I&A TECHNIQUES: I&A techniques are generally categorized on the following bases:
1) Something you know – passwords.
2) Something you have – token card.
3) BIOMETRICS:
   a. Something you are – biometric features (physical).
   b. Something you do – signature and voice recognition (behavioral).

SOMETHING YOU KNOW: The I&A based on something you know consists of IDs and passwords. The login ID provides individual identification, given uniquely to each user. The password provides individual authentication.

Password features:
- Should be easy to remember, but difficult for a perpetrator to guess.
- The initial password could either be system generated or administrator assigned.
- The system should force the user to change the password at initial login.
- In case of wrong password entry a specific number of times, the account should be locked.
- If the account is deactivated because of a forgotten password, the system administrator reactivates it after inquiry.
- Passwords should be changed periodically.

I&A – best practices:
- Login IDs not used for a number of days should be locked, either manually or automatically.
- The login session should end when there is no activity for some time, say 10 minutes.
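The password features and best practices listed above, implemented as a small login-control routine. This is an added example written for these notes, not code from the original; the thresholds (3 failed attempts, 90-day password age, 30-day dormancy) are constructed assumptions, while the 10-minute idle timeout is the figure from the notes.

```python
from __future__ import annotations
from dataclasses import dataclass
import hashlib
import os
import secrets

# Constructed policy thresholds (assumptions, except the 10-minute idle timeout).
MAX_FAILED_ATTEMPTS = 3          # lock the account after this many wrong passwords
PASSWORD_MAX_AGE_DAYS = 90       # force a periodic change after this many days
DORMANT_ID_DAYS = 30             # lock login IDs unused for this many days
IDLE_SESSION_TIMEOUT_MIN = 10    # end sessions idle for this long


def _hash(password: str, salt: bytes) -> bytes:
    """Store only a salted hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    login_id: str
    salt: bytes
    pw_hash: bytes
    pw_set_day: int            # day number on which the password was set
    last_login_day: int        # day number of the last successful login
    must_change: bool = True   # the initial password must be changed at first login
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    login_id: str
    last_activity_min: int     # minute of the last user activity
    active: bool = True


class AccessControl:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create_account(self, login_id: str, today: int) -> str:
        """Administrator creates the ID; the initial password is system generated."""
        initial = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.accounts[login_id] = Account(login_id, salt, _hash(initial, salt),
                                          pw_set_day=today, last_login_day=today)
        return initial

    def login(self, login_id: str, password: str, today: int) -> str:
        """Return OK, CHANGE_PASSWORD, DENIED or LOCKED."""
        acct = self.accounts.get(login_id)
        if acct is None:
            return "DENIED"                 # unknown ID; do not reveal which part failed
        if acct.locked:
            return "LOCKED"
        if today - acct.last_login_day > DORMANT_ID_DAYS:
            acct.locked = True              # dormant ID is locked automatically
            return "LOCKED"
        if not secrets.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True          # too many wrong passwords
                return "LOCKED"
            return "DENIED"
        acct.failed_attempts = 0
        acct.last_login_day = today
        if acct.must_change or today - acct.pw_set_day > PASSWORD_MAX_AGE_DAYS:
            return "CHANGE_PASSWORD"        # access only after the password is changed
        return "OK"

    def change_password(self, login_id: str, new_password: str, today: int) -> None:
        acct = self.accounts[login_id]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.pw_set_day = today
        acct.must_change = False

    def admin_unlock(self, login_id: str, today: int) -> None:
        """Administrator reactivates a locked ID after inquiry."""
        acct = self.accounts[login_id]
        acct.locked = False
        acct.failed_attempts = 0
        acct.last_login_day = today


def check_idle(session: Session, now_min: int) -> bool:
    """End the session when there has been no activity for the timeout period."""
    if session.active and now_min - session.last_activity_min >= IDLE_SESSION_TIMEOUT_MIN:
        session.active = False
    return session.active
```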

SOMETHING YOU HAVE: A microprocessor-controlled smart card generates a one-time password good for only one logon session. The user enters this password, along with the password he has memorized, to get system access.

BIOMETRICS: Biometric features are the best means of authenticating a user's identity, based on a unique, measurable attribute for verifying the identity of a human being.

Physical biometric features could be classified as under:
a) Palm. b) Hand geometry. c) Iris. d) Retina. e) Fingerprint. f) Face.

Behavioral-oriented features include:
a) Signature recognition or signature dynamics. b) Voice recognition.

SINGLE SIGN-ON (SSO): Users have to access a number of resources during a typical workday; therefore, users have to authenticate themselves a number of times. Users normally cannot memorize many passwords and there is an increased likelihood that the password information could be written down near the workstation area. SSO means consolidating all of the organization's platform-based administration, making authentication and authorization functions into a single centralized administrative function. The SSO server handling this information is called the primary domain.

Advantages:
- Multiple passwords are no longer required.
- Improves the manager's ability to manage user accounts.
- It improves efficiency.

Disadvantages:
- Difficult for all operating systems to support.
- Costly.
- A centralized failure could cause huge disruption.

Social engineering: No matter how strong the security system of an organization is, it doesn't work unless its employees are committed and aware of security implications. Management should install a program for ongoing employee awareness regarding security issues.

AUTHORIZATION ISSUES: Access rules specify WHO can access WHAT. Access should be documented. Computer access can be of varying degrees or levels, for example:
- Read, write, and copy only.
- Write, execute, update, or delete only.
- Execute only.
- Combination of the above.

The least dangerous access type is READ ONLY.

ACCESS CONTROL LISTS: Access control lists (ACL) refer to the register of:
- Authorized usernames.
- Access permitted.

REMOTE ACCESS SECURITY: Organizations require remote connectivity to their information system.

NETWORK INFRASTRUCTURE SECURITY: Communication networks include devices. Control is established through a network control terminal and specialized communication software. Following are the controls over communication networks:

LAN SECURITY: LANs facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programs and data.

INFORMATION REQUIRED:
- LAN topology and network design.
- LAN administrator and his/her functions.
- Groups of users.
- Applications used in the LAN.
- Standards and procedures.

RISKS AND ISSUES: The administrative and control functions available with network software might be limited. Software vendors and network users have recognized the need to provide diagnostic capabilities to identify the cause of problems when the network goes down or functions in an unusual manner. The use of logon IDs and passwords with associated administration facilities is only now becoming standard.

DIAL-UP ACCESS CONTROLS: It is possible to break LAN security through the dial-in route. Without dial-up access controls, a caller can dial in and try passwords until they gain access. Once in, they can hide pieces of software anywhere, pass through wide area network (WAN) links to other systems and generally create as much or as little havoc as they like. To minimize the risk of unauthorized dial-in access, remote users should never store their passwords in plain text login scripts on notebooks and laptops.

Dial-back procedures: When a dial-up line is used, access should be restricted by a dial-back mechanism, calling line identity to verify the calling number, or strong two-factor authentication. Dial-back interrupts the telecommunications dial-up connection to the computer by dialing back the caller to validate user authority. Once a dial-up connection is made, logical access controls should provide the same restrictions as if the user were using a terminal from within the organization. When a call is answered by the modem, the caller must enter a code. The modem hangs up the connection, looks up the code, and calls back if it is authenticated.

CLIENT/SERVER SECURITY: A client/server system typically contains numerous access points. Security procedures for these server environments are usually not as well understood nor as protected as a mainframe-based processing environment. Client/server systems utilize distributed techniques, creating increased risk of access to data and processing. To effectively secure the client/server environment, all access points should be identified.

INTERNET SECURITY:

IMPACT OF INTERNET THREATS:
- Loss of income.
- Increased cost of recovery.
- Increased cost of retrospectively securing systems.
- Loss of information.
- Loss of trade secrets.
- Damage to reputation.
- Legal and regulatory noncompliance.
- Failure to meet contractual commitments.

CAUSAL FACTORS FOR INTERNET ATTACKS:
- Availability of tools and techniques on the Internet.
- Lack of security awareness and training.
- Exploitation of security vulnerabilities.
- Inadequate security over firewalls.

FIREWALL: Every time a corporation connects its internal computer network to the Internet, it faces potential danger. Because of the Internet's openness, every corporate network connected to it is vulnerable to attack. Hackers on the Internet could theoretically break into the corporate network and do harm in a number of ways: steal or damage important data, damage individual computers, etc.


Firewalls are hardware and software combinations that are built using routers, servers and a variety of software. They should sit in the most vulnerable point between a corporate network and the Internet and they can be as simple or complex as a corporate information security policy demands.

WHY? Firewalls are used to:
- Block access on the Internet.
- Limit traffic.
- Prevent certain users.
- Monitor communication.
- Encrypt packets.

TYPES:

1) Router Packet Filtering: A screening router examines the header of every packet of data traveling between the Internet and the corporate network. Packet headers have information in them, including the IP address of the sender and receiver, and the authorized port numbers (application or service) allowed to use the information transmitted.
Advantages: Simple.
Disadvantages: Vulnerable to attack due to direct exchange of packets.

2) Application Firewall Systems: There are two types. They are referred to as application-level or circuit-level firewall systems and provide greater protection capabilities than packet filtering routers. These firewalls allow information to flow between systems but do not allow the direct exchange of packets.
Advantages: Provides security for commonly used protocols and hides the internal network from the outside untrusted network.
Disadvantages: Poor performance as usage increases.

3) Stateful Inspection Firewalls: It keeps track of the destination IP address of each packet that leaves the organization's internal network.
Advantages: Efficient.
Disadvantages: Complex to administer.
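To make the difference between type 1) and type 3) concrete, here is an added example (not from the original notes) that runs the same constructed packets through a stateless screening-router rule set and through a stateful inspection table that remembers outbound connections. The rule set, addresses and ports are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "out" = corporate network -> Internet, "in" = Internet -> corporate


# Constructed screening-router rule set: (direction, destination port, action).
# A port of None matches any port; the None rules are the default deny.
RULES = [
    ("out", 80, "permit"),      # users may browse the web
    ("out", 443, "permit"),
    ("in", 25, "permit"),       # inbound mail to the corporate mail server
    ("in", None, "deny"),
    ("out", None, "deny"),
]


def packet_filter(pkt: Packet) -> str:
    """Stateless screening router: only this packet's own header is examined."""
    for direction, port, action in RULES:
        if direction == pkt.direction and (port is None or port == pkt.dst_port):
            return action
    return "deny"


class StatefulFirewall:
    """Remembers permitted outbound connections so only their replies are let back in."""

    def __init__(self) -> None:
        # (internal ip, internal port, external ip, external port)
        self.table: set[tuple[str, int, str, int]] = set()

    def inspect(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            decision = packet_filter(pkt)
            if decision == "permit":
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return decision
        # Inbound: a reply to a tracked connection is permitted without a static
        # rule; anything else is judged by the static rules alone.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.table:
            return "permit"
        return packet_filter(pkt)
```

The stateless filter has no way to tell the web server's reply (arriving on a high port) from an unsolicited packet to that same port, so it either denies both or, if the rule set opens high ports, admits both; the stateful table admits only the reply.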

FIREWALL ISSUES: Problems faced by organizations that have implemented firewalls are:
- A false sense of security exists where management feels that no further security checks and controls are needed on the internal network.
- The circumvention of firewalls through the use of modems connecting users directly to Internet service providers.
- Misconfigured firewalls allowing unknown and dangerous services to pass through freely.
- The misunderstanding of what constitutes a firewall.
- Monitoring activities do not occur on a regular basis.
- Firewall policies are not regularly maintained.


INTRUSION DETECTION: An intrusion detection system works in conjunction with routers and firewalls by monitoring network usage anomalies. It protects the company's IS from both internal and external misuse. It notifies the administrator when it detects a perceived threat.

CATEGORIES: There are two broad categories of IDS:

a) Network-based IDS: They identify attacks within the monitored network and issue warnings to the operator.

b) Host-based IDS: They are configured for specific environments and monitor various internal resources and the O/S to warn of possible attacks.

An IDS is a complement to, not a substitute for, a firewall.

COMPONENTS:

TYPES:
a) Signature-based: Detects intrusions based on stored signatures.
b) Statistical-based: Detects intrusions based on expected behavior.
c) Neural-based: Monitors general patterns of network activity with added learning capability.
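An added example (not from the original notes) showing the first two IDS types side by side: the same constructed host-audit lines are checked against stored signatures and against a statistical baseline of expected failed-login counts. The log lines, signatures and baseline figures are all constructed for the illustration.

```python
from __future__ import annotations
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample of login-audit lines: "<minute> <source ip> <event>".
SAMPLE_LOG = """\
1 10.0.0.8 LOGIN_OK user=alice
2 10.0.0.8 LOGIN_OK user=bob
3 203.0.113.5 LOGIN_FAIL user=admin
3 203.0.113.5 LOGIN_FAIL user=admin
3 203.0.113.5 LOGIN_FAIL user=root
4 10.0.0.9 LOGIN_OK user=carol
5 203.0.113.5 CMD cat /etc/shadow
"""

# Signature-based detection: known patterns stored by the operator.
SIGNATURES = {
    "sensitive-file-read": re.compile(r"CMD .*/etc/shadow\b"),
    "privileged-account-failure": re.compile(r"LOGIN_FAIL user=(admin|root)\b"),
}


def signature_alerts(log: str) -> list[tuple[str, str]]:
    """Return (signature name, line) for every line that matches a stored signature."""
    alerts = []
    for line in log.splitlines():
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, line))
    return alerts


# Statistical detection: compare each source's failure count with the expected
# behaviour learned from a constructed baseline (LOGIN_FAIL per host on normal days).
BASELINE_FAILS_PER_HOST = [0, 1, 0, 0, 1, 0, 2, 0, 1, 0]


def statistical_alerts(log: str, baseline: list[int] = BASELINE_FAILS_PER_HOST,
                       k: float = 2.0) -> dict[str, int]:
    """Flag hosts whose LOGIN_FAIL count exceeds mean + k * stdev of the baseline."""
    threshold = mean(baseline) + k * pstdev(baseline)
    fails = Counter(line.split()[1] for line in log.splitlines() if "LOGIN_FAIL" in line)
    return {host: n for host, n in fails.items() if n > threshold}
```

The signature detector fires only on patterns it already knows (here the privileged-account failures and the sensitive-file read), while the statistical detector flags 203.0.113.5 purely because three failures in one run is far above the baseline, without any signature for that behaviour.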

ENCRYPTION: Encryption is a method of converting a plaintext message to a ciphertext message which cannot be understood without converting it back (decryption). The process is performed through a mathematical function and a special password called a KEY.

WHY? Encryption is performed to:
- Protect important data from unauthorized access.
- Detect accidental or intentional modification of data.
- Verify the authenticity of a transaction or document.

ELEMENTS: There are three elements of an encryption system:
1) Algorithm – a mathematical function.
2) Keys – a unique piece of information to be used in the process, similar to a password.
3) Key length – a predetermined length for the key.

CRYPTOGRAPHIC SYSTEMS: There are two cryptographic systems:

a) Private key cryptographic systems: They are based on symmetric encryption algorithms which use a secret (private) key to encrypt the plaintext to the ciphertext. They also use the same key to decrypt the ciphertext to the corresponding plaintext. DES (Data Encryption Standard) is a private key cryptographic system.

b) Public key cryptographic systems: They are based on an asymmetric encryption process; two keys work together as a pair. One key is used to encrypt data; the other is used to decrypt data. Either key can be used to encrypt or decrypt, but once a key has been used to encrypt data, only its partner can be used to decrypt the data.


QUANTUM CRYPTOGRAPHY: It is the next generation of cryptography that will solve existing problems associated with current cryptographic systems. Proven in laboratory research as a commercially viable technology, quantum cryptography taps the natural uncertainty of the quantum world (using the interaction of light pulses as a way of transmitting keys and secure information).

DIGITAL SIGNATURES: It is an electronic identification of a person or entity created by using a public key algorithm and intended to verify to a recipient the integrity of the data and the identity of the sender. To verify the integrity of the data, a cryptographic hashing algorithm is computed against the entire message, which generates a small fixed-length string, usually about 128 bytes in length. This process, also referred to as a digital signature algorithm, creates a message digest (i.e., a smaller extrapolated version of the original message).
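The following added example (not from the original notes) works through the public key pair of item b) above and the digest-then-sign process of this section, using textbook RSA with constructed toy-sized primes so that every step is visible. The primes 61 and 53 and exponent 17 are assumptions chosen for readability; a real system uses keys of thousands of bits with padding, and the reduction of the digest modulo n here is only to fit the toy modulus.

```python
from __future__ import annotations
import hashlib


def make_keypair(p: int, q: int, e: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((e, n), (d, n)): the two keys that work together as a pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def apply_key(value: int, key: tuple[int, int]) -> int:
    """Encrypt or decrypt one block with either key of the pair."""
    exponent, n = key
    return pow(value, exponent, n)


def message_digest(message: bytes) -> int:
    """Fixed-length hash of the entire message (SHA-256 here), as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: tuple[int, int]) -> int:
    """Sender: hash the whole message, then apply the private key to the digest."""
    n = private_key[1]
    return apply_key(message_digest(message) % n, private_key)


def verify(message: bytes, signature: int, public_key: tuple[int, int]) -> bool:
    """Recipient: undo the signature with the public key and compare digests."""
    n = public_key[1]
    return apply_key(signature, public_key) == message_digest(message) % n
```

Because apply_key with one key is undone only by its partner, a signature that verifies under the public key can only have been produced with the matching private key, and any change to the message changes the digest the recipient recomputes.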

AUDITING NETWORK INFRASTRUCTURE SECURITY: The IS auditor needs to evaluate the following with reference to network infrastructure:

REMOTE ACCESS AUDIT: There are some tools used to audit remote access:

POINTS OF PRESENCE: When auditing an organization's presence on the Internet, the IS auditor should review the use of the Internet in the following areas:
a) Email. b) Marketing. c) E-commerce. d) Delivery channels. e) Information gathering.

NETWORK PENETRATION TESTS (simulation of a real hacking attack): These are effective methods to determine real-time risks in an information processing environment. The IS auditor attempts to avoid the security features of a system and exploits the vulnerabilities to gain access that would otherwise be unauthorized. These tests try to imitate the real hacking situation. Formal top management approval is required.

TYPES: There are five types of penetration tests:

RISKS:
- Doesn't ensure discovery of all vulnerabilities.
- Miscommunication.
- Disclosure of sensitive information.
- Potential of damaging information assets by inexperienced testers.


FULL NETWORK ASSESSMENT REVIEWS: After penetration testing, a full review of network vulnerabilities is done, which includes:
- Security policy and procedures.
- Network and firewall configuration.
- Logical access controls.
- Encryption.
- Firewall.
- Virus scanning.
- Audit logging.

NETWORK CHANGES: Controls to prevent unauthorized changes are:
- Segregation of duties.
- Restricting access to development environments.
- Restricting source code access.

COMPUTER FORENSICS: It is the process of identifying, preserving, analysing, and presenting audit evidence in a manner which is legally acceptable in any legal proceedings.

ENVIRONMENTAL EXPOSURE AND CONTROLS

EXPOSURES: Environmental exposures are due to natural events such as lightning, storms, earthquakes, hurricanes, and extreme weather conditions. Such conditions sometimes cause many problems.

Power failure types:
a) Total power failure – blackout: It refers to the complete loss of electric power due to weather conditions or the inability of WAPDA to supply it.
b) Severely reduced voltage – brownout: It refers to the inability of WAPDA to provide the required voltage.
c) Sags, spikes, and surges: A sag is a decrease in voltage; spikes and surges are increases in voltage.
d) Electromagnetic interference: It is caused by electrical storms or noisy equipment.

CONTROLS:
- Alarm control panels.
- Water detectors.
- Handheld fire extinguishers.
- Manual fire alarms.
- Smoke detectors.
- Fire suppression systems.
- Strategic location of computer rooms.
- Inspection.
- Fireproof environment.
- Electrical surge detectors.
- UPS.
- Emergency power-off switch.
- Eating/drinking prohibition.
- Documented evacuation procedures.

PHYSICAL ACCESS EXPOSURES AND CONTROLS

EXPOSURES:

CONTROLS:
- Bolting door locks.
- Combination door locks.
- Electronic door locks.
- Biometric door locks.
- Manual logging.
- Electronic logging.
- Identification badges.
- Video cameras.
- Security guards.
- Controlled visitor access.
- Bonded personnel.
- Deadman doors.
- Alarm system.

AUDITING: Touring the IPF (computer room, programmers' area, tape library, printer stations, and management offices) is useful in understanding the overall installation.

Documents to assist:
- Emergency evacuation procedures.
- Inspection tags.
- Fire suppression system test results.
- Key lock logs.

Areas:
- All operator consoles.
- Printer rooms.
- Computer storage rooms.
- UPS/generator.
- Communication equipment.
- Tape library.
- Offsite backup storage.