Chapter 8 Slater


Transcript of Chapter 8 Slater

  • 8/20/2019 Chapter 8 Slater

    1/77

    Chapter 8

    Information Systems Controls for System Reliability — Part 1: Information Security

    Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

    8-1

  • Slide 2/77

    Learning Objectives

    • Discuss how the COBIT framework can be used to develop sound internal control over an organization's information systems.

    • Explain the factors that influence information systems reliability.

    • Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

  • Slide 3/77

    AIS Controls

    • COSO and COSO-ERM address general internal control.

    • COBIT addresses information technology internal control.

  • Slide 4/77

    [Figure: the COBIT Framework and IT Life Cycle. The four domains (Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate) link Business Objectives, the information Criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) and the IT Resources (Application systems, Information, Infrastructure, People). © 2007 IT Governance Institute. All rights reserved. www.itgi.org]

  • Slide 5/77

    Information for Management Should Be:

    • Effectiveness: Information must be relevant and timely.

    • Efficiency: Information must be produced in a cost-effective manner.

    • Confidentiality: Sensitive information must be protected from unauthorized disclosure.

    • Integrity: Information must be accurate, complete, and valid.

    • Availability: Information must be available whenever needed.

    • Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.

    • Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

  • Slide 6/77

    COBIT and Trust Frameworks

    • The COBIT Framework provides comprehensive guidance for controlling and managing IS.

    • COBIT specifies detailed control objectives for 34 IT processes (Figure 8-1).

    • Auditors are only interested in a subset of COBIT; SOX only addresses the issue of system reliability for financial statements.

    • The Trust Services Framework developed by the AICPA and CICA (Canadian) relates to systems reliability (security, confidentiality, privacy, process integrity, availability).

  • Slide 7/77

    The five basic principles that contribute to systems reliability:

    [Figure: Trust Services Framework. Systems Reliability.]

  • Slide 8/77

    The five basic principles that contribute to systems reliability:

    • Security: Access to the system and its data is controlled.

    [Figure: Trust Services Framework. Security supporting Systems Reliability.]

  • Slide 9/77

    The five basic principles that contribute to systems reliability:

    • Security

    • Confidentiality: Sensitive information is protected from unauthorized disclosure.

    [Figure: Trust Services Framework. Security and Confidentiality supporting Systems Reliability.]

  • Slide 10/77

    The five basic principles that contribute to systems reliability:

    • Security

    • Confidentiality

    • Privacy: Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.

    [Figure: Trust Services Framework. Security, Confidentiality and Privacy supporting Systems Reliability.]

  • Slide 11/77

    The five basic principles that contribute to systems reliability:

    • Security

    • Confidentiality

    • Privacy

    • Processing integrity: Data is processed:

      – Accurately
      – Completely
      – In a timely manner
      – With proper authorization

    [Figure: Trust Services Framework. Security, Confidentiality, Privacy and Processing Integrity supporting Systems Reliability.]

  • Slide 12/77

    The five basic principles that contribute to systems reliability:

    • Security

    • Confidentiality

    • Online privacy

    • Processing integrity

    • Availability: The system is available to meet operational and contractual obligations.

    [Figure: Trust Services Framework. Security, Confidentiality, Privacy, Processing Integrity and Availability supporting Systems Reliability.]

  • Slide 13/77

    Note the importance of security in this picture. It is the foundation of systems reliability.

    Security procedures:

    • Restrict system access to only authorized users and protect:

      – The confidentiality of sensitive organizational data.

      – The privacy of personal identifying information collected from customers.

    [Figure: Trust Services Framework. Security is the foundation beneath Confidentiality, Privacy, Processing Integrity and Availability, which together support Systems Reliability.]

  • Slide 14/77

    INTRODUCTION

    Security procedures also:

    • Provide for processing integrity by preventing:

      – Submission of unauthorized or fictitious transactions.

      – Unauthorized changes to stored data or programs.

    • Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.

    [Figure: Trust Services Framework.]

  • Slide 15/77

    [Figure: Trust Services Framework.]

  • Slide 16/77

    FUNDAMENTAL INFORMATION SECURITY CONCEPTS

    There are two fundamental information security concepts that will be discussed in this chapter:

    • Security as a management issue, not a technology issue.

    • Defense in depth & the time-based model of security.

  • Slide 17/77

    Security & Systems Reliability

    • Foundation of the Trust Services Framework

    • Security is a management issue, not a technology issue

    • SOX 302 states: the CEO and the CFO are responsible to certify that the financial statements fairly present the results of the company's activities.

    • The accuracy of an organization's financial statements depends upon the reliability of its information systems.

  • Slide 18/77

    Management's Role in IS Security (Table 8-1)

    • Create security aware culture

    • Inventory and value company information resources

    • Assess risk, select risk response

    • Develop and communicate security plans, policies, and procedures

    • Acquire and deploy IT security resources

    • Monitor and evaluate effectiveness

  • Slide 19/77

    FUNDAMENTAL INFORMATION SECURITY CONCEPTS

    There are two fundamental information security concepts that will be discussed in this chapter:

    • Security is a management issue, not a technology issue.

    • Defense in depth and the time-based model of security.

  • Slide 20/77

    TIME-BASED MODEL OF SECURITY

    The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.

    All three types of controls are necessary:

    • Preventive: Limit actions to those in accord with the organization's security policy and disallow all others.

  • Slide 21/77

    TIME-BASED MODEL OF SECURITY

    The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.

    All three types of controls are necessary:

    • Preventive

    • Detective: Identify when preventive controls have been breached.

  • Slide 22/77

    TIME-BASED MODEL OF SECURITY

    The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.

    All three types of controls are necessary:

    • Preventive

    • Detective

    • Corrective:

      – Repair damage from problems that have occurred

      – Improve preventive and detective controls to reduce the likelihood of similar incidents

  • Slide 23/77

    TIME-BASED MODEL OF SECURITY

    The time-based model evaluates the effectiveness of an organization's security by measuring and comparing the relationship among three variables:

    • P = Time it takes an attacker to break through the organization's preventive controls.

    • D = Time it takes to detect that an attack is in progress.

    • C = Time to respond to the attack.

    These three variables are evaluated as follows:

    • If P > (D + C), then security procedures are effective.

    • Otherwise, security is ineffective.

  • Slide 24/77

    DEFENSE IN DEPTH

    • The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure.

    • If one layer fails, another may function as planned.

    • Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.

    • Redundancy also applies to detective and corrective controls.
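The following Python example, added here and not part of the slides, puts the time-based model and defense in depth together: it sums constructed per-layer breach times into P (treating the layer times as additive is an assumption made for the illustration), applies the slides' P > D + C test, and reports which layer's failure on its own would leave the remaining layers insufficient, which is what a single point of failure means in this model.

```python
"""Time-based model of security (P > D + C) across defense-in-depth layers.

Added illustration, not code from the slides. It assumes, for simplicity,
that the time an attacker needs to defeat the preventive controls (P) is the
sum of the per-layer times; the layer names and minute values are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Layer:
    name: str
    minutes_to_defeat: float  # constructed estimate of how long this layer holds


# Constructed preventive layers (see the defense-in-depth slides)
EXAMPLE_LAYERS = [
    Layer("Border router / firewall ACLs", 30),
    Layer("Password authentication", 20),
    Layer("Host hardening", 40),
]
EXAMPLE_D = 20  # minutes to detect the attack (constructed)
EXAMPLE_C = 35  # minutes to respond once detected (constructed)


def preventive_time(layers: List[Layer]) -> float:
    """P: total time to break through every preventive layer (assumed additive)."""
    return sum(layer.minutes_to_defeat for layer in layers)


def is_effective(p: float, d: float, c: float) -> bool:
    """The slides' test: security procedures are effective when P > D + C."""
    return p > d + c


def shortfall(p: float, d: float, c: float) -> float:
    """Minutes by which D + C exceeds P (0 when already effective). D + C has
    to shrink by more than this amount, or P grow by more, to pass the test."""
    return max(0.0, d + c - p)


def single_points_of_failure(layers: List[Layer], d: float, c: float) -> List[str]:
    """Layers whose failure alone would leave the remaining layers with
    P <= D + C. Defense in depth aims for this list to be empty."""
    weak = []
    for layer in layers:
        remaining = [other for other in layers if other is not layer]
        if not is_effective(preventive_time(remaining), d, c):
            weak.append(layer.name)
    return weak


def main() -> None:
    p = preventive_time(EXAMPLE_LAYERS)
    print(f"P={p} D={EXAMPLE_D} C={EXAMPLE_C} effective={is_effective(p, EXAMPLE_D, EXAMPLE_C)}")
    print("single points of failure:", single_points_of_failure(EXAMPLE_LAYERS, EXAMPLE_D, EXAMPLE_C))
    # A slower response (C = 80) and the same layers no longer hold
    print("shortfall with C=80:", shortfall(p, EXAMPLE_D, 80))


if __name__ == "__main__":
    main()
```

With the constructed numbers the three layers together hold (P = 90 minutes against D + C = 55), but the slowest-to-defeat layer is the one whose loss would tip the balance, which is the kind of answer the model is meant to give management.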

  • Slide 25/77

    DEFENSE IN DEPTH

    Major types of preventive controls used for defense in depth include:

    • Authentication controls (passwords, tokens, biometrics, MAC addresses)

    • Authorization controls (access control matrices and compatibility tests)

    • Training

    • Physical access controls (locks, guards, biometric devices)

    • Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)

    • Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)

    • Encryption

  • Slide 26/77

    DEFENSE IN DEPTH

    Major types of detective controls used for defense in depth include:

    • Log analysis

    • Intrusion detection systems

    • Managerial reports

    • Security testing (vulnerability scanners, penetration tests, war dialing)

  • Slide 27/77

    DEFENSE IN DEPTH

    Major types of corrective controls used for defense in depth include:

    • Computer incident response teams (CIRT)

    • Chief Information Security Officer (CISO)

    • Patch management

  • Slide 28/77

    PREVENTIVE CONTROLS

    Major types of preventive controls used for defense in depth include:

    • Authentication controls (passwords, tokens, biometrics, MAC addresses)

    • Authorization controls (access control matrices and compatibility tests)

    • Training

    • Physical access controls (locks, guards, biometric devices)

    • Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)

    • Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)

    • Encryption

  • Slide 29/77

    PREVENTIVE CONTROLS

    • The objective of preventive controls is to prevent security incidents from happening.

    • Involves two related functions:

      – Authentication: Focuses on verifying the identity of the person or device attempting to gain access.

      – Authorization: Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.

  • Slide 30/77

    PREVENTIVE CONTROLS

    Users can be authenticated by verifying:

    • Something they know, such as passwords or PINs.

    • Something they have, such as smart cards or ID badges.

    • Some physical characteristic (biometric identifier), such as fingerprints or voice.

  • Slide 31/77

    PREVENTIVE CONTROLS

    • Passwords are probably the most commonly used authentication method and also the most controversial.

    • An effective password must satisfy a number of requirements:

      – Length
      – Multiple character types
      – Random
      – Secret

  • Slide 32/77

    PREVENTIVE CONTROLS

    Each authentication method has its limitations.

    • Passwords

      – Can be guessed, lost, written down, or given away


  • Slide 34/77

    PREVENTIVE CONTROLS

    Each authentication method has its limitations.

    • Passwords

    • Physical identification techniques

    • Biometric techniques

      – Expensive and often cumbersome

      – Not yet 100% accurate, sometimes rejecting legitimate users and allowing unauthorized people

      – Some techniques, like fingerprints, may carry negative connotations that hinder acceptance

      – Security concerns surround the storage of this data:

        – If the data is compromised, it could create serious life-long problems for the donor

        – Unlike passwords or tokens, biometric identifiers cannot be replaced or changed

  • Slide 35/77

    PREVENTIVE CONTROLS

    • Although none of the three basic authentication methods is foolproof by itself, the use of two or three in conjunction, known as multi-factor authentication, is quite effective.

    • Example: Using a palm print and a PIN number together is much more effective than using either method alone.

  • Slide 36/77

    PREVENTIVE CONTROLS

    • Authorization controls are implemented by creating an access control matrix.

      – Specifies what part of the IS a user can access and what actions they are permitted to perform.

    • When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.

  • Slide 37/77

    PREVENTIVE CONTROLS

    Who has the authority to delete Program 2?

    [Figure: example access control matrix. Rows are users identified by Code Number and Password; columns are files A, B, C and programs 1, 2, 3, 4, with a numeric permission code in each cell.]
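An added example (not the textbook's own code) of an access control matrix and the compatibility test from the previous slide, written in Python. The user codes, passwords, resource names and the hierarchical permission codes (delete implies update implies read) are constructed for the illustration; the block also answers the slide's question of who may delete Program 2.

```python
"""Access control matrix with authentication and a compatibility test.

Added illustration, not code from the slides. The user codes, passwords,
resource names and the meaning of the permission codes are all constructed;
a permission code here is hierarchical (delete implies update implies read).
"""
import hashlib
import hmac

# Constructed permission codes for a resource
NO_ACCESS, READ, UPDATE, DELETE = 0, 1, 2, 3
ACTION_LEVEL = {"read": READ, "update": UPDATE, "delete": DELETE}

# Authentication store: user code -> PBKDF2 hash of the password.
# A fixed salt keeps the example deterministic; real systems use a random salt per user.
SALT = b"constructed-example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


CREDENTIALS = {
    "12345": _hash_password("ABC"),
    "12346": _hash_password("DEF"),
}

# Access control matrix: user code -> resource -> permission code
MATRIX = {
    "12345": {"File A": READ, "File B": UPDATE, "Program 1": READ, "Program 2": DELETE},
    "12346": {"File A": NO_ACCESS, "File C": UPDATE, "Program 2": READ},
}


def authenticate(code: str, password: str) -> bool:
    """Verify identity: the code exists and the password matches its stored hash."""
    stored = CREDENTIALS.get(code)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(password))


def compatibility_test(code: str, resource: str, action: str) -> bool:
    """Authorization: look the (user, resource) cell up in the matrix and
    compare it with the level the requested action needs. Anything not in
    the matrix is treated as no access."""
    level = MATRIX.get(code, {}).get(resource, NO_ACCESS)
    return level >= ACTION_LEVEL[action]


def request(code: str, password: str, resource: str, action: str):
    """Authenticate first, then run the compatibility test."""
    if not authenticate(code, password):
        return False, "authentication failed"
    if not compatibility_test(code, resource, action):
        return False, "not authorized"
    return True, "allowed"


def who_can(resource: str, action: str):
    """The slide's question: which user codes have authority to <action> <resource>?"""
    return sorted(code for code in MATRIX if compatibility_test(code, resource, action))


if __name__ == "__main__":
    print("may delete Program 2:", who_can("Program 2", "delete"))
    print(request("12346", "DEF", "Program 2", "delete"))
```

Note that the two functions stay separate: `authenticate` only establishes who is asking, and `compatibility_test` only consults the matrix, so a user who proves their identity still gets nothing the matrix does not grant.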

  • Slide 38/77

    PREVENTIVE CONTROLS

    • Authentication and authorization can be applied to devices as well as users.

      – Every workstation, printer, or other computing device needs a network interface card (NIC) to connect to the organization's network.

      – Each network device has a unique identifier, referred to as its media access control (MAC) address.

    • It is possible to restrict network access to only those devices which have a recognized MAC address or to use MAC addresses for authorization.

      – For example, payroll or EFT applications should be set only to run from authorized terminals.

  • Slide 39/77

    PREVENTIVE CONTROLS

    • Encryption: The final layer of preventive controls.

    [Figure: layers of preventive controls: Training, Control Physical Access, Control Remote Access, Hardening, Encryption.]

  • Slide 40/77

    PREVENTIVE CONTROLS

    • Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder.

    • Also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions.

    • Therefore, accountants, auditors, and systems professionals need to understand encryption.

  • Slide 41/77

    PREVENTIVE CONTROLS

    [Figure: the plaintext "This is a contract for ..." passes through the encryption algorithm with a key to produce ciphertext; the decryption algorithm with the key restores the plaintext.]

    • Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.

    • Decryption reverses this process.

    • To encrypt or decrypt, both a key and an algorithm are needed.

  • Slide 42/77

    PREVENTIVE CONTROLS

    • Hashing: Hashing takes plaintext of any length and transforms it into a short code called a hash.

      – SHA-256 creates a 256-bit hash regardless of text length.

    • Hashing differs from encryption in that:

      – Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length.

      – Encryption is reversible, but hashing is not; you cannot transform a hash back into its original plaintext.

  • Slide 43/77

    PREVENTIVE CONTROLS

    • Digital signatures: Asymmetric encryption and hashing are used to create digital signatures.

    • A digital signature is information encrypted with the creator's private key.

      – That information can only be decrypted using the corresponding public key.

      – So successful decryption with an entity's public key proves the message could only have been created by the entity that holds the corresponding private key.

      – The private key is known only to its owner, so only the owner could have created the message.
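An added Python example, not from the slides, that covers both the hashing slide and this one: SHA-256 output has the same length whatever the input, and a hash-then-sign signature is produced with the private key and checked with the public key, so an altered message or a tampered signature fails verification. The RSA keypair is built from two small, well-known Mersenne primes so the block runs without extra libraries; it is a teaching toy and far below a secure key size.

```python
"""Hashing versus encryption, and hash-then-sign digital signatures.

Added illustration, not code from the slides. The RSA keypair is built from
two small, well-known Mersenne primes so the block runs offline with no
third-party library; it is a teaching toy and far below a secure key size.
"""
import hashlib
from typing import Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def sha256_hex(data: bytes) -> str:
    """SHA-256 always yields a 256-bit (64 hex character) hash, whatever the input length."""
    return hashlib.sha256(data).hexdigest()


def make_toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA: public (n, e), private (n, d). p and q are supplied
    primes; no primality check is done here."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


# Constructed toy key material: 2**61-1 and 2**89-1 are Mersenne primes
PUBLIC_KEY, PRIVATE_KEY = make_toy_keypair(2**61 - 1, 2**89 - 1)


def digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce it to an integer below the modulus. The
    truncation to 128 bits is only needed because the toy modulus is small."""
    h = int.from_bytes(hashlib.sha256(message).digest()[:16], "big")
    return h % n


def sign(message: bytes, private_key: Key) -> int:
    """Digital signature: the message hash encrypted with the private key."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    """Decrypt the signature with the public key and compare it with a fresh
    hash of the message. Success shows the holder of the matching private
    key produced it and that the message is unchanged."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


if __name__ == "__main__":
    contract = b"This is a contract for 500 units at 12.00 each."
    print(len(sha256_hex(b"a")), len(sha256_hex(contract * 1000)))  # same hash length
    sig = sign(contract, PRIVATE_KEY)
    print("valid:", verify(contract, sig, PUBLIC_KEY))
    print("altered message:", verify(contract.replace(b"500", b"5000"), sig, PUBLIC_KEY))
```

The signature covers the hash rather than the whole contract, which is why the fixed hash length matters: the signing operation runs on one short value however long the document is.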

  • Slide 44/77

    PREVENTIVE CONTROLS

    • A digital certificate is an electronic document, created and digitally signed by a trusted third party.

      – Certifies the identity of the owner of a particular public key.

      – Digital certificates provide an automated method for obtaining an organization's or individual's public key.

  • Slide 45/77

    DETECTIVE CONTROLS

    • Preventive controls are never 100% effective in blocking all attacks.

    • So organizations implement detective controls to enhance security by:

      – Monitoring the effectiveness of preventive controls; and

      – Detecting incidents in which preventive controls have been circumvented.

  • Slide 46/77

    DETECTIVE CONTROLS

    • Authentication and authorization controls (both preventive and detective) govern access to the system and limit the actions that can be performed by authorized users.

    • Actual system use (detective control) must be examined to assess compliance through:

      – Log analysis
      – Intrusion detection systems
      – Managerial reports
      – Periodically testing the effectiveness of existing security procedures

  • Slide 47/77

    DETECTIVE CONTROLS

    • Authentication and authorization controls represent the organization's policies governing access to the system and limit the actions that can be performed by authorized users.

    • Actual system use must be examined to assess compliance through:

      – Log analysis
      – Intrusion detection systems
      – Managerial reports
      – Periodically testing the effectiveness of existing security procedures

  • Slide 48/77

    DETECTIVE CONTROLS

    • Log analysis

      – Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed.

      – Logs form an audit trail of system access.

      – Are of value only if routinely examined.

      – Log analysis is the process of examining logs to monitor security.

  • Slide 49/77

    DETECTIVE CONTROLS

    • The log may indicate unsuccessful attempts to log in to different servers.

    • The person analyzing the log must try to determine the reason for the failed attempt. Could be:

      – The person was a legitimate user who forgot his password.

      – Was a legitimate user but not authorized to access that particular server.

      – The user ID was invalid and represented an attempted intrusion.
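An added Python example, not from the slides, that does the analyst's work described above over a few constructed log lines: each failed login is cross-referenced with a constructed user directory and authorization table to separate forgotten passwords, legitimate users on a server they are not permitted to use, and invalid user IDs; sources that try several invalid IDs are then flagged for a closer look. The log format, user names, server names and addresses are all constructed.

```python
"""Classifying failed login attempts from an access log.

Added illustration, not code from the slides. The log lines, user directory
and authorization table are all constructed; the three categories follow
the slide's reasoning about why a login attempt may have failed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed access-log lines (one login attempt per line)
LOG_LINES = """\
2019-08-20T08:01:12 server=payroll01 user=jsmith result=FAIL src=10.1.4.22
2019-08-20T08:01:40 server=payroll01 user=jsmith result=FAIL src=10.1.4.22
2019-08-20T08:02:05 server=payroll01 user=jsmith result=OK src=10.1.4.22
2019-08-20T08:10:33 server=eft01 user=tlee result=FAIL src=10.1.7.90
2019-08-20T09:15:01 server=payroll01 user=admin result=FAIL src=203.0.113.77
2019-08-20T09:15:02 server=hr02 user=root result=FAIL src=203.0.113.77
2019-08-20T09:15:03 server=eft01 user=test result=FAIL src=203.0.113.77
2019-08-20T09:40:10 server=hr02 user=mgarcia result=OK src=10.1.7.15
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) server=(?P<server>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Constructed user directory and authorization table (user -> servers allowed)
KNOWN_USERS = {"jsmith", "tlee", "mgarcia"}
AUTHORIZED = {"jsmith": {"payroll01"}, "tlee": {"hr02"}, "mgarcia": {"hr02", "eft01"}}


def parse(line: str) -> Dict[str, str]:
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"unrecognized log line: {line!r}")
    return match.groupdict()


def classify_failure(event: Dict[str, str]) -> str:
    """Why did this attempt fail? Cross-reference the log with what we know."""
    if event["user"] not in KNOWN_USERS:
        return "invalid_user"        # unknown ID: possible attempted intrusion
    if event["server"] not in AUTHORIZED.get(event["user"], set()):
        return "not_authorized"      # legitimate user, server not permitted
    return "bad_credentials"         # legitimate, authorized user: likely a forgotten password


def analyze(lines: List[str], intrusion_threshold: int = 3) -> Tuple[Dict[str, int], List[str]]:
    """Count failures per category and list sources that tried several
    invalid user IDs, which deserve a closer look."""
    counts: Counter = Counter()
    invalid_by_src: Counter = Counter()
    for line in lines:
        event = parse(line)
        if event["result"] != "FAIL":
            continue
        category = classify_failure(event)
        counts[category] += 1
        if category == "invalid_user":
            invalid_by_src[event["src"]] += 1
    suspicious = sorted(src for src, n in invalid_by_src.items() if n >= intrusion_threshold)
    return dict(counts), suspicious


if __name__ == "__main__":
    print(analyze(LOG_LINES))
```

The log alone cannot say why an attempt failed; the classification only works because the analyst brings the user directory and the authorization table to it, which is the point the slide makes about the analyst's role.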


  • Slide 51/77

    DETECTIVE CONTROLS

    • Intrusion detection systems

      – A major weakness of log analysis is that it is labor intensive and prone to human error.

      – Intrusion detection systems (IDS) represent an attempt to automate part of the monitoring.

  • Slide 52/77

    DETECTIVE CONTROLS

    • An Intrusion Detection System creates a log of network traffic that was permitted to pass the firewall.

    • Analyzes the logs for signs of attempted or successful intrusions.

    • Most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks.

    • An alternative technique builds a model representing "normal" network traffic and uses various statistical techniques to identify unusual behavior.
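An added Python example, not from the slides, of the two IDS techniques just described: requests are matched against a small signature database of known attack patterns, and a statistical baseline of requests per source per minute is built from quiet traffic so that later minutes with an unusual rate are flagged. The traffic records, the two signatures and the "mean plus three standard deviations" rule are constructed for the illustration.

```python
"""Two intrusion-detection techniques over traffic the firewall let through.

Added illustration, not code from the slides. The traffic records, the two
signature patterns and the threshold rule (mean + 3 standard deviations of
requests per source per minute) are all constructed for this example.
"""
import re
import statistics
from collections import Counter
from typing import List, Tuple

Record = Tuple[int, str, str]  # (minute, source address, request line)

# Signature database: patterns of known attack traffic (constructed, illustrative)
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection probe": re.compile(r"(?i)union\s+select"),
}


def build_traffic() -> List[Record]:
    """Constructed log: ten quiet minutes, then one minute with a flood and a probe."""
    traffic: List[Record] = []
    for minute in range(10):
        traffic += [(minute, "10.1.4.22", "GET /index.html")] * 2
        traffic += [(minute, "10.1.4.23", "GET /reports/q2.pdf")] * 3
    traffic += [(10, "10.1.4.22", "GET /index.html")] * 3
    traffic += [(10, "203.0.113.5", f"GET /search?q={i}") for i in range(40)]
    traffic.append((10, "198.51.100.9", "GET /files?name=../../config"))
    return traffic


TRAFFIC = build_traffic()


def signature_matches(traffic: List[Record]) -> List[Tuple[int, str, str]]:
    """Signature-based IDS: compare each request with the known-attack patterns."""
    hits = []
    for minute, src, request in traffic:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                hits.append((minute, src, name))
    return hits


def anomalies(traffic: List[Record], train_until: int, k: float = 3.0):
    """Anomaly-based IDS: learn the normal requests-per-minute per source from
    minutes before `train_until`, then flag later (minute, source) pairs whose
    rate exceeds mean + k * standard deviation. Returns (flagged, threshold)."""
    counts = Counter((minute, src) for minute, src, _ in traffic)
    baseline = [n for (minute, _), n in counts.items() if minute < train_until]
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    flagged = sorted(
        (minute, src, n) for (minute, src), n in counts.items()
        if minute >= train_until and n > threshold
    )
    return flagged, threshold


if __name__ == "__main__":
    print(signature_matches(TRAFFIC))
    print(anomalies(TRAFFIC, train_until=10))
```

The two detectors find different things: the signature match catches the single probing request, which has a normal rate, while the rate baseline catches the flood, whose requests match no signature. That is why the slide presents them as alternatives that complement each other.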

  • Slide 53/77

    DETECTIVE CONTROLS

    • Authentication and authorization controls represent the organization's policies governing access to the system and limit the actions that can be performed by authorized users.

    • Actual system use must be examined to assess compliance through:

      – Log analysis
      – Intrusion detection systems
      – Managerial reports
      – Periodically testing the effectiveness of existing security procedures

  • Slide 54/77

    DETECTIVE CONTROLS

    • Managerial reports

      – Management reports are another important detective control.

      – Management can use COBIT to set up a report scorecard.

    • COBIT provides:

      – Management guidelines that identify crucial success factors associated with each objective.

      – Key performance indicators that can be used to assess their effectiveness.

  • Slide 55/77

    DETECTIVE CONTROLS

    • COBIT key performance indicators:

      – Number of incidents with business impact

      – Percent of users who do not comply with password standards

      – Percent of cryptographic keys compromised and revoked

  • Slide 56/77

    DETECTIVE CONTROLS

    • Although regular review of periodic performance reports can help ensure that security controls are adequate, surveys indicate that many organizations fail to regularly monitor security.

  • Slide 57/77

    DETECTIVE CONTROLS

    • Authentication and authorization controls represent the organization's policies governing access to the system and limit the actions that can be performed by authorized users.

    • Actual system use must be examined to assess compliance through:

      – Log analysis
      – Intrusion detection systems
      – Managerial reports
      – Periodically testing the effectiveness of existing security procedures

  • Slide 58/77

    DETECTIVE CONTROLS

    • Security testing

      – The effectiveness of existing security procedures should be tested periodically.

      – One approach is vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities.

      – Security Websites such as the Center for Information Security (www.cisecurity.org) provide:

        – Benchmarks for security best practices.

        – Tools to measure how well a system conforms.

  • Slide 59/77

    DETECTIVE CONTROLS

    • Penetration testing provides a rigorous way to test the effectiveness of an organization's information security.

    • This testing involves an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's IS.

  • Slide 60/77

    Steps in an IS System Attack

    [Figure: Conduct Reconnaissance → Attempt Social Engineering → Scan & Map Target → Research → Execute Attack → Cover Tracks.]

  • Slide 61/77

    DETECTIVE CONTROLS

    • The teams try every possible way to compromise a company's system, including:

      – Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers.

      – Using sexy decoys to distract guards.

      – Climbing through roof hatches and dropping through ceiling panels.

    • Some claim they can get into 90% or more of the companies they attack.

  • Slide 62/77

    CORRECTIVE CONTROLS

    • COBIT specifies the need to identify and handle security incidents.

    • Two of the Trust Services framework criteria for effective security are the existence of procedures to:

      – React to system security breaches and other incidents.

      – Take corrective action on a timely basis.

  • Slide 63/77

    CORRECTIVE CONTROLS

    • Three key components that satisfy the preceding criteria are:

      – Establishment of a computer incident response team.

      – Designation of a specific individual with organization-wide responsibility for security.

      – An organized patch management system.

  • Slide 64/77

    CORRECTIVE CONTROLS

    • Computer emergency response team

      – A key component to being able to respond to security incidents promptly and effectively is the establishment of a computer incident response team (CIRT).

      – Responsible for dealing with major incidents.

      – Should include technical specialists and senior operations management.

      – Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input.

  • Slide 65/77

    CORRECTIVE CONTROLS

    • The CIRT should lead the organization's incident response process through four steps:

      – Recognition that a problem exists

        – Typically occurs when an IDS signals an alert or as a result of a system administrator's log analysis

  • Slide 66/77

    CORRECTIVE CONTROLS

    • The CIRT should lead the organization's incident response process through four steps:

      – Recognition that a problem exists

      – Containment of the problem

        – Once an intrusion is detected, prompt action is needed to stop it and contain the damage

  • Slide 67/77

    CORRECTIVE CONTROLS

    • The CIRT should lead the organization's incident response process through four steps:

      – Recognition that a problem exists

      – Containment of the problem

      – Recovery

        – Damage must be repaired

        – May involve restoring data from backup and reinstalling corrupted programs (discussed more in a later chapter)

  • Slide 68/77

    CORRECTIVE CONTROLS

    • The CIRT should lead the organization's incident response process through four steps:

      – Recognition that a problem exists

      – Containment of the problem

      – Recovery

      – Follow-up

        – Once recovery is in process, the CIRT should lead analysis of how the incident occurred

        – Steps should be taken to modify existing security policy and minimize the likelihood of a similar incident

        – An important decision is whether to try to catch and punish the perpetrator

          – If the perpetrator will be pursued, forensic experts should be involved immediately to ensure that all possible evidence is collected and maintained in a manner that makes it admissible in court

  • Slide 69/77

    CORRECTIVE CONTROLS

    • Three key components that satisfy the preceding criteria are:

      – Establishment of a computer incident response team.

      – Designation of a specific individual with organization-wide responsibility for security.

      – An organized patch management system.

  • Slide 70/77

    CORRECTIVE CONTROLS

    • A chief information security officer (CISO):

      – Should be independent of other IS functions and report to either the COO or CEO.

      – Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.

      – Disseminates info about fraud, errors, security breaches, improper system use, and consequences of these actions.

      – Works with the person in charge of building security, as that is often the entity's weakest link.

      – Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.

  • Slide 71/77

    CORRECTIVE CONTROLS

    • Three key components that satisfy the preceding criteria are:

      – Establishment of a computer incident response team.

      – Designation of a specific individual with organization-wide responsibility for security.

      – An organized patch management system.

  • Slide 72/77

    CORRECTIVE CONTROLS

    • Patch management

      – Another important corrective control involves fixing known vulnerabilities and installing the latest updates to:

        – Anti-virus software
        – Firewalls
        – Operating systems
        – Application programs

      – The number of reported vulnerabilities rises each year.

  • Slide 73/77

    CORRECTIVE CONTROLS

    • Hackers usually publish instructions for doing so (known as exploits) on the Internet.

    • Although it takes skill to discover the exploit, once published, it can be executed by almost anyone.

    • Attackers who execute these programmed exploits are referred to as script kiddies.

    • A patch is code released by software developers to fix vulnerabilities that have

  • Slide 74/77

    CORRECTIVE CONTROLS

    • Patch management is the process for regularly applying patches and updates to all of an organization's software.

    • Challenging to do because:

      – Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.

      – There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.
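An added Python example, not from the slides, of the bookkeeping behind patch management: a constructed patch list and host inventory, a rollout plan that deploys only patches that have passed testing and holds back the rest (the slide's "tested before being deployed"), and a coverage figure of the kind a managerial report could carry. Patch identifiers, product names and host names are placeholders, not real advisories.

```python
"""Patch inventory and a test-before-deploy rollout plan.

Added illustration, not code from the slides. Patch identifiers, product
names and hosts are constructed placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Patch:
    id: str
    product: str
    fixes: str
    tested: bool  # passed the organization's test environment


@dataclass
class Host:
    name: str
    installed: Dict[str, Set[str]]  # product -> patch ids already applied


# Constructed patch list (placeholders)
PATCHES = [
    Patch("OS-2019-01", "ServerOS", "privilege escalation fix", tested=True),
    Patch("OS-2019-02", "ServerOS", "kernel update", tested=False),
    Patch("AV-2019-07", "AVScanner", "signature engine update", tested=True),
    Patch("APP-2019-03", "LedgerApp", "input validation fix", tested=True),
]

# Constructed host inventory; test01 is the test box that already has everything
HOSTS = [
    Host("payroll01", {"ServerOS": {"OS-2019-01"}, "AVScanner": set(), "LedgerApp": set()}),
    Host("hr02", {"ServerOS": set(), "AVScanner": {"AV-2019-07"}}),
    Host("test01", {"ServerOS": {"OS-2019-01", "OS-2019-02"}}),
]


def missing_patches(host: Host, patches: List[Patch]) -> List[Patch]:
    """Patches for products the host runs that are not yet applied."""
    return [
        p for p in patches
        if p.product in host.installed and p.id not in host.installed[p.product]
    ]


def deployment_plan(hosts: List[Host], patches: List[Patch]) -> Dict[str, Dict[str, List[str]]]:
    """Per host: tested patches to deploy now, untested ones held back."""
    plan = {}
    for host in hosts:
        missing = missing_patches(host, patches)
        plan[host.name] = {
            "deploy": sorted(p.id for p in missing if p.tested),
            "hold": sorted(p.id for p in missing if not p.tested),
        }
    return plan


def coverage(hosts: List[Host], patches: List[Patch]) -> float:
    """Share of (host, applicable tested patch) pairs already applied; a
    candidate key performance indicator for a management report."""
    applicable = applied = 0
    for host in hosts:
        for p in patches:
            if p.tested and p.product in host.installed:
                applicable += 1
                applied += p.id in host.installed[p.product]
    return applied / applicable if applicable else 1.0


if __name__ == "__main__":
    for name, work in deployment_plan(HOSTS, PATCHES).items():
        print(name, work)
    print("coverage:", coverage(HOSTS, PATCHES))
```

Untested patches are never silently skipped; they stay visible in the hold list so the gap between "available" and "deployed" is reported rather than forgotten.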

  • Slide 75/77

    CORRECTIVE CONTROLS

    • Intrusion prevention systems may provide great promise if they can be quickly updated to respond to new vulnerabilities and block new exploits, so that the entity can buy time to:

      – Thoroughly test the patches.

      – Apply the patches.

  • Slide 76/77

    (Should be part of Preventative Controls)

    • Border router: Connects an organization's information system to the Internet

    • Firewall: Software or hardware used to filter information

    • Demilitarized Zone (DMZ): Separate network that permits controlled access from the Internet to selected resources

    • Intrusion Prevention Systems (IPS): Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks
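An added Python example, not from the slides, showing how a border router filters IP packets with an access control list in front of a DMZ: rules are checked in order, the first match decides, and traffic that matches no rule is denied. Addresses, rules and packets are constructed; the block goes a little beyond the slide by placing an anti-spoofing rule first, which drops Internet-side packets that claim an internal source address.

```python
"""Stateless packet filtering with a border-router access control list.

Added illustration, not code from the slides. The rule set, addresses and
packets are constructed. It goes slightly beyond the slide by including an
anti-spoofing rule (traffic arriving from the Internet must not claim an
internal source address) at the top of the list.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any port


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dst_port: int


ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")       # constructed internal network
DMZ = ip_network("203.0.113.0/24")        # constructed DMZ
WEB = ip_network("203.0.113.10/32")       # the one DMZ host published to the Internet

# Inbound ACL on the Internet-facing interface; first matching rule wins,
# and anything that matches no rule is denied.
INBOUND_ACL: List[Rule] = [
    Rule("deny", INTERNAL, ANY, "any", None),   # anti-spoofing
    Rule("permit", ANY, WEB, "tcp", 443),
    Rule("permit", ANY, WEB, "tcp", 80),
    Rule("deny", ANY, DMZ, "any", None),        # nothing else reaches the DMZ
    Rule("deny", ANY, INTERNAL, "any", None),   # the Internet never reaches inside directly
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        pkt.src in rule.src
        and pkt.dst in rule.dst
        and rule.proto in ("any", pkt.proto)
        and rule.dst_port in (None, pkt.dst_port)
    )


def filter_packet(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); ("deny", None) is the implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def packet(src: str, dst: str, proto: str, dst_port: int) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, dst_port)


if __name__ == "__main__":
    for pkt in [
        packet("198.51.100.7", "203.0.113.10", "tcp", 443),
        packet("198.51.100.7", "203.0.113.10", "tcp", 22),
        packet("198.51.100.7", "10.1.4.22", "tcp", 445),
        packet("10.1.4.22", "203.0.113.10", "tcp", 443),
    ]:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dst_port, filter_packet(INBOUND_ACL, pkt))
```

Returning the index of the matching rule is what makes the list auditable: when a packet is permitted or denied, the reviewer can point at the exact line responsible, and the implicit deny at the end is reported as such rather than as a silent drop.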

  • Slide 77/77

    New Considerations

    • Virtualization: Multiple systems are run on one computer

    • Cloud Computing: Remotely accessed resources

      – Software applications
      – Data storage
      – Hardware

    • Risks

      – Increased exposure if a breach occurs

      – Reduced authentication standards

    • Opportunities

      – Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein