8/20/2019 Chapter 8 Slater
Chapter 8
Information Systems Controls for System Reliability— Part 1: Information Security
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
Learning Objectives
Discuss how the COBIT framework can be used to develop sound internal control over an organization's information systems.
Explain the factors that influence information systems reliability.
Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.
AIS Controls
COSO and COSO-ERM address general internal control.
COBIT addresses information technology internal control.
COBIT Framework (figure, © 2007 IT Governance Institute, www.itgi.org)
Business Objectives drive the IT Life Cycle of four domains: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate.
IT Resources: Application systems, Information, Infrastructure, People.
Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.
Information for Management Should Be:
Effectiveness: Information must be relevant and timely.
Efficiency: Information must be produced in a cost-effective manner.
Confidentiality: Sensitive information must be protected from unauthorized disclosure.
Integrity: Information must be accurate, complete, and valid.
Availability: Information must be available whenever needed.
Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
COBIT and Trust Frameworks
The COBIT Framework provides comprehensive guidance for controlling and managing IS.
COBIT specifies detailed control objectives for 34 IT processes (Figure 8-1).
Auditors are only interested in a subset of COBIT; SOX only addresses the issue of system reliability for financial statements.
The Trust Services Framework developed by the AICPA and CICA (Canadian) relates to systems reliability (security, confidentiality, privacy, processing integrity, availability).
Trust Services Framework
The five basic principles that contribute to systems reliability:
Security: Access to the system and its data is controlled.
Confidentiality: Sensitive information is protected from unauthorized disclosure.
Privacy: Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.
Processing integrity: Data is processed accurately, completely, in a timely manner, and with proper authorization.
Availability: The system is available to meet operational and contractual obligations.
(Figure: the five principles drawn as a structure resting on Security and supporting Systems Reliability.)

Note the importance of security in this picture. It is the foundation of systems reliability.
Security procedures restrict system access to only authorized users and protect:
The confidentiality of sensitive organizational data.
The privacy of personal identifying information collected from customers.
Security procedures also:
Provide for processing integrity by preventing:
Submission of unauthorized or fictitious transactions.
Unauthorized changes to stored data or programs.
Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.
FUNDAMENTAL INFORMATION SECURITY CONCEPTS
There are two fundamental information security concepts that will be discussed in this chapter:
Security as a management issue, not a technology issue.
Defense in depth & the time-based model of security.
Security & Systems Reliability
Foundation of the Trust Services Framework.
Security is a management issue, not a technology issue.
SOX 302 states: the CEO and the CFO are responsible to certify that the financial statements fairly present the results of the company's activities.
The accuracy of an organization's financial statements depends upon the reliability of its information systems.
Management's Role in IS Security (Table 8-1)
Create a security-aware culture
Inventory and value company information resources
Assess risk, select risk response
Develop and communicate security plans, policies, and procedures
Acquire and deploy IT security resources
Monitor and evaluate effectiveness
TIME-BASED MODEL OF SECURITY
The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.
All three types of controls are necessary:
Preventive
• Limit actions to those in accord with the organization's security policy and disallow all others
Detective
• Identify when preventive controls have been breached
Corrective
• Repair damage from problems that have occurred
• Improve preventive and detective controls to reduce the likelihood of similar incidents
TIME-BASED MODEL OF SECURITY
The time-based model evaluates the effectiveness of an organization's security by measuring and comparing the relationship among three variables:
P = Time it takes an attacker to break through the organization's preventive controls.
D = Time it takes to detect that an attack is in progress.
C = Time to respond to the attack.
These three variables are evaluated as follows: If P > (D + C), then security procedures are effective. Otherwise, security is ineffective.
DEFENSE IN DEPTH
The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure.
If one layer fails, another may function as planned.
Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.
Redundancy also applies to detective and corrective controls.
DEFENSE IN DEPTH
Major types of preventive controls used for defense in depth include:
Authentication controls (passwords, tokens, biometrics, MAC addresses)
Authorization controls (access control matrices and compatibility tests)
Training
Physical access controls (locks, guards, biometric devices)
Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)
Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)
Encryption
DEFENSE IN DEPTH
Major types of detective controls used for defense in depth include:
Log analysis
Intrusion detection systems
Managerial reports
Security testing (vulnerability scanners, penetration tests, war dialing)
DEFENSE IN DEPTH
Major types of corrective controls used for defense in depth include:
Computer incident response teams (CIRT)
Chief Information Security Officer (CISO)
Patch management
PREVENTIVE CONTROLS
The objective of preventive controls is to prevent security incidents from happening.
Involves two related functions:
Authentication: Focuses on verifying the identity of the person or device attempting to gain access.
Authorization: Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.
PREVENTIVE CONTROLS
Users can be authenticated by verifying:
Something they know, such as passwords or PINs.
Something they have, such as smart cards or ID badges.
Some physical characteristic (biometric identifier), such as fingerprints or voice.
PREVENTIVE CONTROLS
Passwords are probably the most commonly used authentication method and also the most controversial.
An effective password must satisfy a number of requirements:
Length
Multiple character types
Random
Secret
PREVENTIVE CONTROLS
Each authentication method has its limitations.
Passwords
• Can be guessed, lost, written down, or given away
Physical identification techniques
Biometric techniques
• Expensive and often cumbersome
• Not yet 100% accurate, sometimes rejecting legitimate users and allowing unauthorized people
• Some techniques, like fingerprints, may carry negative connotations that hinder acceptance
• Security concerns surround the storage of this data
– If the data is compromised it could create serious life-long problems for the donor
– Unlike passwords or tokens, biometric identifiers cannot be replaced or changed
PREVENTIVE CONTROLS
Although none of the three basic authentication methods is foolproof by itself, the use of two or three in conjunction, known as multi-factor authentication, is quite effective.
Example: Using a palm print and a PIN number together is much more effective than using either method alone.
PREVENTIVE CONTROLS
Authorization controls are implemented by creating an access control matrix.
Specifies what part of the IS a user can access and what actions they are permitted to perform.
When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.
PREVENTIVE CONTROLS
(Figure: example access control matrix. Each row lists a user's code number and password followed by a permission code for files A, B, C and programs 1, 2, 3, 4; e.g., code number 12345 with password ABC, code number 12346 with password DEF. The slide asks: who has the authority to delete Program 2?)
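An added example (not from the slides) of the access control matrix and compatibility test described above, in Python. The permission legend (0 none, 1 read, 2 read/update, 3 full), the three users and every matrix value are constructed for this illustration, and passwords are stored as SHA-256 digests rather than in the clear as the slide's matrix does.

```python
"""Access control matrix with a compatibility test.

Added example, not from the original slides. The permission legend, the
users and every matrix value below are constructed for illustration; the
slide's own matrix values are not reproduced.
"""
from __future__ import annotations

import hashlib
import hmac

# Permission codes (assumption: the slide shows codes but no legend).
NO_ACCESS, READ, READ_UPDATE, FULL = 0, 1, 2, 3

# Minimum permission code each action needs (assumption).
REQUIRED = {"read": READ, "update": READ_UPDATE, "create": FULL, "delete": FULL}

# Matrix columns: three files and four programs, as on the slide.
RESOURCES = ("File A", "File B", "File C",
             "Program 1", "Program 2", "Program 3", "Program 4")


def _digest(password: str) -> str:
    # The slide's matrix stores the password beside the code number; storing
    # only a hash of it is the one change made in this example.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed matrix: code number -> (password digest, permission code per column).
ACCESS_MATRIX = {
    "12345": (_digest("ABC"), (1, 0, 0, 1, 0, 0, 0)),
    "12346": (_digest("DEF"), (2, 2, 0, 3, 3, 0, 0)),
    "12354": (_digest("KLM"), (0, 0, 1, 0, 1, 1, 1)),
}


def authenticate(code_number: str, password: str) -> bool:
    """Verify the credentials presented before any authorization decision."""
    row = ACCESS_MATRIX.get(code_number)
    if row is None:
        return False
    stored_digest, _ = row
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(stored_digest, _digest(password))


def compatibility_test(code_number: str, password: str,
                       resource: str, action: str) -> tuple[bool, str]:
    """Match the user's credentials and requested action against the matrix.

    Returns (allowed, reason); the reason is what the access log should record.
    """
    if action not in REQUIRED:
        return False, f"unknown action {action!r}"
    if resource not in RESOURCES:
        return False, f"unknown resource {resource!r}"
    if not authenticate(code_number, password):
        return False, "authentication failed"
    _, permissions = ACCESS_MATRIX[code_number]
    level = permissions[RESOURCES.index(resource)]
    if level >= REQUIRED[action]:
        return True, f"code {level} permits {action} on {resource}"
    return False, f"code {level} does not permit {action} on {resource}"


def who_can(action: str, resource: str) -> list[str]:
    """Answer the slide's question: who has the authority to delete Program 2?"""
    column = RESOURCES.index(resource)
    return sorted(code for code, (_, permissions) in ACCESS_MATRIX.items()
                  if permissions[column] >= REQUIRED[action])


if __name__ == "__main__":
    print(compatibility_test("12346", "DEF", "Program 2", "delete"))
    print(compatibility_test("12345", "ABC", "Program 2", "delete"))
    print(compatibility_test("12345", "WRONG", "File A", "read"))
    print(who_can("delete", "Program 2"))
```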
PREVENTIVE CONTROLS
Authentication and authorization can be applied to devices as well as users.
Every workstation, printer, or other computing device needs a network interface card (NIC) to connect to the organization's network.
Each network device has a unique identifier, referred to as its media access control (MAC) address.
It is possible to restrict network access to only those devices which have a recognized MAC address, or to use MAC addresses for authorization.
For example, payroll or EFT applications should be set only to run from authorized terminals.
PREVENTIVE CONTROLS
Encryption
The final layer of preventive controls.
(Figure: concentric layers of preventive controls: Training, Control Physical Access, Control Remote Access, Hardening, with Encryption as the innermost layer.)
PREVENTIVE CONTROLS
Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder.
Also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions.
Therefore, accountants, auditors, and systems professionals need to understand encryption.
PREVENTIVE CONTROLS
(Figure: the plaintext "This is a contract for" passes through the encryption algorithm with a key and becomes ciphertext; the decryption algorithm with the key turns the ciphertext back into the plaintext.)
Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
Decryption reverses this process.
To encrypt or decrypt, both a key and an algorithm are needed.
PREVENTIVE CONTROLS
Hashing
Hashing takes plaintext of any length and transforms it into a short code called a hash.
SHA-256 creates a 256-bit hash regardless of text length.
Hashing differs from encryption in that:
Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length.
Encryption is reversible, but hashing is not; you cannot transform a hash back into its original plaintext.
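An added example (not from the slides) putting the two contrasts above side by side in Python: SHA-256, the hash the slide names, yields 32 bytes for any input and cannot be undone, while a cipher yields ciphertext as long as the plaintext and decrypts back to it. The XOR one-time-pad cipher is an assumption made to stay within the standard library and stands in for any real cipher.

```python
"""Hashing versus encryption on the same inputs.

Added example, not from the original slides. SHA-256 is the hash the slide
names; the XOR one-time-pad cipher below is an assumption made to stay
within the standard library and stands in for any real cipher.
"""
from __future__ import annotations

import hashlib
import hmac
import os


def sha256_hash(plaintext: bytes) -> bytes:
    """Hashing: input of any length, always 256 bits (32 bytes) out."""
    return hashlib.sha256(plaintext).digest()


def new_key(length: int) -> bytes:
    """Random key as long as the message; a one-time pad key is never reused."""
    return os.urandom(length)


def xor_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Encryption: the ciphertext has the same length as the plaintext."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def xor_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Decryption reverses encryption given the same key and algorithm."""
    return xor_encrypt(ciphertext, key)  # XOR with the same key is its own inverse


def verify_integrity(plaintext: bytes, expected_hash: bytes) -> bool:
    """Why a one-way hash is useful: detect any change to the text without
    having to store (or be able to recover) the text itself."""
    return hmac.compare_digest(sha256_hash(plaintext), expected_hash)


def compare_lengths(messages: list[bytes]) -> list[tuple[int, int, int]]:
    """For each message: (plaintext length, ciphertext length, hash length).

    Shows the slide's two contrasts: ciphertext tracks the plaintext length
    and decrypts back to it, while the hash is always 32 bytes.
    """
    rows = []
    for message in messages:
        key = new_key(len(message))
        ciphertext = xor_encrypt(message, key)
        if xor_decrypt(ciphertext, key) != message:
            raise RuntimeError("decryption did not reverse encryption")
        rows.append((len(message), len(ciphertext), len(sha256_hash(message))))
    return rows


if __name__ == "__main__":
    contract = b"This is a contract for"
    for row in compare_lengths([b"", contract, contract * 50]):
        print("plaintext %5d bytes -> ciphertext %5d bytes, hash %d bytes" % row)
    digest = sha256_hash(contract)
    print(verify_integrity(contract, digest), verify_integrity(contract + b".", digest))
```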
PREVENTIVE CONTROLS
Digital signatures
Asymmetric encryption and hashing are used to create digital signatures.
A digital signature is information encrypted with the creator's private key.
That information can only be decrypted using the corresponding public key.
So successful decryption with an entity's public key proves the message could only have been created by the entity that holds the corresponding private key.
The private key is known only to its owner, so only the owner could have created the message.
PREVENTIVE CONTROLS
A digital certificate is an electronic document, created and digitally signed by a trusted third party.
Certifies the identity of the owner of a particular public key.
Digital certificates provide an automated method for obtaining an organization's or individual's public key.
DETECTIVE CONTROLS
Preventive controls are never 100% effective in blocking all attacks.
So organizations implement detective controls to enhance security by:
Monitoring the effectiveness of preventive controls; and
Detecting incidents in which preventive controls have been circumvented.
DETECTIVE CONTROLS
Authentication and authorization controls (both preventive and detective) govern access to the system and limit the actions that can be performed by authorized users.
Actual system use (detective control) must be examined to assess compliance through:
Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security procedures
DETECTIVE CONTROLS
Log analysis
Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed.
Logs form an audit trail of system access.
Logs are of value only if routinely examined.
Log analysis is the process of examining logs to monitor security.
DETECTIVE CONTROLS
The log may indicate unsuccessful attempts to log in to different servers.
The person analyzing the log must try to determine the reason for the failed attempt. It could be that:
The person was a legitimate user who forgot his password.
The person was a legitimate user but not authorized to access that particular server.
The user ID was invalid and represented an attempted intrusion.
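An added example (not from the slides) that automates the triage above in Python: each failed login in a constructed access log is sorted into the three explanations the slide lists by checking the user ID against a directory and the server against that user's authorizations. The log format, the user directory and the server authorizations are all constructed for the illustration.

```python
"""Triage of failed login attempts found in an access log.

Added example, not from the original slides. The log format, the user
directory and the server authorizations are all constructed; the three
categories are the explanations the slide lists for a failed login.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed directory: existing user IDs and the servers each may log in to.
USER_DIRECTORY = {
    "jdoe": {"mail", "fileserver"},
    "asmith": {"payroll", "mail"},
    "ops_admin": {"mail", "fileserver", "payroll", "db01"},
}

# Constructed log line format: "<date> <time> server=<host> user=<id> login=OK|FAIL".
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) server=(?P<server>\S+) user=(?P<user>\S+) login=(?P<outcome>OK|FAIL)$"
)

# The three explanations the slide gives for a failed attempt, plus one for junk.
FORGOT_PASSWORD = "legitimate user, wrong password (possibly forgotten)"
NOT_AUTHORIZED = "legitimate user, not authorized for this server"
INTRUSION_ATTEMPT = "invalid user ID: possible intrusion attempt"
UNPARSEABLE = "unparseable log line"

# Constructed sample log.
SAMPLE_LOG = """\
2019-08-20 09:01:12 server=mail user=jdoe login=FAIL
2019-08-20 09:01:40 server=mail user=jdoe login=OK
2019-08-20 09:05:03 server=payroll user=jdoe login=FAIL
2019-08-20 11:42:17 server=payroll user=root login=FAIL
2019-08-20 11:42:19 server=db01 user=root login=FAIL
2019-08-20 11:42:21 server=fileserver user=root login=FAIL
this line is corrupted
""".splitlines()


def classify_failure(user: str, server: str) -> str:
    """Decide which of the slide's three explanations fits a failed login."""
    allowed_servers = USER_DIRECTORY.get(user)
    if allowed_servers is None:
        return INTRUSION_ATTEMPT        # ID does not exist in the directory
    if server not in allowed_servers:
        return NOT_AUTHORIZED           # real user, server they may not use
    return FORGOT_PASSWORD              # real user, right server, bad credential


def triage(lines: list[str]) -> list[dict]:
    """One finding per failed login; successes are skipped, junk stays visible."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match is None:
            findings.append({"raw": line, "category": UNPARSEABLE})
            continue
        rec = match.groupdict()
        if rec["outcome"] != "FAIL":
            continue
        rec["category"] = classify_failure(rec["user"], rec["server"])
        findings.append(rec)
    return findings


def summarize(findings: list[dict]) -> dict:
    """Counts per category, and the distinct servers each user failed against.

    One ID failing on several servers in quick succession is the pattern the
    analyst should review first.
    """
    by_category = Counter(f["category"] for f in findings)
    servers = defaultdict(set)
    for f in findings:
        if "user" in f:
            servers[f["user"]].add(f["server"])
    return {"by_category": dict(by_category),
            "servers_per_user": {u: sorted(s) for u, s in servers.items()}}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(finding.get("ts", "-"), finding.get("user", "-"),
              finding.get("server", "-"), "->", finding["category"])
    print(summarize(results))
```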
*-C-IM C'A-R'&S
ntrusion detection systems 3 ma(or +ea.ness of log analysis is that it is
labor intensi)e an! prone to human error#
Intrusion !etection systems =I*S> represent anattempt to automate part of the monitoring#
DETECTIVE CONTROLS
An Intrusion Detection System creates a log of network traffic that was permitted to pass the firewall.
Analyzes the logs for signs of attempted or successful intrusions.
The most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks.
An alternative technique builds a model representing "normal" network traffic and uses various statistical techniques to identify unusual behavior.
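An added example (not from the slides) running both IDS techniques just described over one constructed log of firewall-permitted traffic in Python: a signature pass against a small database of known-attack patterns, and a statistical pass that models "normal" requests per minute from a baseline and flags minutes whose z-score exceeds a threshold. The traffic records, the two signatures and the threshold are constructed for the illustration.

```python
"""Two IDS analysis techniques run over one constructed traffic log.

Added example, not from the original slides. The traffic records, the
signature database and the z-score threshold are constructed; the two
techniques are the ones the slide describes (known-attack patterns, and a
statistical model of normal traffic).
"""
from __future__ import annotations

import re
import statistics
from collections import Counter

# Constructed log of traffic the firewall permitted: (minute, source, dest_port, request).
TRAFFIC = [
    (0, "10.0.0.5", 80, "GET /index.html"),
    (0, "10.0.0.7", 80, "GET /about.html"),
    (1, "10.0.0.5", 80, "GET /products"),
    (1, "10.0.0.9", 443, "GET /login"),
    (1, "10.0.0.7", 80, "GET /news"),
    (2, "10.0.0.7", 80, "GET /contact"),
    (2, "10.0.0.5", 80, "GET /index.html"),
    (3, "10.0.0.9", 80, "GET /../../etc/passwd"),  # matches a signature
    (3, "10.0.0.7", 80, "GET /news"),
    (3, "10.0.0.5", 80, "GET /products"),
    (4, "10.0.0.5", 80, "GET /index.html"),
    (4, "10.0.0.7", 80, "GET /about.html"),
    (5, "10.0.0.5", 80, "GET /index.html"),
    (5, "10.0.0.7", 80, "GET /news"),
    (5, "10.0.0.9", 443, "GET /login"),
]
# Minute 6: one host opening far more connections than the baseline (constructed flood).
TRAFFIC += [(6, "198.51.100.23", 80, "GET /")] * 18
TRAFFIC += [(6, "10.0.0.5", 80, "GET /index.html")]

# Constructed signature database: request patterns associated with known attacks.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "SQL injection probe": re.compile(r"union\s+select", re.IGNORECASE),
}


def signature_alerts(traffic) -> list[tuple[int, str, str]]:
    """Signature-based analysis: (minute, source, signature name) per match."""
    alerts = []
    for minute, source, _port, request in traffic:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((minute, source, name))
    return alerts


def requests_per_minute(traffic) -> dict[int, int]:
    """Traffic volume per minute, the feature the statistical model uses."""
    return dict(Counter(minute for minute, *_ in traffic))


def anomaly_alerts(traffic, baseline_minutes, threshold: float = 3.0):
    """Statistical analysis: model "normal" as the mean and standard deviation
    of requests per minute over the baseline, then flag minutes whose z-score
    exceeds the threshold. Returns (minute, count, z, busiest source).

    Assumption: a standard deviation below 1 request is floored to 1 so a
    nearly flat baseline does not divide by zero or flag every small bump.
    """
    counts = requests_per_minute(traffic)
    baseline = [counts.get(m, 0) for m in baseline_minutes]
    mean = statistics.fmean(baseline)
    spread = max(statistics.pstdev(baseline), 1.0)
    alerts = []
    for minute, count in sorted(counts.items()):
        z = (count - mean) / spread
        if z > threshold:
            busiest = Counter(src for m, src, *_ in traffic if m == minute).most_common(1)[0][0]
            alerts.append((minute, count, round(z, 1), busiest))
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_alerts(TRAFFIC))
    print("anomalies:", anomaly_alerts(TRAFFIC, baseline_minutes=range(6)))
```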
DETECTIVE CONTROLS
Managerial reports
Management reports are another important detective control.
Management can use COBIT to set up a report scorecard.
COBIT provides:
Management guidelines that identify crucial success factors associated with each objective.
Key performance indicators that can be used to assess their effectiveness.
DETECTIVE CONTROLS
COBIT key performance indicators:
Number of incidents with business impact
Percent of users who do not comply with password standards
Percent of cryptographic keys compromised and revoked
DETECTIVE CONTROLS
Although regular review of periodic performance reports can help ensure that security controls are adequate, surveys indicate that many organizations fail to regularly monitor security.
DETECTIVE CONTROLS
Security testing
The effectiveness of existing security procedures should be tested periodically.
One approach is vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities.
Security Websites such as the Center for Information Security (www.cisecurity.org) provide:
Benchmarks for security best practices.
Tools to measure how well a system conforms.
DETECTIVE CONTROLS
Penetration testing provides a rigorous way to test the effectiveness of an organization's information security.
This testing involves an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's IS.
Steps in an IS System Attack (figure)
Conduct Reconnaissance
Attempt Social Engineering
Scan & Map Target
Research
Execute Attack
Cover Tracks
DETECTIVE CONTROLS
The teams try every possible way to compromise a company's system, including:
Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers.
Using sexy decoys to distract guards.
Climbing through roof hatches and dropping through ceiling panels.
Some claim they can get into 90% or more of the companies they attack.
CORRECTIVE CONTROLS
COBIT specifies the need to identify and handle security incidents.
Two of the Trust Services framework criteria for effective security are the existence of procedures to:
React to system security breaches and other incidents.
Take corrective action on a timely basis.
CORRECTIVE CONTROLS
Three key components that satisfy the preceding criteria are:
Establishment of a computer incident response team.
Designation of a specific individual with organization-wide responsibility for security.
An organized patch management system.
CORRECTIVE CONTROLS
Computer incident response team
A key component to being able to respond to security incidents promptly and effectively is the establishment of a computer incident response team (CIRT).
Responsible for dealing with major incidents.
Should include technical specialists and senior operations management.
Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input.
CORRECTIVE CONTROLS
The CIRT should lead the organization's incident response process through four steps:
Recognition that a problem exists
• Typically occurs when an IDS signals an alert or as a result of a system administrator's log analysis
Containment of the problem
• Once an intrusion is detected, prompt action is needed to stop it and contain the damage
Recovery
• Damage must be repaired
• May involve restoring data from backup and reinstalling corrupted programs (discussed more in a later chapter)
Follow-up
• Once recovery is in process, the CIRT should lead analysis of how the incident occurred
• Steps should be taken to modify existing security policy and minimize the likelihood of a similar incident
• An important decision is whether to try to catch and punish the perpetrator
– If the perpetrator will be pursued, forensic experts should be involved immediately to ensure that all possible evidence is collected and maintained in a manner that makes it admissible in court
CORRECTIVE CONTROLS
A chief information security officer (CISO):
Should be independent of other IS functions and report to either the COO or CEO.
Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions.
Works with the person in charge of building security, as that is often the entity's weakest link.
Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.
CORRECTIVE CONTROLS
Patch management
Another important corrective control involves fixing known vulnerabilities and installing the latest updates to:
Anti-virus software
Firewalls
Operating systems
Application programs
The number of reported vulnerabilities rises each year.
CORRECTIVE CONTROLS
Hackers usually publish instructions for doing so (known as exploits) on the Internet.
Although it takes skill to discover the exploit, once published, it can be executed by almost anyone.
Attackers who execute these programmed exploits are referred to as script kiddies.
A patch is code released by software developers to fix vulnerabilities that have
CORRECTIVE CONTROLS
Patch management is the process for regularly applying patches and updates to all of an organization's software.
Challenging to do because:
Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.
There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.
CORRECTIVE CONTROLS
Intrusion prevention systems may provide great promise if they can be quickly updated to respond to new vulnerabilities and block new exploits, so that the entity can buy time to:
Thoroughly test the patches.
Apply the patches.
(Should be part of Preventative Controls)
Border router: Connects an organization's information system to the Internet.
Firewall: Software or hardware used to filter information.
Demilitarized Zone (DMZ): Separate network that permits controlled access from the Internet to selected resources.
Intrusion Prevention Systems (IPS): Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.
New Considerations
Virtualization: Multiple systems are run on one computer.
Cloud Computing: Remotely accessed resources: software applications, data storage, hardware.
Risks: Increased exposure if a breach occurs; reduced authentication standards.
Opportunities: Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein.