
Page 1: Chapter 8_Slater.pptx

Chapter 8Information Systems Controls for System Reliability— Part 1: Information Security

Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

8-1

Page 2: Chapter 8_Slater.pptx

Learning Objectives

Discuss how the COBIT framework can be used to develop sound internal control over an organization’s information systems.

Explain the factors that influence information systems reliability.

Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.


Page 3: Chapter 8_Slater.pptx

AIS Controls

COSO and COSO-ERM address general internal control

COBIT addresses information technology internal control


Page 4: Chapter 8_Slater.pptx

[Figure: COBIT Framework, linking Business Objectives, IT Resources (Application systems, Information, Infrastructure, People), the IT Life Cycle (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate) and the information Criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability)]

Source: 2007 IT Governance Institute. All rights reserved. www.itgi.org

Page 5: Chapter 8_Slater.pptx

Information for Management Should Be:

Effectiveness: information must be relevant and timely.

Efficiency: information must be produced in a cost-effective manner.

Confidentiality: sensitive information must be protected from unauthorized disclosure.

Integrity: information must be accurate, complete, and valid.

Availability: information must be available whenever needed.

Compliance: controls must ensure compliance with internal policies and with external legal and regulatory requirements.

Reliability: management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

Page 6: Chapter 8_Slater.pptx

COBIT and Trust Frameworks

The COBIT Framework provides comprehensive guidance for controlling and managing information systems.

COBIT specifies detailed control objectives for 34 IT processes (Figure 8-1).

Auditors are interested in only a subset of COBIT, because SOX addresses system reliability only as it affects the financial statements.

The Trust Services Framework, developed by the AICPA and the CICA (Canadian Institute of Chartered Accountants), relates to systems reliability (security, confidentiality, privacy, processing integrity, availability).

Page 7: Chapter 8_Slater.pptx

Trust Services Framework

The five basic principles that contribute to systems reliability:

[Figure: Trust Services Framework, with Security as the foundation supporting Confidentiality, Privacy, Processing Integrity and Availability, which together yield Systems Reliability]

Security: access to the system and its data is controlled.

Confidentiality: sensitive information is protected from unauthorized disclosure.

Privacy: personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.

Processing integrity: data is processed accurately, completely, in a timely manner, and with proper authorization.

Availability: the system is available to meet operational and contractual obligations.

Page 13: Chapter 8_Slater.pptx

Note the importance of security in this picture: it is the foundation of systems reliability. Security procedures restrict system access to only authorized users and protect:

The confidentiality of sensitive organizational data.

The privacy of personal identifying information collected from customers.

[Figure: Trust Services Framework]

Page 14: Chapter 8_Slater.pptx

INTRODUCTION

Security procedures also provide for processing integrity by preventing:

Submission of unauthorized or fictitious transactions.

Unauthorized changes to stored data or programs.

They also protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.

[Figure: Trust Services Framework]

Page 15: Chapter 8_Slater.pptx

Trust Services Framework


Page 16: Chapter 8_Slater.pptx

FUNDAMENTAL INFORMATION SECURITY CONCEPTS

There are two fundamental information security concepts that will be discussed in this chapter:

Security is a management issue, not a technology issue.

Defense in depth and the time-based model of security.

Page 17: Chapter 8_Slater.pptx

Security / Systems Reliability

Security is the foundation of the Trust Services Framework.

Security is a management issue, not a technology issue. SOX Section 302 makes the CEO and the CFO responsible for certifying that the financial statements fairly present the results of the company's activities.

The accuracy of an organization's financial statements depends upon the reliability of its information systems.

Page 18: Chapter 8_Slater.pptx

Management’s Role in IS Security

Table 8-1

Create security aware culture

Inventory and value company information resources

Assess risk, select risk response

Develop and communicate security: Plans, policies, and procedures

Acquire and deploy IT security resources

Monitor and evaluate effectiveness



Page 20: Chapter 8_Slater.pptx

TIME-BASED MODEL OF SECURITY

The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.

All three types of controls are necessary:

Preventive: limit actions to those in accord with the organization's security policy and disallow all others.

Detective: identify when preventive controls have been breached.

Corrective: repair damage from problems that have occurred, and improve preventive and detective controls to reduce the likelihood of similar incidents.

Page 23: Chapter 8_Slater.pptx

TIME-BASED MODEL OF SECURITY

The time-based model evaluates the effectiveness of an organization's security by measuring and comparing the relationship among three variables:

P = time it takes an attacker to break through the organization's preventive controls.

D = time it takes to detect that an attack is in progress.

C = time it takes to respond to the attack.

If P > (D + C), the security procedures are effective: the attack is detected and answered before the preventive controls give way. Otherwise, security is ineffective.

Page 24: Chapter 8_Slater.pptx

DEFENSE IN DEPTH

The idea of defense in depth is to employ multiple layers of controls to avoid having a single point of failure. If one layer fails, another may function as planned.

Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.

Redundancy also applies to detective and corrective controls.

Page 25: Chapter 8_Slater.pptx

DEFENSE IN DEPTH

Major types of preventive controls used for defense in depth include:

Authentication controls (passwords, tokens, biometrics, MAC addresses)

Authorization controls (access control matrices and compatibility tests)

Training

Physical access controls (locks, guards, biometric devices)

Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)

Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)

Encryption

Page 26: Chapter 8_Slater.pptx

DEFENSE IN DEPTH

Major types of detective controls used for defense in depth include:

Log analysis

Intrusion detection systems

Managerial reports

Security testing (vulnerability scanners, penetration tests, war dialing)

Page 27: Chapter 8_Slater.pptx

DEFENSE IN DEPTH

Major types of corrective controls used for defense in depth include:

Computer incident response teams (CIRT)

Chief Information Security Officer (CISO)

Patch management


Page 29: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

The objective of preventive controls is to prevent security incidents from happening. This involves two related functions:

Authentication focuses on verifying the identity of the person or device attempting to gain access.

Authorization restricts the access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.

Page 30: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Users can be authenticated by verifying:

Something they know, such as passwords or PINs.

Something they have, such as smart cards or ID badges.

Some physical characteristic (biometric identifier), such as fingerprints or voice.

Page 31: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Passwords are probably the most commonly used authentication method and also the most controversial. An effective password must satisfy a number of requirements: it must be long, use multiple character types, be random, and be kept secret.

Page 32: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Each authentication method has its limitations.

Passwords can be guessed, lost, written down, or given away.

Physical identification techniques include cards, badges, USB devices, and cell phones. These can be lost, stolen, or duplicated.

Biometric techniques:

Are expensive and often cumbersome.

Are not yet 100% accurate, sometimes rejecting legitimate users and allowing unauthorized people.

Some techniques, such as fingerprints, may carry negative connotations that hinder acceptance.

Security concerns surround the storage of this data. If the data is compromised, it could create serious, life-long problems for the donor: unlike passwords or tokens, biometric identifiers cannot be replaced or changed.

Page 35: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Although none of the three basic authentication methods is foolproof by itself, using two or three in conjunction, known as multi-factor authentication, is quite effective.

Example: using a palm print and a PIN together is much more effective than using either method alone.

Page 36: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Authorization controls are implemented by creating an access control matrix, which specifies what part of the IS a user can access and what actions they are permitted to perform.

When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine whether the action should be allowed.

Page 37: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Who has the authority to delete Program 2?

User identification                  Files            Programs
Code Number   Password            A    B    C      1    2    3    4
12345         ABC                 0    0    1      0    0    0    0
12346         DEF                 0    2    0      0    0    0    0
12354         KLM                 1    1    1      0    0    0    0
12359         NOP                 3    0    0      0    0    0    0
12389         RST                 0    1    0      0    3    0    0
12567         XYZ                 1    1    1      1    1    1    1

Codes for type of access: 0 = No access permitted; 1 = Read and display only; 2 = Read, display, and update; 3 = Read, display, update, create, and delete.

Answer: only user 12389 (password RST) holds access code 3 on Program 2. User 12567 has code 1 on every resource and so can only read and display.
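The matrix above as a runnable compatibility test. This is an example added to this page, not code from the textbook. The resource names, user code numbers and access codes are copied from the slide, and the rule that a higher code includes every action of the lower codes follows the slide's code definitions. The password column is deliberately left out: the matrix should be consulted only after the user has been authenticated, and credentials belong in a separate, hashed store.

```python
# Access control matrix and compatibility test built from the slide's figure.
# Example added to this page; not textbook code.

from typing import Dict, List

# Slide's codes: 0 = no access, 1 = read/display, 2 = read/display/update,
# 3 = read/display/update/create/delete.  Higher codes include the lower ones.
ACCESS_MATRIX: Dict[str, Dict[str, int]] = {
    "12345": {"File A": 0, "File B": 0, "File C": 1, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
    "12346": {"File A": 0, "File B": 2, "File C": 0, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
    "12354": {"File A": 1, "File B": 1, "File C": 1, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
    "12359": {"File A": 3, "File B": 0, "File C": 0, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
    "12389": {"File A": 0, "File B": 1, "File C": 0, "Program 1": 0, "Program 2": 3, "Program 3": 0, "Program 4": 0},
    "12567": {"File A": 1, "File B": 1, "File C": 1, "Program 1": 1, "Program 2": 1, "Program 3": 1, "Program 4": 1},
}

# Lowest access code that permits each action.
ACTION_LEVEL: Dict[str, int] = {"read": 1, "display": 1, "update": 2, "create": 3, "delete": 3}


def compatibility_test(user_code: str, resource: str, action: str) -> bool:
    """Return True only if the matrix grants `user_code` a high enough code for
    `action` on `resource`.  Unknown users, resources or actions fail closed."""
    required = ACTION_LEVEL.get(action)
    if required is None:
        return False
    granted = ACCESS_MATRIX.get(user_code, {}).get(resource, 0)
    return granted >= required


def who_can(resource: str, action: str) -> List[str]:
    """Every user code the matrix allows to perform `action` on `resource`."""
    return sorted(u for u in ACCESS_MATRIX if compatibility_test(u, resource, action))


if __name__ == "__main__":
    print("Can delete Program 2:", who_can("Program 2", "delete"))   # ['12389']
    print("Can read Program 2:", who_can("Program 2", "read"))       # ['12389', '12567']
```

The fail-closed defaults are the part worth copying: a user, resource or action the matrix has never heard of is denied rather than silently granted code 0 semantics that some later code path might misread.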

Page 38: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Authentication and authorization can be applied to devices as well as users. Every workstation, printer, or other computing device needs a network interface card (NIC) to connect to the organization's network.

Each network device has a unique identifier, referred to as its media access control (MAC) address.

It is possible to restrict network access to only those devices which have a recognized MAC address, or to use MAC addresses for authorization. For example, payroll or EFT applications should be set to run only from authorized terminals.

Note that a MAC address is reported by the device itself and can be changed in software, so MAC filtering stops only casual misuse; it should be layered with user authentication rather than relied on as the sole device authenticator.

Page 39: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Encryption is the final layer of preventive controls.

Page 40: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder.

Also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions.

Therefore, accountants, auditors, and systems professionals need to understand encryption.

Page 41: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

[Figure: Plaintext ("This is a contract for . . .") + Key -> Encryption algorithm -> Ciphertext ("Xb&j &m 2 ep0%fg . . .") + Key -> Decryption algorithm -> Plaintext ("This is a contract for . . .")]

Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.

Decryption reverses this process.

To encrypt or decrypt, both a key and an algorithm are needed.

Page 42: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Hashing

Hashing takes plaintext of any length and transforms it into a short code called a hash. SHA-256 creates a 256-bit hash regardless of text length.

Hashing differs from encryption in that:

Encryption produces ciphertext of roughly the same length as the plaintext, whereas hashing produces a hash of a fixed, short length.

Encryption is reversible, but hashing is not: you cannot transform a hash back into its original plaintext.

Page 43: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

Digital signatures

Asymmetric encryption and hashing are used to create digital signatures. A digital signature is a hash of the document encrypted with the creator's private key.

That information can only be decrypted using the corresponding public key. So successful decryption with an entity's public key proves the signature could only have been created by the entity that holds the corresponding private key.

The private key is known only to its owner, so only the owner could have created the signature. Because the signed value is a hash of the document, any change to the document makes the recomputed hash differ from the decrypted one, so the signature also detects tampering.

Page 44: Chapter 8_Slater.pptx

PREVENTIVE CONTROLS

A digital certificate is an electronic document, created and digitally signed by a trusted third party, that certifies the identity of the owner of a particular public key.

Digital certificates provide an automated method for obtaining an organization's or individual's public key.

Page 45: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

Preventive controls are never 100% effective in blocking all attacks.

So organizations implement detective controls to enhance security by:

Monitoring the effectiveness of preventive controls; and

Detecting incidents in which preventive controls have been circumvented.

Page 46: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

Authentication and authorization controls are preventive: they represent the organization's policies governing access to the system and limit the actions that can be performed by authorized users.

Actual system use must then be examined, as a detective control, to assess compliance through:

Log analysis

Intrusion detection systems

Managerial reports

Periodically testing the effectiveness of existing security procedures


Page 48: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

Log analysis

Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. Logs form an audit trail of system access, but are of value only if routinely examined. Log analysis is the process of examining logs to monitor security.

Page 49: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

The log may indicate unsuccessful attempts to log in to different servers. The person analyzing the log must try to determine the reason for the failed attempt. It could be that:

The person was a legitimate user who forgot his password.

The person was a legitimate user but not authorized to access that particular server.

The user ID was invalid and represented an attempted intrusion.
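The three explanations above, applied automatically to a batch of failed-login records. This is an example added to this page, not code from the textbook. The log format is a constructed, simplified one, and the sample lines, the user directory, the per-server authorization lists and the failure threshold are all constructed for the example; adapt the regular expression and the lookups to your own authentication logs and directory.

```python
# Log analysis of failed logins as a detective control.  Example added to
# this page; not textbook code.  Everything below the imports is constructed.

import re
from collections import defaultdict
from typing import Dict, List, Tuple

KNOWN_USERS = {"asmith", "bjones", "cwong"}          # constructed user directory
SERVER_ACL = {                                        # constructed: who may log in where
    "fileserver": {"asmith", "bjones", "cwong"},
    "payroll-db": {"bjones"},
}
FAILURE_THRESHOLD = 5   # constructed: this many failures on one account looks like guessing

# Constructed, simplified format: "<date> <time> <server> auth: FAILED|ACCEPTED login for <user>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) auth: (FAILED|ACCEPTED) login for (\S+)$")

SAMPLE_LOG = """\
2023-03-01 08:01:10 fileserver auth: FAILED login for asmith
2023-03-01 08:01:25 fileserver auth: ACCEPTED login for asmith
2023-03-01 08:05:00 payroll-db auth: FAILED login for cwong
2023-03-01 09:00:01 payroll-db auth: FAILED login for root
2023-03-01 09:00:02 payroll-db auth: FAILED login for root
2023-03-01 09:00:03 payroll-db auth: FAILED login for root
2023-03-01 10:10:00 payroll-db auth: FAILED login for bjones
2023-03-01 10:10:01 payroll-db auth: FAILED login for bjones
2023-03-01 10:10:02 payroll-db auth: FAILED login for bjones
2023-03-01 10:10:03 payroll-db auth: FAILED login for bjones
2023-03-01 10:10:04 payroll-db auth: FAILED login for bjones
2023-03-01 10:10:05 payroll-db auth: ACCEPTED login for bjones
"""


def parse_log(log_text: str) -> List[Dict[str, str]]:
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, server, outcome, user = m.groups()
            events.append({"ts": ts, "server": server, "outcome": outcome, "user": user})
    return events


def classify_failures(log_text: str) -> Dict[Tuple[str, str], Dict[str, object]]:
    """For every (user, server) pair with failed logins, count the failures and
    assign one of the slide's explanations, plus a password-guessing verdict."""
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    later_success = set()
    for ev in parse_log(log_text):
        key = (ev["user"], ev["server"])
        if ev["outcome"] == "FAILED":
            failures[key] += 1
        elif failures.get(key):       # a success after earlier failures on this account
            later_success.add(key)

    findings: Dict[Tuple[str, str], Dict[str, object]] = {}
    for (user, server), count in failures.items():
        if user not in KNOWN_USERS:
            verdict = "invalid user ID: possible intrusion attempt"
        elif user not in SERVER_ACL.get(server, set()):
            verdict = "legitimate user not authorized for this server"
        elif count >= FAILURE_THRESHOLD:
            # Checked before the forgot-password case: a burst of failures that
            # ends in a success is what a guessing attack that worked looks like.
            verdict = "authorized user, burst of failures: possible password guessing"
        elif (user, server) in later_success:
            verdict = "legitimate user who probably mistyped or forgot the password"
        else:
            verdict = "authorized user, unresolved failures: follow up"
        findings[(user, server)] = {"failures": count, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for (user, server), f in classify_failures(SAMPLE_LOG).items():
        print(f"{user:8} {server:12} failures={f['failures']}  {f['verdict']}")
```

The ordering of the checks is the point: the unknown-user and wrong-server cases need no threshold at all, and a burst above the threshold is reported as suspicious even when it ends in a successful login, because that is precisely the case a forgot-my-password explanation would otherwise hide.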


Page 51: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

Intrusion detection systems

A major weakness of log analysis is that it is labor intensive and prone to human error. Intrusion detection systems (IDS) represent an attempt to automate part of the monitoring.

Page 52: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

An intrusion detection system creates a log of network traffic that was permitted to pass the firewall and analyzes the logs for signs of attempted or successful intrusions.

The most common analysis is to compare the logs to a database containing patterns of traffic associated with known attacks (signature-based detection).

An alternative technique builds a model representing "normal" network traffic and uses various statistical techniques to identify unusual behavior (anomaly-based detection).
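Both analysis techniques from the slide above, run over a small traffic log. This is an example added to this page, not code from the textbook. The two-entry signature database, the baseline and analysis-window records, and the 3-standard-deviation threshold are constructed for the example; a real IDS carries thousands of signatures and models far more than transfer size.

```python
# Two ways an IDS analyzes logged traffic: signature matching against known
# attack patterns, and anomaly detection against a statistical model of
# "normal" traffic.  Example added to this page; not textbook code.

import re
import statistics
from typing import List, Tuple

# Constructed signature database: attack name -> pattern over the request payload.
SIGNATURES = {
    "sql-injection": re.compile(r"('|%27)\s*or\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

# Constructed records of traffic the firewall let through: source address,
# request payload and bytes transferred.  BASELINE is a quiet period used to
# learn normal transfer sizes; TRAFFIC is the window under analysis.
BASELINE: List[dict] = [
    {"src": "10.0.0.5", "payload": "GET /index.html",   "bytes": 1200},
    {"src": "10.0.0.6", "payload": "GET /about.html",   "bytes": 950},
    {"src": "10.0.0.7", "payload": "GET /index.html",   "bytes": 1400},
    {"src": "10.0.0.5", "payload": "GET /news.html",    "bytes": 1100},
    {"src": "10.0.0.8", "payload": "GET /index.html",   "bytes": 1300},
    {"src": "10.0.0.6", "payload": "GET /contact.html", "bytes": 1000},
    {"src": "10.0.0.9", "payload": "GET /index.html",   "bytes": 1250},
    {"src": "10.0.0.7", "payload": "GET /news.html",    "bytes": 1150},
]
TRAFFIC: List[dict] = [
    {"src": "10.0.0.5",     "payload": "GET /index.html",             "bytes": 1100},
    {"src": "203.0.113.9",  "payload": "GET /login?user=a' OR 1=1--", "bytes": 1300},
    {"src": "203.0.113.9",  "payload": "GET /../../../etc/passwd",    "bytes": 1000},
    {"src": "198.51.100.7", "payload": "POST /upload",                "bytes": 250000},
]


def signature_alerts(records: List[dict]) -> List[Tuple[str, str]]:
    """Compare each payload with the known-attack database; return (source, attack name)."""
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(r["payload"]):
                alerts.append((r["src"], name))
    return alerts


def anomaly_alerts(baseline: List[dict], records: List[dict],
                   z_threshold: float = 3.0) -> List[Tuple[str, float]]:
    """Flag records whose transfer size lies more than z_threshold standard
    deviations above the baseline mean; return (source, z-score)."""
    sizes = [r["bytes"] for r in baseline]
    mean = statistics.fmean(sizes)
    stdev = statistics.pstdev(sizes) or 1.0   # a flat baseline would otherwise divide by zero
    alerts = []
    for r in records:
        z = (r["bytes"] - mean) / stdev
        if z > z_threshold:
            alerts.append((r["src"], round(z, 1)))
    return alerts


if __name__ == "__main__":
    print(signature_alerts(TRAFFIC))        # the two malicious requests from 203.0.113.9
    print(anomaly_alerts(BASELINE, TRAFFIC))  # the oversized upload from 198.51.100.7
```

Note what each technique misses: the signature matcher says nothing about the 250 kB upload because no pattern describes it, and the anomaly model says nothing about the injection attempts because their sizes are unremarkable. That complementarity is why the slide presents them as alternatives to combine rather than a choice.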


Page 54: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

Managerial reports

Management reports are another important detective control. Management can use COBIT to set up a report scorecard. COBIT provides:

Management guidelines that identify critical success factors associated with each objective.

Key performance indicators that can be used to assess their effectiveness.

Page 55: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

COBIT key performance indicators include:

Number of incidents with business impact

Percent of users who do not comply with password standards

Percent of cryptographic keys compromised and revoked

Page 56: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

Although regular review of periodic performance reports can help ensure that security controls are adequate, surveys indicate that many organizations fail to regularly monitor security.


Page 58: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

Security testing

The effectiveness of existing security procedures should be tested periodically. One approach is vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities.

Security websites such as the Center for Internet Security (www.cisecurity.org) provide benchmarks for security best practices and tools to measure how well a system conforms to them.

Page 59: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

Penetration testing provides a rigorous way to test the effectiveness of an organization’s information security.

This testing involves an authorized attempt by either an internal audit team or external security consulting firm to break into the organization’s IS.

Page 60: Chapter 8_Slater.pptx

Steps in an IS System Attack

Conduct reconnaissance

Attempt social engineering

Scan and map target

Research

Execute attack

Cover tracks

Page 61: Chapter 8_Slater.pptx

DETECTIVE CONTROLS

The teams try every possible way to compromise a company's system, including:

Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers.

Using sexy decoys to distract guards.

Climbing through roof hatches and dropping through ceiling panels.

Some claim they can get into 90% or more of the companies they attack.

Page 62: Chapter 8_Slater.pptx

CORRECTIVE CONTROLS

COBIT specifies the need to identify and handle security incidents.

Two of the Trust Services Framework criteria for effective security are the existence of procedures to:

React to system security breaches and other incidents.

Take corrective action on a timely basis.

Page 63: Chapter 8_Slater.pptx

CORRECTIVE CONTROLS

Three key components that satisfy the preceding criteria are:

Establishment of a computer incident response team.

Designation of a specific individual with organization-wide responsibility for security.

An organized patch management system.

Page 64: Chapter 8_Slater.pptx

CORRECTIVE CONTROLS

Computer incident response team

A key component of being able to respond to security incidents promptly and effectively is the establishment of a computer incident response team (CIRT). The CIRT is responsible for dealing with major incidents and should include technical specialists and senior operations management.

Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input.

Page 65: Chapter 8_Slater.pptx

CORRECTIVE CONTROLS

The CIRT should lead the organization's incident response process through four steps:

Recognition that a problem exists. This typically occurs when an IDS signals an alert or as a result of a system administrator's log analysis.

Containment of the problem. Once an intrusion is detected, prompt action is needed to stop it and contain the damage.

Recovery. Damage must be repaired; this may involve restoring data from backup and reinstalling corrupted programs (discussed further in a later chapter).

Follow-up. Once recovery is in process, the CIRT should lead analysis of how the incident occurred, and steps should be taken to modify existing security policy and minimize the likelihood of a similar incident. An important decision is whether to try to catch and punish the perpetrator: if the perpetrator will be pursued, forensic experts should be involved immediately to ensure that all possible evidence is collected and maintained in a manner that makes it admissible in court.


Page 70: Chapter 8_Slater.pptx

CORRECTIVE CONTROLS

A chief information security officer (CISO):

Should be independent of other IS functions and report to either the COO or the CEO.

Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.

Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions.

Works with the person in charge of building security, as physical security is often the entity's weakest link.

Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.


Page 72: Chapter 8_Slater.pptx

CORRECTIVE CONTROLS

Patch management

Another important corrective control involves fixing known vulnerabilities and installing the latest updates to anti-virus software, firewalls, operating systems, and application programs.

The number of reported vulnerabilities rises each year.

Page 73: Chapter 8_Slater.pptx

CORRECTIVE CONTROLS

Hackers usually publish instructions for taking advantage of a vulnerability (known as exploits) on the Internet. Although it takes skill to discover an exploit, once published it can be executed by almost anyone. Attackers who run these published exploits are referred to as script kiddies.

A patch is code released by software developers to fix vulnerabilities that have been discovered.

Page 74: Chapter 8_Slater.pptx

CORRECTIVE CONTROLS

Patch management is the process for regularly applying patches and updates to all of an organization's software. It is challenging to do because:

Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.

There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.

Page 75: Chapter 8_Slater.pptx

CORRECTIVE CONTROLS

Intrusion prevention systems hold great promise if they can be quickly updated to respond to new vulnerabilities and block new exploits, buying the entity time to thoroughly test the patches and then apply them.

Page 76: Chapter 8_Slater.pptx

Network Access Control: Perimeter Defense (part of preventive controls)

Border router: connects an organization's information system to the Internet.

Firewall: software or hardware used to filter information.

Demilitarized zone (DMZ): a separate network that permits controlled access from the Internet to selected resources.

Intrusion prevention systems (IPS): monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.

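The border router, firewall and DMZ from the slide above, reduced to the one mechanism they share: an ordered access control list applied to each packet. This is an example added to this page, not code from the textbook; the address ranges, the rules and the sample packets are constructed. It goes slightly beyond the slide in showing why rule order matters when address ranges overlap.

```python
# A stateless packet filter applying an ordered access control list, the way
# a border router or firewall separates the Internet, a DMZ and the internal
# network.  Example added to this page; not textbook code.

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNET = ipaddress.ip_network("0.0.0.0/0")    # everything, including the two ranges below
DMZ = ipaddress.ip_network("192.0.2.0/24")      # constructed: public-facing web servers
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed: workstations and databases


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    dport: Optional[int] = None     # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Evaluated top to bottom; the first matching rule decides.  Order matters
# because INTERNET overlaps DMZ and INTERNAL: if the final deny were listed
# first, it would also swallow the DMZ-to-database rule.
ACL: List[Rule] = [
    Rule("permit", INTERNET, DMZ, "tcp", 443),        # public HTTPS into the DMZ only
    Rule("permit", DMZ, INTERNAL, "tcp", 5432),       # DMZ web tier to the internal database
    Rule("permit", INTERNAL, INTERNET, "tcp", 443),   # outbound HTTPS from inside
    Rule("deny", INTERNET, INTERNAL, "any"),          # nothing else from outside reaches the inside
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (src in rule.src and dst in rule.dst
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; anything unmatched is dropped."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"   # implicit default deny: the list is a whitelist, not a blacklist


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.20", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web: permit
        Packet("198.51.100.20", "10.1.1.5", "tcp", 443),     # Internet -> internal: deny
        Packet("192.0.2.10", "10.1.1.5", "tcp", 5432),       # DMZ -> internal DB: permit
        Packet("192.0.2.10", "10.1.1.5", "tcp", 22),         # DMZ -> internal SSH: deny
        Packet("198.51.100.20", "192.0.2.10", "tcp", 22),    # Internet -> DMZ SSH: default deny
    ]
    for p in samples:
        print(f"{p.src:>15} -> {p.dst:<12} {p.proto}/{p.dport:<5} {filter_packet(ACL, p)}")
```

The last line of `filter_packet` is the check a reviewer looks for first: a filter whose unmatched traffic falls through to "permit" is a blacklist and will let through whatever nobody thought to list.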

Page 77: Chapter 8_Slater.pptx

New Considerations

Virtualization: multiple systems are run on one computer.

Cloud computing: remotely accessed resources, including software applications, data storage, and hardware.

Risks: increased exposure if a breach occurs; reduced authentication standards.

Opportunities: implementing strong access controls in the cloud, or over the server that hosts a virtual network, provides good security over all the systems contained therein.