Page 1
© 2006 Prentice Hall Business Publishing, Accounting Information Systems, 10/e, Romney/Steinbart (1 of 49)

IS Controls for Systems Reliability - Information Security

CHAPTER 7
Information Systems Controls for Systems Reliability
Part 1: Information Security

Page 2

INTRODUCTION

• Questions to be addressed in this chapter:
  – How does security affect systems reliability?
  – What is the time-based model of security and the concept of defense-in-depth?
  – What types of preventive, detective, and corrective controls are used to provide information security?

Page 3

INTRODUCTION

• One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means:
  – It provides an accurate, complete, and timely picture of the organization’s activities.
  – It is available when needed.
  – The information and the system that produces it are protected from loss, compromise, and theft.

Page 4

INTRODUCTION

• The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability:
  – Security
  – Confidentiality
  – Online privacy
  – Processing integrity
  – Availability

[Figure: Systems Reliability resting on five pillars labeled Security, Confidentiality, Privacy, Processing Integrity, and Availability]

Page 5

INTRODUCTION

• In this chapter, we will focus on the Trust Services principle of information security.

• Chapter 8 will discuss controls relevant to the other four reliability principles.

• This chapter provides a broad introduction to the topic of information systems security.

• Anyone interested in a career in information systems security would need to undertake additional detailed study.

Page 6

FUNDAMENTAL INFORMATION SECURITY CONCEPTS

• There are three fundamental information security concepts that will be discussed in this chapter:
  – Security as a management issue, not a technology issue.
  – The time-based model of security.
  – Defense in depth.

Page 7

SECURITY AS A MANAGEMENT ISSUE

• Management is responsible for the accuracy of various internal reports and financial statements produced by the organization’s IS.
  – SOX Section 302 requires that the CEO and CFO certify the accuracy of the financial statements.
  – SOX Section 404 requires that the annual report include a report on the company’s internal controls. Within this report, management acknowledges their responsibility for designing and maintaining internal controls and assessing their effectiveness.
  – Security is a key component of the internal control and systems reliability to which management must attest.
  – As identified in the COSO model, management’s philosophy and operating style are critical to an effective control environment.

Page 8

TIME-BASED MODEL OF SECURITY

• The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.

• All three types of controls are necessary:– Preventive– Detective– Corrective

Page 9

TIME-BASED MODEL OF SECURITY

• The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables:
  – P = Time it takes an attacker to break through the organization’s preventive controls
  – D = Time it takes to detect that an attack is in progress
  – C = Time to respond to the attack
• These three variables are evaluated as follows:
  – If P > (D + C), then security procedures are effective.
  – Otherwise, security is ineffective.

Page 10

TIME-BASED MODEL OF SECURITY

• EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures:
  – Measure 1 would increase P by 5 minutes.
  – Measure 2 would decrease D by 3 minutes.
  – Measure 3 would decrease C by 5 minutes.
  – Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.
• Since each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed (D + C) by the maximum possible amount.)

Page 11

TIME-BASED MODEL OF SECURITY

• You may be able to solve this problem by eyeballing it. If not, one way to solve it is to assume some initial values for P, D, and C.
• So let’s assume that P = 15 min., D = 5 min., and C = 8 min.
• At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min.
• With Measure 1, P is increased by 5 minutes:
  – 20 – (5 + 8) = 7 min.
• With Measure 2, D is decreased by 3 minutes:
  – 15 – (2 + 8) = 5 min.
• With Measure 3, C is decreased by 5 min.:
  – 15 – (5 + 3) = 7 min.
• With Measure 4, P is increased by 3 minutes and C is reduced by 3 min.:
  – 18 – (5 + 5) = 8 min.
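The evaluation above can be automated. The Python below is an added example, not code from the textbook: it encodes P, D and C, computes P – (D + C) for the slide’s assumed starting values, and ranks the four measures. It also covers one case the slide does not state: a measure cannot drive D or C below zero, so the clamp in `apply_measure` is an assumption made here, as are the function and class names.

```python
"""Time-based model of security: compare P against D + C and rank candidate measures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityPosture:
    p: float  # P: minutes an attacker needs to get through preventive controls
    d: float  # D: minutes needed to detect that an attack is in progress
    c: float  # C: minutes needed to respond to the attack

    @property
    def margin(self) -> float:
        """P - (D + C): positive means detection and response finish before the attacker succeeds."""
        return self.p - (self.d + self.c)

    @property
    def effective(self) -> bool:
        return self.margin > 0


def apply_measure(base: SecurityPosture, dp: float = 0, dd: float = 0, dc: float = 0) -> SecurityPosture:
    """Posture after a measure that raises P by dp, lowers D by dd and lowers C by dc.

    Assumption added here: detection and response times cannot drop below zero,
    so the gain from a measure is capped once D or C reaches zero.
    """
    return SecurityPosture(p=base.p + dp, d=max(0, base.d - dd), c=max(0, base.c - dc))


# The four measures from the slide, each costing the same $25,000
MEASURES = {
    "Measure 1": {"dp": 5},
    "Measure 2": {"dd": 3},
    "Measure 3": {"dc": 5},
    "Measure 4": {"dp": 3, "dc": 3},
}


def rank_measures(base: SecurityPosture, measures=MEASURES):
    """Return [(name, resulting margin)] ordered best-first (ties keep slide order)."""
    scored = [(name, apply_measure(base, **delta).margin) for name, delta in measures.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def best_measure(base: SecurityPosture, measures=MEASURES) -> str:
    return rank_measures(base, measures)[0][0]


if __name__ == "__main__":
    start = SecurityPosture(p=15, d=5, c=8)  # the slide's assumed starting values
    state = "effective" if start.effective else "ineffective"
    print(f"start: margin {start.margin:+.0f} min ({state})")
    for name, margin in rank_measures(start):
        print(f"{name}: margin {margin:+.0f} min")
```

Because each measure’s gain is simply the sum of its adjustments (5, 3, 5 and 6 minutes), the ranking does not depend on the starting values unless the clamp applies; the assumed values only make the arithmetic concrete.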

Page 12

DEFENSE IN DEPTH

• The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure.

• If one layer fails, another may function as planned.

• Computer security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.

• Redundancy also applies to detective and corrective controls.

Page 13

PREVENTIVE CONTROLS

Major types of preventive controls used for defense in depth include:

1. Authentication controls
2. Authorization controls
3. Training
4. Physical access controls
5. Remote access controls
6. Host and application hardening procedures
7. Encryption

Page 14

PREVENTIVE CONTROLS

1. Authentication - focuses on verifying the identity of the person or device attempting to gain access.
• Passwords are probably the most commonly used authentication method and also the most controversial.
  – An effective password must satisfy a number of requirements:
    • Length
    • Multiple character types
    • Random
    • Secret

Page 15

PREVENTIVE CONTROLS

• Other authentication methods have their own limitations.
  – Physical identification techniques
  – Biometric techniques
• Multi-factor authentication

Page 16

PREVENTIVE CONTROLS

2. Authorization - restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.
• Authorization controls are implemented by creating an access control matrix.
  – Specifies what part of the IS a user can access and what actions they are permitted to perform.
  – When an employee tries to access a particular resource, the system performs a compatibility test that matches the user’s authentication credentials against the matrix to determine if the action should be allowed.

Page 17

PREVENTIVE CONTROLS

• Who has the authority to delete Program 2?
• Which files can user 12354 access?
• Which programs can user 12354 access?

Access control matrix (User Identification | Files | Programs):

  Code Number  Password   A  B  C   1  2  3  4
  12345        ABC        0  0  1   0  0  0  0
  12346        DEF        0  2  0   0  0  0  0
  12354        KLM        1  1  1   0  0  0  0
  12359        NOP        3  0  0   0  0  0  0
  12389        RST        0  1  0   0  3  0  0
  12567        XYZ        1  1  1   1  1  1  1

Codes for type of access:
  0 = No access permitted
  1 = Read and display only
  2 = Read, display, and update
  3 = Read, display, update, create, and delete
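To show how the compatibility test consults the matrix, here is an added Python example (not textbook code) that transcribes the table above and answers the three questions. The resource names, the `Access` enum and the mapping from actions to minimum access codes are assumptions made here, since the slide lists only the codes.

```python
"""Access control matrix from the slide, with the 'compatibility test' the text describes."""
import hmac
from enum import IntEnum


class Access(IntEnum):
    """Access codes used in the matrix."""
    NONE = 0    # no access permitted
    READ = 1    # read and display only
    UPDATE = 2  # read, display, and update
    FULL = 3    # read, display, update, create, and delete


# Minimum access code needed for each action (assumption derived from the code legend)
REQUIRED = {
    "read": Access.READ,
    "display": Access.READ,
    "update": Access.UPDATE,
    "create": Access.FULL,
    "delete": Access.FULL,
}

RESOURCES = ["File A", "File B", "File C", "Program 1", "Program 2", "Program 3", "Program 4"]

# Matrix transcribed from the slide: user code -> (password, access codes in RESOURCES order).
# Passwords appear in the clear only because the slide shows them that way;
# a real system would store salted hashes.
MATRIX = {
    "12345": ("ABC", [0, 0, 1, 0, 0, 0, 0]),
    "12346": ("DEF", [0, 2, 0, 0, 0, 0, 0]),
    "12354": ("KLM", [1, 1, 1, 0, 0, 0, 0]),
    "12359": ("NOP", [3, 0, 0, 0, 0, 0, 0]),
    "12389": ("RST", [0, 1, 0, 0, 3, 0, 0]),
    "12567": ("XYZ", [1, 1, 1, 1, 1, 1, 1]),
}


def rights_of(user: str) -> dict:
    """Map resource name -> Access for one user (empty for an unknown user)."""
    entry = MATRIX.get(user)
    if entry is None:
        return {}
    return {res: Access(code) for res, code in zip(RESOURCES, entry[1])}


def compatibility_test(user: str, password: str, resource: str, action: str) -> bool:
    """Authenticate, then check the requested action against the matrix.

    Unknown users, wrong passwords, unknown resources and unknown actions all fail closed.
    """
    entry = MATRIX.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return False
    needed = REQUIRED.get(action)
    if needed is None:
        return False
    return rights_of(user).get(resource, Access.NONE) >= needed


def who_can(resource: str, action: str) -> list:
    """All user codes whose access code permits `action` on `resource`."""
    return sorted(user for user, (pw, _) in MATRIX.items()
                  if compatibility_test(user, pw, resource, action))


def accessible(user: str, kind: str) -> list:
    """Resources of one kind ('File' or 'Program') on which the user has any access at all."""
    return [res for res, code in rights_of(user).items()
            if res.startswith(kind) and code > Access.NONE]


if __name__ == "__main__":
    print("Can delete Program 2:", who_can("Program 2", "delete"))
    print("Files user 12354 can access:", accessible("12354", "File"))
    print("Programs user 12354 can access:", accessible("12354", "Program"))
```

The comparison uses `hmac.compare_digest` so a wrong password takes the same time as a right one; the interesting part for authorization is that every lookup falls back to `Access.NONE`, so a resource or action the matrix does not know about is denied rather than allowed.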

Page 18

PREVENTIVE CONTROLS

3. Training

• Employees should be trained to follow safe computing practices, such as:

  – Never open unsolicited email attachments.
  – Use only approved software.
  – Never share or reveal passwords.
  – Physically protect laptops, especially when traveling.

Page 19

PREVENTIVE CONTROLS

• Train employees about social engineering attacks, which use deception to obtain unauthorized access.
  – Do not divulge passwords or other info about their accounts or workstation configuration to anyone who contacts them by phone, email, or IM, even if they claim to be part of systems security staff.
  – Do not allow other people (employees or outsiders) to follow them through restricted-access entrances.
    • This type of piggybacking can take place at main entrances and at internal locked doors.
    • It often succeeds because people feel it is rude not to let the other person come through with them.

Page 20

PREVENTIVE CONTROLS

4. Controlling Physical Access
• Within a few minutes, a skilled attacker with unsupervised direct physical access to the system can successfully obtain access to sensitive data.
• Physical access control begins with entry points to the building itself.
  – There should be one regular entry point, unlocked during normal office hours.
  – Fire codes require emergency exits.
    • These should not permit entry from outside.
    • They should be connected to an alarm that is triggered if someone leaves through the exit.
  – A receptionist or security guard should be stationed at the main entrance of the building to:
    • Verify the identity of employees.
    • Require that visitors sign in and be escorted to their destination.

Page 21

PREVENTIVE CONTROLS

• Once inside the building, physical access to rooms housing computer equipment must be restricted.

• Access to wiring used in LANs must be restricted to prevent wiretapping.
  – Cables and wiring should not be exposed in areas accessible to casual visitors.
  – Wall jacks not in use should be physically disconnected from the network.
  – Wiring closets should be securely locked.
    • If shared with other tenants of a building, the telecommunications equipment should be placed inside locked steel cages.

Page 22

PREVENTIVE CONTROLS

5. Controlling Remote Access
• Information sent over the Internet is governed by TCP/IP, two protocols for transmitting information over the Internet.
  – Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into packets and for reassembly at the destination.
  – Internet Protocol (IP) specifies the structure of the packets and how to route them to the proper destination.
• Every IP packet consists of two parts:
  – Header – contains the packet’s origin and destination addresses, as well as info about the type of data contained in the body.
  – Body.

Page 23

PREVENTIVE CONTROLS

• Routers read the destination address fields in packet headers to decide where to send (route) the packet next.
• A device called a border router connects an organization’s information system to the Internet.
• An organization’s border router checks the contents of the destination address field of every packet it receives.
  – If the address is not that of the organization, the packet is forwarded to another router on the Internet.
  – If the destination address matches the organization, the packet undergoes one or more tests before being allowed in.

Page 24

PREVENTIVE CONTROLS

• Behind the border router is the main firewall, either a special-purpose hardware device or software running on a general-purpose computer.
• Like the border router, firewalls determine what to do with each packet.
  – Firewalls are designed to act as filters and only permit packets that meet specific conditions to pass.
  – Firewalls don’t block all traffic, but only filter it.
  – Certain traffic passes through.

Page 25

PREVENTIVE CONTROLS

• Modems
  – Modems are cheap and easy to install, so employees are often tempted to install them on their desktops without seeking permission or notifying anyone.
  – This creates a huge hole in perimeter security, especially because employees seldom configure any strong authentication controls.
  – A single rogue modem creates a “back door” through which attackers can successfully compromise the system.
  – Computer security or internal audit staff should periodically check for the existence of rogue modems.
  – War dialing software (also used by hackers) can dial every phone number assigned to the organization to identify those connected to modems.
  – Rogue modems should be disconnected and sanctions applied to offending employees.

Page 26

PREVENTIVE CONTROLS

6. Host and Application Hardening
• Routers and firewalls are designed to protect the network perimeter.
• Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as hosts) that comprise the organization’s network.
• Three areas deserve special attention:
  – Host configuration
  – User accounts
  – Software design

Page 27

PREVENTIVE CONTROLS

• Host Configuration
  – Hosts can be made more secure by modifying their configurations.
    • Default configurations of most devices typically turn on a large number of optional settings that are seldom, if ever, used.
    • Default installations of many operating systems turn on many special-purpose programs, called services, which are not essential.
  – Turning on unnecessary features and extra services:
    • Maximizes the likelihood of successful installation without the need for customer support.
    • But the cost is that it creates security weaknesses.

Page 28

PREVENTIVE CONTROLS

• Managing User Accounts and Privileges
  – User accounts must be carefully managed, especially when they have unlimited (administrative) rights on the computer.
  – Users who need administrative powers on a particular computer should be assigned two accounts:
    • One with administrative rights
    • One with limited privileges
  – Users should log in under the limited account to perform routine duties.
    • They should be logged into their limited account when browsing the web or reading email.
    • If they visit a compromised website or open an infected email, the attacker will only acquire limited rights.

Page 29

PREVENTIVE CONTROLS

• Software Design
  – Controls are also needed over in-house development and modification of programs, because poorly-written code can be exploited to give attackers administrative privileges.
  – The most common input-related vulnerability is a buffer overflow attack.
    • The attacker sends a program more data than it can handle.
    • This may cause the system to crash or provide a command prompt, giving the attacker full administrative privileges and control.

Page 30

PREVENTIVE CONTROLS

7. Encryption
• Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder.
• Encryption plays an essential role in ensuring and verifying the validity of e-business transactions.
• Therefore, accountants, auditors, and systems professionals need to understand encryption.

Page 31

PREVENTIVE CONTROLS

[Figure: Plaintext (“This is a contract for . . .”) + Key → Encryption Algorithm → Ciphertext (“Xb&j &m 2 ep0%fg . . .”) + Key → Decryption Algorithm → Plaintext (“This is a contract for . . .”)]

• Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
• Decryption reverses this process.
• To encrypt or decrypt, both a key and an algorithm are needed.

Page 32

PREVENTIVE CONTROLS

• Types of Encryption Systems
  – There are two basic types of encryption systems:
    • Symmetric encryption systems
    • Asymmetric encryption systems

Page 33

PREVENTIVE CONTROLS

• Symmetric Encryption Systems
  – Use the same key to encrypt and decrypt.
• Symmetric encryption advantages:
  – It is much faster than asymmetric encryption.
• Symmetric encryption disadvantages:
  – Both parties need to know the secret key, so a method is needed to securely exchange the keys, and email is not an appropriate solution.
  – A different key needs to be created for each party with whom the entity engages in encrypted transactions.
  – Since both sides of a transaction are using the same key, there is no way to prove which of the two parties created a document.

Page 34

PREVENTIVE CONTROLS

• Asymmetric encryption systems
  – Use two keys:
    • The public key is publicly available.
    • The private key is kept secret and known only to the owner of that pair of keys.
  – Either key can be used to encrypt.
  – Whichever key is used to encrypt, the other key must be used to decrypt.
  – The main drawback to asymmetric encryption is speed.

Page 35

PREVENTIVE CONTROLS

• Digital Signatures
  – Asymmetric encryption is used to create digital signatures.
  – A digital signature is information encrypted with the creator’s private key.
    • That information can only be decrypted using the corresponding public key.
    • So successful decryption with an entity’s public key proves the message could only have been created by the entity that holds the corresponding private key.
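An added Python example, not from the textbook, that makes the contrast between the last two slides concrete: a toy RSA signature (a digest “encrypted” with the private key and checked with the public key) beside an HMAC tag under a shared key, which either party could have produced. The `make_keypair`, `sign`, `verify` and `mac` functions and the Mersenne primes are assumptions of this example; the keys are unpadded and far too small for real use and exist only to illustrate the slide’s point.

```python
"""Why a digital signature proves origin and a shared-key MAC does not."""
import hashlib
import hmac


def make_keypair(p: int, q: int, e: int = 65537):
    """Toy RSA key pair from two primes supplied by the caller (illustration only:
    no padding, and far smaller than real-world 2048-bit moduli)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent; needs Python 3.8+
    return (n, e), (n, d)              # (public key, private key)


def _digest(message: bytes, n: int) -> int:
    """SHA-256 of the message as an integer inside the RSA group; the signature covers this."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """'Encrypt' the digest with the private key: only the key holder can do this."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' with the public key and compare with a fresh digest of the message."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def mac(message: bytes, shared_key: bytes) -> str:
    """HMAC-SHA256 tag: symmetric, so anyone holding shared_key can produce it."""
    return hmac.new(shared_key, message, "sha256").hexdigest()


def mac_valid(message: bytes, tag: str, shared_key: bytes) -> bool:
    return hmac.compare_digest(mac(message, shared_key), tag)


# Primes for the toy keys (Mersenne primes, chosen because they are easy to state)
ALICE_PUB, ALICE_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    contract = b"This is a contract for ..."
    sig = sign(contract, ALICE_PRIV)
    print("verifies with Alice's public key:", verify(contract, sig, ALICE_PUB))
    print("verifies with Bob's public key:  ", verify(contract, sig, BOB_PUB))
    print("altered contract verifies:       ", verify(contract + b"!", sig, ALICE_PUB))
    shared = b"constructed-shared-key"   # held by both Alice and Bob
    tag = mac(contract, shared)
    # The tag checks out for whoever holds `shared`, so it cannot show which party made it.
    print("tag valid for either holder:     ", mac_valid(contract, tag, shared))
```

The signature verifies only under Alice’s public key and only for the unaltered message, which is the non-repudiation property the slide describes; the HMAC tag is valid for everyone who knows the shared key, which is exactly why the symmetric slide says neither party can prove who created the document.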

Page 36

DETECTIVE CONTROLS

• Preventive controls are never 100% effective in blocking all attacks.

• Actual system use must be examined to assess compliance through:

1. Log analysis

2. Intrusion detection systems

3. Managerial reports

4. Periodically testing the effectiveness of existing security procedures

Page 37

DETECTIVE CONTROLS

1. Log Analysis
  – Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed.
    • Logs form an audit trail of system access.
    • Logs are of value only if routinely examined.
    • Log analysis is the process of examining logs to monitor security.

Page 38

DETECTIVE CONTROLS

• The log may indicate unsuccessful attempts to log in to different servers.
• The person analyzing the log must try to determine the reason for the failed attempt. It could be that:
  – The person was a legitimate user who forgot his password.
  – The person was a legitimate user but not authorized to access that particular server.
  – The user ID was invalid and represented an attempted intrusion.

Page 39

DETECTIVE CONTROLS

• Log analysis should be done regularly to detect problems in a timely manner.
  – This is not easy because logs can quickly grow in size.
  – So system administrators use software tools to efficiently strip out routine log entries so that they can focus their attention on anomalous behavior.
  – They also supplement log analysis with software tools called intrusion detection systems to automate the monitoring process.
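As an added example (not from the textbook) of stripping routine entries and triaging what is left, the Python below parses constructed log lines, drops successful logins, and assigns each failure to one of the three explanations the earlier slide lists, plus a fourth bucket for an authorized user who never succeeded afterwards. The log format, the `AUTHORIZED` directory and the category labels are assumptions of this example.

```python
"""Triage of failed-login log entries: strip routine successes, then explain each failure."""
import re
from collections import defaultdict

# Constructed sample log (not from the textbook). Format: date time host LOGIN result user=...
SAMPLE_LOG = """\
2006-03-01 08:01:12 srv-fin LOGIN FAIL user=jsmith
2006-03-01 08:01:40 srv-fin LOGIN OK user=jsmith
2006-03-01 08:05:03 srv-hr LOGIN FAIL user=jsmith
2006-03-01 08:10:15 srv-fin LOGIN FAIL user=admin1
2006-03-01 08:10:16 srv-fin LOGIN FAIL user=root
2006-03-01 08:10:17 srv-hr LOGIN FAIL user=test
2006-03-01 09:00:00 srv-hr LOGIN OK user=mlee
"""

# Constructed account directory: user -> servers that user is authorized to log in to
AUTHORIZED = {"jsmith": {"srv-fin"}, "mlee": {"srv-fin", "srv-hr"}}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+)$"
)

FORGOT = "legitimate user, authorized: probably a forgotten password"
UNAUTH = "legitimate user, not authorized for that server"
INTRUSION = "invalid user ID: possible intrusion attempt"
FOLLOWUP = "legitimate user, authorized, no later success: follow up with the user"


def parse(log_text: str) -> list:
    """Parse well-formed lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events: list, authorized: dict = AUTHORIZED) -> dict:
    """Group FAIL events by explanation; OK events are routine and stripped out."""
    findings = defaultdict(list)
    for ev in events:
        if ev["result"] == "OK":
            continue
        servers = authorized.get(ev["user"])
        if servers is None:
            category = INTRUSION
        elif ev["host"] not in servers:
            category = UNAUTH
        elif any(o["result"] == "OK" and o["user"] == ev["user"]
                 and o["host"] == ev["host"] and o["ts"] > ev["ts"] for o in events):
            # A later success on the same host supports the forgotten-password reading
            # (timestamps in this format sort correctly as strings).
            category = FORGOT
        else:
            category = FOLLOWUP
        findings[category].append(ev)
    return dict(findings)


def summarize(findings: dict) -> dict:
    return {category: len(evs) for category, evs in findings.items()}


if __name__ == "__main__":
    for category, count in summarize(triage(parse(SAMPLE_LOG))).items():
        print(f"{count:3d}  {category}")
```

The three unknown-user failures arriving one second apart are the entries an analyst would want surfaced first, and the only reason they stand out in a large log is that the two routine successes were removed before anyone looked.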

Page 40

DETECTIVE CONTROLS

2. Intrusion Detection Systems
• An IDS creates a log of network traffic that was permitted to pass the firewall.
  – It analyzes the logs for signs of attempted or successful intrusions.
  – The most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks.
  – An alternative technique builds a model representing “normal” network traffic and uses various statistical techniques to identify unusual behavior.
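The two analysis styles, pattern matching against a database of known attacks and a statistical model of normal traffic, as an added Python example (not from the textbook) run over constructed traffic records. The `SIGNATURES` database, the mean-plus-three-standard-deviations rule and the ten-minute baseline window are assumptions made here.

```python
"""Two IDS analysis styles on traffic the firewall let through: signatures and a baseline."""
import statistics
from collections import Counter

# Constructed traffic log (not from the textbook): (minute, source, requested path).
# Minutes 0-9 are ordinary browsing; minute 10 carries a burst from one source.
NORMAL_PER_MINUTE = [5, 4, 6, 5, 5, 4, 6, 5, 5, 5]
TRAFFIC = [(m, "10.0.0.5", "/index.html")
           for m, n in enumerate(NORMAL_PER_MINUTE) for _ in range(n)]
TRAFFIC.append((3, "10.0.0.9", "/files?name=../secret.txt"))
TRAFFIC += [(10, "10.0.0.5", "/index.html")] * 60
TRAFFIC += [(11, "10.0.0.5", "/index.html")] * 5

# Signature database (assumed): name -> substring associated with a known attack pattern
SIGNATURES = {"directory traversal": "../", "script injection": "<script>"}


def signature_alerts(traffic, signatures=SIGNATURES):
    """Misuse detection: every record matching a known pattern is an alert."""
    alerts = []
    for minute, src, path in traffic:
        for name, pattern in signatures.items():
            if pattern in path:
                alerts.append((minute, src, name))
    return alerts


def per_minute_counts(traffic):
    """{source: Counter(minute -> number of requests)}"""
    counts = {}
    for minute, src, _ in traffic:
        counts.setdefault(src, Counter())[minute] += 1
    return counts


def anomaly_alerts(traffic, baseline_minutes=10, k=3.0):
    """Anomaly detection: learn mean and standard deviation per source over the
    baseline window, then flag any later minute whose count exceeds mean + k*stdev."""
    alerts = []
    counts = per_minute_counts(traffic)
    last_minute = max(m for m, _, _ in traffic)
    for src, by_minute in counts.items():
        baseline = [by_minute.get(m, 0) for m in range(baseline_minutes)]
        threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
        for minute in range(baseline_minutes, last_minute + 1):
            n = by_minute.get(minute, 0)
            if n > threshold:
                alerts.append((minute, src, n))
    return sorted(alerts)


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(TRAFFIC))
    print("anomaly alerts:  ", anomaly_alerts(TRAFFIC))
```

The signature rule catches the traversal probe in minute 3 but says nothing about the burst in minute 10, which carries a perfectly ordinary path; the baseline rule catches the burst but would never flag a single well-formed probe. That complementarity is why the slide presents the two as alternatives rather than substitutes. Note that a source whose baseline is perfectly constant gets a standard deviation of zero, so any increase at all is flagged; a production system would add a minimum threshold.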

Page 41

DETECTIVE CONTROLS

3. Managerial Reports
  – The Information Systems Audit and Control Association (ISACA) and the IT Governance Institute have developed a comprehensive framework for information systems controls called Control Objectives for Information and Related Technology (COBIT).
    • Specifies 34 IT-related control objectives
    • Provides:
      – Management guidelines that identify crucial success factors associated with each objective.
      – Key performance indicators that can be used to assess their effectiveness.

Page 42

DETECTIVE CONTROLS

4. Security Testing - the effectiveness of existing security procedures should be tested periodically.

• One approach is vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities.

Page 43

DETECTIVE CONTROLS

Penetration testing provides a rigorous way to test the effectiveness of an organization’s computer security.
• This testing involves an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s IS.
  – Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers.
  – Climbing through roof hatches and dropping through ceiling panels.
• Some claim they can get into 90% or more of the companies they attack.

Page 44

CORRECTIVE CONTROLS

• Detection of attempted and successful intrusions is important but is worthless if not followed by corrective action.

• Three key components that satisfy the preceding criteria are:

1. Establishment of a computer emergency response team.

2. Designation of a specific individual with organization-wide responsibility for security.

3. An organized patch management system.

Page 45

CORRECTIVE CONTROLS

1. Computer Emergency Response Team (CERT)
• Responsible for dealing with major incidents.
• Should include technical specialists and senior operations management.

Page 46

CORRECTIVE CONTROLS

2. A chief security officer (CSO):
  – Should be independent of other IS functions and report to either the COO or CEO.
  – Must understand the company’s technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
  – Disseminates info about fraud, errors, security breaches, improper system use, and consequences of these actions.
  – Works with the person in charge of building security, as that is often the entity’s weakest link.
  – Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO’s security measures.

Page 47

CORRECTIVE CONTROLS

3. Patch Management
  – Another important corrective control involves fixing known vulnerabilities and installing the latest updates to:
    • Anti-virus software
    • Firewalls
    • Operating systems
    • Application programs

Page 48

CORRECTIVE CONTROLS

• A primary cause of the rise in reported vulnerabilities is the ever-increasing size and complexity of software.

• Many widely-used programs contain millions of lines of code.

• Even if 99.9% error free, there would still be 100 vulnerabilities per million lines.

• Both hackers and security consultants constantly search for these vulnerabilities.

• Once discovered, the question is how to take advantage of them.

Page 49

CORRECTIVE CONTROLS

• Hackers usually publish instructions for doing so (known as exploits) on the Internet.

• Although it takes skill to discover the exploit, once published, it can be executed by almost anyone.

• A patch is code released by software developers to fix vulnerabilities that have been discovered.

• Patch management is the process for regularly applying patches and updates to all of an organization’s software.