5. Protection of information Assets
CIA confidentiality, integrity, availability
5.1. Information Asset security Frameworks, standards and Guidelines
IT security baseline recommendations, Figure 5.1.
Inventory
Malware
Passwords
Patching
Minimizing services offered by systems
Addressing vulnerabilities
Backups
Baseline Security Evaluation Checklist Figure 5.2
5.1.1. Auditing the Information Security Management Framework
Reviewing written policies
Formal Security Awareness and training
Data ownership
Data Owners
Data Custodians
Security Administrator
Allowing IT security employees access to transaction logs is often unavoidable, because system administrator privileges are required for them to do their job. The best control in this case, to avoid unauthorized modification of transaction logs, is to write the transaction logs to WORM drive media in real time. It is important to note that simply backing up the transaction logs to tape is not adequate, because data could be modified prior to the daily backup job execution (typically at night).
New IT Users
Data Users
Documented Authorisations
Terminated Employee Access
Security Baselines, figure 5.1 and 5.2
Access Standards
5.3. Physical Access and Environmental Controls
5.3.1. Managerial, technical and physical controls
Control Matrix Figure 5.5
Control Methods Figure 5.4
5.3.2. Control Monitoring and effectiveness
5.3.3. Environmental Exposures and controls
Q A5-240
Equipment Issues and Exposures related to the Environment
Power failures
Total failure (blackout)
Solution: alternative power generator
Severely reduced voltage (brownout)
Solution: uninterruptible power supply (UPS), covering up to 30 min of power failure
Sags, spikes and surges
Solution: properly placed surge protectors
Electromagnetic interference (EMI)
Water damage
Manmade concerns: terrorist attacks, vandalism
Controls for Environmental Exposures
Water and Smoke Detectors
Hand-held fire extinguishers
Manual fire alarms
Fire suppression systems
Strategically locating the computer room
Regular inspections by fire dept
Fireproof walls, floors and ceilings of the computer room, Qs: A5-204
Electric surge protectors
Uninterruptible power supplies/generator
Emergency Power-off Switch
Power leads from two substations
Fully documented and tested BCP
Wiring placed in Electrical Panels and conduit
Inhibited Activities within the information processing facility
Fire-resistant office materials
Documented and tested Emergency Evacuation Plans
Humidity/Temperature control
Alarm Control Panels
5.3.4. Physical Access exposures and controls
Physical Access Controls
Bolting door locks
Combination door locks
Electronic door locks
Bio-metric door locks
Manual logging
Electronic logging
Identification badges
Video Cameras
Security Guards
Controlled visitor access
Deadman doors
Computer workstation locks
Controlled single entry point
An alarm system
Secured report/document distribution carts
Having no physical signs on the outside of a computer room is a security measure known as obscurity.
Physical Access Issues and exposures
Unauthorised entry
Damage, vandalism or theft of equipment or documents
Copying or viewing of sensitive or copyrighted information
Alteration of sensitive equipment or information
Public disclosure of sensitive information
Abuse of data processing resources
Blackmail
Embezzlement
Wiretapping/eavesdropping
Auditing physical Access
Data purging
Obsolete magnetic tapes should be degaussed; Degaussing is the application of a coercive magnetic force to the tape media.
5.4. Identity and Access Management
5.4.2. Mandatory and Discretionary Access Controls
MACs: logical access control filters used to validate access credentials; they cannot be controlled or modified by normal users or data owners.
DACs: access controls that may be configured or modified by the users or data owners, especially for low-risk applications.
5.4.3. Information Security and External Parties
Identification of risk related to external Parties Figure 5.6
Customer Access Security Considerations
Addressing security in Third-party Agreements, Figure 5.8
DRM - Digital Rights Management
Human Resources Security and Third Parties
Screening
Removal of Access Rights
5.4.4. Logical Access
Logical Access Exposures
Data Leakage
Computer shutdown
General Points of Entry
Network Connectivity
Remote Access and VPN :!:
Qs: A5-214
Test Qs: A5-75, A5-72
Advantages of VPN:
- ubiquity (used everywhere)
- ease of use
- inexpensive connectivity
- read, inquiry or copy-only access
Disadvantages:
- significantly less reliable than dedicated circuits
- lack of central authority
- difficult to troubleshoot
Digital Rights Management (DRM) software will manage access privileges to confidential files stored on the server, test Qs: A5-165
5.4.5. Access Control Software
Features of Passwords
Login ID and Password good practices
Token Devices, one-time Passwords
5.4.6. Identification and Authentication
Q A5-238
Identity creation and access request
Transfer request
Access termination request
Password communication
Password management
Policy Administration
Validation
Reinstatement
Authorisation subprocess
SoD
Log Management
Privileged access
Dormant/orphan user accounts
5.4.7. Logon IDs and Passwords
Firecall ID
When an administrator is absent, the administrator's password is kept sealed in a safe and made available only to a senior manager.
5.4.8. Bio-metrics, EER test Qs A5-159, A5-237
Physically oriented biometrics
Behaviour-oriented biometrics
Management of biometrics
Quantitative measure of biometric performance
Type-I error rate: false-rejection rate (FRR), the number of times an individual granted authority to use the system is falsely rejected by the system
Failure-to-enroll rate (FER)
Type-II error rate: false-acceptance rate (FAR), the number of times an individual not granted authority to use a system is falsely accepted by the system
Equal error rate (EER): the percentage at which FRR and FAR are equal. The lower the EER, the better the biometric system.
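How FRR, FAR and the EER are actually obtained from matcher output, as an added example that is not part of these notes: the genuine and impostor similarity scores below are constructed, the system accepts when a score reaches the threshold, and sweeping the threshold shows the Type I / Type II trade-off and the crossover point.

```python
# Added example (not from the notes): FRR, FAR and EER from constructed biometric match scores.
# Model: the matcher returns a similarity score in [0, 1]; the system ACCEPTS when score >= threshold.

GENUINE_SCORES = [0.92, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.66, 0.60, 0.55]   # authorised users (constructed)
IMPOSTOR_SCORES = [0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.52, 0.58, 0.63, 0.72]  # non-authorised people (constructed)


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) at a given threshold.

    FRR (Type I)  = share of authorised users rejected   = genuine scores below the threshold.
    FAR (Type II) = share of unauthorised people accepted = impostor scores at or above it.
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def tradeoff_table(genuine, impostor):
    """(threshold, FRR, FAR) for every observed score, in ascending threshold order.
    Raising the threshold can only raise FRR and lower FAR, which is the trade-off an auditor
    should expect to see documented for a deployed system."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_rate(genuine, impostor):
    """Return (EER, threshold): the operating point where FRR and FAR are closest.
    On real data the two curves rarely cross exactly on a sample, so the EER is reported
    as the mean of FRR and FAR at the threshold with the smallest gap."""
    best = None  # (gap, eer, threshold)
    for t, frr, far in tradeoff_table(genuine, impostor):
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, (frr + far) / 2, t)
    return best[1], best[2]


def lower_eer_is_better(eer_a, eer_b):
    """True when system A has the lower EER, i.e. is the more accurate biometric."""
    return eer_a < eer_b


if __name__ == "__main__":
    for t, frr, far in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:.2f}  FRR={frr:.1f}  FAR={far:.1f}")
    print("EER, threshold:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```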
5.4.9. Single sign-on
Risks: requires new architecture components (complexity), cost, SSO can present a single point of failure
SAML - Security Assertion Markup Language - Web browser SSO
5.4.10. Authorization Issues, test Qs A5-186
Access control lists
logical access security administration
Remote access security
dedicated lines - most secure, but expensive
Dial-up RAS: least secure, and too slow to be considered for most commercial applications today
NAS point-to-point
VPN
5.4.11. Audit Logging in Monitoring System Access
Access rights to system logs
Audit trails can be protected against modification by the use of digital signatures, write-once devices or a SIEM system.
Tools for audit trail (logs) analysis :!: (p. 273)
Cost considerations
5.4.12. Naming Conventions for logical access controls
Set up by the owner of the data and security officer
Implement separation of Duties SoD
5.4.13. Federated Identity Management FIM
5.4.14. Auditing logical access :red_flag:
Familiarization with the IT environment
Assessing and documenting the access paths
One or more servers (OS running on servers should be patched etc.)
Telecommunications (LAN server, or terminal emulator if connecting to a mainframe) intercepts the logon to direct it to the correct telecom link. The telecom software can restrict PCs to specific data; the audit issue is to ensure that all applications have their needs defined within the software and that the various optional telecom control and processing features used are appropriate and approved by management. This analysis usually requires the assistance of a system software analyst.
End user signs on to a PC, which is part of the LAN (PC physically secure, password controlled, OS updated, patched, open ports closed)
Transaction processing software (proper identification/authentication of the user, by reviewing internal tables that reside in the transaction processing software or in separate security software).
Application software (restricting access to production software library to the implementation coordinator only)
The database management system DBMS directs access to the computerized information (all data elements are identified in the data dictionary, access to the data dictionary is restricted to the database administrator (DBA), all data elements are subject to logical access controls)
Access control software can wrap logical access security around all of the above components. This is done via internal security tables.
Interviewing systems personnel
Reviewing reports from access control software
Reviewing application systems operations manual
5.4.15. Data Leakage
Data leak prevention (DLP)
Data at rest: crawlers help identify data location
Data in motion: deep packet inspection (DPI) inspects packets to check that they are going where they should; it works a bit like an IDS
Data in use (endpoint): an 'agent' is software that monitors and stops the user from processing data in a certain way (e.g. copying, printing, saving to a drive)
DLP Risk, limitation and considerations
5.4.1. System Access Permission
Four layers of IT assets under logical security
Networks
Platforms
Databases
Applications
5.5. Network and end-point security
5.5.2. Enterprise Network Architecture
Telecommunication
is the electronic transmission of data, sound and images between connected end systems (two or more computers acting as sender and receiver).
Network Interface Card (NIC)
is a hardware component without which a computer cannot be connected over a network. It is a circuit board installed in a computer that provides a dedicated network connection to the computer. It is also called network interface controller, network adapter or LAN adapter.
NIC allows both wired and wireless communications.
NIC allows communications between computers connected via local area network (LAN) as well as communications over large-scale network through Internet Protocol (IP).
NIC is both a physical layer and a data link layer device, i.e. it provides the necessary hardware circuitry so that the physical layer processes and some data link layer processes can run on it.
SOA Service oriented architecture
uses the SOAP protocol and XML to make network services open and available
5.5.3. Types of Networks
Personal area networks (PANs)
Used to connect to local printers and other devices.
WPAN (wireless): Can be Bluetooth, or IrDA (Infrared Data Association)
LANs
Ethernet
Is a Carrier Sense Multiple Access/Collision Detection (CSMA/CD) protocol
WLANs
Storage area network (SANs)
A5-251
Wide area Network (WANs)
A5-272
e.g.: The Internet
Metropolitan Area Networks (MANs)
5.5.4. Network Services
Network file system
e-mail services
about e-mail encryption A5-257
Print services
Remote Access services
Directory services
Network management
Dynamic Host Configuration Protocol :red_flag:
It allocates IP addresses (and other parameters) to the requesting network computers. IP address pool management.
DNS - IP translator
Q A5-222
Gateways, test Qs: A5-106, A5-258
5.5.5. Network Standards and Protocols
interoperability
Availability
Flexibility
Maintainability
5.5.6. OSI Architecture :red_flag:
Open systems Interconnection
Application layer is not application software :check:
It provides a standard interface for applications that must communicate with devices on the network: an interface to the network.
The presentation layer transforms data into a form acceptable to the application layer and provides common communication services, such as encryption, text compression and reformatting, to convert the outgoing data into a format acceptable to the network standard; it then passes the data to the session layer.
Session layer controls the dialogs (sessions) between computers. Establishes, manages and terminates connections.
Transport layer provides reliable and transparent transfer of data between end points, end-to-end error recovery and flow control.
A5-268
Network layer creates a virtual circuit between the transport layer on the local device and on the remote device.
It understands IP addresses
and does routing and forwarding. It prepares the packet for the data link layer. :red_flag:
Data link layer: error detection takes place via the cyclic redundancy check (CRC)
A CRC can check a block of transmitted data. The sending workstation generates the CRC and transmits it with the data. The receiving workstation computes a CRC and compares it to the transmitted CRC. If both are equal, the block is assumed error-free. Unlike a parity check or echo check, multiple errors can be detected. In general, a CRC can detect all single-bit and double-bit errors.
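A worked CRC check, as an added example that is not part of these notes: the sender appends a CRC-32 (the polynomial Ethernet uses in its frame check sequence), the receiver recomputes it, and the helpers count how many single- and double-bit corruptions slip past it, with a single parity bit shown for contrast. The framing (little-endian FCS appended to the payload) is this example's own choice, not a wire format.

```python
# Added example (not from the notes): bitwise CRC-32 and what it does and does not catch.
import itertools

POLY_REFLECTED = 0xEDB88320  # CRC-32 (IEEE 802.3) generator polynomial, reflected form


def crc32(data: bytes) -> int:
    """CRC-32 computed one bit at a time (same result as zlib.crc32)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            # Shift one bit out; when a 1 falls off the end, "divide" by the polynomial.
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def build_frame(payload: bytes) -> bytes:
    """Sender: append the CRC the receiver will recompute and compare."""
    return payload + crc32(payload).to_bytes(4, "little")


def frame_is_clean(frame: bytes) -> bool:
    """Receiver: recompute the CRC over the payload and compare with the transmitted one."""
    payload, sent_crc = frame[:-4], int.from_bytes(frame[-4:], "little")
    return crc32(payload) == sent_crc


def flip_bits(frame: bytes, positions) -> bytes:
    """Simulate transmission errors by flipping the given bit positions."""
    buf = bytearray(frame)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def undetected_errors(payload: bytes, flips: int) -> int:
    """Count the combinations of `flips` flipped bits (anywhere in payload or CRC)
    that the receiver would wrongly accept. Exhaustive, so keep the payload short."""
    frame = build_frame(payload)
    nbits = len(frame) * 8
    return sum(1 for pos in itertools.combinations(range(nbits), flips)
               if frame_is_clean(flip_bits(frame, pos)))


def parity_misses_double_flip(payload: bytes) -> bool:
    """Contrast with a single parity bit over the block: two flipped bits leave the
    parity unchanged (undetected) while the CRC still catches them."""
    frame = build_frame(payload)
    parity = sum(bin(b).count("1") for b in frame) % 2
    corrupted = flip_bits(frame, (0, 9))
    parity_ok = sum(bin(b).count("1") for b in corrupted) % 2 == parity
    return parity_ok and not frame_is_clean(corrupted)


if __name__ == "__main__":
    sample = b"CISA ex"  # constructed payload
    print("undetected 1-bit errors:", undetected_errors(sample, 1))
    print("undetected 2-bit errors:", undetected_errors(sample, 2))
    print("parity misses a double flip the CRC catches:", parity_misses_double_flip(sample))
```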
Physical layer provides the hardware that transmits and receives the bit stream as electrical, optical or radio signals over an appropriate medium or carrier.
A5-269
A protocol
is an agreed-upon set of rules and procedures to follow when implementing the tasks associated with a given layer of the OSI model. The actual implementation of the functions defined in each layer is based on protocols developed for each layer.
5.5.7. Application of the OSI Model in Network Architectures
LAN
Copper (twisted-pair) cables should be shielded to avoid the effect of electromagnetic interference (EMI).
Electromagnetic emissions can be detected by sophisticated equipment and displayed. TEMPEST is a term referring to the investigation and study of compromising emanations: unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their content.
LAN components
Hubs
Physical layer devices that serve as the center of a star topology network or as a network concentrator. They can be active (if they repeat signals) or passive (if they merely split the signal).
Bridges
Data link layer devices; they connect LANs or create two separate LANs. Today they have more functionality, e.g. they can filter frames based on Layer 2 information, such as blocking frames based on the sender's MAC address.
Layer 2 switches
Data link layer devices that can divide and interconnect network segments and help reduce collision domains in Ethernet-based networks. They use more sophisticated data link layer protocols than bridges, implemented in special hardware: application-specific integrated circuits (ASICs).
Layer 3 switch
Network layer switch; by analyzing the IP addresses of sender and receiver it calculates the best transfer path, which practically creates a virtual circuit (the ability to segment a LAN within itself). A Layer 3 switch performs packet switching using an ASIC, whereas a router does so using a microprocessor.
Layer 4 switching
Transport layer switch that allows policy-based switching and can off-load servers by balancing traffic across a cluster of servers, based on individual session information and status. It uses port numbers from protocols such as User Datagram Protocol (UDP) or TCP.
Content switches - Layer 4 to 7 switches
Content switches, web switches or application switches are used for load balancing among groups of servers. They are also used to perform standard operations, such as SSL encryption/decryption, to reduce the load on the servers receiving the traffic and to centralize the management of digital certificates.
Repeaters
Physical layer device that extends the range of a network or connects two separate network segments
Routers
Network layer logical devices able to analyze IP addresses; the linked network segments remain separate, but because routers analyze every packet they can create a traffic bottleneck (unlike switches), so their placement in the network should be carefully considered.
Gateways
Protocol converters; they connect and convert between a LAN and the mainframe, or between LANs and the Internet, at the application layer. Most common gateway: System Network Architecture (SNA).
WAN
A5-268
Wireless Networks, WLAN
Q A5-147, A5-264
VPNs :black_flag:
test Qs A5-107, 109, 214
TCP/IP :black_flag:
HTTP is a protocol used to serve client-server requests, processed by the destination server, which provides the requested web page back to the client's web browser
Common Gateway Interface (CGI)
Processes input received from a client who typed information into a form on a web page; a CGI script is an executable, machine-independent software program that is run on the server and can be called and executed by a web server; a bug in it may allow a user access to the server and then to the organization's network
Public global Internet infrastructure
Network Administration and control
Applications in a network environment
on-demand computing
5.5.8 Network Infrastructure Security
Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense :!!:
Client-Server Security
Internet Security Controls
Firewalls security Systems :!:
Q A5-174, A5-221, A5-227,
A5-242
, A5-254, A5-258, A5-263
Firewall types
Packet Filtering Firewalls
first generation firewalls
Application Firewall Systems
application-level
circuit-level
Stateful Inspection Firewalls
register the IP addresses of responses, noting that a response arrives as a result of an internal request; they are much more efficient than application firewalls, but much more complex to administer.
Development and authorization of new changes, Q A5-265
5.5.9. Shadow IT
5.5.1. IS Network Infrastructure
Digital Networks
Switched circuit
circuit switching
Used over telephone network (POTS)
Integrated Services Digital Network (ISDN)
packet switching (network based)
Asynchronous transfer mode (ATM)
Frame relay
Switched Multimegabit Data Services (SMDS)
X.25
Dedicated circuit (leased line)
Analog telecommunication lines
Baseband :red_flag:
A baseband network is one that is usually shared with many other users and requires encryption of traffic but still may allow some traffic analysis by an attacker.
Broadband
The secure use of broadband communication is subject to whether the network is shared with other users, whether the data are encrypted, and the risk of network interruption.
5.6. Data Classification
DC Should define
Importance of the information asset
Information asset owner
Process for granting access
Person responsible for approving the access rights and access levels
Extent and depth of security controls
5.7. Data Encryption and Encryption-related Techniques
Used to
protect data in transit over networks from unauthorized interception and manipulation,
protect information stored on computers from unauthorized viewing and manipulation,
deter and detect accidental or intentional alterations of data,
verify authenticity of a transaction or document;
5.7.2. Symmetric key cryptographic system
Advantages: relatively short secret keys that are easy to remember; less complicated, so it uses less processing power; suited for bulk data encryption
Disadvantages: because the key is shared among at least two parties it cannot serve as a digital signature; key distribution is a risk, especially in e-commerce where customers are untrusted
5.7.3 Public (asymmetric) Key Cryptographic Systems, test Qs: A5-71, A5-88
The first widespread public key scheme was RSA, but it was slow, so elliptic curve cryptography (ECC) was introduced, with shorter keys and faster computation.
Quantum cryptography
Digital Signatures,
test Qs A5-85, A5-215, A5-230, A5-231, A5-249
In asymmetric public encryption, public key is used for encryption and private key for decryption. In digital signature this is other way around.
Replay attack
is when signed data is intercepted and sent again to the recipient. Solution: a signed timestamp or a counter may be attached to the document.
The integrity of the digitally signed message is ensured by attaching a message digest to the message; it should have the same value as the recalculated digest of the received message.
Digital Envelope
5.7.4. Applications of cryptographic systems
Transport Layer Security (TLS) :!: page 303
IP Security (Network Layer) :!:
Establishes a VPN: the data packet (the Encapsulating Security Payload, ESP) is encrypted for transport (confidentiality), then the Authentication Header (AH) is applied to the packet and both are encrypted to achieve a secure tunnel (nonrepudiation). For both modes a security association (SA) is established; to do that a unique identifier, the security parameter index (SPI), is defined in the sending host.
test Qs: A5-87
Secure Shell replaces Telnet; it is similar to a VPN and implemented at the application layer. Test Qs: A5-175, A5-233
SSH is a protocol that only encrypts data in transit to establish secure remote logon, it does not encrypt data at rest (including on USB). For that AES is used.
Secure Multipurpose Internet mail extensions (S/MIME)
Steganography
is a technique to protect intellectual property (digital rights management); it is applied to conceal the existence of messages or information within another message, e.g. digital watermarking, which hides data within data. This encodes rights information in an art piece without compromising its aesthetic qualities.
5.7.1 Key Elements of Encryption Systems
Encryption algorithm
AES (Advanced Encryption Standard) Q A5-233, A5-260
Encryption keys
Key length
Hashing vs Encryption, QA5-65 :!!:
5.8. Public Key Infrastructure
primarily used to gain assurance that protected data or services originated from a legitimate source. The process to ensure the validity of the subscriber identity by linking to the digital certificate/public key is strict and rigorous.
Public (digital) certificate of the subject authenticity,
Qs A5-84, A5-91, A5-203, A5-229, A5-230
Third party provides services of the authenticity verification: Certification authority (CA),
test Qs A5-69, A5-84, A5-86, A5-91, a5-111, A5-146, A5-158
CRL
Certificate revocation list: list of compromised certificates
CPS
Certificate practice statement: statement about the way a CA issues certificates
Self-signed digital certificates are not signed by a certificate authority and can be created by anyone. Thus, they can be used by attackers to impersonate a website, which may lead to data theft or a man-in-the-middle attack.
5.10. Virtualised Environments
Hypervisor Hosted
5.10.1. Key Risk Areas
5.10.2. Typical controls
Hypervisor on Bare Metal
5.11. Mobile, Wireless and Internet-of-things Devices
5.11.1 Mobile computing
A5-260
5.11.2. Wireless networks
5.11.3 Internet of things
5.2. Privacy principles
Changes that impact privacy Figure 5.3
Technology
Processes
People
Audit considerations for privacy
Privacy of person
Privacy of behaviour and action
Privacy of communication
Privacy of data and image (information)
Privacy of thoughts and feelings
Privacy of location and space (territorial)
Privacy of association
5.9. Web-based communication Technologies
5.9.1 Voice-over IP: must have a constant power source :!!:
test, A5-27,30, Qs A5-156, A5-271
Segregating the Voice-over Internet Protocol (VoIP) traffic using a VLAN would best protect the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (to ensure uptime).
The use of buffers at VoIP endpoints is a method to maintain call quality, not a security control.
The biggest threat to VoIP is distributed denial of service (DDoS), which would disrupt the organization's ability to communicate between offices.
VoIP uses standard network cabling, and typically each telephone gets power over the network cable (Power over Ethernet) from the wiring closet where the network switch is installed. If the local area network switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls.
On an Ethernet switch there is a data table known as the Address Resolution Protocol (ARP) cache, which stores the mapping between media access control (MAC) and IP addresses. During normal operation, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation, and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply flood the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker is connected, and thereby eavesdrop on Voice-over Internet Protocol (VoIP) calls.
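A host-side detection check for the ARP poisoning symptom described above, added here as an example and not part of the original notes: it parses two constructed `arp -a` style snapshots (all IPs and MACs are made up) and flags a MAC address that suddenly answers for several IPs, including the gateway and a VoIP phone, which is what a poisoned cache looks like from an endpoint.

```python
# Added example (not from the notes): spotting ARP poisoning symptoms in a host's ARP cache.
import re

# Two constructed snapshots in Linux `arp -a` format, taken a few minutes apart.
BEFORE = """\
gateway (192.168.10.1) at 00:11:22:33:44:01 [ether] on eth0
voip-phone-12 (192.168.10.35) at 00:11:22:33:44:35 [ether] on eth0
? (192.168.10.77) at 00:11:22:33:44:77 [ether] on eth0
"""
AFTER = """\
gateway (192.168.10.1) at 00:11:22:33:44:77 [ether] on eth0
voip-phone-12 (192.168.10.35) at 00:11:22:33:44:77 [ether] on eth0
? (192.168.10.77) at 00:11:22:33:44:77 [ether] on eth0
"""

ENTRY = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_arp_cache(text: str) -> dict:
    """Map IP -> MAC (lower-cased) from `arp -a` output; lines without a MAC (incomplete) are skipped."""
    return {ip: mac.lower() for ip, mac in ENTRY.findall(text)}


def shared_macs(table: dict) -> dict:
    """MAC -> sorted list of IPs, for every MAC that claims more than one IP.
    One MAC behind several IPs is the classic symptom of a poisoned cache, although a
    router with multiple addresses can look the same, so the result needs triage."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(before: dict, after: dict) -> list:
    """(ip, old_mac, new_mac) for each IP whose MAC changed between snapshots.
    A gateway or phone changing MAC without a hardware swap is the event to investigate."""
    return sorted((ip, before[ip], after[ip])
                  for ip in before.keys() & after.keys() if before[ip] != after[ip])


def arp_alerts(before_text: str, after_text: str, watched_ips=("192.168.10.1",)) -> list:
    """Combine both checks into alert strings, prioritising IPs the defender cares about
    (the default watched list is this example's assumption: the gateway)."""
    before, after = parse_arp_cache(before_text), parse_arp_cache(after_text)
    alerts = []
    for ip, old, new in changed_bindings(before, after):
        prefix = "HIGH" if ip in watched_ips else "INFO"
        alerts.append(f"{prefix}: {ip} moved from {old} to {new}")
    for mac, ips in shared_macs(after).items():
        alerts.append(f"WARN: {mac} now answers for {len(ips)} IPs: {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    for line in arp_alerts(BEFORE, AFTER):
        print(line)
```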
5.9.7. Cloud computing
Risks
Support for audit and forensic investigations
Hypervisor attacks
Collateral damage
Ease to contract SaaS
Exit strategy
Service oriented architecture (SOA)-related vulnerabilities
Identity and access management (IAM)
Lack of control of the release management process
Lack of visibility into software systems development life cycle (SDLC)
Application disposal
Multi-tenancy and isolation failure
Data disposal
A5-262
Physical security
Legal transborder requirements
Service Model
Infrastructure as a Service (IaaS)
Software as a Service (SaaS), Q: A5-202
Platform as a Service (PaaS)
5.9.6. Social Media
5.9.5 Instant messaging
5.9.4 Peer-to-Peer computing
A5-155
Peer-to-peer increases the risk of virus infection
It may use more network bandwidth, so it may create performance issues
It may be used to download or share unauthorized software, which users could install on their PCs unless other controls prevent it
Peer-to-peer can also share the contents of a user's hard drive over the Internet
The risk that sensitive data could be shared with others is of greatest concern
5.9.3 Email Security Issues
5.9.2. Private Branch Exchange (PBX)
Configuration
Hardening the system means configuring it in the most secure manner (install the latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and thus take control of the entire machine, jeopardizing the integrity of the OS.
The strongest control is a preventive control that is automated through the system.