CHAPTER 8 : CONTROLS FOR INFORMATION SECURITY - Coggle Diagram
Protecting Information Resources
6. IT SOLUTIONS: ANTIMALWARE CONTROLS
a. Malicious software awareness education
b. Installation of antimalware protection tools on all devices
c. Centralized management of patches and updates to antimalware software
d. Regular review of new malware threats
e. Filtering of incoming traffic to block potential sources of malware
f. Training employees not to install shared or unapproved software
7. IT SOLUTIONS: NETWORK ACCESS CONTROLS
Controlling Access by Filtering Packets
packet filtering
- A process that uses various fields in a packet’s IP and TCP headers to decide what to do with the packet.
deep packet inspection
- A process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers.
access control list (ACL)
- A set of IF-THEN rules used to determine what to do with arriving packets.
intrusion prevention systems (IPS)
- Software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks.
Using Defense-in-Depth to Restrict Network Access
Most organizations use border routers to quickly filter out obviously bad packets and pass the rest to the main firewall.
The main firewall does more detailed checking, and then other firewalls perform deep packet inspection to more fully protect specific devices such as the organization’s web server and e-mail server.
The use of multiple perimeter filtering devices is more efficient and effective than relying on only one device.
In addition, an IPS monitors the traffic passed by the firewalls to identify and block suspicious network traffic patterns that may indicate that an attack is in progress.
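As an added illustration (not part of the chapter or the Coggle diagram), here is a small packet filter that evaluates an ACL of IF-THEN rules against IP/TCP header fields with first-match semantics and an implicit deny. The addresses, rule set and packets are constructed for the example; the border router's anti-spoofing denies are placed ahead of the permits to show why rule order matters.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (constructed sample input)."""
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt

@dataclass(frozen=True)
class Rule:
    """One IF-THEN entry of the ACL; None means 'any'."""
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    new_conn: Optional[bool] = None  # True: SYN only, False: established only

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.new_conn is None or self.new_conn == p.syn))

def evaluate(acl: list, p: Packet) -> str:
    """First matching rule wins; a packet that matches nothing is implicitly denied."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

# Constructed border-router ACL protecting a DMZ at 203.0.113.0/24 (documentation
# range). Anti-spoofing denies come first: a packet arriving from the Internet that
# claims a private source address can never be legitimate, whatever it asks for.
BORDER_ACL = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("deny", src="192.168.0.0/16"),
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=443),  # web server
    Rule("permit", dst="203.0.113.25/32", proto="tcp", dport=25),   # mail server
    Rule("permit", proto="tcp", new_conn=False),  # replies to sessions opened inside
]
```

Moving the two deny rules below the permits would let the spoofed packet in the test reach the web server, which is the ordering mistake the example is meant to make visible.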
PERIMETER DEFENSE: ROUTERS, FIREWALLS, AND INTRUSION PREVENTION SYSTEMS
firewall
- A special-purpose hardware device or software running on a general-purpose computer that controls both inbound and outbound communication between the system behind the firewall and other networks.
demilitarized zone (DMZ)
- A separate network located outside the organization’s internal information system that permits controlled access from the Internet.
border router
- A device that connects an organization’s information system to the Internet.
routers
- Special-purpose devices that are designed to read the source and destination address fields in IP packet headers to decide where to send (route) the packet next.
SECURING WIRELESS ACCESS
Many organizations also provide wireless access to their information systems. Wireless access is convenient and easy, but it also provides another venue for attack and extends the perimeter that must be protected.
For example, a number of companies have experienced security incidents in which intruders obtained unauthorized wireless access to the organization’s corporate network from a laptop while sitting in a car parked outside the building.
5. PROCESS: CHANGE CONTROLS AND CHANGE MANAGEMENT
change control and change management
- The formal process used to ensure that modifications to hardware, software, or processes do not reduce system reliability.
4. PROCESS: PENETRATION TESTING
penetration test
- An authorized attempt to break into the organization’s information system.
8. IT SOLUTIONS: DEVICE AND SOFTWARE HARDENING CONTROLS
vulnerabilities
- Flaws in programs that can be exploited to either crash the system or take control of it.
vulnerability scanners
- Automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats.
ENDPOINT CONFIGURATION
- Endpoints can be made more secure by modifying their configurations. Default configurations of most devices typically turn on a large number of optional settings that are seldom, if ever, used.
exploit
- A program designed to take advantage of a known vulnerability
endpoints
- Collective term for the workstations, servers, printers, and other devices that comprise an organization’s network.
patch
- Code released by software developers that fixes a particular vulnerability.
patch management
- The process of regularly applying patches and updates to software.
hardening
- The process of modifying the default configuration of endpoints to eliminate unnecessary settings and services.
USER ACCOUNT MANAGEMENT
- It is important to change the default passwords on all administrative accounts that are created during initial installation of any software or hardware, because those account names and their default passwords are publicly available on the Internet and thus provide attackers with an easy way to compromise a system.
SOFTWARE DESIGN
- As organizations have increased the effectiveness of their perimeter security controls, attackers have increasingly targeted vulnerabilities in application programs. Buffer overflows, SQL injection, and cross-site scripting are common examples of attacks against the software running on websites. These attacks all exploit poorly written software that does not thoroughly check user-supplied input prior to further processing.
3. PROCESS: USER ACCESS CONTROLS
a. AUTHENTICATION CONTROLS
Authentication is the process of verifying the identity of the person or device attempting to access the system. The objective is to ensure that only legitimate users can access the system. Three types of credentials can be used to verify a person’s identity:
- Something the person knows, such as passwords or personal identification numbers (PINs).
- Something the person has, such as smart cards or ID badges.
- Some physical or behavioral characteristic (referred to as a biometric identifier) of the person, such as fingerprints or typing patterns.
multimodal authentication
- The use of multiple authentication credentials of the same type to achieve a greater level of security.
multifactor authentication
- The use of two or more types of authentication credentials in conjunction to achieve a greater level of security.
b. AUTHORIZATION CONTROLS
access control matrix
- A table used to implement authorization controls.
compatibility test
- Matching the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.
authorization
- The process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
9. IT SOLUTIONS: ENCRYPTION
Encryption provides a final layer of defense to prevent unauthorized access to sensitive information.
2. PEOPLE: TRAINING
Security awareness training is important for senior management, too, because in recent years many social engineering attacks, such as spear phishing, have been targeted at them.
Training of information security professionals is also important. New developments in technology continuously create new security threats and make old solutions obsolete.
All employees should be taught why security measures are important to the organization’s long-run survival.
An organization’s investment in security training will be effective only if management clearly demonstrates that it supports employees who follow prescribed security policies.
10. PHYSICAL SECURITY: ACCESS CONTROLS
A skilled attacker needs only a few minutes of unsupervised direct physical access in order to bypass existing information security controls.
For example, an attacker with unsupervised direct physical access can install a keystroke logging device that captures a user’s authentication credentials, thereby enabling the attacker to subsequently obtain unauthorized access to the system by impersonating a legitimate user.
1. PEOPLE: CREATION OF A “SECURITY-CONSCIOUS” CULTURE
Employees are more likely to comply with information security policies when they see their managers do so.
Conversely, if employees observe managers violating an information security policy, for example by writing down a password and affixing it to a monitor, they are likely to imitate that behavior.
To create a security-conscious culture in which employees comply with organizational policies, top management must not only communicate the organization’s security policies, but must also lead by example.
Two Fundamental Information Security Concepts
1. SECURITY IS A MANAGEMENT ISSUE, NOT JUST A TECHNOLOGY ISSUE
1. Assess threats & select risk response
- Assess the information security-related threats that the organization faces and select an appropriate response.
2. Develop and communicate policy
- Involves developing information security policies and communicating them to all employees. Senior management must participate in developing policies because they must decide the sanctions they are willing to impose for noncompliance.
3. Acquire & implement solutions
- Involves the acquisition or building of specific technological tools. Senior management must authorize investing the necessary resources to mitigate the threats identified and achieve the desired level of security.
4. Monitor performance
- Evaluate the effectiveness of the organization’s information security program. Advances in IT create new threats and alter the risks associated with old threats.
2. THE TIME-BASED MODEL OF INFORMATION SECURITY
defense-in-depth
- Employing multiple layers of controls to avoid a single point of failure.
time-based model of security
- Implementing a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.
Detecting Attacks
1. LOG ANALYSIS
The process of examining logs to identify evidence of possible attacks.
2. INTRUSION DETECTION SYSTEMS
A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.
3. CONTINUOUS MONITORING
Organizations should continuously monitor both employee compliance with the organization’s information security policies and the overall performance of business processes. Such monitoring is an important detective control that can identify potential problems in a timely manner and identify opportunities to improve existing controls.
4. CHIEF INFORMATION SECURITY OFFICER (CISO)
It is especially important that organizations assign responsibility for information security to someone at an appropriate senior level of management, because organizations that do so are more likely to have a well-trained incident response team than organizations that do not make someone accountable for information security.
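As an added example (not from the chapter), log analysis in the sense described in this section: a parser for constructed, syslog-style firewall records of permitted and denied traffic, a detector that flags a source probing many ports on one host, and a second check for a probing source that was later permitted through. The log format, host name and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log sample for the demonstration (not real traffic).
SAMPLE_LOG = """\
Mar 03 10:01:02 fw1 PERMIT src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=443
Mar 03 10:02:10 fw1 DENY src=192.0.2.99 dst=203.0.113.10 proto=tcp dport=21
Mar 03 10:02:11 fw1 DENY src=192.0.2.99 dst=203.0.113.10 proto=tcp dport=22
Mar 03 10:02:11 fw1 DENY src=192.0.2.99 dst=203.0.113.10 proto=tcp dport=23
Mar 03 10:02:12 fw1 DENY src=192.0.2.99 dst=203.0.113.10 proto=tcp dport=3389
Mar 03 10:02:12 fw1 DENY src=192.0.2.99 dst=203.0.113.10 proto=tcp dport=8080
Mar 03 10:02:14 fw1 PERMIT src=192.0.2.99 dst=203.0.113.10 proto=tcp dport=443
Mar 03 10:03:00 fw1 PERMIT src=198.51.100.8 dst=203.0.113.25 proto=tcp dport=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<action>PERMIT|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

def parse_log(text: str) -> list:
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def find_port_scans(events: list, min_ports: int = 5) -> dict:
    """A source that is denied on many distinct ports of one host is probing it.
    Returns {(src, dst): sorted list of probed ports}."""
    probed = defaultdict(set)
    for ev in events:
        if ev["action"] == "DENY":
            probed[(ev["src"], ev["dst"])].add(ev["dport"])
    return {k: sorted(v) for k, v in probed.items() if len(v) >= min_ports}

def scans_followed_by_permit(events: list, min_ports: int = 5) -> list:
    """Higher-priority finding: a probing source later received a PERMIT to the
    same host, so that permitted session deserves a closer look."""
    scans = find_port_scans(events, min_ports)
    return sorted({(ev["src"], ev["dst"]) for ev in events
                   if ev["action"] == "PERMIT" and (ev["src"], ev["dst"]) in scans})
```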
Understanding Targeted Attacks
1. Conduct reconnaissance - Bank robbers usually do not just drive up to a bank and attempt to rob it. Instead, they first study their target’s physical layout to learn about the controls it has in place (alarms, number of guards, placement of cameras, etc.).
2. Attempt social engineering - Attackers will often try to use the information obtained during their initial reconnaissance to “trick” an unsuspecting employee into granting them access. Such use of deception to obtain unauthorized access to information resources is referred to as social engineering.
3. Scan and map the target - If an attacker cannot successfully penetrate the target system via social engineering, the next step is to conduct more detailed reconnaissance to identify potential points of remote entry.
4. Research - Once the attacker has identified specific targets and knows what versions of software are running on them, the next step is to conduct research to find known vulnerabilities for those programs and learn how to take advantage of those vulnerabilities.
5. Execute the attack - The criminal takes advantage of a vulnerability to obtain unauthorized access to the target’s information system.
6. Cover tracks - After penetrating the victim’s information system, most attackers attempt to cover their tracks and create “back doors” that they can use to obtain access if their initial attack is discovered and controls are implemented to block that method of entry.
Security Implications of Virtualization, Cloud Computing, and the Internet of Things
cloud computing
- Using a browser to remotely access software, data storage, hardware, and applications.
virtualization
- Running multiple systems simultaneously on one physical computer.
Responding to Attacks
computer incident response team (CIRT)
- A team that is responsible for dealing with major security incidents.
The CIRT should lead the organization’s incident response process through the following four steps:
1. Recognition that a problem exists.
Typically, this occurs when an IPS or IDS signals an alert, but it can also be the result of log analysis by a systems administrator.
2. Containment of the problem.
Once an intrusion is detected, prompt action is needed to stop it and to contain the damage.
3. Recovery.
Damage caused by the attack must be repaired. This may involve eradicating any malware, restoring data from backups, and reinstalling corrupted programs.