CHAPTER 8 - Controls for Information Security - Coggle Diagram
Introduction
The Trust Services Framework organizes IT-related controls into five principles that jointly contribute to systems reliability:
1. Security—access (both physical and logical) to the system and its data is controlled and restricted to legitimate users.
2. Confidentiality—sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
3. Privacy—personal information about customers, employees, suppliers, or business partners is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
4. Processing Integrity—data are processed accurately, completely, in a timely manner, and only with proper authorization.
5. Availability—the system and its information are available to meet operational and contractual obligations.
Two Fundamental Information Security Concepts
SECURITY IS A MANAGEMENT ISSUE, NOT JUST A TECHNOLOGY ISSUE
Although effective information security requires the deployment of technological tools such as firewalls, antivirus, and encryption, senior management involvement and support throughout all phases of the security life cycle is absolutely essential for success.
Steps in the security life cycle:
1st - assess the information security-related threats that the organization faces and select an appropriate response.
2nd - develop information security policies and communicate them to all employees.
3rd - acquire or build the specific technological tools.
4th - regularly monitor performance to evaluate the effectiveness of the organization's information security program.
THE TIME-BASED MODEL OF INFORMATION SECURITY
Implementing a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.
defense-in-depth
- Employing multiple layers of controls to avoid a single point of failure.
Understanding Targeted Attacks
Basic steps criminals use to attack an organization's information system:
1. Conduct reconnaissance. Computer attackers begin by collecting information about their target. Perusing an organization's financial statements, Securities and Exchange Commission (SEC) filings, website, and press releases can yield much valuable information.
2. Attempt social engineering.
social engineering
- Using deception to obtain unauthorized access to information resources.
3. Scan and map the target. The attacker uses a variety of automated tools to identify computers that can be remotely accessed and the types of software they are running.
4. Research. Conduct research to find known vulnerabilities for those programs and learn how to take advantage of those vulnerabilities.
5. Execute the attack. The criminal takes advantage of a vulnerability to obtain unauthorized access to the target's information system.
6. Cover tracks. Most attackers attempt to cover their tracks and create “back doors” that they can use to obtain access if their initial attack is discovered and controls are implemented to block that method of entry.
Protecting Information Resources
IT SOLUTIONS:
ANTIMALWARE CONTROLS
Malware protection is listed as one of the keys to effective security, with the following specific recommendations:
● Malicious software awareness education
● Installation of antimalware protection tools on all devices
● Centralized management of patches and updates to antimalware software
● Regular review of new malware threats
● Filtering of incoming traffic to block potential sources of malware
● Training employees not to install shared or unapproved software
NETWORK ACCESS CONTROLS
PERIMETER DEFENSE: ROUTERS, FIREWALLS, AND INTRUSION PREVENTION SYSTEMS
border router
- A device that connects an organization's information system to the Internet.
firewall
- A special-purpose hardware device, or software running on a general-purpose computer, that controls both inbound and outbound communication between the system behind the firewall and other networks.
demilitarized zone (DMZ)
- A separate network located outside the organization's internal information system that permits controlled access from the Internet.
Routers
- Special-purpose devices that are designed to read the source and destination address fields in IP packet headers to decide where to send (route) the packet next.
Controlling Access by Filtering Packets
access control list (ACL)
- A set of IF-THEN rules used to determine what to do with arriving packets.
packet filtering
- A process that uses various fields in a packet’s IP and TCP headers to decide what to do with the packet.
deep packet inspection
- A process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers.
intrusion prevention systems (IPS)
- Software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks.
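Added example (not from the chapter or the Coggle diagram): a small Python packet filter that applies an ordered ACL of IF-THEN rules to the IP and TCP header fields of constructed sample packets, first match wins, with the implicit default deny that every ACL should end in. The Packet and Rule classes, the addresses and the rules are assumptions.

```python
# Added example, not from the chapter: a packet filter applying an ordered ACL.
# Packet/Rule fields, addresses and rules are assumptions (constructed sample).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str                # source IP address (IP header)
    dst: str                # destination IP address (IP header)
    proto: str              # "tcp" or "udp" (IP header protocol field)
    dport: int              # destination port (TCP/UDP header)
    new_conn: bool = False  # TCP SYN without ACK, i.e. a new inbound session

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src_net: str = "0.0.0.0/0"       # IF source address is in this network
    dst_net: str = "0.0.0.0/0"       # AND destination address is in this network
    proto: Optional[str] = None      # AND protocol matches (None = any)
    dport: Optional[int] = None      # AND destination port matches (None = any)
    new_conn: Optional[bool] = None  # AND session state matches (None = any)

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.new_conn is None or self.new_conn == p.new_conn))

# Constructed ACL for a border firewall facing the Internet. Rules are evaluated
# in order; the first match decides THEN what happens to the packet.
ACL: List[Rule] = [
    Rule("deny", src_net="10.0.0.0/8"),  # private source arriving from outside: spoofed
    Rule("permit", dst_net="192.0.2.10/32", proto="tcp", dport=443),  # DMZ web server
    Rule("permit", dst_net="192.0.2.20/32", proto="tcp", dport=25),   # DMZ mail relay
    Rule("deny", proto="tcp", new_conn=True),  # no other new inbound TCP sessions
]

def filter_packet(p: Packet, acl: List[Rule] = ACL) -> str:
    """Return 'permit' or 'deny' for a packet; unmatched packets are denied."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"  # implicit default deny at the end of every ACL

if __name__ == "__main__":
    print(filter_packet(Packet("198.51.100.7", "192.0.2.10", "tcp", 443, True)))
```

Deep packet inspection would go one step further and examine the TCP payload as well; this filter, like a classic packet-filtering router, looks only at the headers.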
Using Defense-in-Depth to Restrict Network Access.
Use multiple internal firewalls to segment different departments within the organization. Internal firewalls help to restrict what data and portions of the organization's information system particular employees can access; this matters because many security incidents involve employees, not outsiders.
SECURING WIRELESS ACCESS
The following procedures need to be followed to adequately secure wireless access:
● Turn on available security features. Most wireless equipment is sold and installed with these features disabled.
● Authenticate all devices attempting to establish wireless access to the network before assigning them an IP address. This can be done by treating incoming wireless connections
● Configure all authorized wireless devices to operate only in infrastructure mode, which forces the device to connect only to wireless access points.
● Use noninformative names for the access point's address, which is called a service set identifier (SSID). SSIDs such as “payroll,” “finance,” or “R&D” are more obvious targets to attack than devices with generic SSIDs such as “A1” or “X2.”
● Reduce the broadcast strength of wireless access points, locate them in the interior of the building, and use directional antennas to make unauthorized reception off-premises more difficult.
● Encrypt all wireless traffic. This is absolutely essential to protect the confidentiality and privacy of wireless communications.
DEVICE AND SOFTWARE HARDENING CONTROLS
ENDPOINT CONFIGURATION
Endpoints
- Collective term for the workstations, servers, printers, and other devices that comprise an organization’s network.
vulnerabilities
- Flaws in programs that can be exploited to either crash the system or take control of it.
vulnerability scanners
- Automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats.
exploit
- A program designed to take advantage of a known vulnerability.
patch
- Code released by software developers that fixes a particular vulnerability.
patch management
- The process of regularly applying patches and updates to software.
hardening
- The process of modifying the default configuration of endpoints to eliminate unnecessary settings and services.
USER ACCOUNT MANAGEMENT
Employees who need administrative powers on a particular computer should be assigned two accounts: one with administrative rights and another that has only limited privileges. These employees should be trained to log in under their limited account to perform routine daily duties and to log in to their administrative account only when they need to perform some action, such as installing new software, which requires administrative rights. It is especially important that the employee use a limited regular user account when browsing the web or reading e-mail.
SOFTWARE DESIGN
If a program does not carefully check the size of data being input, an attacker may enter many times the amount of data that was anticipated and overflow the buffer. The excess data may be written to an area of memory normally used to store and execute commands.
ENCRYPTION
Encryption provides a final layer of defense to prevent unauthorized access to sensitive information. Its importance lies in achieving the security principles of protecting the confidentiality of organizational information and the privacy of personal information collected from customers, employees, and business partners.
PROCESS:
USER ACCESS CONTROLS
AUTHENTICATION CONTROLS
Verifying the identity of the person or device attempting to access the system.
3 types of credentials can be used to verify a person's identity:
1. Something the person knows, such as passwords or personal identification numbers (PINs).
2. Something the person has, such as smart cards or ID badges.
3. Some physical or behavioral characteristic (referred to as a biometric identifier) of the person, such as fingerprints or typing patterns.
multifactor authentication
- The use of two or more types of authentication credentials in conjunction to achieve a greater level of security.
multimodal authentication
- The use of multiple authentication credentials of the same type to achieve a greater level of security.
AUTHORIZATION CONTROLS
The process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
access control matrix
- A table used to implement authorization controls.
compatibility test
- Matching the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.
PENETRATION TESTING
An authorized attempt to break into the organization’s information system.
CHANGE CONTROLS AND CHANGE MANAGEMENT
The formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability.
Characteristics of a well-designed change control and change management process include:
● Documentation of all change requests, identifying the nature of the change, its rationale, date of the request, and outcome of the request.
● Documented approval of all change requests by appropriate levels of management.
● Testing of all changes in a separate system.
● Conversion controls to ensure that data is accurately and completely transferred from the old to the new system.
● Updating of all documentation (program instructions, system descriptions, procedures manuals, etc.) to reflect the newly implemented changes.
● A special process for timely review, approval, and documentation of “emergency changes” as soon after the crisis as is practical.
● Development and documentation of “backout” plans to facilitate reverting to previous configurations if the new change creates unexpected problems.
● Careful monitoring and review of user rights and privileges during the change process to ensure that proper segregation of duties is maintained.
PEOPLE:
CREATION OF A “SECURITY-CONSCIOUS” CULTURE
To create a security-conscious culture in which employees comply with organizational policies, top management must not only communicate the organization's security policies, but must also lead by example.
TRAINING
Employees need to be trained to follow safe computing practices, such as never opening unsolicited e-mail attachments, using only approved software, not sharing passwords, taking steps to physically protect laptops, and not allowing other people to follow them through restricted access entrances (piggybacking).
Training of information security professionals is also important.
PHYSICAL SECURITY:
ACCESS CONTROLS
There should only be one regular entry point that remains unlocked during normal office hours. Fire codes usually require additional emergency exits, but these should not permit entry from the outside and should be connected to an alarm system that is automatically triggered whenever the fire exit is opened.
A receptionist or a security guard should be stationed at the main entrance to verify the identity of employees. Visitors should be required to sign in and be escorted by an employee wherever they go in the building.
Physical access to rooms housing computer equipment must also be restricted.
Access to the wiring used in the organization's LANs also needs to be restricted in order to prevent wiretapping.
Detecting Attacks
LOG ANALYSIS
The process of examining logs to identify evidence of possible attacks.
When a log records a failed log-on attempt, the goal of log analysis is to determine the reason for that failure.
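Added example (not from the chapter or the Coggle diagram): log analysis over constructed authentication log lines that sorts failed log-on attempts into a probable mistyped password, a single failure that still needs review, and repeated failures that should raise an alert. The log format, the field names and the alert threshold are assumptions.

```python
# Added example, not from the chapter: classify failed log-on attempts in a log.
# The line format, field names and the threshold are assumptions.
import re
from collections import defaultdict
from typing import Dict, Iterator, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)")

# Constructed sample log (not real data): one typo, one guessing run, one stray failure.
SAMPLE_LOG = """\
2024-05-01T08:01:12 LOGON FAILURE user=jsmith src=192.0.2.15
2024-05-01T08:01:30 LOGON SUCCESS user=jsmith src=192.0.2.15
2024-05-01T08:02:01 LOGON FAILURE user=admin src=198.51.100.9
2024-05-01T08:02:02 LOGON FAILURE user=admin src=198.51.100.9
2024-05-01T08:02:03 LOGON FAILURE user=admin src=198.51.100.9
2024-05-01T08:02:04 LOGON FAILURE user=admin src=198.51.100.9
2024-05-01T08:02:05 LOGON FAILURE user=admin src=198.51.100.9
2024-05-01T08:02:06 LOGON FAILURE user=admin src=198.51.100.9
2024-05-01T08:03:10 LOGON FAILURE user=bmoore src=192.0.2.40
"""

def parse(log: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(log: str, fail_threshold: int = 5) -> Dict[Tuple[str, str], str]:
    """Explain every (user, source) pair that had at least one failed log-on."""
    fails: Dict[Tuple[str, str], int] = defaultdict(int)
    succeeded = set()
    for e in parse(log):
        key = (e["user"], e["src"])
        if e["result"] == "FAILURE":
            fails[key] += 1
        elif key in fails:
            succeeded.add(key)  # a success that followed earlier failure(s)
    findings = {}
    for key, n in fails.items():
        if n >= fail_threshold:
            findings[key] = "alert: repeated failures, possible password guessing"
        elif key in succeeded:
            findings[key] = "likely mistyped password (followed by success)"
        else:
            findings[key] = "review: single failure, no later success"
    return findings
```

The same per-source and per-account counting is what an IDS or a continuous-monitoring dashboard does at scale; the threshold here is deliberately low so the constructed sample triggers it.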
INTRUSION DETECTION SYSTEMS
A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.
CONTINUOUS MONITORING
An important detective control that can identify potential problems in a timely manner and identify opportunities to improve existing controls.
Measuring compliance with policies is straightforward, but effectively monitoring performance requires judgment and skill.
Responding to Attacks
Computer Incident Response Team (CIRT)
- A team that is responsible for dealing with major security incidents.
The CIRT should lead the organization's incident response process through the following four steps:
1. Recognition that a problem exists. Typically, this occurs when an IPS or IDS signals an alert, but it can also be the result of log analysis by a systems administrator.
2. Containment of the problem. Once an intrusion is detected, prompt action is needed to stop it and to contain the damage.
3. Recovery. Damage caused by the attack must be repaired. This may involve eradicating any malware, restoring data from backup, and reinstalling corrupted programs.
4. Follow-up. Once recovery is in process, the CIRT should lead the analysis of how the incident occurred.
Chief Information Security Officer (CISO)
One way to make security a management responsibility is to create the position of CISO, who should be independent of other information systems functions and should report to either the chief operating officer (COO) or the chief executive officer (CEO).
The CISO must:
- understand the company's technology environment and work with the chief information officer (CIO) to design, implement, and promote sound security policies and procedures.
- also be an impartial assessor and evaluator of the IT environment.
- have responsibility for ensuring that vulnerability and risk assessments are performed regularly and that security audits are carried out periodically.
- work closely with the person in charge of physical security, because unauthorized physical access can allow an intruder to bypass the most elaborate logical access controls.
Security Implications of Virtualization, Cloud Computing, and the Internet of Things
Virtualization
- Running multiple systems simultaneously on one physical computer.
Cloud computing
- Using a browser to remotely access software, data storage, hardware, and applications.
Cloud computing can potentially generate significant cost savings.
Internet of Things (IoT)
- Refers to the embedding of sensors in a multitude of devices (lights, heating and air conditioning, appliances, etc.) so that those devices can now connect to the Internet.
Virtualization and cloud computing:
- alter the risk of some information security threats; although both can increase the risk of some threats, both developments also offer the opportunity to significantly improve overall security.
- can have either positive or negative effects on the overall level of information security, depending upon how well the organization or the cloud provider implements the various layers of preventive, detective, and corrective controls.