Controls for Information Security

1 Controls for Information Security
Chapter 8

2 Learning Objectives
- Explain how information security affects information systems reliability.
- Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.

4 Trust Services Framework
- Security: access to the system and data is controlled and restricted to legitimate users.
- Confidentiality: sensitive organizational data is protected.
- Privacy: personal information about trading partners, investors, and employees is protected.
- Processing integrity: data are processed accurately, completely, in a timely manner, and only with proper authorization.
- Availability: the system and its information are available.

5 FUNDAMENTAL INFORMATION SECURITY CONCEPTS
There are three fundamental information security concepts that will be discussed in this chapter:
- Security is a management issue, not a technology issue.
- The time-based model of security.
- Defense in depth.

6 Security is a management issue
The security life cycle (figure): security is a management issue, not a technology issue.

7 Security Approaches: Time-based model
Security is effective if:
P > D + C
where
- P is the time it takes an attacker to break through preventive controls,
- D is the time it takes to detect that an attack is in progress, and
- C is the time it takes to respond to the attack and take corrective action.

8 TIME-BASED MODEL OF SECURITY
EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures:
- Measure 1 would increase P by 5 minutes.
- Measure 2 would decrease D by 3 minutes.
- Measure 3 would decrease C by 5 minutes.
- Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.
Since each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed (D + C) by the maximum possible amount.)

9 TIME-BASED MODEL OF SECURITY
You may be able to solve this problem by eyeballing it. If not, one way to solve it is to assume some initial values for P, D, and C. So let’s assume that P = 15 min., D = 5 min., and C = 8 min.
- At our starting point: P – (D + C) = 15 – (5 + 8) = 2 min.
- With Measure 1, P is increased by 5 minutes: 20 – (5 + 8) = 7 min.
- With Measure 2, D is decreased by 3 minutes: 15 – (2 + 8) = 5 min.
- With Measure 3, C is decreased by 5 minutes: 15 – (5 + 3) = 7 min.
- With Measure 4, P is increased by 3 minutes and C is reduced by 3 minutes: 18 – (5 + 5) = 8 min.
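The slide's calculation, carried out in code as an added example (not part of the original presentation). It models P, D and C as a posture, applies each of the four measures as a delta, and ranks them by the resulting margin P – (D + C); the clamp on D and C is an added assumption so that a measure can never be credited with negative detection or response time.

```python
# Added example: the time-based model of security, P > D + C, applied to the
# four equal-cost measures from the slide. Not code from the original deck.
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    p: float  # minutes for an attacker to break through preventive controls
    d: float  # minutes to detect that an attack is in progress
    c: float  # minutes to respond to the attack and take corrective action


def margin(s: Posture) -> float:
    """P - (D + C): a positive margin means security is effective under the model."""
    return s.p - (s.d + s.c)


def is_effective(s: Posture) -> bool:
    return margin(s) > 0


# The four measures from the slide, expressed as deltas (minutes) to P, D and C.
MEASURES = {
    "Measure 1": {"p": +5},
    "Measure 2": {"d": -3},
    "Measure 3": {"c": -5},
    "Measure 4": {"p": +3, "c": -3},
}


def apply(s: Posture, deltas: dict) -> Posture:
    # Assumption added here: D and C are clamped at zero, since detection and
    # response cannot take negative time.
    return Posture(
        p=s.p + deltas.get("p", 0),
        d=max(0.0, s.d + deltas.get("d", 0)),
        c=max(0.0, s.c + deltas.get("c", 0)),
    )


def rank_measures(s: Posture) -> list:
    """Return [(measure name, resulting margin), ...] sorted best-first."""
    results = [(name, margin(apply(s, delta))) for name, delta in MEASURES.items()]
    return sorted(results, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    base = Posture(p=15, d=5, c=8)  # the slide's assumed starting values
    print(f"baseline margin: {margin(base)} min")
    for name, m in rank_measures(base):
        print(f"{name}: margin {m} min")
```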

10 Security Approaches Defense-in-depth
Multiple layers of control (preventive, detective, and corrective) to avoid a single point of failure

11 How to Mitigate Risk of Attack
Preventive Controls:
- People
- Process
- IT Solutions
- Physical security
- Change controls and change management
Detective Controls:
- Log analysis
- Intrusion detection systems
- Penetration testing
- Continuous monitoring

12 Preventive: People
Culture of security: tone set at the top by management.
Training: follow safe computing practices.
- Never open unsolicited attachments
- Use only approved software
- Do not share passwords
- Physically protect laptops/cellphones
- Protect against social engineering

13 Preventive: Process
Authentication verifies the person, using:
- Something the person knows
- Something the person has
- Some biometric characteristic
- A combination of all three (multifactor)

14 Preventive: Process
Authorization determines what a person can access and what actions they are permitted to perform. Authorization controls are implemented by creating an access control matrix, which specifies what part of the IS a user can access and what actions they are permitted to perform. When an employee tries to access a particular resource, the system performs a compatibility test that matches the user’s authentication credentials against the matrix to determine if the action should be allowed.

15 Access control matrix questions
- Which programs can user 12354 access?
- Who has the authority to delete Program 2?
- Which files can user access?
- Which programs can user access?
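An access control matrix and the compatibility test described on slide 14, with helpers that answer the kind of questions slide 15 asks, as an added example (not from the original deck). The matrix contents, user IDs other than 12354, and resource names are constructed for illustration.

```python
# Added example: access control matrix with a default-deny compatibility test.
# The matrix below is constructed sample data, not the figure from the slides.
from typing import Dict, FrozenSet, Set

# Rows are authenticated user IDs, columns are resources, cells hold the
# permitted actions. A missing cell means no access of any kind.
ACCESS_MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "12354": {
        "Program 1": frozenset({"execute"}),
        "File A": frozenset({"read", "write"}),
    },
    "12355": {  # constructed second user
        "Program 1": frozenset({"execute"}),
        "Program 2": frozenset({"execute", "delete"}),
        "File A": frozenset({"read"}),
    },
}


def is_authorized(matrix, user_id: str, resource: str, action: str) -> bool:
    """Compatibility test: allow only if the (user, resource) cell lists the action."""
    return action in matrix.get(user_id, {}).get(resource, frozenset())


def resources_of_kind(matrix, user_id: str, kind: str) -> Set[str]:
    """Answer 'Which programs (or files) can user X access?'"""
    return {r for r in matrix.get(user_id, {}) if r.startswith(kind)}


def who_can(matrix, resource: str, action: str) -> Set[str]:
    """Answer 'Who has the authority to delete Program 2?'"""
    return {u for u, row in matrix.items() if action in row.get(resource, frozenset())}


def handle_request(matrix, user_id: str, resource: str, action: str) -> str:
    # Default deny: an unknown user, resource or action falls through to DENY.
    # Every decision is returned as an audit-trail line so log analysis can
    # later review both allowed and refused attempts.
    decision = "ALLOW" if is_authorized(matrix, user_id, resource, action) else "DENY"
    return f"{decision} user={user_id} resource={resource!r} action={action}"
```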

16 Preventive: IT Solutions
Antimalware controls:
- Education
- Protection on all devices
- Centralized patch management
- Regular review of threats
- Filtering of incoming traffic
- Training employees

17 Preventive: IT Solutions
Network access controls. Information sent over the Internet is governed by TCP/IP, two protocols for transmitting information over the Internet:
- Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into packets and for reassembly at the destination.
- Internet Protocol (IP) specifies the structure of the packets and how to route them to the proper destination.
Every IP packet consists of two parts:
- Header: contains the packet’s origin and destination addresses, as well as information about the type of data contained in the body.
- Body.

18 Routers read the destination address fields in packet headers to decide where to send (route) the packet next. A device called a border router connects an organization’s information system to the Internet. An organization’s border router checks the contents of the destination address field of every packet it receives. If the address is not that of the organization, the packet is forwarded to another router on the Internet. If the destination address matches the organization, the packet undergoes one or more tests before being allowed in.

19 Behind the border router is the main firewall, either a special-purpose hardware device or software running on a general purpose computer. Like the border router, firewalls determine what to do with each packet. Firewalls are designed to act as filters and only permit packets that meet specific conditions to pass. Firewalls don’t block all traffic, but only filter it. Certain traffic passes through.

20 Access Control List (ACL)
- Static packet filtering / deep packet inspection
Demilitarized Zone (DMZ): a separate network that permits controlled access from the Internet to selected resources.
Intrusion Prevention Systems (IPS): monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.
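The border router and static packet filtering described on slides 18 to 20, as an added example (not from the original deck): a packet is forwarded if it is not addressed to the organization, otherwise it is checked against an ordered ACL that ends in an implicit deny. The address ranges, the rules, and the DMZ host addresses are constructed for illustration.

```python
# Added example: border-router routing decision followed by a static packet
# filter (ACL). Addresses are constructed from documentation ranges.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ORG_NET = ipaddress.ip_network("203.0.113.0/24")  # constructed organization range


@dataclass(frozen=True)
class Packet:  # only the header fields the filter inspects
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed ACL, evaluated top to bottom, first match wins:
# 1. packets arriving from the Internet that claim an internal source are dropped;
# 2. anyone may reach the DMZ web server on TCP 443;
# 3. only the admin subnet may reach the management host on TCP 22.
ACL: List[Rule] = [
    Rule("deny", "203.0.113.0/24", "0.0.0.0/0"),
    Rule("permit", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),
    Rule("permit", "198.51.100.0/24", "203.0.113.20/32", "tcp", 22),
]


def route_or_filter(pkt: Packet, acl: List[Rule] = ACL) -> str:
    """Border router step: forward if not addressed to us, else apply the ACL."""
    if ipaddress.ip_address(pkt.dst) not in ORG_NET:
        return "forward"
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit deny-all at the end of the list
```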

21 Preventive: IT Solutions
Device and software hardening controls. Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as endpoints) that comprise the organization’s network. Three areas deserve special attention:
- Endpoint configuration
- User accounts
- Software design

22 Endpoint Configuration
Endpoints can be made more secure by modifying their configurations. Default configurations of most devices typically turn on a large number of optional settings that are seldom, if ever, used. Default installations of many operating systems turn on many special-purpose programs, called services, which are not essential. Turning on unnecessary features and extra services:
- Maximizes the likelihood of successful installation without the need for customer support.
- But the cost is that it creates security weaknesses.

23 Managing User Accounts and Privileges
User accounts must be carefully managed, especially when they have unlimited (administrative) rights on the computer. Users who need administrative powers on a particular computer should be assigned two accounts:
- One with administrative rights
- One with limited privileges
Users should log in under the limited account to perform routine duties. They should be logged into their limited account when browsing the web or reading e-mail. If they visit a compromised website or open an infected e-mail attachment, the attacker will only acquire limited rights.

24 Software Design
Controls are also needed over in-house development and modification of programs, because poorly written code can be exploited to give attackers administrative privileges. Some common input-related vulnerabilities:
- Buffer overflow attack
- SQL injection
- Cross-site scripting

25 Preventive: IT Solutions
Encryption (covered in Chapter 9)

26 Preventive: Physical security
Within a few minutes, a skilled attacker with unsupervised direct physical access to the system can successfully obtain access to sensitive data. Physical access control begins with entry points to the building itself.
- There should be one regular entry point, unlocked during normal office hours.
- Fire codes require emergency exits. These should not permit entry from outside and should be connected to an alarm that is triggered if someone leaves through the exit.
- A receptionist or security guard should be stationed at the main entrance of the building to verify the identity of employees and to require that visitors sign in and be escorted to their destination.

27 Once inside the building, physical access to rooms housing computer equipment must be restricted.
Access to wiring used in LANs must be restricted to prevent wiretapping:
- Cables and wiring should not be exposed in areas accessible to casual visitors.
- Wall jacks not in use should be physically disconnected from the network.
- Wiring closets should be securely locked.
- If shared with other tenants of a building, the telecommunications equipment should be placed inside locked steel cages.

28 Laptops, cell phones, and PDA devices require special attention.
Laptop theft is a major problem, and the major cost is not the price of the laptop but the loss of the confidential information and the costs of notifying those affected. To deal with laptop theft, employees should be trained to lock their laptops to an immovable object. Sensitive data should only be stored on removable media, not the hard drive, and special care should be taken to restrict access to the removable media.

29 Preventive: Change controls
Change controls and change management Formal processes in place regarding changes made to hardware, software, or processes

30 Detective: Log Analysis
Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. Logs form an audit trail of system access, but they are of value only if routinely examined. Log analysis is the process of examining logs to monitor security.

31 Log analysis should be done regularly to detect problems in a timely manner.
This is not easy because logs can quickly grow in size, so system administrators use software tools to efficiently strip out routine log entries so that they can focus their attention on anomalous behavior. They also supplement log analysis with software tools called intrusion detection systems to automate the monitoring process.
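Slides 30 and 31 describe stripping routine entries from a log so that anomalous behavior stands out. The following added example (not from the original deck) does exactly that over a constructed, syslog-style authentication log: it parses each line, discards successful internal logins as routine, counts failures per source address, and reports sources that exceed a threshold along with any line it could not parse. The log lines, the internal address range and the threshold are all constructed assumptions.

```python
# Added example: routine-entry stripping and anomaly flagging over a
# constructed authentication log. Not code from the original presentation.
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log (syslog-like); not captured from any real system.
SAMPLE_LOG = """\
Mar 03 08:01:11 host1 login: Accepted password for alice from 10.0.0.5
Mar 03 08:01:40 host1 login: Accepted password for bob from 10.0.0.6
Mar 03 08:02:02 host1 login: Failed password for root from 198.51.100.9
Mar 03 08:02:03 host1 login: Failed password for root from 198.51.100.9
Mar 03 08:02:04 host1 login: Failed password for admin from 198.51.100.9
Mar 03 08:02:05 host1 login: Failed password for root from 198.51.100.9
Mar 03 08:02:07 host1 login: Failed password for root from 198.51.100.9
Mar 03 08:05:00 host1 login: Accepted password for carol from 10.0.0.7
Mar 03 08:06:13 host1 login: Failed password for dave from 10.0.0.8
Mar 03 08:06:20 host1 login: Accepted password for dave from 10.0.0.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ login: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)
INTERNAL_PREFIX = "10.0.0."  # assumed internal address range


def parse(log: str) -> List[Dict[str, str]]:
    """Parse lines; a line that does not match is kept as an anomaly, not dropped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        events.append(m.groupdict() if m else {"result": "Unparsed", "raw": line})
    return events


def strip_routine(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Routine = successful login from an internal address; everything else stays."""
    return [e for e in events
            if not (e.get("result") == "Accepted" and e.get("src", "").startswith(INTERNAL_PREFIX))]


def failed_by_source(events: List[Dict[str, str]]) -> Counter:
    return Counter(e["src"] for e in events if e.get("result") == "Failed")


def flag_anomalies(events: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Sources at or above the failure threshold, plus any lines that did not parse."""
    findings = [f"{src}: {n} failed logins"
                for src, n in failed_by_source(events).items() if n >= threshold]
    findings += [f"unparsed: {e['raw']}" for e in events if e.get("result") == "Unparsed"]
    return findings
```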

32 Detective: Intrusion Detection
An IDS creates a log of network traffic that was permitted to pass the firewall and analyzes that log for signs of attempted or successful intrusions. The most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks. An alternative technique builds a model representing “normal” network traffic and uses various statistical techniques to identify unusual behavior.

33 Detective: Penetration Testing
Penetration testing provides a rigorous way to test the effectiveness of an organization’s computer security. This testing involves an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s IS, for example:
- Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers.
- Climbing through roof hatches and dropping through ceiling panels.
Some claim they can get into 90% or more of the companies they attack.

34 Detective: Continuous Monitoring
- Employee compliance with security policies
- Performance of business processes

35 Corrective: Computer Incident Response Team (CIRT)
Responsible for dealing with major incidents. Should include technical specialists and senior operations management. Response process:
- Recognize
- Contain
- Recover
- Follow-up

36 Corrective: Chief Information Security Officer (CISO)
- Should be independent of other IS functions and report to either the COO or CEO.
- Must understand the company’s technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
- Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions.
- Works with the person in charge of building security, as that is often the entity’s weakest link.
- Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO’s security measures.

37 Corrective: Patch management
Once a vulnerability is discovered, hackers usually publish instructions for taking advantage of it (known as exploits) on the Internet. Although it takes skill to discover the exploit, once published, it can be executed by almost anyone. A patch is code released by software developers to fix vulnerabilities that have been discovered. Patch management is the process for regularly applying patches and updates to all of an organization’s software.

38 New Considerations: Virtualization, Cloud Computing, Risks
Virtualization: multiple systems are run on one computer.
Cloud Computing: remotely accessed resources, such as
- Software applications
- Data storage
- Hardware
Risks:
- Increased exposure if a breach occurs
- Reduced authentication standards
Opportunities: implementing strong access controls in the cloud, or over the server that hosts a virtual network, provides good security over all the systems contained therein.