chapter 8_slater.pptx
TRANSCRIPT
Chapter 8: Information Systems Controls for System Reliability — Part 1: Information Security
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
Learning Objectives
Discuss how the COBIT framework can be used to develop sound internal control over an organization’s information systems.
Explain the factors that influence information systems reliability.
Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.
AIS Controls
COSO and COSO-ERM address general internal control
COBIT addresses information technology internal control
[Figure: COBIT Framework (2007 IT Governance Institute, www.itgi.org). Business Objectives drive the IT Life Cycle (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate), which is applied to IT Resources (Application systems, Information, Infrastructure, People) and judged against the Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.]
Information for Management Should Be:
Effectiveness: Information must be relevant and timely.
Efficiency: Information must be produced in a cost-effective manner.
Confidentiality: Sensitive information must be protected from unauthorized disclosure.
Integrity: Information must be accurate, complete, and valid.
Availability: Information must be available whenever needed.
Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
COBIT and Trust Frameworks
The COBIT Framework provides comprehensive guidance for controlling and managing IS.
COBIT specifies detailed control objectives for 34 IT processes (figure 8-1).
Auditors are only interested in a subset of COBIT, because SOX only addresses the issue of system reliability for financial statements.
The Trust Services Framework developed by the AICPA and CICA (Canadian) relates to systems reliability (security, confidentiality, privacy, process integrity, availability).
Trust Services Framework
The five basic principles that contribute to systems reliability:
Security
• Access to the system and its data is controlled.
Confidentiality
• Sensitive information is protected from unauthorized disclosure.
Privacy
• Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.
Processing integrity
• Data is processed:
– Accurately
– Completely
– In a timely manner
– With proper authorization
Availability
• The system is available to meet operational and contractual obligations.
[Figure: Systems Reliability rests on Security as its foundation, which supports Confidentiality, Privacy, Processing Integrity, and Availability.]
Trust Services Framework
Note the importance of security in this picture. It is the foundation of systems reliability.
Security procedures:
• Restrict system access to only authorized users and protect:
– The confidentiality of sensitive organizational data.
– The privacy of personal identifying information collected from customers.
• Provide for processing integrity by preventing:
– Submission of unauthorized or fictitious transactions.
– Unauthorized changes to stored data or programs.
• Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.
FUNDAMENTAL INFORMATION SECURITY CONCEPTS
There are two fundamental information security concepts that will be discussed in this chapter:
• Security is a management issue, not a technology issue.
• Defense in depth and the time-based model of security.
Security / Systems Reliability
• Security is the foundation of the Trust Services Framework.
• Security is a management issue, not a technology issue.
• SOX 302 states that the CEO and the CFO are responsible for certifying that the financial statements fairly present the results of the company’s activities.
• The accuracy of an organization’s financial statements depends upon the reliability of its information systems.
Management’s Role in IS Security
Table 8-1
• Create a security-aware culture
• Inventory and value company information resources
• Assess risk, select risk response
• Develop and communicate security plans, policies, and procedures
• Acquire and deploy IT security resources
• Monitor and evaluate effectiveness
TIME-BASED MODEL OF SECURITY
The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.
All three types of controls are necessary:
Preventive
• Limit actions to those in accord with the organization’s security policy and disallow all others.
Detective
• Identify when preventive controls have been breached.
Corrective
• Repair damage from problems that have occurred.
• Improve preventive and detective controls to reduce the likelihood of similar incidents.
TIME-BASED MODEL OF SECURITY
The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables:
P = Time it takes an attacker to break through the organization’s preventive controls.
D = Time it takes to detect that an attack is in progress.
C = Time to respond to the attack.
These three variables are evaluated as follows: If P > (D + C), then security procedures are effective. Otherwise, security is ineffective.
DEFENSE IN DEPTH
The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure.
If one layer fails, another may function as planned.
Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.
Redundancy also applies to detective and corrective controls.
DEFENSE IN DEPTH
Major types of preventive controls used for defense in depth include:
• Authentication controls (passwords, tokens, biometrics, MAC addresses)
• Authorization controls (access control matrices and compatibility tests)
• Training
• Physical access controls (locks, guards, biometric devices)
• Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)
• Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)
• Encryption
DEFENSE IN DEPTH
Major types of detective controls used for defense in depth include:
• Log analysis
• Intrusion detection systems
• Managerial reports
• Security testing (vulnerability scanners, penetration tests, war dialing)
DEFENSE IN DEPTH
Major types of corrective controls used for defense in depth include:
• Computer incident response teams (CIRT)
• Chief Information Security Officer (CISO)
• Patch management
PREVENTIVE CONTROLS
The objective of preventive controls is to prevent security incidents from happening.
This involves two related functions:
• Authentication: Focuses on verifying the identity of the person or device attempting to gain access.
• Authorization: Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.
PREVENTIVE CONTROLS
Users can be authenticated by verifying:
• Something they know, such as passwords or PINs.
• Something they have, such as smart cards or ID badges.
• Some physical characteristic (biometric identifier), such as fingerprints or voice.
PREVENTIVE CONTROLS
Passwords are probably the most commonly used authentication method and also the most controversial. An effective password must satisfy a number of requirements:
• Length
• Multiple character types
• Random
• Secret
PREVENTIVE CONTROLS
Each authentication method has its limitations.
Passwords
• Can be guessed, lost, written down, or given away.
Physical identification techniques
• Include cards, badges, USB devices, and cell phones.
• Can be lost, stolen, or duplicated.
Biometric techniques
• Expensive and often cumbersome.
• Not yet 100% accurate, sometimes rejecting legitimate users and allowing unauthorized people.
• Some techniques like fingerprints may carry negative connotations that hinder acceptance.
• Security concerns surround the storage of this data.
– If the data is compromised, it could create serious, life-long problems for the donor.
– Unlike passwords or tokens, biometric identifiers cannot be replaced or changed.
PREVENTIVE CONTROLS
Although none of the three basic authentication methods is foolproof by itself, the use of two or three in conjunction, known as multi-factor authentication, is quite effective.
Example: Using a palm print and a PIN number together is much more effective than using either method alone.
PREVENTIVE CONTROLS
Authorization controls are implemented by creating an access control matrix.
• Specifies what part of the IS a user can access and what actions they are permitted to perform.
When an employee tries to access a particular resource, the system performs a compatibility test that matches the user’s authentication credentials against the matrix to determine if the action should be allowed.
PREVENTIVE CONTROLS
Who has the authority to delete Program 2?

User Identification        Files          Programs
Code Number   Password     A   B   C      1   2   3   4
12345         ABC          0   0   1      0   0   0   0
12346         DEF          0   2   0      0   0   0   0
12354         KLM          1   1   1      0   0   0   0
12359         NOP          3   0   0      0   0   0   0
12389         RST          0   1   0      0   3   0   0
12567         XYZ          1   1   1      1   1   1   1

Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete
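Worked example (added here; not code from the textbook): the slide’s access control matrix in Python, a compatibility test that checks an authenticated user’s request against it, and a review helper that answers the slide’s question. Passwords sit in the clear only because the slide’s table shows them that way.

```python
"""Access control matrix from the slide, with the compatibility test applied to it."""

# Access codes exactly as defined on the slide.
ACCESS_CODES = {
    0: "No access permitted",
    1: "Read and display only",
    2: "Read, display, and update",
    3: "Read, display, update, create, and delete",
}

# Minimum access code each action needs, derived from the code definitions.
ACTION_MIN_CODE = {"read": 1, "display": 1, "update": 2, "create": 3, "delete": 3}

# Column order of the matrix: Files A, B, C then Programs 1, 2, 3, 4.
RESOURCES = ["File A", "File B", "File C",
             "Program 1", "Program 2", "Program 3", "Program 4"]

# The slide's matrix: code number -> (password, access code per resource).
# Passwords are in the clear only because the slide's table shows them that
# way; a production system stores salted password hashes, never the password.
ACCESS_MATRIX = {
    "12345": ("ABC", [0, 0, 1, 0, 0, 0, 0]),
    "12346": ("DEF", [0, 2, 0, 0, 0, 0, 0]),
    "12354": ("KLM", [1, 1, 1, 0, 0, 0, 0]),
    "12359": ("NOP", [3, 0, 0, 0, 0, 0, 0]),
    "12389": ("RST", [0, 1, 0, 0, 3, 0, 0]),
    "12567": ("XYZ", [1, 1, 1, 1, 1, 1, 1]),
}


def authenticate(code_number: str, password: str) -> bool:
    """Authentication: verify the identity claimed by the credentials."""
    entry = ACCESS_MATRIX.get(code_number)
    return entry is not None and entry[0] == password


def compatibility_test(code_number: str, password: str,
                       resource: str, action: str) -> tuple:
    """Authorization: match the authenticated user's row against the
    requested resource and action. Returns (allowed, reason)."""
    if not authenticate(code_number, password):
        # One generic message: do not tell a caller which part was wrong.
        return False, "authentication failed"
    if resource not in RESOURCES or action not in ACTION_MIN_CODE:
        return False, "unknown resource or action"
    granted = ACCESS_MATRIX[code_number][1][RESOURCES.index(resource)]
    allowed = granted >= ACTION_MIN_CODE[action]
    return allowed, ACCESS_CODES[granted]


def who_can(resource: str, action: str) -> list:
    """Review helper for the slide's question: which code numbers hold an
    access code high enough to perform `action` on `resource`?"""
    column, needed = RESOURCES.index(resource), ACTION_MIN_CODE[action]
    return sorted(code for code, (_, row) in ACCESS_MATRIX.items()
                  if row[column] >= needed)
```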
PREVENTIVE CONTROLS
Authentication and authorization can be applied to devices as well as users.
• Every workstation, printer, or other computing device needs a network interface card (NIC) to connect to the organization’s network.
• Each network device has a unique identifier, referred to as its media access control (MAC) address.
• It is possible to restrict network access to only those devices which have a recognized MAC address or to use MAC addresses for authorization.
• For example, payroll or EFT applications should be set only to run from authorized terminals.
PREVENTIVE CONTROLS
Encryption: the final layer of preventive controls.
PREVENTIVE CONTROLS
Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder.
Also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions.
Therefore, accountants, auditors, and systems professionals need to understand encryption.
PREVENTIVE CONTROLS
[Figure: Plaintext (“This is a contract for . . .”) + Key → Encryption algorithm → Ciphertext (“Xb&j &m 2 ep0%fg . . .”) + Key → Decryption algorithm → Plaintext (“This is a contract for . . .”)]
Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
Decryption reverses this process.
To encrypt or decrypt, both a key and an algorithm are needed.
PREVENTIVE CONTROLS
Hashing
• Hashing takes plaintext of any length and transforms it into a short code called a hash.
• SHA-256 creates a 256-bit hash regardless of text length.
• Hashing differs from encryption in that:
– Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length.
– Encryption is reversible, but hashing is not; you cannot transform a hash back into its original plaintext.
PREVENTIVE CONTROLS
Digital signatures
• Asymmetric encryption and hashing are used to create digital signatures.
• A digital signature is information encrypted with the creator’s private key.
• That information can only be decrypted using the corresponding public key.
• So successful decryption with an entity’s public key proves the message could only have been created by the entity that holds the corresponding private key.
• The private key is known only to its owner, so only the owner could have created the message.
PREVENTIVE CONTROLS
A digital certificate is an electronic document, created and digitally signed by a trusted third party.
• Certifies the identity of the owner of a particular public key.
• Digital certificates provide an automated method for obtaining an organization’s or individual’s public key.
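Worked example covering the hashing, digital signature, and digital certificate slides above (added here; not code from the textbook): a hash is computed with SHA-256 and then “encrypted” with the signer’s private key, and a certificate is the same kind of signature made by a trusted third party over the owner’s name and public key. The RSA parameters are constructed toy values for illustration, far too small for real use.

```python
"""Hash-then-sign with a toy RSA key pair, following the slides' description."""
import hashlib


def make_keypair(p: int, q: int, e: int) -> tuple:
    """Return (modulus, public exponent, private exponent) for primes p, q.
    Constructed toy parameters only: real keys are thousands of bits long and
    come from a vetted library, never from hand-picked primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)          # d = e^-1 mod phi(n)


# Signer's key pair (constructed): modulus 3233, public key 17, private key 2753.
SIGNER_N, SIGNER_PUB, SIGNER_PRIV = make_keypair(61, 53, 17)


def sha256_hash(message: bytes) -> bytes:
    """Hashing: input of any length -> fixed 256-bit (32-byte) digest."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private_key: int, modulus: int) -> list:
    """Digital signature: hash the message, then 'encrypt' the hash with the
    signer's private key. Each digest byte (0..255) is below the modulus, so
    each byte is signed as its own block."""
    return [pow(b, private_key, modulus) for b in sha256_hash(message)]


def verify(message: bytes, signature: list, public_key: int, modulus: int) -> bool:
    """'Decrypt' the signature with the public key and compare it with a fresh
    hash of the received message. Success proves the signature was made with
    the matching private key and that the message was not altered."""
    if len(signature) != 32:
        return False
    recovered = [pow(s, public_key, modulus) for s in signature]
    return recovered == list(sha256_hash(message))


# A digital certificate is just such a signature by a trusted third party (the
# CA) over a statement binding an owner's name to that owner's public key.
CA_N, CA_PUB, CA_PRIV = make_keypair(47, 71, 17)   # constructed CA key pair


def issue_certificate(owner: str, owner_pub: int, owner_n: int) -> dict:
    """CA signs the owner name and public key; anyone holding CA_PUB can check it."""
    statement = f"{owner}|{owner_pub}|{owner_n}".encode()
    return {"owner": owner, "pub": owner_pub, "n": owner_n,
            "ca_signature": sign(statement, CA_PRIV, CA_N)}


def public_key_from_certificate(cert: dict):
    """Return (public key, modulus) from a certificate only if the CA's
    signature over it verifies; otherwise None (the binding is not trusted)."""
    statement = f"{cert['owner']}|{cert['pub']}|{cert['n']}".encode()
    if verify(statement, cert["ca_signature"], CA_PUB, CA_N):
        return cert["pub"], cert["n"]
    return None
```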
DETECTIVE CONTROLS
Preventive controls are never 100% effective in blocking all attacks.
So organizations implement detective controls to enhance security by:
• Monitoring the effectiveness of preventive controls; and
• Detecting incidents in which preventive controls have been circumvented.
DETECTIVE CONTROLS
Authentication and authorization controls (both preventive and detective) represent the organization’s policies governing access to the system and limit the actions that can be performed by authorized users.
Actual system use must be examined to assess compliance through:
• Log analysis
• Intrusion detection systems
• Managerial reports
• Periodically testing the effectiveness of existing security procedures
DETECTIVE CONTROLS
Log analysis
• Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed.
• Logs form an audit trail of system access.
• Logs are of value only if routinely examined.
• Log analysis is the process of examining logs to monitor security.
DETECTIVE CONTROLS
The log may indicate unsuccessful attempts to log in to different servers.
The person analyzing the log must try to determine the reason for the failed attempt. It could be:
• The person was a legitimate user who forgot his password.
• The person was a legitimate user but not authorized to access that particular server.
• The user ID was invalid and represented an attempted intrusion.
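Worked example (added here; not code from the textbook): a small log analyzer that sorts failed logins into the three explanations listed above. The log lines, their format, the user directory, and the server names are all constructed for the example; real audit trails differ in format but carry the same fields.

```python
"""Classify failed logins in an audit trail the way the slide's analyst would."""
import re
from collections import Counter

# Constructed sample audit trail (not from any real system): one login event per line.
SAMPLE_LOG = """\
2024-03-04T08:01:12 server=srv-payroll event=LOGIN result=FAIL user=jsmith src=10.1.4.22
2024-03-04T08:01:40 server=srv-payroll event=LOGIN result=OK user=jsmith src=10.1.4.22
2024-03-04T08:05:03 server=srv-hr event=LOGIN result=FAIL user=jsmith src=10.1.4.22
2024-03-04T08:07:11 server=srv-payroll event=LOGIN result=FAIL user=admin src=203.0.113.9
2024-03-04T08:07:12 server=srv-payroll event=LOGIN result=FAIL user=root src=203.0.113.9
2024-03-04T08:07:13 server=srv-payroll event=LOGIN result=FAIL user=test src=203.0.113.9
"""

# Constructed user directory: which user IDs exist and which servers each may use.
AUTHORIZED_SERVERS = {
    "jsmith": {"srv-payroll"},
    "akhan": {"srv-payroll", "srv-hr"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) server=(?P<server>\S+) event=LOGIN "
    r"result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_failure(event: dict, events: list) -> str:
    """Apply the slide's three explanations for a failed login."""
    user, server = event["user"], event["server"]
    if user not in AUTHORIZED_SERVERS:
        return "invalid user ID: possible intrusion attempt"
    if server not in AUTHORIZED_SERVERS[user]:
        return "legitimate user, not authorized for this server"
    # ISO-8601 timestamps compare correctly as strings.
    later_ok = any(e["result"] == "OK" and e["user"] == user
                   and e["server"] == server and e["ts"] > event["ts"]
                   for e in events)
    reason = "legitimate user, probably forgot password"
    return reason + (" (logged in later)" if later_ok else "")


def analyze(text: str) -> tuple:
    """Return (classified failures, count of unknown-ID failures per source).
    A burst of unknown IDs from one source is what the analyst escalates."""
    events = parse_log(text)
    failures = [(e["ts"], e["user"], e["server"], classify_failure(e, events))
                for e in events if e["result"] == "FAIL"]
    unknown_by_src = Counter(e["src"] for e in events
                             if e["result"] == "FAIL"
                             and e["user"] not in AUTHORIZED_SERVERS)
    return failures, unknown_by_src
```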
DETECTIVE CONTROLS
Intrusion detection systems
• A major weakness of log analysis is that it is labor intensive and prone to human error.
• Intrusion detection systems (IDS) represent an attempt to automate part of the monitoring.
DETECTIVE CONTROLS
An intrusion detection system creates a log of network traffic that was permitted to pass the firewall.
• Analyzes the logs for signs of attempted or successful intrusions.
• The most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks.
• An alternative technique builds a model representing “normal” network traffic and uses various statistical techniques to identify unusual behavior.
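Worked example (added here; not code from the textbook) of the two IDS analysis techniques just described: matching permitted traffic against a database of known-attack patterns, and flagging sources whose request rate departs from a statistical model of normal traffic. The traffic log, host addresses, and the single signature are constructed for the example.

```python
"""Two IDS techniques from the slides: matching traffic against a database of
known-attack patterns, and statistical detection of departures from 'normal'."""
from collections import Counter
from statistics import mean, pstdev

# Constructed log of traffic the firewall permitted: (minute, src, dst_port, request).
# Ten minutes of baseline: five requests a minute spread across three internal hosts.
NORMAL_TRAFFIC = [(minute, f"10.1.1.{5 + i % 3}", 443, "GET /index.html")
                  for minute in range(10) for i in range(5)]
# Minute 10: one host sends a known-bad request and then 40 more in the same minute.
ATTACK_WINDOW = ([(10, "198.51.100.7", 80, "GET /../../etc/passwd")]
                 + [(10, "198.51.100.7", 80, "GET /index.html") for _ in range(40)])

# Constructed signature database: each entry is a pattern associated with a known attack.
SIGNATURES = {
    "path-traversal": lambda port, request: "/../" in request,
}


def signature_matches(flows: list) -> list:
    """Compare every flow to the signature database; return (src, signature) hits."""
    return [(src, name)
            for _, src, port, request in flows
            for name, rule in SIGNATURES.items() if rule(port, request)]


def build_baseline(flows: list) -> tuple:
    """Model of normal traffic: mean and std deviation of flows per (minute, src)."""
    counts = list(Counter((m, src) for m, src, _, _ in flows).values())
    return mean(counts), pstdev(counts)


def anomalies(flows: list, baseline: tuple, z_threshold: float = 3.0) -> list:
    """Flag (src, minute, count) more than z_threshold standard deviations
    above the baseline rate; this catches the flood even with no signature."""
    mu, sigma = baseline
    flagged = []
    for (minute, src), n in Counter((m, s) for m, s, _, _ in flows).items():
        if sigma == 0:
            z = float("inf") if n > mu else 0.0
        else:
            z = (n - mu) / sigma
        if z > z_threshold:
            flagged.append((src, minute, n))
    return flagged
```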
DETECTIVE CONTROLS
Managerial reports
• Management reports are another important detective control.
• Management can use COBIT to set up a report scorecard.
• COBIT provides:
– Management guidelines that identify crucial success factors associated with each objective.
– Key performance indicators that can be used to assess their effectiveness.
DETECTIVE CONTROLS
COBIT key performance indicators:
• Number of incidents with business impact
• Percent of users who do not comply with password standards
• Percent of cryptographic keys compromised and revoked
DETECTIVE CONTROLS
Although regular review of periodic performance reports can help ensure that security controls are adequate, surveys indicate that many organizations fail to regularly monitor security.
DETECTIVE CONTROLS
Security testing
• The effectiveness of existing security procedures should be tested periodically.
• One approach is vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities.
• Security websites such as the Center for Information Security (www.cisecurity.org) provide:
– Benchmarks for security best practices.
– Tools to measure how well a system conforms.
DETECTIVE CONTROLS
Penetration testing provides a rigorous way to test the effectiveness of an organization’s information security.
This testing involves an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s IS.
[Figure: Steps in an IS System Attack: Conduct Reconnaissance → Attempt Social Engineering → Scan & Map Target → Research → Execute Attack → Cover Tracks]
DETECTIVE CONTROLS
The teams try every possible way to compromise a company’s system, including:
• Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers.
• Using sexy decoys to distract guards.
• Climbing through roof hatches and dropping through ceiling panels.
Some claim they can get into 90% or more of the companies they attack.
CORRECTIVE CONTROLS
COBIT specifies the need to identify and handle security incidents.
Two of the Trust Services Framework criteria for effective security are the existence of procedures to:
• React to system security breaches and other incidents.
• Take corrective action on a timely basis.
CORRECTIVE CONTROLS
Three key components that satisfy the preceding criteria are:
• Establishment of a computer incident response team.
• Designation of a specific individual with organization-wide responsibility for security.
• An organized patch management system.
CORRECTIVE CONTROLS
Computer emergency response team
• A key component to being able to respond to security incidents promptly and effectively is the establishment of a computer incident response team (CIRT).
• Responsible for dealing with major incidents.
• Should include technical specialists and senior operations management.
• Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input.
CORRECTIVE CONTROLS
The CIRT should lead the organization’s incident response process through four steps:
Recognition that a problem exists
• Typically occurs when an IDS signals an alert or as a result of a system administrator’s log analysis.
Containment of the problem
• Once an intrusion is detected, prompt action is needed to stop it and contain the damage.
Recovery
• Damage must be repaired.
• May involve restoring data from backup and reinstalling corrupted programs (discussed more in Chapter 8).
Follow-up
• Once recovery is in process, the CIRT should lead analysis of how the incident occurred.
• Steps should be taken to modify existing security policy and minimize the likelihood of a similar incident.
• An important decision is whether to try to catch and punish the perpetrator.
– If the perpetrator will be pursued, forensic experts should be involved immediately to ensure that all possible evidence is collected and maintained in a manner that makes it admissible in court.
CORRECTIVE CONTROLS
A chief information security officer (CISO):
• Should be independent of other IS functions and report to either the COO or CEO.
• Must understand the company’s technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
• Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions.
• Works with the person in charge of building security, as that is often the entity’s weakest link.
• Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO’s security measures.
CORRECTIVE CONTROLS
Patch management
• Another important corrective control involves fixing known vulnerabilities and installing the latest updates to:
– Anti-virus software
– Firewalls
– Operating systems
– Application programs
• The number of reported vulnerabilities rises each year.
CORRECTIVE CONTROLS
• Hackers usually publish instructions for exploiting these vulnerabilities (known as exploits) on the Internet.
• Although it takes skill to discover the exploit, once published, it can be executed by almost anyone.
• Attackers who execute these programmed exploits are referred to as script kiddies.
• A patch is code released by software developers to fix vulnerabilities that have been discovered.
CORRECTIVE CONTROLS
Patch management is the process for regularly applying patches and updates to all of an organization’s software.
It is challenging to do because:
• Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.
• There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.
CORRECTIVE CONTROLS
Intrusion prevention systems may provide great promise if they can be quickly updated to respond to new vulnerabilities and block new exploits, so that the entity can buy time to:
• Thoroughly test the patches.
• Apply the patches.
Network Access Control: Perimeter Defense (should be part of preventive controls)
• Border router: Connects an organization’s information system to the Internet
• Firewall: Software or hardware used to filter information
• Demilitarized Zone (DMZ): Separate network that permits controlled access from the Internet to selected resources
• Intrusion Prevention Systems (IPS): Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks
New Considerations
Virtualization
• Multiple systems are run on one computer
Cloud Computing
• Remotely accessed resources: software applications, data storage, hardware
Risks
• Increased exposure if a breach occurs
• Reduced authentication standards
Opportunities
• Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein