
Accounting Information Systems: Information Security

Learning Objectives
Discuss how the COBIT framework can be used to develop sound internal control over an organization's information systems.
Explain the factors that influence information systems reliability.
Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

INTRODUCTION
One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means:
It provides an accurate, complete, and timely picture of the organization's activities.
It is available when needed.
The information and the system that produces it are protected from loss, compromise, and theft.

INTRODUCTION
[Figure: systems reliability, with security as the foundation supporting availability, processing integrity, privacy, and confidentiality]
The five basic principles that contribute to systems reliability:
1. Security: control access; the foundation
2. Confidentiality: no unauthorized disclosure
3. Online privacy: personal data protected
4. Processing integrity: accurate, complete, timely, and properly authorized
5. Availability

INTRODUCTION
Sarbanes-Oxley requires management to include an internal control assessment, using a suitable framework, in the company's annual report.

INTRODUCTION
Suitable frameworks include:
1. COSO
2. COBIT
3. Trust Services Framework

Information Criteria (COBIT objectives)
Effectiveness: Information must be relevant and timely.
Efficiency: Information must be produced in a cost-effective manner.
Confidentiality: Sensitive information must be protected from unauthorized disclosure.
Integrity: Information must be accurate, complete, and valid.
Availability: Information must be available whenever needed.
Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability: Management must have access to the appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

COBIT Process Framework
[Figure: COBIT process cycle, driven by the information criteria]
COBIT Process Cycle:
Management develops plans to organize information resources to provide the information it needs.
Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.
Management ensures that the resulting system actually delivers the desired information.
Management monitors and evaluates system performance against the established criteria.
The cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.

Trust Services Framework
Trust Services are a set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs.
While COBIT is an excellent comprehensive framework for assessing IT controls, a narrower framework complementing the overall COSO model is better: the Trust Services framework, with its specific principles and criteria, can be used to assess the reliability of a company's IT systems.

Trust Services Framework
Principles and criteria:
Security: Access to the system and its data is controlled and restricted to legitimate users.
Confidentiality: Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
Privacy: Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements, and is protected from unauthorized disclosure.
Processing Integrity: Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability: The system and its information are available to meet operational and contractual obligations.

Security / Systems Reliability
Security is the foundation of the Trust Services Framework.
It is a management issue, not a technology issue.
SOX 302 states that the CEO and the CFO are responsible for certifying that the financial statements (FS) fairly present the results of the company's activities. The accuracy of an organization's FS depends upon the reliability of its information systems.
Defense-in-depth and the time-based model of information security: have multiple layers of control.

Management's Role in IS Security
Create a security-aware culture.
Inventory and value company information resources.
Assess risk, select risk response.
Develop and communicate security plans, policies, and procedures.
Acquire and deploy IT security resources.
Monitor and evaluate effectiveness.

Management's Role in IS Security
Security is a key component of the internal control and systems reliability to which management must attest. As identified in the COSO model, management's philosophy and operating style are critical to an effective control environment.

Management's Role in IS Security
The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:
1. Develop and document policies, considering the resources available and cost effectiveness.
2. Effectively communicate those policies to all authorized users, including training and sanctions for violations.
3. Design and employ appropriate control procedures to implement those policies, at the optimal level of investment.
4. Monitor the system, and take corrective action to maintain compliance with the policies, remembering that security is a moving target.
Top management involvement and support is necessary to satisfy each of the preceding criteria.
TIME-BASED MODEL OF SECURITY
The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.
All three types of controls are necessary:
Preventive
Detective
Corrective

TIME-BASED MODEL OF SECURITY
Combination of detective and corrective controls:
P = the time it takes an attacker to break through the organization's preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack
For an effective information security system: P > D + C
The model provides management with a means to identify the most cost-effective

TIME-BASED MODEL OF SECURITY
EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures:
Measure 1 would increase P by 5 minutes.
Measure 2 would decrease D by 3 minutes.
Measure 3 would decrease C by 5 minutes.
Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.
Because each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed [D + C] by the maximum possible amount.)

TIME-BASED MODEL OF SECURITY
You may be able to solve this problem by eyeballing it. If not, one way to solve it is to assume some initial values for P, D, and C. So let's assume that P = 15 min., D = 5 min., and C = 8 min.
At our starting point, P - (D + C) = 15 - (5 + 8) = 2 min.
With Measure 1, P is increased by 5 minutes: 20 - (5 + 8) = 7 min.
With Measure 2, D is decreased by 3 minutes: 15 - (2 + 8) = 5 min.
With Measure 3, C is decreased by 5 minutes: 15 - (5 + 3) = 7 min.
With Measure 4, P is increased by 3 minutes and C is reduced by 3 minutes: 18 - (5 + 5) = 8 min.

DEFENSE IN DEPTH
The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure. If one layer fails, another may function as planned.
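The worked example above can be turned into a small decision tool. The following is an added example, not part of the slides: it scores each candidate measure by the resulting margin P - (D + C) and picks the best one. The measure definitions and the assumed starting values (P = 15, D = 5, C = 8) are the ones on the slide; the function and class names are my own.

```python
"""Added example: ranking control measures with the time-based model of
security (P > D + C). The measures and starting values are the slide's;
the code structure is this example's own."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    name: str
    delta_p: int = 0  # change in P (minutes); positive = stronger preventive controls
    delta_d: int = 0  # change in D (minutes); negative = faster detection
    delta_c: int = 0  # change in C (minutes); negative = faster response


def security_margin(p: int, d: int, c: int) -> int:
    """P - (D + C). Positive means the attack is detected and handled before
    the preventive controls are breached."""
    return p - (d + c)


def is_effective(p: int, d: int, c: int) -> bool:
    """The slide's effectiveness condition, P > D + C."""
    return security_margin(p, d, c) > 0


def evaluate(p: int, d: int, c: int, measures) -> dict:
    """Resulting margin for each candidate measure, keyed by name."""
    return {
        m.name: security_margin(p + m.delta_p, d + m.delta_d, c + m.delta_c)
        for m in measures
    }


def best_measure(p: int, d: int, c: int, measures) -> str:
    """Name of the measure that maximizes P - (D + C)."""
    results = evaluate(p, d, c, measures)
    return max(results, key=results.get)


# The four equal-cost measures from the slide.
SLIDE_MEASURES = [
    Measure("Measure 1", delta_p=+5),
    Measure("Measure 2", delta_d=-3),
    Measure("Measure 3", delta_c=-5),
    Measure("Measure 4", delta_p=+3, delta_c=-3),
]

if __name__ == "__main__":
    p, d, c = 15, 5, 8  # assumed starting values from the slide
    print("baseline margin:", security_margin(p, d, c), "min")
    for name, margin in evaluate(p, d, c, SLIDE_MEASURES).items():
        print(f"{name}: margin {margin} min")
    print("best choice:", best_measure(p, d, c, SLIDE_MEASURES))
```

Because each measure shifts P, D, or C by a fixed amount, the ranking does not depend on the starting values you assume, which is why the slide's "assume some initial values" shortcut is safe; the starting values only decide whether the system is effective (P > D + C) at all.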
Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access. Redundancy also applies to detective and corrective controls.

DEFENSE IN DEPTH
Major types of preventive controls used for defense in depth include:
Authentication controls (passwords, tokens, biometrics, MAC addresses)
Authorization controls (access control matrices and compatibility tests)
Training
Physical access controls (locks, guards, biometric devices)
Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)
Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)
Encryption

DEFENSE IN DEPTH
Detective controls include:
Log analysis
Intrusion detection systems
Managerial reports
Security testing (vulnerability scanners, penetration tests, war dialing)

DEFENSE IN DEPTH
Corrective controls include:
Computer emergency response teams
Chief Security Officer (CSO)
Patch management

Steps in an IS System Attack

PREVENTIVE CONTROLS
The objective of preventive controls is to prevent security incidents from happening. This involves two related functions:
Authentication: Focuses on verifying the identity of the person or device attempting to gain access.
Authorization: Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.

PREVENTIVE CONTROLS
Users can be authenticated by verifying:
Something they know, such as passwords or PINs.
Something they have, such as smart cards or ID badges.
Some physical characteristic (biometric identifier), such as fingerprints or voice.
PREVENTIVE CONTROLS
Discuss the pros and cons of passwords.

PREVENTIVE CONTROLS
Authorization controls are implemented by creating an access control matrix, which specifies what part of the IS a user can access and what actions they are permitted to perform.
When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.

PREVENTIVE CONTROLS
Access control matrix:

User Identification              Files           Programs
Code Number   Password        A   B   C      1   2   3   4
12345         ABC             0   0   1      0   0   0   0
12346         DEF             0   2   0      0   0   0   0
12354         KLM             1   1   1      0   0   0   0
12359         NOP             3   0   0      0   0   0   0
12389         RST             0   1   0      0   3   0   0
12567         XYZ             1   1   1      1   1   1   1

Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete

PREVENTIVE CONTROLS
Authentication and authorization can be applied to devices as well as users. Every workstation, printer, or other computing device needs a network interface card (NIC) to connect to the organization's network. Each network device has a unique identifier, referred to as its media access control (MAC) address. It is possible to restrict network access to only those devices which have a recognized MAC address, or to use MAC addresses for authorization. For example, payroll or EFT applications should be set to run only from authorized terminals.

PREVENTIVE CONTROLS - training
Employees should be trained to follow safe computing practices.
Train employees about social engineering attacks, which use deception to obtain unauthorized access.
Invest in continuing professional education for information security specialists.
Keep abreast of recent hacking developments.
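To show how the access control matrix and the compatibility test fit together, here is an added example (not from the slides). The six users, the seven resources, and the access codes are taken from the matrix above; the function names, the action-to-code mapping, and the choice to store password digests instead of clear-text passwords are this example's own.

```python
"""Added example: an access control matrix and the compatibility test that
authorizes a request against it. Users, resources and codes follow the
slide's matrix; everything else is this example's own design."""

import hashlib
import hmac

# Access codes from the slide.
NO_ACCESS, READ, UPDATE, FULL = 0, 1, 2, 3

# Requested action -> minimum access code that permits it (my mapping of the
# slide's code descriptions).
REQUIRED_CODE = {
    "read": READ,
    "display": READ,
    "update": UPDATE,
    "create": FULL,
    "delete": FULL,
}

RESOURCES = ["A", "B", "C", "1", "2", "3", "4"]  # files A-C, programs 1-4

# The slide's matrix: code number -> (password, {resource: access code}).
_SLIDE_MATRIX = {
    "12345": ("ABC", [0, 0, 1, 0, 0, 0, 0]),
    "12346": ("DEF", [0, 2, 0, 0, 0, 0, 0]),
    "12354": ("KLM", [1, 1, 1, 0, 0, 0, 0]),
    "12359": ("NOP", [3, 0, 0, 0, 0, 0, 0]),
    "12389": ("RST", [0, 1, 0, 0, 3, 0, 0]),
    "12567": ("XYZ", [1, 1, 1, 1, 1, 1, 1]),
}


def _digest(password: str) -> str:
    # Keeps clear-text passwords out of the table. A production system would
    # use a dedicated salted password-hashing function instead of plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


# Stored form: code number -> (password digest, {resource: access code}).
USERS = {
    code: (_digest(pw), dict(zip(RESOURCES, codes)))
    for code, (pw, codes) in _SLIDE_MATRIX.items()
}


def authenticate(code_number: str, password: str) -> bool:
    """Authentication: does the requester know the password for this code number?"""
    entry = USERS.get(code_number)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0], _digest(password))


def compatibility_test(code_number: str, password: str, resource: str, action: str) -> bool:
    """Authorization: authenticate first, then compare the requested action with
    the access code in the matrix. Unknown users, resources and actions are
    denied (fail closed)."""
    if not authenticate(code_number, password):
        return False
    if action not in REQUIRED_CODE:
        return False
    granted = USERS[code_number][1].get(resource, NO_ACCESS)
    return granted >= REQUIRED_CODE[action]


def permitted_actions(code_number: str, resource: str) -> set:
    """All actions the matrix allows a (known) user on a resource."""
    entry = USERS.get(code_number)
    if entry is None:
        return set()
    granted = entry[1].get(resource, NO_ACCESS)
    return {action for action, needed in REQUIRED_CODE.items() if granted >= needed}


if __name__ == "__main__":
    print(compatibility_test("12359", "NOP", "A", "delete"))   # code 3 on file A
    print(compatibility_test("12346", "DEF", "B", "delete"))   # code 2: update only
    print(sorted(permitted_actions("12389", "2")))             # code 3 on program 2
```

The matrix alone is not a control; the compatibility test that consults it on every request is. Note that the same function denies a request with a wrong password, an unlisted resource, or an action the code does not cover, so a gap in the table defaults to "no access" rather than to whatever the caller asked for.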
Top management must also provide support for training: funding, support, enforcement.

PREVENTIVE CONTROLS - physical access
Within a few minutes, a skilled attacker with unsupervised direct physical access to the system can successfully obtain access to sensitive data.
Special boot disks exist that, when inserted, provide the person with unfettered privileges and rights on the computer.
Keystroke loggers can be installed on the PC through hardware or software, which will capture every one of the authorized user's keystrokes, including his ID and password.
A diskette with a publicly available utility can be inserted in a PC which will instantly capture any ID number or password that has been entered on that PC since the time it was last booted.
Data can be copied to a USB drive.
The hard drive can be stolen.

PREVENTIVE CONTROLS - physical access
Physical access control begins with entry points to the building itself.
Once inside the building, physical access to rooms housing computer equipment must be restricted.
Access to wiring used in LANs must be restricted to prevent wiretapping.
Physical access security must be cost effective.
Laptops, cell phones, and PDA devices require special attention.

PREVENTIVE CONTROLS - remote access
Network Access Control (Perimeter Defense):
Border router: Connects an organization's information system to the Internet.
Firewall: Software or hardware used to filter information.
Demilitarized Zone (DMZ): A separate network that permits controlled access from the Internet to selected resources.
Intrusion Prevention Systems (IPS): Monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.

PREVENTIVE CONTROLS - remote access
Dial-up connections: Many organizations still allow employees to dial into their network from remote locations. Dial-in access often bypasses the firewalls, so it is important to verify the identity of these users. Remote Authentication Dial-In User Service (RADIUS) is a standard method for doing that. Users connect to a remote-access server and submit log-in credentials. The remote-access server passes the credentials to the RADIUS server, which performs compatibility tests to authenticate the user's identity.

PREVENTIVE CONTROLS - remote access
The following adequately secure wireless access:
Turn on available security features. Most wireless devices are sold and installed with these features disabled. Example: encryption is usually turned off.
Authenticate all devices attempting to establish wireless access to the network before assigning them an IP address. To do this, treat incoming wireless connections as dial-up attempts and route them first through a RADIUS server or other authorization device.

PREVENTIVE CONTROLS - remote access
Configure all authorized wireless NICs to operate only in infrastructure mode, which forces the device to connect only to wireless access points. Wireless NICs configured in ad hoc mode can communicate directly with any other device that has a wireless NIC, which creates a security threat because it creates peer-to-peer networks with no authentication controls.
Use a non-informative name for the access point's address, called a service set identifier (SSID).
SSIDs like "payroll," "finance," or "R&D" are more obvious targets to attack than devices with generic SSIDs like "A1" or "X2."

PREVENTIVE CONTROLS - remote access
Predefine a list of authorized MAC addresses and configure wireless access points to accept connections only from those MAC addresses.
Reduce the broadcast strength of wireless access points to make unauthorized reception more difficult off premises.
Locate wireless access points in the interior of the building and use directional antennae to make unauthorized access and eavesdropping more difficult.

PREVENTIVE CONTROLS - hardening
Information security is enhanced by additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as hosts). Three areas deserve special attention:
End-point configuration: Disable unnecessary features that may be vulnerable to attack on servers, printers, and workstations.
User account management.
Software design: Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.

PREVENTIVE CONTROLS - encryption
Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder. Encryption also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions.

PREVENTIVE CONTROLS - encryption
Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this process. To encrypt or decrypt, both a key and an algorithm are needed.
[Figure: Plaintext "This is a contract for . . ." + Key -> Encryption algorithm -> Ciphertext "Xb&j &m 2 ep0%fg . . ." + Key -> Decryption algorithm -> Plaintext "This is a contract for . . ."]
PREVENTIVE CONTROLS - encryption
Encryption strength: Three important factors determine the strength of any encryption system:
Key length: the longer the better.
Key management policies: built-in master key, key escrow.
The nature of the encryption algorithm.

PREVENTIVE CONTROLS - encryption
Types of encryption systems: There are two basic types of encryption systems:
1. Symmetric encryption systems: Use the same key to encrypt and decrypt. Examples: DES and AES.
2. Asymmetric encryption systems: Use two keys. The public key is publicly available. The private key is kept secret and known only to the owner of that pair of keys. Either key can be used to encrypt; whichever key is used to encrypt, the other key must be used to decrypt.

PREVENTIVE CONTROLS - encryption
E-business uses both types of encryption systems:
Symmetric encryption to encode most of the data being exchanged.
Asymmetric encryption to safely send the symmetric key to the recipient for use in decrypting the ciphertext.
Asymmetric encryption can also be used in combination with a process called hashing to create digital signatures.

PREVENTIVE CONTROLS - encryption
Hashing: Hashing takes plaintext of any length and transforms it into a short code called a hash. SHA-256 creates a 256-bit hash regardless of text length.
Hashing differs from encryption in that:
Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length.
Encryption is reversible, but hashing is not; you cannot transform a hash back into its original plaintext.

PREVENTIVE CONTROLS - encryption
Digital signatures: Asymmetric encryption and hashing are used to create digital signatures. A digital signature is information encrypted with the creator's private key. That information can only be decrypted using the corresponding public key. So successful decryption with an entity's public key proves the message could only have been created by the entity that holds the corresponding private key.
The private key is known only to its owner, so only the owner could have created the message.

PREVENTIVE CONTROLS - encryption
Digital signatures

PREVENTIVE CONTROLS - encryption
Successfully using a public key to decrypt a document or file proves that it was created by the entity possessing the corresponding private key. But how can you know whether the entity with the private key is really who they purport to be? Also, how do you get hold of the entity's public key to decrypt it in the first place? If you have the sender provide their public key to you directly, you are not protected from impersonation. The answers involve the use of digital certificates and the creation of a public key infrastructure.

PREVENTIVE CONTROLS - encryption
A digital certificate is an electronic document, created and digitally signed by a trusted third party, that certifies the identity of the owner of a particular public key and contains that party's public key.
These certificates can be stored on Websites. Browsers are designed to automatically obtain a copy of that digital certificate and use the public key contained therein to communicate with the Website. You can manually examine the contents of a Website's digital certificate by double-clicking on the lock icon that appears in the lower, right-hand corner of the browser window.
Digital certificates provide an automated method for obtaining an organization's or individual's public key.

PREVENTIVE CONTROLS - encryption
The term public key infrastructure (PKI) refers to the system and processes used to issue and manage asymmetric keys and digital certificates. An organization that issues public and private keys and records the public key in a digital certificate is called a certificate authority. E-business typically uses commercial certificate authorities, such as Thawte or Verisign.
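The hashing, digital-signature, and certificate slides describe one chain of operations: hash the message, encrypt the hash with the signer's private key, and let a certificate authority vouch for the signer's public key by doing the same to the certificate (the four CA steps listed on the next slide). The following is an added example, not code from the slides, that carries that chain end to end with SHA-256 and textbook RSA. It is a toy: the primes are fixed Mersenne primes, there is no padding, and the 256-bit hash is reduced modulo a small n, so it illustrates the mechanism and is not a usable signature scheme. The function names, the JSON certificate layout, and the "impostor" key pair are this example's own.

```python
"""Added example: hash -> sign with private key -> verify with public key,
plus a certificate authority signing a certificate and a relying party
validating it. Toy RSA with fixed primes, for illustration only; real
systems use a vetted library and properly generated keys."""

import hashlib
import json

E = 65537  # common RSA public exponent


def make_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes: returns (public, private),
    each as an (n, exponent) tuple. Needs Python 3.8+ for pow(E, -1, phi)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: E * d == 1 (mod phi)
    return (n, E), (n, d)


def sha256_int(data: bytes) -> int:
    """Any-length input, fixed 256-bit output, read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Digital signature: the message hash 'encrypted' with the private key."""
    n, d = private_key
    return pow(sha256_int(message) % n, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Decrypt the signature with the public key; it must equal a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == sha256_int(message) % n


# --- Certificates: the CA hashes the certificate contents, encrypts the hash
# with its private key, and appends that signature to the certificate.

def encode_certificate_body(subject: str, public_key) -> bytes:
    n, e = public_key
    return json.dumps({"subject": subject, "n": n, "e": e}, sort_keys=True).encode()


def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    body = encode_certificate_body(subject, subject_public_key)
    return {"subject": subject, "n": subject_public_key[0],
            "e": subject_public_key[1], "ca_signature": sign(body, ca_private_key)}


def validate_certificate(cert: dict, ca_public_key) -> bool:
    """Relying party: rebuild the body, check the CA's signature over it."""
    body = encode_certificate_body(cert["subject"], (cert["n"], cert["e"]))
    return verify(body, cert["ca_signature"], ca_public_key)


def verify_signed_document(document: bytes, signature: int, cert: dict, ca_public_key) -> bool:
    """Only trust a public key that arrives inside a certificate the CA signed,
    then use that key to check the document signature."""
    if not validate_certificate(cert, ca_public_key):
        return False
    return verify(document, signature, (cert["n"], cert["e"]))


# Fixed toy keys (Mersenne primes) so the example is deterministic.
SIGNER_PUB, SIGNER_PRIV = make_keypair((1 << 31) - 1, (1 << 61) - 1)
CA_PUB, CA_PRIV = make_keypair((1 << 89) - 1, (1 << 107) - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair((1 << 17) - 1, (1 << 19) - 1)

DOCUMENT = b"This is a contract for . . ."  # the slide's sample plaintext


def run_demo() -> dict:
    """Each check the slides describe, as a named boolean."""
    sig = sign(DOCUMENT, SIGNER_PRIV)
    cert = issue_certificate(CA_PRIV, "example-signer", SIGNER_PUB)
    # Impersonation: a self-made certificate for the same subject name.
    fake_cert = issue_certificate(IMPOSTOR_PRIV, "example-signer", IMPOSTOR_PUB)
    return {
        "valid_signature_verifies": verify(DOCUMENT, sig, SIGNER_PUB),
        "altered_document_fails": not verify(DOCUMENT + b" (altered)", sig, SIGNER_PUB),
        "ca_issued_cert_validates": validate_certificate(cert, CA_PUB),
        "trust_chain_accepts_signer": verify_signed_document(DOCUMENT, sig, cert, CA_PUB),
        "self_made_cert_rejected": not validate_certificate(fake_cert, CA_PUB),
        "impostor_rejected": not verify_signed_document(
            DOCUMENT, sign(DOCUMENT, IMPOSTOR_PRIV), fake_cert, CA_PUB),
        "edited_cert_rejected": not validate_certificate(
            dict(cert, subject="someone-else"), CA_PUB),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The impostor case is the point of the certificate slides: an impostor can generate a key pair and sign anything with it, but cannot produce a certificate that validates against the CA's public key, so the relying party never uses the impostor's key. The two hash properties on the hashing slide are visible in `sha256_int`: the output is always 256 bits, and verification works by recomputing the hash, never by reversing it.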
The certificate authority:
Hashes the information stored on a digital certificate.
Encrypts that hash with its private key.
Appends that digital signature to the digital certificate.
Provides a means for validating the authenticity of the certificate.

PREVENTIVE CONTROLS - encryption
Digital signatures vs. e-signatures:
Digital signatures use asymmetric keys to sign documents.
E-signatures use a cursive imprint of a person's name applied to an electronic document.
Both are legally binding, like a paper document.

PREVENTIVE CONTROLS - encryption
Effects of encryption on other layers of defense: Encryption protects the confidentiality and privacy of the transmission and provides for authentication and non-repudiation of transactions. It also causes some problems. The firewall cannot effectively inspect encrypted packets. So one alternative is to have these packets routed to the DMZ, where they are decrypted and then passed back to the firewall.

PREVENTIVE CONTROLS - encryption
The problem with the preceding approach is that it leaves the incoming packets vulnerable to sniffing attacks and therefore compromises their confidentiality and privacy. Allowing them through the firewall without being decrypted compromises the organization's security. Anti-virus and intrusion detection systems also have difficulty dealing with encrypted packets. This makes it important for the organization to consider these trade-offs in designing and implementing security procedures.

DETECTIVE CONTROLS
Organizations implement detective controls to enhance security by:
Monitoring the effectiveness of preventive controls; and
Detecting incidents in which preventive controls have been circumvented.

DETECTIVE CONTROLS
Actual system use must be examined to assess compliance through:
1. Log analysis: the process of examining logs to identify evidence of possible attacks; labor intensive.
2.
Intrusion detection systems (IDS): software with sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions.

DETECTIVE CONTROLS
IDS sensors are usually located in several places:
Most common is just inside the main firewall.
Some may be placed inside each internal firewall to monitor the effectiveness of policies governing employee access to resources.
Sometimes located just outside the main firewall, which provides a means to monitor the number of attempted intrusions that are blocked and can provide early warning that the organization is being targeted.
May also be located on individual hosts to provide warnings of attempts to compromise those systems.

DETECTIVE CONTROLS
3. Managerial reports: scorecards; number of incidents with business impact; percent of users who do not comply with password standards; percent of cryptographic keys compromised and revoked.
4. Periodically testing the effectiveness of existing security procedures: vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities.

DETECTIVE CONTROLS
COBIT key performance indicators:
Number of incidents with business impact
Percent of users who do not comply with password standards
Percent of cryptographic keys compromised and revoked

CORRECTIVE CONTROLS
COBIT specifies the need to identify and handle security incidents. Two of the Trust Services framework criteria for effective security are the existence of procedures to:
React to system security breaches and other incidents (3.7).
Take corrective action on a timely basis (3.9).

CORRECTIVE CONTROLS
Three key components that satisfy the preceding criteria are:
1. Establishment of a computer incident response team.
2. Designation of a specific individual with organization-wide responsibility for security.
3. An organized patch management system.
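The detective-controls slides describe log analysis as examining logs for evidence of possible attacks and note that it is labor intensive; the part that can be automated is the first pass. The following is an added example, not from the slides, of that first pass over authentication logs: it flags a source that produces a burst of failed logins, and a successful login that immediately follows such a burst, which is the kind of event the incident response team (the corrective control above) would want handed to it. The log format, the sample lines, the thresholds, and the function names are all constructed for this example.

```python
"""Added example: a first-pass log-analysis detective control over
constructed authentication log lines. Format, thresholds and sample data
are this example's own, not a real product's."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one failed-login burst from
# 203.0.113.5 ending in a success, and one ordinary typo from 10.1.1.31.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth LOGIN_OK user=jsmith src=10.1.1.20
2024-03-01T09:00:14 auth LOGIN_FAIL user=admin src=203.0.113.5
2024-03-01T09:00:15 auth LOGIN_FAIL user=admin src=203.0.113.5
2024-03-01T09:00:16 auth LOGIN_FAIL user=root src=203.0.113.5
2024-03-01T09:00:17 auth LOGIN_FAIL user=payroll src=203.0.113.5
2024-03-01T09:00:19 auth LOGIN_FAIL user=jsmith src=203.0.113.5
2024-03-01T09:00:25 auth LOGIN_OK user=jsmith src=203.0.113.5
2024-03-01T09:05:00 auth LOGIN_FAIL user=mlee src=10.1.1.31
2024-03-01T09:40:00 auth LOGIN_OK user=mlee src=10.1.1.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn log lines into event dicts; malformed lines are skipped here
    (a production pipeline would count them, since gaps in a log are
    themselves worth noticing)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "event": m["event"],
                           "user": m["user"], "src": m["src"]})
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)) -> dict:
    """Sources with at least `threshold` failures inside any sliding window.
    Returns {source: max failures seen in one window}."""
    fail_times = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGIN_FAIL":
            fail_times[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in fail_times.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def detect_success_after_failures(events, min_failures=3, window=timedelta(minutes=5)) -> list:
    """A LOGIN_OK from a source that produced `min_failures` or more failures
    within `window` just before it. Returns [(user, source, recent failures)]."""
    alerts = []
    recent_failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        if ev["event"] == "LOGIN_FAIL":
            recent_failures[src].append(ev["ts"])
        elif len(recent_failures[src]) >= min_failures:
            alerts.append((ev["user"], src, len(recent_failures[src])))
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("failed-login bursts:", detect_failed_login_bursts(events))
    print("success after failures:", detect_success_after_failures(events))
```

The two detectors answer different questions. The burst detector reports that preventive controls are being probed (a metric that also feeds the managerial reports above), while the success-after-failures detector reports that they may have been circumvented, which is the case the slides say detective controls exist to catch and the one that should go to the response team first.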
CORRECTIVE CONTROLS
The response team should lead the organization's incident response process through four steps:
Recognition that a problem exists
Containment of the problem
Recovery (backup)
Follow-up

CORRECTIVE CONTROLS
Patch management: Another important corrective control involves fixing known vulnerabilities and installing the latest updates to:
Anti-virus software
Firewalls
Operating systems
Application programs

CORRECTIVE CONTROLS
Patch management is the process for regularly applying patches and updates to all of an organization's software. It is challenging to do because:
Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.
There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.

New Technologies
Virtualization: Multiple systems are run on one computer simultaneously.
Cloud Computing: Resources (software applications, data storage, hardware) accessed remotely through a high-bandwidth telecommunication network. Can be private, public, or hybrid depending on ownership of the resources.

New Technologies
Risks:
Increased exposure if a breach occurs
Reduced authentication standards
Opportunities:
Implementing strong access controls (i.e., multifactor authentication, physical access control, virtual firewall, IPS, IDS) in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein.
The controls mentioned are all relevant ...
