Chapter 5 Protection of Information Assets


Auditing Information Systems (AIS)
Lecture – 11
'Protection of Information Assets'
Importance of Information Security
Security objectives to meet the organization's business
requirements include:
• Ensure the continued availability of their information
• Ensure the integrity of the information stored on their
computer systems
• Preserve the confidentiality of sensitive data
• Ensure conformity to applicable laws, regulations and
• Ensure adherence to trust and obligation in relation to any
information relating to an identified or identifiable
• Preserve the confidentiality of sensitive data in store and
in transit
Key Elements of Information Security
Key elements of information security management
• Senior management commitment and support
• Policies and procedures
• Security awareness and education
• Monitoring and compliance
• Incident handling and response
Inventory and Classification of Information Assets
The inventory record of each information asset should include:
• Specific identification of assets
• Relative value to the organization
• Location
• Security / risk classification
• Asset group
• Owner
• Designated custodian
System Access Permission
• Who has access rights and to what?
• What is the level of access to be granted?
• Who is responsible for determining the access rights and
access levels?
• What approvals are needed for access?
Practice Question
5-1 A utility is available to update critical tables in case of
data inconsistency. This utility can be executed at the
operating system (OS) prompt or as one of the menu
options in an application. The BEST control to mitigate the
risk of an unauthorized manipulation of data is to:
A. delete the utility software and install it as and
when required.
B. provide access to the utility on a need-to-use basis.
C. provide access to the utility to user management.
Mandatory and Discretionary
Access Controls
• Mandatory
▫ Enforces corporate security policy
▫ Compares sensitivity of information resources
• Discretionary
▫ Enforces data owner-defined sharing of information
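The two kinds of check side by side, as an added example in Python (not from the lecture): a mandatory check that compares the subject's clearance with the resource's classification label, which the data owner cannot override, and a discretionary check driven by the owner's own sharing list. The subject and resource names, the four labels and the Bell-LaPadula read/write rules are assumptions for illustration; the lecture names none of them.

```python
"""Mandatory vs. discretionary access decisions (added example, not from the lecture).
The labels, subjects and resources below are constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass
class Resource:
    name: str
    classification: Level                      # label set by corporate policy, not by the owner
    owner: str
    acl: dict = field(default_factory=dict)    # DAC: grantee -> set of actions, managed by the owner


def mac_permits(subject, resource, action):
    """Mandatory control: the system compares the subject's clearance with the
    resource label (Bell-LaPadula style, assumed here: no read up, no write down)."""
    if action == "read":
        return subject.clearance >= resource.classification
    if action == "write":
        return subject.clearance <= resource.classification
    return False


def dac_permits(subject, resource, action):
    """Discretionary control: the data owner decides who else may use the resource."""
    if subject.name == resource.owner:
        return True
    return action in resource.acl.get(subject.name, set())


def share(owner, resource, grantee, action):
    """Owner-defined sharing; only the owner may change the ACL."""
    if owner.name != resource.owner:
        raise PermissionError(f"{owner.name} is not the owner of {resource.name}")
    resource.acl.setdefault(grantee, set()).add(action)


def access_allowed(subject, resource, action):
    """Both checks must pass: an owner cannot share below the mandatory label."""
    return mac_permits(subject, resource, action) and dac_permits(subject, resource, action)


def demo():
    """Constructed scenario: a SECRET file whose owner tries to share it with an INTERNAL user."""
    alice = Subject("alice", Level.SECRET)
    bob = Subject("bob", Level.INTERNAL)
    carol = Subject("carol", Level.SECRET)
    payroll = Resource("payroll.xlsx", Level.SECRET, owner="alice")
    share(alice, payroll, "bob", "read")               # the owner grants Bob read access
    return {
        "bob_dac": dac_permits(bob, payroll, "read"),           # True: owner shared it
        "bob_mac": mac_permits(bob, payroll, "read"),           # False: read up
        "bob": access_allowed(bob, payroll, "read"),            # False: MAC overrides DAC
        "carol": access_allowed(carol, payroll, "read"),        # False: cleared but never shared
        "alice_write": access_allowed(alice, payroll, "write"), # True: owner, same level
        "bob_write": access_allowed(bob, payroll, "write"),     # False: no DAC write grant
    }
```

The Bob case is the one an auditor cares about: the owner shared the file, so a purely discretionary system would grant access, but the mandatory label still denies it.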
Logical Access
Logical access controls are the primary means
used to manage and protect information assets.
Logical Access Exposures
Technical exposures include:
• Data leakage
• Trojan horses / backdoors
• Viruses / Worms
• Logic bombs
• Denial-of-service attacks
• War driving
Familiarization with the Organization’s IT
Security layers to be reviewed include:
• The network
• Operating system platform
• Database and application layers
Paths of Logical Access
General points of entry
• Network connectivity
• Remote access
• Operator console
• Online workstations or terminals
Logical Access Control
Prevents unauthorized access and modification to an
organization’s sensitive data and use of system critical
Identification and Authentication
I&A common vulnerabilities
• Weak authentication methods
• Lack
authentication information
• Lack of encryption for authentication and protection of
information transmitted over a network
• User’s lack of knowledge on the risks associated with sharing
passwords, security tokens, etc.
Identification and Authentication
Logon IDs and passwords
• Features of passwords
• Password syntax (format) rules
• Token devices, one-time passwords
• Biometric
Identification and Authentication
Best practices for logon IDs and passwords
• Passwords should be a minimum of 8 characters
• Passwords should be a combination of alpha, numeric,
upper and lower case and special characters
• Login IDs not used should be deactivated
• System
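The password syntax rules and the deactivation of unused logon IDs listed above, implemented as an added example in Python (not from the lecture). The rules are the lecture's own (minimum 8 characters; lower case, upper case, numeric and special characters); the 90-day dormancy threshold, the account names and their last-logon dates are assumptions constructed for the example.

```python
"""Logon ID and password hygiene checks (added example, not from the lecture).
The 90-day dormancy threshold and the sample accounts are assumptions."""
import re
from datetime import date, timedelta

MIN_LENGTH = 8                      # the lecture's minimum
DORMANT_AFTER = timedelta(days=90)  # assumed threshold; the lecture gives none

# Password syntax (format) rules from the lecture, each as (description, predicate).
RULES = [
    ("at least 8 characters", lambda pw: len(pw) >= MIN_LENGTH),
    ("a lowercase letter",    lambda pw: re.search(r"[a-z]", pw) is not None),
    ("an uppercase letter",   lambda pw: re.search(r"[A-Z]", pw) is not None),
    ("a digit",               lambda pw: re.search(r"[0-9]", pw) is not None),
    ("a special character",   lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None),
]


def password_violations(pw):
    """Return the descriptions of the rules the password fails; empty means compliant."""
    return [name for name, ok in RULES if not ok(pw)]


def password_complies(pw):
    return not password_violations(pw)


def dormant_ids(last_logon, today, max_idle=DORMANT_AFTER):
    """Logon IDs that have never been used, or not used within max_idle, for deactivation."""
    return sorted(uid for uid, last in last_logon.items()
                  if last is None or today - last > max_idle)


# Constructed sample account data: logon ID -> date of last successful logon (None = never).
LAST_LOGON = {
    "jsmith": date(2024, 2, 20),
    "svc_backup": date(2023, 10, 1),
    "contractor7": None,
    "sysadmin": date(2024, 2, 29),
}
AS_OF = date(2024, 3, 1)   # the review date for the sample


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "password", "P@ss1"):
        print(pw, "->", password_violations(pw) or "compliant")
    print("deactivate:", dormant_ids(LAST_LOGON, AS_OF))
```

The composition rules are the ones this 2010-era material prescribes; current guidance (NIST SP 800-63B) puts more weight on length and screening against breached-password lists than on character classes, so treat the predicate list as a policy you would adjust rather than a fixed standard.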
Practice Question
An IS auditor has just completed a review of an
organization that has a mainframe and a client-server
environment where all production data reside. Which of
the following weaknesses would be considered the MOST serious?
A. The security officer also serves as the database administrator.
B. Password controls are not administered over the
client-server environment.
C. There is no business continuity plan for the
mainframe system’s non-critical applications.
D. Most local area networks (LANs) do not back up
file server-fixed disks regularly.
Identification and Authentication
Token devices, one-time passwords
Physically-oriented biometric
Behavior-oriented biometric
Identification and Authentication
Single sign-on (SSO)
• The process of consolidating all of the organization's
platform-based administration, authentication and
authorization functions into a single centralized
administrative function
• A single sign-on interfaces with:
– Client-server and distributed systems
– Mainframe systems
– Network security including remote access mechanisms
Identification and Authentication
Single sign-on (SSO) advantages
• Multiple passwords are no longer required
• Improves management of users' accounts and authorizations
across all associated systems
• Reduces administrative overhead in resetting forgotten
passwords over multiple platforms and applications
• Reduces the time taken by users to log into multiple
applications and platforms
Identification and Authentication
Single sign-on (SSO) disadvantages
• Support for all major operating system environments is difficult
• The costs associated with SSO development can be significant
when considering the nature and extent of interface
development and maintenance that may be necessary
• The centralized nature of SSO presents the possibility of a
single point of failure and total compromise of an
organization’s information assets
Practice Question
An organization is proposing to install a single sign-on facility
giving access to all systems. The organization should be aware that:
A. maximum unauthorized access would be
possible if a password is disclosed.
B. user access rights would be restricted by the
additional security parameters.
C. the security administrator's workload would increase.
D. user access rights would be increased.
Access Authorization / Administration
Logical access security administration
• Centralized environment
• Decentralized environment
Access Authorization / Administration
Advantages of Decentralized Security Management
• Security administration is onsite at the distributed location
• Security issues resolved in a timely manner
• Security controls are monitored frequently
Associated Risk
• Local standards might be implemented rather than those
• Levels of security management might be below what can be
maintained by central administration
• Unavailability of management checks and audits
Authorization Issues
Remote access using personal digital assistants (PDAs)
Inherent increased risk due to the lack of security on PDAs
Access issues with Mobile Technology
• Banning all use of transportable drives in the security policy
• Where no authorized use of USB ports exists, disabling use with
a logon script which removes them from the system directory
• If they are considered necessary for business use, encrypting
all data transported or saved by these devices
Authorization Issues
Audit logging in monitoring System Access
Provides management an audit trail to monitor activities
of a suspicious nature, such as a hacker attempting brute
force attacks on a privileged logon ID
Practice Question
5-5 An IS auditor reviewing the log of failed logon
attempts would be MOST concerned if which of the
following accounts was targeted?
A. Network administrator
B. System administrator
C. Data administrator
D. Database administrator
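Detection logic run over constructed sample log lines, as an added example in Python (not from the lecture), covering both the audit-logging slide and practice question 5-5: it flags a burst of failed logons against one ID inside a sliding window, rates the alert higher when the ID is a privileged one, and raises a separate alert when a success follows such a burst. The log line format, the five-failures-in-two-minutes threshold, the privileged-ID list and the log contents are all assumptions.

```python
"""Detection of brute-force attempts against privileged logon IDs (added example,
not from the lecture). Log format, thresholds and the privileged-ID list are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format: "<date> <time> <FAILED|SUCCESS> logon user=<id> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>FAILED|SUCCESS) "
    r"logon user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed: the logon IDs an auditor would treat as privileged.
PRIVILEGED_IDS = {"root", "sysadmin", "dbadmin", "netadmin"}

# Constructed sample log (not real data): one brute-force burst that ends in a success,
# a user who mistypes twice, and two isolated failures far apart.
SAMPLE_LOG = """\
2024-03-01 09:00:01 FAILED logon user=jsmith src=10.1.1.20
2024-03-01 09:00:05 FAILED logon user=sysadmin src=203.0.113.7
2024-03-01 09:00:06 FAILED logon user=sysadmin src=203.0.113.7
2024-03-01 09:00:07 FAILED logon user=sysadmin src=203.0.113.7
2024-03-01 09:00:08 FAILED logon user=sysadmin src=203.0.113.7
2024-03-01 09:00:09 FAILED logon user=sysadmin src=203.0.113.7
2024-03-01 09:00:10 FAILED logon user=sysadmin src=203.0.113.7
2024-03-01 09:00:11 SUCCESS logon user=sysadmin src=203.0.113.7
2024-03-01 09:00:30 FAILED logon user=jsmith src=10.1.1.20
2024-03-01 09:00:45 SUCCESS logon user=jsmith src=10.1.1.20
2024-03-01 09:05:00 FAILED logon user=dbadmin src=10.1.1.33
2024-03-01 09:20:00 FAILED logon user=dbadmin src=10.1.1.33
"""


def parse_log(text):
    """Yield (timestamp, result, user, src) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable lines are skipped here; in production, count them too
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["result"], m["user"], m["src"])


def detect_logon_abuse(text, threshold=5, window=timedelta(minutes=2)):
    """Return alerts for (a) >= threshold failures for one ID inside the sliding window
    and (b) a success for an ID that is still inside such a burst (possible compromise)."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerted = set()               # users already reported for their current burst
    alerts = []
    for ts, result, user, src in parse_log(text):
        q = recent[user]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if result == "FAILED":
            q.append(ts)
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append({"user": user, "src": src, "at": ts, "kind": "brute_force",
                               "severity": "HIGH" if user in PRIVILEGED_IDS else "MEDIUM"})
        else:   # SUCCESS
            if len(q) >= threshold:
                alerts.append({"user": user, "src": src, "at": ts, "kind": "success_after_burst",
                               "severity": "CRITICAL" if user in PRIVILEGED_IDS else "HIGH"})
            q.clear()            # a success resets the burst for this ID
            alerted.discard(user)
    return alerts


if __name__ == "__main__":
    for a in detect_logon_abuse(SAMPLE_LOG):
        print(a["at"], a["severity"], a["kind"], a["user"], "from", a["src"])
```

An auditor reviewing this log would rank the sysadmin entries as the most serious: six failures from one source followed by a success is what a brute-force attack that worked looks like, and it is the privileged ID that makes it critical rather than merely noisy.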
Internet Threats and Security
Network security attacks
Passive attacks
Active attacks
Internet Threats and Security
Passive attacks
• Network analysis
▫ Footprinting to create a profile of network infrastructure.
• Eavesdropping
▫ confidentiality of sensitive information.
• Traffic analysis
▫ When messages are encrypted and eavesdropping cannot
Internet Threats and Security
Active attacks
• Brute-force attack
• Masquerading (IP / ID Spoofing)
• Packet replay / Message Modification
• Phishing (Social Engineering)
• Unauthorized access through the Internet
• Denial of service
• Penetration attacks
• E-mail bombing / spamming
• E-mail spoofing
Internet Threats and Security
Causal factors for Internet attacks
Availability of tools and techniques on the Internet
Lack of security awareness and training
Exploitation of security vulnerabilities
Inadequate security over firewalls
Internet Threats and Security
• Firewall security systems
• Firewall platforms
• Using hardware or software
Authorization Issues
• Intrusion detection system (IDS)
• Intrusion prevention system (IPS)
Physical and Environmental
Environmental Security
Power failures
• Alarm control panels
• Electrical surge protectors
• Uninterruptible power supply / generator
• Fireproof walls, floors and ceilings of the computer room
• Fire extinguishers / Fire suppression systems
• Manual fire alarms
• Smoke detectors
• Water detectors
Physical Access Issues and Physical Security
• Unauthorized entry
• Damage or theft to equipment or documents
• Copying or viewing of sensitive or copyrighted information
• Alteration of sensitive equipment and information
• Public disclosure of sensitive information
• Illegal use of data processing resources
Possible perpetrators include the organization's disgruntled
Physical Access Controls
• Combination door locks (cipher locks)
• Electronic door locks
• Biometric door locks
• Manual logging
• Electronic logging
• Identification badges (photo IDs)
• Video cameras
• Security guards
• Escorted personnel
Security Incident Handling and
• Planning and preparation
• Response
• Detection
• Recovery
• Initiation
• Closure
• Evaluation
• Post incident review
• Containment
• Lessons learned
• Quick Reference Review
▫ Page 292 of the CISA Review Manual 2010