Chapter 5 Protection of Information Assets

download report

Transcript Chapter 5 Protection of Information Assets

Auditing Information Systems (AIS)
Lecture – 11
‘Protection of Information Assets'
Importance of Information Security
Management
Security objectives to meet organization’s business
requirements include :
• Ensure the continued availability of their information
systems
• Ensure the integrity of the information stored on their
computer systems
• Preserve the confidentiality of sensitive data
• Ensure conformity to applicable laws, regulations and
standards
• Ensure adherence to trust and obligation in relation to any
information relating to an identified or identifiable
individual
• Preserve the confidentiality of sensitive data in store and
in transit
Key Elements of Information Security
Management
Key elements of information security management
• Senior management commitment and support
• Policies and procedures
• Security awareness and education
• Monitoring and compliance
• Incident handling and response
Inventory and Classification of
Information Assets
The inventory record of each information asset should
include:
• Specific identification of assets
• Relative value to the organization
• Location
• Security / risk classification
• Asset group
• Owner
• Designated custodian
System Access Permission
• Who has access rights and to what?
• What is the level of access to be granted?
• Who is responsible for determining the access rights and
access levels?
• What approvals are needed for access?
Practice Question
5-1 A utility is available to update critical tables in case of
data inconsistency. This utility can be executed at the
operating system (OS) prompt or as one of the menu
options in an application. The BEST control to mitigate the
risk of an unauthorized manipulation of data is to:
A. delete the utility software and install it as and
when required.
B. provide access to the utility on a need-to-use
basis.
C. provide access to the utility to user management.
Mandatory and Discretionary
Access Controls
• Mandatory
▫ Enforces corporate security policy
▫ Compares sensitivity of information resources
• Discretionary
▫ Enforces data owner-defined sharing of information
resources
Logical Access
Logical access controls are the primary means
used to manage and protect information assets.
Logical Access Exposures
Technical exposures include:
• Data leakage
• Trojan horses / backdoors
• Viruses / Worms
• Logic bombs
• Denial-of-service attacks
• War driving
Familiarization with the Organization’s IT
Environment
Security layers to be reviewed include:
• The network
• Operating system platform
• Database and application layers
Paths of Logical Access
General points of entry
• Network connectivity
• Remote access
• Operator console
• Online workstations or terminals
Logical Access Control
Software
Purpose
Prevents unauthorized access and modification to an
organization’s sensitive data and use of system critical
functions.
Identification and Authentication
I&A common vulnerabilities
• Weak authentication methods
• Lack
of
confidentiality
and
integrity
for
the
stored
authentication information
• Lack of encryption for authentication and protection of
information transmitted over a network
• User’s lack of knowledge on the risks associated with sharing
passwords, security tokens, etc.
Identification and Authentication
(continued)
Logon IDs and passwords
• Features of passwords
• Password syntax (format) rules
• Token devices, one-time passwords
• Biometric
Identification and Authentication
(continued)
Best practices for logon IDs and passwords
• Passwords should be a minimum of 8 characters
• Passwords should be a combination of alpha, numeric,
upper and lower case and special characters
• Login IDs not used should be deactivated
• System
activity
should
automatically
disconnect
with
no
Practice Question
5-3
An IS auditor has just completed a review of an
organization that has a mainframe and a client-server
environment where all production data reside. Which of
the following weaknesses would be considered the MOST
serious?
A. The security officer also serves as the database
administrator.
B. Password controls are not administered over the
client-server environment.
C. There is no business continuity plan for the
mainframe system’s non-critical applications.
D. Most local area networks (LANs) do not back up
file server-fixed disks regularly.
Identification and Authentication
(continued)
•
Token devices, one-time passwords
•
Biometrics
▫
Physically-oriented biometric
▫
Behavior-oriented biometric
Identification and Authentication
(continued)
Single sign-on (SSO)
• The process for the consolidating all organization
platform-based administration, authentication and
authorization functions into a single centralized
administrative function
• A single sign-on interfaces with:
– Client-server and distributed systems
– Mainframe systems
– Network security including remote access mechanisms
Identification and Authentication
(continued)
Single sign-on (SSO) advantages
• Multiple passwords are no longer required
• Improves management of users’ accounts and authorizations
to all associates systems
• Reduces administrative overhead in resetting forgotten
passwords over multiple platforms and applications
• Reduces the time taken by users to log into multiple
applications and platforms
Identification and Authentication
(continued)
Single sign-on (SSO) disadvantages
• Support for all major operating system environments is
difficult
• The costs associated with SSO development can be significant
when considering the nature and extent of interface
development and maintenance that may be necessary
• The centralized nature of SSO presents the possibility of a
single point of failure and total compromise of an
organization’s information assets
Practice Question
5-4
An organization is proposing to install a single signon facility giving access to all systems. The
organization should be aware that:
A. maximum unauthorized access would be
possible if a password is disclosed.
B. user access rights would be restricted by the
additional security parameters.
C. the security administrator’s workload would
increase.
D. user access rights would be increased.
Access Authorization / Administration
Logical access security administration
• Centralized environment
• Decentralized environment
Access Authorization / Administration
Advantages of Decentralized Security Management
•
Security administration is onsite at the distributed location
•
Security issues resolved in a timely manner
•
Security controls are monitored frequently
Associated Risk
•
Local standards might be implemented rather than those
required
•
Levels of security management might be below what can be
maintained by central administration
•
Unavailability of management checks and audits
Authorization Issues
(continued)
Remote access using personal digital assistants (PDAs)
•
Inherent increased risks due to PDA lack of security
Access issues with Mobile Technology
•
Banning all use of transportable drives in the security policy
•
Where no authorized use of USB ports exists, disabling use with
a logon script which removes them from the system directory
•
If they are considered necessary for business use, encrypting
all data transported or saved by these devices
Authorization Issues
(continued)
Audit logging in monitoring System Access
Provides management an audit trail to monitor activities
of a suspicious nature, such as a hacker attempting brute
force attacks on a privileged logon ID
Practice Question
5-5 An IS auditor reviewing the log of failed logon
attempts would be MOST concerned if which of the
following accounts was targeted?
A. Network administrator
B. System administrator
C. Data administrator
D. Database administrator
Internet Threats and Security
Network security attacks
•
Passive attacks
•
Active attacks
Internet Threats and Security
(continued)
Passive attacks
 Network analysis

Footprinting to create a profile of network infrastructure.
 Eavesdropping

Monitor
the
network
and
try
to
compromise
the
confidentiality of sensitive information.
 Traffic analysis

When messages are encrypted and eavesdropping cannot
work.
Internet Threats and Security
(continued)
Active attacks
• Brute-force attack
• Masquerading (IP / ID Spoofing)
• Packet replay / Message Modification
• Phishing (Social Engineering)
• Unauthorized access through the Internet
• Denial of service
• Penetration attacks
• E-mail bombing / spamming
• E-mail spoofing
Internet Threats and Security
(continued)
Causal factors for Internet attacks
•
Availability of tools and techniques on the Internet
•
Lack of security awareness and training
•
Exploitation of security vulnerabilities
•
Inadequate security over firewalls
Internet Threats and Security
(continued)
 Firewall security systems
 Firewall platforms
 Using hardware or software
Authorization Issues
(continued)
• Intrusion detection system (IDS)
• Intrusion prevention system (IPS)
Physical and Environmental
Security
Environmental Security
Power failures
• Alarm control panels
• Electrical surge protectors
• Uninterruptible power supply / generator
Fire
•
•
•
•
Fireproof walls, floors and ceilings of the computer room
Fire extinguishers / Fire suppression systems
Manual fire alarms
Smoke detectors
Water
• Water detectors
Physical Access Issues and
Exposures
Physical Security
• Unauthorized entry
• Damage or theft to equipment or documents
• Copying or viewing of sensitive or copyrighted information
• Alteration of sensitive equipment and information
• Public disclosure of sensitive information
• Illegal user of data processing resources
Possible perpetrators include the organization disgruntled
employees.
Physical Access Controls
 Combination door locks (cipher locks)
 Electronic door locks
 Biometric door locks
 Manual logging
 Electronic logging
 Identification badges (photo IDs)
 Video cameras
 Security guards
 Escorted personnel
Security Incident Handling and
Response
• Planning and preparation
• Response
• Detection
• Recovery
• Initiation
• Closure
• Evaluation
• Post incident review
• Containment
• Lessons learned
Conclusion
• Quick Reference Review
▫ Page 292 of the CISA Review Manual 2010