Learning Objectives
Discuss how the COBIT framework can be
used to develop sound internal control
over an organization's information
systems.
Explain the factors that influence
information systems reliability.
Describe how a combination of
preventive, detective, and corrective
controls can be employed to provide
reasonable assurance about information
security.
AIS Controls
COSO and COSO-ERM address general
internal control
COBIT addresses information technology
internal control
COBIT Framework
Figure: the COBIT framework cube. Business objectives are judged against seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability). Those criteria are delivered by four IT resources (application systems, information, infrastructure, people), which are managed across the four domains of the IT life cycle: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
Effectiveness: information must be relevant and timely.
Efficiency: information must be produced in a cost-effective manner.
Confidentiality: sensitive information must be protected from unauthorized disclosure.
Integrity: information must be accurate, complete, and valid.
Availability: information must be available whenever needed.
Compliance: controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability: management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
INTRODUCTION
Trust Services Framework
Figure: the Trust Services Framework. Security is the foundation on which the other four principles rest: confidentiality, privacy, processing integrity, and availability. Together the five principles yield systems reliability.
Processing integrity means data is processed:
Accurately
Completely
In a timely manner
With proper authorization
Security procedures also prevent:
Submission of unauthorized or fictitious transactions.
Unauthorized changes to stored data or programs.
8-15
FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
There are two fundamental information
security concepts that will be discussed in
this chapter:
Security is a management issue, not a
technology issue.
Defense in depth and the time-based
model of security.
TIME-BASED MODEL OF
SECURITY
The time-based model of security
focuses on implementing a set of
preventive, detective, and corrective
controls that enable an organization to
recognize that an attack is occurring and
take steps to thwart it before any assets
have been compromised.
All three types of controls are necessary:
Preventive: limit actions to those in accord
with the organization's security policy and
disallow all others.
Detective: recognize that an attack or a
violation of policy is occurring.
Corrective: repair damage from problems
that have occurred, and improve preventive
and detective controls to reduce the
likelihood of similar incidents.
The time-based model evaluates the
effectiveness of an organization's security
by measuring and comparing the
relationship among three variables:
P = Time it takes an attacker to break through
the organization's preventive controls.
D = Time it takes to detect that an attack is in
progress.
C = Time to respond to the attack.
Security is effective if P > D + C: the attack
is detected and stopped before the attacker
gets through. If P is less than D + C the
attacker wins, and the organization must
either strengthen its preventive controls
(increase P) or shorten detection and
response (decrease D and C).
DEFENSE IN DEPTH
The idea of defense-in-depth is to employ
multiple layers of controls to avoid having
a single point of failure.
If one layer fails, another may function as
planned.
Information security involves using a
combination of firewalls, passwords, and
other preventive procedures to restrict
access.
Redundancy also applies to detective and
corrective controls.
DEFENSE IN DEPTH
Major types of preventive controls used for
defense in depth include:
Authentication controls (passwords, tokens,
biometrics, MAC addresses)
Authorization controls (access control matrices and
compatibility tests)
Training
Physical access controls (locks, guards, biometric
devices)
Remote access controls (IP packet filtering by border
routers and firewalls using access control lists; intrusion
prevention systems; authentication of dial-in users;
wireless access controls)
Host and application hardening procedures
(firewalls, anti-virus software, disabling of unnecessary
features, user account management, software design,
e.g., to prevent buffer overflows)
Encryption
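The "IP packet filtering by border routers and firewalls using access control lists" item above is the control that is most often misconfigured rather than missing. The following is an added example (not code from the original slides or from any router vendor) that models a first-match ACL with an implicit default deny, evaluates packets against it, and audits the list for shadowed rules: rules that can never fire because an earlier, broader rule already covers every packet they would match. The addresses (RFC 5737 documentation ranges and RFC 1918 private ranges), the rule set, and the Rule, evaluate and shadowed_rules names are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None = any destination port
    comment: str = ""

    def matches(self, proto: str, src_ip, dst_ip, dport: Optional[int]) -> bool:
        return (self.proto in ("any", proto)
                and src_ip in self.src
                and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches self (used for the shadowing audit)."""
        return (self.proto in ("any", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))


# Constructed ACL for an Internet-facing border router. The public hosts are invented.
BORDER_ACL: List[Rule] = [
    Rule("deny",   "any", net("10.0.0.0/8"),      ANY,                    None, "anti-spoofing: private source must not arrive from outside"),
    Rule("deny",   "any", net("192.168.0.0/16"),  ANY,                    None, "anti-spoofing"),
    Rule("permit", "tcp", ANY,                    net("203.0.113.10/32"), 443,  "public web server, HTTPS only"),
    Rule("permit", "tcp", net("198.51.100.0/24"), net("203.0.113.20/32"), 22,   "SSH to the bastion from the partner admin range only"),
    Rule("permit", "udp", ANY,                    net("203.0.113.53/32"), 53,   "authoritative DNS"),
]   # anything not matched above is dropped by the implicit default deny


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation, as on a router ACL: returns (action, index of the rule that decided)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, rule in enumerate(acl):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None   # default deny


def shadowed_rules(acl: List[Rule]) -> List[Tuple[int, int]]:
    """(j, i) pairs where rule j is dead because the earlier rule i covers every packet j would match."""
    found = []
    for j, later in enumerate(acl):
        for i in range(j):
            if acl[i].covers(later):
                found.append((j, i))
                break
    return found


# A common mistake: a broad "temporary" permit inserted at the top turns the tighter rules below into dead code
# and exposes the bastion's SSH port to the whole Internet.
SLOPPY_ACL: List[Rule] = [Rule("permit", "tcp", ANY, ANY, None, "TEMP: allow everything for troubleshooting")] + BORDER_ACL

if __name__ == "__main__":
    print(evaluate(BORDER_ACL, "tcp", "8.8.8.8", "203.0.113.20", 22))   # ('deny', None)
    print(evaluate(SLOPPY_ACL, "tcp", "8.8.8.8", "203.0.113.20", 22))   # ('permit', 0)
    print(shadowed_rules(SLOPPY_ACL))                                     # [(3, 0), (4, 0)]
```

Running the shadowing audit on every ACL change is a cheap detective check that catches exactly the class of error the sloppy list shows: the intended restrictions are still written down, but they no longer have any effect.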
DEFENSE IN DEPTH
Major types of detective controls used for defense in depth
include:
Log analysis
Intrusion detection systems
Managerial reports
Security testing
Major types of corrective controls used for defense in depth
include:
Computer incident response team (CIRT)
Chief information security officer (CISO)
Patch management
PREVENTIVE CONTROLS
The objective of preventive controls is to prevent security
incidents from happening.
Involves two related functions:
Authentication
Focuses on verifying the identity of the person or device
attempting to gain access.
Authorization
Restricts access of authenticated users to specific portions
of the system and specifies what actions they are permitted
to perform.
PREVENTIVE CONTROLS
Users can be authenticated by verifying:
Something they know (a password or PIN).
Something they have (a token or smart card).
Something they are (a biometric such as a fingerprint or palm print).
Passwords are probably the most commonly used
authentication method and also the most controversial.
A password provides assurance only if it is both random
(not guessable) and secret (not shared or written down).
Each authentication method has its limitations:
passwords can be guessed, stolen, or shared; tokens can
be lost or stolen; biometric readers produce both false
accepts and false rejects.
Although none of the three basic
authentication methods is foolproof by
itself, the use of two or three in
conjunction, known as multi-factor
authentication, is quite effective.
Example: Using a palm print and a PIN
together is much more effective
than using either method alone.
PREVENTIVE CONTROLS
Authorization controls are implemented
by creating an access control matrix.
Specifies what part of the IS a user can access
and what actions they are permitted to
perform.
When an employee tries to access a particular
resource, the system performs a compatibility
test that matches the user's authentication
credentials against the matrix to determine if
the action should be allowed.
PREVENTIVE CONTROLS
Example of an access control matrix:

User ID  Password  File A  File B  File C  Program 1  Program 2  Program 3  Program 4
12345    ABC       0       0       1       0          0          0          0
12346    DEF       0       2       0       0          0          0          0
12354    KLM       1       1       1       0          0          0          0
12359    NOP       3       0       0       0          0          0          0
12389    RST       0       1       0       0          3          0          0
12567    XYZ       1       1       1       1          1          1          1

Codes for type of access: 0 = no access permitted; 1 = read and display only; 2 = read, display, and update; 3 = read, display, update, create, and delete.
Who has the authority to delete Program 2?
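To make the compatibility test concrete, here is an added example (not from the original slides) that encodes the matrix above, performs authentication and then authorization for a requested action, and answers the question posed. It assumes the access codes mean 0 = no access, 1 = read/display only, 2 = read and update, 3 = read, update, create and delete; the function names and the action-to-code mapping are the example's own. The plaintext passwords are kept only because the figure shows them; a real system stores salted password hashes.

```python
import hmac
from typing import Dict, List, Tuple

# Minimum access code each action requires (assumed mapping, see the legend above).
ACTION_MIN_CODE = {"read": 1, "display": 1, "update": 2, "create": 3, "delete": 3}

RESOURCES = ["file A", "file B", "file C", "program 1", "program 2", "program 3", "program 4"]

# The matrix from the figure: user id -> (password, access code per resource in RESOURCES order).
ACCESS_MATRIX: Dict[str, Tuple[str, List[int]]] = {
    "12345": ("ABC", [0, 0, 1, 0, 0, 0, 0]),
    "12346": ("DEF", [0, 2, 0, 0, 0, 0, 0]),
    "12354": ("KLM", [1, 1, 1, 0, 0, 0, 0]),
    "12359": ("NOP", [3, 0, 0, 0, 0, 0, 0]),
    "12389": ("RST", [0, 1, 0, 0, 3, 0, 0]),
    "12567": ("XYZ", [1, 1, 1, 1, 1, 1, 1]),
}


def authenticate(user_id: str, password: str) -> bool:
    """Authentication: is the caller really the user the id claims?
    Unknown ids fail the same way as wrong passwords, and the comparison is constant-time."""
    stored = ACCESS_MATRIX.get(user_id, ("", []))[0]
    return bool(stored) and hmac.compare_digest(stored, password)


def access_code(user_id: str, resource: str) -> int:
    return ACCESS_MATRIX[user_id][1][RESOURCES.index(resource)]


def compatibility_test(user_id: str, password: str, resource: str, action: str) -> bool:
    """Authentication followed by authorization: the action is allowed only if the user's
    code for that resource reaches the minimum code the action requires."""
    if not authenticate(user_id, password):
        return False
    if resource not in RESOURCES or action not in ACTION_MIN_CODE:
        return False   # unknown resource or action: deny by default
    return access_code(user_id, resource) >= ACTION_MIN_CODE[action]


def users_allowed(resource: str, action: str) -> List[str]:
    """Answers questions of the form asked above: which users may perform `action` on `resource`?"""
    needed = ACTION_MIN_CODE[action]
    return sorted(uid for uid, (_, codes) in ACCESS_MATRIX.items()
                  if codes[RESOURCES.index(resource)] >= needed)


if __name__ == "__main__":
    print("Can delete program 2:", users_allowed("program 2", "delete"))   # ['12389']
    print(compatibility_test("12567", "XYZ", "program 2", "delete"))        # False: code 1 is read only
```

Note that user 12567 can reach every resource but delete none of them, while 12389 is the only user whose code for program 2 is 3: the matrix separates "who can get in" from "what they may do", which is the point of keeping authorization distinct from authentication.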
PREVENTIVE CONTROLS
Authentication and authorization can be applied
to devices as well as users.
Every workstation, printer, or other computing device
needs a network interface card (NIC) to connect to the
organization's network.
Each network device has a unique identifier, referred to
as its media access control (MAC) address.
It is possible to restrict network access to only those
devices which have a recognized MAC address or to use
MAC addresses for authorization.
For example, payroll or EFT applications should be set
only to run from authorized terminals.
Note that a MAC address is easily changed (spoofed) by
anyone with administrative control of a device, so
MAC-based restrictions are a weak control on their own
and should not be relied on as the only proof of a
device's identity.
PREVENTIVE CONTROLS
Other preventive controls: training, physical access
control, remote access control, hardening, and
encryption.
PREVENTIVE CONTROLS
Encrypting sensitive stored data provides
one last barrier that must be overcome by
an intruder.
Encryption also strengthens authentication
procedures and plays an essential role in
ensuring and verifying the validity of e-business transactions.
Therefore, accountants, auditors, and
systems professionals need to understand
encryption.
PREVENTIVE CONTROLS
Figure: encryption and decryption. Plaintext ("This is a contract for . . .") and a key are fed to the encryption algorithm, which produces ciphertext ("Xb&j &m 2 ep0%fg . . ."); the ciphertext and a key fed to the decryption algorithm yield the plaintext again.
Encryption is the process of transforming
normal text, called plaintext, into
unreadable gibberish, called ciphertext.
Decryption reverses this process.
To encrypt or decrypt, both a key and an
algorithm are needed.
PREVENTIVE CONTROLS
Hashing
Hashing takes plaintext of any length and
transforms it into a short code called a hash.
SHA-256 creates a 256-bit hash regardless of the
length of the input.
Hashing differs from encryption in that:
Encryption produces ciphertext roughly similar in
length to the plaintext, but hashing produces a hash
of a fixed short length.
Encryption is reversible, but hashing is not; you
cannot transform a hash back into its original
plaintext.
PREVENTIVE CONTROLS
Digital signatures
Asymmetric encryption and hashing are used to
create digital signatures.
A digital signature is a hash of a document or
message, encrypted with the creator's private key.
That hash can only be decrypted using the
corresponding public key.
So successful decryption with an entity's public key,
yielding a hash that matches a fresh hash of the
received document, proves that the document could only
have been signed by the entity that holds the
corresponding private key, and that it has not been
altered since it was signed.
The private key is known only to its owner, so only the
owner could have created the signature.
PREVENTIVE CONTROLS
A digital certificate is an electronic document,
created and digitally signed by a trusted third
party.
Certifies the identity of the owner of a particular public
key.
Digital certificates provide an automated method for
obtaining an organization's or individual's public key.
DETECTIVE CONTROLS
Preventive controls are never 100% effective in blocking all
attacks, so organizations implement detective controls to
identify the attacks and policy violations that get past them.
Authentication and authorization controls
represent the organization's policies governing
access to the system and limit the actions that
can be performed by authorized users.
Actual system use must be examined to assess
compliance through:
Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security
procedures
DETECTIVE CONTROLS
Log analysis
Log analysis is the process of examining logs to
identify evidence of possible attacks or policy
violations.
The log may indicate unsuccessful
attempts to log in to different servers.
The person analyzing the log must try to
determine the reason for the failed
attempt. It could be that:
The person was a legitimate user who forgot
his password.
The person was a legitimate user but not authorized to
access that particular server.
The user ID was invalid and represented an
attempted intrusion.
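The three explanations for a failed login listed above can be separated mechanically, which is what a log-review script or a SIEM rule does. The following added example (not from the original slides) parses constructed OpenSSH-style syslog lines, labels each failure with its most likely reason, and flags a source address that has tried several non-existent usernames across servers, the pattern that signals an intrusion attempt rather than a forgotten password. Hosts, users, addresses, the threshold and the function names are all invented for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample in OpenSSH/syslog style; the hosts, users and addresses do not exist.
SAMPLE_LOG = """\
Mar  3 09:12:01 fileserver sshd[2211]: Failed password for alice from 10.0.5.12 port 50122 ssh2
Mar  3 09:12:09 fileserver sshd[2211]: Accepted password for alice from 10.0.5.12 port 50122 ssh2
Mar  3 09:14:30 payroll sshd[3301]: User bob from 10.0.5.20 not allowed because not listed in AllowUsers
Mar  3 09:15:40 payroll sshd[3302]: Failed password for invalid user admin from 198.51.100.77 port 41000 ssh2
Mar  3 09:15:41 payroll sshd[3303]: Failed password for invalid user administrator from 198.51.100.77 port 41002 ssh2
Mar  3 09:15:43 payroll sshd[3304]: Failed password for invalid user test from 198.51.100.77 port 41004 ssh2
Mar  3 09:15:44 payroll sshd[3305]: Failed password for invalid user oracle from 198.51.100.77 port 41006 ssh2
Mar  3 09:15:46 fileserver sshd[2230]: Failed password for invalid user admin from 198.51.100.77 port 41010 ssh2
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
FAILED = re.compile(PREFIX + r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)")
DENIED = re.compile(PREFIX + r"User (?P<user>\S+) from (?P<src>\S+) not allowed")
ACCEPTED = re.compile(PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

# The three explanations for a failed attempt named in the text, plus success as context.
INVALID_USER, NOT_AUTHORIZED, VALID_USER_FAILED, SUCCESS = "invalid_user", "not_authorized", "valid_user_failed", "success"


def parse(line: str) -> Optional[Dict[str, str]]:
    """Turn one syslog line into an event dict, or None for lines this analyser does not handle."""
    if m := FAILED.match(line):
        kind = INVALID_USER if m.group("invalid") else VALID_USER_FAILED
    elif m := DENIED.match(line):
        kind = NOT_AUTHORIZED
    elif m := ACCEPTED.match(line):
        kind = SUCCESS
    else:
        return None
    return {"ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
            "src": m.group("src"), "kind": kind}


def analyse(log_text: str, enumeration_threshold: int = 3) -> Dict:
    """Label every failure and aggregate invalid-user attempts per source address."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    verdicts: List[Dict[str, str]] = []
    by_source = defaultdict(lambda: {"invalid_users": set(), "hosts": set(), "attempts": 0})
    for i, ev in enumerate(events):
        if ev["kind"] == VALID_USER_FAILED:
            # A failure followed by a success for the same user from the same source is the
            # "forgot or mistyped the password" case; without the success it stays worth watching.
            later_ok = any(e["kind"] == SUCCESS and e["user"] == ev["user"] and e["src"] == ev["src"]
                           for e in events[i + 1:])
            reason = ("legitimate user, mistyped or forgotten password (succeeded afterwards)" if later_ok
                      else "valid account, wrong password; watch for repeats")
            verdicts.append({**ev, "reason": reason})
        elif ev["kind"] == NOT_AUTHORIZED:
            verdicts.append({**ev, "reason": "legitimate user not authorized for this server"})
        elif ev["kind"] == INVALID_USER:
            verdicts.append({**ev, "reason": "unknown account: possible intrusion attempt"})
            s = by_source[ev["src"]]
            s["invalid_users"].add(ev["user"])
            s["hosts"].add(ev["host"])
            s["attempts"] += 1
    # One unknown username may be a typo; several distinct ones from one address is enumeration.
    suspicious = {src: {"invalid_users": sorted(s["invalid_users"]), "hosts": sorted(s["hosts"]),
                        "attempts": s["attempts"]}
                  for src, s in by_source.items() if len(s["invalid_users"]) >= enumeration_threshold}
    return {"events": events, "verdicts": verdicts, "suspicious_sources": suspicious}


if __name__ == "__main__":
    for v in analyse(SAMPLE_LOG)["verdicts"]:
        print(v["ts"], v["host"], v["user"], v["src"], "->", v["reason"])
    print(analyse(SAMPLE_LOG)["suspicious_sources"])
```

The per-source aggregation is the part a human reviewer tends to miss when reading one server's log at a time: the five attempts against payroll and fileserver are unremarkable individually and obvious together.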
DETECTIVE CONTROLS
Intrusion detection systems
A major weakness of log analysis is that it is
labor intensive and prone to human error.
Intrusion detection systems (IDS) represent an
attempt to automate part of the monitoring.
DETECTIVE CONTROLS
An Intrusion Detection System creates a
log of network traffic that was permitted to
pass the firewall.
Analyzes the logs for signs of attempted or
successful intrusions.
Most common analysis is to compare logs to a
database containing patterns of traffic
associated with known attacks.
An alternative technique builds a model
representing normal network traffic and uses
various statistical techniques to identify
unusual behavior.
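The two IDS analysis techniques just described, matching traffic against a database of known attack patterns and flagging deviations from a statistical model of normal traffic, are shown side by side in this added example (not from the original slides or from any IDS product). It runs both over constructed HTTP request records and shows why real IDSs combine them: the SQL injection and directory traversal requests match signatures but are far too few to look anomalous, while the request flood from one address matches no signature but exceeds the baseline threshold. The patterns, the baseline counts, the three-sigma rule and the function names are the example's own.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Signature database: constructed patterns for a few well-known web attack techniques (not a real ruleset).
SIGNATURES = [
    ("sql-injection", re.compile(r"(union\s+select|'\s*or\s+1\s*=\s*1)", re.I)),
    ("path-traversal", re.compile(r"(\.\./){2,}")),
    ("command-injection", re.compile(r"[;|`]\s*(cat|wget|curl|nc|sh)\b", re.I)),
]


def signature_matches(request: str) -> List[str]:
    """Signature-based detection: compare one request with the patterns of known attacks."""
    return [name for name, pattern in SIGNATURES if pattern.search(request)]


def anomaly_threshold(baseline_counts: List[int], sigmas: float = 3.0) -> float:
    """Anomaly-based detection: 'normal' is modelled as requests per source per minute observed
    during a quiet training window; anything above mean + 3 standard deviations is unusual."""
    return statistics.mean(baseline_counts) + sigmas * statistics.pstdev(baseline_counts)


def detect(requests: List[Tuple[str, str, str]], baseline_counts: List[int]) -> Dict[str, list]:
    """requests: (minute, source ip, request line), i.e. the traffic that the firewall let through."""
    signature_alerts = [(src, name, req) for _, src, req in requests for name in signature_matches(req)]
    threshold = anomaly_threshold(baseline_counts)
    per_bucket = Counter((minute, src) for minute, src, _ in requests)
    anomaly_alerts = [(minute, src, count, round(threshold, 1))
                      for (minute, src), count in sorted(per_bucket.items()) if count > threshold]
    return {"signature": signature_alerts, "anomaly": anomaly_alerts}


# Constructed data. BASELINE: requests per (source, minute) seen while training the model.
BASELINE = [3, 4, 5, 4, 3, 5, 4, 6, 4, 5]

SAMPLE_REQUESTS = (
    [("10:00", "10.0.5.12", f"GET /reports/{i} HTTP/1.1") for i in range(4)]
    + [("10:00", "10.0.5.12", "GET /search?q=' OR 1=1 -- HTTP/1.1")]              # one injection attempt
    + [("10:00", "203.0.113.99", f"GET /catalog?page={i} HTTP/1.1") for i in range(12)]  # benign-looking flood
    + [("10:01", "203.0.113.7", "GET /download?file=../../../../etc/passwd HTTP/1.1")]
    + [("10:02", "203.0.113.7", "GET /download?file=../../../../etc/shadow HTTP/1.1")]  # slow, low-volume probing
)

if __name__ == "__main__":
    alerts = detect(SAMPLE_REQUESTS, BASELINE)
    for src, name, req in alerts["signature"]:
        print("SIGNATURE", src, name, req)
    for minute, src, count, threshold in alerts["anomaly"]:
        print("ANOMALY", minute, src, f"{count} requests > threshold {threshold}")
```

Neither technique alone covers the sample: the signature engine is blind to the flood because every request in it is individually normal, and the anomaly model is blind to the two traversal attempts because two requests a minute is well inside the baseline. The trade-off the slide hints at is also visible: signatures only know attacks that are already in the database, while the statistical model will raise alerts on any legitimate burst of traffic.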
DETECTIVE CONTROLS
Managerial reports
Management reports are another important
detective control.
Management can use COBIT to set up a report
scorecard.
COBIT provides:
Management guidelines that identify
crucial success factors associated with
each objective.
Key performance indicators that can be
used to assess their effectiveness.
DETECTIVE CONTROLS
COBIT key performance indicators:
Number of incidents with business impact
Percent of users who do not comply with
password standards
Percent of cryptographic keys compromised
and revoked
DETECTIVE CONTROLS
Although regular review of periodic
performance reports can help ensure that
security controls are adequate, surveys
indicate that many organizations fail to
regularly monitor security.
DETECTIVE CONTROLS
Security testing
The effectiveness of existing security procedures should
be tested periodically.
One approach is vulnerability scans, which use
automated tools designed to identify whether a
system possesses any well-known vulnerabilities.
Security websites such as the Center for Internet
Security (www.cisecurity.org) provide:
Benchmarks for security best practices.
Tools to measure how well a system conforms.
DETECTIVE CONTROLS
Penetration testing provides a rigorous way to
test the effectiveness of an organization's
information security.
This testing involves an authorized attempt by
either an internal audit team or an external security
consulting firm to break into the organization's IS.
Figure: the phases of a penetration test: research, attempt social engineering, execute attack, cover tracks.
DETECTIVE CONTROLS
The teams try every possible way to
compromise a company's system,
including:
Masquerading as custodians, temporary
workers, or confused delivery personnel to get
into offices to locate passwords or access
computers.
Using sexy decoys to distract guards.
Climbing through roof hatches and dropping
through ceiling panels.
CORRECTIVE CONTROLS
COBIT specifies the need to identify and
handle security incidents.
Two of the Trust Services framework
criteria for effective security are the
existence of procedures to:
React to system security breaches and other
incidents.
Take corrective action on a timely basis.
Three key components that satisfy the preceding criteria
are:
Computer incident response team (CIRT)
Chief information security officer (CISO)
Patch management
The CIRT should lead the organization's incident response
process through four steps:
Recognition that a problem exists.
Containment of the problem.
Recovery.
Follow-up, including ensuring that all possible evidence is
collected and maintained in a manner
that makes it admissible in court.
CORRECTIVE CONTROLS
A chief information security officer (CISO):
Should be independent of other IS functions and report
to either the COO or CEO.
Must understand the company's technology environment
and work with the CIO to design, implement, and
promote sound security policies and procedures.
Disseminates information about fraud, errors, security breaches,
improper system use, and the consequences of these
actions.
Works with the person in charge of building security, as
that is often the entity's weakest link.
Should impartially assess and evaluate the IT
environment, conduct vulnerability and risk
assessments, and audit the CIO's security measures.
CORRECTIVE CONTROLS
Patch management
Another important corrective control involves
fixing known vulnerabilities and installing the latest
updates to:
Anti-virus software
Firewalls
Operating systems
Application programs
The number of reported vulnerabilities rises
each year.
CORRECTIVE CONTROLS
Hackers usually publish instructions for
exploiting a newly discovered vulnerability
(known as exploits) on the Internet.
Although it takes skill to discover the
vulnerability and write the exploit, once
published, it can be executed by almost anyone.
Attackers who execute these programmed
exploits are referred to as script kiddies.
A patch is code released by software
developers to fix vulnerabilities that have
CORRECTIVE CONTROLS
Patch management is the process for
regularly applying patches and updates to
all of an organization's software.
Challenging to do because:
Patches can have unanticipated side effects
that cause problems, which means they should
be tested before being deployed.
There are likely to be many patches each year
for each software program, which may mean
that hundreds of patches will need to be
applied to thousands of machines.
CORRECTIVE CONTROLS
Intrusion prevention systems may provide
great promise if they can be quickly
updated to respond to new vulnerabilities
and block new exploits, so that the entity
can buy time to:
Thoroughly test the patches.
Apply the patches.
Firewall: software or hardware used to filter information.
New Considerations
Virtualization
Risks: increased exposure if a breach occurs; reduced authentication standards.
Cloud Computing
Remotely accessed resources: software applications, data storage, hardware.
Opportunities: implementing strong access controls in the cloud, or over the server that hosts a virtual network, provides good security over all the systems contained therein.