Effective information security arrangements are the foundation for protecting assets and privacy.
The security objectives for information assets can be listed as follows:
Information integrity.
Confidentiality of sensitive data.
Adherence to copyright and anti-piracy arrangements.
Continued availability of data.
Conformity to applicable laws.
KEY ELEMENTS:
Following are the key elements of information security management:
Senior management commitment and support.
Policies and procedures.
Organization of the responsibilities.
Security awareness and education.
Monitoring and compliance.
Incident handling and response.
KEY TERMS:
CSIRT: Computer Security Incident Response Team.
CERT: Computer Emergency Response Team.
These teams should be formed, with clearly defined responsibilities, for incident handling.
c) Users:
d) Data owners:
f) IS security committee:
consistent with
g) Security specialist:
h) IT developers:
i) IS auditors:
j) External parties:
SYSTEM ACCESS:
System access is the ability to do something with a computer, such as CREATE, MODIFY,
DELETE, EXECUTE or CONNECT.
TYPES OF SYSTEM ACCESS CONTROLS:
System access could be logical or physical:
a) Logical system access control:
It provides technical means of controlling:
Which information users can utilize.
Which programs or transactions they can run.
Which modifications they can make.
It can be implemented through the O/S, separate security software, or controls built into the application.
b) Physical system access control:
It restricts entry and exit of personnel. They include badges, memory cards, guard keys,
locks, and biometrics.
Keynote:
System access (logical or physical) should be on a documented need-to-know basis.
Other points:
IMPORTANT:
Access controls could either be mandatory or discretionary:
Mandatory access control is a mechanism to enforce corporate security policy or security
rules dealing with information resource sharing.
Discretionary access controls are data-owner-defined sharing of access to information resources.
PRIVACY ISSUES:
Privacy defined:
Privacy is the adherence to trust and obligations concerning any information relating to an
identified or identifiable individual.
Critical points:
Management is responsible for adhering to privacy requirements. The IS auditor is NOT responsible
for the contents of the database, and may take expert opinion.
The IS auditor has to review management's privacy policies, which include:
Nature of information.
Documentation.
Accountability of privacy issues.
Reduction in privacy modifications.
CRITICAL SUCCESS FACTORS:
Managerial commitment and support.
Updated policies and procedures reflecting business objectives.
I&A TECHNIQUES
I&A techniques are generally categorized on the following bases:
1) Something you know: passwords.
2) Something you have: token card.
3) BIOMETRICS:
a. Something you are: biometric features (physical).
b. Something you do: signature and voice recognition (behavioral).
e) Fingerprint.
f) Face.
SINGLE-SIGN-ON (SSO)
Users have to access a number of resources during a typical workday and therefore have to
authenticate themselves a number of times. Users normally cannot memorize many passwords, so
there is an increased likelihood that password information is written down and kept near the
workstation.
SSO means consolidating all of the organization's platform-based administration, authentication
and authorization functions into a single centralized administrative function.
The SSO server handling this information is called the primary domain.
Advantages:
Multiple passwords are no longer required.
Improves management's ability to manage user accounts.
It improves efficiency.
Disadvantages:
Difficult for all operating systems to support.
Costly.
A failure of the centralized server could cause huge disruption.
Social engineering:
No matter how strong the security system of an organization is, it does not work unless its
employees are committed and aware of the security implications. Management should install a
program of ongoing employee awareness regarding security issues.
AUTHORIZATION ISSUES
Access rules specify WHO can access WHAT. Access should be documented. Computer access
can be granted at varying levels, for example:
Read, write, and copy only.
Write, execute, update, or delete only.
Execute only.
Combination of above.
The least dangerous access type is READ ONLY.
ACCESS CONTROL LISTS:
Access control lists (ACL) refer to the register of:
Authorized usernames.
Access permitted.
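A small worked implementation of such a register, added here as an example (it is not from the original notes); the resource names, usernames and permissions are constructed. It shows a default-deny lookup that answers WHO can do WHAT on a resource, and a review helper that lists every entry holding more than READ ONLY, which is what an auditor would compare against the documented need-to-know list:

```python
# Access levels named in the notes; READ is the least dangerous of them.
ACTIONS = frozenset({"read", "write", "copy", "execute", "update", "delete"})

# Constructed ACL: for each resource, the register of authorized usernames
# and the access permitted to each (hypothetical names and values).
ACL = {
    "payroll.db": {
        "alice": {"read"},                                   # read only
        "bob": {"read", "write", "update"},
        "payroll_svc": {"read", "write", "update", "delete"},
    },
    "report_gen.exe": {
        "alice": {"execute"},                                # execute only
        "bob": {"execute"},
    },
}


def is_authorized(acl, user, resource, action):
    """Default deny: anything not explicitly in the register is refused."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return action in acl.get(resource, {}).get(user, set())


def who_can(acl, resource, action):
    """WHO can do WHAT: the users holding a given permission on a resource."""
    return sorted(user for user, perms in acl.get(resource, {}).items()
                  if action in perms)


def review_excess(acl, baseline=frozenset({"read"})):
    """Auditor's view: every (resource, user) holding more than the baseline
    access, ready to be checked against the documented need-to-know list."""
    findings = []
    for resource, entries in acl.items():
        for user, perms in entries.items():
            extra = set(perms) - set(baseline)
            if extra:
                findings.append((resource, user, sorted(extra)))
    return findings


if __name__ == "__main__":
    print(is_authorized(ACL, "alice", "payroll.db", "read"))     # True
    print(is_authorized(ACL, "alice", "payroll.db", "delete"))   # False
    print(who_can(ACL, "payroll.db", "delete"))                  # ['payroll_svc']
    for finding in review_excess(ACL):
        print("more than read-only:", finding)
```

Unknown users and unknown resources fall through to an empty permission set, so the only way to obtain access is an explicit entry in the register.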
REMOTE ACCESS SECURITY:
Organizations require remote connectivity to their information system.
LAN SECURITY:
LANs facilitate the storage and retrieval of programs and data used by a group of people. LAN
software and practices also need to provide for the security of these programs and data.
INFORMATION REQUIRED:
LAN topology and network design.
LAN administrator and his/her functions.
Group of users.
Applications used in LAN.
Standards and procedures.
RISKS AND ISSUES:
The administrative and control functions available with network software might be limited.
Software vendors and network users have recognized the need to provide diagnostic
capabilities to identify the cause of problems when the network goes down or functions in an
unusual manner. The use of logon IDs and passwords with associated administration facilities is
only now becoming standard.
DIAL-UP ACCESS CONTROLS:
It is possible to break LAN security through the dial-in route. Without dial-up access controls, a
caller can dial in and try passwords until they gain access. Once in, they can hide pieces of
software anywhere, pass through wide area network (WAN) links to other systems and generally
create as much or as little havoc as they like. To minimize the risk of unauthorized dial-in
access, remote users should never store their passwords in plain-text login scripts on notebooks
and laptops.
Dial back procedures:
When a dialup line is used, access should be restricted by a dial-back mechanism, user calling
line identity to verify the calling number, or strong two-factor authentication. Dial-back
interrupts the telecommunications dialup connection to the computer by dialing back the caller
to validate user authority. Once a dialup connection is made, logical access controls should
provide the same restrictions as if the user were using a terminal from within the organization.
When a call is answered by the modem, the caller must enter a code. The modem hangs up the
connection, looks up the caller's registered callback number, and calls back if the code is
authenticated.
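The dial-back procedure above, simulated as an added example (it is not part of the original notes); the user registry, access codes and phone numbers are constructed. The point it demonstrates is that the callback always goes to the number registered for the user, never to the number the caller dialled in from, so a caller presenting a spoofed line identity gains nothing, and that the line is dropped before any decision is made:

```python
import hmac

# Constructed registry: each dial-up user has a secret access code and ONE
# pre-registered callback number (hypothetical values).
REGISTRY = {
    "jsmith": {"code": "4821-7731", "callback_number": "+1-555-0101"},
    "rlee":   {"code": "9035-2266", "callback_number": "+1-555-0102"},
}


class DialBackModem:
    """Simulates dial-back: answer, take a code, hang up, then call the
    registered number. The caller's own number is logged but never dialled."""

    def __init__(self, registry):
        self.registry = registry
        self.log = []

    def incoming_call(self, caller_number, user_id, code):
        """Return the number dialled back, or None if the call is rejected."""
        self.log.append(f"ANSWER from {caller_number} claiming to be {user_id}")
        entry = self.registry.get(user_id)
        # constant-time comparison so response timing does not leak code digits
        valid = entry is not None and hmac.compare_digest(entry["code"], code)
        self.log.append("HANGUP")               # always drop the inbound line first
        if not valid:
            self.log.append(f"REJECT {user_id}")
            return None
        target = entry["callback_number"]
        self.log.append(f"DIALBACK {user_id} at {target}")
        return target


if __name__ == "__main__":
    modem = DialBackModem(REGISTRY)
    # The caller rings in from an unknown number but knows jsmith's code:
    # the callback still goes to jsmith's registered number.
    print(modem.incoming_call("+1-555-0199", "jsmith", "4821-7731"))
    print(modem.incoming_call("+1-555-0199", "jsmith", "0000-0000"))
    print("\n".join(modem.log))
```

After the callback completes, the normal logical access controls (login, authorization rules) still apply to the session, exactly as for a terminal inside the organization; the dial-back only decides whether a line is established at all.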
CLIENT/SERVER SECURITY:
A client/server system typically contains numerous access points. Security procedures for these
server environments are usually neither as well understood nor as well protected as a mainframe-based
processing environment. Client/server systems utilize distributed techniques, creating
increased risk of access to data and processing. To effectively secure the client/server
environment, all access points should be identified.
INTERNET SECURITY:
IMPACT OF INTERNET THREATS:
Loss of income.
Increased cost of recovery.
Increased cost of retrospectively securing systems.
Loss of information.
Loss of trade secrets.
Damage to reputation.
Legal and regulatory noncompliance.
Failure to meet contractual commitments.
CAUSAL FACTORS FOR INTERNET ATTACKS:
Availability of tools and techniques on the Internet.
Lack of security awareness and training.
Exploitation of security vulnerabilities.
Inadequate security over firewalls.
FIREWALL:
Every time a corporation connects its internal computer network to the Internet, it faces
potential danger. Because of the Internet's openness, every corporate network connected to it
is vulnerable to attack. Hackers on the Internet could theoretically break into the corporate
network and do harm in a number of ways: steal or damage important data, damage individual
computers, etc.
Firewalls are hardware and software combinations that are built using routers, servers and a
variety of software. They should sit in the most vulnerable point between a corporate network
and the Internet and they can be as simple or complex as a corporate information security
policy demands.
WHY?
TYPES:
1) Router Packet Filtering:
A screening router examines the header of every packet of data traveling between the
Internet and the corporate network. Packet headers have information in them, including
the IP address of the sender and receiver, and the authorized port numbers (application or
service) allowed to use the information transmitted.
Advantages: Simple.
Disadvantages: Vulnerable to attack due to direct exchange of packets.
2) Application Firewall Systems:
There are two types. They are referred to as Application or circuit level firewall systems
and provide greater protection capabilities than packet filtering routers. These firewalls
allow information to flow between systems but do not allow the direct exchange of
packets.
Advantages: Provides security for commonly used protocols and hides the internal network from
the outside untrusted network.
Disadvantages: Poor performance as usage increases.
3) Stateful Inspection Firewalls:
It keeps track of the destination IP address of each packet that leaves the organization's
internal network.
Advantages: Efficient.
Disadvantages: Complex to administer.
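The difference between the first and the third type, as an added example that is not from the original notes (the addresses, ports and rules are constructed): a stateless screening router judges each header on its own, so it has no way to tell a legitimate reply to an outbound connection from an unsolicited inbound packet unless inbound high ports are opened wholesale, whereas stateful inspection remembers each connection that leaves the internal network and admits only the matching replies:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """The header fields a screening router examines (constructed; IPv4/TCP only)."""
    src: str
    sport: int
    dst: str
    dport: int


INTERNAL = ip_network("10.0.0.0/8")        # hypothetical corporate network

# Screening rules, first match wins: (action, source net, destination net, dest port or any)
RULES = [
    ("allow", "10.0.0.0/8", "0.0.0.0/0", 443),     # staff may reach external HTTPS
    ("allow", "0.0.0.0/0", "10.0.0.25/32", 25),    # anyone may deliver mail to the relay
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),      # default deny
]


def packet_filter(pkt: Packet) -> str:
    """Type 1, stateless screening: each packet is judged only by its own header."""
    for action, src_net, dst_net, dport in RULES:
        if (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)
                and (dport is None or pkt.dport == dport)):
            return action
    return "deny"


class StatefulFirewall:
    """Type 3, stateful inspection: remembers every connection that leaves the
    internal network so that only replies to those connections are let back in."""

    def __init__(self):
        self.table = set()   # (internal ip, internal port, external ip, external port)

    def inspect(self, pkt: Packet) -> str:
        if ip_address(pkt.src) not in INTERNAL:
            # Inbound packet: is it a reply to a tracked outbound connection?
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
                return "allow"
            return packet_filter(pkt)           # otherwise the static rules decide
        verdict = packet_filter(pkt)            # outbound: record allowed connections
        if verdict == "allow":
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


if __name__ == "__main__":
    outbound = Packet("10.0.0.7", 51000, "203.0.113.9", 443)
    reply = Packet("203.0.113.9", 443, "10.0.0.7", 51000)
    forged = Packet("198.51.100.4", 443, "10.0.0.7", 51000)
    fw = StatefulFirewall()
    for p in (outbound, reply, forged):
        print(f"stateless={packet_filter(p):5}  stateful={fw.inspect(p):5}  {p}")
```

The stateless filter denies the genuine reply, so in practice such a router would need an extra rule admitting inbound packets from port 443 to any internal high port, which is precisely the "direct exchange of packets" exposure the notes list as its disadvantage; the stateful table admits the reply and still rejects the forged packet that carries the same ports.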
FIREWALL ISSUES:
Problems faced by organizations that have implemented firewalls are:
A false sense of security exists where management feels that no further security checks and
controls are needed on the internal network.
The circumvention of firewalls through the use of modems connecting users directly to
Internet service providers.
Misconfigured firewalls allowing unknown and dangerous services to pass through freely.
The misunderstanding of what constitutes a firewall.
Monitoring activities do not occur on a regular basis.
Firewall policies are not regularly maintained.
INTRUSION DETECTION:
An intrusion detection system works in conjunction with routers and firewalls by monitoring
network usage anomalies. It protects the company's IS from both internal and external misuse. It
notifies the administrator when it detects a perceived threat.
CATEGORIES:
There are two broad categories of IDS:
a) Network-based IDS:
They identify attacks within the monitored network and issue warnings to operator.
COMPONENTS:
TYPES:
a) Signature-based:
Detect intrusions based on stored signatures.
b) Statistical based:
Detects intrusions based on expected behavior.
c) Neural based:
Monitors general patterns of network activity with added learning capability.
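Signature-based and statistical detection applied to constructed log lines, as an added example that is not from the original notes (the syslog-style sample lines and the two signatures are invented for illustration; neural-based detection is not shown). The signature detector matches stored patterns, while the statistical detector learns the expected failed-login rate per source from a quiet baseline window and flags sources in the live window that deviate from it:

```python
import re
import statistics
from collections import Counter

# Constructed, syslog-style sample lines (not from any real system): a quiet
# baseline window and a live window that contains an intrusion attempt.
BASELINE_LOG = [
    "2024-03-01T09:00:01 sshd[201]: Failed password for alice from 10.0.0.11 port 50001",
    "2024-03-01T09:05:14 sshd[202]: Failed password for bob from 10.0.0.12 port 50002",
    "2024-03-01T09:07:55 sshd[203]: Failed password for bob from 10.0.0.12 port 50003",
    "2024-03-01T09:20:03 sshd[204]: Failed password for carol from 10.0.0.13 port 50004",
]
LIVE_LOG = [
    f"2024-03-02T02:10:{i:02d} sshd[3{i:02d}]: Failed password for root from 203.0.113.5 port 4{i:04d}"
    for i in range(6)
] + [
    "2024-03-02T02:11:30 sshd[310]: Failed password for alice from 10.0.0.11 port 50010",
    "2024-03-02T02:12:01 httpd[400]: 198.51.100.9 GET /cgi-bin/../../etc/passwd 404",
    "2024-03-02T02:12:05 httpd[401]: 10.0.0.14 GET /index.html 200",
]

FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")

# a) Signature-based: stored patterns of known misuse (hypothetical signatures).
SIGNATURES = {
    "path-traversal": re.compile(r"GET \S*\.\./"),
    "root-login-attempt": re.compile(r"Failed password for root"),
}


def signature_alerts(lines):
    """Return (signature name, offending line) for every stored signature that matches."""
    return [(name, line) for line in lines
            for name, sig in SIGNATURES.items() if sig.search(line)]


def failures_per_source(lines):
    """Count failed logins per source IP address."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def statistical_alerts(baseline, live, k=3):
    """b) Statistical: learn the expected failed-login rate per source from the
    baseline, then flag live sources that exceed mean + k * standard deviation."""
    counts = list(failures_per_source(baseline).values())
    threshold = statistics.mean(counts) + k * statistics.pstdev(counts)
    return {src: n for src, n in failures_per_source(live).items() if n > threshold}


if __name__ == "__main__":
    for name, line in signature_alerts(LIVE_LOG):
        print(f"SIGNATURE {name}: {line}")
    print("STATISTICAL:", statistical_alerts(BASELINE_LOG, LIVE_LOG))
```

The two detectors complement each other: the signature detector fires on each matching line even if it occurs once, and misses anything without a stored pattern; the statistical detector needs no pattern but only reacts once a source's behaviour departs from the learned baseline, so a single failed login from a known source produces no alert.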
ENCRYPTION:
Encryption is a method of converting a plaintext message into a ciphertext message which
cannot be understood without converting it back (decryption). The process is performed through a
mathematical function and a special password called a KEY.
WHY?
Encryption is performed to
Protect unauthorized access of important data.
Detect accidental or intentional modification of data.
Verify authenticity of a transaction or document.
ELEMENTS:
There are three elements of an encryption system:
1) Algorithm: a mathematical function.
2) Keys: a unique piece of information to be used in the process, similar to a password.
3) Key length: a predetermined length for the key.
CRYPTOGRAPHIC SYSTEMS:
There are two cryptographic systems:
a) Private key cryptographic systems:
They are based on symmetric encryption algorithms which use a secret (private) key to
encrypt the plaintext to the ciphertext. They also use the same key to decrypt the
ciphertext to the corresponding plaintext. DES (Data Encryption Standard) is a private
cryptographic system.
b) Public key cryptographic systems:
They are based on an asymmetric encryption process, two keys work together as a pair.
One key is used to encrypt data; the other is used to decrypt data. Either key can be used
to encrypt or decrypt, but once the key has been used to encrypt data, only its partner can
be used to decrypt the data.
QUANTUM CRYPTOGRAPHY:
It is the next generation of cryptography that will solve existing problems associated with
current cryptographic systems. Proven in laboratory research as a commercially viable
technology, quantum cryptography taps the natural uncertainty of the quantum world (using the
interaction of light pulses as a way of transmitting keys and secure information).
DIGITAL SIGNATURES:
A digital signature is an electronic identification of a person or entity, created using a public
key algorithm and intended to verify to a recipient the integrity of the data and the identity of
the sender. To verify the integrity of the data, a cryptographic hashing algorithm is computed over
the entire message, which generates a small fixed-length string, usually about 128 bytes in length.
This process, also referred to as a digital signature algorithm, creates a message digest (i.e., a
smaller extrapolated version of the original message).
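The two cryptographic systems and the digital signature process above, worked through as one added example (it is not from the original notes). The symmetric part uses a toy keystream cipher written for this illustration, not DES or any vetted algorithm, and exists only to show that one secret key both encrypts and decrypts; the asymmetric part is textbook RSA with deliberately tiny primes (real keys are thousands of bits) so the pairing of the two keys is visible; the signature is formed by hashing the whole message to a fixed-size digest and applying the private key to the digest, so that anyone with the public key can check both integrity and origin:

```python
import hashlib
import secrets


# ---- a) Private (symmetric) key system ------------------------------------
# Toy keystream cipher for illustration only: NOT DES/AES, never use for real data.
def _keystream(key: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:                      # algorithm: hash(key || counter)
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with a key-derived keystream. Applying it twice with the
    same secret key restores the plaintext; a different key yields garbage."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# ---- b) Public (asymmetric) key system ------------------------------------
def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes; returns (public key, private key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                           # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, m: int) -> int:
    """Either key can be applied to a value; only its partner undoes the operation."""
    exponent, n = key
    return pow(m, exponent, n)


# ---- Digital signature ----------------------------------------------------
def message_digest(message: bytes, n: int) -> int:
    """Fixed-size digest of the whole message, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Signer: private key applied to the digest, not to the message itself."""
    return rsa_apply(private_key, message_digest(message, private_key[1]))


def verify(public_key, message: bytes, signature: int) -> bool:
    """Recipient: public key recovers the digest; recompute and compare."""
    return rsa_apply(public_key, signature) == message_digest(message, public_key[1])


if __name__ == "__main__":
    key = secrets.token_bytes(16)                 # key length: 128 bits
    ciphertext = symmetric_crypt(key, b"wire transfer approved")
    print(symmetric_crypt(key, ciphertext))       # same key restores the plaintext
    public, private = rsa_keypair(10007, 10009)   # toy primes, illustration only
    sig = sign(private, b"Pay 100 to Alice")
    print(verify(public, b"Pay 100 to Alice", sig))   # True: intact and from the key holder
    print(verify(public, b"Pay 900 to Alice", sig))   # False: one changed byte alters the digest
```

Note that the signature covers the digest rather than the message, which is why the message itself is sent in the clear alongside it: the signature proves who produced it and that it has not changed, but confidentiality, if needed, comes from separate encryption.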
POINTS OF PRESENCE:
When auditing an organization's presence on the Internet, the IS auditor should review the use of
the Internet in the following areas:
a) Email.
b) Marketing.
c) ECommerce.
d) Delivery channels.
e) Information gathering.
NETWORK PENETRATION TESTS: (Simulation of real hacking attack)
These are effective methods of determining real-time risks in an information processing
environment. The IS auditor attempts to circumvent the security features of a system and exploits
vulnerabilities to gain access that would otherwise be unauthorized.
These tests try to imitate a real hacking situation. Formal top-management approval is
required.
TYPES:
There are five types of penetration tests:
RISKS:
Doesn't ensure discovery of all vulnerabilities.
Miscommunication.
Disclosure of sensitive information.
Potential of damaging information assets by inexperienced testers.
FULL NETWORK ASSESSMENT REVIEWS:
After penetration testing, a full review of network vulnerabilities is done, which includes:
Security policy and procedures.
Network and firewall configuration.
Logical access controls.
Encryption.
Firewall.
Virus scanning.
Audit logging.
NETWORK CHANGES:
Controls to prevent unauthorized changes are:
Segregation of duties.
Restricting access to development environments.
Restricting source code access.
COMPUTER FORENSICS:
It is the process of identifying, preserving, analysing, and presenting audit evidence in a
manner that is legally acceptable in any legal proceedings.
Smoke detectors.
Fireproof environment.
UPS.
Eating/drinking prohibition.
Water detectors.
Manual fire alarms.
Fire suppression systems.
Inspection.
Electrical surge detectors.
Emergency power-switch off.
Documented evacuation procedures.
AND CONTROLS
CONTROLS:
Bolting door locks.
Biometric door locks.
Identification badges.
Controlled visitor access.
Alarm system.
AUDITING:
Touring the IPF (computer room, programmers' area, tape library, printer stations, and
management offices) is useful in understanding the overall installation.
Documents to assist:
Emergency evacuation procedures.
Inspection tags.
Fire suppression system test results.
Key lock logs.
Areas:
All operator consoles.
Printer rooms.
Computer storage rooms.
UPS/generator.
Communication equipment.
Tape library.
Offsite backup storage.