Chapter 5 - IS Control For System Reliability1
System Reliability
Chapter 5
Learning Objectives
INTRODUCTION
• The Trust Services framework
developed by the AICPA and
the Canadian Institute of
Chartered Accountants
systems reliability:
▫ Security
▫ Confidentiality
▫ Online privacy
▫ Processing integrity
▫ Availability
[Figure: systems reliability diagram; labels: Systems Reliability, Processing Integrity, Availability, Privacy, Security]
Trust Services Framework
• Security
▫ Access to the system and data is controlled and
restricted to legitimate users.
• Confidentiality
▫ Sensitive organizational data is protected.
• Privacy
▫ Personal information about trading partners,
investors, and employees is protected.
• Processing integrity
▫ Data are processed accurately, completely, in a timely
manner, and only with proper authorization.
• Availability
▫ System and information are available.
1. FUNDAMENTAL INFORMATION SECURITY CONCEPTS
• Fundamental information security
concepts that will be discussed in this
chapter:
▫ Security as a management issue, not a
technology issue.
▫ Defense in depth
▫ The time-based model of security.
Security Life Cycle
Security is a management issue
Security Approaches
• Defense-in-depth
▫ Multiple layers of control (preventive and
detective) to avoid a single point of failure
• Time-based model: security is effective if
▫ P > D + C, where
P is the time it takes an attacker to break through
preventive controls
D is the time it takes to detect that an attack is in progress
C is the time it takes to respond to the attack and take
corrective action
Understanding Targeted Attacks
• Conduct reconnaissance.
• Attempt social engineering.
• Scan and map the target.
• Research.
• Execute the attack.
• Cover tracks.
DEFENSE IN DEPTH
• The idea of defense-in-depth is to employ
multiple layers of controls to avoid having a
single point of failure.
• If one layer fails, another may function as
planned.
• Computer security involves using a combination
of firewalls, passwords, and other preventive
procedures to restrict access.
• Redundancy also applies to detective and
corrective controls.
TIME-BASED MODEL OF SECURITY
• The time-based model evaluates the
effectiveness of an organization’s security by
measuring and comparing the relationship
among three variables:
▫ P = Time it takes an attacker to break through the
organization’s preventive controls
▫ D = Time it takes to detect that an attack is in progress
▫ C = Time to respond to the attack
• These three variables are evaluated as follows:
▫ If P > (D + C), then security procedures are effective.
▫ Otherwise, security is ineffective.
• EXAMPLE: For an additional expenditure of
$25,000, the company could take one of four
measures:
▫ Measure 1 would increase P by 5 minutes.
▫ Measure 2 would decrease D by 3 minutes.
▫ Measure 3 would decrease C by 5 minutes.
▫ Measure 4 would increase P by 3 minutes and reduce
C by 3 minutes.
• Since each measure has the same cost, which do
you think would be the most cost-effective
choice? (Hint: Your goal is to have P exceed (D
+ C) by the maximum possible amount.)
• You may be able to solve this problem by eyeballing it. If not, one
way to solve it is to assume some initial values for P, D, and C.
• So let’s assume that P = 15 min., D = 5 min., and C = 8 min.
• At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min.
• With Measure 1, P is increased by 5 minutes:
▫ 20 – (5 + 8) = 7 min.
• With Measure 2, D is decreased by 3 minutes:
▫ 15 – (2 + 8) = 5 min.
• With Measure 3, C is decreased by 5 min.
▫ 15 – (5 + 3) = 7 min.
• With Measure 4, P is increased by 3 minutes and C is reduced by
3 min.
▫ 18 – (5 + 5) = 8 min.
2. Steps in an IS System Attack
[Figure: attack steps diagram; labels: Conduct Reconnaissance, Attempt Social Engineering, Research, Cover Tracks]
How to Mitigate Risk of Attack
Preventive: 1. People
Preventive: 2. Process
Example of an Access Control Matrix
(Authorization)
Preventive: 3. IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption
Preventive: 4-5. Other
DETECTIVE CONTROLS
• Preventive controls are never 100% effective in
blocking all attacks.
• Actual system use must be examined to assess
compliance through:
1. Log analysis
2. Intrusion detection systems
3. Penetration testing
4. Continuous monitoring
1. Log Analysis
▫ Most systems come with extensive
capabilities for logging who accesses the
system and what specific actions each user
performed.
▫ Logs form an audit trail of system access.
▫ Logs are of value only if routinely
examined.
▫ Log analysis is the process of
examining logs to monitor security.
2. Intrusion Detection Systems
• An IDS creates a log of network traffic that was
permitted to pass the firewall.
▫ Analyzes the logs for signs of attempted or
successful intrusions.
▫ Most common analysis is to compare logs to a
database containing patterns of traffic associated
with known attacks.
▫ An alternative technique builds a model
representing “normal” network traffic and uses
various statistical techniques to identify unusual
behavior.
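Added example (not from the original slides): the two IDS analysis techniques described above, run over a constructed sample of traffic that passed the firewall. The signature set, baseline counts, threshold and addresses are assumptions made up for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: (minute, source address, request) for traffic the firewall permitted.
TRAFFIC = [
    (0, "192.0.2.5", "GET /index.html"),
    (0, "192.0.2.5", "GET /reports/q1.pdf"),
    (0, "192.0.2.9", "GET /files?name=../../etc/passwd"),
] + [(1, "198.51.100.7", "POST /login")] * 12

# Constructed stand-in for the database of known-attack traffic patterns.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"union\s+select", re.IGNORECASE),
}

# Constructed model of "normal": requests per source per minute seen in a quiet period.
BASELINE = [2, 3, 2, 4, 3, 2, 3, 3]


def signature_alerts(records):
    """Technique 1: compare each logged request to the known-attack patterns."""
    return [(src, name)
            for _, src, request in records
            for name, pattern in SIGNATURES.items()
            if pattern.search(request)]


def anomaly_alerts(baseline, records, threshold=3.0):
    """Technique 2: flag sources whose per-minute volume is a statistical outlier."""
    mu, sigma = mean(baseline), pstdev(baseline)
    per_minute = Counter((minute, src) for minute, src, _ in records)
    return sorted({src for (_, src), n in per_minute.items()
                   if sigma > 0 and (n - mu) / sigma > threshold})


if __name__ == "__main__":
    print("signature:", signature_alerts(TRAFFIC))
    print("anomaly:  ", anomaly_alerts(BASELINE, TRAFFIC))
```

Each technique catches what the other misses here: the single known-pattern request is invisible to the volume model, and the burst of ordinary-looking login requests matches no signature.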
3. Penetration test: an authorized attempt by
either an internal audit team or an external
security consulting firm to break into the
organization's information system.
Corrective
Key Terms
• Defense-in-depth
• Time-based model of security
• Authentication
• Authorization
• Access control matrix
• Hardening
• Change control and change
management
• Log analysis
• Intrusion detection system
(IDS)
• Penetration test
• Computer incident response
team (CIRT)
• Patch management