
Information Systems Control for System Reliability
Chapter 5
Part 1: Controls for Information Security

Learning Objectives

1.  Explain how information security affects information systems reliability.
2.  Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.
INTRODUCTION
•  The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability:
▫  Security
▫  Confidentiality
▫  Online privacy
▫  Processing integrity
▫  Availability
[Figure: the five Trust Services principles supporting SYSTEMS RELIABILITY, with SECURITY as the foundation]
Trust Services Framework
•  Security
▫  Access to the system and data is controlled and
restricted to legitimate users.
•  Confidentiality
▫  Sensitive organizational data is protected.
•  Privacy
▫  Personal information about trading partners, investors, and employees is protected.
•  Processing integrity
▫  Data are processed accurately, completely, in a timely
manner, and only with proper authorization.
•  Availability
▫  System and information are available.
1. FUNDAMENTAL INFORMATION SECURITY CONCEPTS
•  Fundamental information security concepts that will be discussed in this chapter:
▫  Security as a management issue, not a technology issue.
▫  Defense in depth
▫  The time-based model of security.
Security Life Cycle
Security is a management issue

Security Approaches
•  Defense-in-depth
▫  Multiple layers of control (preventive and
detective) to avoid a single point of failure
•  Time-based model: security is effective if
▫  P > D + C, where
–  P is the time it takes an attacker to break through preventive controls
–  D is the time it takes to detect that an attack is in progress
–  C is the time it takes to respond to the attack and take corrective action
Understanding Targeted Attacks

•  Conduct reconnaissance.
•  Attempt social engineering.
•  Scan and map the target.
•  Research.
•  Execute the attack.
•  Cover tracks.
DEFENSE IN DEPTH
•  The idea of defense-in-depth is to employ
multiple layers of controls to avoid having a
single point of failure.
•  If one layer fails, another may function as
planned.
•  Computer security involves using a combination
of firewalls, passwords, and other preventive
procedures to restrict access.
•  Redundancy also applies to detective and
corrective controls.
TIME-BASED MODEL OF SECURITY

•  The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.
•  All three types of controls are necessary:
▫  Preventive
▫  Detective
▫  Corrective
TIME-BASED MODEL OF SECURITY
•  The time-based model evaluates the
effectiveness of an organization’s security by
measuring and comparing the relationship
among three variables:
▫  P = Time it takes an attacker to break through the
organization’s preventive controls
▫  D = Time it takes to detect that an attack is in progress
▫  C = Time to respond to the attack
•  These three variables are evaluated as follows:
▫  If P > (D + C), then security procedures are effective.
▫  Otherwise, security is ineffective.
TIME-BASED MODEL OF SECURITY
•  EXAMPLE: For an additional expenditure of
$25,000, the company could take one of four
measures:
▫  Measure 1 would increase P by 5 minutes.
▫  Measure 2 would decrease D by 3 minutes.
▫  Measure 3 would decrease C by 5 minutes.
▫  Measure 4 would increase P by 3 minutes and reduce
C by 3 minutes.
•  Since each measure has the same cost, which do
you think would be the most cost-effective
choice? (Hint: Your goal is to have P exceed (D
+ C) by the maximum possible amount.)
TIME-BASED MODEL OF SECURITY
•  You may be able to solve this problem by eyeballing it. If not, one
way to solve it is to assume some initial values for P, D, and C.
•  So let’s assume that P = 15 min., D = 5 min., and C = 8 min.
•  At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min.
•  With Measure 1, P is increased by 5 minutes:
▫  20 – (5 + 8) = 7 min.
•  With Measure 2, D is decreased by 3 minutes:
▫  15 – (2 + 8) = 5 min.
•  With Measure 3, C is decreased by 5 min.
▫  15 – (5 + 3) = 7 min.
•  With Measure 4, P is increased by 3 minutes and C is reduced by
3 min.
▫  18 – (5 + 5) = 8 min.
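The comparison above, as an added worked example in Python that is not from the textbook: it evaluates the margin P - (D + C) for the assumed starting values and each of the four equal-cost measures, and picks the one that leaves the largest margin. The class and function names are my own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityPosture:
    """Time-based model variables, all in minutes."""
    p: float  # time for an attacker to break through preventive controls
    d: float  # time to detect that an attack is in progress
    c: float  # time to respond and take corrective action

    def margin(self) -> float:
        # Security is effective when P > D + C; the margin is P - (D + C).
        return self.p - (self.d + self.c)

    def is_effective(self) -> bool:
        return self.margin() > 0

@dataclass(frozen=True)
class Measure:
    """A candidate control investment expressed as changes to P, D and C."""
    name: str
    delta_p: float = 0.0  # positive = stronger preventive controls
    delta_d: float = 0.0  # negative = faster detection
    delta_c: float = 0.0  # negative = faster response

    def apply(self, s: SecurityPosture) -> SecurityPosture:
        return SecurityPosture(s.p + self.delta_p, s.d + self.delta_d, s.c + self.delta_c)

def evaluate_measures(baseline, measures):
    """Map each measure's name to the resulting margin P - (D + C)."""
    return {m.name: m.apply(baseline).margin() for m in measures}

def best_measure(baseline, measures):
    """With equal cost, the most cost-effective measure maximizes the margin."""
    results = evaluate_measures(baseline, measures)
    return max(results, key=results.get)

# The chapter's assumed starting point and its four equal-cost measures.
BASELINE = SecurityPosture(p=15, d=5, c=8)
MEASURES = [
    Measure("Measure 1", delta_p=5),
    Measure("Measure 2", delta_d=-3),
    Measure("Measure 3", delta_c=-5),
    Measure("Measure 4", delta_p=3, delta_c=-3),
]

if __name__ == "__main__":
    for name, margin in evaluate_measures(BASELINE, MEASURES).items():
        print(f"{name}: P - (D + C) = {margin:g} min")
    print("Best choice:", best_measure(BASELINE, MEASURES))
```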
2. Steps in an IS System Attack
1.  Conduct reconnaissance
2.  Attempt social engineering
3.  Scan and map the target
4.  Research
5.  Execute the attack
6.  Cover tracks
How to Mitigate Risk of Attack

Preventive Controls
1.  People
2.  Process
3.  IT solutions
4.  Physical security
5.  Change controls and change management

Detective Controls
1.  Log analysis
2.  Intrusion detection systems
3.  Penetration testing
4.  Continuous monitoring
Preventive: 1. People

•  Creation of a security-conscious culture
▫  Tone set at the top with management
•  Training
▫  Follow safe computing practices
–  Never open unsolicited e-mail attachments
–  Use only approved software
–  Do not share passwords
–  Physically protect laptops/cellphones
▫  Protect against social engineering
Preventive: 2. Process

•  Authentication: verifies the person
1.  Something the person knows: password, PIN
2.  Something the person has: smart cards
3.  Some biometric characteristic: fingerprints
4.  Combination of all three
•  Authorization: determines what a person can access
Example of an Access Control Matrix
(Authorization)
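Added example, not the chapter's own matrix: a constructed access control matrix in Python with the authentication step (something the person knows) placed in front of the authorization check, so the two controls stay separate. User names, resources, permission codes and passwords are all made up for illustration.

```python
import hashlib
import hmac
import os

# Permission levels for the access control matrix (a constructed convention):
# 0 = no access, 1 = read, 2 = read and change, 3 = full control (incl. delete).
NO_ACCESS, READ, CHANGE, FULL = 0, 1, 2, 3
REQUIRED = {"read": READ, "write": CHANGE, "delete": FULL}

# Rows are users, columns are resources, cells are the granted permission level.
# Constructed sample; not the matrix shown in the chapter.
ACCESS_CONTROL_MATRIX = {
    "alice": {"payroll_db": FULL,      "gl_ledger": READ,      "hr_records": NO_ACCESS},
    "bob":   {"payroll_db": NO_ACCESS, "gl_ledger": CHANGE,    "hr_records": READ},
    "carol": {"payroll_db": READ,      "gl_ledger": NO_ACCESS, "hr_records": FULL},
}

# Authentication store: salted PBKDF2 hashes of "something the person knows".
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_pw(password, salt)}

CREDENTIALS = {name: make_record(pw) for name, pw in
               [("alice", "alice-pw-1"), ("bob", "bob-pw-2"), ("carol", "carol-pw-3")]}

def authenticate(user: str, password: str) -> bool:
    """Verify who the person is; constant-time compare avoids timing leaks."""
    rec = CREDENTIALS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(_hash_pw(password, rec["salt"]), rec["hash"])

def is_authorized(user: str, resource: str, operation: str) -> bool:
    """Decide what an authenticated person may do; unknown user/resource = deny."""
    if operation not in REQUIRED:
        raise ValueError(f"unknown operation: {operation}")
    granted = ACCESS_CONTROL_MATRIX.get(user, {}).get(resource, NO_ACCESS)
    return granted >= REQUIRED[operation]

def request_access(user: str, password: str, resource: str, operation: str) -> str:
    """Full preventive check: authenticate first, then authorize."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not is_authorized(user, resource, operation):
        return f"denied: {user} lacks {operation} on {resource}"
    return "granted"
```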
Preventive: 3.IT Solutions

•  Antimalware controls
•  Network access controls
•  Device and software hardening controls
•  Encryption
Preventive: 4-5. Other

•  Physical security access controls
▫  Limit entry to building
▫  Restrict access to network and data
•  Change controls and change management
▫  The formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability
DETECTIVE CONTROLS
•  Preventive controls are never 100% effective in
blocking all attacks.
•  Actual system use must be examined to assess
compliance through:
1.  Log analysis
2.  Intrusion detection systems
3.  Penetration testing
4.  Continuous monitoring
DETECTIVE CONTROLS
1.  Log Analysis
▫  Most systems come with extensive
capabilities for logging who accesses the
system and what specific actions each user
performed.
–  Logs form an audit trail of system access.
–  Logs are of value only if routinely
examined.
–  Log analysis is the process of
examining logs to monitor security.
DETECTIVE CONTROLS
2.  Intrusion Detection Systems
•  An IDS creates a log of network traffic that was
permitted to pass the firewall.
▫  Analyzes the logs for signs of attempted or
successful intrusions.
▫  Most common analysis is to compare logs to a
database containing patterns of traffic associated
with known attacks.
▫  An alternative technique builds a model
representing “normal” network traffic and uses
various statistical techniques to identify unusual
behavior.
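Added illustration in Python, not code from the textbook, of the two IDS analysis techniques just described, run over constructed log lines of traffic the firewall permitted: a signature match against a small pattern database, and an anomaly check against a statistical model of "normal" traffic (distinct destination ports per source). The log lines, addresses and the single signature are all constructed.

```python
import re
import statistics
from collections import defaultdict

# Constructed log excerpts of firewall-permitted traffic: "ts src -> dst_port request".
NORMAL_LOG = """\
09:00:01 192.0.2.10 -> 443 GET /index.html
09:00:02 192.0.2.11 -> 443 GET /login
09:00:03 192.0.2.11 -> 25 SMTP
09:00:04 192.0.2.12 -> 443 GET /about
09:00:05 192.0.2.13 -> 443 GET /index.html
09:00:06 192.0.2.13 -> 993 IMAP
"""
SAMPLE_LOG = """\
10:00:01 192.0.2.10 -> 443 GET /index.html
10:00:02 192.0.2.15 -> 443 GET /files?name=../../config
10:00:03 198.51.100.7 -> 22 SSH
10:00:04 198.51.100.7 -> 25 SMTP
10:00:05 198.51.100.7 -> 80 GET /
10:00:06 198.51.100.7 -> 443 GET /
10:00:07 198.51.100.7 -> 3306 MySQL
10:00:08 192.0.2.11 -> 443 POST /login
garbage line that does not parse
"""
# Signature database: request patterns associated with known attacks (constructed, minimal).
SIGNATURES = {"directory traversal": re.compile(r"\.\./")}
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\d+) (.*)$")

def parse(log_text):
    """Return (src, port, request) tuples; malformed lines are skipped, not guessed."""
    return [m.groups()[1:] for m in map(LINE_RE.match, log_text.splitlines()) if m]

def signature_alerts(events):
    """Signature analysis: match each logged request against the known-attack patterns."""
    return [(src, name) for src, _, req in events
            for name, rx in SIGNATURES.items() if rx.search(req)]

def ports_per_source(events):
    seen = defaultdict(set)
    for src, port, _ in events:
        seen[src].add(port)
    return {src: len(ports) for src, ports in seen.items()}

def anomaly_alerts(normal_events, events, k=3.0):
    """Anomaly analysis: model 'normal' as distinct ports per source and flag
    sources more than k standard deviations above the baseline mean."""
    baseline = list(ports_per_source(normal_events).values())
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return [(src, n) for src, n in ports_per_source(events).items() if n > threshold]
```

With the baseline above the threshold is 3.0 distinct ports, so the source touching five ports is flagged by the anomaly model while the traversal probe is caught only by the signature match.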
DETECTIVE CONTROLS
3.  Penetration test: an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's information system.
4.  Continuous monitoring: the importance of continuously monitoring both employee compliance with the organization's information security policies and overall performance of business processes.
Corrective

•  Computer Incident Response Team (CIRT): A team that is responsible for dealing with major security incidents.
•  Chief Information Security Officer (CISO)
•  Patch management: The process of regularly applying patches and updates to software.
Key Terms
•  Defense-in-depth
•  Time-based model of security
•  Authentication
•  Authorization
•  Access control matrix
•  Hardening
•  Change control and change management
•  Log analysis
•  Intrusion detection system (IDS)
•  Penetration test
•  Computer incident response team (CIRT)
•  Patch management