
CH8.

Controls for Information Security


After studying this chapter, you should be able to:
1. Explain how security and the other four principles in the Trust
Services Framework affect systems reliability.
2. Explain two fundamental concepts: why information security is a
management issue, and the time-based model of information security.
3. Discuss the steps criminals follow to execute a targeted attack
against an organization's information system.
4. Describe the preventive, detective, and corrective controls that
can be used to protect an organization's information.
5. Describe the controls that can be used to detect in a timely manner
that an organization's information system is under attack.
6. Discuss how organizations can respond in a timely manner to attacks
against their information systems.
7. Explain how virtualization, cloud computing, and the Internet of
Things affect information security.
1. The 5 principles of IT-related controls that jointly contribute to
systems reliability:
1. Security—access (both physical and logical) to the system and its
data is controlled and restricted to legitimate users.
2. Confidentiality—sensitive organizational information (e.g., marketing plans,
trade secrets) is protected from unauthorized disclosure.
3. Privacy—personal information about customers, employees, suppliers, or
business partners is collected, used, disclosed, and maintained
only in compliance with internal policies and external regulatory
requirements and is protected from unauthorized disclosure.
4. Processing Integrity—data are processed accurately, completely,
in a timely manner, and only with proper authorization.
5. Availability—the system and its information are available to meet
operational and contractual obligations.
Relationships among the 5 Trust Services Principles for Systems Reliability

[Figure: the five Trust Services principles, with security shown as the foundation of the other four]

From the figure we can understand how security is the base for the
other key principles.
2. Two Fundamental Information Security Concepts
1. Security is a management issue, not just a technology issue.
Although effective information security requires the deployment of
technological tools such as firewalls, antivirus software, and
encryption, senior management involvement and support
throughout all phases of the security life cycle is important.
2. The time-based model of information security: the goal of the
time-based model is to employ a combination of
preventive, detective, and corrective controls to protect
information assets long enough for an organization to detect that an
attack is occurring and to take timely steps to thwart the attack
before any information is lost or compromised.
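To make the model concrete, here is an added Python example (not from the chapter) that writes the time-based model as the inequality P > D + C, the form in which it is usually stated: P is the time the preventive controls hold an attacker off, D the time needed to detect the attack, and C the time needed to respond. All control names and timings in it are constructed.

```python
# Added example: the time-based model as P > D + C. Every control name and
# timing below (minutes) is a constructed figure for illustration.
from typing import Dict, Tuple


def model_times(preventive: Dict[str, float], detective: Dict[str, float],
                corrective: Dict[str, float]) -> Tuple[float, float, float]:
    """Combine individual control timings into P, D and C.

    Preventive controls are layered, so an attacker must defeat them one
    after another: P is their sum. Detective controls run in parallel, so
    D is the fastest one. Corrective steps run in sequence: C is their sum.
    """
    p = sum(preventive.values())
    d = min(detective.values()) if detective else float("inf")
    c = sum(corrective.values())
    return p, d, c


def margin(preventive, detective, corrective) -> float:
    """P - (D + C): minutes of slack; negative means the model fails."""
    p, d, c = model_times(preventive, detective, corrective)
    return p - (d + c)


def is_secure(preventive, detective, corrective) -> bool:
    """True when P > D + C: the attack is detected and stopped before the
    preventive controls are exhausted, so nothing is lost or compromised."""
    return margin(preventive, detective, corrective) > 0


# Constructed scenario: solid prevention, but the only detective control is
# a weekly review of the logs, so D is a week no matter how strong P is.
PREVENT = {"firewall": 30.0, "multi-factor login": 120.0}
DETECT_WEEKLY_REVIEW = {"weekly log review": 7 * 24 * 60.0}
CORRECT = {"find who to contact": 30.0, "isolate the host": 15.0}
# Adding a real-time detective control lowers D to minutes and the model holds.
DETECT_WITH_IDS = dict(DETECT_WEEKLY_REVIEW, **{"intrusion detection system": 5.0})

if __name__ == "__main__":
    print("weekly log review only:", is_secure(PREVENT, DETECT_WEEKLY_REVIEW, CORRECT))
    print("with IDS:", is_secure(PREVENT, DETECT_WITH_IDS, CORRECT),
          "margin", margin(PREVENT, DETECT_WITH_IDS, CORRECT))
```

The point the scenario makes is that strengthening P cannot rescue a model whose D is measured in days; the cheapest fix is usually a faster detective control.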

3. Understanding Targeted Attacks
Attacks can be targeted or untargeted. This section is about targeted attacks.
The basic steps criminals use to attack an organization's information system are:
• Conduct reconnaissance: learn as much as possible about the target and
identify potential vulnerabilities.
• Attempt social engineering.
• Scan and map the target: the attacker uses a variety of automated tools to
identify computers that can be remotely accessed and the types of software
they are running.
• Research: once the attacker has identified targets and knows what versions of
software are running on them, the next step is to research known
vulnerabilities in those programs and learn how to take advantage of them.
• Execute the attack.
• Cover tracks.
– But what preventive, detective, and corrective controls can be applied
against each of these steps?
• Now that we have a basic understanding of how
criminals attack an organization's information system, we can proceed to
discuss methods for mitigating the risk that such
attacks, as well as random threats such as viruses
and worms, will be successful.

4. Protecting Information Resources
[Figure: Example of Access Control Matrix]
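As an added example (not the chapter's figure), here is how an application checks a request against such a matrix and how the matrix itself can be reviewed; the users, resources and rights are constructed, and a missing cell is treated as no access.

```python
# Added example: an access control matrix (rows = users, columns = resources,
# cells = rights) and the checks performed against it. All entries constructed.
from typing import Dict, FrozenSet, List, Tuple

Matrix = Dict[str, Dict[str, FrozenSet[str]]]

# A missing cell means no access: the matrix is read with default deny.
ACCESS_MATRIX: Matrix = {
    "payroll_supervisor": {
        "payroll_master": frozenset({"read", "update", "create", "delete"}),
        "employee_directory": frozenset({"read"}),
    },
    "salesperson": {
        "customer_orders": frozenset({"read", "update", "create"}),
        "employee_directory": frozenset({"read"}),
    },
    "it_manager": {
        "server_config": frozenset({"read", "update"}),
    },
}


def is_authorized(matrix: Matrix, user: str, resource: str, right: str) -> bool:
    """Look up the (user, resource) cell; deny unless the right is listed."""
    return right in matrix.get(user, {}).get(resource, frozenset())


def authorize(matrix: Matrix, user: str, resource: str, right: str) -> Tuple[bool, str]:
    """Decide a request and return the audit-trail line to record either way,
    so that denied attempts (a salesperson probing payroll, say) remain
    visible to later log analysis."""
    ok = is_authorized(matrix, user, resource, right)
    return ok, f"{'ALLOW' if ok else 'DENY'} user={user} resource={resource} right={right}"


def privileged_entries(matrix: Matrix) -> List[Tuple[str, str]]:
    """(user, resource) pairs holding create or delete rights: the cells a
    periodic review of the matrix should confirm are still needed."""
    return sorted(
        (user, resource)
        for user, row in matrix.items()
        for resource, rights in row.items()
        if rights & {"create", "delete"}
    )
```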
LOG ANALYSIS

• Most systems come with extensive capabilities for logging who accesses
the system and what specific actions each user performed. These logs
form an audit trail of system access. Like any other audit trail, logs
are of value only if they are routinely examined.
• Log analysis is the process of examining logs to identify evidence of
possible attacks.

[Figure: Example of log report]
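An added Python example (not from the chapter) of log analysis over a constructed authentication log: it flags a burst of failed logins against one account (the password guessing of threat b in the exercises later in the chapter) and one account active from two sources at once (the stolen credentials of threat c, where the real user was still logged in at headquarters). The log format and every log line are constructed.

```python
# Added example: two log-analysis checks over constructed authentication log lines.
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG = """\
2024-03-04T09:00:01 user=jsmith src=10.0.5.21 event=LOGIN_OK
2024-03-04T09:01:10 user=psuper src=10.0.7.9 event=LOGIN_FAILED
2024-03-04T09:01:25 user=psuper src=10.0.7.9 event=LOGIN_FAILED
2024-03-04T09:01:41 user=psuper src=10.0.7.9 event=LOGIN_FAILED
2024-03-04T09:02:30 user=psuper src=10.0.7.9 event=LOGIN_OK
2024-03-04T09:15:00 user=itmgr src=10.0.2.14 event=LOGIN_OK
2024-03-04T09:20:00 user=itmgr src=203.0.113.77 event=LOGIN_OK
2024-03-04T10:00:00 user=jsmith src=10.0.5.21 event=LOGOUT
""".splitlines()


def parse(line):
    # "<iso timestamp> key=value key=value ..." -> dict, timestamp under "ts"
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Accounts with >= threshold LOGIN_FAILED events inside a sliding
    window: the signature of password guessing."""
    recent, flagged = defaultdict(deque), []
    for rec in map(parse, lines):
        if rec["event"] != "LOGIN_FAILED":
            continue
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold and rec["user"] not in flagged:
            flagged.append(rec["user"])
    return flagged


def concurrent_sessions(lines):
    """(user, first_src, second_src) when an account logs in from a second
    source before logging out of the first: the credentials are in use twice."""
    active, findings = {}, []
    for rec in map(parse, lines):
        user = rec["user"]
        if rec["event"] == "LOGIN_OK":
            if user in active and active[user] != rec["src"]:
                findings.append((user, active[user], rec["src"]))
            active[user] = rec["src"]
        elif rec["event"] == "LOGOUT":
            active.pop(user, None)
    return findings
```

Note that the guessing attempt against `psuper` ends in a successful login, so the alert on the preceding failures is what tells the reviewer the success itself is suspect.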
Exercise
• Explain why an organization would want to use all of the following
information security controls: firewalls, intrusion prevention systems,
intrusion detection systems, and a CIRT (computer incident response team).
• What are the advantages and disadvantages of having the person responsible
for information security report directly to the chief information officer (CIO),
who has overall responsibility for all aspects of the organization's information
systems?
• What are the limitations, if any, of relying on the results of
penetration tests to assess the overall level of security?
• Security awareness training is necessary to teach employees
“safe computing” practices. The key to effectiveness, however,
is that it changes employee behavior. How can organizations
maximize the effectiveness of their security awareness training
programs?
Read the article “Security Controls that Work” by Dwayne Melancon in
the Information Systems Control Journal, 2007, volume 4 (available at
http://www.isaca.org/Journal/Past-Issues/2007/Volume-4/Pages/Security-Controls-That-Work1.aspx).
Write a report that answers the following questions:
1. What are the differences between high-performing organizations
and medium- and low-performing organizations in terms of normal
operating performance? Detection of security breaches? Percentage
of budget devoted to IT?
2. Which controls were used by almost all high-performing
organizations, but were not used by any low- or medium-performers?
3. What three things do high-performing organizations never do?
4. What metrics can an IT auditor use to assess how an organization is
performing in terms of change controls and change management?
Why are those metrics particularly useful?
Research reports of two security breaches: one that
occurred in 2014 or later and one that occurred prior to
2010. Write a report that describes the following:
a. How each breach happened
b. How each breach was discovered
c. How long it took to discover each breach
d. The consequences of each breach to the affected organization
(e.g., effect on stock price, sales, fines, etc.)
e. Discuss any notable similarities or differences between
the two breaches
Which preventive, detective, and/or corrective controls would best mitigate the following
threats?
a. An employee’s laptop was stolen at the airport. The laptop contained personal
information about the company’s customers that could potentially be used to commit
identity theft.
b. A salesperson successfully logged into the payroll system by guessing the payroll
supervisor’s password.
c. A criminal remotely accessed a sensitive database using the authentication credentials
(user ID and strong password) of an IT manager. At the time the attack occurred, the IT
manager was logged into the system at his workstation at company headquarters.
d. An employee received an e-mail purporting to be from her boss informing her of an
important new attendance policy. When she clicked on a link embedded in the e-mail
to view the new policy, she infected her laptop with a keystroke logger.
e. A company’s programming staff wrote custom code for the shopping cart feature on its
website. The code contained a buffer overflow vulnerability that could be exploited
when the customer typed in the ship-to address.
f. A company purchased the leading “off-the-shelf” e-commerce software for linking its
electronic storefront to its inventory database. A customer discovered a way to
directly access the back-end database by entering appropriate SQL code.
g. Attackers broke into the company’s information system through a wireless access
point located in one of its retail stores. The wireless access point had been purchased
and installed by the store manager without informing central IT or security.
h. An employee picked up a USB drive in the parking lot and plugged it into his laptop to
“see what was on it.” As a result, a keystroke logger was installed on that laptop.
i. Once an attack on the company’s website was discovered, it took more than 30
minutes to determine who to contact to initiate response actions.
j. To facilitate working from home, an employee installed a modem on his office
workstation. An attacker successfully penetrated the company’s system by dialing into
that modem.
k. An attacker gained access to the company’s internal network by installing a wireless
access point in a wiring closet located next to the elevators on the fourth floor of a
high-rise office building that the company shared with seven other companies.

Secure configuration of endpoints includes properly configuring your browser and
your smart phone. Visit the Center for Internet Security’s website
(www.cisecurity.org). Navigate to the “Configuration Benchmarks” and download
the benchmark for either your favorite browser or your smart phone. Adjust the
settings for java, javascript, and plugins to the recommended settings. Then test
the properly configured device on the following tasks:
a. Access your university e-mail account
b. Access your personal e-mail account
c. Use your favorite search engine to find information about travel tours to Easter
Island
d. Attempt to book a flight
e. Play an online game (Sudoku, Kenken, etc.)

REQUIRED
• Write a brief report that explains the effects, if any, of the more secure device
configuration when you attempted each task.
