Security
Access to the system and data is controlled and restricted to legitimate users.
Confidentiality
Sensitive organizational data is protected.
Privacy
Personal information about trading partners, investors, and employees is protected.
Processing integrity
Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability
System and information are available.
Security Life Cycle
1. Assess threats & select risk response; 2. Develop and communicate policy; 3. Acquire & implement solutions; 4. Monitor performance.
Time Based Model of Information Security
Goal: use preventive, detective, and corrective controls to protect systems and data long enough for an organization to detect and respond to an attack before systems and data are compromised.
Time-based model effectiveness
Security is effective if: P > D + R where P is the time it takes an attacker to break through Preventive controls, D is the time it takes to Detect an attack is in progress, and R is the time it takes to Respond to the attack and take corrective action.
Defense-in-depth
Employing multiple layers of controls to avoid a single point-of-failure.
Understanding targeted attacks
1. Conduct reconnaissance: learn about the target and its systems and security to identify vulnerabilities
2. Attempt social engineering: deceive employee to obtain access to systems
3. Scan and map the target: identify types of software used and identify computers that can be remotely accessed
4. Research: identify vulnerabilities for software in step 3
5. Execute the attack: obtain access to system
6. Cover tracks: remove evidence and create “back doors”
Preventive Controls
Includes people, process, IT solutions, and physical security.
Detective Controls
Includes log analysis, intrusion detection systems, and continuous monitoring.
Response
Includes a Computer Incident Response Team (CIRT) and a Chief Information Security Officer (CISO).
Preventive: People
First line of defense and most important component; includes a 'security-conscious' culture and training.
Training
Follow safe computing practices such as never opening unsolicited e-mail attachments, using only approved software, not sharing passwords, and physically protecting laptops/cellphones.
Authentication
Verifies the person/device attempting to access the system.
Authentication methods
1. Something the person knows (password, PIN)
2. Something the person has (tokens, smart cards, ID badges)
3. Some biometric characteristic (physical or behavioral)
4. Multiple (multifactor authentication, 2FA)
Authorization
Determines what a user can access, limiting access to systems/data necessary for the user's role.
Antimalware controls
Address threats such as viruses, worms, keystroke loggers, etc.
Network access controls
Perimeter defense mechanisms to protect networks.
Routers
Device that uses the Internet Protocol (IP) to send packets across networks
Firewalls
Device that provides perimeter security by filtering packets
Intrusion prevention systems (IPS)
Software or hardware that monitors patterns in traffic flow to identify and automatically block attacks.
Device and software hardening controls
Internal measures including endpoint configurations, user account management, and software design.
Encryption
The process of converting information or data into a code to prevent unauthorized access.
Physical security access controls
Limit entry to facilities through controlled areas, key card access for employees, logging of visitors, and alarms and cameras on exterior doors.
Log analysis
Examining logs to identify evidence of possible attacks.
Intrusion detection systems (IDSs)
Systems that create logs of network traffic permitted to pass the firewall and analyze those logs for signs of attempted or successful intrusions.
Continuous monitoring
Monitoring employee compliance with organizational information security policies and the overall performance of business processes.
Computer Incident Response Team (CIRT)
Set of employees assigned responsibility for resolving problems and incidents
Chief Information Security Officer (CISO)
An executive responsible for the information security of an organization.
Vulnerability
Flaw or weakness in a program
Exploit
Software code that can be used to take advantage of a flaw and compromise a system
Demilitarized zone (DMZ)
Subnetwork accessible from the Internet but separate from the organization’s internal network
Packet filtering
Firewall technique that filters traffic by examining only the information in packet headers to test the rules in an ACL
Honeypot
Device that has no real function, but merely serves as a decoy
Hardening
Improving security by removing or disabling unnecessary programs and features
Patch
Code that corrects a flaw in a program
Border router
Device that connects the organization to the Internet
Vulnerability scan
Detective control that identifies weaknesses in devices or software
Penetration test
Test that determines how long it takes to detect and respond to an attack
Patch management
Process of applying code supplied by a vendor to fix a problem in that vendor’s software