
CHAPTER 7 INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY PART 1: INFORMATION SECURITY

For a variety of reasons, management needs an assessment of the reliability of the accounting information system, for example, to comply with Sarbanes-Oxley (SOX) and to have information that is useful for decision making. As a result of your study of this chapter, you should be able to:
1. Explain how information security affects systems reliability.
2. Identify the four criteria that can be used to evaluate the effectiveness of an organization's information security.
3. Explain the time-based model of security and the concept of defense-in-depth.
4. Describe the various types of preventive, detective, and corrective controls used to provide information security.
5. Explain how encryption contributes to security and how the two basic types of encryption systems work.

Information produced by the AIS must be accurate, complete, and timely. Accessibility to that information is important. However, because that information is so valuable, it must be protected from loss, compromise, theft, or inappropriate use, and it must be reliable. Figure 5-1 on page 250 shows the five fundamental principles that contribute to the overall objective of systems reliability and the importance of information security as the foundation for information systems reliability:
1. Security. Security procedures restrict access to authorized users only.
2. Confidentiality. By restricting access, the confidentiality of sensitive organizational information is protected.
3. Privacy. Also by restricting access, the privacy of personal information collected from customers is protected.
4. Processing Integrity. Security procedures provide for processing integrity by preventing submission of unauthorized or fictitious transactions as well as preventing unauthorized changes to stored data or programs.
5. Availability. Security procedures provide protection against a variety of attacks, including viruses and worms, thereby ensuring that the system is available when needed.
The COBIT and Trust Service Frameworks

Figure 7-2 on Page 252 presents an overview of the Control Objectives for Information and related Technology (COBIT) framework. It shows that achieving the organization's business and governance objectives requires adequate controls over IT resources to ensure that information provided to management satisfies seven key criteria:
1. Effectiveness: the information must be relevant and timely.
2. Efficiency: the information must be produced in a cost-effective manner.
3. Confidentiality: sensitive information must be protected from unauthorized disclosure.
4. Integrity: the information must be accurate, complete, and valid.
5. Availability: the information must be available whenever needed.
6. Compliance: controls must ensure compliance with internal policies and with external legal and regulatory requirements.
7. Reliability: management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

Figure 7-2 shows 34 generic IT processes that must be properly managed and controlled in order to produce information that satisfies the seven criteria listed above. Those processes are grouped into four basic management activities, which COBIT refers to as domains:
1. Plan and Organize (PO). Figure 7-2 lists ten important processes for properly planning and organizing an organization's information systems.
2. Acquire and Implement (AI). Figure 7-2 lists seven fundamental processes that pertain to the acquisition and implementation of technology solutions.
3. Deliver and Support (DS). Figure 7-2 lists 13 critical processes for effectively and efficiently delivering the information management needs to run the organization.
4. Monitor and Evaluate (ME). Figure 7-2 lists four essential processes for monitoring and evaluating an organization's information system.

COBIT also specifies 210 detailed control objectives for these IT processes, specifies audit procedures for assessing the effectiveness of those controls, and suggests metrics that management can use to evaluate performance.
The Trust Services Framework, developed by the AICPA and the Canadian Institute of Chartered Accountants, addresses a subset of the issues covered by COBIT, focusing specifically on five aspects of information systems controls and governance that most directly pertain to systems reliability:
1. Security
2. Confidentiality
3. Privacy
4. Processing Integrity
5. Availability

Three Fundamental Information Security Concepts


1. Security Is a Management Issue, Not a Technology Issue

Section 302 of the Sarbanes-Oxley Act requires the CEO and the CFO to certify that the financial statements fairly present the results of the company's activities and requires them to certify that they have evaluated the effectiveness of the organization's internal controls. Security is a key component of internal control and systems reliability. Top management plays a critical role in information security. The Trust Services Framework identifies four essential criteria for successfully implementing each of the five principles that contribute to systems reliability:
(1) Developing and documenting policies
(2) Effectively communicating policies to all authorized users
(3) Designing and employing appropriate control procedures to implement policies
(4) Monitoring the system and taking corrective action to maintain compliance with policies

Policy Development
Management needs to develop a comprehensive set of security policies before designing and implementing specific control procedures. The development of those security policies begins by taking an inventory of information system resources: hardware, software, and databases. Once the organization's information systems resources have been identified, they need to be valued in order to select the most cost-effective control procedures.

Effective Communication of Policies
Security policies must be communicated to and understood by employees, customers, suppliers, and other authorized users. Regular reminders and training should be ongoing. Sanctions associated with violations should also be communicated.

The Design and Employment of Appropriate Control Procedures
Control frameworks, such as COBIT and Trust Services, identify a variety of specific control procedures and tools that can be used to mitigate various security threats. A thorough risk assessment program and cost/benefit analysis should be used in evaluating alternative control procedures.
Focus 7-1 on Page 241 discusses how the consequences of inadequate investment in security are increasing and provides several tips for avoiding lawsuits:
- Establish and implement an in-house security policy
- Have a security audit done
- Remember security in contracts
- Don't make promises you can't keep
- Pay attention to regulations affecting your industry
- Consider purchasing e-commerce insurance
- Pay attention to what similar companies are doing

Monitoring and Taking Remedial Action
It is important to understand that security is a moving target. Advances in information technology create new threats and alter the risks associated with existing threats. Effective control over information systems involves a continuous cycle of developing policies to address identified threats, communicating those policies to all employees, implementing specific control procedures to mitigate risk, monitoring performance, and taking corrective actions in response to identified problems.

2. The Time-Based Model of Security

The time-based model of security focuses on the relationship between preventive, detective, and corrective controls and evaluates the effectiveness of an organization's security by measuring and comparing the following three variables:
P = the time it takes an attacker to break through the organization's preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack
If P > D + C, then the organization's security procedures are effective. If P < D + C, then the organization's security procedures are ineffective.

Disadvantages of the time-based model of security:
1) It is hard, if not impossible, to derive accurate, reliable measures of the parameters P, D, and C.
2) Even when those parameter values can be reliably calculated, their validity is often quickly lost due to new IT developments.

3. Defense-in-Depth

The idea is to employ multiple layers of controls in order to avoid having a single point of failure. Redundancy increases effectiveness because even if one procedure fails or is circumvented, another may function as planned. Information security, for example, involves the use of a combination of firewalls, passwords, and other preventive procedures to restrict access to information systems. Table 7-1 on Page 258 summarizes the major types of preventive, detective, and corrective controls that provide security through defense-in-depth.

Understanding Targeted Attacks
Before discussing the preventive, detective, and corrective controls, it is helpful to understand the basic steps used by criminals to attack an organization's information system:
1. Reconnaissance. Computer attackers begin by collecting information about their target. Much valuable information can be obtained by perusing an organization's financial statements, SEC filings, web site, and press releases.
2. Attempt Social Engineering. Attackers will often try to use the information obtained during their initial reconnaissance to socially engineer (i.e., trick) an unsuspecting employee into granting them access. An attack known as spear phishing involves sending e-mails purportedly coming from someone else in the organization whom the victim knows, or should know.
3. Scan and Map the Target. If an attacker cannot successfully penetrate the target system via social engineering, the next step is to conduct more detailed reconnaissance to identify potential points of remote entry.
4. Research. Once the attacker has identified specific targets and knows what versions of software are used, the next step is to find known vulnerabilities for those programs.
5. Execute the Attack. The attacker obtains unauthorized access to the system.
6. Cover Tracks. After penetrating the victim's information system, most attackers will try to cover their tracks and set up back doors in case their initial attack is discovered.

Preventive Controls
Preventive controls consist of two related functions, authentication and authorization, intended to prevent security incidents from happening.
Seven major types of preventive controls are listed in Table 7-1 on page 258.

Authentication Controls focus on verifying the identity of the person or device attempting to access the system. Users can be authenticated by verifying:
1. Something users know, such as passwords or personal identification numbers (PINs). Focus 7-2 on Page 260 discusses some of the requirements for creating strong passwords, including length (at least eight characters); multiple character types (alphabetic, numeric, special characters, uppercase and lowercase); randomness; and frequent changes (at least every 90 days and possibly every 30 days).
2. Something they have, such as smart cards or ID badges.
3. Some physical characteristic (referred to as a biometric identifier), such as their fingerprints or voice.
Multifactor authentication is when two or all three basic authentication methods are used.

Authorization Controls restrict the access of authenticated users to specific portions of the system and specify what actions they are permitted to perform. Authorization controls are implemented by creating an access control matrix, a table specifying which portions of the system users are permitted to access and what actions they can perform (see Figure 7-3 on Page 261). When an employee attempts to access a particular information systems resource, the system performs a compatibility test that matches the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action. Authentication and authorization should also apply to devices. Every workstation, printer, or other computing device needs a Network Interface Card (NIC) to connect to the organization's internal network. Each NIC has a unique identifier, referred to as its Media Access Control (MAC) address. Digital signatures and digital certificates should also be considered.

Training
People play a critical role in information security. Training is a critical preventive control, as employees must understand and follow the organization's security policies. All employees should be taught why security measures are important to the organization's long-run survival. Some good security measures include:
1. Never open unsolicited e-mail attachments.
2. Only use approved software.
3. Never share or reveal your passwords.
4. Take steps to physically protect laptops.
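The authentication and authorization sequence described above, as an added example that is not part of the chapter: a password check against the Focus 7-2 requirements, a multifactor check, and then the compatibility test against an access control matrix in the style of Figure 7-3. The users, resources, matrix contents, and the thresholds (three of four character classes, at least two factors) are assumptions constructed for this illustration.

```python
"""Added example (not the textbook's code): the authentication and
authorization checks the chapter describes, over constructed users, a
constructed access control matrix (Figure 7-3 style) and assumed policy
thresholds. Nothing here is taken from a real system."""
from datetime import date

# Focus 7-2 requirements as stated in the chapter: at least eight characters,
# several character types, changed at least every 90 days. Requiring three
# of the four character classes is this example's assumption.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
MIN_CHARACTER_CLASSES = 3


def password_problems(password: str, last_changed: date, today: date) -> list:
    """Return the policy rules a password violates; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if sum(classes) < MIN_CHARACTER_CLASSES:
        problems.append("too few character types")
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append("password expired")
    return problems


# Constructed access control matrix: user -> resource -> permitted actions.
# Anything not listed is denied (deny by default, the safe reading of a matrix).
ACCESS_CONTROL_MATRIX = {
    "alice": {"payroll_db": {"read", "update"}, "gl_program": {"execute"}},
    "bob": {"payroll_db": {"read"}},
}


def compatibility_test(user: str, resource: str, action: str,
                       matrix=ACCESS_CONTROL_MATRIX) -> bool:
    """The chapter's compatibility test: is this action on this resource
    present in the user's row of the matrix?"""
    return action in matrix.get(user, {}).get(resource, set())


def authorize_request(user: str, factors_presented, resource: str, action: str,
                      matrix=ACCESS_CONTROL_MATRIX):
    """Authenticate first (multifactor: at least two of know/have/are, this
    example's threshold), then run the compatibility test. Returns
    (allowed, reason) so the reason can be written to the audit trail."""
    factors = set(factors_presented) & {"know", "have", "are"}
    if len(factors) < 2:
        return False, "authentication failed: fewer than two factors"
    if not compatibility_test(user, resource, action, matrix):
        return False, "authorization failed: not permitted by access control matrix"
    return True, "allowed"


def run_demo() -> dict:
    """Exercise the checks on constructed inputs; used by the usage below."""
    jan1, feb1, jun1 = date(2024, 1, 1), date(2024, 2, 1), date(2024, 6, 1)
    return {
        "good_password": password_problems("Tr0ub4dor&3", jan1, feb1),
        "weak_password": password_problems("abc", jan1, feb1),
        "stale_password": password_problems("Tr0ub4dor&3", jan1, jun1),
        "alice_update": authorize_request("alice", ["know", "have"], "payroll_db", "update"),
        "bob_update": authorize_request("bob", ["know", "have"], "payroll_db", "update"),
        "single_factor": authorize_request("alice", ["know"], "payroll_db", "read"),
        "unknown_user": authorize_request("mallory", ["know", "have"], "payroll_db", "read"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The order matters: authentication establishes who is asking before the matrix is consulted, and an unknown user or a missing cell falls through to a denial rather than to a permissive default, which is what keeps the matrix a preventive control rather than a suggestion.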

Training is especially needed to educate employees about social engineering attacks, which use deception to obtain unauthorized access to information resources. Employees need to be trained not to allow other people to follow them through restricted-access entrances. This social engineering attack, called piggybacking, can take place not only at the main entrance to the building but also at any internal locked door, especially to rooms that contain computer equipment.

Controlling Physical Access
Controlling physical access to the system is absolutely essential. Within minutes a skilled attacker can gain physical access to the system and obtain sensitive data. An attacker with unsupervised physical access could simply remove the hard drive or even steal the entire computer. Focus 7-3 on Page 263 describes an especially elaborate set of physical access controls referred to as a man-trap. Laptops, cell phones, and Personal Digital Assistant (PDA) devices require special attention. One of COBIT's 34 top-level control objectives, DS 12, focuses specifically on physical security.

Controlling Remote Access
Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems
Figure 7-4 on page 264 shows the relationship between an organization's information system and the Internet. A border router connects an organization's information system to the Internet. Behind the border router is the main firewall, which is either a special-purpose hardware device or software running on a general-purpose computer. A firewall uses a combination of security algorithms and router communication protocols to prevent outsiders from tapping into corporate databases and e-mail systems. The organization's Web servers and e-mail servers are placed in a separate network, called the demilitarized zone (DMZ), which permits controlled access from the Internet to selected resources, such as the organization's e-commerce Web server.

Overview of TCP/IP and Routers
Information travels throughout the Internet and internal local area networks in the form of packets. So, it is not whole documents or files that are sent to the printer; instead they are broken down into packets, which are then sent to the printer. Well-defined rules and procedures called protocols dictate how to perform these activities. Figure 7-5 on Page 266 shows how two important protocols, referred to together as TCP/IP, govern the process for transmitting information over the Internet. The Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into packets to be sent over the Internet and the methods for reassembling the original document or file at the destination.
The Internet Protocol (IP) specifies the structure of those packets and how to route them to the proper destination. Every IP packet consists of two parts: a header and a body. The header contains the packet's origin and destination addresses, as well as information about the type of data contained in the body of the packet. Special-purpose devices called routers are designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next.


Filtering Packets
A set of rules, called an Access Control List (ACL), determines which packets are allowed entry and which are dropped. Border routers typically perform what is called static packet filtering, which screens individual IP packets based solely on the contents of the source and/or destination fields in the IP packet header. Stateful packet filtering maintains a table that lists all established connections between the organization's computers and the Internet. Stateful packet filtering is still limited to examining only information in the IP packet header.

Deep Packet Inspection
By analogy with postal mail, undesirable mail can get through if the return address is not on the list of unacceptable sources. Clearly, control over incoming mail would be more effective if each envelope or package were opened and inspected. A process called deep packet inspection provides this added control for packets. Intrusion prevention systems (IPS) are designed to identify and drop packets that are part of an attack.

Defense-in-Depth
The use of multiple perimeter filtering devices is actually more efficient than trying to use only one device. Border routers quickly filter out obviously bad packets and pass the rest to the main firewall. The firewall does more detailed checking, allowing in only those packets purporting to contain specific types of data for specific types of programs, and dropping all others. The IPS then performs deep packet inspection on the packets passed by the firewall to verify that the data they contain does indeed conform to the organization's security policies. Figure 7-4 on page 264 illustrates one other dimension of the concept of defense-in-depth: the use of a number of internal firewalls to segment different departments within the organization. This approach not only increases internal security but also strengthens internal control by providing a means for enforcing segregation of duties.
The integration of physical and remote access control has been an especially effective way to achieve defense-in-depth.
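The three perimeter layers just described (static filtering at the border router, stateful filtering at the main firewall, deep packet inspection at the IPS), as an added example that is not part of the chapter or of any real product. The packet record, the addresses, the published DMZ services, the blocklist, and the "port 80 must carry an HTTP request line" policy are all constructed for this illustration; the anti-spoofing rule in the router (an outside packet must not claim an inside source address) is a common static-ACL rule added here beyond what the chapter lists.

```python
"""Added example (not the textbook's code): the three perimeter layers of
Figure 7-4 (border router, stateful firewall, IPS) modelled over a tiny packet
record. All addresses, ports, rules and packets are constructed for
illustration; real devices apply far richer rule sets."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str          # "tcp" or "udp"
    syn: bool = False      # True for a packet that opens a TCP connection
    payload: bytes = b""   # the body; only deep inspection looks at it


# Layer 1: border router with a static ACL. It looks only at header address
# fields: a constructed blocklist, plus the common rule that a packet arriving
# from the Internet must not claim an internal source address.
BLOCKED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def static_filter(pkt: Packet) -> bool:
    src = ipaddress.ip_address(pkt.src_ip)
    if any(src in net for net in BLOCKED_SOURCE_NETS):
        return False
    if src in INTERNAL_NET:
        return False
    return True


# Layer 2: main firewall, stateful. Services the DMZ publishes to the Internet
# (constructed: a web server and a mail server), plus a connection table.
ALLOWED_SERVICES = {("192.0.2.10", 80, "tcp"), ("192.0.2.10", 443, "tcp"),
                    ("192.0.2.20", 25, "tcp")}


class StatefulFirewall:
    def __init__(self):
        self.connections = set()   # (client_ip, server_ip, server_port)

    def outbound(self, pkt: Packet) -> None:
        """An inside host opened a connection: remember it so replies can return."""
        self.connections.add((pkt.src_ip, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt: Packet) -> bool:
        forward = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)   # continuing an inbound session
        reply = (pkt.dst_ip, pkt.src_ip, pkt.src_port)     # answer to an outbound session
        if forward in self.connections or reply in self.connections:
            return True
        if pkt.syn and (pkt.dst_ip, pkt.dst_port, pkt.protocol) in ALLOWED_SERVICES:
            self.connections.add(forward)                   # new session to a DMZ service
            return True
        return False


# Layer 3: IPS deep packet inspection. For the web server's plain HTTP port the
# payload must actually be an HTTP request line (constructed policy); other
# ports are not inspected here, and encrypted traffic could not be read anyway.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) /\S* HTTP/1\.[01]\r\n")


def deep_inspection(pkt: Packet) -> bool:
    if pkt.dst_port == 80:
        return HTTP_REQUEST_LINE.match(pkt.payload) is not None
    return True


def perimeter(fw: StatefulFirewall, packets) -> list:
    """Pass inbound packets through router -> firewall -> IPS; one verdict each."""
    verdicts = []
    for pkt in packets:
        if not static_filter(pkt):
            verdicts.append("dropped by router")
        elif not fw.inbound(pkt):
            verdicts.append("dropped by firewall")
        elif not deep_inspection(pkt):
            verdicts.append("dropped by IPS")
        else:
            verdicts.append("allowed")
    return verdicts


def run_demo() -> list:
    fw = StatefulFirewall()
    # An inside workstation opened a TLS session earlier; the firewall recorded it.
    fw.outbound(Packet("10.0.0.5", 50000, "198.51.100.9", 443, "tcp", syn=True))
    inbound = [
        Packet("203.0.113.5", 40000, "192.0.2.10", 80, "tcp", syn=True,
               payload=b"GET / HTTP/1.1\r\n"),                      # blocklisted source
        Packet("198.51.100.7", 40001, "192.0.2.10", 80, "tcp", syn=True,
               payload=b"GET /index.html HTTP/1.1\r\n"),            # legitimate web request
        Packet("198.51.100.7", 40001, "192.0.2.10", 80, "tcp",
               payload=b"\x00\x01 not http at all"),               # same session, bad content
        Packet("198.51.100.7", 40002, "10.0.0.5", 3389, "tcp", syn=True),  # straight at an inside host
        Packet("198.51.100.9", 443, "10.0.0.5", 50000, "tcp",
               payload=b"\x17\x03\x03..."),                         # reply to the TLS session
    ]
    return perimeter(fw, inbound)


if __name__ == "__main__":
    print(run_demo())
```

Note what each layer alone would have missed: the router passes the third packet (its addresses are fine), the firewall passes it too (it belongs to an established session), and only the IPS, which opens the body, drops it. Conversely the cheap router check disposes of the blocklisted packet before the stateful table is ever consulted, which is the efficiency argument the chapter makes for layering.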

Dial-Up Connections
The Remote Authentication Dial-In User Service (RADIUS) is a standard method that verifies the identity of users attempting to connect via dial-in access.


If employees install their own personally purchased modems on office computers, those modems are called rogue modems. This creates a back door through which a hacker could easily gain access to the company's system. To detect these unauthorized rogue modems, either computer security or internal auditing uses war dialing software. This software calls every telephone number assigned to the organization to identify those that are connected to modems, thereby identifying the rogue modems.

Wireless Access
Figure 7-4 on Page 264 shows all the wireless access points (the devices that accept incoming wireless communications and permit the sending device to connect to the organization's network). The following procedures need to be followed to adequately secure wireless access:
- Turn on available security features.
- Authenticate all devices attempting to establish wireless access to the network before assigning them an IP address.
- Configure all authorized wireless Network Interface Cards (NICs) to operate only in infrastructure mode, which forces the device to connect only to wireless access points.
- Use noninformative names for the access point's address, which is called a Service Set Identifier (SSID).
- Predefine a list of authorized Media Access Control (MAC) addresses and configure wireless access points to accept connections only if the device's MAC address is on the authorized list.
- Reduce the broadcast strength of wireless access points to make unauthorized reception off-premises more difficult.
- Locate wireless access points in the interior of the building and use directional antennas to make unauthorized access and eavesdropping more difficult.

Host and Application Hardening
Routers, firewalls, and intrusion prevention systems are designed to protect the network perimeter. However, information system security is enhanced by supplementing them with preventive controls on the workstations, servers, printers, and other devices that comprise the organization's network.

Three areas deserve special attention:
1. Host configuration
2. User accounts
3. Software design

1. Host Configuration
Hosts can be made more secure by modifying their configurations. Every program running on a host represents a potential point of attack because it probably contains flaws, called vulnerabilities, that can be exploited to either crash the system or take control of it. Microsoft Baseline Security Analyzer and vulnerability scanners can be used to identify unused and, therefore, unnecessary programs that represent potential security threats. This process of turning off unnecessary features is called hardening.

2. Managing User Accounts and Privileges
Users who need administrative powers on a particular computer should be assigned two accounts: one with administrative rights and another that has only limited privileges. It is especially important that they be logged into their limited regular user account when browsing the Web or reading their e-mail.

3. Software Design
As organizations have increased the effectiveness of their perimeter security controls, attackers have increasingly targeted vulnerabilities in application programs. The most common input-related vulnerability is referred to as a buffer overflow attack, in which an attacker sends a program more data than it can handle. Most programs set aside a fixed amount of memory, referred to as a buffer, to hold user input. However, if the program does not carefully check the size of the data being input, an attacker may enter many times the amount of data that was anticipated and overflow the buffer. Input security needs to be carefully designed into new applications, and new applications should be thoroughly tested before deployment.

Encryption
Encryption is the final layer of preventive controls and is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this process, transforming ciphertext back into plaintext.
Encryption also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions. Figure 7-6 on Page 271 shows that both a key and an algorithm are used to encrypt plaintext into ciphertext and to decrypt the ciphertext back into plaintext.

Encryption Strength
Three important factors determine the strength of any encryption system:
1. Key length. Longer keys provide stronger encryption by reducing the number of repeating blocks of ciphertext. This makes it harder to spot patterns in the ciphertext that reflect patterns in the original plaintext.
2. Key management policies. The procedures used to store and manage the encryption keys are also important. COBIT control objective DS 5.8 identifies important control objectives related to the management of cryptographic keys. A key is a piece of information (a parameter) that controls the operation of a cryptographic algorithm. Key management is often the most vulnerable aspect of encryption systems. Access to these keys must be tightly controlled. Encryption software that creates a built-in master key that can be used to decrypt anything encrypted by that software should be considered in the event that the employee who encrypted the data leaves. A second-best alternative is a process called key escrow, which involves making copies of all encryption keys used by employees and storing those copies securely.
3. Nature of the encryption algorithm. A third factor affecting encryption strength concerns the nature of the algorithm. A strong algorithm is difficult, if not impossible, to break by guessing.

Types of Encryption Systems
There are two basic types of encryption systems:
1. Symmetric encryption systems use the same key both to encrypt and to decrypt. Symmetric encryption has the following three problems:
1) Both parties (sender and receiver) need to know the shared secret key.
2) Separate secret keys need to be created for use with each different party with whom encryption is going to be used.
3) Because both parties using symmetric encryption know the same secret key, there is no way to prove who created a specific document.
2. Asymmetric encryption systems use two keys. One key, called the public key, is widely distributed and available to everyone. The other key, called the private key, is kept secret and known only to the owner of that pair of keys.
The main drawback of asymmetric encryption is speed. Asymmetric encryption is also used with hashing to create digital signatures. Hashing is a process that takes plaintext of any length and transforms it into a short code called a hash. Table 7-2 on Page 273 provides a comparison of encryption and hashing. Hashing always produces a hash of a fixed short length, regardless of the length of the original plaintext. Encryption, on the other hand, always produces ciphertext similar in length to the original plaintext. Encryption is reversible; hashing is not.

Digital Signatures
A digital signature is information encrypted with the creator's private key. This encrypted information can only be decrypted using the corresponding public key. Using a hash of the original plaintext to create a digital signature not only is efficient but also provides a means for establishing that the message decrypted by the recipient is exactly the same as the message created by the sender. Asymmetric encryption and hashing are used to create digital signatures.

Digital Certificates and Public Key Infrastructure
A digital certificate is an electronic document, created and digitally signed by a trusted third party, that certifies the identity of the owner of a particular public key. The term Public Key Infrastructure (PKI) refers to the system and processes used to issue and manage asymmetric keys and digital certificates. The organization that issues public and private keys and records the public key in a digital certificate is called a certificate authority. The AICPA Trust Services framework contains a list of criteria that can be used in evaluating the overall reliability of a particular certificate authority.

Illustrative Example: The Role of Encryption and Hashing in E-Business
Figure 7-7 on Page 276 provides an example.

Effects of Encryption on Other Layers of Defense
Digital signatures use asymmetric encryption to create legally binding electronic documents. Web-based e-signatures are an alternative mechanism for accomplishing the same objective. An e-signature is a cursive-style imprint of a person's name that is applied to an electronic document. Firewalls function by inspecting the contents of packets but cannot effectively screen packets that are encrypted. Anti-virus and intrusion detection systems also have difficulty in dealing with encrypted packets.
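The hashing and digital signature construction described in the two sections above (hash the message, encrypt the hash with the private key, let anyone verify with the public key), as an added example that is not part of the chapter. It uses SHA-256 from the Python standard library and a deliberately tiny textbook RSA key pair built from two known primes; the primes, the message, the shared key, and the reduction of the digest modulo the toy modulus are all assumptions made so the example runs without any third-party library. A real signature scheme uses large random primes and a padding standard, neither of which the page discusses.

```python
"""Added example (not the textbook's code): the encryption-versus-hashing
comparison and the digital signature construction the chapter describes,
using SHA-256 from the standard library and a deliberately tiny textbook RSA
key pair. Primes, message and keys are constructed for illustration only."""
import hashlib
import hmac

# Toy RSA key pair from two known Mersenne primes (assumption: small enough to
# read, far too small to be secure). The public key is (N, E), private is D.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)


def hash_message(plaintext: bytes) -> bytes:
    """Hashing: input of any length -> fixed 32-byte digest, not reversible."""
    return hashlib.sha256(plaintext).digest()


def sign(plaintext: bytes, private_exponent: int = D) -> int:
    """Digital signature: hash the message, then 'encrypt' the hash with the
    creator's private key. The digest is reduced mod N only because this toy
    modulus is smaller than a 256-bit hash; real schemes never do this."""
    h = int.from_bytes(hash_message(plaintext), "big") % N
    return pow(h, private_exponent, N)


def verify(plaintext: bytes, signature: int, public_exponent: int = E) -> bool:
    """Anyone holding the public key recovers the hash from the signature and
    compares it with a fresh hash of the received message, so any change to
    the message (or a signature made with another key) is detected."""
    h = int.from_bytes(hash_message(plaintext), "big") % N
    return pow(signature, public_exponent, N) == h


def symmetric_tag(plaintext: bytes, shared_key: bytes) -> str:
    """Contrast with symmetric keys: an HMAC proves the message came from
    someone holding the shared key, but sender and receiver both hold it, so
    neither can prove to a third party which of them created the document
    (the chapter's third problem with symmetric encryption)."""
    return hmac.new(shared_key, plaintext, hashlib.sha256).hexdigest()


def demo() -> dict:
    invoice = b"Pay ACME Corp $10,000 for invoice 4711"   # constructed message
    forged = b"Pay ACME Corp $90,000 for invoice 4711"    # one digit changed
    sig = sign(invoice)
    key = b"shared-secret-key"                           # constructed shared key
    return {
        "digest_len_short": len(hash_message(invoice)),
        "digest_len_long": len(hash_message(invoice * 1000)),
        "valid": verify(invoice, sig),
        "tampered": verify(forged, sig),
        # Both parties compute the identical tag: no proof of origin between them.
        "sender_tag_equals_receiver_tag":
            symmetric_tag(invoice, key) == symmetric_tag(invoice, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two of the chapter's claims are visible in the results: the digest is 32 bytes whether the input is 38 bytes or 38,000, and changing a single character of the message makes verification fail because the recipient's fresh hash no longer matches the one recovered with the public key.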

Detective Controls
Preventive controls are never 100% effective in blocking all attacks. Therefore, organizations need detective controls to enhance security by monitoring the effectiveness of preventive controls and detecting incidents in which preventive controls have been successfully circumvented. Some procedures function as both preventive and detective controls; for example, the audit trail created by authentication and authorization controls is a detective control that can be examined to determine whether actual system use is in compliance with those policies. Log analysis, intrusion detection systems, managerial reports, and security testing are four types of detective controls.

Log Analysis is the process of examining logs to monitor security. These logs form an audit trail of system access, revealing who accesses the system and what specific actions each user performed. Figure 7-8 on Page 278 is an example of a portion of a security log from a computer running the Windows operating system. Log analysis is labor intensive and prone to error.

Intrusion Detection Systems (IDS) create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions.

Managerial Reports are another important detective control. The COBIT Framework provides management guidelines that identify critical success factors associated with each objective and suggest key success indicators that management can use to monitor and assess control effectiveness.

Security Testing involves vulnerability scans, which use automated tools designed to identify whether a given system possesses any well-known vulnerabilities. A penetration test is an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's information system. A number of information security Web sites, such as the Center for Information Security, provide benchmarks for security best practices and tools that can be used to measure how well a given system conforms to those benchmarks.

Corrective Controls
Corrective controls involve the need for procedures to react to incidents and take corrective action on a timely basis. Many rely on human judgment. Planning and preparation are important.
Three key components that satisfy the COBIT criteria for effectively managing incidents and problems are:
1. Establishment of a computer emergency response team
2. Designation of a specific individual with organization-wide responsibility for security
3. An organized patch management system

Computer Emergency Response Team
The Computer Emergency Response Team (CERT) is responsible for dealing with major incidents. The following are the four steps taken by the CERT:
1. Recognition that a problem exists
2. Containment of the problem
3. Recovery
4. Follow-up
Communication is vital to all four steps in the incident response process.

Chief Security Officer (CSO)
The chief security officer is responsible for information security. The CSO should be independent of other information systems functions and should report to either the chief operating officer (COO) or the chief executive officer (CEO).

Patch Management
Patch management, another important corrective control, is the process for regularly applying patches and updates to all software used by the organization to fix known vulnerabilities. Hackers and security consulting firms are constantly searching for vulnerabilities in widely used software. They then publish instructions on how to take advantage of these vulnerabilities. The set of instructions for taking advantage of a vulnerability is called an exploit.
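The log analysis detective control described earlier in this section (examining the audit trail of who logged on, when, and from where), as an added example that is not part of the chapter. It runs two simple detections over a handful of constructed log lines laid out in a Windows-like "date time event-id account host" format. The line layout, the accounts, the hosts, the failure threshold, and the business-hours window are assumptions made for this illustration; event IDs 4624 (successful logon) and 4625 (failed logon) are the ones Windows security logs actually use.

```python
"""Added example (not the textbook's code): log analysis over a few constructed
security-log lines in a Windows-style layout. The line format, thresholds,
accounts and hosts are this example's assumptions; event IDs 4624 (successful
logon) and 4625 (failed logon) are the ones Windows security logs use."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: date time event_id account source_host
SAMPLE_LOG = """\
2024-03-04 08:55:12 4624 alice WS-ACCT-01
2024-03-04 09:02:41 4625 bob WS-ACCT-02
2024-03-04 09:02:44 4625 bob WS-ACCT-02
2024-03-04 09:02:47 4625 bob WS-ACCT-02
2024-03-04 09:02:50 4625 bob WS-ACCT-02
2024-03-04 09:02:55 4624 bob WS-ACCT-02
2024-03-04 23:47:03 4624 carol WS-PAYROLL-01
2024-03-05 02:15:30 4624 alice VPN-GW
"""

FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"
FAILURE_THRESHOLD = 3            # assumption: 3+ failures then a success is suspicious
BUSINESS_HOURS = range(7, 20)    # assumption: 07:00 to 19:59


def parse(log_text: str) -> list:
    """Turn each 'date time event_id account host' line into a tuple."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip blank or malformed lines
        timestamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((timestamp, parts[2], parts[3], parts[4]))
    return events


def find_alerts(events: list) -> list:
    """Two simple detections: a success following repeated failures, and a
    successful logon outside business hours. Each alert names the account
    and the source host so an analyst can follow up from the audit trail."""
    alerts = []
    failures = defaultdict(int)
    for timestamp, event_id, account, host in events:
        if event_id == FAILED_LOGON:
            failures[account] += 1
        elif event_id == SUCCESSFUL_LOGON:
            if failures[account] >= FAILURE_THRESHOLD:
                alerts.append(f"{account}: success after {failures[account]} "
                              f"failed attempts from {host}")
            failures[account] = 0
            if timestamp.hour not in BUSINESS_HOURS:
                alerts.append(f"{account}: logon outside business hours at "
                              f"{timestamp:%Y-%m-%d %H:%M} from {host}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample log this flags Bob's success after four failures and the two out-of-hours logons while saying nothing about Alice's ordinary morning logon, which is the point of automating the review: the labor-intensive and error-prone part the chapter mentions is reading every line by hand, and a script reduces that to examining the handful of lines that match a rule.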

