Today, every organization relies on information technology (IT). Many organizations are also
moving at least portions of their information systems to the cloud. Management wants assurance
that the information produced by the organization’s own accounting system is reliable and that
the cloud service providers with whom it contracts are reliable. In addition, management wants
assurance that the organization is compliant with an ever-increasing array of regulatory and
industry requirements, including Sarbanes-Oxley (SOX), the Health Insurance Portability and
Accountability Act (HIPAA), and the Payment Card Industry Data Security Standards (PCI-DSS).
The Trust Services Framework organizes IT-related controls into five principles that
jointly contribute to systems reliability:
1. Security—access (both physical and logical) to the system and its data is controlled and
restricted to legitimate users.
2. Confidentiality—sensitive organizational information (e.g., marketing plans, trade secrets)
is protected from unauthorized disclosure.
3. Privacy—personal information about customers, employees, suppliers, or business partners
is collected, used, disclosed, and maintained only in compliance with internal policies
and external regulatory requirements and is protected from unauthorized disclosure.
4. Processing Integrity—data are processed accurately, completely, in a timely manner, and
only with proper authorization.
5. Availability—the system and its information are available to meet operational and contractual
obligations.
Although effective information security requires the deployment of technological tools such as
firewalls, antivirus, and encryption, senior management involvement and support throughout all phases
of the security life cycle is essential for success.
Although many information security threats, such as viruses, worms, natural disasters, hardware
failures, and human errors are often random (untargeted) events, organizations are also
frequently the target of deliberate attacks. Before we discuss the preventive, detective, and
corrective controls that can be used to mitigate the risk of systems intrusions, it is helpful to
understand the basic steps criminals use to attack an organization’s information system:
1. Conduct reconnaissance. Bank robbers usually do not just drive up to a bank and attempt
to rob it. Instead, they first study their target’s physical layout to learn about the controls it
has in place (alarms, number of guards, placement of cameras, etc.). Similarly, computer
attackers begin by collecting information about their target. Perusing an organization’s financial
statements, Securities and Exchange Commission (SEC) filings, website, and press
releases can yield much valuable information. The objective of this initial reconnaissance
is to learn as much as possible about the target and to identify potential vulnerabilities.
2. Attempt social engineering. Why go through all the trouble of trying to break into a system
if you can get someone to let you in? Attackers will often try to use the information
obtained during their initial reconnaissance to “trick” an unsuspecting employee into
granting them access. Such use of deception to obtain unauthorized access to information
resources is referred to as social engineering. Social engineering can take place in countless
ways, limited only by the creativity and imagination of the attacker. Social engineering
attacks often take place over the telephone. One common technique is for the attacker
to impersonate an executive who cannot obtain remote access to important files. The attacker
calls a newly hired administrative assistant and asks that person to help obtain the
critical files. Another common ruse is for the attacker to pose as a clueless temporary
worker who cannot log onto the system and calls the help desk for assistance. Social
engineering attacks can also take place via e-mail. A particularly effective attack known
as spear phishing involves sending e-mails purportedly from someone that the victim
knows. The spear phishing e-mail asks the victim to click on an embedded link or open an
attachment. If the recipient does so, a Trojan horse program is executed that enables the
attacker to obtain access to the system. Yet another social engineering tactic is to spread
USB drives in the targeted organization’s parking lot. An unsuspecting or curious employee
who picks up the drive and plugs it into their computer will load a Trojan horse
program that enables the attacker to gain access to the system.
3. Scan and map the target. If an attacker cannot successfully penetrate the target system
via social engineering, the next step is to conduct more detailed reconnaissance to identify
potential points of remote entry. The attacker uses a variety of automated tools to identify
computers that can be remotely accessed and the types of software they are running.
4. Research. Once the attacker has identified specific targets and knows what versions of
software are running on them, the next step is to conduct research to find known vulnerabilities
for those programs and learn how to take advantage of those vulnerabilities.
5. Execute the attack. The criminal takes advantage of a vulnerability to obtain unauthorized
access to the target’s information system.
6. Cover tracks. After penetrating the victim’s information system, most attackers attempt to
cover their tracks and create “back doors” that they can use to obtain access if their initial
attack is discovered and controls are implemented to block that method of entry.
Preventive Controls
This section discusses the preventive controls listed in Table 8-1 that organizations
commonly use to restrict access to information resources. As Figure 8-3 shows, these various
preventive controls fit together like pieces in a puzzle to collectively provide defense-in-depth.
Although all of the pieces are necessary, the “people” component is the most important.
Management must create a “security-conscious” culture and employees must be trained to
follow security policies and practice safe computing behaviors.
People: Training
COBIT 5 identifies employee skills and competencies as another critical enabler for effective
information security. Employees must understand how to follow the organization’s security
policies. Thus, training is a critical preventive control. Indeed, its importance is reflected in
the fact that security awareness training is discussed as a key practice to support several of
COBIT 5’s 32 management processes.
All employees should be taught why security measures are important to the organization’s
long-run survival. They also need to be trained to follow safe computing practices, such as never
opening unsolicited e-mail attachments, using only approved software, not sharing
passwords, and taking steps to physically protect laptops. Training is especially needed to educate
employees about social engineering attacks.
Process: User Access Controls
It is important to understand that “outsiders” are not the only threat source. An employee
may become disgruntled for any number of reasons (e.g., being passed over for a promotion)
and seek revenge, or may be vulnerable to being corrupted because of financial difficulties, or
may be blackmailed into providing sensitive information. Therefore, organizations need to
implement a set of controls designed to protect their information assets from unauthorized use
and access by employees.
IT Solutions: Encryption
Encryption provides a final layer of defense to prevent unauthorized access to sensitive
information. We discuss encryption in more detail in Chapter 9 because of its importance to
achieving the security principles of protecting confidentiality of organizational information
and the privacy of personal information collected from customers, employees, and business
partners.
Detective Controls
As noted earlier, preventive controls are never 100% effective in blocking all attacks.
Therefore, COBIT 5 management practice DSS05.07 describes the activities that organizations
also need to perform to enable timely detection of intrusions and problems. This section discusses
the four types of detective controls.
Log Analysis
Most systems come with extensive capabilities for logging who accesses the system and
what specific actions each user performed. These logs form an audit trail of system access. Like
any other audit trail, logs are of value only if they are routinely examined. Log analysis is the
process of examining logs to identify evidence of possible attacks.
It is especially important to analyze logs of failed attempts to log on to a system and
failed attempts to obtain access to specific information resources.
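The failed-logon and denied-access checks just described, as an added example that is not from the textbook: a small analyzer run over constructed audit-log lines in an assumed syslog-like format, flagging a burst of failed logons followed by a success (the usual sign of a guessed password) and users repeatedly denied access to specific resources. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit-log lines (not from the page) in an assumed syslog-like format.
SAMPLE_LOG = """\
2024-03-01T08:00:01 host1 login: FAILED user=jsmith src=10.0.0.5
2024-03-01T08:00:04 host1 login: FAILED user=jsmith src=10.0.0.5
2024-03-01T08:00:07 host1 login: FAILED user=jsmith src=10.0.0.5
2024-03-01T08:00:10 host1 login: FAILED user=jsmith src=10.0.0.5
2024-03-01T08:00:15 host1 login: SUCCESS user=jsmith src=10.0.0.5
2024-03-01T08:05:00 host1 fileaccess: DENIED user=tlee path=/bids/design.dwg
2024-03-01T08:05:02 host1 fileaccess: DENIED user=tlee path=/bids/spec.pdf
2024-03-01T08:05:03 host1 fileaccess: DENIED user=tlee path=/bids/plan.ppt
2024-03-01T09:00:00 host1 login: FAILED user=admin src=203.0.113.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<event>login|fileaccess): (?P<result>\w+)"
                     r" user=(?P<user>\S+)(?: src=(?P<src>\S+))?(?: path=(?P<path>\S+))?$")
def parse(lines):
    """Yield event dicts for lines in the assumed format; malformed lines are skipped."""
    for line in lines:
        if m := LINE_RE.match(line.strip()):
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            yield e

def failed_logon_bursts(events, threshold=4, window=timedelta(minutes=1)):
    """(user, src) -> True if >= threshold FAILED logons within `window` were followed by a SUCCESS."""
    recent, findings = defaultdict(list), {}
    for e in events:
        if e["event"] != "login":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "FAILED":
            q = recent[key]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:   # drop failures that fell out of the window
                q.pop(0)
            if len(q) >= threshold:
                findings.setdefault(key, False)
        elif e["result"] == "SUCCESS" and key in findings:
            findings[key] = True
    return findings

def denied_access_counts(events, threshold=3):
    """Users denied access to at least `threshold` distinct resources."""
    denied = defaultdict(set)
    for e in events:
        if e["event"] == "fileaccess" and e["result"] == "DENIED":
            denied[e["user"]].add(e["path"])
    return {u: len(p) for u, p in denied.items() if len(p) >= threshold}
```

A single failure from an unknown address (the `admin` line) stays below the threshold, which is why the thresholds should be tuned against the organization's own baseline rather than copied from here.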
Penetration Testing
COBIT 5 control processes MEA01 and MEA02 state the need to periodically test the
effectiveness of business processes and internal controls (including security procedures). We
already discussed the use of vulnerability scanners to identify potential weaknesses in system
configuration. Penetration testing provides a more rigorous way to test the effectiveness of
an organization’s information security. A penetration test is an authorized attempt by either
an internal audit team or an external security consulting firm to break into the organization’s
information system.
Continuous Monitoring
COBIT 5 management practice APO01.08 stresses the importance of continuously
monitoring both employee compliance with the organization’s information security policies and
overall performance of business processes.
Recently, as reported in the Chosun newspaper on November 25th 2005, there was an incident
at IIA in which an internal employee illegally accessed and released the design documents for
IIA’s system integration project, valued at over $150 million. This project was to integrate the
security system, the communication system, and the airport information system. The internal
employee accessed the 250 related documents for bidding purposes, saved them on a CD, and
supplied it to a company interested in winning the security system integration project. This
information apparently would have given that company an advantage over its competitors. The
internal employee was later arrested by the police, and the incident was considered a clear sign
of the vulnerability of IIA’s computer systems to internal intrusion. Such an internal security
breach is more damaging than an external breach because the internal employee is more
knowledgeable about the computer system at IIA.
This paper focuses on the development of computer information security protection
software and its implementation at IIA.
As discussed earlier, critical corporate knowledge can be leaked by internal users in a number
of ways. In this section, various knowledge protection methods are discussed.
When an encoded document is to be transmitted outside the organization, the encoded file and the
access right of the external user are transmitted together in an executable file format. To create an
externally transmittable file, an internal user right-clicks the document and sets the external user’s
access right and the password needed to open the file. The information security system
automatically converts the file into an executable file such as “document1.exe”. When the external
user runs the exe file and enters the supplied password, the file opens with the designated level of
access right.
Figure: Creation of Executable File for the Transmission to Outside
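The transmission scheme above, as an added example that is not the paper’s or IIAC’s software: a password-sealed container that carries the document together with the external user’s access right, so the right cannot be altered without invalidating the file. Standard library only, so an HMAC-SHA256 counter-mode keystream stands in for a real AEAD such as AES-GCM (an assumption), and the container tag, header layout and right names are assumptions as well.

```python
import hashlib, hmac, json, os, struct

# Added example of the page's "document1.exe" idea: the encoded document travels
# together with the external user's access right, sealed under a password. Stdlib
# only, so an HMAC-SHA256 counter-mode keystream stands in for a real AEAD such as
# AES-GCM (an assumption); header and ciphertext are authenticated with a second key.
MAGIC = b"IISS"                                             # assumed container tag
RIGHTS = {"view": {"view"}, "print": {"view", "print"}}     # assumed right names

def _keys(password: str, salt: bytes):
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]                                 # (encryption key, MAC key)

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    stream = b"".join(hmac.new(key, struct.pack(">Q", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(document: bytes, password: str, user: str, right: str) -> bytes:
    """Package `document` for an external user with the given access right."""
    salt = os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    header = json.dumps({"user": user, "right": right}).encode()
    body = (MAGIC + salt + struct.pack(">I", len(header)) + header
            + _keystream_xor(enc_key, document))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(blob: bytes, password: str):
    """Return (header dict, document); raise ValueError on wrong password or tampering."""
    body, tag = blob[:-32], blob[-32:]
    if body[:4] != MAGIC:
        raise ValueError("not a sealed container")
    enc_key, mac_key = _keys(password, body[4:20])
    # verify before parsing: a wrong password and an edited access right both fail here
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong password or container tampered with")
    hlen = struct.unpack(">I", body[20:24])[0]
    header = json.loads(body[24:24 + hlen])
    return header, _keystream_xor(enc_key, body[24 + hlen:])

def permitted(header: dict, action: str) -> bool:
    """Does the sealed access right allow `action` ('view' or 'print')?"""
    return action in RIGHTS.get(header.get("right"), set())
```

The access right is enforced by the opening program, so this deters casual misuse by the recipient rather than a determined one who extracts the decrypted content, which is the limit of any such client-side control.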
Finally, when a confidential document is printed, information about the user is automatically
printed on the output. A basic watermark consisting of the IIAC logo, the user ID, and the time of
printing is displayed on the printout. This alerts the user that his/her identity is disclosed not only
to his/her corporation but also to whomever the output is provided.
The Information Security System (ISS) was developed and implemented at the Incheon
International Airport Corporation (IIAC) where over 1,000 employees share numerous documents in
the file formats of doc, xls, ppt, gif, bmp, pdf, txt, zip, and dwg. The ISS presented in this paper
would not only provide a secure environment for sharing information at IIAC but also an efficient
working environment without unnecessary interruptions. Once the airport information security is
compromised, the ISS will quickly detect and track down the source of the information leakage.
The information leakage points are identified and used to design the ISS to prevent such leakage.
The ISS is designed to prevent information leakage by deploying (1) real-time user authentication
and user file and folder encoding technology, (2) external memory device and printing device control
through watermarking technology, and (3) external transmission control of internal documents by
creating an executable file with security information.
The proposed ISS includes a number of security control features that would not only stop
illegal access to valuable corporate information but also track down whether such illegal access has
taken place. However, when all of these security control functions are implemented, users may find
the ISS constantly interfering with their daily job functions. Therefore, in the future, the proposed ISS
should be expanded into a virtual file system that can protect confidential corporate information,
including intermediate and temporary files.