
Controls for Information Security

Today, every organization relies on information technology (IT). Many organizations are also
moving at least portions of their information systems to the cloud. Management wants assurance
that the information produced by the organization's own accounting system is reliable, and it
wants the same assurance about the reliability of the cloud service providers with whom it
contracts. In addition, management wants assurance that the organization is compliant with an
ever-increasing array of regulatory and industry requirements, including Sarbanes-Oxley (SOX),
the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry
Data Security Standard (PCI-DSS).

The Trust Services Framework organizes IT-related controls into five principles that
jointly contribute to systems reliability:
1. Security—access (both physical and logical) to the system and its data is controlled and
restricted to legitimate users.
2. Confidentiality—sensitive organizational information (e.g., marketing plans, trade secrets)
is protected from unauthorized disclosure.
3. Privacy—personal information about customers, employees, suppliers, or business partners
is collected, used, disclosed, and maintained only in compliance with internal policies
and external regulatory requirements and is protected from unauthorized disclosure.
4. Processing Integrity—data are processed accurately, completely, in a timely manner, and
only with proper authorization.
5. Availability—the system and its information are available to meet operational and contractual
obligations.

Security Life Cycle

Although effective information security requires the deployment of technological tools such as
firewalls, antivirus, and encryption, senior management involvement and support throughout all
phases of the security life cycle is essential for success.

o Step 1: Assess threats and select risk response.
 Information security professionals possess the expertise to identify potential threats and to
estimate their likelihood and impact.
 However, senior management must choose which of the four risk responses described in
Chapter 7 (reduce, accept, share, or avoid) is appropriate to adopt, so that the resources
invested in information security reflect the organisation's risk appetite.
o Step 2: Develop and communicate policy.
 Senior management must participate in developing policies because they must decide the
sanctions they are willing to impose for noncompliance.
 In addition, the active support and involvement of top management is necessary to
ensure that information security training and communication are taken seriously.
 For this communication to be effective, employees must receive regular, periodic reminders
about security policies and training on how to comply with them (instead of handing people
a written document or sending them an e-mail message and asking them to sign an
acknowledgement that they received and read the notice).
o Step 3: Acquire and implement solutions.
 Senior management must authorise investing the necessary resources to mitigate the
threats identified (through acquiring or building specific technological tools) and achieve the
desired level of security.
o Step 4: Monitor performance.
 Management must periodically reassess the organisation's risk response and, when
necessary, make changes to information security policies and invest in new solutions to
ensure that the organisation's information security efforts support its business strategy in a
manner that is consistent with management's risk appetite.

Understanding Targeted Attacks

Although many information security threats, such as viruses, worms, natural disasters, hardware
failures, and human errors are often random (untargeted) events, organizations are also
frequently the target of deliberate attacks. Before we discuss the preventive, detective, and
corrective controls that can be used to mitigate the risk of systems intrusions, it is helpful to
understand the basic steps criminals use to attack an organization’s information system:

1. Conduct reconnaissance. Bank robbers usually do not just drive up to a bank and attempt
to rob it. Instead, they first study their target’s physical layout to learn about the controls it
has in place (alarms, number of guards, placement of cameras, etc.). Similarly, computer
attackers begin by collecting information about their target. Perusing an organization’s financial
statements, Securities and Exchange Commission (SEC) filings, website, and press
releases can yield much valuable information. The objective of this initial reconnaissance
is to learn as much as possible about the target and to identify potential vulnerabilities.
2. Attempt social engineering. Why go through all the trouble of trying to break into a system
if you can get someone to let you in? Attackers will often try to use the information
obtained during their initial reconnaissance to “trick” an unsuspecting employee into
granting them access. Such use of deception to obtain unauthorized access to information
resources is referred to as social engineering. Social engineering can take place in countless
ways, limited only by the creativity and imagination of the attacker. Social engineering
attacks often take place over the telephone. One common technique is for the attacker
to impersonate an executive who cannot obtain remote access to important files. The attacker
calls a newly hired administrative assistant and asks that person to help obtain the
critical files. Another common ruse is for the attacker to pose as a clueless temporary
worker who cannot log onto the system and calls the help desk for assistance. Social
engineering attacks can also take place via e-mail. A particularly effective attack known
as spear phishing involves sending e-mails purportedly from someone that the victim
knows. The spear phishing e-mail asks the victim to click on an embedded link or open an
attachment. If the recipient does so, a Trojan horse program is executed that enables the
attacker to obtain access to the system. Yet another social engineering tactic is to spread
USB drives in the targeted organization’s parking lot. An unsuspecting or curious employee
who picks up the drive and plugs it into their computer will load a Trojan horse
program that enables the attacker to gain access to the system.
3. Scan and map the target. If an attacker cannot successfully penetrate the target system
via social engineering, the next step is to conduct more detailed reconnaissance to identify
potential points of remote entry. The attacker uses a variety of automated tools to identify
computers that can be remotely accessed and the types of software they are running.
4. Research. Once the attacker has identified specific targets and knows what versions of
software are running on them, the next step is to conduct research to find known vulnerabilities
for those programs and learn how to take advantage of those vulnerabilities.
5. Execute the attack. The criminal takes advantage of a vulnerability to obtain unauthorized
access to the target’s information system.
6. Cover tracks. After penetrating the victim’s information system, most attackers attempt to
cover their tracks and create “back doors” that they can use to obtain access if their initial
attack is discovered and controls are implemented to block that method of entry.
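Steps 3 and 4 above are where the attacker turns a list of hosts into a list of software versions to look up. The following is an added example (not code from the textbook) of the simplest form of that activity: a TCP connect scan with banner grabbing. To keep it self-contained and lawful to run, the target is a throwaway listener started inside the same process on a loopback port chosen by the operating system; the banner text "SSH-2.0-ExampleServer_1.0" and the port numbers are constructed for the demo. Real attackers use tools such as nmap for this, but the mechanics are the same, which is also why a version-revealing banner is a gift to the "research" step.

```python
"""TCP connect scan with banner grabbing against a local, constructed target.

Added example for the "scan and map" step; it is not code from the textbook.
The target is a throwaway listener in this process on a loopback port chosen
by the OS, so the scan never touches a real host. The banner is invented.
"""
import socket
import threading

# Constructed banner: a service that announces its version, which is exactly
# what the "research" step needs in order to look up known vulnerabilities.
FAKE_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"


def start_target() -> tuple[socket.socket, int]:
    """Start a loopback listener that sends FAKE_BANNER to every client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listener was shut down
            with conn:
                try:
                    conn.sendall(FAKE_BANNER)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port() -> int:
    """Obtain a port number nothing is listening on (bind, read it, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host: str, port: int, timeout: float = 0.5) -> tuple[bool, str]:
    """Return (open, banner). A refused connection means the port is closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""             # open but silent (client-speaks-first service)
            return True, banner
    except (ConnectionRefusedError, socket.timeout, OSError):
        return False, ""


def scan(host: str, ports) -> dict[int, str]:
    """Map of open port -> banner for the given host and port list."""
    results = {}
    for p in ports:
        is_open, banner = probe(host, p)
        if is_open:
            results[p] = banner
    return results


def demo() -> tuple[int, int, dict[int, str]]:
    """Scan one live port and one known-closed port; return (live, closed, results)."""
    srv, live = start_target()
    closed = free_port()
    try:
        return live, closed, scan("127.0.0.1", [closed, live])
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)  # unblock accept() in the serve thread
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    live, closed, found = demo()
    print(f"scanned {closed} (closed) and {live} (open)")
    for p, b in found.items():
        print(f"open {p}/tcp  banner={b!r}")
```

Only run a scanner like this against systems you are authorised to test. From the defender's side, the same exchange is what a network IDS or a firewall log records as a scan: many short connections from one source to successive ports, most of them refused.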

Preventive Controls

This section discusses the preventive controls listed in Table 8-1 that organizations
commonly use to restrict access to information resources. As Figure 8-3 shows, these various
preventive controls fit together like pieces in a puzzle to collectively provide defense-in-depth.
Although all of the pieces are necessary, the “people” component is the most important.
Management must create a “security-conscious” culture and employees must be trained to
follow security policies and practice safe computing behaviors.

 People: Creation of a “security-conscious” culture


The discussion of the COSO and COSO-ERM (Enterprise Risk Management) frameworks in
Chapter 7 stressed how top management’s risk attitudes and behaviors create either an internal
environment that supports and reinforces sound internal control or one that effectively negates
written control policies. The same principle holds regarding information security. Indeed,
COBIT 5 specifically identifies an organization’s culture and ethics as one of the critical
Enablers for effective information security. To create a security-conscious culture in which
employees comply with organizational policies, top management must not only communicate
the organization’s security policies, but must also lead by example.

 People: Training
COBIT 5 identifies employee skills and competencies as another critical enabler for effective
information security. Employees must understand how to follow the organization’s security
policies. Thus, training is a critical preventive control. Indeed, its importance is reflected in
the fact that security awareness training is discussed as a key practice to support several of
COBIT 5’s 32 management processes.
All employees should be taught why security measures are important to the organization's
long-run survival. They also need to be trained to follow safe computing practices, such as never
opening unsolicited e-mail attachments, using only approved software, not sharing
passwords, and taking steps to physically protect laptops. Training is especially needed to educate
employees about social engineering attacks.
 Process: User Access Controls
It is important to understand that “outsiders” are not the only threat source. An employee
may become disgruntled for any number of reasons (e.g., being passed over for a promotion)
and seek revenge, or may be vulnerable to being corrupted because of financial difficulties, or
may be blackmailed into providing sensitive information. Therefore, organizations need to
implement a set of controls designed to protect their information assets from unauthorized use
and access by employees.

IT Solutions: Antimalware Controls


Malware (viruses, worms, keystroke logging software, and the like) is a major threat.
Malware can damage or destroy information or provide a means for unauthorized access.
Therefore, COBIT 5 section DSS05.01 lists malware protection as one of the keys to effective
security, specifically recommending:
1. Malicious software awareness education,
2. Installation of antimalware protection tools on all devices,
3. Centralized management of patches and updates to antimalware software,
4. Regular review of new malware threats,
5. Filtering of incoming traffic to block potential sources of malware, and
6. Training employees not to install shared or unapproved software.

IT Solutions: Network Access Controls


Most organizations provide employees, customers, and suppliers with remote access to
their information systems. Usually this access occurs via the Internet, but some organizations still
maintain their own proprietary networks or provide direct dial-up access by modem. Many
organizations also provide wireless access to their systems.

IT Solutions: Device and Software Hardening Controls


Firewalls and IPSs are designed to protect the network perimeter. However, just as many
homes and businesses supplement exterior door locks and alarm systems with locked cabinets
and safes to store valuables, an organization can enhance information system security by
supplementing preventive controls on the network perimeter with additional preventive controls
on the workstations, servers, printers, and other devices (collectively referred to as endpoints)
that comprise the organization’s network. COBIT 5 management practice DSS05.03 describes the
activities involved in managing endpoint security. Three areas deserve special attention: (1)
endpoint configuration, (2) user account management, and (3) software design.

IT Solutions: Encryption
Encryption provides a final layer of defense to prevent unauthorized access to sensitive
information. We discuss encryption in more detail in Chapter 9 because of its importance to
achieving the security principles of protecting confidentiality of organizational information
and the privacy of personal information collected from customers, employees, and business
partners.
Detective Controls
As noted earlier, preventive controls are never 100% effective in blocking all attacks.
Therefore, COBIT 5 management practice DSS05.07 describes the activities that organizations
also need to enable timely detection of intrusions and problems. This section discusses the four
types of detective controls.

 Log Analysis
Most systems come with extensive capabilities for logging who accesses the system and
what specific actions each user performed. These logs form an audit trail of system access. Like
any other audit trail, logs are of value only if they are routinely examined. Log analysis is the
process of examining logs to identify evidence of possible attacks.
It is especially important to analyze logs of failed attempts to log on to a system and
failed attempts to obtain access to specific information resources.
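The paragraph above says which log entries matter most but not what "analyzing" them looks like. The following added example (not code from the textbook) runs three detections over a constructed authentication log: a brute-force attempt (many failures against one account from one source), a password spray (one source failing against many accounts), and the highest-value signal of all, a success that follows a burst of failures. The log format, account names, thresholds and source addresses are all invented for the demo (203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges).

```python
"""Failed-logon analysis over constructed authentication log lines.

Added example for the log-analysis control; not code from the textbook.
The log format, accounts, addresses and thresholds are invented for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Tuning knobs, not magic numbers: derive them from the baseline of normal
# failures in your own environment.
BRUTE_FORCE_FAILS = 5        # failures against one account from one source...
SPRAY_DISTINCT_USERS = 4     # ...or failures against this many accounts from one source
WINDOW = timedelta(minutes=10)

# Constructed sample log with three embedded patterns: a brute force on 'admin'
# that ends in a success, a spray across four accounts, and benign noise.
SAMPLE_LOG = """\
2024-03-05T09:00:05 auth FAILED user=admin src=203.0.113.7
2024-03-05T09:00:09 auth FAILED user=admin src=203.0.113.7
2024-03-05T09:00:14 auth FAILED user=admin src=203.0.113.7
2024-03-05T09:00:20 auth FAILED user=admin src=203.0.113.7
2024-03-05T09:00:27 auth FAILED user=admin src=203.0.113.7
2024-03-05T09:00:31 auth OK user=admin src=203.0.113.7
2024-03-05T09:01:00 auth FAILED user=jsmith src=10.0.0.15
2024-03-05T09:01:10 auth OK user=jsmith src=10.0.0.15
2024-03-05T09:02:00 auth FAILED user=alice src=198.51.100.9
2024-03-05T09:02:01 auth FAILED user=bob src=198.51.100.9
2024-03-05T09:02:02 auth FAILED user=carol src=198.51.100.9
2024-03-05T09:02:03 auth FAILED user=dave src=198.51.100.9
2024-03-05T09:30:00 auth FAILED user=erin src=10.0.0.22
"""


def parse(line: str):
    """Parse one line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None                     # unparsed lines should be counted, not dropped silently
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def analyze(log_text: str) -> list[str]:
    """Return alert strings for brute force, password spray and success-after-failures."""
    alerts = []
    fails_by_pair = defaultdict(deque)  # (src, user) -> failure timestamps inside WINDOW
    fails_by_src = defaultdict(dict)    # src -> {user: timestamp of last failure}
    flagged = set()                     # avoid re-alerting on every further failure

    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src, user, ts = ev["src"], ev["user"], ev["ts"]

        if ev["result"] == "FAILED":
            q = fails_by_pair[(src, user)]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= BRUTE_FORCE_FAILS and ("bf", src, user) not in flagged:
                flagged.add(("bf", src, user))
                alerts.append(f"brute-force: {len(q)} failures for {user} from {src} within {WINDOW}")

            users = fails_by_src[src]
            users[user] = ts
            recent = {u for u, t in users.items() if ts - t <= WINDOW}
            if len(recent) >= SPRAY_DISTINCT_USERS and ("spray", src) not in flagged:
                flagged.add(("spray", src))
                alerts.append(f"password-spray: {src} failed against {len(recent)} accounts within {WINDOW}")
        else:
            # A success right after a burst of failures is the signal to act on first.
            q = fails_by_pair[(src, user)]
            recent = [t for t in q if ts - t <= WINDOW]
            if len(recent) >= BRUTE_FORCE_FAILS:
                alerts.append(f"success-after-failures: {user} from {src} after {len(recent)} failures")
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Two things the code makes concrete that the prose leaves implicit: the thresholds have to be set per environment (a help desk that resets passwords all day looks different from a payroll server), and the success-after-failures case is the one to page someone for, because the other two only show that an attack was attempted.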

 Intrusion Detection Systems


Network intrusion detection systems (IDSs) consist of a set of sensors and a central
monitoring unit that create logs of network traffic that was permitted to pass the firewall and
then analyze those logs for signs of attempted or successful intrusions. Like a network IPS, a
network IDS functions by comparing observed traffic to its rulebase.

 Penetration Testing
COBIT 5 control processes MEA01 and MEA02 state the need to periodically test the
effectiveness of business processes and internal controls (including security procedures). We
already discussed the use of vulnerability scanners to identify potential weaknesses in system
configuration. Penetration testing provides a more rigorous way to test the effectiveness of
an organization's information security. A penetration test is an authorized attempt by either
an internal audit team or an external security consulting firm to break into the organization's
information system.

 Continuous Monitoring
COBIT 5 management practice APO01.08 stresses the importance of continuously
monitoring both employee compliance with the organization’s information security policies and
overall performance of business processes.

Security Implications of Virtualization and the Cloud


Recently, many organizations have embraced virtualization and cloud computing to
enhance both efficiency and effectiveness. Virtualization takes advantage of the power and
speed of modern computers to run multiple systems simultaneously on one physical computer.
This cuts hardware costs, because fewer servers need to be purchased. Fewer machines mean
lower maintenance costs. Data center costs also fall because less space needs to be rented,
which also reduces utility costs.
Cloud computing takes advantage of the high bandwidth of the modern global
telecommunication network to enable employees to use a browser to remotely access
software (software as a service), data storage devices (storage as a service), hardware
(infrastructure as a service), and entire application environments (platform as a service).
The arrangement is referred to as a “private,” “public,” or “hybrid” cloud depending upon
whether the remotely accessed resources are entirely owned by the organization, a third
party, or a mix of the two, respectively. Cloud computing can potentially generate significant
cost savings.
Virtualization and cloud computing alter the risk of some information security threats.
For example, unsupervised physical access in a virtualization environment exposes not just
one device but also the entire virtual network to the risk of theft or destruction and
compromise. Similarly, compromising a cloud provider’s system may provide unauthorized
access to multiple systems. Moreover, because public clouds are, by definition, accessible via the
Internet, the authentication process is the primary means of protecting your data stored in the
cloud from unauthorized access. Public clouds also raise concerns about the other aspects of
systems reliability (confidentiality, privacy, processing integrity, and availability) because the
organization is outsourcing control of its data and computing resources to a third party.

CASE : Information Security System

Construction of the Incheon International Airport (IIA) was completed in December 2000; its
design, with two major runways and a passenger terminal of 496,000 m2, is shown in Fig. 1. The
IIA was selected as the best airport worldwide by ACI and IATA in 2005 [1]. Airport security can
be classified into two categories: facility security and computer security. The physical facilities
of the IIA are well protected by the airport security force, which is in charge of the fences
around the airport, the passenger terminal, the transportation center, auxiliary facilities and the
free economic zone. The computer information security system has become more complex
because corporations like Incheon International Airport Corporation (IIAC) use an integrated
information system which shares information through an intranet, groupware, a knowledge
management system and an electronic document management system.
This paper focuses on the computer information security system which would not
only protect the information on the airport operations from outsiders but also prevent
the internal employees from illegally releasing the protected information to the
outsiders.
Although the construction and operation of the Incheon International Airport can
be considered a very successful one, there are some areas in the corporate information
security which can be improved.
- Lack of response plan for emergency: There are several emergency scenarios for the airport
facilities, but there is no security and response plan for an emergency failure of the computer
system.
- Lack of integration of emergency response systems: The current emergency response systems
at IIA are not well integrated. In an emergency such as illegal entry or fire, locating the point of
emergency on the electronic CAD drawings, the CCTV and sensor feeds, and the broadcasting
system used to announce the emergency and the evacuation plan should work together.
- Lack of protection of corporate information: Critical information such as internal documents
and CAD drawings of the IIA facilities is not well protected and can be accessed and released to
outsiders by malicious internal employees.

As reported in the Chosun newspaper on November 25th 2005, there was an incident at IIA in
which an internal employee illegally accessed and released the design documents for the system
integration project of IIA, valued at over $150 million. This project was to integrate the security
system, the communication system and the airport information system. The internal employee
accessed the 250 documents related to the bidding, saved them on a CD and supplied it to a
company that was interested in winning the security system integration project. This information
would have given that company an advantage over its competitors. The internal employee was
later arrested by the police, and the incident was considered a clear sign that the computer
system at IIA was vulnerable to internal intrusion. Such an internal security breach is more
damaging than an external one because the internal employee knows the computer system at IIA
well.
This paper focuses on the development of the computer information security protection
software and its implementation at IIA.

As discussed earlier, critical corporate knowledge can be leaked by internal users in a number
of ways. In this section, various knowledge protection methods are discussed.

- Device Control Technology


Device control technology addresses the channel of knowledge leakage through portable
storage devices such as USB memory devices, CDs, and DVDs. Since this technology controls a
variety of devices installed on the PC, it is difficult to implement such a restrictive security policy
on a corporate-wide basis. Besides, it is nearly impossible to control all such hardware devices
without negatively affecting productivity. As a result, device control technology can be applied
only to a limited number of internal users dealing with simple tasks.

- Document Security Technology


Document security technology restricts indiscriminate use of documents by controlling the
software packages used for preparing such documents, such as Notepad, Word and Excel, and by
managing the documents according to user authority. This technology can be applied to simple
documents such as web pages and image files with a single extension.

- Policy and Contract Approach


For the ultimate security of corporate knowledge, a contract such as a non-disclosure agreement
should be signed by everyone, including internal staff, collaborating companies, suppliers and
customers. This contractual protection of corporate knowledge gives a clear message to all
parties that legal action will be pursued upon illegal handling of confidential files.
Computer Security Protection System Development
During a typical flow of information through its life cycle from creation to delivery, security holes
can be identified as follows:
- Indiscriminate access to information: Without an access control system for newly created
information, anybody may access it. The value of the information is then diminished and the
potential for leakage is high.
- Unauthorized alteration and appropriation: Without a document security system, the
information can be altered, misappropriated and misused by anybody.
- Indiscriminate leakage of information: Without a device control system, the information can be
distributed through printing devices, portable storage devices and mobile terminals.
- Inability to track important information: Without a document tracking system, it is difficult
to track those who were involved in an information leak and hold them accountable for the
damage it caused.

Implementation of Information Security System


The developed Information Security System (ISS) was implemented in the computer system at
the Incheon International Airport Corporation, which runs Hand Software Groupware in a
Windows XP environment. When a user logs into the computer system, the user is granted the
level of access defined by the access control policy and is then continuously monitored and
controlled by the ISS. The standard operational documents within Incheon International Airport
Corporation (IIAC) are classified as confidential, and access to these corporate documents is
controlled by the ISS. Depending on a user's access rights, he or she may modify the corporate
documents. If a user tries to open a file without the appropriate level of authority, he or she is
shown only the encoded content together with a warning.

When an encoded document is to be transmitted outside the corporation, the encoded file and
the external user's access rights are packaged together in an executable file. To create an
externally transmittable file, the internal user right-clicks on the document and defines the
external user's rights and the password needed to open the file. The ISS then automatically
converts the file into an executable such as "document1.exe". When the external user runs the
executable and enters the supplied password, the file opens with the designated level of access.
Two practical caveats apply to this design: a password-protected executable attachment is
exactly what the antimalware guidance earlier in these notes trains employees never to open,
and most e-mail gateways block .exe attachments outright, so the channel should be expected to
conflict with the recipient's own controls.
(Figure: Creation of Executable File for the Transmission to Outside)
Finally, when a confidential document is printed, information about the user is automatically
printed on the output. A watermark consisting of the IIAC logo, the user ID and the time of
printing appears on the printout. This reminds the user that his or her identity is disclosed not
only to the corporation but also to whomever the printout is given.
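The four security holes listed under "Computer Security Protection System Development" (indiscriminate access, unauthorized alteration, leakage through print or export, and lack of tracking) map onto a small amount of policy code plus an audit trail that cannot be quietly edited. The following added example is not the ISS code from the paper; it is a constructed illustration of the same behaviour: clearance-versus-classification checks for read and print, an editor role for modify, an explicit approval flag for export, a watermark string on print, and an HMAC hash chain over the audit log so that a deleted or altered entry breaks verification. The users, documents, levels and the AUDIT_KEY value are invented for the demo.

```python
"""Document access policy with a tamper-evident audit trail.

Added example illustrating the four "security holes" and the ISS behaviour
described for IIAC. It is not the paper's ISS code; users, documents, levels
and the audit key are constructed for the demo.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2}

# Constructed users and documents (the paper's CAD drawings and bid documents
# would sit at CONFIDENTIAL).
USERS = {
    "kim":  {"clearance": "CONFIDENTIAL", "roles": {"designer"}},
    "park": {"clearance": "INTERNAL",     "roles": {"clerk"}},
}
DOCS = {
    "terminal_plan.dwg":  {"classification": "CONFIDENTIAL", "editors": {"designer"}, "export_approved": False},
    "cafeteria_menu.txt": {"classification": "PUBLIC",       "editors": {"clerk"},    "export_approved": True},
}

AUDIT_KEY = b"constructed-demo-key-keep-real-keys-in-an-hsm"   # demo value only


class AuditLog:
    """Append-only log where each entry's MAC also covers the previous MAC.
    Deleting or editing an entry breaks every later MAC, so a leak investigation
    can trust the trail (the fourth "hole": tracking)."""

    def __init__(self):
        self.entries = []
        self._prev = b""

    def record(self, **fields) -> None:
        fields["ts"] = datetime.now(timezone.utc).isoformat()
        body = json.dumps(fields, sort_keys=True).encode()
        mac = hmac.new(AUDIT_KEY, self._prev + body, hashlib.sha256).hexdigest()
        self.entries.append({"body": body.decode(), "mac": mac})
        self._prev = mac.encode()

    def verify(self) -> bool:
        prev = b""
        for e in self.entries:
            expect = hmac.new(AUDIT_KEY, prev + e["body"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expect, e["mac"]):
                return False
            prev = e["mac"].encode()
        return True


def decide(user: str, doc: str, action: str) -> bool:
    """Policy: read/print need clearance >= classification; modify additionally
    needs an editor role; export needs prior approval recorded on the document."""
    u, d = USERS[user], DOCS[doc]
    cleared = LEVELS[u["clearance"]] >= LEVELS[d["classification"]]
    if action in ("read", "print"):
        return cleared
    if action == "modify":
        return cleared and bool(u["roles"] & d["editors"])
    if action == "export":
        return cleared and d["export_approved"]
    return False                        # default deny for unknown actions


def request(log: AuditLog, user: str, doc: str, action: str) -> str:
    """Enforce the policy, log the decision either way, and return what the user sees."""
    allowed = decide(user, doc, action)
    log.record(user=user, doc=doc, action=action, allowed=allowed)
    if not allowed:
        return f"DENIED: {user} may not {action} {doc}; this attempt has been logged"
    if action == "print":
        # The watermark ties a printout back to whoever produced it.
        return f"PRINTED {doc} [watermark: IIAC {user} {datetime.now(timezone.utc):%Y-%m-%d %H:%M}Z]"
    return f"OK: {user} {action} {doc}"


if __name__ == "__main__":
    log = AuditLog()
    for who, what, how in [("park", "terminal_plan.dwg", "read"),
                           ("kim", "terminal_plan.dwg", "modify"),
                           ("kim", "terminal_plan.dwg", "export"),
                           ("kim", "terminal_plan.dwg", "print")]:
        print(request(log, who, what, how))
    print("audit trail intact:", log.verify())
```

Denied attempts are logged as well as successes, since the failed accesses are the ones an investigation will want first. One limitation worth knowing: a hash chain detects deletion or alteration in the middle of the log, but not truncation of the most recent entries, so the latest MAC has to be anchored somewhere the user population cannot write (a separate log host, or a periodic signed checkpoint).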

Summary and Conclusion

The Information Security System (ISS) was developed and implemented at the Incheon
International Airport Corporation (IIAC), where over 1,000 employees share numerous documents in
the file formats doc, xls, ppt, gif, bmp, pdf, txt, zip, and dwg. The ISS presented in this paper not
only provides a secure environment for sharing information at IIAC but also an efficient working
environment without unnecessary interruptions. Once airport information security is
compromised, the ISS will quickly detect and track down the source of the information leak.
The information leakage points were identified and used to design the ISS to prevent such leaks.
The ISS is designed to prevent information leakage by deploying (1) real-time user authentication
and user file and folder encoding technology, (2) external memory device and printing device control
through watermarking technology, and (3) external transmission control of internal documents by
creating an executable file that carries the security information.
The proposed ISS includes a number of security control features which not only stop illegal
access to valuable corporate information but also track down any illegal access that has taken
place. However, when all of these security control functions are implemented, users may find
the ISS constantly interfering with their daily job functions. Therefore, in the future, the proposed ISS
should be expanded into a virtual file system which can protect the confidential corporate
information including intermediate and temporary files.