Information Security
ACC 444 Enterprise Process Analysis

INTRODUCTION

(Figure: the five Trust Services principles, with security shown as the foundation for confidentiality, privacy, processing integrity, and availability.)
SYSTEMS RELIABILITY

One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable. The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identifies five basic principles that contribute to systems reliability:
- Security
- Confidentiality
- Online privacy
- Processing integrity
- Availability

FUNDAMENTAL INFORMATION SECURITY CONCEPTS

There are three fundamental information security concepts that will be discussed in this chapter:
1. Security as a management issue, not a technology issue.
2. The time-based model of security.
3. Defense in depth.

SECURITY AS A MANAGEMENT ISSUE

Management is responsible for the accuracy of the various internal reports and financial statements produced by the organization's IS. SOX Sections 302 and 906 require that the CEO and CFO certify the accuracy of the financial statements. SOX Section 404 requires that the annual report include a report on the company's internal controls. Within this report, management acknowledges its responsibility for designing and maintaining internal controls and for assessing their effectiveness. Security is a key component of the internal control and systems reliability to which management must attest. As identified in the COSO model, management's philosophy and operating style are critical to an effective control environment.

The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:
1. Develop and document policies.
2. Effectively communicate those policies to all authorized users.
3. Design and employ appropriate control procedures to implement those policies.
4. Monitor the system, and take corrective action to maintain compliance with the policies.
Top management involvement and support is necessary to satisfy each of the preceding criteria.

TIME-BASED MODEL OF SECURITY

The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised. All three types of controls are necessary:
- Preventive
- Detective
- Corrective: repair damage from problems that have occurred, and improve preventive and detective controls to reduce the likelihood of similar incidents.

The time-based model evaluates the effectiveness of an organization's security by measuring and comparing the relationship among three variables:
  P = time it takes an attacker to break through the organization's preventive controls
  D = time it takes to detect that an attack is in progress
  C = time to respond to the attack
These three variables are evaluated as follows: if P > (D + C), then security procedures are effective; otherwise, security is ineffective. The model provides management with a means to identify the most cost-effective approach to improving security by comparing the effects of additional investments in preventive, detective, or corrective controls.

TIME-BASED MODEL OF SECURITY: EXAMPLE

For an additional expenditure of $25,000, the company could take one of four measures:
- Measure 1 would increase P by 5 minutes.
- Measure 2 would decrease D by 3 minutes.
- Measure 3 would decrease C by 5 minutes.
- Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.
Since each measure has the same cost, which do you think would be the most cost-effective choice?
(Hint: Your goal is to have P exceed (D + C) by the maximum possible amount.)
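The four measures scored against the P > (D + C) rule, as an added example that is not part of the lecture slides. The baseline values of P, D and C and the names Posture, rank_measures and best_measure are assumptions of this example; the slides give only the per-measure changes.

```python
"""Time-based model of security: security is effective when P > D + C.

Added example (not from the lecture slides). Scores the four equal-cost
measures described above by how much each improves the safety margin
P - (D + C). The baseline minutes are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """Minutes: P = time to defeat preventive controls, D = time to detect
    an attack in progress, C = time to respond once detected."""
    P: float
    D: float
    C: float

    @property
    def margin(self) -> float:
        """Positive means the attack is stopped before assets are compromised."""
        return self.P - (self.D + self.C)

    @property
    def effective(self) -> bool:
        return self.margin > 0

    def apply(self, dP: float = 0, dD: float = 0, dC: float = 0) -> "Posture":
        """Posture after a measure shifts P, D and/or C by the given minutes."""
        return Posture(self.P + dP, self.D + dD, self.C + dC)


# The four candidate measures from the slides; each costs the same $25,000.
MEASURES = {
    "Measure 1": dict(dP=+5),
    "Measure 2": dict(dD=-3),
    "Measure 3": dict(dC=-5),
    "Measure 4": dict(dP=+3, dC=-3),
}


def rank_measures(baseline: Posture, measures: dict = MEASURES) -> list:
    """(name, margin gain) pairs, best first. The gain does not depend on
    the baseline, because each measure shifts P - (D + C) by a constant."""
    gains = [(name, baseline.apply(**delta).margin - baseline.margin)
             for name, delta in measures.items()]
    return sorted(gains, key=lambda item: item[1], reverse=True)


def best_measure(baseline: Posture, measures: dict = MEASURES) -> str:
    """Name of the measure that raises P - (D + C) the most."""
    return rank_measures(baseline, measures)[0][0]


if __name__ == "__main__":
    # Constructed baseline: attackers need 30 min, detection takes 20 min,
    # response takes 15 min, so P - (D + C) = -5 and security is ineffective.
    base = Posture(P=30, D=20, C=15)
    print(f"baseline margin {base.margin:+} effective={base.effective}")
    for name, gain in rank_measures(base):
        after = base.apply(**MEASURES[name])
        print(f"{name}: margin {after.margin:+} (gain {gain:+}) "
              f"effective={after.effective}")
```

Only Measure 4 moves the constructed baseline from ineffective to effective; Measures 1 and 3 each gain 5 minutes but only reach P = D + C, which the rule still counts as ineffective.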
DEFENSE IN DEPTH

The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure. If one layer fails, another may function as planned. Computer security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access. Redundancy also applies to detective and corrective controls.

Now let's see how preventive, detective, and corrective controls may be implemented in a computer environment.

PREVENTIVE CONTROLS

The objective of preventive controls is to prevent security incidents from happening. This involves two related functions:
a) Authentication focuses on verifying the identity of the person or device attempting to gain access.
b) Authorization restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.

PREVENTIVE CONTROLS - AUTHENTICATION

Users can be authenticated by verifying:
- Something they know, such as passwords or PINs.
- Something they have, such as smart cards or ID badges.
- Some physical characteristic (biometric identifier), such as fingerprints or voice.

Passwords are probably the most commonly used authentication method and also the most controversial. An effective password must satisfy a number of requirements:
a) Length (e.g., a passphrase)
b) Multiple character types
c) Random
d) Secret
e) Changed often
How strong is your password? Test it at Intel's Password Grader.

Each authentication method has its limitations:
- Passwords
- Physical identification techniques
- Biometric techniques:
  - Expensive and often cumbersome.
  - Not yet 100% accurate, sometimes rejecting legitimate users and allowing unauthorized people.
  - Some techniques, like fingerprints, may carry negative connotations that hinder acceptance.
  - Security concerns surround the storage of this data. If the data is compromised, it could create serious, life-long problems for the donor. Unlike passwords or tokens, biometric identifiers cannot be replaced or changed.
PREVENTIVE CONTROLS - AUTHORIZATION

Authorization controls are implemented by creating an access control matrix, which specifies what part of the IS a user can access and what actions they are permitted to perform. When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed. The access control matrix should be regularly updated, so that an employee who changes job duties cannot accumulate a set of rights that are incompatible with proper segregation of duties.

Who has the authority to delete Program 2?

  User Identification        Files          Programs
  Code Number   Password     A   B   C      1   2   3   4
  12345         ABC          0   0   1      0   0   0   0
  12346         DEF          0   2   0      0   0   0   0
  12354         KLM          1   1   1      0   0   0   0
  12359         NOP          3   0   0      0   0   0   0
  12389         RST          0   1   0      0   3   0   0
  12567         XYZ          1   1   1      1   1   1   1

Codes for type of access:
  0 = No access permitted
  1 = Read and display only
  2 = Read, display, and update
  3 = Read, display, update, create, and delete

PREVENTIVE CONTROLS - DEVICE AUTHENTICATION AND AUTHORIZATION

Authentication and authorization can be applied to devices as well as users. Every workstation, printer, or other computing device needs a network interface card (NIC) to connect to the organization's network. Each network device has a unique identifier, referred to as its media access control (MAC) address. It is possible to restrict network access to only those devices which have a recognized MAC address, or to use MAC addresses for authorization. For example, payroll or EFT applications should be set to run only from authorized terminals.
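The access control matrix above as a runnable compatibility test, added here as an example that is not code from the lecture slides. It encodes the matrix exactly as shown, answers the "who can delete Program 2?" question by computation, and adds a hypothetical segregation-of-duties check (the names MATRIX, compatibility_test, users_who_can and segregation_conflicts are this example's own); passwords appear in the clear only because the slide lists them that way.

```python
"""Access control matrix and compatibility test (added example, not slide code).

The matrix rows, passwords and access codes 0-3 are copied from the slide.
A real system would store salted password hashes, not the passwords.
"""
import hmac

ACCESS_CODES = {
    0: set(),                                     # no access permitted
    1: {"read"},                                  # read and display only
    2: {"read", "update"},                        # read, display, update
    3: {"read", "update", "create", "delete"},    # full rights
}
RESOURCES = ["File A", "File B", "File C",
             "Program 1", "Program 2", "Program 3", "Program 4"]

# Code number -> (password, access code per resource in RESOURCES order)
MATRIX = {
    "12345": ("ABC", [0, 0, 1, 0, 0, 0, 0]),
    "12346": ("DEF", [0, 2, 0, 0, 0, 0, 0]),
    "12354": ("KLM", [1, 1, 1, 0, 0, 0, 0]),
    "12359": ("NOP", [3, 0, 0, 0, 0, 0, 0]),
    "12389": ("RST", [0, 1, 0, 0, 3, 0, 0]),
    "12567": ("XYZ", [1, 1, 1, 1, 1, 1, 1]),
}


def permitted_actions(code_number: str, resource: str) -> set:
    """Actions the matrix grants this user on this resource (empty if none)."""
    if code_number not in MATRIX or resource not in RESOURCES:
        return set()
    level = MATRIX[code_number][1][RESOURCES.index(resource)]
    return ACCESS_CODES[level]


def compatibility_test(code_number: str, password: str,
                       resource: str, action: str) -> bool:
    """Authenticate the credentials, then authorize the requested action.
    Default deny: an unknown user, a wrong password, an unknown resource or
    an action outside the granted level all return False."""
    row = MATRIX.get(code_number)
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return False                              # authentication failed
    return action in permitted_actions(code_number, resource)


def users_who_can(action: str, resource: str) -> list:
    """Answer the slide's question: which code numbers hold this right?"""
    return sorted(code for code in MATRIX
                  if action in permitted_actions(code, resource))


def segregation_conflicts(incompatible_pairs: list) -> list:
    """Flag users who hold every right in an incompatible pair. The pairs
    are hypothetical policy input; the slide only states the principle that
    accumulated rights must be reviewed when duties change."""
    conflicts = []
    for code in MATRIX:
        for pair in incompatible_pairs:
            if all(act in permitted_actions(code, res) for act, res in pair):
                conflicts.append((code, pair))
    return conflicts


if __name__ == "__main__":
    print("Can delete Program 2:", users_who_can("delete", "Program 2"))
    print(compatibility_test("12389", "RST", "Program 2", "delete"))   # True
    print(compatibility_test("12389", "NOP", "Program 2", "delete"))   # False
    print(compatibility_test("12567", "XYZ", "Program 2", "delete"))   # False
    policy = [(("read", "File B"), ("delete", "Program 2"))]           # hypothetical
    print("Segregation conflicts:", segregation_conflicts(policy))
```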
PREVENTIVE CONTROLS

In addition to authentication and authorization, five additional types of preventive controls reflect the defense-in-depth approach to satisfying the constraints of the time-based model of security.

PREVENTIVE CONTROLS - TRAINING

Employees should be trained to follow safe computing practices, such as:
- Never open unsolicited email attachments.
- Use only approved software.
- Never share or reveal passwords.
- Physically protect laptops, especially when traveling.
Train employees about social engineering attacks, which use deception to obtain unauthorized access.

PREVENTIVE CONTROLS - PHYSICAL ACCESS

Unauthorized or unsupervised direct physical access to the system can result in:
- Access to sensitive data
- Unfettered privileges and rights on the computer
Some controls:
- Only one regular entry point to the building
- A receptionist or security guard to verify identity
- Restricted physical access to rooms housing computer equipment
- Closed-circuit TVs
PREVENTIVE CONTROLS - REMOTE ACCESS

Together, the border router and firewall act as filters to control which information is allowed to enter and leave the organization's information system. To understand how they function, we first need to discuss how information is transmitted on the Internet.

PREVENTIVE CONTROLS - HARDENING

Every program contains flaws, called vulnerabilities, and therefore represents a potential point of attack. Optional programs and features that are not used should be disabled. This process of turning off unnecessary features is called hardening. Utilize vulnerability scanners like the following to identify potential security threats:
- Microsoft Baseline Security Analyzer for Windows: http://www.microsoft.com/technet/security/tools/mbsahome.mspx#EDAA (Note that you have two options, x64 and x86. If one does not work, try the other. They are each set up for different processors, so it is likely that if one does not work on your system, the other will.)
- Secunia PSI for Windows: http://secunia.com/
- Security analyzing tool for Mac: there is no free security analyzing tool available for Mac. Instead, review and implement the Security Configuration Benchmarks available at http://www.cisecurity.org/resources-publications/

CHAPTER 7 ... to be continued
Information Systems Controls for Systems Reliability - Part 1: Information Security

PREVENTIVE CONTROLS - ENCRYPTION

Encryption is the final layer of preventive controls.

(Figure: the plaintext "This is a contract for . . ." passes through the encryption algorithm with a key to become the ciphertext "Xb&j &m 2 ep0%fg . . ."; the decryption algorithm with the key turns it back into the plaintext.)

Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this process. To encrypt or decrypt, both a key (password) and an algorithm are needed.

PREVENTIVE CONTROLS - TYPES OF ENCRYPTION SYSTEMS

There are two basic types of encryption systems:
a) Symmetric encryption systems
b) Asymmetric encryption systems

Symmetric encryption systems use the same key to encrypt and decrypt. Examples: Data Encryption Standard (DES) and Advanced Encryption Standard (AES).

Symmetric encryption advantages:
- It is much faster than asymmetric encryption.
Symmetric encryption disadvantages:
- Both parties need to know the secret key, so a method is needed to securely exchange the keys, and email is not an appropriate solution.
- A different key needs to be created for each party with whom the entity engages in encrypted transactions.
- Since both sides of a transaction are using the same key, there is no way to prove which of the two parties created a document.

Asymmetric encryption systems use two keys:
a) The public key is publicly available.
b) The private key is kept secret and known only to the owner of that pair of keys.
Either key can be used to encrypt. Whichever key is used to encrypt, the other key must be used to decrypt.

Asymmetric encryption solves several problems with symmetric keys. It doesn't matter who knows the public key, because any text encrypted with it can only be decrypted using the private key. The public key can be distributed by email or posted on a website for anyone who wants to send an encrypted message to the entity. Any number of parties can use the same public key to send messages, because only the owner of the key can decrypt them. Since only one party has the private key, it's possible to prove who created a document, which provides a means for legally binding electronic agreements.

The main drawback to asymmetric encryption is speed. It is much (thousands of times) slower than symmetric encryption, and too slow to exchange large amounts of data over the Internet. So e-business uses both types of encryption systems:
- Symmetric encryption to encode most of the data being exchanged.
- Asymmetric encryption to safely send the symmetric key to the recipient for use in decrypting the ciphertext.
Asymmetric encryption can also be used in combination with a process called hashing to create digital signatures.
PREVENTIVE CONTROLS - HASHING

Hashing takes plaintext of any length and transforms it into a short code called a hash. Two widely used hashing algorithms are:
a) MD5: produces a 128-bit hash of the original message.
b) SHA-1: produces a 160-bit hash.
Hashing differs from encryption in that:
a) Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length.
b) Encryption is reversible, but hashing is not; you cannot transform a hash back into its original plaintext.
Let's test it at: http://www.fileformat.info/tool/hash.htm

PREVENTIVE CONTROLS - DIGITAL SIGNATURES

A digital signature is information encrypted with the creator's private key.
a) That information can only be decrypted using the corresponding public key.
b) So successful decryption with an entity's public key proves the message could only have been created by the entity that holds the corresponding private key.
c) The private key is known only to its owner, so only the owner could have created the message.

Asymmetric encryption is slow, so digital signatures are not normally created by using the private key to encrypt the entire contract, purchase order, or other document being exchanged. The document is first hashed. The hash is then encrypted, using the sender's private key, to create the digital signature.

Successfully using a public key to decrypt a document or file proves that it was created by the entity possessing the corresponding private key. But how can you know whether the entity with the private key is really who they purport to be? Also, how do you get hold of the entity's public key to decrypt it in the first place? If you have the sender provide their public key to you directly, you are not protected from an impersonation. The answers involve the use of digital certificates and the creation of a public key infrastructure.

PREVENTIVE CONTROLS - DIGITAL CERTIFICATES

A digital certificate is an electronic document, created and digitally signed by a trusted third party, that:
- Certifies the identity of the owner of a particular public key.
- Contains that party's public key.
These certificates can be stored on websites. Browsers are designed to automatically obtain a copy of that digital certificate and use the public key contained therein to communicate with the website. You can manually examine the contents of a website's digital certificate by double-clicking on the lock icon that appears in the lower, right-hand corner of the browser window. Let's check it out at https://web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp
Digital certificates provide an automated method for obtaining an organization's or individual's public key.

PREVENTIVE CONTROLS - PUBLIC KEY INFRASTRUCTURE

The term public key infrastructure (PKI) refers to the system and processes used to issue and manage asymmetric keys and digital certificates. An organization that issues public and private keys and records the public key in a digital certificate is called a certificate authority. E-business typically uses commercial certificate authorities, such as Thawte or Verisign. The certificate authority:
a) Hashes the information stored on a digital certificate.
b) Encrypts that hash with its private key.
c) Appends that digital signature to the digital certificate.
This provides a means for validating the authenticity of the certificate.

PREVENTIVE CONTROLS - EXAMPLE OF ENCRYPTION IN E-BUSINESS

Let's go through an example of how the encryption process would work in a transaction where Northwest Industries (a fictional company) is submitting a competitive bid to the federal government. Keep in mind that this is serious business. Defense contractors regularly submit bids to the federal government for contracts in the millions and billions of dollars. At the time of bid submission, the contractors themselves may have spent hundreds of thousands or millions of dollars just developing the bids. The stakes can be very high and protection measures are very tight. Prior to electronic submission of these bids, serious physical measures were taken to deliver bids. One defense contractor, for example, would send 3-6 different employees on different flights to Washington, D.C., to deliver a single bid to the Pentagon. An employee of this contractor revealed that bids were intercepted on more than one occasion.
PREVENTIVE CONTROLS - EXAMPLE OF ENCRYPTION IN E-BUSINESS (continued)

(Figures on these slides show three parties, N.W. (Northwest Industries), USA (the federal agency) and the CA (certificate authority), together with the items each holds at every step: the bid, its hash, the symmetric key, and the two public keys.)

1. The N.W. employee connects to the government agency's website and clicks on the button for submitting bids on open contracts.
2. The browser moves to a secure web page displaying the lock icon.
3. The software on N.W.'s computer:
   - obtains the digital certificate for the federal agency;
   - verifies the validity of the certificate; and
   - opens the certificate to get the federal agency's public key.
4. The federal computer does the same with N.W.'s digital certificate and key.
5. N.W. now has the federal agency's public key, and the federal agency now has N.W.'s public key.
6. The N.W. employee clicks a button to attach and submit the company's bid.
7. Before submitting the bid, N.W.'s encryption software goes through several steps. The encryption software first creates a hash of the bid, using a publicly available hashing algorithm like MD5.
8. Next, the hash is encrypted using N.W.'s private key. This encrypted hash is N.W.'s digital signature.
9. The bid itself is then encrypted with a symmetric key (using a symmetric algorithm such as AES).
10. N.W. also needs to send a copy of the symmetric key to the federal agency. They encrypt the symmetric key using the federal agency's public key.
11. A package is then electronically transmitted to the federal agency including:
    - The bid encrypted with the symmetric key.
    - The symmetric key encrypted with the federal agency's public key.
    - The digital signature (the encrypted hash).
12. The federal agency then uses N.W.'s public key to decrypt the digital signature.
13. They use their own private key to decrypt the symmetric key.
14. They use the symmetric key that they've just decrypted to decrypt the actual bid.
15. They use the same publicly available hashing program that was used by N.W. (MD5 in this case) to create their own hash of N.W.'s bid.
16. They then compare their own hash of the bid to the hash that was transmitted by N.W. What will it mean if the two hashes are not identical?
17. Assuming everything is in order and the hashes do match, the federal agency then sends an acknowledgment to N.W. that their bid has been received.
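The bid-submission flow described above (hash the bid, sign the hash with N.W.'s private key, encrypt the bid with a symmetric key, wrap that key with the agency's public key, then unwrap, decrypt, rehash and compare on the agency's side), as an added example that is not code from the lecture slides or from any real bidding system. It assumes the certificate exchange has already given each side the other's public key, and uses standard-library stand-ins: textbook RSA over fixed, publicly known Mersenne primes for the key pairs, a SHA-256 keystream in place of AES, and SHA-256 where the slides say MD5; the function names are this example's own.

```python
"""N.W. bid submission: hash, sign, hybrid-encrypt, then verify at the agency.

Added example, not code from the lecture slides or any real bidding system.
Standard-library stand-ins so it runs offline: textbook RSA (no padding) over
fixed, publicly known Mersenne primes for the key pairs, a SHA-256 keystream
XOR in place of AES, and SHA-256 where the slides say MD5. Not production
cryptography; the message flow is the point.
"""
import hashlib
import os

E = 65537  # common RSA public exponent

def make_keypair(p: int, q: int) -> tuple:
    """Return (public, private) as ((n, e), (n, d)) for the toy primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest_int(data: bytes) -> int:
    """Hash of any-length input as a fixed-size 256-bit integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256(key || counter) keystream.
    Applying it twice with the same key recovers the data."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def nw_prepare_package(bid: bytes, nw_private: tuple, usa_public: tuple) -> dict:
    """N.W.'s side: hash the bid, sign the hash with N.W.'s private key, encrypt
    the bid with a fresh symmetric key, wrap that key with the agency's public key."""
    n_nw, d_nw = nw_private
    n_usa, e_usa = usa_public
    sym_key = os.urandom(16)  # one symmetric key per bid
    return {
        "encrypted_bid": stream_xor(sym_key, bid),
        "encrypted_key": pow(int.from_bytes(sym_key, "big"), e_usa, n_usa),
        "signature": pow(digest_int(bid), d_nw, n_nw),  # the encrypted hash
    }

def usa_open_package(pkg: dict, usa_private: tuple, nw_public: tuple) -> tuple:
    """Agency's side: decrypt the signature with N.W.'s public key, unwrap the
    symmetric key with the agency's private key, decrypt the bid, rehash and
    compare. (bid, True) on a match; (None, False) if the bid was altered in
    transit or the signature was not made with N.W.'s private key."""
    n_usa, d_usa = usa_private
    n_nw, e_nw = nw_public
    claimed_hash = pow(pkg["signature"], e_nw, n_nw)
    try:
        sym_key = pow(pkg["encrypted_key"], d_usa, n_usa).to_bytes(16, "big")
    except OverflowError:  # decrypts to something that is not a 16-byte key
        return None, False
    bid = stream_xor(sym_key, pkg["encrypted_bid"])
    if digest_int(bid) != claimed_hash:
        return None, False
    return bid, True

def tamper(pkg: dict, field: str) -> dict:
    """Flip one bit of a package field, to show what a mismatched hash means."""
    value = pkg[field]
    if isinstance(value, bytes):
        value = value[:-1] + bytes([value[-1] ^ 1])
    else:
        value ^= 1
    return dict(pkg, **{field: value})

# Constructed toy key pairs; Mersenne primes are public, so these are not secret.
NW_PUBLIC, NW_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)
USA_PUBLIC, USA_PRIVATE = make_keypair(2**89 - 1, 2**607 - 1)

if __name__ == "__main__":
    bid = b"Northwest Industries bids $4,250,000 on solicitation X-1 (constructed)."
    package = nw_prepare_package(bid, NW_PRIVATE, USA_PUBLIC)
    print(usa_open_package(package, USA_PRIVATE, NW_PUBLIC))            # (bid, True)
    for field in ("encrypted_bid", "signature", "encrypted_key"):
        print(field, usa_open_package(tamper(package, field), USA_PRIVATE, NW_PUBLIC))
```

A mismatched hash cannot tell the agency which of the two happened (altered bid or wrong signer), only that the bid must be rejected; the tamper helper shows both cases failing the same way.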
DETECTIVE CONTROLS

Authentication and authorization controls represent the organization's policies governing access to the system and limit the actions that can be performed by authorized users. Actual system use must be examined to assess compliance through:
- Log analysis
- Intrusion detection systems
- Managerial reports
- Periodically testing the effectiveness of existing security procedures

DETECTIVE CONTROLS - LOG ANALYSIS

Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed.
a) Logs form an audit trail of system access.
b) Logs are of value only if routinely examined.
c) Log analysis is the process of examining logs to monitor security.

DETECTIVE CONTROLS - INTRUSION DETECTION SYSTEMS

A major weakness of log analysis is that it is labor intensive and prone to human error. Intrusion detection systems (IDS) represent an attempt to automate part of the monitoring. An IDS creates a log of network traffic that was permitted to pass the firewall and analyzes the logs for signs of attempted or successful intrusions. The most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks. An alternative technique builds a model representing normal network traffic and uses various statistical techniques to identify unusual behavior.
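The two IDS techniques just described, run over a constructed audit trail, as an added example that is not code from the lecture slides: a small database of known-bad patterns (signature matching) beside a statistical model of normal failed-login behaviour (anomaly detection). All log lines, addresses, user names, the approved-program list and the threshold are constructed for illustration, and the function names are this example's own.

```python
"""Log analysis and two IDS techniques over constructed audit-trail lines.

Added example, not code from the lecture slides. Technique 1 matches each
record against a small database of known-bad patterns; technique 2 models
normal behaviour (failed logins per source) and flags sources that are
statistically unusual, catching a burst of failures that no pattern matches.
Every log line, address, user name and threshold below is constructed.
"""
import re
import statistics
from collections import Counter

# Constructed records: timestamp then key=value fields (src, user, action, ...).
SAMPLE_LOG = "\n".join(
    ["2012-03-01T08:00:01 src=10.0.0.5 user=alice action=login result=ok",
     "2012-03-01T08:00:09 src=10.0.0.5 user=alice action=run program=ledger.exe",
     "2012-03-01T08:01:00 src=10.0.0.7 user=bob action=login result=fail",
     "2012-03-01T08:01:02 src=10.0.0.7 user=bob action=login result=ok"]
    + [f"2012-03-01T08:02:{i:02d} src=203.0.113.9 user=jsmith action=login result=fail"
       for i in range(5)]
    + ["2012-03-01T08:03:00 src=198.51.100.4 user=admin action=login result=fail",
       "2012-03-01T08:04:10 src=10.0.0.7 user=bob action=run program=unknown_tool.exe"])

INTERNAL_PREFIX = "10.0.0."                      # the organization's own network
DEFAULT_ACCOUNTS = {"admin", "guest"}            # must never be used remotely
APPROVED_PROGRAMS = {"ledger.exe", "report.exe"}  # "use only approved software"

# Technique 1: "database" of patterns associated with known attacks.
SIGNATURES = [
    ("default-account login from outside",
     lambda r: r.get("action") == "login"
     and r.get("user") in DEFAULT_ACCOUNTS
     and not r.get("src", "").startswith(INTERNAL_PREFIX)),
    ("unapproved program executed",
     lambda r: r.get("action") == "run"
     and r.get("program") not in APPROVED_PROGRAMS),
]

# Technique 2: constructed history of failed logins per source on normal days.
BASELINE_FAILS = [0, 1, 0, 2, 1, 0, 1, 0]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list:
    """Turn each non-empty line into a dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        rec = {"ts": parts[0]}
        rec.update(FIELD_RE.findall(parts[1]))
        records.append(rec)
    return records


def signature_matches(records: list) -> list:
    """(timestamp, signature name) for every record hitting a known pattern."""
    return [(r["ts"], name) for r in records
            for name, pred in SIGNATURES if pred(r)]


def failed_logins_by_source(records: list) -> Counter:
    """Failed login attempts counted per source address."""
    return Counter(r["src"] for r in records
                   if r.get("action") == "login" and r.get("result") == "fail")


def anomalous_sources(records: list, baseline: list, k: float = 3.0) -> list:
    """Sources whose failed-login count exceeds mean + k * stdev of normal
    behaviour. k tunes sensitivity: lower catches more but raises false alarms."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = failed_logins_by_source(records)
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("signature hits:", signature_matches(recs))
    print("anomalous sources:", anomalous_sources(recs, BASELINE_FAILS))
```

The five failures from 203.0.113.9 match no signature (jsmith is an ordinary account), so only the statistical model flags them; the two signature hits are single records that the rate model would never notice.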
DETECTIVE CONTROLS - MANAGERIAL REPORTS

E.g., key performance indicators such as:
- Downtime caused by security incidents
- Number of systems with IDSs installed
- Time to react to security incidents once detected

DETECTIVE CONTROLS - SECURITY TESTING

The effectiveness of existing security procedures should be tested periodically.
a) One approach is vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities.
b) Security websites such as the Center for Information Security (www.cisecurity.org) provide:
   - Benchmarks for security best practices.
   - Tools to measure how well a system conforms.

CORRECTIVE CONTROLS

Detection of attempted and successful intrusions is important but is worthless if not followed by corrective action. Two of the Trust Services framework criteria for effective security are the existence of procedures to:
- React to system security breaches and other incidents.
- Take corrective action on a timely basis.
Three key components that satisfy the preceding criteria are:
1. Establishment of a computer incident response team (CIRT).
2. Designation of a specific individual with organization-wide responsibility for security.
3. An organized patch management system.

CORRECTIVE CONTROLS - PATCH MANAGEMENT

Patch management: fixing known vulnerabilities and installing the latest updates to:
a) Anti-virus software
b) Firewalls
c) Operating systems
d) Application programs

NEW CONSIDERATIONS

Virtualization: multiple systems are run on one computer.
Cloud computing: remotely accessed resources:
a) Software applications
b) Data storage
c) Hardware
Risks:
- Increased exposure if a breach occurs
- Reduced authentication standards
Opportunities:
- Implementing strong access controls in the cloud, or over the server that hosts a virtual network, provides good security over all the systems contained therein.

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall