
Information Security

ACC 444 Enterprise Process Analysis

INTRODUCTION
Figure: Security, Confidentiality, Privacy, Processing Integrity and Availability shown as the pillars supporting Systems Reliability.
One basic function of an AIS is to provide information useful for decision
making. In order to be useful, the information must be reliable.
The Trust Services framework developed
by the AICPA and the Canadian Institute
of Chartered Accountants (CICA)
identified five basic principles that
contribute to systems reliability:
Security
Confidentiality
Online privacy
Processing integrity
Availability
FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
There are three fundamental information security
concepts that will be discussed in this chapter:
1. Security as a management issue, not a technology
issue.
2. The time-based model of security.
3. Defense in depth.
SECURITY AS A MANAGEMENT ISSUE
Management is responsible for the accuracy of various internal reports
and financial statements produced by the organization's IS.
SOX Sections 302 & 906 require that the CEO and CFO certify the
accuracy of the financial statements.
SOX Section 404 requires that the annual report include a report on
the company's internal controls. Within this report, management
acknowledges its responsibility for designing and maintaining
internal controls and assessing their effectiveness.
Security is a key component of the internal control and systems
reliability to which management must attest.
As identified in the COSO model, management's philosophy and
operating style are critical to an effective control environment.
SECURITY AS A MANAGEMENT ISSUE
The Trust Services framework identifies four essential criteria for
successfully implementing the five principles of systems reliability:
1. Develop and document policies.
2. Effectively communicate those policies to all authorized users.
3. Design and employ appropriate control procedures to
implement those policies.
4. Monitor the system, and take corrective action to maintain
compliance with the policies.
Top management involvement and support are necessary to satisfy
each of the preceding criteria.
TIME-BASED MODEL OF SECURITY
The time-based model of security focuses on implementing a
set of preventive, detective, and corrective controls that enable an
organization to recognize that an attack is occurring and take
steps to thwart it before any assets have been compromised.
All three types of controls are necessary:
Preventive
Detective
Corrective:
Repair damage from problems that have occurred.
Improve preventive and detective controls to reduce the likelihood of
similar incidents.
TIME-BASED MODEL OF SECURITY
The time-based model evaluates the effectiveness of an
organization's security by measuring and comparing the
relationship among three variables:
P = Time it takes an attacker to break through the
organization's preventive controls
D = Time it takes to detect that an attack is in progress
C = Time it takes to respond to the attack and correct the problem
These three variables are evaluated as follows:
If P > (D + C), then security procedures are effective: the attack is
detected and stopped before the preventive controls give way.
Otherwise, security is ineffective.
The model provides management with a means to identify the
most cost-effective approach to improving security by comparing
the effects of additional investments in preventive, detective, or
corrective controls.
TIME-BASED MODEL OF SECURITY
EXAMPLE: For an additional expenditure of $25,000, the company
could take one of four measures:
Measure 1 would increase P by 5 minutes.
Measure 2 would decrease D by 3 minutes.
Measure 3 would decrease C by 5 minutes.
Measure 4 would increase P by 3 minutes and reduce C by 3
minutes.
Since each measure has the same cost, which do you think would
be the most cost-effective choice? (Hint: Your goal is to have P
exceed (D + C) by the maximum possible amount.)
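The following Go program is an added worked example, not part of the original slides. It encodes the time-based model (P, D, C and the test P > D + C), applies the four $25,000 measures from the slide, and ranks them by how much each widens P - (D + C) per dollar. The baseline values P = 20, D = 8, C = 15 minutes are assumed for illustration; the slide gives none. Because the model is linear, the ranking does not depend on the baseline, so the program generalizes to any set of candidate measures with different costs.

```go
package main

import "fmt"

// Controls holds the three time-based model variables, all in minutes.
type Controls struct {
	P float64 // time an attacker needs to break through preventive controls
	D float64 // time to detect that an attack is in progress
	C float64 // time to respond to the attack
}

// Margin is P - (D + C). Security is rated effective when it is positive:
// the attack is detected and stopped before prevention is exhausted.
func (c Controls) Margin() float64 { return c.P - (c.D + c.C) }

// Effective applies the model's test: P > (D + C).
func (c Controls) Effective() bool { return c.Margin() > 0 }

// Measure is a candidate investment described by how it shifts P, D and C.
// Increases in P and decreases in D or C both widen the margin.
type Measure struct {
	Name   string
	DeltaP float64 // added to P (positive improves security)
	DeltaD float64 // added to D (negative improves security)
	DeltaC float64 // added to C (negative improves security)
	Cost   float64 // dollars
}

// Apply returns the controls after the measure has been implemented.
func (c Controls) Apply(m Measure) Controls {
	return Controls{P: c.P + m.DeltaP, D: c.D + m.DeltaD, C: c.C + m.DeltaC}
}

// MarginGainPerDollar is the ranking criterion: how much the measure widens
// P - (D + C) for each dollar spent. The model is linear, so this gain is
// the same whatever the current values of P, D and C.
func (c Controls) MarginGainPerDollar(m Measure) float64 {
	return (c.Apply(m).Margin() - c.Margin()) / m.Cost
}

// BestMeasure picks the most cost-effective measure from the list.
func (c Controls) BestMeasure(ms []Measure) Measure {
	best := ms[0]
	for _, m := range ms[1:] {
		if c.MarginGainPerDollar(m) > c.MarginGainPerDollar(best) {
			best = m
		}
	}
	return best
}

// SlideMeasures are the four options from the slide, each costing $25,000.
var SlideMeasures = []Measure{
	{Name: "Measure 1", DeltaP: 5, Cost: 25000},
	{Name: "Measure 2", DeltaD: -3, Cost: 25000},
	{Name: "Measure 3", DeltaC: -5, Cost: 25000},
	{Name: "Measure 4", DeltaP: 3, DeltaC: -3, Cost: 25000},
}

func main() {
	// Assumed baseline for illustration; the slide does not give one.
	base := Controls{P: 20, D: 8, C: 15}
	fmt.Printf("baseline: margin %.0f min, effective: %v\n", base.Margin(), base.Effective())
	for _, m := range SlideMeasures {
		after := base.Apply(m)
		fmt.Printf("%s: margin %.0f min, effective: %v\n", m.Name, after.Margin(), after.Effective())
	}
	fmt.Println("most cost-effective:", base.BestMeasure(SlideMeasures).Name)
}
```

With the assumed baseline the organization starts out ineffective (20 is not greater than 23). Measure 4 is the best buy because it moves two variables in the right direction at once, gaining 6 minutes of margin against 5 for Measures 1 and 3 and 3 for Measure 2; Measure 2 on its own only brings P level with D + C, which the model still rates as ineffective.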

DEFENSE IN DEPTH
The idea of defense-in-depth is to employ multiple layers of
controls to avoid having a single point of failure.
If one layer fails, another may function as planned.
Computer security involves using a combination of firewalls,
passwords, and other preventive procedures to restrict access.
Redundancy also applies to detective and corrective controls.

Now let's see how preventive, detective and corrective controls
may be implemented in a computer environment.
PREVENTIVE CONTROLS
The objective of preventive controls is to prevent
security incidents from happening.
Involves two related functions:
Authentication
a) Focuses on verifying the identity of the person
or device attempting to gain access.
Authorization
a) Restricts access of authenticated users to
specific portions of the system and specifies
what actions they are permitted to perform.
PREVENTIVE CONTROLS - AUTHENTICATION
Users can be authenticated by verifying:
Something they know, such as passwords or PINs.
Something they have, such as smart cards or ID badges.
Some physical characteristic (biometric identifier), such as
fingerprints or voice.
Requiring two of these factors together (multifactor authentication) is
stronger than any single factor, because an attacker must defeat both.
PREVENTIVE CONTROLS
Passwords are probably the most commonly used
authentication method and also the most controversial.
An effective password must satisfy a number of
requirements:
a) Length (e.g., a passphrase)
b) Multiple character types
c) Random
d) Secret
e) Changed often (current NIST guidance in SP 800-63B advises against
forced periodic changes and instead requires a change whenever
compromise is suspected; length and secrecy matter far more than rotation)
How Strong Is Your Password? Test it at Intel's
Password Grader, but never type a password you actually use into any
third-party website.
PREVENTIVE CONTROLS
Each authentication method has its limitations.
Passwords
Physical identification techniques
Biometric techniques:
Expensive and often cumbersome.
Not yet 100% accurate, sometimes rejecting legitimate users (false
rejects) and accepting unauthorized people (false accepts).
Some techniques, like fingerprints, may carry negative connotations that
hinder acceptance.
Security concerns surround the storage of this data.
If the data is compromised, it could create serious, life-long problems for
the person it describes.
Unlike passwords or tokens, biometric identifiers cannot be replaced or
changed.
PREVENTIVE CONTROLS - AUTHORIZATION
Authorization controls are implemented by creating an access
control matrix.
Specifies what part of the IS a user can access and what
actions they are permitted to perform.
When an employee tries to access a particular resource, the
system performs a compatibility test that matches the
user's authenticated identity against the matrix to
determine if the action should be allowed.
The access control matrix should be regularly updated, so that an
employee who changes job duties cannot accumulate a set of
rights that are incompatible with proper segregation of duties.
PREVENTIVE CONTROLS
Who has the authority to delete Program 2?

User Identification          Files          Programs
Code Number   Password       A   B   C      1   2   3   4
12345         ABC            0   0   1      0   0   0   0
12346         DEF            0   2   0      0   0   0   0
12354         KLM            1   1   1      0   0   0   0
12359         NOP            3   0   0      0   0   0   0
12389         RST            0   1   0      0   3   0   0
12567         XYZ            1   1   1      1   1   1   1

Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete
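The Go program below is an added example, not part of the original slides. It encodes the slide's matrix and implements the compatibility test described above: map each requested action to the minimum access code it needs, look up the authenticated user's code for the resource, and deny by default when the user, resource or action is unknown. It also answers the slide's question ("who can delete Program 2?") in general form, which is the same query a reviewer runs when checking segregation of duties. One deliberate departure from the slide: the matrix here holds no passwords. The slide prints them next to the code numbers for teaching purposes; a real system authenticates first against a salted password hash and passes only the authenticated code number to the authorization check.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is the access code used in the slide's matrix.
type Level int

const (
	NoAccess Level = 0 // 0 = no access permitted
	Read     Level = 1 // 1 = read and display only
	Update   Level = 2 // 2 = read, display, and update
	Full     Level = 3 // 3 = read, display, update, create, and delete
)

// Action is a requested operation; each one requires a minimum level.
type Action string

var required = map[Action]Level{
	"read":   Read,
	"update": Update,
	"create": Full,
	"delete": Full,
}

// Matrix maps an authenticated user's code number to the access level held on
// each resource. Passwords are deliberately absent: authentication is a
// separate step that happens before this matrix is consulted.
type Matrix map[string]map[string]Level

// SlideMatrix reproduces the slide's matrix (files A-C, programs 1-4).
var SlideMatrix = Matrix{
	"12345": {"File A": 0, "File B": 0, "File C": 1, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
	"12346": {"File A": 0, "File B": 2, "File C": 0, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
	"12354": {"File A": 1, "File B": 1, "File C": 1, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
	"12359": {"File A": 3, "File B": 0, "File C": 0, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
	"12389": {"File A": 0, "File B": 1, "File C": 0, "Program 1": 0, "Program 2": 3, "Program 3": 0, "Program 4": 0},
	"12567": {"File A": 1, "File B": 1, "File C": 1, "Program 1": 1, "Program 2": 1, "Program 3": 1, "Program 4": 1},
}

// Allowed is the compatibility test: does the user's level on the resource
// meet the minimum the action requires? Unknown users, resources or actions
// are denied (default deny), as is an explicit code 0.
func (m Matrix) Allowed(user, resource string, action Action) bool {
	need, ok := required[action]
	if !ok {
		return false
	}
	level, ok := m[user][resource] // indexing a missing user yields a nil map, ok == false
	if !ok || level == NoAccess {
		return false
	}
	return level >= need
}

// WhoCan answers the slide's question in general form: which users may
// perform the action on the resource? Sorted so the result is stable.
func (m Matrix) WhoCan(resource string, action Action) []string {
	var users []string
	for user := range m {
		if m.Allowed(user, resource, action) {
			users = append(users, user)
		}
	}
	sort.Strings(users)
	return users
}

func main() {
	fmt.Println("can delete Program 2:", SlideMatrix.WhoCan("Program 2", "delete"))
	fmt.Println("can read File A:     ", SlideMatrix.WhoCan("File A", "read"))
	fmt.Println("12346 update File B: ", SlideMatrix.Allowed("12346", "File B", "update"))
	fmt.Println("12346 delete File B: ", SlideMatrix.Allowed("12346", "File B", "delete"))
	fmt.Println("12567 update Prog 1: ", SlideMatrix.Allowed("12567", "Program 1", "update"))
}
```

Only code number 12389 holds level 3 on Program 2, so it is the only user who can delete it; 12567 can read every resource but cannot change any of them, which is what a read-only audit account should look like.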
PREVENTIVE CONTROLS
Authentication and authorization can be applied to devices as well as
users.
Every workstation, printer, or other computing device needs a
network interface card (NIC) to connect to the organization's
network.
Each network interface has an identifier, referred to as its media
access control (MAC) address, which is intended to be unique.
It is possible to restrict network access to only those devices which
have a recognized MAC address or to use MAC addresses for
authorization.
For example, payroll or EFT applications should be set to run only
from authorized terminals.
Caveat: a MAC address is set in software and can be copied by anyone
who can observe it, so MAC filtering is a weak control on its own and
should be paired with stronger device authentication, such as 802.1X
with device certificates.

PREVENTIVE CONTROLS
In addition to authentication and authorization, five additional types of
preventive controls reflect the defense-in-depth approach to satisfying
the constraints of the time-based model of security: training, physical
access controls, remote access controls, hardening, and encryption.
PREVENTIVE CONTROLS - TRAINING
Employees should be trained to follow safe computing
practices, such as:
Never open unsolicited email attachments.
Use only approved software.
Never share or reveal passwords.
Physically protect laptops, especially when traveling.
Train employees about social engineering
attacks, which use deception to obtain unauthorized
access.

PREVENTIVE CONTROLS - PHYSICAL ACCESS
Unauthorized/unsupervised direct physical access to
the system can result in:
Access to sensitive data
Unfettered privileges and rights to the computer
Some Controls:
Only one regular entry point to the building
Receptionist/security guard to verify identity
Physical access to rooms housing computer
equipment should be restricted
Closed circuit TVs

PREVENTIVE CONTROLS - REMOTE ACCESS
Together, the border router and firewall act as filters to control which
information is allowed to enter and leave the organization's information
system.
To understand how they function, we first need to discuss how information
is transmitted on the Internet.
PREVENTIVE CONTROLS - HARDENING
Every program contains flaws, called vulnerabilities, and therefore
represents a potential point of attack.
Optional programs and features that are not used should be disabled.
This process of turning off unnecessary features is called hardening.
Use vulnerability scanners such as the following to identify
weaknesses before an attacker does:
Microsoft Baseline Security Analyzer for Windows (no longer maintained
by Microsoft):
http://www.microsoft.com/technet/security/tools/mbsahome.mspx#EDAA
(Note that there are two builds, x64 and x86, for different processor
architectures; if one does not install on your system, the other will.)
Secunia PSI for Windows (discontinued in 2018): http://secunia.com/
Security analysis tool for Mac: no free scanner was available for the
Mac when this deck was written. Instead, review and implement the
Security Configuration Benchmarks available at
http://www.cisecurity.org/resources-publications/
CHAPTER 7 (to be continued)

Information Systems Controls for Systems Reliability -
Part 1: Information Security
PREVENTIVE CONTROLS - ENCRYPTION
Encryption is the final layer of preventive controls.
PREVENTIVE CONTROLS
Figure: plaintext ("This is a contract for . . .") + key -> encryption
algorithm -> ciphertext ("Xb&j &m 2 ep0%fg . . ."); ciphertext + key ->
decryption algorithm -> plaintext.
Encryption is the process of transforming normal text, called plaintext,
into unreadable gibberish, called ciphertext.
Decryption reverses this process.
To encrypt or decrypt, both a key (a secret value, analogous to a
password) and an algorithm are needed. The key selects one of the many
transformations the algorithm can perform; the algorithm itself need not
be secret, only the key.
PREVENTIVE CONTROLS
Types of Encryption Systems
There are two basic types of encryption systems
a) Symmetric encryption systems
b) Asymmetric encryption systems
PREVENTIVE CONTROLS
Symmetric Encryption Systems
Use the same key to encrypt and decrypt.
Examples: Data Encryption Standard (DES), now obsolete because its
56-bit key can be brute-forced, and Advanced Encryption Standard (AES),
the current standard.
PREVENTIVE CONTROLS
Symmetric encryption advantages:
It is much faster than asymmetric encryption.
Symmetric encryption disadvantages:
Both parties need to know the secret key, so a method is
needed to securely exchange the keys, and email is not an
appropriate solution.
A different key needs to be created for each party with whom
the entity engages in encrypted transactions.
Since both sides of a transaction are using the same key,
there is no way to prove which of the two parties created a
document.
PREVENTIVE CONTROLS
Asymmetric encryption systems
Use two keys:
a) The public key is publicly available.
b) The private key is kept secret and known only
to the owner of that pair of keys.
Either key can be used to encrypt.
Whichever key is used to encrypt, the other key
must be used to decrypt.
PREVENTIVE CONTROLS
Asymmetric encryption solves several problems with symmetric keys.
It doesn't matter who knows the public key, because any text
encrypted with it can only be decrypted using the private key.
The public key can be distributed by email or posted on a website for
anyone who wants to send an encrypted message to the entity.
Any number of parties can use the same public key to send
messages, because only the owner of the key can decrypt them.
Since only one party has the private key, it's possible to prove who
created a document, which provides a means for legally-binding
electronic agreements.
PREVENTIVE CONTROLS
The main drawback to asymmetric encryption is speed.
It is much (thousands of times) slower than symmetric encryption.
Too slow to exchange large amounts of data over the
Internet.
So, e-business uses both types of encryption systems:
Symmetric encryption to encode most of the data being
exchanged.
Asymmetric encryption to safely send the symmetric key to
the recipient for use in decrypting the ciphertext.
Asymmetric encryption can also be used in combination with a
process called hashing to create digital signatures.

PREVENTIVE CONTROLS
Hashing
Hashing takes plaintext of any length and transforms it into a
short, fixed-length code called a hash (or digest).
Two widely-used hashing algorithms in older systems are:
a) MD5, which produces a 128-bit hash of the original message.
b) SHA-1, which produces a 160-bit hash.
Both are now considered broken for security purposes: practical
collision attacks exist for MD5 and, since 2017, for SHA-1, so new
systems should use SHA-256 or stronger.
Hashing differs from encryption in that:
a) Encryption produces ciphertext similar in length to the plaintext,
but hashing produces a hash of a fixed short length, whatever the
size of the input.
b) Encryption is reversible, but hashing is not; you cannot
transform a hash back into its original plaintext.
Let's test it at:
http://www.fileformat.info/tool/hash.htm

PREVENTIVE CONTROLS
Digital Signatures
A digital signature is information encrypted with
the creator's private key.
a) That information can only be decrypted using
the corresponding public key.
b) So successful decryption with an entity's public
key proves the message could only have been
created by the entity that holds the
corresponding private key.
c) The private key is known only to its owner, so
only the owner could have created the message.
PREVENTIVE CONTROLS
Asymmetric encryption is slow, so digital signatures are not
normally created by using the private key to encrypt the entire
contract, purchase order, or other document being exchanged.
The document is first hashed.
The hash is then encrypted, using the sender's private key, to
create the digital signature.
PREVENTIVE CONTROLS
Successfully using a public key to decrypt a document or file proves that it
was created by the entity possessing the corresponding private key.
But how can you know whether the entity with the private key is
really who they purport to be?
Also, how do you get hold of the entity's public key to decrypt it in
the first place?
If you have the sender provide their public key to you directly, you
are not protected from impersonation: anyone can generate a key pair
and claim it belongs to the sender.
The answers involve the use of digital certificates and the creation of a
public key infrastructure.
PREVENTIVE CONTROLS
A digital certificate is an electronic document, created and digitally
signed by a trusted third party.
Certifies the identity of the owner of a particular public key.
Contains that party's public key.
These certificates can be stored on websites.
Browsers are designed to automatically obtain a copy of that digital
certificate, check that it was signed by a certificate authority the
browser trusts, has not expired and names the site being visited, and
then use the public key contained therein to communicate with the website.
You can manually examine the contents of a website's digital
certificate by clicking the lock icon in the browser's address bar
(older browsers showed it in the lower right-hand corner of the window).
Let's check it out at
https://web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp
Digital certificates provide an automated method for obtaining an
organization's or individual's public key.
PREVENTIVE CONTROLS
The term public key infrastructure (PKI) refers to the system and
processes used to issue and manage asymmetric keys and digital
certificates.
An organization that verifies the identity of the owner of a public key
and records that key in a signed digital certificate is called a
certificate authority. (The key pair is normally generated by the owner,
who keeps the private key and sends only the public key to the CA.)
E-business typically uses commercial certificate authorities, such as
Thawte or Verisign.
The certificate authority:
a) Hashes the information stored on a digital certificate
b) Encrypts that hash with its private key
c) Appends that digital signature to the digital certificate
This provides a means for validating the authenticity of the
certificate: anyone holding the CA's public key can check the signature.
PREVENTIVE CONTROLS
EXAMPLE OF ENCRYPTION IN E-BUSINESS
Let's go through an example of how the encryption process
would work in a transaction where Northwest Industries (a
fictional company) is submitting a competitive bid to the
federal government.
Keep in mind that this is serious business. Defense
contractors regularly submit bids to the federal government
for contracts in the millions and billions of dollars. At the time
of bid submission, the contractors themselves may have spent
hundreds of thousands or millions of dollars just developing
the bids.
The stakes can be very high and protection measures are very
tight. Prior to electronic submission of these bids, serious
physical measures were taken to deliver bids. One defense
contractor, for example, would send 3-6 different employees
on different flights to Washington, D.C., to deliver a single bid
to the Pentagon. An employee of this contractor revealed that
bids were intercepted on more than one occasion.


PREVENTIVE CONTROLS
Figure: three parties, N.W. (the bidder), USA (the federal agency) and
CA (a certificate authority).
The N.W. employee connects to the government agency's website and
clicks on the button for submitting bids on open contracts.
PREVENTIVE CONTROLS
The browser moves to a secure web page displaying the lock icon.
PREVENTIVE CONTROLS
The software on N.W.'s computer:
Obtains the digital certificate for the federal agency;
Verifies the validity of the certificate; and
Opens the certificate to get the federal agency's public key.
PREVENTIVE CONTROLS
The federal computer does the same with N.W.'s digital certificate
and key.
PREVENTIVE CONTROLS
N.W. now has the federal agency's public key, and the federal agency
now has N.W.'s public key.
PREVENTIVE CONTROLS
The N.W. employee clicks a button to attach and submit the company's
bid.
PREVENTIVE CONTROLS
Before submitting the bid, N.W.'s encryption software goes through
several steps.
The encryption software first creates a hash of the bid, using a
publicly available hashing algorithm (the slides name MD5; a current
system would use SHA-256, since MD5 collisions are practical).
PREVENTIVE CONTROLS
Next, the hash is encrypted using N.W.'s private key.
This encrypted hash is N.W.'s digital signature.
PREVENTIVE CONTROLS
The bid itself is then encrypted with a symmetric algorithm, such as
AES, using a symmetric key generated fresh for this submission.
PREVENTIVE CONTROLS
N.W. also needs to send a copy of the symmetric key to the federal
agency, since without it the agency cannot decrypt the bid.
PREVENTIVE CONTROLS
They encrypt the symmetric key using the federal agency's public key,
so that only the holder of the agency's private key can recover it.
PREVENTIVE CONTROLS
A package is then electronically transmitted to the federal agency
including:
The bid encrypted with the symmetric key.
The symmetric key encrypted with the federal agency's public key.
The digital signature (the hash of the bid encrypted with N.W.'s
private key).
PREVENTIVE CONTROLS
The federal agency then uses N.W.'s public key to decrypt the digital
signature, recovering the hash that N.W. computed.
PREVENTIVE CONTROLS
They use their own private key to decrypt the symmetric key.
PREVENTIVE CONTROLS
They use the symmetric key that they've just decrypted to decrypt
the actual bid.
PREVENTIVE CONTROLS
They use the same publicly available hashing algorithm that N.W. used
(MD5 in the slides' example) to create their own hash of N.W.'s bid.
PREVENTIVE CONTROLS
They then compare their own hash of the bid to the hash that was
transmitted by N.W.
What will it mean if the two hashes are not identical? Either the bid
was altered after it was signed, or the signature was not produced with
N.W.'s private key; in both cases the submission must be rejected.
PREVENTIVE CONTROLS
Assuming everything is in order and the hashes do match, the federal
agency then sends an acknowledgment to N.W. that their bid has been
received.
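The Go program below is an added example, not part of the original slides or of any real procurement system. It implements both sides of the N.W. exchange described above, and also serves the earlier slides on hashing, digital signatures and hybrid (symmetric plus asymmetric) encryption, using only Go's standard library: Submit hashes the bid, signs the hash with the sender's RSA private key, encrypts the bid under a fresh AES key, and encrypts that AES key with the recipient's RSA public key; Receive reverses each step and, as the slides' last step, rehashes the bid and checks it against the signature. Three things are assumptions of this example rather than the slides' own choices: SHA-256 stands in for MD5, AES is used in GCM mode so that the ciphertext is also integrity-protected, and the certificate authority step is omitted (the test simply hands each side the other's public key). The bid text is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is what N.W. transmits: the bid under a fresh symmetric key, that
// key under the agency's public key, and N.W.'s signature over the bid's hash.
type Package struct {
	EncryptedBid []byte // AES-256-GCM ciphertext with the authentication tag appended
	Nonce        []byte // GCM nonce, sent in the clear
	EncryptedKey []byte // the AES key, RSA-OAEP encrypted to the recipient
	Signature    []byte // RSA PKCS#1 v1.5 signature over SHA-256(bid)
}

// NewParty generates one party's 2048-bit RSA key pair. In the slides' PKI the
// public half would travel in a CA-signed certificate; that step is omitted here.
func NewParty() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Submit is the sender side: hash the bid, sign the hash with the sender's
// private key, encrypt the bid symmetrically, encrypt the symmetric key with
// the recipient's public key.
func Submit(bid []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (Package, error) {
	digest := sha256.Sum256(bid) // the slides use MD5 here; SHA-256 is the current choice
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return Package{}, err
	}
	symKey := make([]byte, 32) // fresh 256-bit AES key for this one submission
	if _, err := rand.Read(symKey); err != nil {
		return Package{}, err
	}
	gcm, err := newGCM(symKey)
	if err != nil {
		return Package{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Package{}, err
	}
	encBid := gcm.Seal(nil, nonce, bid, nil)
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, symKey, nil)
	if err != nil {
		return Package{}, err
	}
	return Package{EncryptedBid: encBid, Nonce: nonce, EncryptedKey: encKey, Signature: sig}, nil
}

// Receive is the agency side: recover the symmetric key with its own private
// key, decrypt the bid, rehash it and check the hash against the signature
// using the sender's public key.
func Receive(pkg Package, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	symKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, pkg.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot recover symmetric key: %w", err)
	}
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	// GCM authenticates the ciphertext, so a bit flipped in transit fails here.
	bid, err := gcm.Open(nil, pkg.Nonce, pkg.EncryptedBid, nil)
	if err != nil {
		return nil, errors.New("bid ciphertext was modified or the key is wrong")
	}
	// The slides' final step: rehash and compare with the signed hash.
	// VerifyPKCS1v15 performs exactly that comparison with the sender's public key.
	digest := sha256.Sum256(bid)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], pkg.Signature); err != nil {
		return nil, errors.New("hashes differ: bid altered or not signed with this sender's private key")
	}
	return bid, nil
}

// newGCM wraps an AES key in GCM mode (authenticated encryption).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	nw, _ := NewParty()
	usa, _ := NewParty()
	pkg, err := Submit([]byte("N.W. Industries bid: USD 4,200,000 (constructed sample)"), nw, &usa.PublicKey)
	if err != nil {
		panic(err)
	}
	bid, err := Receive(pkg, usa, &nw.PublicKey)
	fmt.Printf("recovered: %q, err: %v\n", bid, err)
}
```

Two details matter in practice. Because GCM is authenticated, a tampered ciphertext is rejected at decryption, before the signature is even examined; the signature check then proves origin, which no symmetric mechanism can do because both sides hold the same AES key. And the symmetric key is generated once per submission and never reused, so a leaked key exposes only that one bid.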
DETECTIVE CONTROLS
Authentication and authorization controls represent the organization's
policies governing access to the system and limit the actions that can be
performed by authorized users.
Actual system use must be examined to assess compliance through:
Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security procedures
DETECTIVE CONTROLS
Log Analysis
Most systems come with extensive capabilities for
logging who accesses the system and what specific
actions each user performed.
a) Logs form an audit trail of system access.
b) Are of value only if routinely examined.
c) Log analysis is the process of examining logs
to monitor security.
DETECTIVE CONTROLS
Intrusion Detection Systems
A major weakness of log analysis is that it is labor intensive
and prone to human error.
Intrusion detection systems (IDS) represent an attempt to
automate part of the monitoring.
A network IDS records the traffic that was permitted to pass the
firewall and analyzes it for signs of attempted or successful
intrusions.
The most common analysis (signature-based detection) compares the
traffic to a database containing patterns associated with known attacks.
An alternative technique (anomaly-based detection) builds a model
representing normal network traffic and uses statistical techniques to
identify unusual behavior; it can catch attacks that have no known
signature, at the cost of more false alarms.
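The Go program below is an added example, not part of the original slides. It shows the kind of automated log analysis the two slides above describe, applied to a small constructed sample of sshd-style authentication log lines (not real data). Two signature-style rules are applied: a brute-force rule that fires when one source address produces at least a threshold number of failed logins, and a success-after-failures rule that flags a source that was failing and then got in, which is the case an analyst most wants to see first. The log format, threshold and rule names are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is a constructed sample (not real data): one source hammers the
// server with failed logins and then succeeds; another has a single failure.
const sampleLog = `Jan 12 03:14:07 fin-app01 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:09 fin-app01 sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:12 fin-app01 sshd[4122]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:15 fin-app01 sshd[4123]: Failed password for payroll from 203.0.113.7 port 51242 ssh2
Jan 12 03:14:21 fin-app01 sshd[4124]: Accepted password for payroll from 203.0.113.7 port 51244 ssh2
Jan 12 03:20:02 fin-app01 sshd[4130]: Failed password for jsmith from 198.51.100.5 port 40022 ssh2
Jan 12 03:20:09 fin-app01 sshd[4131]: Accepted password for jsmith from 198.51.100.5 port 40022 ssh2
Jan 12 03:25:44 fin-app01 sshd[4140]: Accepted publickey for deploy from 192.0.2.10 port 60100 ssh2
`

// authLine extracts the three fields the rules need: outcome, user, source IP.
var authLine = regexp.MustCompile(`sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)`)

// SourceStats accumulates what the log says about one source address.
type SourceStats struct {
	Failures             int
	Users                map[string]bool // distinct usernames tried
	SuccessAfterFailures bool            // a login succeeded after earlier failures from this source
}

// Alert is the analyst-facing result of one triggered rule.
type Alert struct {
	Source string
	Rule   string
	Detail string
}

// Analyze runs two signature-style rules over the log text:
//  1. "brute-force": at least threshold failed logins from one source;
//  2. "success-after-failures": such a source then logged in successfully.
// It returns the alerts and the per-source statistics behind them.
func Analyze(log string, threshold int) ([]Alert, map[string]*SourceStats) {
	stats := map[string]*SourceStats{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := authLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not an authentication event
		}
		outcome, user, src := m[1], m[2], m[3]
		s, ok := stats[src]
		if !ok {
			s = &SourceStats{Users: map[string]bool{}}
			stats[src] = s
		}
		s.Users[user] = true
		switch outcome {
		case "Failed":
			s.Failures++
		case "Accepted":
			if s.Failures > 0 {
				s.SuccessAfterFailures = true
			}
		}
	}
	var alerts []Alert
	for src, s := range stats {
		if s.Failures < threshold {
			continue // below the rule's threshold: a few typos are normal
		}
		alerts = append(alerts, Alert{src, "brute-force",
			fmt.Sprintf("%d failed logins across %d usernames", s.Failures, len(s.Users))})
		if s.SuccessAfterFailures {
			alerts = append(alerts, Alert{src, "success-after-failures",
				"login accepted after repeated failures; treat as a possible compromise"})
		}
	}
	return alerts, stats
}

func main() {
	alerts, _ := Analyze(sampleLog, 3)
	for _, a := range alerts {
		fmt.Printf("%-14s %-24s %s\n", a.Source, a.Rule, a.Detail)
	}
}
```

On the sample, 203.0.113.7 triggers both rules (four failures across four usernames, then an accepted login as payroll), while 198.51.100.5, with a single failure before success, stays below the threshold and is not reported. Raising the threshold to 10 produces no alerts at all, which is the trade-off the anomaly-versus-signature discussion above is about: a stricter rule misses more and alarms less.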

DETECTIVE CONTROLS
Managerial Reports, e.g., key performance indicators such as:
Downtime caused by security incidents
Number of systems with IDSs installed
Time to react to security incidents once detected


DETECTIVE CONTROLS
Security Testing
The effectiveness of existing security procedures should be tested
periodically.
a) One approach is vulnerability scans, which use automated
tools designed to identify whether a system possesses any well-
known vulnerabilities.
b) Security websites such as the Center for Internet Security
(www.cisecurity.org) provide:
Benchmarks for security best practices.
Tools to measure how well a system conforms.
CORRECTIVE CONTROLS
Detection of attempted and successful intrusions is important but
is worthless if not followed by corrective action.
Two of the Trust Services framework criteria for effective security
are the existence of procedures to:
React to system security breaches and other incidents.
Take corrective action on a timely basis.
Three key components that satisfy the preceding criteria are:
1. Establishment of a computer incident response team (CIRT).
2. Designation of a specific individual with organization-wide
responsibility for security.
3. An organized patch management system.

CORRECTIVE CONTROLS
Patch Management:
Fixing known vulnerabilities and installing latest
updates to:
a) Anti-virus software
b) Firewalls
c) Operating systems
d) Application programs
New Considerations
Virtualization: multiple systems are run on one computer.
Cloud Computing: remotely accessed resources:
a) Software applications
b) Data storage
c) Hardware
Risks:
Increased exposure if a breach occurs
Reduced authentication standards
Opportunities:
Implementing strong access controls in the cloud or over the server
that hosts a virtual network provides good security over all the
systems contained therein.
Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall