Auditing Information Systems (AIS)
Lecture 11: 'Protection of Information Assets'

Importance of Information Security Management
Security objectives to meet the organization's business requirements include:
• Ensure the continued availability of its information systems
• Ensure the integrity of the information stored on its computer systems
• Preserve the confidentiality of sensitive data
• Ensure conformity to applicable laws, regulations and standards
• Ensure adherence to trust and obligation in relation to any information relating to an identified or identifiable individual
• Preserve the confidentiality of sensitive data in storage and in transit

Key Elements of Information Security Management
• Senior management commitment and support
• Policies and procedures
• Security awareness and education
• Monitoring and compliance
• Incident handling and response

Inventory and Classification of Information Assets
The inventory record of each information asset should include:
• Specific identification of the asset
• Relative value to the organization
• Location
• Security / risk classification
• Asset group
• Owner
• Designated custodian

System Access Permission
• Who has access rights, and to what?
• What level of access is to be granted?
• Who is responsible for determining the access rights and access levels?
• What approvals are needed for access?

Practice Question 5-1
A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the operating system (OS) prompt or as one of the menu options in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to:
A. delete the utility software and install it as and when required.
B. provide access to the utility on a need-to-use basis.
C. provide access to the utility to user management.
Mandatory and Discretionary Access Controls
• Mandatory
  ▫ Enforces corporate security policy; cannot be overridden by users or data owners
  ▫ Compares the sensitivity label of the information resource with the clearance of the subject requesting access
• Discretionary
  ▫ Enforces data owner-defined sharing of information resources

Logical Access
Logical access controls are the primary means used to manage and protect information assets.

Logical Access Exposures
Technical exposures include:
• Data leakage
• Trojan horses / backdoors
• Viruses / worms
• Logic bombs
• Denial-of-service attacks
• War driving

Familiarization with the Organization's IT Environment
Security layers to be reviewed include:
• The network
• Operating system platform
• Database and application layers

Paths of Logical Access
General points of entry:
• Network connectivity
• Remote access
• Operator console
• Online workstations or terminals

Logical Access Control Software
Purpose: prevents unauthorized access to, and modification of, an organization's sensitive data, and unauthorized use of system-critical functions.

Identification and Authentication
Common I&A vulnerabilities:
• Weak authentication methods
• Lack of confidentiality and integrity for stored authentication information
• Lack of encryption for authentication and for protection of information transmitted over a network
• Users' lack of knowledge of the risks associated with sharing passwords, security tokens, etc.
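The difference between the two control types on the Mandatory and Discretionary Access Controls slide is easiest to see when both are evaluated on the same request. The model below is an added illustration, not code from the CISA Review Manual: the sensitivity levels, the subjects, the resources and the owner-defined ACLs are constructed sample data, and the "no read up / no write down" rule used for the mandatory check is one common label-comparison policy, not the only one.

```python
"""Mandatory vs discretionary access control as a small reference model.

Added illustration; not from the CISA Review Manual. The sensitivity levels,
subjects, resources and ACLs are constructed sample data.
"""
from dataclasses import dataclass, field

# Ordered sensitivity labels: a higher index is more sensitive.
LEVELS = ["public", "internal", "confidential", "secret"]


def rank(label: str) -> int:
    return LEVELS.index(label)


@dataclass
class Subject:
    name: str
    clearance: str  # MAC attribute, assigned by the security administrator


@dataclass
class Resource:
    name: str
    classification: str  # MAC label, compared against the subject's clearance
    owner: str
    acl: dict = field(default_factory=dict)  # DAC: owner-defined {subject: {"read", "write"}}


def mac_permits(subject: Subject, res: Resource, action: str) -> bool:
    """Mandatory control: corporate policy compares labels; owners cannot override it.

    read  -> no read up:    the clearance must dominate the classification
    write -> no write down: a secret-cleared user may not write into a public
             resource, which would move secret data below its label
    """
    s, r = rank(subject.clearance), rank(res.classification)
    if action == "read":
        return s >= r
    if action == "write":
        return r >= s
    raise ValueError(f"unknown action {action!r}")


def dac_permits(subject: Subject, res: Resource, action: str) -> bool:
    """Discretionary control: the data owner decides who may share the resource."""
    if subject.name == res.owner:
        return True
    return action in res.acl.get(subject.name, set())


def access_allowed(subject: Subject, res: Resource, action: str) -> bool:
    """Both layers must agree: owner-granted sharing never exceeds the mandatory policy."""
    return mac_permits(subject, res, action) and dac_permits(subject, res, action)


# Constructed scenario: alice owns the payroll file and tries to share it with bob,
# whose clearance is below the file's classification.
alice = Subject("alice", "secret")
bob = Subject("bob", "internal")
carol = Subject("carol", "secret")
payroll = Resource("payroll", "confidential", owner="alice", acl={"bob": {"read"}})
notice = Resource("notice", "public", owner="bob", acl={"alice": {"write"}})


def decisions() -> dict:
    """Access decisions for the scenario, keyed by (subject, resource, action)."""
    cases = [(bob, payroll, "read"), (carol, payroll, "read"),
             (alice, payroll, "read"), (alice, notice, "write")]
    return {(s.name, r.name, a): {"mac": mac_permits(s, r, a),
                                   "dac": dac_permits(s, r, a),
                                   "allowed": access_allowed(s, r, a)}
            for s, r, a in cases}


if __name__ == "__main__":
    for key, verdict in decisions().items():
        print(key, verdict)
```

Two of the four cases show the point of the slide: bob is on alice's ACL, so the discretionary check passes, but the mandatory check refuses the read because his clearance does not dominate the file's label; carol is cleared for the file, but the owner never shared it with her, so the discretionary check refuses. The write-down case is the one that usually surprises people: alice may write to bob's public notice as far as the ACL is concerned, yet the mandatory policy blocks it to stop higher-classified data leaking downward.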
Identification and Authentication (continued)
Logon IDs and passwords
• Features of passwords
• Password syntax (format) rules
• Token devices, one-time passwords
• Biometrics

Identification and Authentication (continued)
Best practices for logon IDs and passwords
• Passwords should be a minimum of 8 characters
• Passwords should be a combination of alphabetic, numeric, upper-case, lower-case and special characters
• Logon IDs that are not used should be deactivated
• System activity should automatically disconnect with no

Practice Question 5-3
An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?
A. The security officer also serves as the database administrator.
B. Password controls are not administered over the client-server environment.
C. There is no business continuity plan for the mainframe system's non-critical applications.
D. Most local area networks (LANs) do not back up file server fixed disks regularly.
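The best practices for logon IDs and passwords above are the kind of thing an auditor checks against an account export rather than by interview. The script below is an added example, not from the CISA Review Manual: the account records are constructed, the field names (logon_id, enabled, last_logon) are assumed, and the 90-day idle threshold and the "password must not contain the logon ID" rule are additions the slide does not state.

```python
"""Audit checks for the logon ID and password best practices listed above.

Added example, not from the CISA Review Manual. The account records are
constructed sample data; the field names and the 90-day threshold are assumptions.
"""
import re
from datetime import date, timedelta

# The character-class rules from the slide, each as a pattern that must match.
SYNTAX_RULES = {
    "lower-case letter": re.compile(r"[a-z]"),
    "upper-case letter": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def password_violations(password: str, logon_id: str, min_length: int = 8) -> list:
    """Return the rules a candidate password breaks (empty list = accepted).

    The logon-ID check is an extra the slide does not list: syntax rules alone
    accept 'Jsmith1!' for user jsmith, which is among the first guesses an
    attacker tries.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    for rule, pattern in SYNTAX_RULES.items():
        if not pattern.search(password):
            violations.append(f"missing {rule}")
    if logon_id.lower() in password.lower():
        violations.append("contains the logon ID")
    return violations


def dormant_logon_ids(accounts: list, as_of: date, max_idle_days: int = 90) -> list:
    """Enabled logon IDs not used within max_idle_days, or never used at all.

    These are the 'logon IDs not used' the slide says should be deactivated.
    A never-used ID is listed first because it is the classic leftover account.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deactivated; nothing to report
        last = acct["last_logon"]
        if last is None:
            findings.append((acct["logon_id"], "never used"))
        elif last < cutoff:
            findings.append((acct["logon_id"], f"idle since {last.isoformat()}"))
    return findings


# Constructed sample account export (not real data).
SAMPLE_ACCOUNTS = [
    {"logon_id": "jsmith",      "enabled": True,  "last_logon": date(2024, 2, 20)},
    {"logon_id": "contractor7", "enabled": True,  "last_logon": date(2023, 10, 1)},
    {"logon_id": "svc_batch",   "enabled": True,  "last_logon": None},
    {"logon_id": "old_admin",   "enabled": False, "last_logon": date(2023, 1, 5)},
]

if __name__ == "__main__":
    print(password_violations("Jsmith1!", "jsmith"))
    print(password_violations("correct-Horse7battery", "jsmith"))
    for logon_id, reason in dormant_logon_ids(SAMPLE_ACCOUNTS, date(2024, 3, 1)):
        print(f"deactivate {logon_id}: {reason}")
```

The syntax checks are deliberately the slide's minimum; a real policy would also reject passwords found in breach corpora and enforce history and lockout, neither of which the slide covers.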
Identification and Authentication (continued)
• Token devices, one-time passwords
• Biometrics
  ▫ Physically oriented biometrics
  ▫ Behavior-oriented biometrics

Identification and Authentication (continued)
Single sign-on (SSO)
• The process of consolidating all of an organization's platform-based administration, authentication and authorization functions into a single centralized administrative function
• A single sign-on interfaces with:
  – Client-server and distributed systems
  – Mainframe systems
  – Network security, including remote access mechanisms

Identification and Authentication (continued)
Single sign-on (SSO) advantages
• Multiple passwords are no longer required
• Improves management of users' accounts and authorizations across all associated systems
• Reduces the administrative overhead of resetting forgotten passwords over multiple platforms and applications
• Reduces the time taken by users to log into multiple applications and platforms

Identification and Authentication (continued)
Single sign-on (SSO) disadvantages
• Support for all major operating system environments is difficult
• The costs associated with SSO development can be significant, given the nature and extent of interface development and maintenance that may be necessary
• The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization's information assets

Practice Question 5-4
An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
A. maximum unauthorized access would be possible if a password is disclosed.
B. user access rights would be restricted by the additional security parameters.
C. the security administrator's workload would increase.
D. user access rights would be increased.
Access Authorization / Administration
Logical access security administration
• Centralized environment
• Decentralized environment

Access Authorization / Administration
Advantages of decentralized security management
• Security administration is on site at the distributed location
• Security issues are resolved in a timely manner
• Security controls are monitored frequently
Associated risks
• Local standards might be implemented rather than those required
• Levels of security management might be below what can be maintained by central administration
• Unavailability of management checks and audits

Authorization Issues (continued)
Remote access using personal digital assistants (PDAs)
• Inherently increased risk due to PDAs' lack of security

Access issues with mobile technology
• Banning all use of transportable drives in the security policy
• Where no authorized use of USB ports exists, disabling their use with a logon script that removes them from the system directory
• If they are considered necessary for business use, encrypting all data transported or saved by these devices

Authorization Issues (continued)
Audit logging in monitoring system access
Provides management with an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute-force attacks on a privileged logon ID

Practice Question 5-5
An IS auditor reviewing the log of failed logon attempts would be MOST concerned if which of the following accounts was targeted?
A. Network administrator
B. System administrator
C. Data administrator
D. Database administrator

Internet Threats and Security
Network security attacks
• Passive attacks
• Active attacks

Internet Threats and Security (continued)
Passive attacks
• Network analysis: footprinting to create a profile of the network infrastructure
• Eavesdropping: monitoring the network to compromise the confidentiality of sensitive information
• Traffic analysis: inferring information from the pattern of communication (who talks to whom, how often, how much) when messages are encrypted and eavesdropping on their content cannot work
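The audit-logging slide and Practice Question 5-5 above both turn on the same review: failed logon records, with particular attention to privileged IDs. The script below is an added example, not from the CISA Review Manual. Its log lines are constructed sample data in an OpenSSH-like format, the set of privileged IDs is assumed, and the thresholds (five failures within five minutes for anyone, three failures in total against a privileged ID) are starting points an auditor would tune to the environment.

```python
"""Review of failed-logon audit records for brute-force attempts on privileged IDs.

Added example, not from the CISA Review Manual. The log lines are constructed
sample data in an OpenSSH-like format; the privileged-ID list and the
thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T09:00:04 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T09:00:07 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T09:00:11 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T09:00:15 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T09:00:20 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T09:05:00 host1 sshd: Failed password for jsmith from 198.51.100.7
2024-03-01T09:05:30 host1 sshd: Failed password for jsmith from 198.51.100.7
2024-03-01T09:06:00 host1 sshd: Accepted password for jsmith from 198.51.100.7
2024-03-01T10:00:00 host2 sshd: Failed password for dbadmin from 192.0.2.9
2024-03-01T10:12:00 host2 sshd: Failed password for dbadmin from 192.0.2.9
2024-03-01T10:25:00 host2 sshd: Failed password for dbadmin from 192.0.2.9
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)

# Logon IDs whose compromise would give system-wide control (assumed list).
PRIVILEGED = {"root", "admin", "sysadmin", "dbadmin", "netadmin"}


def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for each failed-logon record; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def max_in_window(times, window):
    """Largest number of events falling within any span of length `window` (times sorted)."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def review_failed_logons(lines, window=timedelta(minutes=5),
                         burst_threshold=5, privileged_threshold=3):
    """Flag (user, ip) pairs: a burst for any ID, or a few failures against a privileged ID.

    The lower privileged threshold is the point of Practice Question 5-5: a slow
    trickle of failures against an administrator ID deserves attention that the
    same trickle against an ordinary user does not, and it evades a burst rule.
    """
    per_pair = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        per_pair[(user, ip)].append(ts)
    alerts = []
    for (user, ip), times in sorted(per_pair.items()):
        times.sort()
        burst = max_in_window(times, window)
        if user in PRIVILEGED and len(times) >= privileged_threshold:
            reason, severity = "privileged logon ID targeted", "high"
        elif burst >= burst_threshold:
            reason, severity = "burst of failed logons", "medium"
        else:
            continue
        alerts.append({"user": user, "ip": ip, "failures": len(times),
                       "burst": burst, "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in review_failed_logons(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log the root attempts trip both rules, jsmith's two typos before a successful logon are ignored, and dbadmin's three failures spread over 25 minutes never exceed one per five-minute window yet are still reported, because the ID is privileged. Grouping by (user, source IP) is a simplification: a distributed attack that rotates source addresses against one ID would need a second aggregation keyed on the user alone.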
Internet Threats and Security (continued)
Active attacks
• Brute-force attack
• Masquerading (IP / ID spoofing)
• Packet replay / message modification
• Phishing (social engineering)
• Unauthorized access through the Internet
• Denial of service
• Penetration attacks
• E-mail bombing / spamming
• E-mail spoofing

Internet Threats and Security (continued)
Causal factors for Internet attacks
• Availability of tools and techniques on the Internet
• Lack of security awareness and training
• Exploitation of security vulnerabilities
• Inadequate security over firewalls

Internet Threats and Security (continued)
Firewall security systems
• Firewall platforms: implemented using hardware or software
• Intrusion detection system (IDS)
• Intrusion prevention system (IPS)

Physical and Environmental Security
Environmental security
Power failures
• Alarm control panels
• Electrical surge protectors
• Uninterruptible power supply / generator
Fire
• Fireproof walls, floors and ceilings of the computer room
• Fire extinguishers / fire suppression systems
• Manual fire alarms
• Smoke detectors
Water
• Water detectors

Physical Access Issues and Exposures
Physical security exposures
• Unauthorized entry
• Damage to or theft of equipment or documents
• Copying or viewing of sensitive or copyrighted information
• Alteration of sensitive equipment and information
• Public disclosure of sensitive information
• Illegal use of data processing resources
Possible perpetrators include disgruntled employees of the organization.
Physical Access Controls
• Combination door locks (cipher locks)
• Electronic door locks
• Biometric door locks
• Manual logging
• Electronic logging
• Identification badges (photo IDs)
• Video cameras
• Security guards
• Escorted personnel

Security Incident Handling and Response
• Planning and preparation
• Detection
• Initiation
• Evaluation
• Containment
• Response
• Recovery
• Closure
• Post-incident review
• Lessons learned

Conclusion
• Quick Reference Review
  ▫ Page 292 of the CISA Review Manual 2010