
Security Management

Security Objectives
CONFIDENTIALITY (analogy: a sealed letter)
Data completely hidden to all but the owner of the data.

ACCESS CONTROL (analogy: locks and keys)
Only those who are authorized can access encrypted data.

INTEGRITY (analogy: the signature on the back of a credit card)
Data has not been altered since it was originally created.

AUTHENTICATION (analogy: a driver's license)
Providing proof of who originally created the data.
[Figure: sample driver's license graphic showing a fictitious name, license number, date of birth, height, weight and SSN]

NON-REPUDIATION (analogy: a notarized signature)
Originator of the document cannot deny their generation of the document.

Security Definitions

Vulnerability
Weakness in a mechanism that threatens the
confidentiality, integrity, or availability of an asset.
Threat
Potential danger to an asset, which would be carried
out by a threat agent.
Risk
Likelihood of a threat agent finding and taking
advantage of a vulnerability.
Exposure
Instance of being exposed to losses from a threat
agent.
Countermeasure
A safeguard put into place to mitigate potential
losses.

Control Types

Administrative controls
Development of policies, standards, procedures, and guidelines. They
also include screening personnel, security awareness training,
monitoring system and network activity, and change control.

Technical controls
Logical mechanisms which provide password and resource
management, identification and authentication, and software
configurations.

Physical controls
Physically protecting individual systems, the network, employees, and
the facility from physical damage.

How controls work together

[Figure: concentric layers of controls around Company Data and Assets]
Administrative Controls (outer layer): Policies, Standards, Procedures,
Guidelines, Screening, Personnel, Security Awareness Training
Technical Controls (middle layer): Logical Access, Encryption, Security
Devices, Identification and Authentication, Intrusion Detection, Monitoring
Physical Controls (inner layer): Facility Protection, Security Guards, Locks,
Environmental Controls

Administrative Controls

Developing a security program
Indicating what is authorized access and unauthorized
Classifying data and enforcing the necessary protection required of that
classification
Developing policies and standards and enforcing them when they are
broken
Developing an incident response program
Developing a business continuity and disaster recovery plan

Technical Controls

Implementing access control, e.g., requiring users to authenticate before
accessing a system or information
Encrypting data as it resides on a computer and/or is transmitted
Implementing firewalls and Intrusion Detection Systems (IDS)
Fault tolerance and load balancing

Physical Controls

Locks and alarms on exterior doors into a facility
Security guards watching for suspicious individuals and activities
Intrusion detection systems to physically protect the computers
Removing floppy drives so information cannot be copied and carried out of
a building
Backup data stored in a fireproof safe and/or at an offsite facility

Importance of Info Security


ISO published ISO 17799 as a comprehensive set of 127 control objectives
categorized under 10 areas. Similarly, the ITGI provides good practices for IT
processes that are defined within four domains, which include 220 controls
classified under 34 high-level objectives, through its publication, COBIT.

Security objectives to meet organization's business requirements:


Ensure the continued availability of their information systems.
Ensure the integrity of the information stored on their computer systems.
Preserve the confidentiality of sensitive data.
Ensure conformity to applicable laws, regulations and standards.
Ensure adherence to trust and obligation requirements in relation to any
information relating to an identified or identifiable individual (i.e., data subject)
in accordance with its privacy policy or applicable privacy laws and
regulations.
Preserve the confidentiality of sensitive data in store and in transit.

Key Elements of Info-Sec Management

Effective control requires a detailed inventory of information assets. Such a list is
the first step in classifying the assets and determining the level of protection to
be provided to each asset.
The inventory record of each information asset should include:
A clear and distinct identification of the asset
Its location
Its security/risk classification
Its asset group (where the asset forms part of a larger information system)
Its owner

Classification of Info-Assets
Classifications should be simple, such as designations by differing degrees for
sensitivity and criticality. End-user managers and security administrators can
then use these classifications in their risk assessment process to assist with
determining who should be able to access what.
Data are the core of IS assets. Categorizing them is a major part of the task of
classifying all information assets. Data classification as a control measure should
define:
Who is the owner of the information asset
Who has access rights and to do what
The level of access to be granted
Who is responsible for determining the access rights and access levels
What approvals are needed for access

System Access Permission


System access permission is the prerogative to act on a computer resource. This
usually refers to a technical privilege. For example, the ability to read, create,
modify or delete a file or data; execute a program; or open or use an external
connection.
System access to computerized information resources is established, managed
and controlled at the physical and/or logical level.
The IT assets under logical security can be grouped in four layers:
1. Network
2. Platforms (OS)
3. Databases and
4. Applications.
Network and platform layers provide pervasive general systems control over users
authenticating into systems. Database and application controls generally provide
a greater degree of control over user activity within a particular business process
by controlling access to records, specific data fields and transactions.

External Party & Security

External party arrangements can include:

Service providers, such as ISPs
Managed security services
Customers
Outsourcing facilities and/or operations
Management and business consultants, and auditors
Developers and suppliers, e.g., of software products and IT systems
Cleaning, catering and other outsourced support services
Temporary personnel, student placements and other casual short-term
appointments

Agreements with such parties can help to reduce the risks associated with external parties.

Third-party Agreements & Security


Proper information security practices should be in place to ensure that
employees, contractors and third-party users understand their
responsibilities and are suitable for the roles they are considered for, and
to reduce the risk of theft, fraud or misuse of facilities. Specifically:
Security responsibilities should be addressed prior to employment in
adequate job descriptions and in terms and conditions of employment.
All candidates for employment, contractors and third-party users should
be adequately screened, especially for sensitive jobs.
Employees, contractors and third-party users of information processing
facilities should sign an agreement on their security roles and
responsibilities.
Security roles and responsibilities of employees, contractors and third-party
users should be defined and documented in accordance with the
organization's information security policy.

Computer Crimes & Exposures


Threats to business include the following:

Financial loss
Legal repercussions
Loss of credibility or competitive edge
Blackmail
Disclosure of confidential, sensitive or embarrassing information
Sabotage

Possible perpetrators include:

Hackers
Script kiddies
Crackers
Employees
IS personnel
End users
Former employees
Interested or educated outsiders
Part-time and temporary personnel
Third parties
Accidental or ignorant users

Malicious Code
Computer programs developed with malicious intent are referred to as malicious code. They
are mainly categorized as below.
Virus
A computer program that is designed to replicate itself by copying itself into other programs
and cause damage.
Worm
A self-replicating computer program. It uses a network to send copies of itself to other
nodes and may do so without any user intervention. Worms always harm the network (if
only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted
computer.
Trojan horse
A program that appears to be legitimate but is designed to have destructive effects, such as on data
residing in the computer onto which the program was loaded. Virus/worm droppers, logic
bombs and time bombs are trojans. Svchost32.exe, Svhost.exe and back.exe are common
Windows service look-alike trojans.
Spyware
Spyware is computer software that collects personal information about users without their
informed consent. The term was coined in 1995 but was not widely used for another five years.
It is often used interchangeably with adware and malware (software designed to infiltrate and
damage a computer, respectively).

Comparing Infection & Propagation Methods

Virus
Malicious code is injected into the target files (exe, doc, etc.). When the infected files
are opened/executed, the injected malicious code is activated and does two things:
performs the planned attack, then replicates again.

Worm
No code injection. It does not use files as its hosts. It uses the vulnerabilities of the
OS to propagate. It normally replicates to different hosts in the network, which then attack
in a coordinated way. When the malicious executable is called knowingly or unknowingly,
willingly or unwillingly, it activates attacks and replicates.

Trojan horse
A trojan is similar to a virus, except that it does not replicate itself. It stays in the
computer doing its damage or allowing somebody at a remote site to take control
of the computer. Trojans often sneak in attached to a free game or other utility.

Spyware
It does not replicate itself. The computer is infected by it while browsing
malicious/infected web sites.

Anti-virus Programs
Scanners
1. Signature scanner (looks for a virus pattern)
2. Heuristic scanner (probabilistic)
Active Monitors
Identifies ROM & BIOS calls
CRC Integrity Checkers
Calculates CRC & compares with that stored in a database
Behavior Blockers
Identifies special behaviors like changing a program, writing in MBR, etc
Immunizer
Attaches itself to a file, making it appear to already be infected
Virus-walls
Firewalls with anti-virus filtering SMTP, HTTP & FTP
[Eradication programs clean the infected files & inoculator programs make infected
files unable to execute.]
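The two scanner types and the CRC integrity checker above are easy to confuse; the following added example (not from the original slides) implements a minimal signature scanner and a CRC-32 integrity checker side by side over a constructed set of in-memory "files", and then shows why the two complement each other: a byte pattern the signature database does not know is missed by the scanner but caught by the CRC baseline. All file contents, the signature name and the marker string are made up for this example; nothing here is real malware.

```python
import zlib

# Constructed sample "files": name -> bytes. The marker string is invented for this example.
SAMPLE_FILES = {
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 32 + b"hello world program",
    "report.doc": b"\xd0\xcf\x11\xe0" + b"quarterly figures",
    "dropper.exe": b"MZ\x90\x00" + b"EXAMPLE-MALWARE-MARKER" + b"\x00" * 8,
}

# Constructed signature database: detection name -> byte pattern ("virus pattern").
SIGNATURES = {
    "Example.Marker.A": b"EXAMPLE-MALWARE-MARKER",
}


def signature_scan(files, signatures):
    """Signature scanner: report each file that contains a known byte pattern.
    Returns {filename: [detection names]} for files with at least one hit."""
    hits = {}
    for name, data in files.items():
        for sig_name, pattern in signatures.items():
            if pattern in data:
                hits.setdefault(name, []).append(sig_name)
    return hits


def build_crc_baseline(files):
    """CRC integrity checker, step 1: record a CRC-32 for every file while the
    system is in a known-good state (the 'database' the slide refers to)."""
    return {name: zlib.crc32(data) & 0xFFFFFFFF for name, data in files.items()}


def check_crc_baseline(files, baseline):
    """Step 2: recompute each CRC and compare with the stored value.
    Reports files whose content changed, files with no baseline entry, and
    baseline entries whose file has disappeared."""
    changed = [n for n, d in files.items()
               if n in baseline and (zlib.crc32(d) & 0xFFFFFFFF) != baseline[n]]
    new = [n for n in files if n not in baseline]
    missing = [n for n in baseline if n not in files]
    return {"changed": sorted(changed), "new": sorted(new), "missing": sorted(missing)}


def simulate_infection(files, victim, payload):
    """Constructed virus-like modification for the demonstration: append bytes to an
    existing executable. The payload is arbitrary filler, not malicious code."""
    infected = dict(files)
    infected[victim] = files[victim] + payload
    return infected


if __name__ == "__main__":
    print("signature hits:", signature_scan(SAMPLE_FILES, SIGNATURES))
    baseline = build_crc_baseline(SAMPLE_FILES)
    infected = simulate_infection(SAMPLE_FILES, "notepad.exe", b"\xcc\xcc filler")
    print("after modification:", check_crc_baseline(infected, baseline))
    print("scanner still sees:", signature_scan(infected, SIGNATURES))
```

The CRC is used here because that is what the slide names; it detects accidental or naive changes, but CRC-32 is not collision resistant, so a production integrity checker should store a cryptographic hash (for example `hashlib.sha256`) and protect the baseline itself against tampering, otherwise an intruder can simply update the stored values.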

Logical Access Exposures


Data leakage - involves siphoning or leaking information out of the computer
Wire tapping - involves eavesdropping on information being transmitted over lines
Trojan horses/backdoors - involves hiding malicious, fraudulent code in an authorized or falsely
authorized computer program
Viruses - involve the insertion of malicious program code into other executable codes
Worms - destructive programs that may destroy data, or use up tremendous computer and
communication resources
Logic bombs - while similar to computer viruses, they do not self-replicate.
Denial-of-Service - disrupts or completely denies service to legitimate users, networks, systems or
other resources
Computer shutdown - initiated through terminals or PCs connected directly or remotely to the
computer
War driving - involves receiving wireless data from a laptop (ideally while driving)
Piggybacking - The act of following an authorized person through a secured door or electronically
attaching to an authorized communication link
Trap doors - Exit points out of any area of authorized operating system code, used for insertion of
specific logic. Sometimes, programmers insert code that allows them to bypass an operating
system's integrity.
Asynchronous attacks - indicates a very technical exposure, resulting from how the system
operates in allocating resources to the different jobs in a multiprocessing environment
Rounding down - involves drawing off small amounts of money (the rounding fraction) from a
computerized transaction or account and rerouting this amount to the perpetrator's account.
Salami technique while similar to rounding down, involves truncation.
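The rounding-down and salami exposures listed above are a reconciliation problem for the auditor: because the diverted fractions add up to exactly the amount missing from the other accounts, a control that only compares batch totals sees nothing. The following added example (not part of the original slides) runs a per-account reconciliation over two constructed interest-posting runs, one correct and one where amounts were truncated and the fractions routed to an extra account; the account names and amounts are invented for the demonstration.

```python
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed monthly interest computation: account -> exact (unrounded) amount due.
EXACT = {
    "A-1001": Decimal("3.29876"),
    "A-1002": Decimal("0.41234"),
    "A-1003": Decimal("12.50999"),
}

# Constructed posted ledger for a correct run: each amount rounded once, half-to-even, to the cent.
POSTED_OK = {
    "A-1001": Decimal("3.30"),
    "A-1002": Decimal("0.41"),
    "A-1003": Decimal("12.51"),
}

# Constructed posted ledger showing the exposure: amounts truncated instead of rounded and the
# leftover fractions posted to an account (X-9999) that has no source computation.
POSTED_BAD = {
    "A-1001": Decimal("3.29"),
    "A-1002": Decimal("0.41"),
    "A-1003": Decimal("12.50"),
    "X-9999": Decimal("0.02"),
}


def expected_posting(amount):
    """The one rounding rule the business approved: half-to-even to the cent."""
    return amount.quantize(CENT, rounding=ROUND_HALF_EVEN)


def reconcile(exact, posted):
    """Per-account reconciliation of posted amounts against the exact computation.
    Returns (findings, residual): findings is a list of (account, description) and
    residual is total posted minus total expected, i.e. what a totals-only control sees."""
    findings = []
    for acct, amount in exact.items():
        want = expected_posting(amount)
        got = posted.get(acct)
        if got is None:
            findings.append((acct, "missing posting"))
        elif got != want:
            findings.append((acct, f"posted {got}, expected {want}"))
    for acct in posted:
        if acct not in exact:
            findings.append((acct, "posting with no source computation"))
    residual = sum(posted.values(), Decimal(0)) - sum(
        (expected_posting(a) for a in exact.values()), Decimal(0))
    return findings, residual


if __name__ == "__main__":
    for label, ledger in (("correct run", POSTED_OK), ("suspicious run", POSTED_BAD)):
        findings, residual = reconcile(EXACT, ledger)
        print(label, "residual:", residual, "findings:", findings)
```

In the suspicious run the residual is zero, so the batch balances, yet the per-account comparison flags both truncated postings and the unexplained account; that is the control an IS auditor would want in place for any process that rounds monetary amounts.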

Points of Entrance
Entry into a system through:
* Network connectivity
* Remote access
* Operators console

Area          Tools or Points of Entry
Network       Gateway, Router, Firewall, IDS, etc.
OS            Telnet, rlogin, rcp, rsh, FTP, etc.
Databases     DB tools, e.g., Oracle SQL*Plus, MS Query Analyzer, ODBC/OCI interfaces, etc.
Applications  Application front-ends

Logical Access Control software


Network access control software resides on network layer devices (e.g., routers,
firewalls) that manage and control external access to organizations' networks.
General OS and/or application access control functions include:

Create or change user profiles.
Assign user identification and authentication.
Apply user logon limitation rules.
Create individual accountability and auditability by logging user activities.
Establish rules for access to specific information resources (e.g., system-level
application resources and data).
Log events and provide reporting capabilities.

Database and/or application-level access control functions include:

Create or change data files and database profiles.
Verify user authorization at the application and transaction level.
Verify user authorization within the application.
Verify user authorization at the field level for changes within a database.
Verify subsystem authorization for the user at the file level.
Log database/data communications access activities for monitoring access
violations.

Identification & Authentication


Identification and authentication are altogether separate system matters. While some
types of authentication elements might by themselves suffice to identify a user,
identification and authentication differ because of:
Meaning
Methods, peripherals and techniques supporting them
Requirements in terms of secrecy and management
Attributes. Authentication does not have attributes in itself, while an identity may
have a defined validity in time and other information attached to itself.
The fact that identity does not normally change, while authentication tokens
bound to secrecy must be regularly replaced to preserve their reliability

Authentication is typically categorized as:

something you know (e.g., password),
something you have (e.g., token card),
something you are (e.g., fingerprint), and
something you do (e.g., signing by using a digital pen)
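To make the first two categories concrete, the following added example (not from the original slides) verifies "something you know" with a salted PBKDF2 password hash and "something you have" with a time-based one-time password from a token, implemented per RFC 4226 (HOTP) and RFC 6238 (TOTP) on top of the standard library. The user record layout, the `authenticate` function and the password are assumptions for the demonstration; the token secret is the published RFC test-vector secret, so the codes can be checked against the RFC tables.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 100_000


def make_user_record(password, totp_secret):
    """Enrol a user: store only a salted, stretched hash of the password (never the
    password itself) together with the shared secret of the user's token."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest,
            "totp_secret": totp_secret}


def verify_password(password, record):
    """Something you know: recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"],
                                 record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Something you have: accept the code for the current step and `window` steps
    either side, to tolerate clock drift between token and server."""
    counter = int(unix_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def authenticate(record, password, code, unix_time):
    """Two-factor check: both factors are always evaluated so that a failure does not
    reveal which factor was wrong."""
    ok_know = verify_password(password, record)
    ok_have = verify_totp(record["totp_secret"], code, unix_time)
    return ok_know and ok_have


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    record = make_user_record("correct horse battery", secret)   # assumed password
    print("TOTP at t=59:", totp(secret, 59))                       # RFC 6238 gives 94287082; last 6 digits
    print("login ok:", authenticate(record, "correct horse battery", totp(secret, 59), 59))
```

Note the design points the slide's list does not spell out: the password is never stored or compared in the clear, comparisons are constant-time, and a one-time code is tied to a secret the user holds plus the current time, so replaying an old code fails once its window has passed.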

Phishing (Social Engineering)


This normally takes the form of an e-mail, though it may be a personal or
telephone approach, pretending to be an authorized person or organization
legitimately requesting information. It may be a bank asking for confirmation of
the user's access codes to their Internet banking service, warning that failure to
respond will result in future access being denied. The unsuspecting user
provides the information and finds that their bank account has been cleared of
funds.
Phishing attacks may also seek to obtain apparently innocuous business
information such as the individual's Social Security number (in the US) or staff
number, which might subsequently be used to obtain a replacement password
giving unauthorized access to company systems.
An IS auditor should review the procedures of the help desk staff for caller
identification and identify weaknesses in that mechanism. For instance, if
help desk staff authenticate callers based on their birth date, then an attacker can
obtain this information for any authorized user.

Biometric Controls
The word biometric is derived from the Greek words bio and metric meaning life
measurement. It is defined as the automated identification or verification of an individual
based on physiological or behavioral characteristics.

False Acceptance & Rejection

The false acceptance rate (FAR, impostors wrongly accepted) and the false rejection rate
(FRR, legitimate users wrongly rejected) are the standard performance measures of a biometric system.
IS auditors should consider these measures in evaluating the performance of the biometric systems
during the course of the audit assignment.
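The following added example (not part of the original slides) shows how FAR and FRR are computed from a system's match scores and why an auditor needs both: moving the decision threshold trades one rate for the other, and the crossover point (equal error rate) summarizes the trade-off. The genuine and impostor score lists are constructed for the demonstration and do not come from any real biometric product.

```python
# Constructed similarity scores in [0, 1]; higher means the sample looks more like the
# enrolled template. Genuine = the enrolled user, impostor = someone else.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.58, 0.90, 0.85, 0.66, 0.97, 0.89]
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.71, 0.30, 0.40, 0.18, 0.63, 0.26]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_rates(genuine_scores, impostor_scores, thresholds):
    """Tabulate (threshold, FAR, FRR) so the trade-off can be inspected."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def equal_error_rate(genuine_scores, impostor_scores, steps=100):
    """Sweep the threshold and return (threshold, EER) at the point where FAR and FRR
    are closest; lower EER means better separation of genuine and impostor users."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if best is None or abs(a - r) < best[1]:
            best = (t, abs(a - r), (a + r) / 2)
    return best[0], best[2]


if __name__ == "__main__":
    for t, a, r in error_rates(GENUINE, IMPOSTOR, [0.5, 0.64, 0.9]):
        print(f"threshold {t:.2f}: FAR {a:.2f}  FRR {r:.2f}")
    print("equal error rate (threshold, EER):", equal_error_rate(GENUINE, IMPOSTOR))
```

For an access-control use an auditor will usually push the threshold towards low FAR and accept the higher FRR (more retries for legitimate users); the example makes that trade-off visible in the numbers rather than as an abstract statement.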

Thank You
