
2009 CISA Review Course

Chapter 5 Protection of Information Assets

5.2.5 Mandatory and Discretionary Access Controls


Mandatory
Enforces corporate security policy
Compares sensitivity of information resources

Discretionary
Enforces data owner-defined sharing of information resources

5.3 Logical Access


Logical access controls are the primary means used to manage and protect information assets.

5.3.1 Logical Access Exposures

Technical exposures include:


Data leakage
Wire tapping
Trojan horses / backdoors
Viruses
Worms
Logic bombs
Denial-of-service attacks
Computer shutdown
War driving
Piggybacking
Trap doors
Asynchronous attacks
Rounding down
Salami technique

5.3.2 Social Engineering


Weakest link in the information security chain
Human side of breaking into a computer system
Examples:
Impersonation through telephone call
Dumpster diving and shoulder surfing
Phishing

Best defense:
Ongoing security awareness

5.3.3 Familiarization with the Organization's IT Environment


Security layers to be reviewed include:
The network
Operating system platform
Database and application layers

5.3.4 Paths of Logical Access


General points of entry
Network connectivity
Remote access
Operator console
Online workstations or terminals

5.3.5 Logical Access Control Software


Purpose
Prevents unauthorized access and modification to an organization's sensitive data and use of system critical functions.

5.3.5 Logical Access Control Software (continued)


General operating systems access control functions include:
User identification and authentication mechanisms
Restricted logon IDs
Rules for access to specific information resources
Create individual accountability and auditability
Create or change user profiles
Log events
Log user activities
Report capabilities

5.3.5 Logical Access Control Software (continued)


Database and / or application-level access control functions include:
Create or change data files and database profiles
Verify user authorization at the application and transaction levels
Verify user authorization within the application
Verify user authorization at the field level for changes within a database
Verify subsystem authorization for the user at the file level
Log database / data communications access activities for monitoring access violations

5.3.6 Identification and Authentication


Logon IDs and passwords
Features of passwords
Password syntax (format) rules
Token devices, one-time passwords
Biometric
Management of biometrics

5.3.6 Identification and Authentication (continued)


I&A common vulnerabilities
Weak authentication methods
Lack of confidentiality and integrity for the stored authentication information
Lack of encryption for authentication and protection of information transmitted over a network
Users' lack of knowledge of the risks associated with sharing passwords, security tokens, etc.

5.3.6 Identification and Authentication (continued)


Best practices for logon IDs and passwords
Passwords should be a minimum of 8 characters
Passwords should be a combination of alpha, numeric, upper and lower case and special characters
Login IDs not used should be deactivated
System should automatically disconnect with no activity
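As an added worked example (not part of the course material), the Go program below turns the four best practices on this slide into checks an administrator or auditor could run: a password syntax check for the 8-character minimum and the character-class mix, a scan for logon IDs that have gone unused, and an idle-session disconnect test. The 90-day deactivation threshold, the 15-minute inactivity limit, the sample accounts and the reference date are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
	"unicode"
)

// MinPasswordLen is the minimum length stated on the slide.
const MinPasswordLen = 8

// Account is a constructed record of a logon ID and the last time it was used.
type Account struct {
	LogonID  string
	LastUsed time.Time
}

// CheckPasswordSyntax returns the syntax rules a candidate password violates.
// An empty result means the password meets every rule on the slide: at least
// MinPasswordLen characters, with lower case, upper case, digits and special characters.
func CheckPasswordSyntax(pw string) []string {
	var lower, upper, digit, special bool
	n := 0
	for _, r := range pw {
		n++
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	var v []string
	if n < MinPasswordLen {
		v = append(v, fmt.Sprintf("fewer than %d characters", MinPasswordLen))
	}
	if !lower {
		v = append(v, "no lower-case letter")
	}
	if !upper {
		v = append(v, "no upper-case letter")
	}
	if !digit {
		v = append(v, "no digit")
	}
	if !special {
		v = append(v, "no special character")
	}
	return v
}

// StaleLogonIDs lists the logon IDs not used within maxIdle; these are the IDs
// that should be deactivated.
func StaleLogonIDs(accounts []Account, now time.Time, maxIdle time.Duration) []string {
	var stale []string
	for _, a := range accounts {
		if now.Sub(a.LastUsed) > maxIdle {
			stale = append(stale, a.LogonID)
		}
	}
	return stale
}

// ShouldDisconnect reports whether a session idle since lastActivity has exceeded
// the inactivity limit and should be disconnected automatically.
func ShouldDisconnect(lastActivity, now time.Time, limit time.Duration) bool {
	return now.Sub(lastActivity) >= limit
}

func main() {
	for _, pw := range []string{"password", "Tr0ub4dor&3"} {
		fmt.Printf("%-12s violations: %v\n", pw, CheckPasswordSyntax(pw))
	}
	now := time.Date(2009, 6, 1, 0, 0, 0, 0, time.UTC) // constructed "today" (assumption)
	accounts := []Account{                               // constructed sample accounts
		{LogonID: "alice", LastUsed: now.Add(-24 * time.Hour)},
		{LogonID: "bob", LastUsed: now.Add(-120 * 24 * time.Hour)},
	}
	fmt.Println("deactivate:", StaleLogonIDs(accounts, now, 90*24*time.Hour))
	fmt.Println("disconnect idle session:", ShouldDisconnect(now.Add(-20*time.Minute), now, 15*time.Minute))
}
```

The syntax check reports every violated rule rather than stopping at the first, which is what a user-facing error or an audit sample needs; the character classes come from the Go `unicode` tables, so non-ASCII letters and symbols are classified correctly rather than being treated as "special" by default.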

5.3.6 Identification and Authentication (continued)


Token devices, one-time passwords Biometrics
Physically-oriented biometric
Behavior-oriented biometric

5.3.6 Identification and Authentication (continued)


Single sign-on (SSO)
The process of consolidating all organization platform-based administration, authentication and authorization functions into a single centralized administrative function
A single sign-on interfaces with:
Client-server and distributed systems
Mainframe systems
Network security including remote access mechanisms

5.3.6 Identification and Authentication (continued)


Single sign-on (SSO) advantages
Multiple passwords are no longer required, so a user may be more inclined and motivated to select a stronger password
It improves an administrator's ability to manage users' accounts and authorizations to all associated systems
It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications
It reduces the time taken by users to log into multiple applications and platforms

5.3.6 Identification and Authentication (continued)


Single sign-on (SSO) disadvantages
Support for all major operating system environments is difficult
The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary
The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization's information assets

5.3.7 Authorization Issues


Access restrictions at the file level include:
Read, inquiry or copy only
Write, create, update or delete only
Execute only
A combination of the above

5.3.7 Authorization Issues (continued)


Access control lists (ACLs) refer to a register of:
Users who have permission to use a particular system resource
The types of access permitted
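As an added worked example (not part of the course material), the Go program below puts the two authorization concepts of this chapter side by side: the mandatory versus discretionary distinction from 5.2.5, and the file-level access restrictions and ACL register from 5.3.7. A mandatory check compares the user's clearance with the resource's sensitivity label and cannot be overridden by the data owner; a discretionary check consults the owner-maintained ACL for the specific type of access (read, write, execute). The sensitivity labels and their ordering, the user names and the `payroll.db` resource are all constructed for the example.

```go
package main

import "fmt"

// Sensitivity levels for the mandatory check; a higher number is more sensitive.
// The label names are constructed for this example, not taken from the course.
var levels = map[string]int{"public": 0, "internal": 1, "confidential": 2, "secret": 3}

// Permission is one of the file-level access restrictions listed in 5.3.7.
type Permission string

const (
	Read    Permission = "read"    // read, inquiry or copy only
	Write   Permission = "write"   // write, create, update or delete only
	Execute Permission = "execute" // execute only
)

// User carries a clearance (used by the mandatory check) and an identity (used by the discretionary check).
type User struct {
	ID        string
	Clearance string
}

// Resource carries a classification label, an owner, and an ACL: the register of
// users permitted to use it and the types of access each is permitted.
type Resource struct {
	Name           string
	Classification string
	Owner          string
	ACL            map[string]map[Permission]bool
}

// mandatoryAllows enforces corporate policy: the user's clearance must be at least
// the resource's classification. The data owner cannot override this comparison.
func mandatoryAllows(u User, r Resource) bool {
	return levels[u.Clearance] >= levels[r.Classification]
}

// discretionaryAllows enforces owner-defined sharing: the owner has every permission,
// anyone else needs an ACL entry for the specific permission requested.
func discretionaryAllows(u User, r Resource, p Permission) bool {
	if u.ID == r.Owner {
		return true
	}
	return r.ACL[u.ID][p] // reading a nil map yields false: no entry, no access
}

// Grant records a discretionary share. Only the owner may add ACL entries.
func (r *Resource) Grant(grantor, userID string, perms ...Permission) error {
	if grantor != r.Owner {
		return fmt.Errorf("%s is not the owner of %s and cannot share it", grantor, r.Name)
	}
	if r.ACL == nil {
		r.ACL = map[string]map[Permission]bool{}
	}
	if r.ACL[userID] == nil {
		r.ACL[userID] = map[Permission]bool{}
	}
	for _, p := range perms {
		r.ACL[userID][p] = true
	}
	return nil
}

// Allowed is the combined decision: the mandatory check must pass, and then the
// discretionary check must also pass. A grant from the owner never lifts a
// clearance shortfall.
func Allowed(u User, r Resource, p Permission) bool {
	return mandatoryAllows(u, r) && discretionaryAllows(u, r, p)
}

func main() {
	payroll := Resource{Name: "payroll.db", Classification: "confidential", Owner: "alice"}
	bob := User{ID: "bob", Clearance: "confidential"}
	carol := User{ID: "carol", Clearance: "internal"}
	_ = payroll.Grant("alice", "bob", Read)          // owner shares read-only with bob
	_ = payroll.Grant("alice", "carol", Read, Write) // owner tries to share with carol too
	fmt.Println("bob read:   ", Allowed(bob, payroll, Read))          // true
	fmt.Println("bob write:  ", Allowed(bob, payroll, Write))         // false: owner granted read only
	fmt.Println("carol read: ", Allowed(carol, payroll, Read))        // false: clearance below classification
	fmt.Println("carol grant:", payroll.Grant("carol", "dave", Read)) // error: not the owner
}
```

The order of the two checks in `Allowed` is the point of the example: an auditor reviewing an ACL register should confirm that owner grants are only ever additive within what corporate policy already permits, never a way around it.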

5.3.7 Authorization Issues (continued)


Logical access security administration
Centralized environment
Decentralized environment

5.3.7 Authorization Issues (continued)


Advantages of conducting security in a decentralized environment
Security administration is onsite at the distributed location
Security issues resolved in a timely manner
Security controls are monitored frequently

5.3.7 Authorization Issues (continued)


Risks associated with distributed responsibility for security administration
Local standards might be implemented rather than those required
Levels of security management might be below what can be maintained by central administration
Unavailability of management checks and audits

5.3.7 Authorization Issues (continued)


Remote access security risks include:
Denial of service
Malicious third parties
Misconfigured communications software
Misconfigured devices on the corporate computing infrastructure
Host systems not secured appropriately
Physical security issues over remote users' computers

5.3.7 Authorization Issues (continued)


Audit logging in monitoring system access
Provides management with an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute force attacks on a privileged logon ID

5.3.7 Authorization Issues (continued)


Tools for audit trails (logs) analysis
Audit reduction tools
Trends/variance-detection tools

Attack signature-detection tools
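As an added worked example (not part of the course material), the Go program below runs the three kinds of audit-trail analysis tools named on this slide over a constructed logon audit trail, using the scenario the previous slide gives: repeated failed logons against a privileged ID. Audit reduction drops the successful logons, the attack-signature step looks for a burst of failures on one logon ID, and the trend/variance step compares the day's failure count with a baseline. The log line format, the `ADMIN` privileged ID, the source addresses, the threshold of 5 failures within 2 minutes and the baseline of 2 failures per day are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed audit-trail record. The log layout used below is
// constructed for this example; real systems have their own formats.
type Event struct {
	When   time.Time
	Action string // LOGON_OK or LOGON_FAILURE
	User   string
	Source string
}

// sampleLog is constructed sample data: a burst of failures against the
// privileged ID "ADMIN" from one source, mixed with ordinary user activity.
const sampleLog = `2009-05-12T08:00:05Z LOGON_OK user=alice src=10.1.1.20
2009-05-12T08:01:10Z LOGON_FAILURE user=ADMIN src=10.9.9.9
2009-05-12T08:01:12Z LOGON_FAILURE user=ADMIN src=10.9.9.9
2009-05-12T08:01:15Z LOGON_FAILURE user=ADMIN src=10.9.9.9
2009-05-12T08:01:17Z LOGON_FAILURE user=ADMIN src=10.9.9.9
2009-05-12T08:01:19Z LOGON_FAILURE user=ADMIN src=10.9.9.9
2009-05-12T08:02:00Z LOGON_OK user=bob src=10.1.1.21
2009-05-12T08:30:00Z LOGON_FAILURE user=bob src=10.1.1.21
2009-05-12T09:45:00Z LOGON_FAILURE user=bob src=10.1.1.21`

// ParseLog turns the raw audit trail into events, skipping malformed lines.
func ParseLog(raw string) []Event {
	var out []Event
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		out = append(out, Event{When: ts, Action: f[1],
			User: strings.TrimPrefix(f[2], "user="), Source: strings.TrimPrefix(f[3], "src=")})
	}
	return out
}

// ReduceToFailures is the audit-reduction step: drop successful logons so the
// reviewer only sees records that can indicate an attack.
func ReduceToFailures(events []Event) []Event {
	var out []Event
	for _, e := range events {
		if e.Action == "LOGON_FAILURE" {
			out = append(out, e)
		}
	}
	return out
}

// Alert describes one suspicious pattern found in the reduced trail.
type Alert struct {
	User       string
	Failures   int
	Privileged bool
}

// DetectBruteForce applies an attack signature: at least threshold failures for
// the same logon ID within window. Hits on privileged IDs are flagged for priority.
func DetectBruteForce(failures []Event, threshold int, window time.Duration, privileged map[string]bool) []Alert {
	byUser := map[string][]time.Time{}
	for _, e := range failures {
		byUser[e.User] = append(byUser[e.User], e.When)
	}
	var alerts []Alert
	for user, times := range byUser {
		for i := range times { // times are in log order; slide a window over them
			j := i
			for j+1 < len(times) && times[j+1].Sub(times[i]) <= window {
				j++
			}
			if n := j - i + 1; n >= threshold {
				alerts = append(alerts, Alert{User: user, Failures: n, Privileged: privileged[user]})
				break
			}
		}
	}
	return alerts
}

// FailureVariance is a simple trend/variance check: today's failure count as a
// multiple of the baseline daily average. Values well above 1 warrant a look
// even when no signature fires.
func FailureVariance(todayFailures int, baselineDailyAverage float64) float64 {
	if baselineDailyAverage <= 0 {
		return float64(todayFailures)
	}
	return float64(todayFailures) / baselineDailyAverage
}

func main() {
	failures := ReduceToFailures(ParseLog(sampleLog))
	for _, a := range DetectBruteForce(failures, 5, 2*time.Minute, map[string]bool{"ADMIN": true}) {
		fmt.Printf("brute-force signature: user=%s failures=%d privileged=%v\n", a.User, a.Failures, a.Privileged)
	}
	fmt.Printf("failure volume vs baseline: %.1fx\n", FailureVariance(len(failures), 2.0))
}
```

The two detection steps are deliberately different in kind: the signature needs the attack pattern to be known in advance, while the variance check catches a change in volume without knowing what caused it, which is why the slide lists both kinds of tool.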

5.3.7 Authorization Issues (continued)


Intrusion detection system (IDS)
Intrusion prevention system (IPS)

5.3.8 Storing, Retrieving, Transporting and Disposing of Confidential Information


Policies required for:
Backup files of databases
Data banks
Disposal of media previously used to hold confidential information
Management of equipment sent for offsite maintenance
Public agencies and organizations concerned with sensitive, critical or confidential information
E-token electronic keys
Storage records

5.3.8 Storing, Retrieving, Transporting and Disposing of Confidential Information (continued)


Preserving information during shipment or storage
Recommendations applicable to all types of media
Keep out of direct sunlight
Keep free of liquids
Keep free of dust
Keep media away from exposure to magnetic fields, radio equipment or any sources of vibration
Do not transport in areas and at times of exposure to strong magnetic storm

5.3.8 Storing, Retrieving, Transporting and Disposing of Confidential Information (continued)


Media storage precautions

Hard drives
Store hard drives in antistatic bags, and be sure that the person removing them from the bag is static-free.
If the original box and padding for the hard drive is available, use it for shipping.
Avoid styrofoam packaging products or other materials that can cause static electricity.
Quick drops or spikes in temperature are a danger, since such changes can lead to hard drive crashes.
If the hard drive has been in a cold environment, bring it to room temperature prior to installing and using it.
Avoid sudden mechanical shocks or vibrations.

Magnetic media
Store tapes vertically.
Store tapes in acid-free containers.
Write-protect tapes immediately.

Floppy disks
When handling the floppy, pick it up by the label.
The mylar surface must never be touched.
Write labels using a felt tip pen only.

CDs and DVDs
Handle by the edges or by the hole in the middle.
Be careful not to bend the CD.
Avoid long-term exposure to bright light.
Store in a hard jewel case, not in soft sleeves.

5.4 Network Infrastructure Security


Communication network controls
Network control functions should be performed by technically qualified operators
Network control functions should be separated, and the duties should be rotated on a regular basis, where possible
Network control software must restrict operator access from performing certain functions (e.g., the ability to amend/delete operator activity logs)
Network control software should maintain an audit trail of all operator activities
Audit trails should be periodically reviewed by operations management to detect any unauthorized network operations activities

5.4 Network Infrastructure Security (continued)


Communication network controls (continued)
Network operation standards and protocols should be documented and made available to the operators, and should be reviewed periodically to ensure compliance
Network access by the system engineers should be monitored and reviewed closely to detect unauthorized access to the network
Analysis should be performed to ensure workload balance, fast response time and system efficiency
A terminal identification file should be maintained by the communications software to check the authentication of a terminal when it tries to send or receive messages
Data encryption should be used, where appropriate, to protect messages from disclosure during transmission

5.4.1 LAN Security


The IS auditor should identify and document:
LAN topology and network design
LAN administrator / LAN owner
Functions performed by the LAN administrator/owner
Distinct groups of LAN users
Computer applications used on the LAN
Procedures and standards relating to network design, support, naming conventions and data security

5.4.2 Client-server Security


Control techniques in place
Securing access to data or application
Use of network monitoring devices
Data encryption techniques
Authentication systems

Use of application level access control programs

5.4.2 Client-server Security (continued)


Client / server risks and issues
Access controls may be weak in a client-server environment
Change control and change management procedures
The loss of network availability may have a serious impact on the business or service
Obsolescence of the network components
The use of modems to connect the network to other networks

5.4.2 Client-server Security (continued)


Client / server risks and issues (continued)
The connection of the network to public switched telephone networks may be weak
Changes to systems or data
Access to confidential data and data modification may be unauthorized
Application code and data may not be located on a single machine enclosed in a secure computer room, as with mainframe computing

5.4.3 Wireless Security Threats and Risk Mitigation


Threats categorization
Errors and omissions
Fraud and theft committed by authorized or unauthorized users of the system
Employee sabotage
Loss of physical and infrastructure support
Malicious hackers
Industrial espionage
Malicious code
Foreign government espionage
Threats to personal privacy

5.4.3 Wireless Security Threats and Risk Mitigation (continued)


Security requirements
Authenticity
Nonrepudiation
Accountability
Network availability

5.4.3 Wireless Security Threats and Risk Mitigation (continued)


Malicious access to WLANs
War driving
War walking
War chalking

5.4.4 Internet Threats and Security


Network security attacks
Passive attacks
Active attacks

5.4.4 Internet Threats and Security (continued)


Passive attacks
Network analysis
Eavesdropping
Traffic analysis

5.4.4 Internet Threats and Security (continued)


Active attacks
Brute-force attack

Masquerading
Packet replay
Phishing
Message modification
Unauthorized access through the Internet or web-based services
Denial of service
Dial-in penetration attacks

E-mail bombing and spamming


E-mail spoofing

5.4.4 Internet Threats and Security (continued)


Threat impact
Loss of income
Increased cost of recovery (correcting information and reestablishing services)
Increased cost of retrospectively securing systems
Loss of information (critical data, proprietary information, contracts)
Loss of trade secrets
Damage to reputation
Degraded performance in network systems
Legal and regulatory noncompliance
Failure to meet contractual commitments
Legal action by customers for loss of confidential data

5.4.4 Internet Threats and Security (continued)


Causal factors for Internet attacks
Availability of tools and techniques on the Internet
Lack of security awareness and training
Exploitation of security vulnerabilities

Inadequate security over firewalls


Internet security controls

5.4.4 Internet Threats and Security (continued)


Firewall security systems
Firewall general features
Firewall types
Router packet filtering
Application firewall systems
Stateful inspection
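As an added worked example (not part of the course material), the Go program below contrasts two of the firewall types on this slide: a router packet filter, which judges every packet on its own header against a rule table, and stateful inspection, which also keeps a table of connections opened from the inside so that reply traffic can be admitted without a standing inbound rule. The protected host `10.0.0.5`, the outside address `203.0.113.9`, the ports and the simplified TCP header are constructed for the example; the rules shown are illustrative, not a recommended policy.

```go
package main

import "fmt"

// Packet is a simplified IP/TCP header, enough for a filtering decision.
type Packet struct {
	Src, Dst         string
	SrcPort, DstPort int
	Syn, Ack         bool // TCP flags
}

// Rule is one line of a router packet-filter table: literal matches with "*"
// as a wildcard address and 0 as "any destination port". Constructed for this example.
type Rule struct {
	Src, Dst string
	DstPort  int
	Allow    bool
}

func match(r Rule, p Packet) bool {
	return (r.Src == "*" || r.Src == p.Src) && (r.Dst == "*" || r.Dst == p.Dst) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// PacketFilter is the stateless case: first matching rule wins, default deny.
// It has no memory, so a reply to a connection opened from inside looks like any
// other inbound packet.
func PacketFilter(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if match(r, p) {
			return r.Allow
		}
	}
	return false
}

// flow identifies a connection by both endpoints.
type flow struct {
	Src, Dst         string
	SrcPort, DstPort int
}

// Stateful adds a connection table to the same rule set: outbound connections
// opened from the inside are recorded, and a packet is admitted if it is the
// reply to a recorded connection; everything else falls through to the rules.
type Stateful struct {
	Rules     []Rule
	Inside    map[string]bool // addresses on the protected side
	conntrack map[flow]bool
}

func NewStateful(rules []Rule, inside ...string) *Stateful {
	s := &Stateful{Rules: rules, Inside: map[string]bool{}, conntrack: map[flow]bool{}}
	for _, a := range inside {
		s.Inside[a] = true
	}
	return s
}

func (s *Stateful) Decide(p Packet) bool {
	reverse := flow{Src: p.Dst, Dst: p.Src, SrcPort: p.DstPort, DstPort: p.SrcPort}
	if s.conntrack[reverse] {
		return true // reply to a connection we watched being opened
	}
	if s.Inside[p.Src] && p.Syn && !p.Ack {
		s.conntrack[flow{p.Src, p.Dst, p.SrcPort, p.DstPort}] = true // remember the new outbound connection
		return true
	}
	return PacketFilter(s.Rules, p)
}

func main() {
	rules := []Rule{
		{Src: "10.0.0.5", Dst: "*", Allow: true},              // inside host may go anywhere
		{Src: "*", Dst: "10.0.0.5", DstPort: 80, Allow: true}, // outside may reach the web service only
	}
	outbound := Packet{Src: "10.0.0.5", Dst: "203.0.113.9", SrcPort: 51000, DstPort: 443, Syn: true}
	reply := Packet{Src: "203.0.113.9", Dst: "10.0.0.5", SrcPort: 443, DstPort: 51000, Syn: true, Ack: true}
	probe := Packet{Src: "203.0.113.9", Dst: "10.0.0.5", SrcPort: 4444, DstPort: 3389, Syn: true}

	fmt.Println("stateless: reply to our own request allowed?", PacketFilter(rules, reply)) // false: session breaks
	leaky := append(rules, Rule{Src: "*", Dst: "10.0.0.5", Allow: true})                  // the misconfiguration that "fixes" it
	fmt.Println("stateless with open inbound rule: reply", PacketFilter(leaky, reply), "probe", PacketFilter(leaky, probe))

	fw := NewStateful(rules, "10.0.0.5")
	fw.Decide(outbound) // connection table now remembers this session
	fmt.Println("stateful: reply", fw.Decide(reply), "probe", fw.Decide(probe))
}
```

The `leaky` table is the misconfiguration an auditor should look for in a stateless design: the only way to let replies through is a broad inbound rule, which also admits unsolicited connections to every port. The stateful filter keeps the narrow rule set and still passes the reply, which is the practical reason the two types are listed separately.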

5.4.4 Internet Threats and Security (continued)


Examples of firewall implementations
Screened-host firewall
Dual-homed firewall
Demilitarized zone (DMZ)

5.4.4 Internet Threats and Security (continued)


Firewall issues
A false sense of security
The circumvention of firewalls
Misconfigured firewalls
What constitutes a firewall
Monitoring activities may not occur on a regular basis
Firewall policies

5.4.4 Internet Threats and Security (continued)


Firewall security systems
Firewall platforms
Using hardware or software
Appliances versus normal servers

5.4.4 Internet Threats and Security (continued)


Intrusion detection system (IDS)
An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies
Network-based IDS
Host-based IDS

5.4.4 Internet Threats and Security (continued)


Intrusion detection system (IDS) components
Sensors that are responsible for collecting data
Analyzers that receive input from sensors and determine intrusive activity
An administration console
A user interface

5.4.4 Internet Threats and Security (continued)


Intrusion detection systems (IDS) types include:
Signature-based
Statistical-based
Neural networks

5.4.4 Internet Threats and Security (continued)


Intrusion detection system (IDS) features
Intrusion detection
Gathering evidence on intrusive activity
Automated response
Security monitoring
Interface with system tools
Security policy management

5.4.4 Internet Threats and Security (continued)


Honeypots and honeynets
High interaction: give hackers a real environment to attack
Low interaction: emulate production environments

5.4.5 Encryption
Key elements of encryption systems
Encryption algorithm
Encryption key
Key length

Private key cryptographic systems
Public key cryptographic systems

5.4.5 Encryption (continued)


Elliptical curve cryptosystem (ECC)
Quantum cryptography
Advanced Encryption Standard (AES)
Digital signatures

5.4.5 Encryption (continued)


Digital signatures
Data integrity
Authentication
Nonrepudiation
Replay protection

5.4.5 Encryption (continued)


Digital envelope
Used to send encrypted information and the relevant key along with it. The message to be sent can be encrypted by using either:
Asymmetric key
Symmetric key

5.4.5 Encryption (continued)


Public Key Infrastructure (PKI)
Digital certificates
Certificate authority (CA)
Registration authority (RA)
Certificate revocation list (CRL)
Certification practice statement (CPS)

5.4.5 Encryption (continued)


Use of encryption in OSI protocols
Secure sockets layer (SSL)
Secure Hypertext Transfer Protocol (S/HTTP)
IP security
SSH
Secure multipurpose Internet mail extensions (S/MIME)
Secure electronic transactions (SET)

5.4.6 Viruses
Viruses attack four parts of the computer
Executable program files
The file directory system, which tracks the location of all the computer's files
Boot and system areas, which are needed to start the computer
Data files

5.4.6 Viruses (continued)


Virus and worm controls
Management procedural controls
Technical controls
Anti-virus software implementation strategies

5.5.2 Auditing Logical Access


When evaluating logical access controls the IS auditor should:
Obtain a general understanding of the security risks facing information processing
Document and evaluate controls over potential access paths into the system
Test controls over access paths to determine whether they are functioning and effective
Evaluate the access control environment to determine if the control objectives are achieved
Evaluate the security environment to assess its adequacy

5.5.3 Techniques for Testing Security


Terminal cards and keys
Terminal identification
Logon IDs and passwords
Controls over production resources
Logging and reporting access violations
Follow-up access violations
Bypassing security and compensating controls

5.6 Auditing Network Infrastructure Security


Review network diagrams
Identify the network design implemented
Determine that applicable security policies, standards, procedures and guidance on network management and usage exist
Identify who is responsible for security and operation of Internet connections
Identify legal problems arising from the Internet
Review service level agreements (SLAs) if applicable
Review network administrator procedures

5.6.1 Auditing Remote Access


Assess remote access points of entry

Test dial-up access controls


Test the logical controls
Evaluate remote access approaches for cost-effectiveness, risk and business requirements

5.6.1 Auditing Remote Access (continued)


Audit Internet points of presence:
E-mail
Marketing
Sales channel / electronic commerce
Channel of delivery for goods / services
Information gathering

5.6.1 Auditing Remote Access (continued)


Audit scope should identify network penetration tests:
Precise IP addresses / ranges to be tested
Host restrictions
Acceptable testing techniques
Acceptance of proposed methodology from management
Attack simulation details

5.6.1 Auditing Remote Access (continued)


Audit should also include:
Full network assessment reviews
Development and authorization of network changes
Unauthorized changes
Computer forensics

5.7.1 Environmental Issues and Exposures


Power failures:
Total failure (blackout)
Severely reduced voltage (brownout)
Sags, spikes and surges
Electromagnetic interference (EMI)

5.7.2 Controls for Environmental Exposures


Alarm control panels
Water detectors
Handheld fire extinguishers
Manual fire alarms
Smoke detectors
Fire suppression systems
Strategically locating the computer room
Regular inspection by fire department

5.7.2 Controls for Environmental Exposures (continued)


Fireproof walls, floors and ceilings of the computer room
Electrical surge protectors
Uninterruptible power supply / generator
Emergency power-off switch
Power leads from two substations
Wiring placed in electrical panels and conduit
Inhibited activities within the IPF
Fire-resistant office materials
Documented and tested emergency evacuation plans

5.8.1 Physical Access Issues and Exposures


Unauthorized entry
Damage, vandalism or theft to equipment or documents
Copying or viewing of sensitive or copyrighted information
Alteration of sensitive equipment and information
Public disclosure of sensitive information
Abuse of data processing resources
Blackmail
Embezzlement

5.8.1 Physical Access Issues and Exposures (continued)


Possible perpetrators include employees who are:
Disgruntled
On strike
Threatened by disciplinary action or dismissal
Addicted to a substance or gambling
Experiencing financial or emotional problems
Notified of their termination

5.8.2 Physical Access Controls


Bolting door locks
Combination door locks (cipher locks)
Electronic door locks
Biometric door locks
Manual logging
Electronic logging

5.8.2 Physical Access Controls (continued)


Identification badges (photo IDs)
Video cameras
Security guards
Controlled visitor access
Bonded personnel
Deadman doors

5.8.2 Physical Access Controls (continued)


Not advertising the location of sensitive facilities
Computer workstation locks
Controlled single entry point
Alarm system
Secured report / document distribution cart

5.8.3 Auditing Physical Access


Touring the information processing facility (IPF)
Testing of physical safeguards
