Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

Before discussing the preventive, detective, and corrective controls, it is helpful to understand the basic steps used by criminals to attack an organization’s information system:

1. Reconnaissance. Computer attackers begin by collecting information about their target. Much valuable information can be obtained by perusing an organization’s financial statements, SEC filings, Web site, and press releases.
2. Attempt Social Engineering. Why go through all the trouble of trying to break into a system if you can get someone to let you in? Attackers will often try to use the information obtained during their initial reconnaissance to socially engineer (i.e., trick) an unsuspecting employee into granting them access. An attack known as “spear phishing” involves sending e-mails purportedly coming from someone else in the organization whom the victim knows, or should know.
3. Scan and Map the Target. If an attacker cannot successfully penetrate the target system via social engineering, the next step is to conduct more detailed reconnaissance to identify potential points of remote entry.
4. Research. Once the attacker has identified specific targets and knows what versions of software are used, the next step is to find known vulnerabilities for those programs.
5. Execute the Attack and obtain unauthorized access to the system.
6. Cover Tracks. After penetrating the victim’s information system, most attackers will try to cover their tracks and create “back doors” in case their initial attack is discovered.

Preventive Controls

Preventive controls consist of two related functions: authentication and authorization controls.

Authentication Controls

Authentication focuses on verifying the identity of the person or device attempting to access the system. Users can be authenticated by verifying:

1. Something they know, such as passwords or personal identification numbers (PINs)
2. Something they have, such as smart cards or ID badges
3. Some physical characteristic (referred to as a biometric identifier), such as their fingerprints or voice

Authorization Controls

Authorization restricts the access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform. An access control matrix is a table specifying which portions of the system users are permitted to access and what actions they can perform. When an employee attempts to access a particular information resource, the system performs a compatibility test that matches the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.

Authentication and authorization should also apply to devices. Every workstation, printer, or other computing device needs a Network Interface Card (NIC) to connect to the organization’s internal network. Each NIC has a unique identifier, referred to as its Media Access Control (MAC) address.

Training

Training is a critical preventive control, as employees must understand and follow the organization’s security policies. All employees should be taught why security measures are important to the organization’s long-run survival. Some good security measures include:

1. Never open unsolicited e-mail attachments
2. Only use approved software
3. Never share or reveal your passwords
4. Take steps to physically protect laptops

Training is especially needed to educate employees about social engineering attacks, which use deception to obtain unauthorized access to information resources. Employees also need to be trained not to allow other people to follow them through restricted access entrances.
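The two related preventive functions described under Authentication Controls and Authorization Controls above, shown as an added Python example that is not from the textbook: a user is first authenticated by “something they know” (a salted, hashed password), and only then is the requested action checked against an access control matrix with a compatibility test. The users, passwords, resources, and permissions below are constructed for the illustration; anything the matrix does not explicitly grant is denied.

```python
"""Authentication followed by an access-control-matrix compatibility test.

Added example (not from the textbook). The users, passwords, resources
and permissions below are constructed for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # work factor for the password hash


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_credential(password: str) -> dict:
    """Create a salted, hashed credential record for one user."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed credential store: "something they know" for each user.
CREDENTIALS = {
    "alice": make_credential("correct horse battery staple"),
    "bob": make_credential("ledger-2024!"),
    "carol": make_credential("payroll-readonly"),
}

# Constructed access control matrix: rows are users, columns are resources,
# and each cell holds the actions that user may perform on that resource.
ACCESS_CONTROL_MATRIX = {
    "alice": {"payroll_db": {"read", "update"}, "general_ledger": {"read"}},
    "bob":   {"general_ledger": {"read", "update", "post"}},
    "carol": {"payroll_db": {"read"}},
}


def authenticate(user: str, password: str) -> bool:
    """Verify identity. Unknown users still pay the hashing cost so that
    response time does not reveal which usernames exist."""
    record = CREDENTIALS.get(user)
    if record is None:
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time comparison


def compatibility_test(user: str, resource: str, action: str) -> bool:
    """Match the user against the matrix. Anything not explicitly granted
    (unknown user, unknown resource, unlisted action) is denied."""
    return action in ACCESS_CONTROL_MATRIX.get(user, {}).get(resource, set())


def request_access(user: str, password: str, resource: str, action: str) -> str:
    """The two preventive functions in order: authenticate the user, then
    authorize the specific action on the specific resource."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not compatibility_test(user, resource, action):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    print(request_access("alice", "correct horse battery staple", "payroll_db", "update"))
    print(request_access("alice", "correct horse battery staple", "general_ledger", "update"))
    print(request_access("alice", "wrong password", "payroll_db", "read"))
    print(request_access("mallory", "anything", "payroll_db", "read"))
```

Two design points carry over to real systems: the authorization check is default-deny (a missing row or cell means no access, rather than an error path that might be mishandled), and a failed authentication is reported before any authorization decision is made, so the response never reveals what an unauthenticated caller would have been permitted to do.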
Following an authorized person through a restricted entrance, a social engineering attack called piggybacking, can take place not only at the main entrance to the building but also at any internal locked door, especially to rooms that contain computer equipment.

Controlling Physical Access

Controlling physical access to the system is absolutely essential. Within minutes, a skilled attacker can gain physical access to the system and obtain sensitive data. Someone with unsupervised physical access could also insert special “boot” disks that provide direct access to every file on the computer and then copy sensitive files to a portable device such as a USB drive. An attacker with unsupervised physical access could simply remove the hard drive or even steal the entire computer. One of COBIT’s 34 top-level control objectives, DS 12, focuses specifically on physical security. Focus 8-2 on page 250 describes an especially elaborate set of physical access controls referred to as a “man-trap.” This technique uses specially designed rooms that serve as the entryway to the data center. They typically contain two doors, each of which uses multiple authentication methods to control access.

Laptops, cell phones, and Personal Digital Assistant (PDA) devices require special attention. A PDA is a handheld computer that has had a significant impact on personal productivity. Laptop theft is a large problem. The major cost is not the price of replacing the laptop, but the loss of the confidential information it contains and the costs of notifying those affected.

Controlling Remote Access

Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems

Figure 8-4 on page 251 shows the relationship between an organization’s information system and the Internet. A border router connects an organization’s information system to the Internet. Behind the border router is the main firewall, which is either a special-purpose hardware device or software running on a general-purpose computer. A firewall is a combination of security algorithms and router communications protocols that prevents outsiders from tapping into corporate databases and e-mail systems. The organization’s Web servers and e-mail servers are placed in a separate network, called the demilitarized zone (DMZ), because it sits outside the corporate network yet is accessible from the Internet.

Overview of TCP/IP and Routers

Information travels throughout the Internet and internal local area networks in the form of packets. Documents and files are not sent to the printer as a whole; instead they are broken down into packets, which are then sent to the printer. Well-defined rules and procedures called protocols dictate how to perform these activities. Figure 8-5 on page 252 shows how two important protocols, referred to together as TCP/IP, govern the process for transmitting information over the Internet. The Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into packets to be sent over the Internet and the methods for reassembling the original document or file at the destination. The Internet Protocol (IP) specifies the structure of those packets and how to route them to the proper destination. Every IP packet consists of two parts: a header and a body. The header contains the packet’s origin and destination addresses, as well as information about the type of data contained in the body of the packet. Special-purpose devices called routers are designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next.

Filtering Packets

A set of rules, called an Access Control List (ACL), determines which packets are allowed entry and which are dropped. Border routers typically perform what is called static packet filtering, which screens individual IP packets based solely on the contents of the source or destination fields in the IP packet header.
Stateful packet filtering maintains a table that lists all established connections between the organization’s computers and the Internet, so that replies to connections opened from inside can be admitted without a separate rule for each one.

Deep Packet Inspection

Stateful packet filtering is still limited to examining only information in the IP packet header. By analogy with postal mail, undesirable mail can get through if the return address is not on the list of unacceptable sources. Clearly, control over incoming mail would be more effective if each envelope or package were opened and inspected. The process called deep packet inspection, which examines the contents of the packet body as well as the header, provides this added control. Intrusion prevention systems (IPS) are designed to identify and drop packets that are part of an attack.

Defense-in-Depth

The use of multiple perimeter filtering devices is actually more efficient than trying to use only one device. Figure 9-4 on page 284 illustrates another dimension of the concept of defense-in-depth: the use of a number of internal firewalls to segment different departments within the organization.

Dial-Up Connections

The Remote Authentication Dial-In User Service (RADIUS) is a standard method that verifies the identity of users attempting to connect via dial-in access. Modems are cheap and easy to install. If an employee installs a personally purchased modem on the office computer, the modem is called a rogue modem. This creates a back door through which a hacker could easily gain access to the company’s system. To detect these unauthorized rogue modems, either computer security or internal auditing uses war dialing software. This software calls every telephone number assigned to the organization to identify those which are connected to modems, which in turn identifies the rogue modems.
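The three filtering approaches from the Filtering Packets and Deep Packet Inspection sections above, together with the defense-in-depth point, as an added Python example that is not from the textbook. It models a static ACL that reads only header fields, a stateful filter that remembers connections opened from inside so that replies can return, and a deep inspection step that opens the body of web traffic and drops malformed or oversized requests that header-only filtering passes. The addresses (internal network 10.0.0.0/24, DMZ 192.0.2.0/24 with a mail server at 192.0.2.5 and a web server at 192.0.2.6), the ACL rules, the size limit, and the sample packets are all constructed for the example.

```python
"""Static, stateful and deep packet inspection filtering over constructed packets.

Added example (not from the textbook). The addresses, ACL rules, size limit
and sample packets are constructed; the internal network is 10.0.0.0/24 and
the DMZ is 192.0.2.0/24, with a mail server at 192.0.2.5 and a web server
at 192.0.2.6.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    """Only the header fields a filter reads, plus the body for deep inspection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


# Static ACL, evaluated top to bottom; the first matching rule decides.
# Each rule: (action, source network, destination network, destination port or None).
STATIC_ACL = [
    ("permit", "0.0.0.0/0", "192.0.2.5/32", 25),    # inbound mail to the DMZ mail server
    ("permit", "0.0.0.0/0", "192.0.2.6/32", 80),    # inbound web to the DMZ web server
    ("deny",   "0.0.0.0/0", "0.0.0.0/0",    None),  # everything else is dropped
]


def static_filter(pkt: Packet) -> bool:
    """Static packet filtering: decide from the header's address fields alone."""
    src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
    for action, src_net, dst_net, port in STATIC_ACL:
        if (src in ip_network(src_net) and dst in ip_network(dst_net)
                and (port is None or pkt.dst_port == port)):
            return action == "permit"
    return False  # no matching rule: deny by default


class StatefulFilter:
    """Stateful packet filtering: remember the connections internal hosts open
    so their replies can come back; unsolicited inbound traffic must still
    pass the static ACL."""

    def __init__(self) -> None:
        self.connections = set()  # established (src_ip, src_port, dst_ip, dst_port) tuples

    def filter(self, pkt: Packet) -> bool:
        if ip_address(pkt.src_ip) in INTERNAL_NET:
            # Outbound: record the connection so the reply is recognised later.
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: is this the reverse of a connection an internal host started?
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.connections:
            return True
        return static_filter(pkt)


MAX_REQUEST_LINE = 1024           # constructed limit for the example
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}


def deep_inspect(pkt: Packet) -> bool:
    """Deep packet inspection: open the body of traffic to the web server and
    drop requests that are malformed or far larger than any legitimate input."""
    if pkt.dst_port != 80 or not pkt.payload:
        return True  # not web traffic, or nothing in the body to inspect
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return False  # oversized input: the kind of thing header-only filters never see
    parts = request_line.split(b" ")
    return len(parts) == 3 and parts[0] in ALLOWED_METHODS and parts[2].startswith(b"HTTP/")


def admit(fw: StatefulFilter, pkt: Packet) -> bool:
    """Defense-in-depth: a packet is admitted only if every layer accepts it."""
    return fw.filter(pkt) and deep_inspect(pkt)


if __name__ == "__main__":
    fw = StatefulFilter()
    normal = Packet("198.51.100.7", 40000, "192.0.2.6", 80,
                    b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n")
    oversized = Packet("198.51.100.7", 40001, "192.0.2.6", 80,
                       b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\n\r\n")
    print("normal request admitted:", admit(fw, normal))
    print("static filter alone on oversized request:", static_filter(oversized))
    print("all layers on oversized request:", admit(fw, oversized))
```

The `__main__` section shows the gap the text describes: the oversized request has an entirely ordinary header, so static filtering permits it, and only the layer that looks inside the body rejects it. The stateful table is what lets a reply to an internal host’s outbound connection through even though no static rule permits inbound traffic to the internal network.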
Wireless Access

The following procedures need to be followed to adequately secure wireless access:

1. Turn on available security features.
2. Authenticate all devices attempting to establish wireless access to the network before assigning them an IP address.
3. Configure all authorized wireless Network Interface Cards (NICs) to operate only in infrastructure mode, which forces the device to connect only to wireless access points.
4. Use noninformative names for the access point’s address, which is called a Service Set Identifier (SSID).
5. Predefine a list of authorized Media Access Control (MAC) addresses and configure wireless access points to accept connections only if the device’s MAC address is on the authorized list.
6. Reduce the broadcast strength of wireless access points to make unauthorized reception off-premises more difficult.
7. Locate wireless access points in the interior of the building and use directional antennas to make unauthorized access and eavesdropping more difficult.

Host and Application Hardening

Routers, firewalls, and intrusion prevention systems are designed to protect the network perimeter. However, information system security is enhanced by supplementing these perimeter defenses with preventive controls on the hosts and applications themselves. Three areas deserve special attention:

1. Host configuration
2. User accounts
3. Software design

1. Host Configuration

Hosts can be made more secure by modifying their configurations. Every program running on a host represents a potential point of attack because it probably contains flaws, called vulnerabilities, that can be exploited to either crash the system or take control of it. Microsoft Baseline Security Analyzer and vulnerability scanners can be used to identify unused and, therefore, unnecessary programs that represent potential security threats. This process of turning off unnecessary features is called hardening.

2. Managing User Accounts and Privileges

Users who need administrative powers on a particular computer should be assigned two accounts: one with administrative rights and another that has only limited privileges. It is especially important that they be logged into their limited regular user account when browsing the Web or reading their e-mail.

3. Software Design

As organizations have increased the effectiveness of their perimeter security controls, attackers have increasingly targeted vulnerabilities in application programs. The most common input-related vulnerability is referred to as a buffer overflow attack, in which an attacker sends a program more data than it can handle. Most programs set aside a fixed amount of memory, referred to as a buffer, to hold user input. However, if the program does not carefully check the size of the data being input, an attacker may enter many times the amount of data that was anticipated and overflow the buffer.