C HAPTER 7 Information Systems Controls for Systems Reliability

advertisement
C HAPTER 7
Information Systems Controls
for Systems Reliability
Part 1: Information Security
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
1 of 212
INTRODUCTION
• Questions to be addressed in this chapter:
– How does security affect systems reliability?
– What are the four criteria that can be used to evaluate
the effectiveness of an organization’s information
security?
– What is the time-based model of security and the
concept of defense-in-depth?
– What types of preventive, detective, and corrective
controls are used to provide information security?
– How does encryption contribute to security and how
do the two basic types of encryption systems work?
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
2 of 212
INTRODUCTION
• One basic function of an AIS is to provide
information useful for decision making. In
order to be useful, the information must be
reliable, which means:
– It provides an accurate, complete, and timely
picture of the organization’s activities.
– It is available when needed.
– The information and the system that produces
it is protected from loss, compromise, and
theft.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
3 of 212
INTRODUCTION
SYSTEMS
RELIABILITY
© 2006 Prentice Hall Business Publishing
• The Trust Services framework
developed by the AICPA and
the Canadian Institute of
Chartered Accountants (CICA)
identified five basic principles
that contribute to systems
reliability:
Accounting Information Systems, 10/e
Romney/Steinbart
4 of 212
INTRODUCTION
SYSTEMS
RELIABILITY
• The Trust Services framework
developed by the AICPA and
the Canadian Institute of
Chartered Accountants (CICA)
identified five basic principles
that contribute to systems
reliability:
– Security
• Access to the system and its data
is controlled.
SECURITY
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
5 of 212
INTRODUCTION
CONFIDENTIALITY
SYSTEMS
RELIABILITY
• The Trust Services framework
developed by the AICPA and
the Canadian Institute of
Chartered Accountants (CICA)
identified five basic principles
that contribute to systems
reliability:
– Security
– Confidentiality
• Sensitive information is protected
from unauthorized disclosure.
SECURITY
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
6 of 212
INTRODUCTION
PRIVACY
CONFIDENTIALITY
SYSTEMS
RELIABILITY
• The Trust Services framework
developed by the AICPA and
the Canadian Institute of
Chartered Accountants (CICA)
identified five basic principles
 Personal information about
that
contribute to systems
customers collected through ereliability:
commerce is collected, used,
–
–
–
Security
disclosed, and maintained in an
appropriate manner.
Confidentiality
Privacy
SECURITY
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
7 of 212
INTRODUCTION
PROCESSING INTEGRITY
PRIVACY
CONFIDENTIALITY
SYSTEMS
RELIABILITY
• The Trust Services framework
developed by the AICPA and
the Canadian Institute of
Chartered Accountants (CICA)
identified five basic principles
• that
Data
is processed:
contribute
to systems
– Accurately
reliability:
–
–
–
–
–Security
Completely
–Confidentiality
In a timely manner
–Privacy
With proper authorization
Processing integrity
SECURITY
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
8 of 212
INTRODUCTION
SECURITY
© 2006 Prentice Hall Business Publishing
AVAILABILITY
PROCESSING INTEGRITY
PRIVACY
CONFIDENTIALITY
SYSTEMS
RELIABILITY
• The Trust Services framework
developed by the AICPA and
the Canadian Institute of
Chartered Accountants (CICA)
identified five basic principles
that contribute to systems
reliability:
–
–
–
–
–
Security
Confidentiality
The system is available to meet
Online
privacyand contractual
operational
obligations.
Processing
integrity
Availability
Accounting Information Systems, 10/e
Romney/Steinbart
9 of 212
INTRODUCTION
SECURITY
© 2006 Prentice Hall Business Publishing
AVAILABILITY
PROCESSING INTEGRITY
PRIVACY
CONFIDENTIALITY
SYSTEMS
RELIABILITY
• Note the importance of
security in this picture. It is
the foundation of systems
reliability. Security
procedures:
– Restrict system access to
only authorized users and
protect:
• The confidentiality of sensitive
organizational data.
• The privacy of personal
identifying information
collected from customers.
Accounting Information Systems, 10/e
Romney/Steinbart
10 of 212
INTRODUCTION
• Security procedures also:
– Provide for processing
integrity by preventing:
SECURITY
© 2006 Prentice Hall Business Publishing
AVAILABILITY
PROCESSING INTEGRITY
PRIVACY
CONFIDENTIALITY
SYSTEMS
RELIABILITY
• Submission of unauthorized or
fictitious transactions.
• Unauthorized changes to
stored data or programs.
– Protect against a variety of
attacks, including viruses
and worms, thereby
ensuring the system is
available when needed.
Accounting Information Systems, 10/e
Romney/Steinbart
11 of 212
INTRODUCTION
• In this chapter, we will focus on the Trust
Services principle of information security.
• Chapter 8 will discuss controls relevant to the
other four reliability principles.
• This chapter provides a broad introduction to the
topic of information systems security.
• Anyone interested in a career in information
systems security would need to undertake
additional detailed study.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
12 of 212
INTRODUCTION
• There has been a dramatic rise in the number of
reported security incidents in recent years,
including:
–
–
–
–
Denial of service attacks
Fraud
Loss of trade secrets
Identity theft
• Accountants and IS professionals need to
understand basic principles of information
security in order to protect their organizations
and themselves.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
13 of 212
FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
• There are three fundamental information
security concepts that will be discussed in
this chapter:
– Security as a management issue, not a
technology issue.
– The time-based model of security.
– Defense in depth.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
14 of 212
FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
• There are three fundamental information
security concepts that will be discussed in
this chapter:
– Security as a management issue, not a
technology issue.
– The time-based model of security.
– Defense in depth.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
15 of 212
SECURITY AS A MANAGEMENT ISSUE
• Though information security is a complex
technical subject, security is first and
foremost a top management issue, not an
IT issue.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
16 of 212
SECURITY AS A MANAGEMENT ISSUE
• Management is responsible for the accuracy of various
internal reports and financial statements produced by the
organization’s IS.
– SOX Section 302 requires that the CEO and CFO certify the
accuracy of the financial statements.
– SOX Section 404 requires that the annual report include a report
on the company’s internal controls. Within this report,
management acknowledges their responsibility for designing and
maintaining internal controls and assessing their effectiveness.
– Security is a key component of the internal control and systems
reliability to which management must attest.
– As identified in the COSO model, management’s philosophy and
operating style are critical to an effective control environment.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
17 of 212
SECURITY AS A MANAGEMENT ISSUE
• The Trust Services framework identifies four
essential criteria for successfully implementing
the five principles of systems reliability:
– Develop and document policies.
– Effectively communicate those policies to all
authorized users.
– Design and employ appropriate control procedures to
implement those policies.
– Monitor the system, and take corrective action to
maintain compliance with the policies.
• Top management involvement and support is
necessary to satisfy each of the preceding
criteria.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
18 of 212
SECURITY AS A MANAGEMENT ISSUE
• The Trust Services framework identifies four
essential criteria for successfully implementing
the five principles of systems reliability:
– Develop and document policies.
– Effectively communicate those policies to all
authorized users.
– Design and employ appropriate control procedures to
implement those policies.
– Monitor the system, and take corrective action to
maintain compliance with the policies.
• Top management involvement and support is
necessary to satisfy each of the preceding
criteria.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
19 of 212
SECURITY AS A MANAGEMENT ISSUE
• Policy Development
– It’s more exciting to react to security issues than to
prevent them.
– However, it is important to develop a comprehensive
set of security policies before designing and
implementing specific control procedures.
– Helps ensure that the security products you ultimately
purchase protect each IS resource.
– Developing a comprehensive set of security policies
begins with taking an inventory of information
systems resources, including:
• Hardware
• Software
• Databases
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
20 of 212
SECURITY AS A MANAGEMENT ISSUE
• Once the resources have been identified, they
need to be valued in order to select the most
cost-effective control procedures.
– Not easy—particularly in valuing information itself.
– Top management needs to be involved because they
have a broader understanding of the organization’s
mission and goals that will enable them to better
assess the dollar impact caused by loss or disclosure
of information resources.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
21 of 212
SECURITY AS A MANAGEMENT ISSUE
• The Trust Services framework identifies four
essential criteria for successfully implementing
the five principles of systems reliability:
– Develop and document policies.
– Effectively communicate those policies to all
authorized users.
– Design and employ appropriate control procedures to
implement those policies.
– Monitor the system, and take corrective action to
maintain compliance with the policies.
• Top management involvement and support is
necessary to satisfy each of the preceding
criteria.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
22 of 212
SECURITY AS A MANAGEMENT ISSUE
• Effective Communication of Policies
– Security policies must be communicated to and
understood by employees, customers, suppliers, and
other authorized users.
– Needs to be more than having people sign off that
they’ve received and read a written document.
– Employees should have regular reminders about
security policies and training in how to comply.
– Training and communication will only be taken
seriously if management provides active support and
involvement.
– Sanctions must also be associated with these
violations, again requiring management support for
enforcement.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
23 of 212
SECURITY AS A MANAGEMENT ISSUE
• The Trust Services framework identifies four
essential criteria for successfully implementing
the five principles of systems reliability:
– Develop and document policies.
– Effectively communicate those policies to all
authorized users.
– Design and employ appropriate control
procedures to implement those policies.
– Monitor the system, and take corrective action to
maintain compliance with the policies.
• Top management involvement and support is
necessary to satisfy each of the preceding
criteria.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
24 of 212
SECURITY AS A MANAGEMENT ISSUE
• Design and Employ Appropriate Control Procedures
– Control frameworks such as COBIT and Trust Services identify a
variety of specific control procedures and tools that can be used
to mitigate various security threats.
– Options differ in terms of cost and effectiveness.
– Determining the optimal level of investment in security involves
evaluating cost-benefit trade-offs.
– Systems personnel have knowledge about the technical merits
of each alternative, as well as the risk of various threats.
– Management insight is needed in identifying potential costs and
ensuring that all relevant organizational factors are considered.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
25 of 212
SECURITY AS A MANAGEMENT ISSUE
• The Trust Services framework identifies four
essential criteria for successfully implementing
the five principles of systems reliability:
– Develop and document policies.
– Effectively communicate those policies to all
authorized users.
– Design and employ appropriate control procedures to
implement those policies.
– Monitor the system, and take corrective action to
maintain compliance with the policies.
• Top management involvement and support is
necessary to satisfy each of the preceding
criteria.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
26 of 212
SECURITY AS A MANAGEMENT ISSUE
• Monitor and Take Remedial Action
– Security is a moving target.
– Technology advances create new threats and alter
the risks associated with existing threats.
– Effective control involves a continuous cycle of:
•
•
•
•
•
Developing policies to address identified threats;
Communicating those policies to all employees;
Implementing specific control procedures to mitigate risk;
Monitoring performance; and
Taking corrective action in response to problems.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
27 of 212
SECURITY AS A MANAGEMENT ISSUE
• Corrective actions often involve the modification
of existing cycles, and the cycle starts all over.
• Senior management must be involved to ensure
that security policies remain consistent with and
support the organization’s business strategy.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
28 of 212
FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
• There are three fundamental information
security concepts that will be discussed in
this chapter:
– Security is a management issue, not a
technology issue.
– The time-based model of security.
– Defense in depth.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
29 of 212
TIME-BASED MODEL OF SECURITY
• Given enough time and resources, any
preventive control can be circumvented.
• Consequently, effective control requires
supplementing preventive procedures with:
– Methods for detecting incidents; and
– Procedures for taking corrective remedial action.
• Detection and correction must be timely,
especially for information security, because once
preventive controls have been breached, it takes
little time to destroy, compromise, or steal the
organization’s economic and information
resources.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
30 of 212
TIME-BASED MODEL OF SECURITY
• The time-based model of security focuses on
implementing a set of preventive, detective, and
corrective controls that enable an organization to
recognize that an attack is occurring and take
steps to thwart it before any assets have been
compromised.
• All three types of controls are necessary:
– Preventive • Limit actions to those in accord
with the organization’s security
policy and disallow all others.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
31 of 212
TIME-BASED MODEL OF SECURITY
• The time-based model of security focuses on
implementing a set of preventive, detective, and
corrective controls that enable an organization to
recognize that an attack is occurring and take
steps to thwart it before any assets have been
compromised.
• All three types of controls are necessary:
– Preventive
– Detective  Identify when preventive controls
have been breached.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
32 of 212
TIME-BASED MODEL OF SECURITY
• The time-based model of security focuses on
implementing a set of preventive, detective, and
corrective controls that enable an organization to
recognize that an attack is occurring and take
steps to thwart it before any assets have been
compromised.
• All three types of controls are necessary:
– Preventive
– Detective
– Corrective
© 2006 Prentice Hall Business Publishing
• Repair damage from problems that
have occurred
• Improve preventive and detective
controls to reduce likelihood of
similar incidents.
Accounting Information Systems, 10/e
Romney/Steinbart
33 of 212
TIME-BASED MODEL OF SECURITY
• The time-based model evaluates the
effectiveness of an organization’s security by
measuring and comparing the relationship
among three variables:
– P = Time it takes an attacker to break through the
organization’s preventive controls
– D = Time it takes to detect that an attack is in
progress
– C = Time to respond to the attack
• These three variables are evaluated as follows:
– If P > (D + C), then security procedures are effective.
– Otherwise, security is ineffective.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
34 of 212
TIME-BASED MODEL OF SECURITY
• The model provides management with a
means to identify the most cost-effective
approach to improving security by
comparing the effects of additional
investments in preventive, detective, or
corrective controls.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
35 of 212
TIME-BASED MODEL OF SECURITY
• EXAMPLE: For an additional expenditure of
$25,000, the company could take one of four
measures:
–
–
–
–
Measure 1 would increase P by 5 minutes.
Measure 2 would decrease D by 3 minutes.
Measure 3 would decrease C by 5 minutes.
Measure 4 would increase P by 3 minutes and reduce
C by 3 minutes.
• Since each measure has the same cost, which
do you think would be the most cost-effective
choice? (Hint: Your goal is to have P exceed (D
+ C) by the maximum possible amount.)
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
36 of 212
 The most cost-effective choice
would therefore be Measure 4,
because for the same money, it
creates a greater distance between
the time it takes a perpetrator to
breakby
into
a systemit.and
the time it
You may be able to solve this problem
eyeballing
If not,
one way to solve it is to assume some
values for
D, and
takes initial
the company
toP,
detect
and
C.
thwart the attack.
So let’s assume that P = 15 min., D = 5 min., and C = 8 min.
At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min.
With Measure 1, P is increased by 5 minutes:
– 20 – (5 + 8) = 7 min.
With Measure 2, D is decreased by 3 minutes:
– 15 – (2 + 8) = 5 min.
With Measure 3, C is decreased by 5 min.
– 15 – (5 + 3) = 7 min.
With Measure 4, P is increased by 3 minutes and C is reduced
by 3 min.
– 18 – (5 + 5) = 8 min.
TIME-BASED MODEL OF SECURITY
•
•
•
•
•
•
•
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
37 of 212
FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
• There are three fundamental information
security concepts that will be discussed in
this chapter:
– Security is a management issue, not a
technology issue.
– The time-based model of security.
– Defense in depth.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
38 of 212
DEFENSE IN DEPTH
• The idea of defense-in-depth is to employ
multiple layers of controls to avoid having a
single point of failure.
• If one layer fails, another may function as
planned.
• Computer security involves using a combination
of firewalls, passwords, and other preventive
procedures to restrict access.
• Redundancy also applies to detective and
corrective controls.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
39 of 212
DEFENSE IN DEPTH
 Major types of preventive controls used for defense in
depth include:
– Authentication controls (passwords, tokens, biometrics, MAC
addresses)
– Authorization controls (access control matrices and compatibility
tests)
– Training
– Physical access controls (locks, guards, biometric devices)
– Remote access controls (IP packet filtering by border routers and
firewalls using access control lists; intrusion prevention systems;
authentication of dial-in users; wireless access controls)
– Host and Application Hardening procedures (firewalls, anti-virus
software, disabling of unnecessary features, user account
management, software design, e.g., to prevent buffer overflows)
– Encryption
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
40 of 212
DEFENSE IN DEPTH
• Detective controls include:
– Log analysis
– Intrusion detection systems
– Managerial reports
– Security testing (vulnerability scanners,
penetration tests, war dialing)
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
41 of 212
DEFENSE IN DEPTH
• Corrective controls include:
– Computer Emergency Response Teams
– Chief Security Officer (CSO)
– Patch Management
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
42 of 212
PREVENTIVE CONTROLS
• Major types of preventive controls used for defense in
depth include:
– Authentication controls (passwords, tokens, biometrics,
MAC addresses)
– Authorization controls (access control matrices and
compatibility tests)
– Training
– Physical access controls (locks, guards, biometric devices)
– Remote access controls (IP packet filtering by border routers and
firewalls using access control lists; intrusion prevention systems;
authentication of dial-in users; wireless access controls)
– Host and Application Hardening procedures (firewalls, anti-virus
software, disabling of unnecessary features, user account
management, software design, e.g., to prevent buffer overflows)
– Encryption
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
43 of 212
PREVENTIVE CONTROLS
• The objective of preventive controls is to
prevent security incidents from happening.
• Involves two related functions:
– Authentication
• Focuses on verifying the identity of the person or
device attempting to gain access.
– Authorization
• Restricts access of authenticated users to specific
portions of the system and specifies what actions
they are permitted to perform.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
44 of 212
PREVENTIVE CONTROLS
• Users can be authenticated by verifying:
– Something they know, such as passwords or
PINs.
– Something they have, such as smart cards or
ID badges.
– Some physical characteristic (biometric
identifier), such as fingerprints or voice.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
45 of 212
PREVENTIVE CONTROLS
• Passwords are probably the most
commonly used authentication method
and also the most controversial.
– An effective password must satisfy a number
of requirements:
• Length
 Longer is better.
 Should be at least 8 characters.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
46 of 212
PREVENTIVE CONTROLS
• Passwords are probably the most
commonly used authentication method
and also the most controversial.
– An effective password must satisfy a number
of requirements:
• Length
• Multiple character types
 Use a mix of upper-and lowercase alphabetic, numeric, and
special characters.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
47 of 212
PREVENTIVE CONTROLS
• Passwords are probably the most
commonly
used authentication
• Passwords
should not be wordsmethod
found in the
dictionary
or dictionary
words preceded or
and also the
most
controversial.
–
followed by a number such as 4dog or dog4.
An effective
password
must
satisfy
a number
• Should
not be related
to the
employee’s
personal interests or hobbies, because specialof requirements:
purpose, password-cracking dictionaries can be
• Lengthfound on the Internet containing the most
passwords
• Multiplecommon
character
types related to various topics.
• Random
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
48 of 212
PREVENTIVE CONTROLS
• Passwords are probably the most
commonly used authentication method
and also the most controversial.
– An effective password must satisfy a number
of requirements:
•
•
•
•
Length
• The
most important
Multiple
character
types requirement.
• A password must be kept secret to be effective.
Random
Secret
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
49 of 212
PREVENTIVE CONTROLS
• A password that meets the preceding criteria is
typically difficult to memorize—exacerbated by
the typical requirement that the password be
changed every 90 days.
• So most people either:
– Select passwords that can be easily guessed but can
be memorized; or
– Select passwords that meet the criteria for a strong
password but write them down.
– When the password is written down, it changes from
something the employee knows to something the
employee has, which can be stolen and used.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
50 of 212
PREVENTIVE CONTROLS
• As a result of this dilemma, some security
experts argue for abandoning the quest to
develop and use strong passwords.
– They note that a major component of help
desk costs is associated with resetting
passwords.
– They suggest reliance on dual-factor
authentication methods, such as a
combination of a smart card and a PIN
number.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
51 of 212
PREVENTIVE CONTROLS
• Other experts disagree.
– They note that operating systems can now
accommodate passwords longer than 15 characters.
– So users can create strong but easy-to-remember
paraphrases like: Idlike2binParis.
– Long paraphrases dramatically increase the effort
required to crack them by guessing.
– So this group argues that longer length, coupled with
the fact that it is easier to remember a long
paraphrase than a strong password, should
dramatically cut help desk costs while improving
security.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
52 of 212
PREVENTIVE CONTROLS
• Each authentication method has its
limitations.
– Passwords
• Can be guessed, lost, written down, or given
away.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
53 of 212
PREVENTIVE CONTROLS
• Each authentication method has its
limitations.
– Passwords
– Physical identification techniques
• Include cards, badges, and USB devices.
• Can be lost, stolen, or duplicated.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
54 of 212
• Expensive and often cumbersome
• Not yet 100% accurate, sometimes rejecting legitimate
users and allowing unauthorized people
• Some techniques like fingerprints may carry negative
connotations that hinder acceptance.
• Security concerns surround the storage of this data.
limitations.
– If the data is compromised, it could create serious, lifelong problems for the donor.
– Passwords
– Unlike passwords or tokens, biometric identifiers
cannot
be replaced ortechniques
changed.
– Physical
identification
PREVENTIVE CONTROLS
• Each authentication method has its
– Biometric techniques
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
55 of 212
PREVENTIVE CONTROLS
• Although none of the three basic authentication
methods is foolproof by itself, the use of two or
three in conjunction, known as multi-factor
authentication, is quite effective.
• Example: Using a palm print and a PIN number
together is much more effective than using either
method alone.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
56 of 212
PREVENTIVE CONTROLS
• Authorization controls are implemented by
creating an access control matrix.
– Specifies what part of the IS a user can
access and what actions they are permitted to
perform.
– When an employee tries to access a
particular resource, the system performs a
compatibility test that matches the user’s
authentication credentials against the matrix
to determine if the action should be allowed.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
57 of 212
PREVENTIVE CONTROLS
User Identification
Code
Number Password
12345
ABC
12346
DEF
12354
KLM
12359
NOP
12389
RST
12567
XYZ
Files
A
0
0
1
3
0
1
B
0
2
1
0
1
1
Programs
C
1
0
1
0
0
1
1
0
0
0
0
0
1
2
0
0
0
0
3
1
3
0
0
0
0
0
1
4
0
0
0
0
0
1
• Who has
the
authority
to delete
Program
2?
Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
58 of 212
PREVENTIVE CONTROLS
User Identification
Code
Number Password
12345
ABC
12346
DEF
12354
KLM
12359
NOP
12389
RST
12567
XYZ
Files
A
0
0
1
3
0
1
B
0
2
1
0
1
1
Programs
C
1
0
1
0
0
1
1
0
0
0
0
0
1
2
0
0
0
0
3
1
3
0
0
0
0
0
1
4
0
0
0
0
0
1
• Which
files can
user
12354
access?
Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
59 of 212
PREVENTIVE CONTROLS
User Identification
Code
Number Password
12345
ABC
12346
DEF
12354
KLM
12359
NOP
12389
RST
12567
XYZ
Files
A
0
0
1
3
0
1
B
0
2
1
0
1
1
Programs
C
1
0
1
0
0
1
1
0
0
0
0
0
1
2
0
0
0
0
3
1
3
0
0
0
0
0
1
4
0
0
0
0
0
1
• Which
programs
can user
12354
access?
Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
60 of 212
PREVENTIVE CONTROLS
 The access control matrix should be regularly
updated, so that an employee who changes job
duties cannot accumulate a set of rights that are
incompatible with proper segregation of duties.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
61 of 212
PREVENTIVE CONTROLS
• Authentication and authorization can be applied to
devices as well as users.
– Every workstation, printer, or other computing device needs a
network interface card (NIC) to connect to the organization’s
network.
– Each network device has a unique identifier, referred to as its
media access control (MAC) address.
– It is possible to restrict network access to only those devices
which have a recognized MAC address or to use MAC
addresses for authorization.
– For example, payroll or EFT applications should be set only to
run from authorized terminals.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
62 of 212
PREVENTIVE CONTROLS
• Although authentication and authorization
controls are key to restricting access to IS
resources, a number of other preventive
controls are necessary to provide
adequate security.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
63 of 212
PREVENTIVE CONTROLS
 These are the
multiple layers of
preventive
controls that
reflect the
defense-in-depth
approach to
satisfying the
constraints of the
time-based
model of security.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
64 of 212
PREVENTIVE CONTROLS
• Training
- The first
layer of
preventive
controls is
training.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
65 of 212
PREVENTIVE CONTROLS
• People play a critical role in information
security.
• The effectiveness of specific control
procedures depends on how well
employees understand and follow the
organization’s security policies.
• Employees should be taught why security
measures are important to the
organization’s long-run survival.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
66 of 212
PREVENTIVE CONTROLS
• Employees should be trained to follow
safe computing practices, such as:
– Never open unsolicited email attachments.
– Use only approved software.
– Never share or reveal passwords.
– Physically protect laptops, especially when
traveling.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
67 of 212
PREVENTIVE CONTROLS
• Train employees about social engineering attacks,
which use deception to obtain unauthorized access.
– Do not divulge passwords or other info about their accounts or
workstation configuration to anyone who contacts them by
phone, email, or IM, even if they claim to be part of systems
security staff.
– Do not allow other people (employees or outsiders) to follow
them through restricted-access entrances.
• This type of piggybacking can take place at main entrances
and at internal locked doors.
• Often succeeds because people feel it is rude not to let the
other person come through with them.
• Role-playing exercises are particularly helpful here.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
68 of 212
PREVENTIVE CONTROLS
• It is also important to invest in continuing
professional education for information
security specialists.
– New technology developments create new
security threats and make old solutions
obsolete.
– Organizations frequently fail to invest in this
vital training.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
69 of 212
PREVENTIVE CONTROLS
• It is also useful to keep abreast of recent
hacking developments.
– “White hat” organizations monitor hacker
activities and publish findings on the Web.
• How the activities are perpetrated.
• How network administrators can protect
themselves from each approach.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
70 of 212
PREVENTIVE CONTROLS
– Underground journals, books and cracker
Websites provide information on how to break
into systems, including how to:
• Breach a server
• Generate virus code
• Hide your identity
– These sites should be monitored to stay
abreast of current approaches and protect
your system.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
71 of 212
PREVENTIVE CONTROLS
• Top management must also provide support for
training.
– Providing funding
– Demonstrating that they support employees who
follow prescribed security policies.
• Especially important for combating social engineering
attacks.
– Enforcing consequences against employees who
willfully violate security policies.
• Sends strong message to other employees.
• May mitigate consequences to the organization if the
employee has engaged in illegal behavior.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
72 of 212
PREVENTIVE CONTROLS
• Controlling
Physical
Access
– Physical
access
controls are
the second
layer of
preventive
controls.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
73 of 212
PREVENTIVE CONTROLS
• Within a few minutes, a skilled attacker with
unsupervised direct physical access to the system can
successfully obtain access to sensitive data.
– Special boot disks exist that, when inserted, provide the person
with unfettered privileges and rights on the computer.
– Keystroke loggers can be installed on the PC through hardware
or software, which will capture every one of the authorized user’s
keystrokes, including his ID and password.
– A diskette with a publicly available utility can be inserted in a PC
which will instantly capture any ID number or password that has
been entered on that PC, since the time it was last booted..
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
74 of 212
PREVENTIVE CONTROLS
• Physical access control begins with entry points
to the building itself.
– Should be one regular entry point unlocked during
normal office hours.
– Fire codes require emergency exits.
• These should not permit entry from outside.
• Should be connected to an alarm that is triggered if someone
leaves through the exit.
– A receptionist or security guard should be stationed at
the main entrance of the building to:
• Verify the identity of employees.
• Require that visitors sign in and be escorted to their
destination.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
75 of 212
PREVENTIVE CONTROLS
• Once inside the building, physical access to rooms
housing computer equipment must be restricted.
– Rooms should be securely locked.
– All entries and exits should be monitored by closed-circuit
TV.
– Multiple failed access attempts should trigger an alarm.
– Rooms with servers with highly sensitive data should
supplement regular locks with:
• Card readers;
• Numeric keypads; or
• Biometric devices.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
76 of 212
PREVENTIVE CONTROLS
• Access to wiring used in LANs must be
restricted to prevent wiretapping.
– Cables and wiring should not be exposed in
areas accessible to casual visitors.
– Wall jacks not in use should be physically
disconnected from the network.
– Wiring closets should be securely locked.
• If shared with other tenants of a building, the
telecommunications equipment should be placed
inside locked steel cages.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
77 of 212
PREVENTIVE CONTROLS
• Physical access security must be cost
effective.
– Requires top management involvement to
ensure resources are properly valued and that
the access controls are appropriate for that
value.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
78 of 212
PREVENTIVE CONTROLS
• Laptops, cell phones, and PDA devices require
special attention.
– Laptop theft is a major problem, and the major cost is
not the price of the laptop but the loss of the
confidential information and the costs of notifying
those affected.
– To deal with laptop theft, employees should be trained
to always lock their laptops to an immovable object—
even while in the office.
– Sensitive data should only be stored on removable
media, not the hard drive, and special care should be
taken to restrict access to the removable media.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
79 of 212
PREVENTIVE CONTROLS
– Because theft is always possible, confidential or
sensitive data should be encrypted during storage to
minimize the likelihood that a thief can access it.
– Some organizations install special software on
laptops so that if one is stolen, it will automatically dial
a toll-free number and reveal its current location when
the thief attempts to connect to the Internet.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
80 of 212
PREVENTIVE CONTROLS
• Cell phones and PDAs increasingly store
confidential information and need the same
types of controls used for laptops.
• Access to network printers should also be
restricted, because they often store document
images on their hard drive.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
81 of 212
PREVENTIVE CONTROLS
• Controlling
Remote
Access
– The third layer
of defense is
control of
remote
access.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
82 of 212
PREVENTIVE
CONTROLS
• Perimeter Defense:
Routers, Firewalls,
and Intrusion
Prevention Systems
– This figure
shows the
relationship
between an
organization’s
information
system and the
Internet.
– A device called a
border router
connects an
organization’s
information
system to the
Internet.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
83 of 212
PREVENTIVE
CONTROLS
 Behind the
border router is
the main firewall,
either a specialpurpose
hardware device
or software
running on a
general purpose
computer.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
84 of 212
PREVENTIVE
CONTROLS
 Web servers and
email servers are
placed in a
separate network
called the
demilitarized
zone (DMZ),
because it sits
outside the
corporate
network but is
accessible from
the Internet.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
85 of 212
PREVENTIVE
CONTROLS
• Together, the
border router and
firewall act as
filters to control
which information
is allowed to enter
and leave the
organization’s
information
system.
• To understand
how they function,
we first need to
discuss how
information is
transmitted on the
Internet.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
86 of 212
PREVENTIVE CONTROLS
• Information traverses the Internet and
internal networks in the form of packets.
– Documents and files that you send to a printer
or to a colleague are first divided into packets.
– The packets are sent over the LAN and
maybe the Internet to their destination.
– The device receiving the packets must
reassemble them.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
87 of 212
PREVENTIVE CONTROLS
• This process is governed by TCP/IP, two
protocols for transmitting information over
the Internet.
– Transmission Control Protocol (TCP)
specifies the procedures for dividing files and
documents into packets and for reassembly at
the destination.
– Internet Protocol (IP) specifies the structure
of the packets and how to route them to the
proper destination.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
88 of 212
PREVENTIVE CONTROLS
• The structure of IP packets facilitates their
efficient transmission over the Internet.
– Every IP packet consists of two parts.
• Header – contains the packet’s origin and destination
addresses, as well as info about the type of data contained in
the body.
• Body.
– The IP protocol prescribes the size of the header and
the sequence of the information fields in it.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
89 of 212
PREVENTIVE CONTROLS
• Special purpose devices called routers read the
destination address fields in packet headers to
decide where to send (route) the packet next.
– The current version of the IP protocol, IPv4, uses 32bit long addresses.
• Consist of four 8-bit numbers separated by periods.
– When users type a URL in their browser, e.g.,
www.prenticehall.com, the name is translated into the
appropriate address, i.e., 165.193.123.253.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
90 of 212
PREVENTIVE CONTROLS
– An organization’s border router checks the
contents of the destination address field of
every packet it receives.
• If the address is not that of the organization, the
packet is forwarded to another router on the
Internet.
• If the destination address matches the
organization, the packet undergoes one or more
tests before being allowed in.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
91 of 212
PREVENTIVE CONTROLS
• A set of rules called an access control
list (ACL) determine which packets are
allowed in and which are dropped.
– Border routers typically perform a static
packet filtering, which screens individual
packets based only on the contents of the
source and/or destination fields in the packet
header.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
92 of 212
PREVENTIVE CONTROLS
• ACL normally specifies that the following
packets should not be allowed entry.
– Packets with illegal source addresses.
Certain source addresses are reserved for
internal use and cannot be routed over the
Internet:
• 10.0.0.0 – 10.255.255.255
• 172.16.0.0 – 172.31.255.255
• 192.168.0.0 – 192.168.255.255
– The preceding packets would not be allowed
in because they are either errors or attacks.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
93 of 212
PREVENTIVE CONTROLS
• Packets with the organization’s IP address as
the source address.
– Does not make sense that an internal message is
routed over the Internet, so these are typically
spoofed addresses and not allowed in.
• Border router ACLs often contain several
additional rules that specify other types of
packets that should be denied entry.
• The ACL rules mainly focus on dropping
packets, but the last rule in the ACL specifies
that any packet not dropped should be
forwarded to the firewall.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
94 of 212
PREVENTIVE CONTROLS
• The firewall will subject the packet to more
detailed testing before allowing it to enter the
internal network.
• Like the border router, firewalls use ACLs to
determine what to do with each packet.
– Firewalls are designed to act as filters and only permit
packets that meet specific conditions to pass.
– The final rule in the firewall ACL usually specifies that
any packet not allowed entry by a previous rule
should be dropped.
– Firewalls don’t block all traffic, but only filter it.
– Certain traffic passes through.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
95 of 212
PREVENTIVE CONTROLS
• Firewalls use more sophisticated techniques
than border routers to filter packets.
– Most employ stateful packet filtering.
– Static packet filtering would examine each IP packet
in isolation, but stateful packet filtering maintains a
table that lists all established connections between
the organization’s computers and the Internet.
– The firewall consults this table to determine whether
an incoming packet is part of an ongoing
communication initiated by an internal computer.
– Enables the firewall to reject specially crafted attack
packets that would have passed a simple static
packet filter.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
96 of 212
PREVENTIVE CONTROLS
• Stateful packet filtering is still limited to
examining only information in the IP
packet header—the same as screening
mail by looking at just the destination and
return addresses on the envelope.
– Process is fast and catches patently
undesirable packages.
– Limited effectiveness because undesirable
mail can get through if the return address is
not on the list of unacceptable sources.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
97 of 212
PREVENTIVE CONTROLS
• Control would be more effective if each envelope
or package were opened and inspected.
• A process called deep packet inspection
examines the data in the body of an IP packet to
provide more effective access control.
• The process takes more time, and therefore the
added cost is loss of speed.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
98 of 212
PREVENTIVE CONTROLS
• Deep packet inspection is the heart of a new
type of filter called intrusion prevention
systems (IPS).
– IPS are designed to identify and drop packets that are
part of an attack.
– Uses several techniques to identify undesirable
packets:
• Checking packet contents against a database of patterns
(signatures) of known attack methods.
• Developing a profile of “normal” traffic and using statistical
analysis to identify packets that don’t fit the profile.
• Using rule bases that specify acceptable standards for
specific types of traffic and dropping packets that don’t
conform.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
99 of 212
PREVENTIVE CONTROLS
• The major benefit of this approach is that it
blocks not only known attacks for which
signatures already exist, but also blocks new
attacks that violate the standards.
• IPS is a promising addition to the security
arsenal, but does have problems.
– Slows overall throughput.
– Prone to false alarms, resulting in rejection of
legitimate traffic.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
100 of 212
PREVENTIVE CONTROLS
• Much research is being undertaken to improve the
intelligence of IPS, and they are likely to become an
important part of an organization’s security toolkit.
– Will not replace firewalls and routers; they are complementary
tools and provide another layer of perimeter defense.
– Border routers will filter out obviously bad packets and pass the
rest to the firewall.
– The firewall does more detailed checking, allowing in only those
packets purporting to contain specific types of data for specific
types of programs and dropping others.
– The IPS does deep packet inspection on the packets that
proceed through the firewall to verify that the data does indeed
conform to the organization’s security policies.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
101 of 212
PREVENTIVE
CONTROLS
• Another dimension
of the defense-indepth concept is
the use of a
number of internal
firewalls to
segment different
departments
within the
organization.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
102 of 212
PREVENTIVE CONTROLS
• Many security incidents involve employees
rather than outsiders.
• These internal firewalls help restrict the
data and portions of the IS that particular
employees can access.
• Increases security and strengthens
internal control by providing another
segregation of duties.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
103 of 212
PREVENTIVE CONTROLS
• Modems are cheap and easy to install, so employees
are often tempted to install them on their desktops
without seeking permission or notifying anyone.
– Creates a huge hole in perimeter security, especially because
employees seldom configure any strong authentication controls.
– A single rogue modem creates a “back door” through which
attackers can successfully compromise the system.
– Computer security or internal audit staff should periodically
check for the existence of rogue modems.
– War dialing software (also used by hackers) can dial every
phone number assigned to the organization to identify those
connected to modems.
– Rogue modems should be disconnected and sanctions applied
to offending employees.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
104 of 212
PREVENTIVE CONTROLS
• Wireless Access
– Many organizations also provide wireless
access to their information systems.
• It’s convenient and easy.
• But anyone with a wireless NIC can attempt to
connect to the network.
• Ease of access provides another venue for attack
and extends the perimeter that must be protected.
• Wireless signals can often be picked up from miles
away by perpetrators in cars, nearby buildings, etc.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
105 of 212
PREVENTIVE CONTROLS
• Dial-Up Connections
– Many organizations still allow employees to dial into
their network from remote locations.
– Dial-in access often bypasses the firewalls.
– It is important to verify the identity of these users.
– Remote Authentication Dial-In User Service
(RADIUS) is a standard method for doing that.
• Users connect to a remote-access server and submit log-in
credentials.
• The remote-access server passes the credentials to the
RADIUS server, which does compatibility tests to
authenticate the user’s identity.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
106 of 212
PREVENTIVE
CONTROLS
• To secure wireless
access, all wireless
access points (devices
that accept incoming
wireless
communications and
permit connection to
the network) should
be located in the DMZ.
• Treats all wireless
access as if it was
coming in from the
Internet and forces it
to go through the main
firewall and intrusion
prevention systems.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
107 of 212
PREVENTIVE CONTROLS
• The following procedures should also be
followed to adequately secure wireless access:
– Turn on available security features
• Most wireless devices are sold and installed with these
features disabled.
• Example: encryption is usually turned off.
– Authenticate all devices attempting to establish
wireless access to the network before assigning them
an IP address.
• To do this, treat incoming wireless connections as dial-up
attempts and route them first through a RADIUS server or
other authorization device.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
108 of 212
PREVENTIVE CONTROLS
– Configure all authorized wireless NICs to operate only
in infrastructure mode.
• Forces the device to connect only to wireless access points.
• Wireless NICs configured in ad hoc mode can communicate
directly with any other device that has a wireless NIC.
Creates a security threat because it creates peer-to-peer
networks with no authentication controls.
– Turn off automatic broadcasting of the access point’s
address, called a service set identifier (SSID).
• Forces users to manually enter the wireless access point’s
SSID.
• Makes unauthorized access more difficult.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
109 of 212
PREVENTIVE CONTROLS
– Predefine a list of authorized MAC addresses
and configure wireless access points to only
accept connections from those MAC
addresses.
– Reduce broadcast strength of wireless access
points to make unauthorized reception more
difficult off premises.
– Locate wireless access points in the interior of
the building and use directional antennae to
make unauthorized access and
eavesdropping more difficult.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
110 of 212
PREVENTIVE CONTROLS
– As with modems, it’s easy and inexpensive for
employees to set up rogue wireless access
points.
• Should be periodically tested for and handled in
the same manner as rogue modems.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
111 of 212
PREVENTIVE CONTROLS
• Host and
Application
Hardening
– The fourth
layer of
defense is
host and
application
hardening.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
112 of 212
PREVENTIVE CONTROLS
• Routers, firewalls, and intrusion prevention systems are
designed to protect the network perimeter.
• Information security is enhanced by supplementing
preventive controls on the network perimeter with
additional preventive controls on the workstations,
servers, printers, and other devices (collectively referred
to as hosts) that comprise the organization’s network.
• Three areas deserve special attention:
– Host configuration
– User accounts
– Software design
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
113 of 212
PREVENTIVE CONTROLS
• Routers, firewalls, and intrusion prevention systems are
designed to protect the network perimeter.
• Information security is enhanced by supplementing
preventive controls on the network perimeter with
additional preventive controls on the workstations,
servers, printers, and other devices (collectively referred
to as hosts) that comprise the organization’s network.
• Three areas deserve special attention:
– Host configuration
– User accounts
– Software design
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
114 of 212
PREVENTIVE CONTROLS
• Host Configuration
– Hosts can be made more secure by modifying their
configurations.
• Default configurations of most devices typically turn on a
large number of optional settings that are seldom, if ever
used.
• Default installations of many operating systems turn on many
special purpose programs, called services, which are not
essential.
– Turning on unnecessary features and extra services:
• Maximizes the likelihood of successful installation without the
need for customer support.
• But the cost is that it creates security weaknesses.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
115 of 212
PREVENTIVE CONTROLS
• Every program contains flaws, called vulnerabilities,
and therefore represents a potential point of attack.
• Optional programs and features that are not used should
be disabled.
• Tools like the Microsoft Baseline Security Analyzer and
vulnerability scanners can identify unused and
unnecessary programs that represent potential security
threats.
• This process of turning off unnecessary features is called
hardening.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
116 of 212
PREVENTIVE CONTROLS
• In addition to hardening, two other preventive
controls should be applied to hosts on the
network:
– Every host should be running anti-virus software that
is regularly updated.
– Every host with sensitive information should have a
software-based firewall that is updated regularly.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
117 of 212
PREVENTIVE CONTROLS
• Routers, firewalls, and intrusion prevention systems are
designed to protect the network perimeter.
• Information security is enhanced by supplementing
preventive controls on the network perimeter with
additional preventive controls on the workstations,
servers, printers, and other devices (collectively referred
to as hosts) that comprise the organization’s network.
• Three areas deserve special attention:
– Host configuration
– User accounts
– Software design
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
118 of 212
PREVENTIVE CONTROLS
• Managing User Accounts and Privileges
– User accounts must be carefully managed, especially
when they have unlimited (administrative) rights on
the computer.
– Users who need administrative powers on a particular
computer should be assigned two accounts:
• One with administrative rights
• One with limited privileges
– Users should log in under the limited account to
perform routine duties.
• They should be logged into their limited account when
browsing the web or reading email.
• If they visit a compromised website or open an infected
email, the attacker will only acquire limited rights.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
119 of 212
PREVENTIVE CONTROLS
• When a user needs to exercise administrative
rights, such as installing new software, they
should use the account with administrative
rights.
– Windows—Right-click on desired command and
select RunAs option.
– Unix—use super user (SU) command.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
120 of 212
PREVENTIVE CONTROLS
• Default accounts must be managed when installing an
operating system.
– Windows creates a guest and administrator account.
– The guest account has limited power but provides anonymous
access so that it’s not possible to identify who used the account
and for what resources.
– The default guest account should be disabled.
– The default administrator account has unlimited power.
– Its default password is well-known, so it should be renamed and
given a strong password.
– One added measure is to create a new account with no rights
and name it Administrator to temporarily decoy and delay
attackers.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
121 of 212
PREVENTIVE CONTROLS
• Routers, firewalls, and intrusion prevention systems are
designed to protect the network perimeter.
• Information security is enhanced by supplementing
preventive controls on the network perimeter with
additional preventive controls on the workstations,
servers, printers, and other devices (collectively referred
to as hosts) that comprise the organization’s network.
• Three areas deserve special attention:
– Host configuration
– User accounts
– Software design
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
122 of 212
PREVENTIVE CONTROLS
• Software Design
– Controls are also needed over in-house development
and modification of programs, because poorly-written
code can be exploited to give attackers administrative
privileges.
– Primary weakness involves failing to adequately
screen input data.
– The most common input-related vulnerability is a
buffer overflow attack.
• Attacker sends a program more data than it can handle.
• May cause the system to crash or provide a command
prompt, giving the attacker full administrative privileges and
control.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
123 of 212
PREVENTIVE CONTROLS
• Most programs are loaded into random-access
memory (RAM) when they run.
– Often, programs need to pause temporarily to call
another program to perform a function.
– Information about the current state of the suspended
programs must be stored in RAM.
– When the subprogram has finished its task, the
address of the next computer instruction is written to
an area of RAM called the stack.
– Other information is written in an adjoining area of
RAM, called a buffer.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
124 of 212
PREVENTIVE CONTROLS
– A buffer overflow occurs when too much data
is sent to the buffer so that the instruction
address in the stack is overwritten.
– The program returns control to the address
pointed to in the stack.
– In a buffer overflow attack, that location
contains commands that enable the attacker
to take control of the system.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
125 of 212
PREVENTIVE CONTROLS
• This type of attack can only occur if the
programmer fails to include a check on the
amount of data being input.
– Can be prevented by sound programming practices.
– Internal auditors should routinely test all applications
developed in-house to be sure they are not vulnerable
to buffer overflow attacks.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
126 of 212
PREVENTIVE CONTROLS
• Encryption
– The final
layer of
preventive
controls.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
127 of 212
PREVENTIVE CONTROLS
• Encrypting sensitive stored data provides one
last barrier that must be overcome by an
intruder.
• Also strengthens authentication procedures and
plays an essential role in ensuring and verifying
the validity of e-business transactions.
• Therefore, accountants, auditors, and systems
professionals need to understand encryption.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
128 of 212
Plaintext
This is a
contract
for . . .
Key
+
PREVENTIVE
CONTROLS
Encryption
Algorithm
Cipher- Xb&j &m 2
text
ep0%fg . . .
Key
+
Decryption
Algorithm
Plaintext
This is a
contract
for . . .
© 2006 Prentice Hall Business Publishing
• Encryption is the
process of transforming
normal text, called
plaintext, into
unreadable gibberish,
called ciphertext.
• Decryption reverses
this process.
• To encrypt or decrypt,
both a key and an
algorithm are needed.
Accounting Information Systems, 10/e
Romney/Steinbart
129 of 212
PREVENTIVE CONTROLS
• Computers represent plaintext and ciphertext as a series
of binary digits (0s and 1s).
– The key is also a string of binary digits of a fixed length.
– A 128-bit key consists of a string of 128 0s and 1s.
• The algorithm is a formula for combining the key and the
text.
• Most documents are longer than the key, so the
computer first divides the plaintext or ciphertext into
blocks—each block being of equal length as the key.
• The computer then applies the algorithm to each block of
text.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
130 of 212
PREVENTIVE CONTROLS
• This process produces a ciphertext version of
the document or file equal in size to the original.
• To reproduce the original, the ciphertext is
divided into 128-bit blocks, and the decryption
key is applied to each block.
• Since each character in English is represented
by an 8-bit code, the length of each block would
be 16 characters long.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
131 of 212
PREVENTIVE CONTROLS
• Encryption Strength
– Three important factors determine the
strength of any encryption system:
• Key length;
• Longer keys provide stronger encryption
by reducing the number of repeating
blocks of ciphertext.
• Makes it harder for a would-be perpetrator
to spot patterns.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
132 of 212
PREVENTIVE CONTROLS
• Encryption Strength
– Three important factors determine the
strength of any encryption system:
• Key length
• Key management policies
• The procedures used to store and manage encryption keys are often
the most vulnerable aspect of the encryption system.
– If the keys have been compromised, the encryption can be easily
broken.
– Keys should not be stored on the computer that uses them.
– A copy should be stored in a secure location, known as a key
escrow, so that if an employee leaves the organization for any
reason, the data can be decrypted.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
133 of 212
PREVENTIVE CONTROLS
• Encryption Strength
– Three important factors determine the
strength of any encryption system:
• Key length
• Key management policies
• The nature of the encryption algorithm
• The nature of the algorithm also affects encryption strength.
– A strong algorithm is difficult, if not impossible, to break with
brute-force guessing techniques.
– Secrecy is not necessary for strength.
– Procedures used by the most accepted and widely-used
encryption algorithms are publicly available.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
134 of 212
PREVENTIVE CONTROLS
• Types of Encryption Systems
– There are two basic types of encryption
systems
• Symmetric encryption systems
• Asymmetric encryption systems
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
135 of 212
PREVENTIVE CONTROLS
• Types of Encryption Systems
– There are two basic types of encryption
systems
• Symmetric encryption systems
• Asymmetric encryption systems
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
136 of 212
PREVENTIVE CONTROLS
• Symmetric Encryption Systems
– Use the same key to encrypt and decrypt.
– Examples: DES and AES
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
137 of 212
PREVENTIVE CONTROLS
• Symmetric encryption advantages:
– It is much faster than asymmetric encryption.
• Symmetric encryption disadvantages:
– Both parties need to know the secret key, so a
method is needed to securely exchange the keys, and
email is not an appropriate solution.
– A different key needs to be created for each party with
whom the entity engages in encrypted transactions.
– Since both sides of a transaction are using the same
key, there is no way to prove which of the two parties
created a document.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
138 of 212
PREVENTIVE CONTROLS
• Types of Encryption Systems
– There are two basic types of encryption
systems
• Symmetric encryption systems
• Asymmetric encryption systems
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
139 of 212
PREVENTIVE CONTROLS
• Asymmetric encryption systems
– Use two keys:
• The public key is publicly available.
• The private key is kept secret and known only to
the owner of that pair of keys.
– Either key can be used to encrypt.
– Whichever key is used to encrypt, the other
key must be used to decrypt.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
140 of 212
PREVENTIVE CONTROLS
• Asymmetric encryption solves several problems with
symmetric keys.
– It doesn’t matter who knows the public key, because any text
encrypted with it can only be decrypted using the private key.
– The public key can be distributed by email or posted on a
website for anyone who wants to send an encrypted message to
the entity.
– Any number of parties can use the same public key to send
messages, because only the owner of the key can decrypt them.
– Since only one party has the private key, it’s possible to prove
who created a document, which provides a means for legallybinding electronic agreements.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
141 of 212
PREVENTIVE CONTROLS
• The main drawback to asymmetric encryption is
speed.
– Much (thousands of times) slower then symmetric
encryption.
– Too slow to exchange large amounts of data over the
Internet.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
142 of 212
PREVENTIVE CONTROLS
• So, e-business uses both types of encryption
systems:
– Symmetric encryption to encode most of the data
being exchanged.
– Asymmetric encryption to safely send the symmetric
key to the recipient for use in decrypting the
ciphertext.
– Asymmetric encryption can also be used in
combination with a process called hashing to create
digital signatures.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
143 of 212
PREVENTIVE CONTROLS
• Hashing
– Hashing takes plaintext of any length and transforms
it into a short code called a hash.
– Two widely-used hashing algorithms are:
• MD5—Produces a 128-bit hash of the original message.
• SHA-1—Produces a 160-bit hash.
– Hashing differs from encryption in that:
• Encryption always produces ciphertext similar in length to the
plaintext, but hashing produces a hash of a fixed short
length.
• Encryption is reversible, but hashing is not; you cannot
transform a hash back into its original plaintext.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
144 of 212
PREVENTIVE CONTROLS
• Digital Signatures
– Asymmetric encryption and hashing are used to
create digital signatures.
– A digital signature is information encrypted with the
creator’s private key.
• That information can only be decrypted using the
corresponding public key.
• So successful decryption with an entity’s public key proves
the message could only have been created by the entity that
holds the corresponding private key.
• The private key is known only to its owner, so only the owner
could have created the message.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
145 of 212
PREVENTIVE CONTROLS
• Asymmetric encryption is slow, so digital
signatures are not normally created by using the
private key to encrypt the entire contract,
purchase order, or other document being
exchanged.
– The document is first hashed.
– The hash is then encrypted, using the sender’s
private key, to create the digital signature.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
146 of 212
PREVENTIVE CONTROLS
• The hash is not only efficient but also provides a means
for establishing that the message was not altered in
transmission to the recipient.
– Hashing algorithms use every bit in the original plaintext to
calculate the hash value.
– If any character is changed in the document, a different hash
value will be produced.
– So, when the recipient receives the document and the digital
signature and proceeds to decrypt both, he can create a new
hash of the document using the same hashing algorithm.
– If the new hash value matches the decrypted digital signature,
the recipient is assured that the plaintext document matches the
document the sender originally created.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
147 of 212
PREVENTIVE CONTROLS
• Successfully using a public key to decrypt a document or
file proves that it was created by the entity possessing
the corresponding private key.
– But how can you know whether the entity with the private key is
really who they purport to be?
– Also, how do you get hold of the entity’s public key to decrypt it
in the first place?
– If you have the sender provide their public key to you directly,
you are not protected from an impersonation.
– Answers involve the use of digital certificates and the creation of
a public key infrastructure.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
148 of 212
PREVENTIVE CONTROLS
• A digital certificate is an electronic document, created
and digitally signed by a trusted third party.
–
–
–
–
Certifies the identity of the owner of a particular public key.
Contains that party’s public key.
These certificates can be stored on websites.
Browsers are designed to automatically obtain a copy of that
digital certificate and use the public key contained therein to
communicate with the website.
– You can manually examine the contents of a website’s digital
certificate by double-clicking on the lock icon that appears in the
lower, right-hand corner of the browser window.
– Digital certificates provide an automated method for obtaining an
organization’s or individual’s public key.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
149 of 212
PREVENTIVE CONTROLS
• The term public key infrastructure (PKI) refers to the
system and processes used to issue and manage
asymmetric keys and digital certificates.
– An organization that issues public and private keys and records
the public key in a digital certificate is called a certificate
authority.
– E-business typically uses commercial certificate authorities, such
as Thawte or Verisign.
– The certificate authority:
• Hashes the information stored on a digital certificate
• Encrypts that hash with its private key
• Appends that digital signature to the digital certificate
– Provides a means for validating the authenticity of the certificate.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
150 of 212
PREVENTIVE CONTROLS
• Organizations can create their own digital
certificates for internal use.
• Though not likely to be used externally, they do
enable the organization to use public and private
keys to provide stronger authentication of users.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
151 of 212
PREVENTIVE CONTROLS
• The Trust Services framework contains a list of criteria
that can be used to evaluate the overall reliability of a
particular certificate authority.
– One important factor concerns the procedures use by the CA to
verify the identify of an applicant for a digital certification.
• Several classes of digital certificates exist:
– Cheapest and least trustworthy may only verify the
applicant’s email address.
– Most expensive may require verification of the applicant’s
identity through credit checks and tax returns.
– Second issue is the CA’s procedures for updating certificates
and revoking expired certificates.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
152 of 212
PREVENTIVE CONTROLS
• EXAMPLE OF ENCRYPTION IN E-BUSINESS
– Let’s go through an example of how the encryption
process would work in a transaction where Northwest
Industries (a fictional company) is submitting a
competitive bid to the federal government.
– Keep in mind that this is serious business. Defense
contractors regularly submit bids to the federal
government for contracts in the millions and billions of
dollars. At the time of bid submission, the contractors
themselves may have spent hundreds of thousands
or millions of dollars just developing the bids.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
153 of 212
PREVENTIVE CONTROLS
– The stakes can be very high and protection measures
are very tight. Prior to electronic submission of these
bids, serious physical measures were taken to deliver
bids. One defense contractor, for example, would
send 3-6 different employees on different flights to
Washington, D.C., to deliver a single bid to the
Pentagon. An employee of this contractor revealed
that bids were intercepted on more than one
occasion.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
154 of 212
PREVENTIVE CONTROLS
CA
The N.W. employee
connects to the
government agency’s
website and clicks on the
button for submitting
bids on open contracts.
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
155 of 212
PREVENTIVE CONTROLS
CA
The browser moves to a
secure web page
displaying the lock icon.
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
156 of 212
PREVENTIVE CONTROLS
CA
• The software on N.W.’s
computer:
– Obtains the digital
certificate for the
federal agency;
– Verifies the validity of
the certificate; and
– Opens the certificate to
get the federal agency’s
public key.
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
157 of 212
PREVENTIVE CONTROLS
CA
• The federal computer
does the same with
NW’s digital certificate
and key.
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
158 of 212
PREVENTIVE CONTROLS
• NW now has the federal
agency’s public key, and
the federal agency now
has NW’s public key.
USA Public
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
159 of 212
PREVENTIVE CONTROLS
• The NW employee clicks
a button to attach and
submit the company’s
bid.
NW’s
Bid
USA Public
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
160 of 212
PREVENTIVE CONTROLS
• Before submitting the bid, NW’s encryption software goes
through several steps.
• The encryption software first creates a hash of the bid,
using a publicly available hashing algorithm like MD5.
NW’s
Bid
Hash of
NW Bid
USA Public
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
161 of 212
PREVENTIVE CONTROLS
Coded
w/ NW
private
key
NW’s
Bid
• Next, the hash is encrypted
using NW’s private key.
• This encrypted hash is
NW’s digital signature.
Digital
signature
Hash of
NW Bid
USA Public
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
162 of 212
PREVENTIVE CONTROLS
• The bid itself is then encrypted with a
symmetric key, such as AES.
Coded
w/ symmetric
key
Coded
w/ NW
private
key
NW’s
Bid
Hash of
NW Bid
USA Public
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
163 of 212
PREVENTIVE CONTROLS
Coded
w/ symmetric
key
Coded
w/ NW
private
key
NW’s
Bid
Hash of
NW Bid
• NW also needs to
send a copy of the
symmetric key to
the federal agency.
Symmetric
Key
USA Public
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
164 of 212
PREVENTIVE CONTROLS
Coded
w/ symmetric
key
Coded
w/ NW
private
key
Coded w/
USA public
key
NW’s
Bid
Hash of
NW Bid
Symmetric
Key
• They encrypt the
symmetric key
using the federal
agency’s public
key.
USA Public
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
165 of 212
• A package is then electronically transmitted to the federal
agency including:
PREVENTIVE CONTROLS
– The bid encrypted with a symmetric key.
– The symmetric key encrypted with the federal agency’s public key.
– The digital signature (encrypted hash).
Coded
w/ symmetric
key
Coded
w/ NW
private
key
Coded w/
USA public
key
NW’s
Bid
Hash of
NW Bid
Symmetric
Key
USA Public
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
166 of 212
• A package is then electronically transmitted to the federal
agency including:
PREVENTIVE CONTROLS
– The bid encrypted with a symmetric key.
– The symmetric key encrypted with the federal agency’s public key.
– The digital signature (encrypted hash).
Coded
w/ symmetric
key
NW’s
Bid
Coded
Coded
w/w/
symNW
metric
private
key
key
NW’s
Hash of
NW
Bid Bid
Coded
Coded
Coded Coded
Coded Coded
Coded
Coded
w/ Coded
Coded
Coded
w/
Coded
w/
Coded w/w/Coded
w/w/w/
symNW
symw/
NW
w/
symw/ NW
w/ NW
USA
w/ public
sym-USA w/
NW
public
USA public
USA
public
USA
public private
metric
private
metric
private metric
private
key
metric
private
key
key
key
key
keykey key
key
key
key
key
key
key
NW’s
Hash
of Hash
Symmetric
of
Symmetric
NW’s
Hash of NW’s
Symmetric
Hash
of
Symmetric
Symmetric
NW’s
Hash of
Bid
Key
Bid Bid
Key
NW
Bid NW
Key NW Bid
NWBid
Bid
Key
Key
Bid
NW Bid
USA Public
Symmetric
Key
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
Coded w/
USA public
key
USA
Accounting Information Systems, 10/e
Romney/Steinbart
167 of 212
PREVENTIVE CONTROLS
• The federal agency then uses
NW’s public key to decrypt the
digital signature.
Coded
w/ symmetric
key
Coded
w/ NW
private
key
Coded w/
USA public
key
NW’s
Bid
Hash of
NW Bid
Symmetric
Key
USA Public
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
USA
Accounting Information Systems, 10/e
Romney/Steinbart
168 of 212
PREVENTIVE CONTROLS
• They use their own private key
to decrypt the symmetric key.
Coded
w/ symmetric
key
NW’s
Bid
USA Public
Hash of
NW Bid
Symmetric
Key
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
Coded w/
USA public
key
USA
Accounting Information Systems, 10/e
Romney/Steinbart
169 of 212
PREVENTIVE CONTROLS
• They use the symmetric key
that they’ve just decrypted to
decrypt the actual bid.
Coded
w/ symmetric
key
NW’s
Bid
USA Public
Symmetric
Key
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
Hash of
NW Bid
USA
Accounting Information Systems, 10/e
Romney/Steinbart
170 of 212
PREVENTIVE CONTROLS
• They use the same publiclyavailable hashing program
that was used by NW (MD5 in
this case) to create their own
hash of NW’s bid.
Hash of
NW Bid
NW’s
Bid
USA Public
Symmetric
Key
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
Hash of
NW Bid
USA
Accounting Information Systems, 10/e
Romney/Steinbart
171 of 212
PREVENTIVE CONTROLS
• They then compare their own
hash of the bid to the hash
that was transmitted by NW.
• What will it mean if the two
hashes are not identical?
Hash of
NW Bid
NW’s
Bid
USA Public
Symmetric
Key
N.W. Public
N.W.
© 2006 Prentice Hall Business Publishing
Hash of
NW Bid
USA
Accounting Information Systems, 10/e
Romney/Steinbart
172 of 212
PREVENTIVE CONTROLS
• Assuming everything is in order and the
hashes do match, the federal agency
then sends an acknowledgment to NW
that their bid has been received.
Hash of
NW Bid
N.W.
© 2006 Prentice Hall Business Publishing
NW’s
Bid
Hash of
NW Bid
Symmetric
Key
A-OK
USA
Accounting Information Systems, 10/e
Romney/Steinbart
173 of 212
PREVENTIVE CONTROLS
• Effects of Encryption on Other Layers of
Defense
– Encryption protects the confidentiality and privacy of
the transmission and provides for authentication and
non-repudiation of transactions.
– It also causes some problems.
– The firewall cannot effectively inspect encrypted
packets.
– So one alternative is to have these packets routed to
the DMZ, where they are decrypted and then passed
back to the firewall.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
174 of 212
PREVENTIVE CONTROLS
– The problem with the preceding approach is that it
leaves the incoming packets vulnerable to sniffing
attacks and therefore compromises their
confidentiality and privacy.
– Allowing them through the firewall without being
encrypted compromises the organization’s security.
– Anti-virus and intrusion detection systems also have
difficulty dealing with encrypted packets.
– Makes it important for the organization to consider
these trade-offs in designing and implementing
security procedures.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
175 of 212
DETECTIVE CONTROLS
• Preventive controls are never 100%
effective in blocking all attacks.
• So organizations implement detective
controls to enhance security by:
– Monitoring the effectiveness of preventive
controls; and
– Detecting incidents in which preventive
controls have been circumvented.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
176 of 212
DETECTIVE CONTROLS
• Authentication and authorization controls represent the
organization’s policies governing access to the system
and limits the actions that can be performed by
authorized users.
• Actual system use must be examined to assess
compliance through:
–
–
–
–
Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security
procedures
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
177 of 212
DETECTIVE CONTROLS
• Authentication and authorization controls represent the
organization’s policies governing access to the system
and limits the actions that can be performed by
authorized users.
• Actual system use must be examined to assess
compliance through:
–
–
–
–
Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security
procedures
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
178 of 212
DETECTIVE CONTROLS
• Log Analysis
– Most systems come with extensive
capabilities for logging who accesses the
system and what specific actions each user
performed.
• Logs form an audit trail of system access.
• Are of value only if routinely examined.
• Log analysis is the process of examining logs to
monitor security.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
179 of 212
DETECTIVE CONTROLS
• The log may indicate unsuccessful attempts to
log in to different servers.
• The person analyzing the log must try to
determine the reason for the failed attempt.
Could be:
– The person was a legitimate user who forgot his
password.
– Was a legitimate user but not authorized to access
that particular server.
– The user ID was invalid and represented an
attempted intrusion.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
180 of 212
DETECTIVE CONTROLS
• Log analysis should be done regularly to detect
problems in a timely manner.
– Not easy because logs can quickly grow in size.
– So system administrators use software tools to
efficiently strip out routine log entries so that they can
focus their attention on anomalous behavior.
– Also supplement log analysis with software tools
called intrusion detection systems to automate the
monitoring process.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
181 of 212
DETECTIVE CONTROLS
• Authentication and authorization controls represent the
organization’s policies governing access to the system
and limits the actions that can be performed by
authorized users.
• Actual system use must be examined to assess
compliance through:
–
–
–
–
Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security
procedures
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
182 of 212
DETECTIVE CONTROLS
• Intrusion Detection Systems
– A major weakness of log analysis is that it is
labor intensive and prone to human error.
– Intrusion detection systems (IDS) represent
an attempt to automate part of the monitoring.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
183 of 212
DETECTIVE CONTROLS
• An IDS creates a log of network traffic that was
permitted to pass the firewall.
– Analyzes the logs for signs of attempted or successful
intrusions.
– Most common analysis is to compare logs to a
database containing patterns of traffic associated with
known attacks.
– An alternative technique builds a model representing
“normal” network traffic and uses various statistical
techniques to identify unusual behavior.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
184 of 212
DETECTIVE CONTROLS
• IDS sensors are usually located in several places.
– Most common is just inside the main firewall.
– Some may be placed inside each internal firewall to monitor the
effectiveness of policies governing employee access to
resources.
– Sometimes located just outside the main firewall.
• Provides means to monitor the number of attempted
intrusions that are blocked.
• Can provide early warning that the organization is being
targeted.
– May also be located on individual hosts to provide warnings of
attempts to compromise those systems.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
185 of 212
DETECTIVE CONTROLS
• Authentication and authorization controls represent the
organization’s policies governing access to the system
and limits the actions that can be performed by
authorized users.
• Actual system use must be examined to assess
compliance through:
–
–
–
–
Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security
procedures
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
186 of 212
DETECTIVE CONTROLS
• Managerial Reports
– Management reports are another important detective control.
– The Information Systems Audit and Control Association (ISACA)
and the IT Governance Institute have developed a
comprehensive framework for information systems controls
called Control Objectives for Information and Related
Technology (COBIT).
• Specifies 34 IT-related control objectives
• Provides:
– Management guidelines that identify crucial success
factors associated with each objective.
– Key performance indicators that can be used to assess
their effectiveness.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
187 of 212
DETECTIVE CONTROLS
• One of the 34 objectives is to provide adequate
security so that the organization’s information is
protected from unauthorized access or loss.
– Key performance indicators for this objective:
• Downtime caused by security incidents.
• Number of systems with IDS installed.
• Time to react to security incidents once detected.
– Management could use COBIT materials to develop a
scorecard for monitoring the effectiveness of existing
security measures.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
188 of 212
DETECTIVE CONTROLS
• Although regular review of periodic performance
reports can help ensure that security controls
are adequate, surveys indicate that many
organizations fail to regularly monitor security.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
189 of 212
DETECTIVE CONTROLS
• Authentication and authorization controls represent the
organization’s policies governing access to the system
and limits the actions that can be performed by
authorized users.
• Actual system use must be examined to assess
compliance through:
–
–
–
–
Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security
procedures
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
190 of 212
DETECTIVE CONTROLS
• Security Testing
– The effectiveness of existing security
procedures should be tested periodically.
• One approach is vulnerability scans, which use
automated tools designed to identify whether a
system possesses any well-known vulnerabilities.
• Security websites such as the Center for
Information Security (www.cisecurity.org) provide:
– Benchmarks for security best practices.
– Tools to measure how well a system conforms.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
191 of 212
DETECTIVE CONTROLS
• Penetration testing provides a rigorous
way to test the effectiveness of an
organization’s computer security.
• This testing involves an authorized attempt
by either an internal audit team or external
security consulting firm to break into the
organization’s IS.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
192 of 212
DETECTIVE CONTROLS
• The teams try every possible way to
compromise a company’s system, including:
– Masquerading as custodians, temporary workers, or
confused delivery personnel to get into offices to
locate passwords or access computers.
– Using sexy decoys to distract guards.
– Climbing through roof hatches and dropping through
ceiling panels.
• Some claim they can get into 90% or more of the
companies they attack.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
193 of 212
CORRECTIVE CONTROLS
• Detection of attempted and successful intrusions
is important but is worthless if not followed by
corrective action.
• Two of the Trust Services framework criteria for
effective security are the existence of
procedures to:
– React to system security breaches and other
incidents.
– Take corrective action on a timely basis.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
194 of 212
CORRECTIVE CONTROLS
• Three key components that satisfy the
preceding criteria are:
– Establishment of a computer emergency
response team.
– Designation of a specific individual with
organization-wide responsibility for security.
– An organized patch management system.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
195 of 212
CORRECTIVE CONTROLS
• Three key components that satisfy the
preceding criteria are:
– Establishment of a computer emergency
response team.
– Designation of a specific individual with
organization-wide responsibility for security.
– An organized patch management system.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
196 of 212
CORRECTIVE CONTROLS
•
Computer Emergency Response Team
–
A key component to being able to respond to
security incidents promptly and effectively is the
establish of a computer emergency response
team (CERT).
•
•
Responsible for dealing with major incidents.
Should include technical specialists and senior operations
management.
– Some potential responses have significant economic
consequences (e.g., whether to temporarily shut down
an e-commerce server) that require management input.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
197 of 212
CORRECTIVE CONTROLS
•
The CERT should lead the organization’s
incident response process through four
steps:
– Recognition that a problem exists
• Typically occurs when an IDS signals an
alert or as a result of a system
administrator’s log analysis.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
198 of 212
CORRECTIVE CONTROLS
•
The CERT should lead the rganization’s
incident response process through four
steps:
– Recognition that a problem exists
– Containment of the problem
• Once an intrusion is detected, prompt
action is needed to stop it and contain the
damage.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
199 of 212
CORRECTIVE CONTROLS
•
The CERT should lead the rganization’s
incident response process through four
steps:
– Recognition that a problem exists
– Containment of the problem
– Recovery
• Damage must be repaired.
• May involve restoring data from backup
and reinstalling corrupted programs
(discussed more in Chapter 8).
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
200 of 212
• Once recovery is in process, the CERT
should lead analysis of how the incident
occurred.
• Steps should be taken to modify existing
security policy and minimize the
likelihood of a similar incident.
• An important decision is whether to try to
incident response
through
four
catch process
and punish the
perp.
– If the perpetrator will be pursued,
steps:
forensic experts should be involved
ensure that all possible
– Recognition that immediately
a problemtoexists
evidence is collected and maintained
– Containment of the
problem
in a manner
that makes it admissible
in court.
– Recovery
CORRECTIVE CONTROLS
•
The CERT should lead the rganization’s
– Follow-up
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
201 of 212
CORRECTIVE CONTROLS
•
Communication is vital to all four steps,
so multiple methods are needed for
notifying members of CERT (e.g., email,
phone, cell phone).
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
202 of 212
CORRECTIVE CONTROLS
•
It is also important to practice the incident response
plan, including the alert process, so that gaps can be
discovered.
Regular practice helps identify the need for change in
response to technological changes.
•
–
EXAMPLE: A CERT practicing an incident response in Texas
recently realized that the password to a web address that was
vital to the incident response had been changed. The CERT
did not have the new password. Better to find this out on a
trial run and make provision for the CERT to be immediately
notified of any future password changes than to discover it in a
live incident.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
203 of 212
CORRECTIVE CONTROLS
• Three key components that satisfy the
preceding criteria are:
– Establishment of a computer emergency
response team.
– Designation of a specific individual with
organization-wide responsibility for
security.
– An organized patch management system.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
204 of 212
CORRECTIVE CONTROLS
• A chief security officer (CSO):
– Should be independent of other IS functions and report to either
the COO or CEO.
– Must understand the company’s technology environment and
work with the CIO to design, implement, and promote sound
security policies and procedures.
– Disseminates info about fraud, errors, security breaches,
improper system use, and consequences of these actions.
– Works with the person in charge of building security, as that is
often the entity’s weakest link.
– Should impartially assess and evaluate the IT environment,
conduct vulnerability and risk assessments, and audit the CIO’s
security measures.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
205 of 212
CORRECTIVE CONTROLS
• Three key components that satisfy the
preceding criteria are:
– Establishment of a computer emergency
response team.
– Designation of a specific individual with
organization-wide responsibility for security.
– An organized patch management system.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
206 of 212
CORRECTIVE CONTROLS
• Patch Management
– Another important corrective control involves
fixing known vulnerabilities and installing
latest updates to:
•
•
•
•
Anti-virus software
Firewalls
Operating systems
Application programs
– The number of reported vulnerabilities rises
each year.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
207 of 212
CORRECTIVE CONTROLS
• A primary cause of the rise in reported
vulnerabilities is the ever-increasing size and
complexity of software.
• Many widely-used programs contain millions of
lines of code.
• Even if 99.9% error free, there would still be 100
vulnerabilities per million lines.
• Both hackers and security consultants constantly
search for these vulnerabilities.
• Once discovered, the question is how to take
advantage of them.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
208 of 212
CORRECTIVE CONTROLS
• Hackers usually publish instructions for doing so
(known as exploits) on the Internet.
• Although it takes skill to discover the exploit,
once published, it can be executed by almost
anyone.
• Attackers who execute these programmed
exploits are referred to as script kiddies.
• A patch is code released by software
developers to fix vulnerabilities that have been
discovered.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
209 of 212
CORRECTIVE CONTROLS
• Patch management is the process for regularly
applying patches and updates to all of an
organization’s software.
• Challenging to do because:
– Patches can have unanticipated side effects that
cause problems, which means they should be tested
before being deployed.
– There are likely to be many patches each year for
each software program, which may mean that
hundreds of patches will need to be applied to
thousands of machines.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
210 of 212
CORRECTIVE CONTROLS
• Intrusion Prevention Systems may provide great
promise if they can be quickly updated to
respond to new vulnerabilities and block new
exploits, so that the entity can buy time to:
– Thoroughly test the patches
– Apply the patches.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
211 of 212
SUMMARY
• In this chapter, you’ve learned:
– How security affects systems reliability.
– The four criteria that can be used to evaluate the
effectiveness of an organization’s information security.
– What the time-based model of security is, as well as
the concept of defense-in-depth.
– The types of preventive, detective, and corrective
controls that are used to provide information security.
– How encryption contributes to security and how the
two basic types of encryption systems work.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
212 of 212
Download