C HAPTER 7 Information Systems Controls for Systems Reliability Part 1: Information Security © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 1 of 212 INTRODUCTION • Questions to be addressed in this chapter: – How does security affect systems reliability? – What are the four criteria that can be used to evaluate the effectiveness of an organization’s information security? – What is the time-based model of security and the concept of defense-in-depth? – What types of preventive, detective, and corrective controls are used to provide information security? – How does encryption contribute to security and how do the two basic types of encryption systems work? © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 2 of 212 INTRODUCTION • One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means: – It provides an accurate, complete, and timely picture of the organization’s activities. – It is available when needed. – The information and the system that produces it is protected from loss, compromise, and theft. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 3 of 212 INTRODUCTION SYSTEMS RELIABILITY © 2006 Prentice Hall Business Publishing • The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability: Accounting Information Systems, 10/e Romney/Steinbart 4 of 212 INTRODUCTION SYSTEMS RELIABILITY • The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability: – Security • Access to the system and its data is controlled. SECURITY © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 5 of 212 INTRODUCTION CONFIDENTIALITY SYSTEMS RELIABILITY • The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability: – Security – Confidentiality • Sensitive information is protected from unauthorized disclosure. SECURITY © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 6 of 212 INTRODUCTION PRIVACY CONFIDENTIALITY SYSTEMS RELIABILITY • The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles Personal information about that contribute to systems customers collected through ereliability: commerce is collected, used, – – – Security disclosed, and maintained in an appropriate manner. Confidentiality Privacy SECURITY © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 7 of 212 INTRODUCTION PROCESSING INTEGRITY PRIVACY CONFIDENTIALITY SYSTEMS RELIABILITY • The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles • that Data is processed: contribute to systems – Accurately reliability: – – – – –Security Completely –Confidentiality In a timely manner –Privacy With proper authorization Processing integrity SECURITY © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 8 of 212 INTRODUCTION SECURITY © 2006 Prentice Hall Business Publishing AVAILABILITY PROCESSING INTEGRITY PRIVACY CONFIDENTIALITY SYSTEMS RELIABILITY • The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability: – – – – – Security Confidentiality The system is available to meet Online privacyand contractual operational obligations. Processing integrity Availability Accounting Information Systems, 10/e Romney/Steinbart 9 of 212 INTRODUCTION SECURITY © 2006 Prentice Hall Business Publishing AVAILABILITY PROCESSING INTEGRITY PRIVACY CONFIDENTIALITY SYSTEMS RELIABILITY • Note the importance of security in this picture. It is the foundation of systems reliability. Security procedures: – Restrict system access to only authorized users and protect: • The confidentiality of sensitive organizational data. • The privacy of personal identifying information collected from customers. Accounting Information Systems, 10/e Romney/Steinbart 10 of 212 INTRODUCTION • Security procedures also: – Provide for processing integrity by preventing: SECURITY © 2006 Prentice Hall Business Publishing AVAILABILITY PROCESSING INTEGRITY PRIVACY CONFIDENTIALITY SYSTEMS RELIABILITY • Submission of unauthorized or fictitious transactions. • Unauthorized changes to stored data or programs. – Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed. Accounting Information Systems, 10/e Romney/Steinbart 11 of 212 INTRODUCTION • In this chapter, we will focus on the Trust Services principle of information security. • Chapter 8 will discuss controls relevant to the other four reliability principles. • This chapter provides a broad introduction to the topic of information systems security. • Anyone interested in a career in information systems security would need to undertake additional detailed study. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 12 of 212 INTRODUCTION • There has been a dramatic rise in the number of reported security incidents in recent years, including: – – – – Denial of service attacks Fraud Loss of trade secrets Identity theft • Accountants and IS professionals need to understand basic principles of information security in order to protect their organizations and themselves. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 13 of 212 FUNDAMENTAL INFORMATION SECURITY CONCEPTS • There are three fundamental information security concepts that will be discussed in this chapter: – Security as a management issue, not a technology issue. – The time-based model of security. – Defense in depth. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 14 of 212 FUNDAMENTAL INFORMATION SECURITY CONCEPTS • There are three fundamental information security concepts that will be discussed in this chapter: – Security as a management issue, not a technology issue. – The time-based model of security. – Defense in depth. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 15 of 212 SECURITY AS A MANAGEMENT ISSUE • Though information security is a complex technical subject, security is first and foremost a top management issue, not an IT issue. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 16 of 212 SECURITY AS A MANAGEMENT ISSUE • Management is responsible for the accuracy of various internal reports and financial statements produced by the organization’s IS. – SOX Section 302 requires that the CEO and CFO certify the accuracy of the financial statements. – SOX Section 404 requires that the annual report include a report on the company’s internal controls. Within this report, management acknowledges their responsibility for designing and maintaining internal controls and assessing their effectiveness. – Security is a key component of the internal control and systems reliability to which management must attest. – As identified in the COSO model, management’s philosophy and operating style are critical to an effective control environment. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 17 of 212 SECURITY AS A MANAGEMENT ISSUE • The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability: – Develop and document policies. – Effectively communicate those policies to all authorized users. – Design and employ appropriate control procedures to implement those policies. – Monitor the system, and take corrective action to maintain compliance with the policies. • Top management involvement and support is necessary to satisfy each of the preceding criteria. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 18 of 212 SECURITY AS A MANAGEMENT ISSUE • The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability: – Develop and document policies. – Effectively communicate those policies to all authorized users. – Design and employ appropriate control procedures to implement those policies. – Monitor the system, and take corrective action to maintain compliance with the policies. • Top management involvement and support is necessary to satisfy each of the preceding criteria. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 19 of 212 SECURITY AS A MANAGEMENT ISSUE • Policy Development – It’s more exciting to react to security issues than to prevent them. – However, it is important to develop a comprehensive set of security policies before designing and implementing specific control procedures. – Helps ensure that the security products you ultimately purchase protect each IS resource. – Developing a comprehensive set of security policies begins with taking an inventory of information systems resources, including: • Hardware • Software • Databases © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 20 of 212 SECURITY AS A MANAGEMENT ISSUE • Once the resources have been identified, they need to be valued in order to select the most cost-effective control procedures. – Not easy—particularly in valuing information itself. – Top management needs to be involved because they have a broader understanding of the organization’s mission and goals that will enable them to better assess the dollar impact caused by loss or disclosure of information resources. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 21 of 212 SECURITY AS A MANAGEMENT ISSUE • The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability: – Develop and document policies. – Effectively communicate those policies to all authorized users. – Design and employ appropriate control procedures to implement those policies. – Monitor the system, and take corrective action to maintain compliance with the policies. • Top management involvement and support is necessary to satisfy each of the preceding criteria. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 22 of 212 SECURITY AS A MANAGEMENT ISSUE • Effective Communication of Policies – Security policies must be communicated to and understood by employees, customers, suppliers, and other authorized users. – Needs to be more than having people sign off that they’ve received and read a written document. – Employees should have regular reminders about security policies and training in how to comply. – Training and communication will only be taken seriously if management provides active support and involvement. – Sanctions must also be associated with these violations, again requiring management support for enforcement. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 23 of 212 SECURITY AS A MANAGEMENT ISSUE • The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability: – Develop and document policies. – Effectively communicate those policies to all authorized users. – Design and employ appropriate control procedures to implement those policies. – Monitor the system, and take corrective action to maintain compliance with the policies. • Top management involvement and support is necessary to satisfy each of the preceding criteria. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 24 of 212 SECURITY AS A MANAGEMENT ISSUE • Design and Employ Appropriate Control Procedures – Control frameworks such as COBIT and Trust Services identify a variety of specific control procedures and tools that can be used to mitigate various security threats. – Options differ in terms of cost and effectiveness. – Determining the optimal level of investment in security involves evaluating cost-benefit trade-offs. – Systems personnel have knowledge about the technical merits of each alternative, as well as the risk of various threats. – Management insight is needed in identifying potential costs and ensuring that all relevant organizational factors are considered. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 25 of 212 SECURITY AS A MANAGEMENT ISSUE • The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability: – Develop and document policies. – Effectively communicate those policies to all authorized users. – Design and employ appropriate control procedures to implement those policies. – Monitor the system, and take corrective action to maintain compliance with the policies. • Top management involvement and support is necessary to satisfy each of the preceding criteria. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 26 of 212 SECURITY AS A MANAGEMENT ISSUE • Monitor and Take Remedial Action – Security is a moving target. – Technology advances create new threats and alter the risks associated with existing threats. – Effective control involves a continuous cycle of: • • • • • Developing policies to address identified threats; Communicating those policies to all employees; Implementing specific control procedures to mitigate risk; Monitoring performance; and Taking corrective action in response to problems. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 27 of 212 SECURITY AS A MANAGEMENT ISSUE • Corrective actions often involve the modification of existing cycles, and the cycle starts all over. • Senior management must be involved to ensure that security policies remain consistent with and support the organization’s business strategy. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 28 of 212 FUNDAMENTAL INFORMATION SECURITY CONCEPTS • There are three fundamental information security concepts that will be discussed in this chapter: – Security is a management issue, not a technology issue. – The time-based model of security. – Defense in depth. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 29 of 212 TIME-BASED MODEL OF SECURITY • Given enough time and resources, any preventive control can be circumvented. • Consequently, effective control requires supplementing preventive procedures with: – Methods for detecting incidents; and – Procedures for taking corrective remedial action. • Detection and correction must be timely, especially for information security, because once preventive controls have been breached, it takes little time to destroy, compromise, or steal the organization’s economic and information resources. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 30 of 212 TIME-BASED MODEL OF SECURITY • The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised. • All three types of controls are necessary: – Preventive • Limit actions to those in accord with the organization’s security policy and disallow all others. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 31 of 212 TIME-BASED MODEL OF SECURITY • The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised. • All three types of controls are necessary: – Preventive – Detective Identify when preventive controls have been breached. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 32 of 212 TIME-BASED MODEL OF SECURITY • The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised. • All three types of controls are necessary: – Preventive – Detective – Corrective © 2006 Prentice Hall Business Publishing • Repair damage from problems that have occurred • Improve preventive and detective controls to reduce likelihood of similar incidents. Accounting Information Systems, 10/e Romney/Steinbart 33 of 212 TIME-BASED MODEL OF SECURITY • The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables: – P = Time it takes an attacker to break through the organization’s preventive controls – D = Time it takes to detect that an attack is in progress – C = Time to respond to the attack • These three variables are evaluated as follows: – If P > (D + C), then security procedures are effective. – Otherwise, security is ineffective. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 34 of 212 TIME-BASED MODEL OF SECURITY • The model provides management with a means to identify the most cost-effective approach to improving security by comparing the effects of additional investments in preventive, detective, or corrective controls. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 35 of 212 TIME-BASED MODEL OF SECURITY • EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures: – – – – Measure 1 would increase P by 5 minutes. Measure 2 would decrease D by 3 minutes. Measure 3 would decrease C by 5 minutes. Measure 4 would increase P by 3 minutes and reduce C by 3 minutes. • Since each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed (D + C) by the maximum possible amount.) © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 36 of 212 The most cost-effective choice would therefore be Measure 4, because for the same money, it creates a greater distance between the time it takes a perpetrator to breakby into a systemit.and the time it You may be able to solve this problem eyeballing If not, one way to solve it is to assume some values for D, and takes initial the company toP, detect and C. thwart the attack. So let’s assume that P = 15 min., D = 5 min., and C = 8 min. At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min. With Measure 1, P is increased by 5 minutes: – 20 – (5 + 8) = 7 min. With Measure 2, D is decreased by 3 minutes: – 15 – (2 + 8) = 5 min. With Measure 3, C is decreased by 5 min. – 15 – (5 + 3) = 7 min. With Measure 4, P is increased by 3 minutes and C is reduced by 3 min. – 18 – (5 + 5) = 8 min. TIME-BASED MODEL OF SECURITY • • • • • • • © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 37 of 212 FUNDAMENTAL INFORMATION SECURITY CONCEPTS • There are three fundamental information security concepts that will be discussed in this chapter: – Security is a management issue, not a technology issue. – The time-based model of security. – Defense in depth. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 38 of 212 DEFENSE IN DEPTH • The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure. • If one layer fails, another may function as planned. • Computer security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access. • Redundancy also applies to detective and corrective controls. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 39 of 212 DEFENSE IN DEPTH Major types of preventive controls used for defense in depth include: – Authentication controls (passwords, tokens, biometrics, MAC addresses) – Authorization controls (access control matrices and compatibility tests) – Training – Physical access controls (locks, guards, biometric devices) – Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls) – Host and Application Hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows) – Encryption © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 40 of 212 DEFENSE IN DEPTH • Detective controls include: – Log analysis – Intrusion detection systems – Managerial reports – Security testing (vulnerability scanners, penetration tests, war dialing) © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 41 of 212 DEFENSE IN DEPTH • Corrective controls include: – Computer Emergency Response Teams – Chief Security Officer (CSO) – Patch Management © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 42 of 212 PREVENTIVE CONTROLS • Major types of preventive controls used for defense in depth include: – Authentication controls (passwords, tokens, biometrics, MAC addresses) – Authorization controls (access control matrices and compatibility tests) – Training – Physical access controls (locks, guards, biometric devices) – Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls) – Host and Application Hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows) – Encryption © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 43 of 212 PREVENTIVE CONTROLS • The objective of preventive controls is to prevent security incidents from happening. • Involves two related functions: – Authentication • Focuses on verifying the identity of the person or device attempting to gain access. – Authorization • Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 44 of 212 PREVENTIVE CONTROLS • Users can be authenticated by verifying: – Something they know, such as passwords or PINs. – Something they have, such as smart cards or ID badges. – Some physical characteristic (biometric identifier), such as fingerprints or voice. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 45 of 212 PREVENTIVE CONTROLS • Passwords are probably the most commonly used authentication method and also the most controversial. – An effective password must satisfy a number of requirements: • Length Longer is better. Should be at least 8 characters. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 46 of 212 PREVENTIVE CONTROLS • Passwords are probably the most commonly used authentication method and also the most controversial. – An effective password must satisfy a number of requirements: • Length • Multiple character types Use a mix of upper-and lowercase alphabetic, numeric, and special characters. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 47 of 212 PREVENTIVE CONTROLS • Passwords are probably the most commonly used authentication • Passwords should not be wordsmethod found in the dictionary or dictionary words preceded or and also the most controversial. – followed by a number such as 4dog or dog4. An effective password must satisfy a number • Should not be related to the employee’s personal interests or hobbies, because specialof requirements: purpose, password-cracking dictionaries can be • Lengthfound on the Internet containing the most passwords • Multiplecommon character types related to various topics. • Random © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 48 of 212 PREVENTIVE CONTROLS • Passwords are probably the most commonly used authentication method and also the most controversial. – An effective password must satisfy a number of requirements: • • • • Length • The most important Multiple character types requirement. • A password must be kept secret to be effective. Random Secret © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 49 of 212 PREVENTIVE CONTROLS • A password that meets the preceding criteria is typically difficult to memorize—exacerbated by the typical requirement that the password be changed every 90 days. • So most people either: – Select passwords that can be easily guessed but can be memorized; or – Select passwords that meet the criteria for a strong password but write them down. – When the password is written down, it changes from something the employee knows to something the employee has, which can be stolen and used. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 50 of 212 PREVENTIVE CONTROLS • As a result of this dilemma, some security experts argue for abandoning the quest to develop and use strong passwords. – They note that a major component of help desk costs is associated with resetting passwords. – They suggest reliance on dual-factor authentication methods, such as a combination of a smart card and a PIN number. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 51 of 212 PREVENTIVE CONTROLS • Other experts disagree. – They note that operating systems can now accommodate passwords longer than 15 characters. – So users can create strong but easy-to-remember paraphrases like: Idlike2binParis. – Long paraphrases dramatically increase the effort required to crack them by guessing. – So this group argues that longer length, coupled with the fact that it is easier to remember a long paraphrase than a strong password, should dramatically cut help desk costs while improving security. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 52 of 212 PREVENTIVE CONTROLS • Each authentication method has its limitations. – Passwords • Can be guessed, lost, written down, or given away. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 53 of 212 PREVENTIVE CONTROLS • Each authentication method has its limitations. – Passwords – Physical identification techniques • Include cards, badges, and USB devices. • Can be lost, stolen, or duplicated. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 54 of 212 • Expensive and often cumbersome • Not yet 100% accurate, sometimes rejecting legitimate users and allowing unauthorized people • Some techniques like fingerprints may carry negative connotations that hinder acceptance. • Security concerns surround the storage of this data. limitations. – If the data is compromised, it could create serious, lifelong problems for the donor. – Passwords – Unlike passwords or tokens, biometric identifiers cannot be replaced ortechniques changed. – Physical identification PREVENTIVE CONTROLS • Each authentication method has its – Biometric techniques © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 55 of 212 PREVENTIVE CONTROLS • Although none of the three basic authentication methods is foolproof by itself, the use of two or three in conjunction, known as multi-factor authentication, is quite effective. • Example: Using a palm print and a PIN number together is much more effective than using either method alone. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 56 of 212 PREVENTIVE CONTROLS • Authorization controls are implemented by creating an access control matrix. – Specifies what part of the IS a user can access and what actions they are permitted to perform. – When an employee tries to access a particular resource, the system performs a compatibility test that matches the user’s authentication credentials against the matrix to determine if the action should be allowed. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 57 of 212 PREVENTIVE CONTROLS User Identification Code Number Password 12345 ABC 12346 DEF 12354 KLM 12359 NOP 12389 RST 12567 XYZ Files A 0 0 1 3 0 1 B 0 2 1 0 1 1 Programs C 1 0 1 0 0 1 1 0 0 0 0 0 1 2 0 0 0 0 3 1 3 0 0 0 0 0 1 4 0 0 0 0 0 1 • Who has the authority to delete Program 2? Codes for type of access: 0 = No access permitted 1 = Read and display only 2 = Read, display, and update 3 = Read, display, update, create, and delete © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 58 of 212 PREVENTIVE CONTROLS User Identification Code Number Password 12345 ABC 12346 DEF 12354 KLM 12359 NOP 12389 RST 12567 XYZ Files A 0 0 1 3 0 1 B 0 2 1 0 1 1 Programs C 1 0 1 0 0 1 1 0 0 0 0 0 1 2 0 0 0 0 3 1 3 0 0 0 0 0 1 4 0 0 0 0 0 1 • Which files can user 12354 access? Codes for type of access: 0 = No access permitted 1 = Read and display only 2 = Read, display, and update 3 = Read, display, update, create, and delete © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 59 of 212 PREVENTIVE CONTROLS User Identification Code Number Password 12345 ABC 12346 DEF 12354 KLM 12359 NOP 12389 RST 12567 XYZ Files A 0 0 1 3 0 1 B 0 2 1 0 1 1 Programs C 1 0 1 0 0 1 1 0 0 0 0 0 1 2 0 0 0 0 3 1 3 0 0 0 0 0 1 4 0 0 0 0 0 1 • Which programs can user 12354 access? Codes for type of access: 0 = No access permitted 1 = Read and display only 2 = Read, display, and update 3 = Read, display, update, create, and delete © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 60 of 212 PREVENTIVE CONTROLS The access control matrix should be regularly updated, so that an employee who changes job duties cannot accumulate a set of rights that are incompatible with proper segregation of duties. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 61 of 212 PREVENTIVE CONTROLS • Authentication and authorization can be applied to devices as well as users. – Every workstation, printer, or other computing device needs a network interface card (NIC) to connect to the organization’s network. – Each network device has a unique identifier, referred to as its media access control (MAC) address. – It is possible to restrict network access to only those devices which have a recognized MAC address or to use MAC addresses for authorization. – For example, payroll or EFT applications should be set only to run from authorized terminals. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 62 of 212 PREVENTIVE CONTROLS • Although authentication and authorization controls are key to restricting access to IS resources, a number of other preventive controls are necessary to provide adequate security. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 63 of 212 PREVENTIVE CONTROLS These are the multiple layers of preventive controls that reflect the defense-in-depth approach to satisfying the constraints of the time-based model of security. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 64 of 212 PREVENTIVE CONTROLS • Training - The first layer of preventive controls is training. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 65 of 212 PREVENTIVE CONTROLS • People play a critical role in information security. • The effectiveness of specific control procedures depends on how well employees understand and follow the organization’s security policies. • Employees should be taught why security measures are important to the organization’s long-run survival. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 66 of 212 PREVENTIVE CONTROLS • Employees should be trained to follow safe computing practices, such as: – Never open unsolicited email attachments. – Use only approved software. – Never share or reveal passwords. – Physically protect laptops, especially when traveling. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 67 of 212 PREVENTIVE CONTROLS • Train employees about social engineering attacks, which use deception to obtain unauthorized access. – Do not divulge passwords or other info about their accounts or workstation configuration to anyone who contacts them by phone, email, or IM, even if they claim to be part of systems security staff. – Do not allow other people (employees or outsiders) to follow them through restricted-access entrances. • This type of piggybacking can take place at main entrances and at internal locked doors. • Often succeeds because people feel it is rude not to let the other person come through with them. • Role-playing exercises are particularly helpful here. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 68 of 212 PREVENTIVE CONTROLS • It is also important to invest in continuing professional education for information security specialists. – New technology developments create new security threats and make old solutions obsolete. – Organizations frequently fail to invest in this vital training. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 69 of 212 PREVENTIVE CONTROLS • It is also useful to keep abreast of recent hacking developments. – “White hat” organizations monitor hacker activities and publish findings on the Web. • How the activities are perpetrated. • How network administrators can protect themselves from each approach. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 70 of 212 PREVENTIVE CONTROLS – Underground journals, books and cracker Websites provide information on how to break into systems, including how to: • Breach a server • Generate virus code • Hide your identity – These sites should be monitored to stay abreast of current approaches and protect your system. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 71 of 212 PREVENTIVE CONTROLS • Top management must also provide support for training. – Providing funding – Demonstrating that they support employees who follow prescribed security policies. • Especially important for combating social engineering attacks. – Enforcing consequences against employees who willfully violate security policies. • Sends strong message to other employees. • May mitigate consequences to the organization if the employee has engaged in illegal behavior. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 72 of 212 PREVENTIVE CONTROLS • Controlling Physical Access – Physical access controls are the second layer of preventive controls. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 73 of 212 PREVENTIVE CONTROLS • Within a few minutes, a skilled attacker with unsupervised direct physical access to the system can successfully obtain access to sensitive data. – Special boot disks exist that, when inserted, provide the person with unfettered privileges and rights on the computer. – Keystroke loggers can be installed on the PC through hardware or software, which will capture every one of the authorized user’s keystrokes, including his ID and password. – A diskette with a publicly available utility can be inserted in a PC which will instantly capture any ID number or password that has been entered on that PC, since the time it was last booted.. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 74 of 212 PREVENTIVE CONTROLS • Physical access control begins with entry points to the building itself. – Should be one regular entry point unlocked during normal office hours. – Fire codes require emergency exits. • These should not permit entry from outside. • Should be connected to an alarm that is triggered if someone leaves through the exit. – A receptionist or security guard should be stationed at the main entrance of the building to: • Verify the identity of employees. • Require that visitors sign in and be escorted to their destination. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 75 of 212 PREVENTIVE CONTROLS • Once inside the building, physical access to rooms housing computer equipment must be restricted. – Rooms should be securely locked. – All entries and exits should be monitored by closed-circuit TV. – Multiple failed access attempts should trigger an alarm. – Rooms with servers with highly sensitive data should supplement regular locks with: • Card readers; • Numeric keypads; or • Biometric devices. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 76 of 212 PREVENTIVE CONTROLS • Access to wiring used in LANs must be restricted to prevent wiretapping. – Cables and wiring should not be exposed in areas accessible to casual visitors. – Wall jacks not in use should be physically disconnected from the network. – Wiring closets should be securely locked. • If shared with other tenants of a building, the telecommunications equipment should be placed inside locked steel cages. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 77 of 212 PREVENTIVE CONTROLS • Physical access security must be cost effective. – Requires top management involvement to ensure resources are properly valued and that the access controls are appropriate for that value. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 78 of 212 PREVENTIVE CONTROLS • Laptops, cell phones, and PDA devices require special attention. – Laptop theft is a major problem, and the major cost is not the price of the laptop but the loss of the confidential information and the costs of notifying those affected. – To deal with laptop theft, employees should be trained to always lock their laptops to an immovable object— even while in the office. – Sensitive data should only be stored on removable media, not the hard drive, and special care should be taken to restrict access to the removable media. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 79 of 212 PREVENTIVE CONTROLS – Because theft is always possible, confidential or sensitive data should be encrypted during storage to minimize the likelihood that a thief can access it. – Some organizations install special software on laptops so that if one is stolen, it will automatically dial a toll-free number and reveal its current location when the thief attempts to connect to the Internet. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 80 of 212 PREVENTIVE CONTROLS • Cell phones and PDAs increasingly store confidential information and need the same types of controls used for laptops. • Access to network printers should also be restricted, because they often store document images on their hard drive. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 81 of 212 PREVENTIVE CONTROLS • Controlling Remote Access – The third layer of defense is control of remote access. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 82 of 212 PREVENTIVE CONTROLS • Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems – This figure shows the relationship between an organization’s information system and the Internet. – A device called a border router connects an organization’s information system to the Internet. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 83 of 212 PREVENTIVE CONTROLS Behind the border router is the main firewall, either a specialpurpose hardware device or software running on a general purpose computer. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 84 of 212 PREVENTIVE CONTROLS Web servers and email servers are placed in a separate network called the demilitarized zone (DMZ), because it sits outside the corporate network but is accessible from the Internet. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 85 of 212 PREVENTIVE CONTROLS • Together, the border router and firewall act as filters to control which information is allowed to enter and leave the organization’s information system. • To understand how they function, we first need to discuss how information is transmitted on the Internet. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 86 of 212 PREVENTIVE CONTROLS • Information traverses the Internet and internal networks in the form of packets. – Documents and files that you send to a printer or to a colleague are first divided into packets. – The packets are sent over the LAN and maybe the Internet to their destination. – The device receiving the packets must reassemble them. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 87 of 212 PREVENTIVE CONTROLS • This process is governed by TCP/IP, two protocols for transmitting information over the Internet. – Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into packets and for reassembly at the destination. – Internet Protocol (IP) specifies the structure of the packets and how to route them to the proper destination. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 88 of 212 PREVENTIVE CONTROLS • The structure of IP packets facilitates their efficient transmission over the Internet. – Every IP packet consists of two parts. • Header – contains the packet’s origin and destination addresses, as well as info about the type of data contained in the body. • Body. – The IP protocol prescribes the size of the header and the sequence of the information fields in it. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 89 of 212 PREVENTIVE CONTROLS • Special purpose devices called routers read the destination address fields in packet headers to decide where to send (route) the packet next. – The current version of the IP protocol, IPv4, uses 32bit long addresses. • Consist of four 8-bit numbers separated by periods. – When users type a URL in their browser, e.g., www.prenticehall.com, the name is translated into the appropriate address, i.e., 165.193.123.253. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 90 of 212 PREVENTIVE CONTROLS – An organization’s border router checks the contents of the destination address field of every packet it receives. • If the address is not that of the organization, the packet is forwarded to another router on the Internet. • If the destination address matches the organization, the packet undergoes one or more tests before being allowed in. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 91 of 212 PREVENTIVE CONTROLS • A set of rules called an access control list (ACL) determine which packets are allowed in and which are dropped. – Border routers typically perform a static packet filtering, which screens individual packets based only on the contents of the source and/or destination fields in the packet header. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 92 of 212 PREVENTIVE CONTROLS • ACL normally specifies that the following packets should not be allowed entry. – Packets with illegal source addresses. Certain source addresses are reserved for internal use and cannot be routed over the Internet: • 10.0.0.0 – 10.255.255.255 • 172.16.0.0 – 172.31.255.255 • 192.168.0.0 – 192.168.255.255 – The preceding packets would not be allowed in because they are either errors or attacks. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 93 of 212 PREVENTIVE CONTROLS • Packets with the organization’s IP address as the source address. – Does not make sense that an internal message is routed over the Internet, so these are typically spoofed addresses and not allowed in. • Border router ACLs often contain several additional rules that specify other types of packets that should be denied entry. • The ACL rules mainly focus on dropping packets, but the last rule in the ACL specifies that any packet not dropped should be forwarded to the firewall. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 94 of 212 PREVENTIVE CONTROLS • The firewall will subject the packet to more detailed testing before allowing it to enter the internal network. • Like the border router, firewalls use ACLs to determine what to do with each packet. – Firewalls are designed to act as filters and only permit packets that meet specific conditions to pass. – The final rule in the firewall ACL usually specifies that any packet not allowed entry by a previous rule should be dropped. – Firewalls don’t block all traffic, but only filter it. – Certain traffic passes through. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 95 of 212 PREVENTIVE CONTROLS • Firewalls use more sophisticated techniques than border routers to filter packets. – Most employ stateful packet filtering. – Static packet filtering would examine each IP packet in isolation, but stateful packet filtering maintains a table that lists all established connections between the organization’s computers and the Internet. – The firewall consults this table to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer. – Enables the firewall to reject specially crafted attack packets that would have passed a simple static packet filter. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 96 of 212 PREVENTIVE CONTROLS • Stateful packet filtering is still limited to examining only information in the IP packet header—the same as screening mail by looking at just the destination and return addresses on the envelope. – Process is fast and catches patently undesirable packages. – Limited effectiveness because undesirable mail can get through if the return address is not on the list of unacceptable sources. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 97 of 212 PREVENTIVE CONTROLS • Control would be more effective if each envelope or package were opened and inspected. • A process called deep packet inspection examines the data in the body of an IP packet to provide more effective access control. • The process takes more time, and therefore the added cost is loss of speed. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 98 of 212 PREVENTIVE CONTROLS • Deep packet inspection is the heart of a new type of filter called intrusion prevention systems (IPS). – IPS are designed to identify and drop packets that are part of an attack. – Uses several techniques to identify undesirable packets: • Checking packet contents against a database of patterns (signatures) of known attack methods. • Developing a profile of “normal” traffic and using statistical analysis to identify packets that don’t fit the profile. • Using rule bases that specify acceptable standards for specific types of traffic and dropping packets that don’t conform. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 99 of 212 PREVENTIVE CONTROLS • The major benefit of this approach is that it blocks not only known attacks for which signatures already exist, but also blocks new attacks that violate the standards. • IPS is a promising addition to the security arsenal, but does have problems. – Slows overall throughput. – Prone to false alarms, resulting in rejection of legitimate traffic. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 100 of 212 PREVENTIVE CONTROLS • Much research is being undertaken to improve the intelligence of IPS, and they are likely to become an important part of an organization’s security toolkit. – Will not replace firewalls and routers; they are complementary tools and provide another layer of perimeter defense. – Border routers will filter out obviously bad packets and pass the rest to the firewall. – The firewall does more detailed checking, allowing in only those packets purporting to contain specific types of data for specific types of programs and dropping others. – The IPS does deep packet inspection on the packets that proceed through the firewall to verify that the data does indeed conform to the organization’s security policies. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 101 of 212 PREVENTIVE CONTROLS • Another dimension of the defense-indepth concept is the use of a number of internal firewalls to segment different departments within the organization. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 102 of 212 PREVENTIVE CONTROLS • Many security incidents involve employees rather than outsiders. • These internal firewalls help restrict the data and portions of the IS that particular employees can access. • Increases security and strengthens internal control by providing another segregation of duties. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 103 of 212 PREVENTIVE CONTROLS • Modems are cheap and easy to install, so employees are often tempted to install them on their desktops without seeking permission or notifying anyone. – Creates a huge hole in perimeter security, especially because employees seldom configure any strong authentication controls. – A single rogue modem creates a “back door” through which attackers can successfully compromise the system. – Computer security or internal audit staff should periodically check for the existence of rogue modems. – War dialing software (also used by hackers) can dial every phone number assigned to the organization to identify those connected to modems. – Rogue modems should be disconnected and sanctions applied to offending employees. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 104 of 212 PREVENTIVE CONTROLS • Wireless Access – Many organizations also provide wireless access to their information systems. • It’s convenient and easy. • But anyone with a wireless NIC can attempt to connect to the network. • Ease of access provides another venue for attack and extends the perimeter that must be protected. • Wireless signals can often be picked up from miles away by perpetrators in cars, nearby buildings, etc. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 105 of 212 PREVENTIVE CONTROLS • Dial-Up Connections – Many organizations still allow employees to dial into their network from remote locations. – Dial-in access often bypasses the firewalls. – It is important to verify the identity of these users. – Remote Authentication Dial-In User Service (RADIUS) is a standard method for doing that. • Users connect to a remote-access server and submit log-in credentials. • The remote-access server passes the credentials to the RADIUS server, which does compatibility tests to authenticate the user’s identity. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 106 of 212 PREVENTIVE CONTROLS • To secure wireless access, all wireless access points (devices that accept incoming wireless communications and permit connection to the network) should be located in the DMZ. • Treats all wireless access as if it was coming in from the Internet and forces it to go through the main firewall and intrusion prevention systems. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 107 of 212 PREVENTIVE CONTROLS • The following procedures should also be followed to adequately secure wireless access: – Turn on available security features • Most wireless devices are sold and installed with these features disabled. • Example: encryption is usually turned off. – Authenticate all devices attempting to establish wireless access to the network before assigning them an IP address. • To do this, treat incoming wireless connections as dial-up attempts and route them first through a RADIUS server or other authorization device. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 108 of 212 PREVENTIVE CONTROLS – Configure all authorized wireless NICs to operate only in infrastructure mode. • Forces the device to connect only to wireless access points. • Wireless NICs configured in ad hoc mode can communicate directly with any other device that has a wireless NIC. Creates a security threat because it creates peer-to-peer networks with no authentication controls. – Turn off automatic broadcasting of the access point’s address, called a service set identifier (SSID). • Forces users to manually enter the wireless access point’s SSID. • Makes unauthorized access more difficult. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 109 of 212 PREVENTIVE CONTROLS – Predefine a list of authorized MAC addresses and configure wireless access points to only accept connections from those MAC addresses. – Reduce broadcast strength of wireless access points to make unauthorized reception more difficult off premises. – Locate wireless access points in the interior of the building and use directional antennae to make unauthorized access and eavesdropping more difficult. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 110 of 212 PREVENTIVE CONTROLS – As with modems, it’s easy and inexpensive for employees to set up rogue wireless access points. • Should be periodically tested for and handled in the same manner as rogue modems. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 111 of 212 PREVENTIVE CONTROLS • Host and Application Hardening – The fourth layer of defense is host and application hardening. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 112 of 212 PREVENTIVE CONTROLS • Routers, firewalls, and intrusion prevention systems are designed to protect the network perimeter. • Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as hosts) that comprise the organization’s network. • Three areas deserve special attention: – Host configuration – User accounts – Software design © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 113 of 212 PREVENTIVE CONTROLS • Routers, firewalls, and intrusion prevention systems are designed to protect the network perimeter. • Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as hosts) that comprise the organization’s network. • Three areas deserve special attention: – Host configuration – User accounts – Software design © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 114 of 212 PREVENTIVE CONTROLS • Host Configuration – Hosts can be made more secure by modifying their configurations. • Default configurations of most devices typically turn on a large number of optional settings that are seldom, if ever used. • Default installations of many operating systems turn on many special purpose programs, called services, which are not essential. – Turning on unnecessary features and extra services: • Maximizes the likelihood of successful installation without the need for customer support. • But the cost is that it creates security weaknesses. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 115 of 212 PREVENTIVE CONTROLS • Every program contains flaws, called vulnerabilities, and therefore represents a potential point of attack. • Optional programs and features that are not used should be disabled. • Tools like the Microsoft Baseline Security Analyzer and vulnerability scanners can identify unused and unnecessary programs that represent potential security threats. • This process of turning off unnecessary features is called hardening. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 116 of 212 PREVENTIVE CONTROLS • In addition to hardening, two other preventive controls should be applied to hosts on the network: – Every host should be running anti-virus software that is regularly updated. – Every host with sensitive information should have a software-based firewall that is updated regularly. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 117 of 212 PREVENTIVE CONTROLS • Routers, firewalls, and intrusion prevention systems are designed to protect the network perimeter. • Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as hosts) that comprise the organization’s network. • Three areas deserve special attention: – Host configuration – User accounts – Software design © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 118 of 212 PREVENTIVE CONTROLS • Managing User Accounts and Privileges – User accounts must be carefully managed, especially when they have unlimited (administrative) rights on the computer. – Users who need administrative powers on a particular computer should be assigned two accounts: • One with administrative rights • One with limited privileges – Users should log in under the limited account to perform routine duties. • They should be logged into their limited account when browsing the web or reading email. • If they visit a compromised website or open an infected email, the attacker will only acquire limited rights. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 119 of 212 PREVENTIVE CONTROLS • When a user needs to exercise administrative rights, such as installing new software, they should use the account with administrative rights. – Windows—Right-click on desired command and select RunAs option. – Unix—use super user (SU) command. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 120 of 212 PREVENTIVE CONTROLS • Default accounts must be managed when installing an operating system. – Windows creates a guest and administrator account. – The guest account has limited power but provides anonymous access so that it’s not possible to identify who used the account and for what resources. – The default guest account should be disabled. – The default administrator account has unlimited power. – Its default password is well-known, so it should be renamed and given a strong password. – One added measure is to create a new account with no rights and name it Administrator to temporarily decoy and delay attackers. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 121 of 212 PREVENTIVE CONTROLS • Routers, firewalls, and intrusion prevention systems are designed to protect the network perimeter. • Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as hosts) that comprise the organization’s network. • Three areas deserve special attention: – Host configuration – User accounts – Software design © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 122 of 212 PREVENTIVE CONTROLS • Software Design – Controls are also needed over in-house development and modification of programs, because poorly-written code can be exploited to give attackers administrative privileges. – Primary weakness involves failing to adequately screen input data. – The most common input-related vulnerability is a buffer overflow attack. • Attacker sends a program more data than it can handle. • May cause the system to crash or provide a command prompt, giving the attacker full administrative privileges and control. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 123 of 212 PREVENTIVE CONTROLS • Most programs are loaded into random-access memory (RAM) when they run. – Often, programs need to pause temporarily to call another program to perform a function. – Information about the current state of the suspended programs must be stored in RAM. – When the subprogram has finished its task, the address of the next computer instruction is written to an area of RAM called the stack. – Other information is written in an adjoining area of RAM, called a buffer. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 124 of 212 PREVENTIVE CONTROLS – A buffer overflow occurs when too much data is sent to the buffer so that the instruction address in the stack is overwritten. – The program returns control to the address pointed to in the stack. – In a buffer overflow attack, that location contains commands that enable the attacker to take control of the system. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 125 of 212 PREVENTIVE CONTROLS • This type of attack can only occur if the programmer fails to include a check on the amount of data being input. – Can be prevented by sound programming practices. – Internal auditors should routinely test all applications developed in-house to be sure they are not vulnerable to buffer overflow attacks. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 126 of 212 PREVENTIVE CONTROLS • Encryption – The final layer of preventive controls. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 127 of 212 PREVENTIVE CONTROLS • Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder. • Also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions. • Therefore, accountants, auditors, and systems professionals need to understand encryption. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 128 of 212 Plaintext This is a contract for . . . Key + PREVENTIVE CONTROLS Encryption Algorithm Cipher- Xb&j &m 2 text ep0%fg . . . Key + Decryption Algorithm Plaintext This is a contract for . . . © 2006 Prentice Hall Business Publishing • Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. • Decryption reverses this process. • To encrypt or decrypt, both a key and an algorithm are needed. Accounting Information Systems, 10/e Romney/Steinbart 129 of 212 PREVENTIVE CONTROLS • Computers represent plaintext and ciphertext as a series of binary digits (0s and 1s). – The key is also a string of binary digits of a fixed length. – A 128-bit key consists of a string of 128 0s and 1s. • The algorithm is a formula for combining the key and the text. • Most documents are longer than the key, so the computer first divides the plaintext or ciphertext into blocks—each block being of equal length as the key. • The computer then applies the algorithm to each block of text. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 130 of 212 PREVENTIVE CONTROLS • This process produces a ciphertext version of the document or file equal in size to the original. • To reproduce the original, the ciphertext is divided into 128-bit blocks, and the decryption key is applied to each block. • Since each character in English is represented by an 8-bit code, the length of each block would be 16 characters long. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 131 of 212 PREVENTIVE CONTROLS • Encryption Strength – Three important factors determine the strength of any encryption system: • Key length; • Longer keys provide stronger encryption by reducing the number of repeating blocks of ciphertext. • Makes it harder for a would-be perpetrator to spot patterns. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 132 of 212 PREVENTIVE CONTROLS • Encryption Strength – Three important factors determine the strength of any encryption system: • Key length • Key management policies • The procedures used to store and manage encryption keys are often the most vulnerable aspect of the encryption system. – If the keys have been compromised, the encryption can be easily broken. – Keys should not be stored on the computer that uses them. – A copy should be stored in a secure location, known as a key escrow, so that if an employee leaves the organization for any reason, the data can be decrypted. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 133 of 212 PREVENTIVE CONTROLS • Encryption Strength – Three important factors determine the strength of any encryption system: • Key length • Key management policies • The nature of the encryption algorithm • The nature of the algorithm also affects encryption strength. – A strong algorithm is difficult, if not impossible, to break with brute-force guessing techniques. – Secrecy is not necessary for strength. – Procedures used by the most accepted and widely-used encryption algorithms are publicly available. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 134 of 212 PREVENTIVE CONTROLS • Types of Encryption Systems – There are two basic types of encryption systems • Symmetric encryption systems • Asymmetric encryption systems © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 135 of 212 PREVENTIVE CONTROLS • Types of Encryption Systems – There are two basic types of encryption systems • Symmetric encryption systems • Asymmetric encryption systems © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 136 of 212 PREVENTIVE CONTROLS • Symmetric Encryption Systems – Use the same key to encrypt and decrypt. – Examples: DES and AES © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 137 of 212 PREVENTIVE CONTROLS • Symmetric encryption advantages: – It is much faster than asymmetric encryption. • Symmetric encryption disadvantages: – Both parties need to know the secret key, so a method is needed to securely exchange the keys, and email is not an appropriate solution. – A different key needs to be created for each party with whom the entity engages in encrypted transactions. – Since both sides of a transaction are using the same key, there is no way to prove which of the two parties created a document. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 138 of 212 PREVENTIVE CONTROLS • Types of Encryption Systems – There are two basic types of encryption systems • Symmetric encryption systems • Asymmetric encryption systems © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 139 of 212 PREVENTIVE CONTROLS • Asymmetric encryption systems – Use two keys: • The public key is publicly available. • The private key is kept secret and known only to the owner of that pair of keys. – Either key can be used to encrypt. – Whichever key is used to encrypt, the other key must be used to decrypt. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 140 of 212 PREVENTIVE CONTROLS • Asymmetric encryption solves several problems with symmetric keys. – It doesn’t matter who knows the public key, because any text encrypted with it can only be decrypted using the private key. – The public key can be distributed by email or posted on a website for anyone who wants to send an encrypted message to the entity. – Any number of parties can use the same public key to send messages, because only the owner of the key can decrypt them. – Since only one party has the private key, it’s possible to prove who created a document, which provides a means for legallybinding electronic agreements. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 141 of 212 PREVENTIVE CONTROLS • The main drawback to asymmetric encryption is speed. – Much (thousands of times) slower then symmetric encryption. – Too slow to exchange large amounts of data over the Internet. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 142 of 212 PREVENTIVE CONTROLS • So, e-business uses both types of encryption systems: – Symmetric encryption to encode most of the data being exchanged. – Asymmetric encryption to safely send the symmetric key to the recipient for use in decrypting the ciphertext. – Asymmetric encryption can also be used in combination with a process called hashing to create digital signatures. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 143 of 212 PREVENTIVE CONTROLS • Hashing – Hashing takes plaintext of any length and transforms it into a short code called a hash. – Two widely-used hashing algorithms are: • MD5—Produces a 128-bit hash of the original message. • SHA-1—Produces a 160-bit hash. – Hashing differs from encryption in that: • Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length. • Encryption is reversible, but hashing is not; you cannot transform a hash back into its original plaintext. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 144 of 212 PREVENTIVE CONTROLS • Digital Signatures – Asymmetric encryption and hashing are used to create digital signatures. – A digital signature is information encrypted with the creator’s private key. • That information can only be decrypted using the corresponding public key. • So successful decryption with an entity’s public key proves the message could only have been created by the entity that holds the corresponding private key. • The private key is known only to its owner, so only the owner could have created the message. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 145 of 212 PREVENTIVE CONTROLS • Asymmetric encryption is slow, so digital signatures are not normally created by using the private key to encrypt the entire contract, purchase order, or other document being exchanged. – The document is first hashed. – The hash is then encrypted, using the sender’s private key, to create the digital signature. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 146 of 212 PREVENTIVE CONTROLS • The hash is not only efficient but also provides a means for establishing that the message was not altered in transmission to the recipient. – Hashing algorithms use every bit in the original plaintext to calculate the hash value. – If any character is changed in the document, a different hash value will be produced. – So, when the recipient receives the document and the digital signature and proceeds to decrypt both, he can create a new hash of the document using the same hashing algorithm. – If the new hash value matches the decrypted digital signature, the recipient is assured that the plaintext document matches the document the sender originally created. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 147 of 212 PREVENTIVE CONTROLS • Successfully using a public key to decrypt a document or file proves that it was created by the entity possessing the corresponding private key. – But how can you know whether the entity with the private key is really who they purport to be? – Also, how do you get hold of the entity’s public key to decrypt it in the first place? – If you have the sender provide their public key to you directly, you are not protected from an impersonation. – Answers involve the use of digital certificates and the creation of a public key infrastructure. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 148 of 212 PREVENTIVE CONTROLS • A digital certificate is an electronic document, created and digitally signed by a trusted third party. – – – – Certifies the identity of the owner of a particular public key. Contains that party’s public key. These certificates can be stored on websites. Browsers are designed to automatically obtain a copy of that digital certificate and use the public key contained therein to communicate with the website. – You can manually examine the contents of a website’s digital certificate by double-clicking on the lock icon that appears in the lower, right-hand corner of the browser window. – Digital certificates provide an automated method for obtaining an organization’s or individual’s public key. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 149 of 212 PREVENTIVE CONTROLS • The term public key infrastructure (PKI) refers to the system and processes used to issue and manage asymmetric keys and digital certificates. – An organization that issues public and private keys and records the public key in a digital certificate is called a certificate authority. – E-business typically uses commercial certificate authorities, such as Thawte or Verisign. – The certificate authority: • Hashes the information stored on a digital certificate • Encrypts that hash with its private key • Appends that digital signature to the digital certificate – Provides a means for validating the authenticity of the certificate. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 150 of 212 PREVENTIVE CONTROLS • Organizations can create their own digital certificates for internal use. • Though not likely to be used externally, they do enable the organization to use public and private keys to provide stronger authentication of users. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 151 of 212 PREVENTIVE CONTROLS • The Trust Services framework contains a list of criteria that can be used to evaluate the overall reliability of a particular certificate authority. – One important factor concerns the procedures use by the CA to verify the identify of an applicant for a digital certification. • Several classes of digital certificates exist: – Cheapest and least trustworthy may only verify the applicant’s email address. – Most expensive may require verification of the applicant’s identity through credit checks and tax returns. – Second issue is the CA’s procedures for updating certificates and revoking expired certificates. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 152 of 212 PREVENTIVE CONTROLS • EXAMPLE OF ENCRYPTION IN E-BUSINESS – Let’s go through an example of how the encryption process would work in a transaction where Northwest Industries (a fictional company) is submitting a competitive bid to the federal government. – Keep in mind that this is serious business. Defense contractors regularly submit bids to the federal government for contracts in the millions and billions of dollars. At the time of bid submission, the contractors themselves may have spent hundreds of thousands or millions of dollars just developing the bids. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 153 of 212 PREVENTIVE CONTROLS – The stakes can be very high and protection measures are very tight. Prior to electronic submission of these bids, serious physical measures were taken to deliver bids. One defense contractor, for example, would send 3-6 different employees on different flights to Washington, D.C., to deliver a single bid to the Pentagon. An employee of this contractor revealed that bids were intercepted on more than one occasion. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 154 of 212 PREVENTIVE CONTROLS CA The N.W. employee connects to the government agency’s website and clicks on the button for submitting bids on open contracts. N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 155 of 212 PREVENTIVE CONTROLS CA The browser moves to a secure web page displaying the lock icon. N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 156 of 212 PREVENTIVE CONTROLS CA • The software on N.W.’s computer: – Obtains the digital certificate for the federal agency; – Verifies the validity of the certificate; and – Opens the certificate to get the federal agency’s public key. N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 157 of 212 PREVENTIVE CONTROLS CA • The federal computer does the same with NW’s digital certificate and key. N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 158 of 212 PREVENTIVE CONTROLS • NW now has the federal agency’s public key, and the federal agency now has NW’s public key. USA Public N.W. Public N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 159 of 212 PREVENTIVE CONTROLS • The NW employee clicks a button to attach and submit the company’s bid. NW’s Bid USA Public N.W. Public N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 160 of 212 PREVENTIVE CONTROLS • Before submitting the bid, NW’s encryption software goes through several steps. • The encryption software first creates a hash of the bid, using a publicly available hashing algorithm like MD5. NW’s Bid Hash of NW Bid USA Public N.W. Public N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 161 of 212 PREVENTIVE CONTROLS Coded w/ NW private key NW’s Bid • Next, the hash is encrypted using NW’s private key. • This encrypted hash is NW’s digital signature. Digital signature Hash of NW Bid USA Public N.W. Public N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 162 of 212 PREVENTIVE CONTROLS • The bid itself is then encrypted with a symmetric key, such as AES. Coded w/ symmetric key Coded w/ NW private key NW’s Bid Hash of NW Bid USA Public N.W. Public N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 163 of 212 PREVENTIVE CONTROLS Coded w/ symmetric key Coded w/ NW private key NW’s Bid Hash of NW Bid • NW also needs to send a copy of the symmetric key to the federal agency. Symmetric Key USA Public N.W. Public N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 164 of 212 PREVENTIVE CONTROLS Coded w/ symmetric key Coded w/ NW private key Coded w/ USA public key NW’s Bid Hash of NW Bid Symmetric Key • They encrypt the symmetric key using the federal agency’s public key. USA Public N.W. Public N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 165 of 212 • A package is then electronically transmitted to the federal agency including: PREVENTIVE CONTROLS – The bid encrypted with a symmetric key. – The symmetric key encrypted with the federal agency’s public key. – The digital signature (encrypted hash). Coded w/ symmetric key Coded w/ NW private key Coded w/ USA public key NW’s Bid Hash of NW Bid Symmetric Key USA Public N.W. Public N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 166 of 212 • A package is then electronically transmitted to the federal agency including: PREVENTIVE CONTROLS – The bid encrypted with a symmetric key. – The symmetric key encrypted with the federal agency’s public key. – The digital signature (encrypted hash). Coded w/ symmetric key NW’s Bid Coded Coded w/w/ symNW metric private key key NW’s Hash of NW Bid Bid Coded Coded Coded Coded Coded Coded Coded Coded w/ Coded Coded Coded w/ Coded w/ Coded w/w/Coded w/w/w/ symNW symw/ NW w/ symw/ NW w/ NW USA w/ public sym-USA w/ NW public USA public USA public USA public private metric private metric private metric private key metric private key key key key keykey key key key key key key key NW’s Hash of Hash Symmetric of Symmetric NW’s Hash of NW’s Symmetric Hash of Symmetric Symmetric NW’s Hash of Bid Key Bid Bid Key NW Bid NW Key NW Bid NWBid Bid Key Key Bid NW Bid USA Public Symmetric Key N.W. Public N.W. © 2006 Prentice Hall Business Publishing Coded w/ USA public key USA Accounting Information Systems, 10/e Romney/Steinbart 167 of 212 PREVENTIVE CONTROLS • The federal agency then uses NW’s public key to decrypt the digital signature. Coded w/ symmetric key Coded w/ NW private key Coded w/ USA public key NW’s Bid Hash of NW Bid Symmetric Key USA Public N.W. Public N.W. © 2006 Prentice Hall Business Publishing USA Accounting Information Systems, 10/e Romney/Steinbart 168 of 212 PREVENTIVE CONTROLS • They use their own private key to decrypt the symmetric key. Coded w/ symmetric key NW’s Bid USA Public Hash of NW Bid Symmetric Key N.W. Public N.W. © 2006 Prentice Hall Business Publishing Coded w/ USA public key USA Accounting Information Systems, 10/e Romney/Steinbart 169 of 212 PREVENTIVE CONTROLS • They use the symmetric key that they’ve just decrypted to decrypt the actual bid. Coded w/ symmetric key NW’s Bid USA Public Symmetric Key N.W. Public N.W. © 2006 Prentice Hall Business Publishing Hash of NW Bid USA Accounting Information Systems, 10/e Romney/Steinbart 170 of 212 PREVENTIVE CONTROLS • They use the same publiclyavailable hashing program that was used by NW (MD5 in this case) to create their own hash of NW’s bid. Hash of NW Bid NW’s Bid USA Public Symmetric Key N.W. Public N.W. © 2006 Prentice Hall Business Publishing Hash of NW Bid USA Accounting Information Systems, 10/e Romney/Steinbart 171 of 212 PREVENTIVE CONTROLS • They then compare their own hash of the bid to the hash that was transmitted by NW. • What will it mean if the two hashes are not identical? Hash of NW Bid NW’s Bid USA Public Symmetric Key N.W. Public N.W. © 2006 Prentice Hall Business Publishing Hash of NW Bid USA Accounting Information Systems, 10/e Romney/Steinbart 172 of 212 PREVENTIVE CONTROLS • Assuming everything is in order and the hashes do match, the federal agency then sends an acknowledgment to NW that their bid has been received. Hash of NW Bid N.W. © 2006 Prentice Hall Business Publishing NW’s Bid Hash of NW Bid Symmetric Key A-OK USA Accounting Information Systems, 10/e Romney/Steinbart 173 of 212 PREVENTIVE CONTROLS • Effects of Encryption on Other Layers of Defense – Encryption protects the confidentiality and privacy of the transmission and provides for authentication and non-repudiation of transactions. – It also causes some problems. – The firewall cannot effectively inspect encrypted packets. – So one alternative is to have these packets routed to the DMZ, where they are decrypted and then passed back to the firewall. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 174 of 212 PREVENTIVE CONTROLS – The problem with the preceding approach is that it leaves the incoming packets vulnerable to sniffing attacks and therefore compromises their confidentiality and privacy. – Allowing them through the firewall without being encrypted compromises the organization’s security. – Anti-virus and intrusion detection systems also have difficulty dealing with encrypted packets. – Makes it important for the organization to consider these trade-offs in designing and implementing security procedures. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 175 of 212 DETECTIVE CONTROLS • Preventive controls are never 100% effective in blocking all attacks. • So organizations implement detective controls to enhance security by: – Monitoring the effectiveness of preventive controls; and – Detecting incidents in which preventive controls have been circumvented. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 176 of 212 DETECTIVE CONTROLS • Authentication and authorization controls represent the organization’s policies governing access to the system and limits the actions that can be performed by authorized users. • Actual system use must be examined to assess compliance through: – – – – Log analysis Intrusion detection systems Managerial reports Periodically testing the effectiveness of existing security procedures © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 177 of 212 DETECTIVE CONTROLS • Authentication and authorization controls represent the organization’s policies governing access to the system and limits the actions that can be performed by authorized users. • Actual system use must be examined to assess compliance through: – – – – Log analysis Intrusion detection systems Managerial reports Periodically testing the effectiveness of existing security procedures © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 178 of 212 DETECTIVE CONTROLS • Log Analysis – Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. • Logs form an audit trail of system access. • Are of value only if routinely examined. • Log analysis is the process of examining logs to monitor security. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 179 of 212 DETECTIVE CONTROLS • The log may indicate unsuccessful attempts to log in to different servers. • The person analyzing the log must try to determine the reason for the failed attempt. Could be: – The person was a legitimate user who forgot his password. – Was a legitimate user but not authorized to access that particular server. – The user ID was invalid and represented an attempted intrusion. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 180 of 212 DETECTIVE CONTROLS • Log analysis should be done regularly to detect problems in a timely manner. – Not easy because logs can quickly grow in size. – So system administrators use software tools to efficiently strip out routine log entries so that they can focus their attention on anomalous behavior. – Also supplement log analysis with software tools called intrusion detection systems to automate the monitoring process. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 181 of 212 DETECTIVE CONTROLS • Authentication and authorization controls represent the organization’s policies governing access to the system and limits the actions that can be performed by authorized users. • Actual system use must be examined to assess compliance through: – – – – Log analysis Intrusion detection systems Managerial reports Periodically testing the effectiveness of existing security procedures © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 182 of 212 DETECTIVE CONTROLS • Intrusion Detection Systems – A major weakness of log analysis is that it is labor intensive and prone to human error. – Intrusion detection systems (IDS) represent an attempt to automate part of the monitoring. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 183 of 212 DETECTIVE CONTROLS • An IDS creates a log of network traffic that was permitted to pass the firewall. – Analyzes the logs for signs of attempted or successful intrusions. – Most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks. – An alternative technique builds a model representing “normal” network traffic and uses various statistical techniques to identify unusual behavior. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 184 of 212 DETECTIVE CONTROLS • IDS sensors are usually located in several places. – Most common is just inside the main firewall. – Some may be placed inside each internal firewall to monitor the effectiveness of policies governing employee access to resources. – Sometimes located just outside the main firewall. • Provides means to monitor the number of attempted intrusions that are blocked. • Can provide early warning that the organization is being targeted. – May also be located on individual hosts to provide warnings of attempts to compromise those systems. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 185 of 212 DETECTIVE CONTROLS • Authentication and authorization controls represent the organization’s policies governing access to the system and limits the actions that can be performed by authorized users. • Actual system use must be examined to assess compliance through: – – – – Log analysis Intrusion detection systems Managerial reports Periodically testing the effectiveness of existing security procedures © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 186 of 212 DETECTIVE CONTROLS • Managerial Reports – Management reports are another important detective control. – The Information Systems Audit and Control Association (ISACA) and the IT Governance Institute have developed a comprehensive framework for information systems controls called Control Objectives for Information and Related Technology (COBIT). • Specifies 34 IT-related control objectives • Provides: – Management guidelines that identify crucial success factors associated with each objective. – Key performance indicators that can be used to assess their effectiveness. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 187 of 212 DETECTIVE CONTROLS • One of the 34 objectives is to provide adequate security so that the organization’s information is protected from unauthorized access or loss. – Key performance indicators for this objective: • Downtime caused by security incidents. • Number of systems with IDS installed. • Time to react to security incidents once detected. – Management could use COBIT materials to develop a scorecard for monitoring the effectiveness of existing security measures. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 188 of 212 DETECTIVE CONTROLS • Although regular review of periodic performance reports can help ensure that security controls are adequate, surveys indicate that many organizations fail to regularly monitor security. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 189 of 212 DETECTIVE CONTROLS • Authentication and authorization controls represent the organization’s policies governing access to the system and limits the actions that can be performed by authorized users. • Actual system use must be examined to assess compliance through: – – – – Log analysis Intrusion detection systems Managerial reports Periodically testing the effectiveness of existing security procedures © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 190 of 212 DETECTIVE CONTROLS • Security Testing – The effectiveness of existing security procedures should be tested periodically. • One approach is vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities. • Security websites such as the Center for Information Security (www.cisecurity.org) provide: – Benchmarks for security best practices. – Tools to measure how well a system conforms. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 191 of 212 DETECTIVE CONTROLS • Penetration testing provides a rigorous way to test the effectiveness of an organization’s computer security. • This testing involves an authorized attempt by either an internal audit team or external security consulting firm to break into the organization’s IS. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 192 of 212 DETECTIVE CONTROLS • The teams try every possible way to compromise a company’s system, including: – Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers. – Using sexy decoys to distract guards. – Climbing through roof hatches and dropping through ceiling panels. • Some claim they can get into 90% or more of the companies they attack. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 193 of 212 CORRECTIVE CONTROLS • Detection of attempted and successful intrusions is important but is worthless if not followed by corrective action. • Two of the Trust Services framework criteria for effective security are the existence of procedures to: – React to system security breaches and other incidents. – Take corrective action on a timely basis. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 194 of 212 CORRECTIVE CONTROLS • Three key components that satisfy the preceding criteria are: – Establishment of a computer emergency response team. – Designation of a specific individual with organization-wide responsibility for security. – An organized patch management system. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 195 of 212 CORRECTIVE CONTROLS • Three key components that satisfy the preceding criteria are: – Establishment of a computer emergency response team. – Designation of a specific individual with organization-wide responsibility for security. – An organized patch management system. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 196 of 212 CORRECTIVE CONTROLS • Computer Emergency Response Team – A key component to being able to respond to security incidents promptly and effectively is the establish of a computer emergency response team (CERT). • • Responsible for dealing with major incidents. Should include technical specialists and senior operations management. – Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 197 of 212 CORRECTIVE CONTROLS • The CERT should lead the organization’s incident response process through four steps: – Recognition that a problem exists • Typically occurs when an IDS signals an alert or as a result of a system administrator’s log analysis. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 198 of 212 CORRECTIVE CONTROLS • The CERT should lead the rganization’s incident response process through four steps: – Recognition that a problem exists – Containment of the problem • Once an intrusion is detected, prompt action is needed to stop it and contain the damage. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 199 of 212 CORRECTIVE CONTROLS • The CERT should lead the rganization’s incident response process through four steps: – Recognition that a problem exists – Containment of the problem – Recovery • Damage must be repaired. • May involve restoring data from backup and reinstalling corrupted programs (discussed more in Chapter 8). © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 200 of 212 • Once recovery is in process, the CERT should lead analysis of how the incident occurred. • Steps should be taken to modify existing security policy and minimize the likelihood of a similar incident. • An important decision is whether to try to incident response through four catch process and punish the perp. – If the perpetrator will be pursued, steps: forensic experts should be involved ensure that all possible – Recognition that immediately a problemtoexists evidence is collected and maintained – Containment of the problem in a manner that makes it admissible in court. – Recovery CORRECTIVE CONTROLS • The CERT should lead the rganization’s – Follow-up © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 201 of 212 CORRECTIVE CONTROLS • Communication is vital to all four steps, so multiple methods are needed for notifying members of CERT (e.g., email, phone, cell phone). © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 202 of 212 CORRECTIVE CONTROLS • It is also important to practice the incident response plan, including the alert process, so that gaps can be discovered. Regular practice helps identify the need for change in response to technological changes. • – EXAMPLE: A CERT practicing an incident response in Texas recently realized that the password to a web address that was vital to the incident response had been changed. The CERT did not have the new password. Better to find this out on a trial run and make provision for the CERT to be immediately notified of any future password changes than to discover it in a live incident. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 203 of 212 CORRECTIVE CONTROLS • Three key components that satisfy the preceding criteria are: – Establishment of a computer emergency response team. – Designation of a specific individual with organization-wide responsibility for security. – An organized patch management system. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 204 of 212 CORRECTIVE CONTROLS • A chief security officer (CSO): – Should be independent of other IS functions and report to either the COO or CEO. – Must understand the company’s technology environment and work with the CIO to design, implement, and promote sound security policies and procedures. – Disseminates info about fraud, errors, security breaches, improper system use, and consequences of these actions. – Works with the person in charge of building security, as that is often the entity’s weakest link. – Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO’s security measures. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 205 of 212 CORRECTIVE CONTROLS • Three key components that satisfy the preceding criteria are: – Establishment of a computer emergency response team. – Designation of a specific individual with organization-wide responsibility for security. – An organized patch management system. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 206 of 212 CORRECTIVE CONTROLS • Patch Management – Another important corrective control involves fixing known vulnerabilities and installing latest updates to: • • • • Anti-virus software Firewalls Operating systems Application programs – The number of reported vulnerabilities rises each year. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 207 of 212 CORRECTIVE CONTROLS • A primary cause of the rise in reported vulnerabilities is the ever-increasing size and complexity of software. • Many widely-used programs contain millions of lines of code. • Even if 99.9% error free, there would still be 100 vulnerabilities per million lines. • Both hackers and security consultants constantly search for these vulnerabilities. • Once discovered, the question is how to take advantage of them. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 208 of 212 CORRECTIVE CONTROLS • Hackers usually publish instructions for doing so (known as exploits) on the Internet. • Although it takes skill to discover the exploit, once published, it can be executed by almost anyone. • Attackers who execute these programmed exploits are referred to as script kiddies. • A patch is code released by software developers to fix vulnerabilities that have been discovered. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 209 of 212 CORRECTIVE CONTROLS • Patch management is the process for regularly applying patches and updates to all of an organization’s software. • Challenging to do because: – Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed. – There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 210 of 212 CORRECTIVE CONTROLS • Intrusion Prevention Systems may provide great promise if they can be quickly updated to respond to new vulnerabilities and block new exploits, so that the entity can buy time to: – Thoroughly test the patches – Apply the patches. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 211 of 212 SUMMARY • In this chapter, you’ve learned: – How security affects systems reliability. – The four criteria that can be used to evaluate the effectiveness of an organization’s information security. – What the time-based model of security is, as well as the concept of defense-in-depth. – The types of preventive, detective, and corrective controls that are used to provide information security. – How encryption contributes to security and how the two basic types of encryption systems work. © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 212 of 212