Chapter 2: Hardware Security Issues Information System Audit : © South-Asian Management Technologies Foundation Hardware Security Objective • Asset safeguarding – – – – • • • • Physical equipment protection Power supply Cabling security Other concerns Integrity Availability Effectiveness Efficiency Information System Audit : © South-Asian Management Technologies Foundation Asset Classification and Control • Hardware inventory register / Information Technology fixed asset register • Ownership of assets • Information asset classification guideline – Criticality assessment – Priority ranking • Labeling and handling of assets Information System Audit : © South-Asian Management Technologies Foundation Physical Equipment Placement and Protection • Minimize unnecessary access into work areas. • Computers handling sensitive data should be so placed that risk of over-looking during their use reduce. • Eating, drinking and smoking near information processing facilities should be prohibited. • Unauthorised access to the server room should be restricted. • Environmental conditions should be closely monitored Information System Audit : © South-Asian Management Technologies Foundation Physical Equipment Protection • Controls should be adopted to minimise the risk of potential threats including: • Fire • Explosives • Smoke • Water • Dust • Vibrations • Chemical effects • Electrical supply interference • Electromagnetic radiation • Thefts Information System Audit : © South-Asian Management Technologies Foundation Power Supply • Multiple feed to avoid single point failure in the power supply • Uninterruptible power supply (UPS) • Back-up generator • Contingency Plan • UPS capacity and demand monitoring • Emergency power switches should be located near emergency exits • Lightening protection • Cabling security Information System Audit : © South-Asian Management Technologies Foundation Cabling Security • • • • Protection of power and communication lines Protection of network cabling Separation of power from communication cables For sensitive and critical systems provide:– Alternate routing or transmission lines – Fibre optic cabling Information System Audit : © South-Asian Management Technologies Foundation Physical Access and Service Disruption • Choice of site – Consideration for flight paths, geological fault lines, power lines, potential terrorist targets. etc. • • • • Security perimeter Personnel identification and authorisation Inventory control program Movement monitoring and controls over removal of assets from secured environment. Information System Audit : © South-Asian Management Technologies Foundation Physical Access and Service Disruption • • • • • • • Fire Protection Adherence to Insurance contracts Intermediate holding areas Protection against forced entry Critical facilities key management Escorting of visitors Security of portable computing devices Information System Audit : © South-Asian Management Technologies Foundation Information System Facilities • Following facilities require to be protected – Physical Assets • Computer room including backup room • Computing equipment including network equipment used in distributed locations • Storage media including removable media – Soft Assets • Programming areas • Programming codes • Manuals and guidelines Information System Audit : © South-Asian Management Technologies Foundation Information System Facilities • Facilities requiring protection (Cont’d) – Logistics • • • • Off-site backup file storage facility Communications facilities Power sources Disposal sites Information System Audit : © South-Asian Management Technologies Foundation Management of Peripheral Devices • • • • • Place into the system on a need to use basis. Protected from unauthorised access. Do not connect separate modems to any machine lying with the auditee network. Monitored use of flash drives, floppy drives and other external media. Peripheral devices which are to be accessed by a number of persons, e.g. the line printer, should not be place near the main server. Information System Audit : © South-Asian Management Technologies Foundation Management of Removable Media • • • • Media should not be used or removed without authorisation. A record of all such removals should be maintained. Media should be stored in a safe and secure environment. If no longer required the previous contents of any re-usable media should be erased. Information System Audit : © South-Asian Management Technologies Foundation Management of Removable Media • Disposal of sensitive items should be logged. • Back-ups should be carried to an off-site secure place. • System document should be stored securely • Access to the system documentation should be restricted and logged. Information System Audit : © South-Asian Management Technologies Foundation Client-Server Architecture • The Client/Server environment comprises of the following main parts: – Front-end with end-user workstation – Back-end hosting the application server and the main processor. – Data server hosting the legacy data. In some cases the application server and data server are integrated into one leading to 2-tier client server architecture. Information System Audit : © South-Asian Management Technologies Foundation Client-Server Architecture • The goal of the client/server application is to optimise four factors: – – – – Location of the processing. Amount of network traffic. Location of data storage, and Amount of data storage. Information System Audit : © South-Asian Management Technologies Foundation Authentication Methodology • User-ids and Passwords to sign-on – Enforce use of individual user-ids and passwords to maintain identity and accountability – Enforce a choice of quality passwords – Force the users to change temporary passwords or vendor default passwords at the first log-on, – Specify minimum length of passwords say, 8 characters – Users to be aware that passwords are individual signatures – Maintain the secrecy of passwords – Masking of password on the screen when being entered – Limiting the number of attempts while logging-in Information System Audit : © South-Asian Management Technologies Foundation Authentication Methodology • Authentication devices – Smart Cards – Biometrics Information System Audit : © South-Asian Management Technologies Foundation Hardware Acquisition Planning Acquisition Disposal Implementation Operation and Maintenance Information System Audit : © South-Asian Management Technologies Foundation Hardware Acquisition • Planning – – – – Identification of requirement, Defining specification, Resources allocation for procurement, Cost-benefit analysis leading to acquisition justification, – Issue of purchase requisition Information System Audit : © South-Asian Management Technologies Foundation Acquisition • Requirement analysis – Components, criticality, reliability, availability, selection criteria • • • • • Analysis of alternatives Invitations to tender Receipt and comparative analysis of proposals Selection of the vendor Placement of the order Information System Audit : © South-Asian Management Technologies Foundation Selection Criteria • Price, performance, network instructions per second and delivery schedules • Upgradeability • Environmental requirements • Reliability statistics (MTBF) • Multi-vendor hardware interface compatibility, and integration • Maintenance requirement of vendor and customer Information System Audit : © South-Asian Management Technologies Foundation Selection Criteria • Configuration flexibility • Benchmark data and results from similar computing environments • User documentation • Availability of repairing facilities • Site specifications (floor space, electrical power requirements) Information System Audit : © South-Asian Management Technologies Foundation Hardware Implementation • • • • • Inspection Installation Trial run Testing Following procedures are to be documented – – – – vendor response time, equipment downtime, vendor performance, access to required devices, and allied. Information System Audit : © South-Asian Management Technologies Foundation Operation and Maintenance • Maintenance of efficiency to ensure an optimum uptime after installation. • Operating procedures and maintenance schedules, • Documentation of equipment failures, • Frequency of negative responses. • Equipment should be correctly maintained to ensure its continued availability and integrity. Information System Audit : © South-Asian Management Technologies Foundation Disposal • Cost of e-waste management. • Policy to identify disposal candidates and the process of disposal. • Removal of confidential data. • All damaged equipment has been put through a risk assessment study to determine whether they should be destroyed, repaired or discarded. Information System Audit : © South-Asian Management Technologies Foundation Hardware Maintenance • Maintenance is as per service interval and specifications recommended by the vendor. • Authorised maintenance personnel. • Documentation of actual and suspected faults. • Records of all preventive and corrective maintenance. • Appropriate controls should be adopted when sending equipment off premises for maintenance. • Adherence to insurance policy requirements. • Tracking of vendor response time. • Tracking of downtime and action taken. Information System Audit : © South-Asian Management Technologies Foundation Selecting the Maintenance Vendor • • • • • • Vendor’s primary business Maintaining a wide range of hardware Competitive prices Knowledge of hardware parts Spare parts Availability of diagnostic software Information System Audit : © South-Asian Management Technologies Foundation Evaluating Vendor Performance • Maintain a record to track vendor response time and system downtime • Use a credit methodology – Downtime credit – Response credit Information System Audit : © South-Asian Management Technologies Foundation Management of Obsolescence • Equipment Life Cycle – – – – – – – – Programming and Technical Skill Set Licensing cost Performance levels Technical Functionality Environmental Maintenance costs Acquisition costs Consumables Information System Audit : © South-Asian Management Technologies Foundation Problem Management • Effective system for logging, tracking, reporting, resolving and implementing problem and change management procedure – Formal procedure for identifying and reporting problems to the management. – Procedures to guide logging, analysing, resolving and escalating problems. – Procedures to ensure proper maintenance of problem management mechanism. Information System Audit : © South-Asian Management Technologies Foundation Problem Management • Documented procedures for – Interview of IS operations personnel. – Process for problem identification, detection and classification. • Inquire how frequently the problems are logged and reported to the management. • Record of status of problems. • Review procedures used for recording, evaluating and resolving or escalating any operating or processing problems Information System Audit : © South-Asian Management Technologies Foundation Problem Management • Identification of recurring problems • Process of assignment of problem to research and resolve along with expected number of hours, days, or cost necessary. • Review of problem reports by senior management. • Review of error-log entries to identify outstanding problems. • Review procedures for escalation of unresolved problems. • Adherence to standard resolution time targets. Information System Audit : © South-Asian Management Technologies Foundation Problem Management • A summarized problem report presented to the manager and senior management containing: – – – – Problem type and category, Number of occurrence in each category, Percentage of resolved and unresolved problems, Actual time lapsed in resolving the problem as compared to the standard, – Number of days a problem was open and – Cost to correct each problem. Information System Audit : © South-Asian Management Technologies Foundation Change Management • Reasons for unauthorized changes – The user responsible not aware of the change. – Change request procedures not formally established. – Change request form approving start of work not authorised. – The user did not sign acceptance of change. – Inadequate changed source code review. – Lack of proper authorisation form approving the program for release to production environment. – Programming fraud. – .Information System Audit : © South-Asian Management Technologies Foundation Change Management • Review by the auditor – Determination of whether changes were authorized. – Whether change request form are in order – Written requests for changes along with expected completion time frame, expected cost, and proper authorization of the user and relevant manager. – Process for tracking and monitoring change requests. – Process for updating changes. – Source code comparison software. – Reporting procedure to senior management. Information System Audit : © South-Asian Management Technologies Foundation Networks and Communication • A network is the collection of information processing and communication resources, that connect different information assets, enabling them to share, access, and transmit information and data. Information System Audit : © South-Asian Management Technologies Foundation Network Security Measures • Auditor focuses on – Interfaces have adequate security controls – Authentication mechanisms users and equipment – Controlled access to network resources. • • • • Policy on use of network and network services Enforced path User authentication for external connections Node authentication Information System Audit : © South-Asian Management Technologies Foundation Network Security Measures • • • • • • • Segregation of networks Network connection control Network routing control Security of network services Network integrity Network equipment Change control Information System Audit : © South-Asian Management Technologies Foundation Network Security Measures • • • • Network monitoring Protection during transmission Network availability Wireless network considerations Information System Audit : © South-Asian Management Technologies Foundation Policy on Use of Network Services • The networks and network services which are allowed to be accessed • Authorization procedures for determining who is allowed to access which networks and services • Management controls and procedures to protect access to network connections and services • Consistency with the access control policy of the organization • Enabling network services only for business reasons Information System Audit : © South-Asian Management Technologies Foundation Policy on Use of Network Services • Removal or disabling of the unused or unwanted network services • Documented procedures including all critical parameter settings, scripts and configuration files for installation and operationalisation of a network operating system • Regular updating of security related software • Identification of the types of information which need to be logged Information System Audit : © South-Asian Management Technologies Foundation Enforced Path • Path from the user terminal to the computer service particularly for sensitive services. – Resource based • • • • • Dedicated lines Specified ports Monitoring (firewalls, IDS, etc.) Restricted roaming on the network Limited menu access – Policy based • Inward access control • Sub-domains restricting access • Access Control Policy Information System Audit : © South-Asian Management Technologies Foundation User Authentication for External Connection • • • • Cryptographic based technique Dedicated private lines. Call back on connection request. Node authentication – Node authentication establishes the identity of the remote computer before proceeding with responding to the request. Information System Audit : © South-Asian Management Technologies Foundation Segregation of network • Large networks is divided into multiple logical network domains of smaller size. – Independent and additional security controls on each of these domains. – The network segregation is effected by allocating a set of IP addresses to each network. Information System Audit : © South-Asian Management Technologies Foundation Connection and Routing Control • Network access policy – – – – Electronic mail; File transfer, one way and/or both way; Interactive access; Network access linked to day or date. • Restrict connection capability of users • Gateways for filtering traffic • Network routing control – Ensure that computer connections and information flows are in line with the access control policy. Information System Audit : © South-Asian Management Technologies Foundation Other Network Controls • • • • Security of network services Segregation of duty Procedures for management of remote equipment. Confidentiality and integrity of the data passing over public networks Information System Audit : © South-Asian Management Technologies Foundation Network Integrity • To prevent capture of a session during accidental or intentional communication line outage. – Provide network controls for the detection and reporting of dropped communications lines and timely termination of all associated computer sessions. – Re-authentication when the line drops occur. Information System Audit : © South-Asian Management Technologies Foundation Network Equipment • Prevent unauthorised use of network equipment – – – – Logical access controls Physically secured storage environment Physical security of network cables Maintenance and updation of network equipment inventory with periodic physical verification. Information System Audit : © South-Asian Management Technologies Foundation Network Monitoring • Protection against information disclosures, modifications or destruction – Implementation of usage and storage controls over network monitoring devices – Awareness among employees that the organisation may monitor their usage of information systems asset Information System Audit : © South-Asian Management Technologies Foundation Wireless Network Considerations • • • • • Access logging Guest Access End of wireless signals New access inclusions Vulnerability scanning – Antivirus and firewall software Information System Audit : © South-Asian Management Technologies Foundation