CISA REVIEW

The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

Chapter 5 – Protection of Information Assets

Learning Objectives

By the end of chapter 5, you should be able to:
• Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
• Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss.
• Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
• Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.

To meet an organization's business requirements, it is important that security objectives include ensuring:
• Continued availability of information systems
• Integrity of the information stored on computer systems
• Confidentiality of sensitive data
• Conformity to applicable laws, regulations and standards
• Adherence to trust and obligation requirements for any information relating to an identified or identifiable individual (i.e., data subject) in accordance with its privacy policy

Data should be treated as a core asset. Categorizing data is a major part of the task of classifying all information assets.
Data classification as a control measure should define the following:
• The owner of the information asset
• Who has access rights (need to know)
• The level of access to be granted
• Who is responsible for determining the access rights and access levels
• What approvals are needed for access
• The extent and depth of security controls

Data integrity as it relates to security objectives generally refers to the accuracy, completeness, consistency, validity and verifiability of the data once they are entered into a system.

Privacy is an organization-wide matter. An organization should systematically build privacy into its policies, standards and procedures by:
• Defining the nature of personally identifiable information associated with business processes.
• Documenting the collection, use, disclosure and destruction of personally identifiable information.
• Ensuring that accountability for privacy issues exists.
• Providing the foundation for informed policy, operations and system design decisions. The decisions should be based on an understanding of privacy risk and the options available for mitigating that risk.

Think About It: Is "privacy" considered a separate security objective?

Think About It: Answer – Is "privacy" considered a separate security objective?
The importance of privacy impact assessments and the security measures implemented to protect privacy has increased due to the amount of privacy legislation and regulation put in place in many jurisdictions and industries over the past years. As a result, organizations must ensure they take privacy requirements into consideration when formulating and implementing their information security governance.
The level of privacy required will, therefore, be a driver when considering the traditional security objective of confidentiality and the security measures implemented in response to the level of confidentiality needed. As an IS auditor, you should be aware of the new and changing privacy laws and regulations related to your industry and test to ensure your organization is in compliance.

Think About It: How does involvement with external parties (e.g., outsourcers) affect security design, implementation and monitoring?

Think About It: Answer – How does involvement with external parties (e.g., outsourcers) affect security design, implementation and monitoring?
The main consideration is that an organization should not allow its security to be lessened due to involvement with external parties. The organization must ensure the required security controls are defined and agreed to, and the ability to monitor controls established – and that all these are formally documented in a service level agreement (SLA). Where formal agreements are not practical (e.g., consumers purchasing goods using a web-enabled application), the organization must take comprehensive steps to ensure only very limited and controlled access is permitted.

All candidates for employment, contractors and third-party users should be adequately screened, especially for sensitive jobs. This includes the following:
• Background verification checks on all candidates for employment, contractors and third-party users are carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, classification of information to be accessed and perceived risks.
• A screening process for contractors and third-party users
  – Where contractors are provided through an agency, the contract with the agency should clearly specify the agency's responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern.
  – Additionally, any agreements with the third party should clearly specify all responsibilities and notification procedures for screening.

Management should require employees, contractors and third-party users to apply security in accordance with the established policies and procedures of the organization. Specific responsibilities should be documented in approved job descriptions. This will help ensure that employees, contractors and third-party users are aware of information security threats and concerns, and of their responsibilities and liabilities.
• Management responsibilities should be defined to ensure security is applied throughout an individual's employment within the organization.
• To minimize possible security risks, employees, contractors and third-party users should be provided with an adequate level of awareness, education and training in security procedures.
• An organization should establish a formal disciplinary process for handling security breaches.

Responsibilities should be in place to ensure that the exit of employees, contractors or third-party users from the organization is managed, and that the return of all equipment and the removal of all access rights are completed. The following should be contained in the contracts of the employees, contractors or third-party users:
• Ongoing security requirements and legal responsibilities
• Responsibilities contained within any confidentiality agreement
• Responsibilities and duties still valid after termination of employment
The access rights of all employees, contractors and third-party users to information and information processing facilities (IPFs) should be removed at termination of their employment, contract or agreement, or adjusted upon change. The access rights that should be removed or adapted include physical and logical access:
• Keys
• Identification (ID) cards
• Information processing facilities (IPFs)
• Subscriptions
• Removal from any documentation that identifies them as a current member of the organization

This should include notifying partners and relevant third parties when departing employees have access to the third-party premises. If departing employees, contractors or third-party users have known passwords for accounts remaining active, these should be changed at termination or change of employment, contract or agreement. Access rights for information assets and IPFs should be reduced or removed before employment terminates or changes, depending on the evaluation of risk factors such as:
• Whether termination or change is initiated by the employees, contractors or third-party users, or by management, and the reason for termination.
• The current responsibilities of the employees, contractors or any other users.
• The value of the assets currently accessible.
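The termination and change-of-role controls above are usually audited by reconciling the system's account list against HR records. The following is an added example, not part of the ISACA review material: all employee records, logon IDs, roles and dates are constructed sample data, and the 90-day dormancy threshold is an assumption for illustration.

```python
"""Access-rights review: reconcile system accounts against HR records.
Added example (not ISACA's material); all data below is constructed."""
from datetime import date, timedelta

# Constructed HR roster: employee id -> status, current role, date of last change
HR_ROSTER = {
    "E100": {"status": "active", "role": "ap_clerk", "changed": date(2010, 1, 4)},
    "E101": {"status": "terminated", "role": "gl_analyst", "changed": date(2010, 3, 1)},
    "E102": {"status": "active", "role": "gl_analyst", "changed": date(2010, 2, 15)},  # transferred
    "E103": {"status": "active", "role": "operator", "changed": date(2009, 6, 1)},
}

# Constructed system account listing as exported by the security administrator
ACCOUNTS = [
    {"logon": "jsmith", "emp": "E100", "enabled": True, "role": "ap_clerk", "last_logon": date(2010, 3, 10)},
    {"logon": "mlee", "emp": "E101", "enabled": True, "role": "gl_analyst", "last_logon": date(2010, 2, 27)},
    {"logon": "rpatel", "emp": "E102", "enabled": True, "role": "ap_clerk", "last_logon": date(2010, 3, 9)},
    {"logon": "kwong", "emp": "E103", "enabled": True, "role": "operator", "last_logon": date(2009, 11, 2)},
    {"logon": "svc_batch", "emp": None, "enabled": True, "role": "batch", "last_logon": date(2010, 3, 11)},
]

REVIEW_DATE = date(2010, 3, 15)   # constructed "as of" date for the review


def review_access(accounts, roster, as_of, dormant_days=90):
    """Return (logon, finding) pairs for accounts that disagree with HR
    (terminated but still enabled, role not adjusted after a transfer,
    no HR owner at all) or that have been idle longer than dormant_days."""
    findings = []
    cutoff = as_of - timedelta(days=dormant_days)
    for acct in accounts:
        hr = roster.get(acct["emp"]) if acct["emp"] else None
        if hr is None:
            findings.append((acct["logon"], "no HR record (shared or service account - confirm owner)"))
        elif hr["status"] == "terminated" and acct["enabled"]:
            findings.append((acct["logon"], "enabled account for terminated employee"))
        elif hr["role"] != acct["role"]:
            findings.append((acct["logon"], f"role mismatch: HR={hr['role']} system={acct['role']}"))
        if acct["enabled"] and acct["last_logon"] < cutoff:
            findings.append((acct["logon"], f"dormant: no logon since {acct['last_logon']}"))
    return findings


if __name__ == "__main__":
    for logon, finding in review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{logon:10} {finding}")
```

The check runs against two exports and needs no system access itself, which is why it fits an audit program: each finding maps to one of the controls listed above (removal at termination, adjustment on transfer, deactivation of unused logon IDs, and accountability for accounts that have no individual owner).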
An IS auditor must be aware of four key concepts that help foster understanding of how to evaluate a logical access control mechanism:
• Identification: How subjects are recognized by the logical access control mechanism (e.g., user name, user ID number)
• Authentication: How subjects prove they are who they say they are (e.g., password, token, digital certificate)
• Authorization / Access Control: How rules are established and evaluated to make an access control decision (e.g., should computer operators be able to change operations logs)
• Monitoring: What security logging is in place and what capabilities it has (e.g., failed logons, successful access to a file)

One of the best practices is to integrate the review of access rights with human resource (HR) processes. When an employee transfers to a different function – i.e., promotions, lateral transfers or demotions – access rights are adjusted at the same time. Development of a security-conscious culture increases the effectiveness of access controls.

Think About It: Why is monitoring an important control, if unauthorized system access is prevented in the first place?

Think About It: Answer – Why is monitoring an important control, if unauthorized system access is prevented in the first place?
An effective internal control structure requires multiple control layers that include preventive, detective and corrective techniques. While much effort goes toward preventing unauthorized access (user IDs, passwords, access permissions), it may be possible that these controls are bypassed due to deficiencies in programming, configuration, or even human error.
As a result, it is important to monitor system access to detect unusual activity (e.g., user access at unusual times) that may indicate a security breach has occurred, and to correct the problem so that no future unauthorized access occurs.

Identification and authentication (I&A) is the process by which the logical access control software obtains identification information for the users and the credentials necessary to authenticate the information. I&A also includes the actual validation of this information.
• I&A is needed for most types of access control and is necessary for establishing user accountability.
• I&A is the first line of defense for most systems because it prevents unauthorized people (or unauthorized processes) from entering a computer system or accessing an information asset.
• I&A is a critical building block of computer security.

Think About It: Can you list some of I&A's more common vulnerabilities that may be exploited to gain unauthorized system access?

Think About It: Answer – Can you list some of I&A's more common vulnerabilities that may be exploited to gain unauthorized system access?
• Weak authentication methods
• The potential for users to bypass the authentication mechanism
• The lack of confidentiality and integrity for the stored authentication information
• The lack of encryption for authentication and protection of information transmitted over a network
• The user's lack of knowledge of the risks associated with sharing authentication elements (e.g., passwords, security tokens)

The logon ID – Each user gets a unique logon ID that can be identified by the system. The format of logon IDs is typically standardized.
• Logon ID syntax should follow an internal naming rule.
• Default system accounts, such as Guest, Administrator and Admin, should be renamed whenever technically possible.
• Logon IDs not used after a predetermined period of time should be deactivated to prevent possible misuse. This can be done automatically by the system or manually by the security administrator.
• The system should automatically disconnect a logon session if no activity has occurred for a period of time. This reduces the risk of misuse of an active logon session left unattended because the user went to lunch, left for home, went to a meeting or otherwise forgot to log off. This is often referred to as a session timeout.

The password provides individual authentication. Accordingly, a password should be easy for the user to remember but difficult for an intruder to guess.
• Initial passwords may be allocated by the security administrator or generated by the system itself. When the user logs on for the first time, the system should force a password change to improve confidentiality. Initial password assignments should be randomly generated. The ID and password should be communicated in a controlled manner to ensure only the appropriate user receives this information. New accounts without an initial password assignment should be suspended.
• If the wrong password is entered a predefined number of times, typically three, the logon ID should be automatically locked out.
• Users who have forgotten their password must notify the security administrator. This is the only person with sufficient privileges to reset the password and, if necessary, to unlock the logon ID. The security administrator should reactivate the logon ID only after verifying the user's identity (challenge/response system). To verify, the security administrator should return the user's call after verifying his or her extension, or call a supervisor for verification.
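The logon ID and password controls just listed (forced change of the administrator-issued initial password, lockout after three wrong passwords, administrator-only unlock, idle session timeout) are simple to express as code, and doing so shows the state an auditor would expect the access control software to keep. The following is an added example, not ISACA's material and not any product's implementation: the 15-minute idle limit and the 30-day maximum password age are assumptions, and PBKDF2 is used only so that the stored authentication information is not plaintext.

```python
"""Account policy enforcer for the logon ID / password controls.
Added example (not ISACA's material); thresholds are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILED = 3                               # lockout threshold ("typically three")
PASSWORD_MAX_AGE = timedelta(days=30)        # assumed maximum password age
SESSION_IDLE_LIMIT = timedelta(minutes=15)   # assumed idle timeout


def _hash(password, salt):
    # Salted PBKDF2 so the stored authentication information is not recoverable as plaintext
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, logon_id, initial_password, created):
        self.logon_id = logon_id
        self.salt = os.urandom(16)
        self.pw_hash = _hash(initial_password, self.salt)
        self.pw_set_at = created
        self.must_change = True       # initial password was issued by the administrator
        self.failed = 0
        self.locked = False
        self.last_activity = None

    def login(self, password, now):
        """Return 'ok', 'ok-change-required', 'locked', 'bad-password' or 'expired'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            self.failed += 1
            if self.failed >= MAX_FAILED:
                self.locked = True    # only the security administrator may unlock
                return "locked"
            return "bad-password"
        self.failed = 0
        self.last_activity = now
        if self.must_change:
            return "ok-change-required"
        if now - self.pw_set_at > PASSWORD_MAX_AGE:
            return "expired"
        return "ok"

    def change_password(self, new_password, now):
        """User changes the password at their own workstation; a fresh salt is drawn."""
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.pw_set_at = now
        self.must_change = False

    def session_active(self, now):
        """False once the idle limit has passed: the session should be disconnected."""
        return self.last_activity is not None and now - self.last_activity <= SESSION_IDLE_LIMIT

    def admin_unlock(self):
        """Called only after the administrator has verified the caller's identity."""
        self.locked = False
        self.failed = 0


if __name__ == "__main__":
    t0 = datetime(2010, 1, 1, 9, 0)
    acct = Account("jsmith", "Init-8f2k", t0)     # constructed initial password
    print(acct.login("Init-8f2k", t0))            # ok-change-required
    acct.change_password("N3w-pass!", t0)
    print(acct.login("N3w-pass!", t0 + timedelta(days=31)))   # expired
```

Two points an auditor would test are visible in the code: the counter resets only on a successful logon, so an intruder cannot avoid lockout by pausing between guesses, and a correct password entered against a locked ID still returns "locked", so the administrator's identity verification cannot be skipped.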
The password (continued)
• To reduce the risk of an intruder gaining access to other users' logon IDs, passwords should not be displayed in any form. They are normally masked on a computer screen. They should not be shown on computer reports, kept on index or card files, or written on pieces of paper taped somewhere near the terminal or inside a person's desk. These are the first places a potential intruder will look.
• Passwords should be changed periodically. On a regular basis (e.g., every 30 days), the user should change his or her password. The frequency of changing a password should depend on the criticality of the information access level, the nature of the organization, the IS architecture and technologies used, etc. Passwords should be changed by users at their terminal or workstation rather than at the administrator's terminal or in any location where their new password might be observed. The best method is to force the change by notifying the user prior to the password expiration date. The risk of allowing voluntary password changes is that, generally, users will not change their passwords unless forced to do so.

Think About It: Why are dynamic passwords considered superior to static passwords?

Think About It: Answer – Why are dynamic passwords considered superior to static passwords?
• Static passwords (also known as "reusable passwords") suffer from the main weakness that they are reused over an extended time period (e.g., 90 days). As a result, there is a greater chance that they may be discovered by an unauthorized user. Examples of discovery methods range from simple "shoulder surfing," to brute-force password cracking attacks, to eavesdropping on an unencrypted password on a network.
• In contrast, dynamic passwords (usually "one-time passwords") are not reused.
The password is typically generated by a small device (a "token") or via a program, and is valid for a short period of time only – a common limit is 60 seconds. In addition, once the password is entered, it is no longer valid for reuse. This eliminates the effectiveness of the password discovery attacks noted above.
• Dynamic passwords generated by a token are usually combined with a static password like a PIN, known only to the token's user. Both must be combined to produce the required password for system access; hence, this is one form of "two-factor" authentication since it requires something only the user has (the token) and something only the user knows (the PIN).

Think About It: What are some common weaknesses found when evaluating logical access controls?

Think About It: Answer – What are some common weaknesses found when evaluating logical access controls?
• Sharing user IDs between multiple people – eliminates accountability for user actions.
• Poor password quality (e.g., too short, easily guessed, not changed regularly) – increases the risk that a password will become known and permit unauthorized access.
• Overly permissive access rules or rules granting access by default – increases the risk of accidental or intentional unauthorized access to programs or data.
• Lack of security monitoring and follow-up – staff may be unaware of attacks against the system, or other error conditions, that may result in unauthorized access or other problems.

Instructions: Here are four items and four IS audit procedures. Match each item to its corresponding IS audit procedure.
Items
• Logon ID and Password
• Logging and Reporting of Computer Access Violations
• Bypassing Security and Compensating Controls
• Review Access Controls and Password Administration Procedures

IS audit procedures
• Verifying that passwords are changed periodically
• Analyze global configuration settings for password strength in the system application and compare this with the organization's security policy.
• Attempts to access computer transactions or data for which access is not authorized
• Looking for special system maintenance logon IDs, operating system exits, installation utilities and input/output (I/O) devices

Answer:
• Logon ID and Password – Analyze global configuration settings for password strength in the system application and compare this with the organization's security policy.
• Logging and Reporting of Computer Access Violations – Attempts to access computer transactions or data for which access is not authorized
• Bypassing Security and Compensating Controls – Looking for special system maintenance logon IDs, operating system exits, installation utilities and input/output (I/O) devices
• Review Access Controls and Password Administration – Verifying that passwords are changed periodically

Real World Example: An organization was implementing a new financial accounting application that consisted of a number of separate modules (e.g., payables, general ledger). Each module stored its data in tables within a database management system. While the application included security features that controlled which users could access which functions, the database tables could be directly accessed because the default database user ID and password used by the application to store and retrieve data were set to well-known default values.

Think About It: Where is the information security risk in this situation?
Real World Example: Answer – The security risk here is that knowledgeable users could bypass security within the application and directly add or modify important business data.

Question: What do you, as an IS audit expert, think could have been done to prevent this organization from being in this situation?

Answer: The organization's database management team should have been more aware of the security weakness due to default passwords. This could have been achieved if the organization had more detailed security governance (e.g., a security baseline prohibiting use of default passwords) and improved security awareness training.

This section discusses common attack methods and techniques. To properly evaluate whether an organization's information assets are safe from these attacks, an IS auditor must understand how these types of attack function and what an organization must do to protect itself. There is a general assumption that attack tools exploit only highly sophisticated vulnerabilities discovered by genius-level hackers. While there are certainly examples of these, there are also many attacks that target the use of weak security options that are easily discovered and exploited. Examples include trying default passwords, attacking vulnerable services running with greater privileges than necessary, and attacking services that are not required but are configured to run by default (e.g., some web servers).

Technical exposures are unauthorized activities which interfere with normal processing.
These can be intentional or unintentional, and involve activities such as implementation or modification of data and software, locking or misusing user services, destroying data, compromising system usability, distracting processing resources, or spying on data flow or user activities at the network, platform (operating system), database or application level.

Data leakage involves siphoning or leaking information out of the computer. Examples include dumping files to paper or stealing computer reports and tapes. Unlike product leakage, data leakage leaves the original copy, so it may go undetected.

Wire tapping occurs when someone eavesdrops on information being transmitted over telecommunications lines.

The use of Trojan horses and/or backdoors occurs when someone hides malicious, fraudulent code in an authorized or falsely authorized computer program. This hidden code is executed whenever the authorized program is executed.

A denial of service attack disrupts or completely denies service to legitimate users, networks, systems or other resources. The intent of any such attack usually is malicious in nature, and it often takes little skill because the requisite tools are readily available.

A computer shutdown is initiated through terminals or personal computers connected directly (online) or remotely (dial-up lines) to the computer. Usually only individuals who know a high-level logon ID can initiate the shutdown process, but this security measure is effective only if proper security access controls are in place for the high-level logon ID and the telecommunications connections into the computer.

Piggybacking is the act of following an authorized person through a secured door or electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions.
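Returning to the dynamic passwords described under logical access controls above: a token code that changes every 60 seconds, is combined with a PIN the user knows, and cannot be entered twice is what the text calls two-factor authentication. The following is an added example, not ISACA's material: it builds the time-based code as a truncated HMAC-SHA1 over the current 60-second interval (the construction published as TOTP in RFC 6238, with the HOTP truncation of RFC 4226), keeps a record of redeemed intervals so a captured code is useless once used, and requires both factors. The seed and PIN are constructed sample values (the seed is the published RFC 4226 test key).

```python
"""Token-style one-time password with PIN and replay rejection.
Added example (not ISACA's material); seed and PIN are constructed."""
import hashlib
import hmac
import struct

TIME_STEP = 60    # seconds per code, matching the "common limit is 60 seconds" above
DIGITS = 6

DEMO_SECRET = b"12345678901234567890"                 # constructed seed (RFC 4226 test key)
DEMO_PIN_HASH = hashlib.sha256(b"4321").digest()    # constructed PIN, stored hashed


def totp(secret, unix_time, step=TIME_STEP, digits=DIGITS):
    """Code for the interval containing unix_time: HMAC-SHA1(secret, interval), truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class TokenVerifier:
    def __init__(self, secret, pin_hash):
        self.secret = secret
        self.pin_hash = pin_hash
        self.used_intervals = set()   # intervals whose code has already been accepted

    def verify(self, pin, code, unix_time):
        """Accept only when the PIN (something known) and the current token
        code (something had) are both right and the code was not used before."""
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            return False
        interval = unix_time // TIME_STEP
        if interval in self.used_intervals:
            return False                           # replay of an already-entered code
        if not hmac.compare_digest(totp(self.secret, unix_time), code):
            return False
        self.used_intervals.add(interval)
        return True


if __name__ == "__main__":
    v = TokenVerifier(DEMO_SECRET, DEMO_PIN_HASH)
    code = totp(DEMO_SECRET, 30)
    print(code, v.verify("4321", code, 30), v.verify("4321", code, 45))   # True, then False (replay)
```

Note what the verifier does not do: it does not accept a code from an earlier interval, so a code observed by shoulder surfing or captured on the wire expires within the minute and, if it was already entered by the legitimate user, is rejected immediately.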
Trapdoors are any area of authorized operating system code used for insertion of specific logic, such as a program interrupt – i.e., to inspect data during processing.
• Trapdoors may exist because of testing or maintenance reasons. Sometimes programmers insert code that allows them to bypass the integrity of an OS for the purpose of debugging at development time or later during maintenance and system improvements. Trapdoors should be eliminated in the final editing of code, but sometimes they are forgotten or intentionally left for future access into the system.
• The exposure risk with trapdoors is that the logic inserted could be used to obtain unauthorized access rights. Additionally, logic design flaws and programming errors in complex programs may also introduce unwanted trapdoors into a system.

Rounding down is when someone draws off small amounts of money (the rounding fraction) from a computerized transaction or account and reroutes this amount to the perpetrator's account. Since the amounts are so small, they are rarely noticed, although it would be easy to detect irregularities by summing the rounding fractions. Proper rounding should give a total close to zero.

A salami technique involves the slicing of small amounts of money from a computerized transaction or account – similar to the rounding down technique. The difference between the rounding down technique and the salami technique is that in rounding down, the program rounds off by the smallest money fraction.

Instructions: Here are seven items and descriptions. Match each item to its corresponding description.
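Before the matching exercise, the detection check the rounding-down paragraph suggests, as an added example that is not part of the ISACA material: it sums the rounding fractions (exact amount minus posted amount) over a batch. Honest rounding to the nearest cent produces fractions that cancel, so the total stays near zero; a posting program that always drops the fraction accumulates about half a cent per item. The interest amounts are constructed sample data and the flagging threshold is an assumption.

```python
"""Rounding-fraction audit for a batch of posted amounts.
Added example (not ISACA's material); amounts and threshold are constructed."""
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")

# Constructed sample: exact computed amounts before posting to the cent
SAMPLE_AMOUNTS = [Decimal(s) for s in (
    "12.3449", "7.8872", "103.2016", "58.5051",
    "0.9999", "41.1138", "19.4444", "66.6671",
)]


def post(exact_amounts, mode):
    """Simulate the posting program: round each amount to the cent with the given mode.
    ROUND_HALF_UP is honest; ROUND_DOWN models a program that keeps every fraction."""
    return [amt.quantize(CENT, rounding=mode) for amt in exact_amounts]


def audit_rounding(exact_amounts, posted_amounts):
    """Sum the rounding fractions. Unbiased rounding cancels out and the total
    stays near zero; a one-directional skim grows by about 0.005 per item."""
    residue = sum((e - p for e, p in zip(exact_amounts, posted_amounts)), Decimal("0"))
    n = len(exact_amounts)
    # Flag anything beyond half the expected one-way skim of n * 0.005 (assumed threshold)
    threshold = Decimal(n) * Decimal("0.0025")
    return {"residue_total": residue, "suspicious": abs(residue) > threshold}


if __name__ == "__main__":
    print("honest :", audit_rounding(SAMPLE_AMOUNTS, post(SAMPLE_AMOUNTS, ROUND_HALF_UP)))
    print("skimmed:", audit_rounding(SAMPLE_AMOUNTS, post(SAMPLE_AMOUNTS, ROUND_DOWN)))
```

The same check also catches the salami variant as long as the slices are taken from the rounding step, since the fractions then no longer cancel; slices taken elsewhere need the totals of the receiving account reviewed instead.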
Items
• Wire tapping
• Trojan horses
• Denial of service (DoS)
• Piggybacking
• Salami technique

Descriptions
• Eavesdropping on information being transmitted over telecommunications lines
• Hiding fraudulent code in an authorized or falsely authorized computer program
• Disrupts or completely denies service to legitimate users
• Electronically attaching to an authorized telecommunications link to intercept and alter transmissions
• Slicing off small amounts of money from a computerized transaction or account

Answers
• Wire tapping – Eavesdropping on information being transmitted over telecommunications lines
• Trojan horses – Hiding fraudulent code in an authorized or falsely authorized computer program
• Denial of service (DoS) – Disrupts or completely denies service to legitimate users
• Piggybacking – Electronically attaching to an authorized telecommunications link to intercept and alter transmissions
• Salami technique – Slicing off small amounts of money from a computerized transaction or account

Social engineering is the human side of breaking into a computer system by playing on vulnerabilities of interpersonal relations and deception to obtain confidential information from unknowing employees. A common example of this would be tricking someone into giving away confidential information (e.g., passwords and IP addresses) by answering questions over the phone from someone that person does not know, or by replying to an e-mail from an unknown person. An organization's best defense against social engineering attacks is to proactively have an ongoing security awareness program wherein all employees and third parties (who have access to the organization's facilities) are educated about the risks involved in falling prey to social engineering attacks. Simply having strong technical security countermeasures is often not enough to protect an information system.
The weakest link in the security chain is often the people using the system.

Methods that malicious entities may use to gain access to wireless devices related to wireless local area networks (WLANs) include, but are not limited to, war driving and war chalking.

War driving is when an individual drives around businesses or residential neighborhoods scanning for wireless network names with a notebook computer, hacking tool software and sometimes a global positioning system (GPS). Someone driving around the vicinity of a wireless network might be able to see the wireless network name, but whether that person will be able to do anything beyond viewing the wireless network name is determined by the use of wireless security. If an organization does not have wireless security enabled and properly configured, war drivers can send data, interpret the data sent on the wireless network, access the shared resources of the wireless or wired network (shared files, private web sites), install viruses, modify or destroy confidential data, and use the Internet connection without the knowledge or consent of the owner. For example, a malicious user might use the Internet connection to send thousands of spam e-mails or launch attacks against other computers. The malicious traffic would be traced back to the owner's home.

War chalking is when an individual marks a series of symbols (outward-facing crescents) on sidewalks and walls to indicate nearby wireless access points. These markings are used to identify hotspots where other computer users can connect to the Internet wirelessly and at no cost.

Firewalls are designed to protect the most vulnerable point between a network and the Internet.
Most firewalls:
• Block access to particular sites on the Internet.
• Prevent certain users from accessing certain servers or services.
• Monitor communications between an internal and an external network.
• Monitor and record all communications between an internal network and the outside world to investigate network penetrations or detect internal subversion.
• Protect against viruses and attacks directed to exploit known operating system vulnerabilities (these are additional capabilities offered by some firewalls).
Firewalls are hardware and software combinations that are built using routers, servers and a variety of software.

Firewall Types: An analogy
To compare the operation of packet filtering versus application-level (proxy) firewall functions, consider a scenario where the firewall is acting as if it were a security guard at an organization who is designated as the only person in the organization who may communicate with outsiders, and therefore all messages must be passed through this individual.

If acting like a packet filter firewall, the guard looks at each word of the message only. The guard can decide to allow or deny sending the word based only on the word itself, plus details on the sender and intended recipient. This can be very useful since some words are easy to identify as objectionable, and especially since looking at one word can be done quickly. However, looking at a single word lacks context – a word within one message may be acceptable, but in the context of another message, it may not be permissible.

If acting like an application-level (proxy) firewall, the guard sees the whole message, and can therefore evaluate it in its entirety.
In addition to the sender and recipient, the guard can note restrictions such as the size of the message, time of day it is being sent, organization the recipient works for and other considerations not available from a single word. The guard can also log the important details about the message as well as whether it was sent. As a result, more complex and sophisticated security decisions can be implemented, but at the cost of taking longer to review and evaluate the entire message.

Organizations that implement firewalls are not without risk and must be aware of several issues.
• The majority of incidents are caused by insiders, who are not controlled by firewalls.
• The circumvention of firewalls through the use of modems may connect users directly to ISPs.
• Misconfigured firewalls may allow unknown and dangerous services to pass through freely.
• Monitoring activity logs may not occur on a regular basis.

Statement – True or False?
• Firewalls are used to protect an organization from data traveling between the Internet and the corporate network.
• When implementing a firewall, most organizations will follow a deny-all philosophy.
• Once a firewall is in place, no unauthorized access to or from outside the organization can occur.

Statement – True or False? Answers
• Firewalls are used to protect an organization from data traveling between the Internet and the corporate network. – True
• When implementing a firewall, most organizations will follow a deny-all philosophy. – True
• Once a firewall is in place, no unauthorized access to or from outside the organization can occur. – False

Real-World Example: An organization wanted to better regulate its internal network traffic by installing a firewall between major portions of its network.
IS management directed that this had to be accomplished by a specific date. When management asked whether the firewall was installed by the date specified, the answer was "yes." However, what was not communicated was that, although the firewall installation was complete, no restrictive firewall rules were in place; instead, an "any-to-any" rule was in place, which allowed traffic to continue to flow freely throughout the network.

Think About It: Where is the information security risk in this situation?

Real-World Example: Answer
• Although management was advised that the firewall was technically "in place," it was not providing the required controls over network traffic. In this situation the firewall was essentially just being used as a router.
• Accordingly, without restrictive firewall rules, there is a much greater risk of unauthorized access to network traffic and network-attached computing resources.
• In this case, the project was viewed not as one to implement restrictions over internetwork access, but instead to install a network device. Security requirements were not reflected in the project plan, and the firewall was permitted to "go live" with no restrictions in place. An auditor should therefore test the rule base itself (looking for unrestricted "any/any/any" permits and confirming a default deny) rather than accept installation as evidence of control.

Encryption is the process of converting a plaintext message into a secure-coded form of text called ciphertext, which cannot be understood without converting it back to plaintext via decryption (the reverse process). This is done via a mathematical function and a secret parameter called the key (a password, where one is used, is only the input from which a key is derived). Encryption generally is used to:
• Protect data in transit over networks from unauthorized interception and manipulation.
• Protect information stored on computers from unauthorized viewing and manipulation.
• Deter and detect accidental or intentional alterations of data.
• Verify the authenticity of a transaction or document.
The last two objectives are not delivered by encryption alone: detecting alteration requires a message authentication code or an authenticated encryption mode, and verifying authenticity requires a MAC or a digital signature. Confidentiality without integrity protection lets an attacker modify ciphertext undetected.
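The deny-all philosophy and the "any-to-any" failure in the firewall example above, as an added example (this is not part of the ISACA material). The rule evaluator, the two rulesets, the addresses and the traffic samples are all hypothetical; real firewalls differ in syntax but share the first-match, implicit-deny model shown here, and the audit check at the end is the test an IS auditor would apply to the real rule base.

```python
"""Minimal first-match packet filter to show deny-all versus any-to-any."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR, or "any" (= 0.0.0.0/0)
    dst: str              # CIDR, or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None = any port
    name: str = ""


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; an implicit deny applies when nothing matches.

    Packet filters see only header fields (the 'word' of the analogy): addresses, protocol, port."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in _net(r.src) and d in _net(r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action, r.name
    return "deny", "implicit-default-deny"


# Hypothetical ruleset matching the real-world example: the firewall "went live" with one any-to-any rule.
ANY_TO_ANY = [Rule("allow", "any", "any", "any", None, "any-to-any")]

# Hypothetical deny-all ruleset: office users may reach the production web tier on 443; nothing else passes.
RESTRICTIVE = [
    Rule("allow", "10.20.0.0/16", "10.50.1.0/24", "tcp", 443, "office-to-prod-https"),
    Rule("deny", "any", "any", "any", None, "explicit-deny-all"),
]

# Constructed traffic samples: (src, dst, proto, dport)
SAMPLES = [
    ("10.20.5.7", "10.50.1.10", "tcp", 443),   # office user to production HTTPS
    ("10.20.5.7", "10.50.1.10", "tcp", 22),    # office user to production SSH
    ("10.20.5.7", "10.50.1.10", "tcp", 3389),  # office user to production RDP
]


def decisions(rules: List[Rule]) -> List[str]:
    """Decision for each sample packet under the given ruleset."""
    return [evaluate(rules, *pkt)[0] for pkt in SAMPLES]


def audit_rules(rules: List[Rule]) -> List[str]:
    """Auditor's check: flag allow rules with no source, destination, protocol or port restriction."""
    return [
        f"unrestricted allow rule: {r.name or '<unnamed>'}"
        for r in rules
        if r.action == "allow" and r.src == "any" and r.dst == "any"
        and r.proto == "any" and r.dport is None
    ]


if __name__ == "__main__":
    print("any-to-any :", decisions(ANY_TO_ANY), audit_rules(ANY_TO_ANY))
    print("restrictive:", decisions(RESTRICTIVE), audit_rules(RESTRICTIVE))
```

Under ANY_TO_ANY every sample is allowed and the audit flags the rule; under RESTRICTIVE only the HTTPS sample passes, SSH and RDP hit the explicit deny, and an empty ruleset still denies because the default is deny. Rule order matters: placing the deny-all rule first would make the allow unreachable, which is the other common misconfiguration an auditor looks for.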
Key elements of encryption systems include the following:
• Encryption algorithm: A mathematically based function or calculation that encrypts/decrypts data.
• Encryption keys: A piece of information that is used within an encryption algorithm (calculation) to make the encryption or decryption process unique. Similar to passwords, a user needs to use the correct key to access or decipher a message. The wrong key yields unreadable output (or, with an authenticated encryption mode, an explicit decryption failure).
• Key length: A predetermined length for the key. The longer the key, the more difficult it is to compromise in a brute-force attack where all possible key combinations are tried. Key lengths are only comparable within one algorithm family: a 128-bit symmetric key (AES) and a 3072-bit RSA key offer roughly the same security against the best known attacks, per NIST SP 800-57.

The effectiveness of an encryption system depends on:
• a combination of the algorithm strength
• secrecy and difficulty of compromising a key
• the nonexistence of back doors by which an encrypted file can be decrypted without knowing the key
• the inability to decrypt an entire ciphertext message if the way a portion of it decrypts is known (a known-plaintext attack; the ISACA text calls this a "known-text attack")
• the properties of the plaintext known by a perpetrator

Private key cryptographic systems (more commonly called symmetric or secret-key systems) are based on a symmetric encryption algorithm. In private key encryption:
• A secret (private) key encrypts the plaintext to the ciphertext.
• The same key is used to decrypt the ciphertext to the corresponding plaintext.
• A private key is symmetric because the encryption key is the same as the decryption key.

Public key cryptographic systems developed for key distribution solve the problem of getting symmetric keys into the hands of two people who do not know each other but who want to exchange information in a secure manner.
Based on an asymmetric encryption process, two keys work together as a pair as follows: Each user has a pair of keys, a public encryption key and a private decryption key. The public encrypting key is widely distributed, while the private decrypting key is known only to its owner. Messages are encrypted with the recipient's public key and can only be decrypted with the corresponding (recipient's) private key. The keys are related mathematically, but the private key cannot feasibly be derived from the public key. In practice the public key algorithm is used only to exchange or wrap a symmetric session key, and the bulk data is encrypted with that symmetric key, because asymmetric operations are orders of magnitude slower.

Think About It: What happens if an encryption key is lost?

Think About It: Answer - What happens if an encryption key is lost?
• Good quality encryption algorithms do not contain back doors. As a result, if a secret key (used with one-key encryption) is lost, it will not be possible to recover any message encrypted with that key. If a private key (used with two-key encryption) is lost, it will not be possible to recover material encrypted with the corresponding public key.
• The use of a public key infrastructure (PKI) with key escrow or key recovery helps ensure encryption keys are recoverable (but only through a secure, controlled process) and reduces the chance that encrypted material becomes unrecoverable when keys are lost. Recovery applies to encryption (decryption) keys only; a signing key must never be escrowed, because a copy held by anyone else destroys nonrepudiation.

A digital signature is an electronic identification of a person or entity created by using a public key algorithm. Digital signatures assure the recipient of the integrity of the data and the authentication and nonrepudiation of the sender.
• Digital signatures verify the integrity of the data by computing a cryptographic hash of the entire message or electronic document, which produces a fixed-size message digest. (The 2010 text says "typically around 128 bits", the MD5 digest size; MD5 and SHA-1 are no longer acceptable for signatures, and current practice is a 256-bit or longer digest such as SHA-256.)
• Digital signatures verify the identity of the sender by enciphering the message digest using the sender's private key, which "signs" the document with the sender's digital signature for message authenticity. To verify, the receiver deciphers the signature with the sender's public key to recover the digest, independently recomputes the hash of the received message, and compares the two. A match proves the message was not altered and was signed with the private key matching that public key, which provides nonrepudiation, provided the private key remained under the sender's sole control and the public key is bound to the sender's identity (normally by a certificate issued through a PKI).

A virus is any type of self-propagating computer program that attacks a host system by sending out requests to the operating system and attaching itself to other programs. Worms are variants of viruses that exploit security weaknesses in operating system configurations instead of physically attaching themselves to another program. The common element is that the computer has received and executed instructions that carry out the malicious intent (e.g., deleting files, allowing remote control), presumably inadvertently. The function of antivirus tools is to identify the malicious code, typically by its recognizable signature, and prevent the computer from executing it.

Viruses can be transmitted:
• From the Internet when files are downloaded to computers via web browsers.
• As attachments to e-mail, so that when word-processing software opens the attachment, the system becomes infected if it is not using scanning software to review unopened attachments.
• From files received through online services, computer bulletin board systems, LANs and even shrink-wrapped software sold in retail stores (today also removable media, compromised software updates and trojanised packages in the software supply chain).

An organization must have a comprehensive and dynamic antivirus program to effectively reduce the risk of infiltration by computer viruses and worms.
The two most common ways to protect against these threats are to:
• establish preventive controls, such as sound management policies and procedures, and
• implement detective controls, such as technical means, which include antivirus software.

For each item below, identify whether it is a technical control or a management policy and procedural control:
• Build all systems from original, clean master copies.
• Have vendors run demonstrations on their machines.
• Ensure a sound and effective backup plan is in place.
• Use antivirus software.
• Use boot virus protection.
• Prepare a virus eradication procedure and identify a contact person.

Answers: Each category is followed by the appropriate statements.
Management Policy and Procedural Controls
• Build all systems from original, clean master copies.
• Have vendors run demonstrations on their machines.
• Ensure a sound and effective backup plan is in place.
• Prepare a virus eradication procedure and identify a contact person.
Technical Controls
• Use antivirus software.
• Use boot virus protection.

Antivirus software is both the most effective and most common tool for protecting networks and host-based computer systems against viruses. The functionality of antivirus tools has steadily expanded to include other types of undesirable software like worms, Trojan horses, or spyware. Antivirus software is not an effective tool against viruses unless it is updated regularly: signature-based detection can only recognize samples already in its database, so a stale signature set passes new strains untouched. Antivirus software should be used on virtually all processing components within an organization. This includes workstations, laptops, file servers, web servers, mail servers, firewalls, PDAs, and any other network-connected computer where programs and data can be shared.
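Signature-based scanning of inbound mail attachments, the function the antivirus and virus-wall slides describe, as an added example (not part of the ISACA material). The EICAR string is the real, harmless industry test file that every scanner detects; the "new strain" bytes, the two signature databases, the message and the addresses are constructed for the demonstration. The example shows two things the slides only state: the scanner must strip the transport encoding before matching, and a signature set that has not been updated delivers the new sample untouched.

```python
"""Signature scanning of inbound mail attachments, as a mail-gateway virus wall does it."""
import base64
import hashlib
from email import message_from_bytes, policy
from typing import Dict, List

# EICAR anti-malware test file: an industry-standard harmless string that every scanner detects.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Constructed stand-in for a "new strain": not malware, just bytes no signature knows yet.
NEW_STRAIN = b"MZ\x90\x00constructed-sample-strain-2"

# Hypothetical signature databases: byte patterns plus SHA-256 hashes of known samples.
SIGNATURES_V1 = {"patterns": {"EICAR-Test-File": EICAR}, "hashes": {}}
SIGNATURES_V2 = {  # the vendor update that adds the new strain
    "patterns": dict(SIGNATURES_V1["patterns"]),
    "hashes": {hashlib.sha256(NEW_STRAIN).hexdigest(): "Constructed.Strain.2"},
}


def build_message(attachment: bytes, filename: str) -> bytes:
    """Constructed inbound mail carrying a base64-encoded attachment."""
    b64 = base64.b64encode(attachment).decode()
    return (
        "From: sender@example.test\r\nTo: user@example.test\r\nSubject: invoice\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
        "--b1\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
        f"--b1\r\nContent-Type: application/octet-stream; name=\"{filename}\"\r\n"
        f"Content-Disposition: attachment; filename=\"{filename}\"\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{b64}\r\n--b1--\r\n"
    ).encode()


def naive_raw_scan(raw: bytes, signatures: Dict) -> List[str]:
    """Pattern search over the undecoded message: misses anything hidden by base64."""
    return [name for name, pattern in signatures["patterns"].items() if pattern in raw]


def scan_message(raw: bytes, signatures: Dict) -> List[Dict[str, str]]:
    """Decode each attachment (strip the transport encoding), then match hashes and patterns."""
    msg = message_from_bytes(raw, policy=policy.default)
    incidents = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        sha = hashlib.sha256(payload).hexdigest()
        if sha in signatures["hashes"]:
            incidents.append({"attachment": name, "signature": signatures["hashes"][sha], "method": "hash"})
            continue
        for sig_name, pattern in signatures["patterns"].items():
            if pattern in payload:
                incidents.append({"attachment": name, "signature": sig_name, "method": "pattern"})
                break
    return incidents


def gateway_decision(raw: bytes, signatures: Dict) -> str:
    """Preset rule: log every hit and quarantine the message; otherwise deliver."""
    incidents = scan_message(raw, signatures)
    for i in incidents:
        print(f"INCIDENT attachment={i['attachment']} signature={i['signature']} method={i['method']}")
    return "quarantine" if incidents else "deliver"


EICAR_MAIL = build_message(EICAR, "invoice.exe")
STRAIN_MAIL = build_message(NEW_STRAIN, "update.bin")

if __name__ == "__main__":
    print(naive_raw_scan(EICAR_MAIL, SIGNATURES_V1))    # []: base64 hides the pattern from a raw scan
    print(gateway_decision(EICAR_MAIL, SIGNATURES_V1))   # quarantine
    print(gateway_decision(STRAIN_MAIL, SIGNATURES_V1))  # deliver: signatures out of date
    print(gateway_decision(STRAIN_MAIL, SIGNATURES_V2))  # quarantine after the update
```

The administrators in the mail-server example below disabled exactly this stage; a gateway that is present but not scanning, or scanning with SIGNATURES_V1 after V2 has shipped, delivers the new sample just as if there were no scanner at all. Hash signatures are cheap but break on any byte change, which is why real engines layer byte patterns, heuristics and behavioural analysis on top.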
To protect corporate networks and an organization's interconnected network, a common strategy is to use virus-scanning software, referred to as virus walls, as an integral part of firewall technologies. Virus walls:
• Scan incoming traffic with the intent of detecting and removing viruses before they enter the protected network.
• Are often updated automatically with new virus signatures by their vendors on a scheduled basis or on an as-needed basis when dangerous new virus strains emerge.
• Provide facilities to log virus incidents and deal with the incident in accordance with preset rules.

Real-World Example
An organization implemented antivirus scanning software on its mail servers in order to detect viruses before they were received by end users. However, after months of use, a decreased throughput performance problem on the servers was observed by mail server administrators, who, without proper investigation, attributed the problem to the antivirus software. To restore performance, the administrators decided to disable the antivirus scanning.

Think About It: Where is the information security risk in this situation?

Real-World Example: Answer
The security risk here is that large volumes of inbound mail, which should have been scanned by the antivirus software, were not being scanned. Problems may occur if mail comes into the organization containing viruses and other malware. This lack of antivirus scanning could result in widespread virus outbreaks within the organization, potentially crippling processing capabilities and causing lost data or breaches of confidentiality or availability.

Think About It: What do you, as an IS audit expert, think could have been done to prevent this organization from being in this situation?
Think About It: Answer
The organization's server administrators should have been more aware of the importance of antivirus scanning as well as the fact that it was a required security procedure. Simply deciding to disable the scans should have been understood as an unacceptable breach of security governance. Disabling a required control should have gone through change management, where the performance problem could have been properly diagnosed and the scanner tuned or resized instead; and monitoring that verifies the scanning service is enabled and its signatures current would have detected the change independently of the administrators.

Real-World Example
In addition to the usual Internet-facing firewall, an organization made use of internal firewalls to achieve various security zones within its network. This permitted, for example, better control of access to production systems from users on the business office network. A new business function and application being introduced within the organization required offering access to the Internet. The business-area management group responsible for the new application had IT connect this internal firewall directly to the Internet as part of the deployment of this application.

Think About It: Where is the information security risk in this situation?

Real-World Example: Answer
Business unit management was able to bypass security requirements and the protection of the approved security architecture. As a result, internal networks and connected computing resources were exposed to attacks and other attempts at unauthorized access from the Internet. An internal zoning firewall is configured for the trust level of the zones it separates; connecting it directly to the Internet exposes it, and the rule base behind it, to untrusted traffic it was never designed to filter.

The first step in any data classification scheme is to perform or gather a detailed inventory of the information assets that need to be classified.
The inventory record of each information asset should include the following:
• A clear and distinct identification of the asset
• Its relative value to the organization
• Its location
• Its security/risk classification
• Its asset group (where the asset forms part of a larger information system)
• Its owner
• Its designated custodian

Data classification as a control measure should define the following:
• The owner of the information asset
• Who has access rights (need to know)
• The level of access to be granted
• Which individual is responsible for determining the access rights and access levels
• What approvals are needed for access
• The extent and depth of security controls

Think About It: Who is responsible for determining the security classification for data?

Think About It: Answer - Who is responsible for determining the security classification for data?
Many individuals believe that the decisions about data classification are made by an organization's IT staff. However, to have a truly effective protection of information assets program, a defined data owner is normally responsible for determining the security classification for data. This designated data owner (as defined in information security governance) should decide what security classification is appropriate for their data, using the classification scheme mandated by the organization. This is because the data owner is accountable for protecting the data, and advising the data custodians (typically the IT staff) on what access restrictions are required.

Think About It: What is the organizational security risk associated with misuse of information if or when a user is not instructed on how to deal with information at particular security levels?
Think About It: Answer - What is the organizational security risk associated with misuse of information if or when a user is not instructed on how to deal with information at particular security levels?
The risk is that a user might reveal confidential information simply because he or she did not know that the requirements prohibited disclosure. Social engineering relies on this kind of misunderstanding at the end-user level.

In order to properly evaluate how an organization protects its information assets, the IS auditor must be aware of issues involving the storing, retrieval, transportation and disposition of confidential information. This section of the module discusses what information should be protected during these processes and methods of storing and shipping certain media.

To protect all information assets, an organization's management should define and implement procedures to prevent access to or loss of sensitive information and software from computers, disks and other equipment or media when they are stored, disposed of or transferred to another user. This should be done for the following:
• Backup files of databases
• Disposal of media previously used to hold confidential information
• Management of equipment sent for offsite maintenance
• Transportation of confidential information on hard drives or other magnetic media
• Storage records

The "Delete" function provided by most operating systems will not prevent confidential data from being accessed, because it simply releases the space used by the file without removing the file's contents; until that space is reused, the deleted file can be recovered with ordinary undelete or file-carving tools.
Even "reformatting" the media on which confidential information is stored is not adequate, since tools and techniques exist to recover data on reformatted drives. Other than physically destroying the media, the most important means of protecting confidential data while it is stored, retrieved or transported is using encryption tools. Additionally, most encryption packages include a "secure delete" function that overwrites the file with a series of data patterns intended to eliminate all traces of the original data from the storage media.

Two caveats apply to file-level overwriting. It is only reliable where the overwrite actually lands on the same physical location as the original: on wear-levelled flash (SSDs, USB sticks), on copy-on-write or journaling filesystems, and wherever snapshots or backups exist, the new data is written elsewhere and the old copy survives. And a single overwrite pass is sufficient for modern magnetic media; multi-pass patterns add nothing but time. Where the data was encrypted at rest from the start, destroying the key (cryptographic erase) renders every copy unreadable at once, which is why encryption, not overwriting, is the primary control. NIST SP 800-88 (Guidelines for Media Sanitization) sets out the clear, purge and destroy levels and the methods appropriate to each media type.
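The data-remanence points above ("Delete" releases space without erasing it, overwriting works only where it lands on the original location, and encryption plus key destruction is the robust control), as an added example (not part of the ISACA material). ToyDisk is a constructed block-device model: in its default mode it updates files in place like a conventional hard disk; with copy_on_write=True it behaves like a wear-levelled SSD or a copy-on-write filesystem, writing every update to a fresh block. The confidential record and the SHA-256 counter-mode stream cipher standing in for AES are constructed for the demonstration.

```python
"""Why 'Delete' is not erasure: a toy block device behaving like a hard disk, then like flash."""
import hashlib
import secrets
from typing import Dict, List

BLOCK = 16


class ToyDisk:
    """Fixed-size block device with a directory and a free list. With copy_on_write=True every
    write goes to a fresh block and the old one is only unmapped, as a wear-levelled SSD or a
    copy-on-write / journaling filesystem does."""

    def __init__(self, blocks: int, copy_on_write: bool = False):
        self.media = bytearray(blocks * BLOCK)
        self.files: Dict[str, List[int]] = {}        # directory: name -> block numbers
        self.free: List[int] = list(range(blocks))   # allocation table
        self.copy_on_write = copy_on_write

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK)
        old = self.files.get(name)
        if old is not None and not self.copy_on_write and needed <= len(old):
            blocks, spare = old[:needed], old[needed:]   # in-place update
            self.free.extend(spare)
        else:
            if old is not None:
                self.free.extend(old)                    # old blocks keep their contents
            blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\x00")
            self.media[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.files[name] = blocks

    def delete(self, name: str) -> None:
        """Operating-system 'Delete': release the blocks, leave their contents untouched."""
        self.free.extend(self.files.pop(name))

    def secure_delete(self, name: str) -> None:
        """Overwrite with three patterns, then release (what a 'secure delete' tool does)."""
        size = len(self.files[name]) * BLOCK
        for pattern in (b"\x00", b"\xff", b"\xaa"):
            self.write(name, pattern * size)
        self.delete(name)

    def carve(self, needle: bytes) -> bool:
        """Forensic view: search the raw media, ignoring the directory."""
        return needle in self.media


SECRET = b"SSN 123-45-6789 salary 95000"   # constructed confidential record


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for AES; demonstration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def delete_leaves_data() -> bool:
    d = ToyDisk(64)
    d.write("hr.txt", SECRET)
    d.delete("hr.txt")
    return "hr.txt" not in d.files and d.carve(SECRET)   # True: gone from the directory, still on the media


def secure_delete_on_hdd() -> bool:
    d = ToyDisk(64)
    d.write("hr.txt", SECRET)
    d.secure_delete("hr.txt")
    return d.carve(SECRET)                                # False: in-place overwrite destroyed it


def secure_delete_on_flash() -> bool:
    d = ToyDisk(64, copy_on_write=True)
    d.write("hr.txt", SECRET)
    d.secure_delete("hr.txt")
    return d.carve(SECRET)                                # True: the passes landed on new blocks


def encrypted_at_rest_on_flash() -> bool:
    key = secrets.token_bytes(32)
    d = ToyDisk(64, copy_on_write=True)
    d.write("hr.txt", keystream_xor(key, SECRET))
    d.delete("hr.txt")
    del key                                               # cryptographic erase: destroy the key
    return d.carve(SECRET)                                # False: only ciphertext remains


if __name__ == "__main__":
    print(delete_leaves_data(), secure_delete_on_hdd(), secure_delete_on_flash(), encrypted_at_rest_on_flash())
```

The third function is the case the slides do not cover: the same "secure delete" that works on the in-place disk leaves the original blocks intact on the copy-on-write device, which is why NIST SP 800-88 treats flash and magnetic media differently and why the auditor should ask how media is sanitized rather than whether a secure-delete tool is installed.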