AIS Chapter 8


Chapter 8: Control for Information Security

The Trust Service Framework was developed jointly by the AICPA and
the CICA to provide guidance for assessing the reliability of information
systems.
The Trust Service Framework organizes IT-related controls into five
principles that jointly contribute to systems reliability:
1. Security: access to the system and its data, both physical and
logical, is controlled and restricted to legitimate users.
2. Confidentiality: sensitive organizational information (for example,
marketing plans and trade secrets) is protected from unauthorized
disclosure.
3. Privacy: personal information about customers, employees,
suppliers, or business partners is collected, used, disclosed, and
maintained only in compliance with internal policies and external
regulatory requirements, and is protected from unauthorized
disclosure.
4. Processing integrity: data are processed accurately, completely, in a
timely manner, and only with proper authorization.
5. Availability: the system and its information are available to meet
operational and contractual obligations.
Security is the foundation of the other four principles: none of them
can be achieved if access to the system and its data is not controlled.
Two fundamental information security concepts
 Security is a management issue, not just a technology issue
Step 1 in the security life cycle is to assess the information security
threats that the organization faces and select an appropriate
response. Information security professionals possess the expertise to
identify potential threats and to estimate their likelihood and impact,
but management must decide which risks to accept, mitigate, or avoid.
Step 2 involves developing information security policies and
communicating them to all employees.
 Senior management must be involved, and periodic reminders about
security policies and training on how to comply with them are
necessary.
Step 3 involves the acquisition or building of specific technological
tools.
 Senior management must authorize investing the necessary
resources to mitigate the threats identified and achieve the desired
level of security.
Step 4 entails regular monitoring of performance to evaluate the
effectiveness of the organization's information security program.
 Advances in technology create new threats and alter the risks
associated with old ones. Therefore, management must periodically
reassess the organization's risk response and, when necessary, make
changes to information security policies and invest in new solutions to
ensure that the organization's information security efforts support its
business strategy in a manner that is consistent with management's
risk appetite.

The time-based model of information security


The goal of the time-based model of information security is to employ a
combination of preventive, detective, and corrective controls to protect
information assets long enough for an organization to detect that an
attack is occurring and to take steps to thwart it before any assets are
compromised. The model can be expressed in the following formula:
P > D + R, where
P = the time it takes an attacker to break through the various preventive
controls that protect the organization's information assets
D = the time it takes for the organization to detect that an attack is in
progress
R = the time it takes to respond to and stop the attack
If the inequality holds, the organization's information security
procedures are effective; if D + R exceeds P, the attacker reaches the
assets before the organization can stop the attack. In practice, P is the
time along the weakest path an attacker can find, not through the
strongest control, and D is measured from the attacker's first step, not
from the first alert.
Defense-in-depth entails using multiple layers of controls in order to
avoid having a single point of failure.
 the use of overlapping, complementary, and redundant controls
increases overall effectiveness because if one control fails or gets
circumvented, another may succeed.
Understanding targeted attacks
1. Conduct reconnaissance: the objective is to learn as much as possible
about the target and to identify potential vulnerabilities.
2. Attempt social engineering: use deception to obtain unauthorized
access to information resources.
3. Scan and map the target: use a variety of automated tools to
identify computers that can be remotely accessed and the types of
software they are running.
4. Research: once specific targets are identified, the next step is to
research known vulnerabilities in those programs and learn how to
take advantage of them.
5. Execute the attack: the criminal takes advantage of a vulnerability
to obtain unauthorized access to the target's information system.
6. Cover tracks: most attackers attempt to cover their tracks and
create back doors so they can return later.
Protecting Information Resources
(Preventive, detective, and corrective controls, arranged by
time-based model component)
Prevention
 ● People: creation of a “security-aware” culture; training
 ● Process: user access controls (authentication and authorization)
 ● Process: penetration testing
 ● Process: change controls and change management
 ● IT solutions: anti-malware protection; network access controls
(firewalls, intrusion prevention systems, etc.); device and software
hardening (configuration controls); encryption
 ● Physical security: access controls (locks, guards, etc.)
Detection
 ● Log analysis
 ● Intrusion detection systems
 ● Continuous monitoring
Response
 ● Computer incident response teams (CIRT)
 ● Chief information security officer (CISO)

People: creation of a “security-conscious” culture
Management’s risk attitude and behaviors create either an internal
environment that supports and reinforces sound internal control or one
that effectively negates written control policies. Top management must
lead by example.

People: Training
 Employees must understand how to follow the organization's
security policies. Training is especially needed to educate
employees about social engineering attacks.
 Role-playing exercises are particularly effective for increasing
sensitivity to and skills for dealing with social engineering attacks.
 Security awareness is important for senior management too,
because spear phishing attacks have been targeted at them.
 Information security professionals must keep up to date with new
developments in technology.
 An organization's investment in security training will be effective
only if management clearly demonstrates that it supports
employees who follow prescribed security policies. This is
especially important in combating social engineering attacks, where
the employee following policy may have to refuse a request that
appears to come from someone in authority.
 Top management also needs to support the enforcement of
sanctions, up to and including dismissal, against employees who
willfully violate security policies.
Process: User access controls
An employee may also become a threat to an organization's security, so
it is not enough to keep outsiders out: the organization must also be
able to identify each user and limit what that user can do. To
accomplish that objective, COBIT 5 management practice DSS05.04 stresses
the need for controls to manage user identity and logical access so that
it is possible to uniquely identify everyone who accesses the
organization's information system and track the actions that they
perform. Implementing DSS05.04 involves the use of two related but
distinct types of user access controls: authentication and
authorization.

Authentication control: the process of verifying the identity of the
person or device attempting to access the system. The objective is to
ensure that only legitimate users can access the system. Three types of
credentials can be used:
1. Something the person knows, such as a password or personal
identification number (PIN)
2. Something the person has, such as a smart card or ID badge
3. Something the person is or does (a biometric identifier), such as a
fingerprint or typing pattern
Each authentication method has its limitations. Passwords can be
guessed or stolen, ID cards can be lost or borrowed, and biometric
identifiers can be costly, are seen as intrusive by some users, and
cannot be changed if they are ever compromised.
The effectiveness of passwords as authentication credentials depends
on many factors:
 Length (the largest single contributor to resistance to guessing)
 Multiple character types
 Randomness (no dictionary words, names, or predictable patterns)
 Frequency of change (forced periodic change matters less than
length and uniqueness; a password should certainly be changed the
moment it is suspected of being compromised)
 Being kept secret (never shared, written where others can see it,
or reused across systems)

Examples of applying the principle of defense-in-depth to authentication:
Multifactor authentication: the use of two or more different types of
authentication credentials in conjunction to achieve a greater level of
security. Example: smart card and password. This is stronger than
multimodal authentication because the credentials are independent of one
another: an attacker who phishes the password still needs the card.
Multimodal authentication: the use of multiple authentication
credentials of the same type to achieve a greater level of security.
Example: password plus a user ID and recognition of a graphic image,
all of which are things the user knows.
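As an added illustration of multifactor authentication (example code written for these notes, not taken from the textbook or from any product), the block below checks a password, something the user knows, stored as a salted PBKDF2 hash, together with a time-based one-time code, something the user has, computed as a phone or hardware token would per RFC 4226 (HOTP) and RFC 6238 (TOTP). The user store, the user name alice, the password, and the reuse of the RFC 6238 reference key as the enrolled secret are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

# --- "something the person knows": salted, slow password hashing -----------

ROUNDS = 100_000  # PBKDF2 iteration count; slows down offline guessing


def hash_password(password, salt=None):
    """Return (salt, digest). A per-user random salt defeats precomputed
    tables; PBKDF2-HMAC-SHA256 makes every guess cost ROUNDS hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- "something the person has": RFC 4226 HOTP / RFC 6238 TOTP -------------

def hotp(key, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, now, step=30, digits=6):
    return hotp(key, now // step, digits)


def check_totp(key, code, now, step=30, window=1):
    """Accept the current code and `window` steps either side, to tolerate
    clock drift between the server and the token."""
    counter = now // step
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


# --- constructed user store (assumption: a single enrolled user) -----------

TOTP_KEY = b"12345678901234567890"  # RFC 6238 reference key, used as the example secret
_salt, _digest = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USERS = {"alice": {"salt": _salt, "digest": _digest, "totp_key": TOTP_KEY}}


def login(username, password, code, now=None):
    """Multifactor check: the password and the one-time code must both be
    valid. Both factors are evaluated before deciding, so response time
    does not reveal which one failed. (An unknown user name still returns
    early here; a production system would run a dummy hash in that case.)"""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = check_password(password, user["salt"], user["digest"])
    otp_ok = check_totp(user["totp_key"], code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    print("HOTP(counter=1):", hotp(TOTP_KEY, 1))
    print("both factors:", login("alice", "correct horse battery staple", totp(TOTP_KEY, 59), now=59))
    print("password only:", login("alice", "correct horse battery staple", "000000", now=59))
```

Run as a script, the block prints the HOTP value for counter 1 (the RFC 4226 test vector) and then shows that the login succeeds only when both factors are valid. The 30-second window in check_totp is why a phished password alone is not enough: the attacker also needs the current code from the enrolled device.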
Authorization controls:
Authorization: the process of restricting the access of authenticated
users to specific portions of the system and limiting what actions they
are permitted to perform. Authorization is how adequate segregation of
duties is enforced inside the system.
Access control matrix: a table used to implement authorization controls;
each row is a user (or role), each column is a resource, and each cell
lists the actions that user may perform on that resource.
Compatibility test: matching the user's authentication credentials against
the access control matrix to determine whether that employee should be
allowed to access that resource and perform the requested action.
It is important to regularly update the access control matrix as
employees join, change roles, and leave, so that rights do not
accumulate beyond what a person's current job requires.
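An added worked example of an access control matrix and compatibility test, written for these notes rather than taken from the textbook: the matrix, the user names, the resource names and the incompatible-duty pairs are all constructed. It also shows the maintenance step the notes call for: the matrix is reviewed for existing segregation-of-duties conflicts, and a grant that would give one person an incompatible pair of duties is refused.

```python
from copy import deepcopy

# Constructed access control matrix: user -> resource -> set of permitted
# actions. Rows are users, columns are resources, cells are the actions.
ACCESS_CONTROL_MATRIX = {
    "alice": {"general_ledger": {"read"}, "vendor_master": {"read", "update"}},
    "bob":   {"general_ledger": {"read"}, "accounts_payable": {"read", "approve"}},
    "carol": {"vendor_master": {"read"}, "accounts_payable": {"read", "create"}},
}

# Pairs of rights no single user should hold (segregation of duties). The
# pairs are constructed for illustration: whoever can change the vendor
# master must not also approve payments to vendors, and whoever enters a
# payable must not approve it.
INCOMPATIBLE_DUTIES = [
    (("vendor_master", "update"), ("accounts_payable", "approve")),
    (("accounts_payable", "create"), ("accounts_payable", "approve")),
]


def compatibility_test(user, resource, action, matrix=ACCESS_CONTROL_MATRIX):
    """Default-deny lookup: True only if the matrix explicitly grants
    `action` on `resource` to `user`. Unknown users or resources get no access."""
    return action in matrix.get(user, {}).get(resource, set())


def sod_violations(matrix=ACCESS_CONTROL_MATRIX, rules=INCOMPATIBLE_DUTIES):
    """Periodic review: list every user holding an incompatible pair of rights."""
    findings = []
    for user, grants in matrix.items():
        for (res1, act1), (res2, act2) in rules:
            if act1 in grants.get(res1, set()) and act2 in grants.get(res2, set()):
                findings.append((user, (res1, act1), (res2, act2)))
    return findings


def grant(user, resource, action, matrix=ACCESS_CONTROL_MATRIX, rules=INCOMPATIBLE_DUTIES):
    """Update the matrix, but refuse a grant that would give `user` an
    incompatible pair of duties. Returns True if the grant was applied."""
    trial = deepcopy(matrix)
    trial.setdefault(user, {}).setdefault(resource, set()).add(action)
    if any(finding[0] == user for finding in sod_violations(trial, rules)):
        return False
    matrix.setdefault(user, {}).setdefault(resource, set()).add(action)
    return True


def revoke(user, resource, action, matrix=ACCESS_CONTROL_MATRIX):
    """Remove a right, for example when an employee changes role."""
    matrix.get(user, {}).get(resource, set()).discard(action)
```

The grant function is the point of the example: the compatibility test at access time only answers "is this allowed", so the segregation-of-duties check has to happen when rights are assigned, and the review function has to be run periodically to catch rights that accumulated before the rule existed.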
Process: Penetration Testing
COBIT 5 processes MEA01 and MEA02 state the need to periodically
test the effectiveness of business processes and internal controls.
Penetration test: an authorized attempt to break into the organization's
information system. It is performed to identify where additional
protections are most needed to increase the time and effort (P in the
time-based model) required to compromise the system.
Process: Change controls and change management
Change control and change management: the formal process used to
ensure that modifications to hardware, software, or processes do not
reduce systems reliability.
Good change control often results in better operational performance
because there are fewer problems to fix.
COBIT 5 processes BAI06 and BAI07 deal with managing changes.
Characteristics of a well-designed change control and change
management process include:
 Documentation of all change requests, identifying the nature of the
change, its rationale, date of the request, and outcome of the
request.
 Documented approval of all change requests by appropriate levels
of management. It
is especially important that senior management review and approve
major changes to processes and systems in order to ensure that the
proposed change is consistent with the organization's long-term
strategic plans.
 Testing of all changes in a separate system, not the one used for
daily business processes. This reduces the risk that "bugs" in
modifications disrupt normal business.
 Conversion controls to ensure that data is accurately and
completely transferred from the old to the new system. Internal
auditors should review the conversion process.
 Updating of all documentation (program instructions, system
descriptions, procedures manuals, etc.) to reflect the newly
implemented changes.
 A special process for timely review, approval, and documentation
of "emergency changes" as soon after the crisis as is practical. All
emergency changes need to be logged to provide an audit trail. A
large number or marked increase in the number of emergency
changes is a potential red flag of other problems (poor
configuration management procedures, lack of preventive
maintenance, or political "game-playing" to avoid the normal
change control process).
 Development and documentation of "backout" plans to facilitate
reverting to previous configurations if the new change creates
unexpected problems.
 Careful monitoring and review of user rights and privileges during
the change process to ensure that proper segregation of duties is
maintained.
IT solutions: Antimalware controls
Malware can damage or destroy information or provide a means for
unauthorized access.
COBIT 5 section DSS05.01 lists malware protections
1. Malicious software awareness education
2. Installation of antimalware protection tools on all devices
3. Centralized management of patches and updates to antimalware
software
4. Regular review of new malware threats
5. Filtering of incoming traffic to block potential sources of
malware
6. Training employees not to install shared or unapproved software
IT solutions: Network access controls
COBIT 5 management practice DSS05.02 addresses the security of the
organization's network.
Perimeter defense: routers, firewalls, and intrusion prevention systems:
Border router: connects an organization's information system to the
internet.
Firewall: a special-purpose hardware device, or software running on a
general-purpose computer, that controls both inbound and outbound
communication between the system and other networks.
Demilitarized zone (DMZ): a separate network located outside the
organization's internal information system that permits controlled access
from the internet (for example, to a public web server) without exposing
the internal network.
Controlling access by filtering packets:
Access control list (ACL): a set of IF-THEN rules used to determine
what to do with arriving packets. Rules are evaluated in order, the first
matching rule decides, and a packet that matches no rule should be
denied by default.
The border router's ACL examines the source address field in the IP
packet header to block packets from specific undesirable sources
(including packets that claim an internal source address, which cannot
legitimately arrive from the internet). All other packets with the
organization's IP address in the destination field are passed to the main
firewall for further screening.
Firewalls do not block all traffic; they filter it.
Packet filtering: a process that uses various fields in a packet's IP and
TCP headers (source and destination addresses, protocol, port numbers)
to decide what to do with the packet.
Deep packet inspection: a process that examines the data in the body of
a TCP packet to control traffic, rather than looking only at the
information in the IP and TCP headers. It can catch an attack carried
inside an otherwise permitted connection, such as an SQL injection string
in an HTTP request on port 80, at the cost of more processing per packet.
Intrusion prevention system (IPS): software or hardware that monitors
patterns in the traffic flow to identify and automatically block attacks.
Using defense-in-depth to restrict network access:
The use of multiple perimeter filtering devices is more efficient and
effective than relying on only one device: the border router drops the
obvious junk cheaply, so the firewall and IPS can spend their deeper
inspection on the traffic that remains.
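The following is an added example (not code from the textbook) of a border-router ACL as a list of IF-THEN rules evaluated top-down over IP/TCP header fields, with the implicit deny at the end. The address ranges are documentation/test ranges chosen for the example: 10.0.0.0/8 as the internal network, 192.0.2.0/24 as the DMZ, and 203.0.113.0/24 standing in for a blocked hostile range; the two DMZ hosts and their services are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str          # source IP address
    dst: str          # destination IP address
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"       # CIDR the destination address must fall in
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed ACL for the internet-facing interface of the border router.
# Internal network is 10.0.0.0/8, DMZ is 192.0.2.0/24. Rules are evaluated
# top-down and the first match decides.
INBOUND_ACL: List[Rule] = [
    Rule("deny", src="10.0.0.0/8"),       # anti-spoofing: an internal address cannot arrive from outside
    Rule("deny", src="192.0.2.0/24"),     # same for the DMZ range
    Rule("deny", src="203.0.113.0/24"),   # constructed example of a blocked hostile range
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=443),  # public web server in the DMZ
    Rule("permit", dst="192.0.2.25/32", proto="udp", dport=53),   # public DNS server in the DMZ
    Rule("deny", dst="10.0.0.0/8"),       # nothing from outside reaches the internal network directly
]


def filter_packet(p: Packet, acl: List[Rule] = INBOUND_ACL) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule). A packet that matches
    no rule falls through to the implicit deny and gets index None."""
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


def apply_acl(packets, acl=INBOUND_ACL):
    """Filter a batch; return the permitted packets and a log of denials,
    each paired with the rule index that decided it (None = implicit deny)."""
    permitted, denied = [], []
    for p in packets:
        action, idx = filter_packet(p, acl)
        (permitted if action == "permit" else denied).append((p, idx))
    return permitted, denied
```

Recording which rule made the decision is deliberate: when a legitimate connection is unexpectedly dropped, or a hostile one unexpectedly passes, the rule index is what lets an administrator find the ordering mistake, and rule ordering is where most ACL errors live.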
Securing wireless access:
Many organizations also provide wireless access to their information
systems. Wireless access needs particular attention because anyone
within range of the signal can attempt to join the network or listen to
its traffic. The following procedures need to be followed to adequately
secure wireless access:
● Turn on available security features. Most wireless equipment is sold
and installed with these features disabled. For example, the default
installation configuration for many wireless routers does not turn on
encryption.
● Authenticate all devices attempting to establish wireless access to the
network before assigning them an IP address. This can be done by
treating incoming wireless connections as attempts to access the
network from the Internet and routing them first through a remote access
server or other authentication device.
● Configure all authorized wireless devices to operate only in
infrastructure mode, which forces the device to connect only to wireless
access points. (Wireless devices can also be set to operate in ad hoc
mode, which enables them to communicate directly with any other wireless
device. This is a security threat because it creates peer-to-peer
networks with little or no authentication controls.) In addition,
predefine a list of authorized MAC addresses, and configure wireless
access points to accept connections only if the device's MAC address is
on the authorized list. Note that a MAC address is transmitted in the
clear and can be copied by anyone who observes an authorized device, so
MAC filtering raises the bar only slightly and is no substitute for
authentication and encryption.
● Use noninformative names for the access point's address, which is
called a service set identifier (SSID). SSIDs such as “payroll,”
“finance,” or “R&D” are more obvious targets to attack than devices
with generic SSIDs such as “A1” or “X2.” (Hiding the SSID entirely adds
little, since clients reveal it when they connect.)
● Reduce the broadcast strength of wireless access points, locate them
in the interior of the building, and use directional antennas to make
unauthorized reception off-premises more difficult. Special paint and
window films can also be used to contain wireless signals within a
building.
● Encrypt all wireless traffic. This is absolutely essential to protect the
confidentiality and privacy of wireless communications because they are
transmitted “over the air” and, therefore, are inherently susceptible to
unauthorized interception. Use a current standard (WPA2 or WPA3); the
older WEP and original WPA (TKIP) protocols are broken and should not be
used.

IT solutions: Device and software hardening controls:
Endpoints: collective term for the workstations, servers, printers, and
other devices that comprise an organization's network.
COBIT 5 management practice DSS05.03 describes the activities
involved in managing endpoint security:
1. Endpoint configuration
2. User account management
3. Software design
Endpoint configuration:
Vulnerabilities: flaws in programs that can be exploited to either crash
the system or take control of it.
Vendors typically ship hardware and software with every feature and
extra service turned on, because that makes it more likely that
installation will succeed without a call to customer support. Each
enabled but unused feature, however, is additional code an attacker can
reach, so any optional programs and features that are not used should be
disabled.
Vulnerability scanners: automated tools designed to identify whether a
given system possesses any unused and unnecessary programs, or known
vulnerable versions of software, that represent potential security threats.
Exploit: a program designed to take advantage of a known vulnerability.
Patch: code released by software developers that fixes a particular
vulnerability.
Patch management: the process of regularly applying patches and
updates to software. Patches should be tested before deployment (see
change controls), but not so slowly that the gap between public
disclosure of a vulnerability and the patch reaching production leaves
the exploit usable for weeks.
Hardening: the process of modifying the default configuration to
eliminate unnecessary settings and services.
Bring Your Own Device (BYOD) makes endpoint configuration much
more complex to manage effectively, because the organization does not
control the baseline configuration of the devices.
User account management:
COBIT 5 management practice DSS05.04 stresses the need to carefully
manage all user accounts, especially those accounts that have unlimited
(administrative) rights on a computer.
Employees with administrative rights should have two accounts: one
with administrative rights, used only for tasks that require them, and
another with limited privileges to perform daily duties such as reading
e-mail and browsing the web. Malware that arrives through those daily
activities then runs with limited rights rather than full control of the
machine.
Finally, it is important to change the default passwords on all
administrative accounts that are created during initial installation;
default credentials are published in vendor documentation and are the
first thing an attacker tries.
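An added example of the hardening and configuration-scanning idea above, not code from the textbook: it parses a constructed configuration file in the "Directive value" style of an OpenSSH sshd_config, audits it against a baseline of required values the way a configuration scanner would, and rewrites it to meet the baseline. The directive names are real OpenSSH ones, but the vendor-default values shown and the baseline values are constructed for illustration; a real baseline would come from a published benchmark such as the CIS Benchmarks together with the organization's own policy.

```python
# Constructed example of a shipped default configuration. The directive
# names are OpenSSH's; the values are made up to illustrate weak defaults.
VENDOR_DEFAULT_CONFIG = """\
# shipped defaults (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
PermitEmptyPasswords no
MaxAuthTries 6
"""

# Hardening baseline: directive -> value the organization requires.
# Assumption: these five directives are the ones policy cares about.
BASELINE = {
    "PermitRootLogin": "no",          # administrators log in as themselves, then elevate
    "PasswordAuthentication": "no",   # key-based logins only; removes password guessing
    "X11Forwarding": "no",            # unused feature, so switch it off
    "PermitEmptyPasswords": "no",
    "MaxAuthTries": "3",
}


def parse_config(text):
    """Return {directive: value}, ignoring blank lines and # comments.
    The first occurrence of a directive wins, as sshd itself behaves."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def audit(settings, baseline=BASELINE):
    """Scanner-style check: (directive, actual, required) for every baseline
    directive that is absent or set to the wrong value."""
    findings = []
    for key, required in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "missing (vendor default applies)", required))
        elif actual.lower() != required.lower():
            findings.append((key, actual, required))
    return findings


def harden(text, baseline=BASELINE):
    """Produce a hardened copy of the file: every baseline directive is
    forced to its required value in place, directives that are absent are
    appended, and all other lines (including comments) are preserved."""
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        key = stripped.split(" ", 1)[0] if stripped else None
        if key in baseline:
            out.append(f"{key} {baseline[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in baseline.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"
```

Treating a missing directive as a finding is the important edge case: a directive that is absent does not mean "off", it means the vendor default applies, and for PermitRootLogin or PasswordAuthentication that default is often the permissive value.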
Software Design:
IT Solutions: Encryption:
Provides a final layer of defense to prevent unauthorized access to
sensitive information.
Detecting Attacks:
COBIT 5 management practice DSS05.07 describes the activities that
organizations need to perform to enable timely detection of intrusions
and problems. Preventive controls are never perfect, so detective
controls are what determine D in the time-based model.
Three types of detective controls:
Log analysis: the process of examining logs to identify evidence of
possible attacks.
It is important to log and analyze any failed attempts to log on to a
system and failed attempts to obtain access to specific information
resources. A single failure is normal; a burst of failures against one
account, or a few failures against many accounts from one source, is
not.
Logs need to be analyzed regularly to detect problems in a timely
manner; a log that nobody reads provides no detection.
Intrusion detection system (IDS): a system that creates logs of all
network traffic that was permitted to pass the firewall and then
analyzes those logs for signs of attempted or successful intrusions.
Unlike an IPS, an IDS only alerts; it does not block.
Continuous monitoring: COBIT 5 management practice APO01.08
stresses the importance of continuously monitoring both employee
compliance with the organization's information security policies and
the overall performance of business processes.
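As an added example of the log analysis described above (written for these notes; the log lines are constructed, not real data), the block below parses OpenSSH-style authentication messages and flags three patterns: repeated failures against one account from one source (brute force), a few failures against many accounts from one source (password spraying), and a success that follows a run of failures. The host name, user names and addresses are made up, and the thresholds are assumptions to be tuned for the environment.

```python
import re
from collections import Counter, defaultdict

# Constructed OpenSSH-style authentication log (not real data).
SAMPLE_LOG = """\
Mar 12 09:00:01 fs01 sshd[4021]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Mar 12 09:00:03 fs01 sshd[4021]: Failed password for alice from 198.51.100.7 port 51023 ssh2
Mar 12 09:00:05 fs01 sshd[4021]: Failed password for alice from 198.51.100.7 port 51024 ssh2
Mar 12 09:00:07 fs01 sshd[4021]: Failed password for alice from 198.51.100.7 port 51025 ssh2
Mar 12 09:00:09 fs01 sshd[4021]: Failed password for alice from 198.51.100.7 port 51026 ssh2
Mar 12 09:00:11 fs01 sshd[4021]: Accepted password for alice from 198.51.100.7 port 51027 ssh2
Mar 12 09:14:30 fs01 sshd[4102]: Failed password for bob from 203.0.113.9 port 40001 ssh2
Mar 12 09:14:31 fs01 sshd[4102]: Failed password for carol from 203.0.113.9 port 40002 ssh2
Mar 12 09:14:32 fs01 sshd[4102]: Failed password for dave from 203.0.113.9 port 40003 ssh2
Mar 12 09:14:33 fs01 sshd[4102]: Failed password for erin from 203.0.113.9 port 40004 ssh2
Mar 12 09:20:00 fs01 sshd[4200]: Failed password for bob from 10.0.0.12 port 33000 ssh2
Mar 12 09:20:15 fs01 sshd[4200]: Accepted password for bob from 10.0.0.12 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text):
    """Turn raw lines into dicts with ts, result, user and ip. Lines that
    are not password authentication events are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, brute_threshold=5, spray_threshold=4):
    """Walk the events in order and emit (kind, ip, user, count) findings.
    The thresholds are assumptions; tune them to the environment."""
    failures = Counter()            # (ip, user) -> failed attempts so far
    users_by_ip = defaultdict(set)  # ip -> accounts it has failed against
    findings = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "Failed":
            failures[key] += 1
            users_by_ip[e["ip"]].add(e["user"])
            if failures[key] == brute_threshold:  # fire once, when the threshold is reached
                findings.append(("brute_force", e["ip"], e["user"], brute_threshold))
            if len(users_by_ip[e["ip"]]) == spray_threshold:
                findings.append(("password_spray", e["ip"], None, spray_threshold))
        elif e["result"] == "Accepted" and failures[key] >= brute_threshold:
            # a success right after a run of failures: the guessing may have worked
            findings.append(("success_after_failures", e["ip"], e["user"], failures[key]))
    return findings


if __name__ == "__main__":
    for kind, ip, user, n in analyze(parse(SAMPLE_LOG)):
        print(f"{kind:24} source={ip:15} user={user or '*':8} count={n}")
```

The single failure for bob from 10.0.0.12 followed by a success produces no finding, which is the point of thresholds: the goal is to separate the mistyped password from the attack. The "success after failures" finding is the one that should page someone, because it means the attacker may already be in and R, not D, is now the clock that matters.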
Responding to attacks:
Two particularly important controls:
 Establishment of a computer incident response team (CIRT)
 Designation of a specific individual, typically referred to as the
Chief Information Security Officer (CISO), with organization-wide
responsibility for information security
Computer incident response team: a team that is responsible for
dealing with major security incidents. It should include not only technical
specialists but also senior operations management, because some
potential responses to security incidents (for example, taking a
revenue-generating system offline to contain an intrusion) have
significant economic consequences.

The CIRT should lead the organization’s incident response process
through the following four steps:
1. Recognition that a problem exists. Typically, this occurs when
an IPS or IDS signals an alert, but it can also be the result of log
analysis by a systems administrator.
2. Containment of the problem. Once an intrusion is detected,
prompt action is needed to stop it and to contain the damage.
3. Recovery. Damage caused by the attack must be repaired. This
may involve eradicating any malware and restoring data from
backup and reinstalling corrupted programs. We will discuss
backup and disaster recovery procedures in more detail in Chapter
10.
4. Follow-up. Once recovery is in process, the CIRT should lead the
analysis of how the incident occurred. Steps may need to be taken
to modify existing security policy and procedures to minimize the
likelihood of a similar incident occurring in the future. An
important decision that needs to be made is whether to attempt to
catch and punish the perpetrator. If the organization decides that it
wants to prosecute the attacker(s), it needs to immediately involve
forensic experts to ensure that all possible evidence is collected
and maintained in a manner that makes it admissible for use in
court.
Chief Information Security Officer: COBIT 5 identifies organizational
structure as a critical enabler to achieve effective controls and security.
The CISO should be independent of the other information systems
functions rather than reporting to the CIO, so that security concerns are
not subordinated to delivery pressures.
Security Implications of Virtualization, Cloud Computing, and the
Internet of Things
virtualization - Running multiple systems simultaneously on one
physical computer.
cloud computing - Using a browser to remotely access software, data
storage, hardware, and applications.
Internet of Things- refers to the embedding of sensors in a multitude of
devices (lights, heating and air conditioning, appliances, etc.) so that
those devices can now connect to the Internet.
