IT Sec E&A-Lecture 11_Students_Ver
Lecture 11
PROTECTING INFORMATION ASSETS
CISA: Certified Information Systems Auditor (Study Guide)
Fourth Edition
David Cannon – Chapter 7
CHAPTER OBJECTIVES
IMPLEMENTING ADMINISTRATIVE PROTECTION
v Administrative control protections are people-based activities in
the form of policies, standards, procedures, job roles, and
responsibilities.
v These are considered the weakest form of control, yet they are a
necessary first step: the technical and physical controls that
follow are selected and justified by the policies they enforce.
v Without disciplined monitoring, violations of administrative
controls go unnoticed, because a policy document stops nobody
by itself.
v Specific controls are therefore needed to protect information
through administrative methods.
MANAGEMENT-SPONSORED CONTROLS
v It is the duty of executive management to identify the business
rules and their priorities.
v Top executive management specifies what is acceptable and
unacceptable; those rules become the organizational culture.
v Executive management has a duty to lead the organization and
establish visible policies directing the use of organizational data
and IT systems.
v At a minimum, the policies support the IT mission and cover the
requirements specifically mentioned in applicable regulations.
v These policies should be endorsed, adopted, and visibly
advertised by executive management, with a mandate for all
personnel to comply:
MANAGEMENT-SPONSORED CONTROLS
Ø Formal organizational reporting structure with accurate job
descriptions (maintained by HR for all personnel, including
contractors)
Ø Physical and environmental protection of IT assets
Ø Classification of data in the organization’s possession (by
value, type, or risk threshold)
Ø Records management policy (based on ISO 15489 with IT
backup/restore functions)
Ø Access control policy (all data and all departmental functions
across the organization)
Ø Personnel security policy (maintained by HR)
Ø Identification and authentication policy (authorized users,
devices, program access)
Ø Security planning policy with capital budgeting (created by the
steering committee with input from IT and Finance)
Ø Risk assessment policy focused on the likelihood of occurrence
or consequence of loss
Ø System and services acquisition policy (by Procurement)
Ø System protection policy (by Legal, CFO, and IT for all
computing devices)
Ø Communications protection policy (governing all connected
networks, IT, ISP, and telecom providers)
Ø Configuration management policy (by Quality, with mandatory
change control)
Ø Acceptable use policy (maintained by HR)
Ø Computing/communications maintenance policy (for systems
and devices)
Ø Media protection policy (print, electronic, CD, HDD, tape,
portable drives, and so forth)
Ø Telecommuting policy (for remote workers)
Ø Network connection and data-sharing with business partners
(Legal, IT, internal audit)
Ø Contingency planning policy (driven by program office,
business unit subcomponents)
Ø Incident response policy (HR, Legal, law enforcement, Facility,
and IT components)
Ø Audit and accountability policy (executive audit committee,
internal audit)
Ø Security assessment mandating use of specific technical
certification procedures (prerequisite to management
accreditation)
Ø Management accreditation policy (required for all systems at
each SDLC phase during feasibility, requirements, design, build,
and prior to entering production)
Ø Security awareness and required training policy (all users)
Ø General user awareness training and orientation policy (for all
employees and all contractors)
DATA CLASSIFICATION
v Fundamentally, data is in one of only two states of protection:
Ø Classified means that the data is ranked somewhere in a
protection scheme (a.k.a. protection plan).
Ø Unclassified is synonymous with public records or unprotected
data.
v This type of design has been used for hundreds, if not thousands,
of years in government, military, and commerce.
v Unless confidential data is classified, users will not know how to
handle it properly.
v But not all data is created equal. Your client may require several
classification types, each for a unique purpose.
v E.g., payment card data is governed by the PCI DSS: the primary
account number must be rendered unreadable (truncated, hashed,
tokenized, or encrypted) wherever it is stored, and sensitive
authentication data (full track data, card verification code, PIN)
may not be retained after authorization.
DATA CLASSIFICATION
v The same is true for health care records, employment records,
and data about children.
v Don't forget confidential business records, contracts, customer
lists, research data, and intellectual property such as unfiled
patents, trademarks, or copyrights.
v Even if the data originated in the public domain, it is considered
proprietary information if the organization paid money or
consumed resources for special research, unique
implementation, or modification.
v Management's duty is to specify how each class of data records
will be protected: who may handle it and how it is stored,
transmitted, labeled, and destroyed.
v This information protection classification plan (protection
scheme) then becomes the foundation of all data controls used
by the organization.
v Auditors need to remain aware that the lack of a published
classification scheme usually indicates a control failure: without
it, no downstream control can be shown to be proportionate to
the data it protects.
v In bigger organizations, both the likelihood of failure and its
consequences are substantially larger than in small organizations.
CHECKPOINT ?
Which of the following is the most appropriate method to
ensure confidentiality in data communications?
a. Secure hash algorithm (SHA-1)
b. Virtual private network (VPN)
c. Digital signatures
d. Digital certificates with public-key encryption
CHECKPOINT ?
Which of these is the most important purpose of using data
classification in the records management life cycle?
a. Specify specific handling requirements
b. Identify protection boundary
c. Provide financial budget planning data
d. Improve tracking of data usage
USING TECHNICAL PROTECTION
v Technical protection is also referred to as logical protection.
v A simple way to recognize technical protection is that technical
controls typically involve a hardware or software process to
operate.
v Technical Control Classification
Ø Technical protection may be implemented by using a combination
of mandatory controls and discretionary controls.
Ø Technical controls are considered very strong when used in
combination with administrative and physical controls.
Ø Technical controls should always be active and monitored, and
should block (not merely log) unauthorized access attempts.
USING TECHNICAL PROTECTION
v Mandatory Access Controls (MACs)
Ø MAC uses security labels to identify the classification of data.
The model comes from the Trusted Computing Base (TCB) work
done for government and military systems during the Cold War
(1950–1990).
Ø A fixed set of rules determines whether a person or process
(subject) will be allowed to access the data (object).
Ø The object's security label is compared with the subject's
clearance; the same labels are applied to programs, devices,
and containers, and the rules are applied by the operating
system's reference monitor on every access.
Ø The comparison is a dominance check, not an equality test: a
subject may read an object only if the subject's clearance is at
least the object's level and includes every compartment the
object carries. Anything the rules do not permit is denied.
MANDATORY ACCESS CONTROL
Illustrative example of MAC combined with attribute-based access
control (ABAC): [figure not reproduced]
v The process is explicit, with fine-grained control over every
access a process makes to files, devices, sockets, and other
processes.
v Absolutely no exceptions are made when MAC rules are in use
(a.k.a. enforcing mode).
v The MAC enforcement software in the operating system kernel
requires every request to pass the same label check, regardless
of which user or program issued it.
v It will not allow a process to read, write, execute, or transmit
anything unless the request matches a rule in the policy created
by the MAC security administrator; owners and ordinary users
cannot override that policy.
MANDATORY ACCESS CONTROL
v MAC rulesets enforce a set of control attributes carried in the
security label of each object (data file, program, and device).
v This enforces a very tight version of least privilege within the
computer's internal processing.
v This design blocks many breach and privilege-escalation paths,
because a compromised process cannot grant itself, or any other
process, access beyond its own label.
v Under MAC, control is centrally managed and all access is
forbidden unless explicit permission is specified for that user.
v The only way to gain access is an administrative change to the
user's formal authorization level (clearance) or to the object's
classification; the data owner cannot simply grant it.
MANDATORY ACCESS CONTROL
v Government, military, large corporations, and small to medium
businesses use MAC, increasingly combined with attribute-based
access control (ABAC), to tighten technical control as much as
possible.
v The MAC-ABAC labels contain security metadata used to
explicitly define acceptable use within the system's internal
processing.
v This is the preferred method to secure computing environments,
especially systems governed by privacy regulations.
v In a MAC environment, it is possible to consolidate all access
control into a single, centrally administered policy.
v Centralized control is preferred over decentralized methods
because it enforces the maximum level of control; a federated
arrangement, in which several domains each keep their own
policy, is not the same thing as centralization.
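The dominance check that a MAC reference monitor performs, as an added example in Python that is not code from the CISA study guide: it models Bell-LaPadula style labels (a hierarchical level plus a set of need-to-know compartments) and shows that every read or write is decided by label comparison alone, with no owner able to grant an exception. The level names, compartment names, subjects and objects are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hierarchical sensitivity levels, lowest to highest (assumed names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus zero or more need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's level AND A carries every
        # compartment B carries. This is a partial order (a lattice), not an
        # equality test: SECRET/{NUCLEAR} dominates CONFIDENTIAL/{}, but
        # SECRET/{NUCLEAR} and SECRET/{CRYPTO} do not dominate each other.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject's clearance must
    dominate the object's classification."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object's classification must dominate
    the subject's clearance, so a highly cleared process cannot leak data into
    a lower-classified file."""
    return obj.dominates(subject)


def reference_monitor(subject: Label, obj: Label, mode: str) -> bool:
    """Mediates every access request. Anything the rules do not explicitly
    permit is denied; there is no owner who can grant an exception."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    if mode == "readwrite":
        # Both properties at once: only possible when the labels are equal.
        return can_read(subject, obj) and can_write(subject, obj)
    return False  # unknown mode: default deny


# Constructed subjects (clearances) and objects (classifications).
ANALYST = Label("SECRET", frozenset({"NUCLEAR"}))
CLERK = Label("CONFIDENTIAL")
REPORT = Label("CONFIDENTIAL")
WEAPONS_FILE = Label("SECRET", frozenset({"NUCLEAR", "CRYPTO"}))


def demo() -> dict:
    """Each case is decided purely by the two labels involved."""
    return {
        "analyst reads report": reference_monitor(ANALYST, REPORT, "read"),          # read down: permit
        "analyst writes report": reference_monitor(ANALYST, REPORT, "write"),        # write down: deny
        "analyst reads weapons": reference_monitor(ANALYST, WEAPONS_FILE, "read"),   # missing CRYPTO: deny
        "clerk writes weapons": reference_monitor(CLERK, WEAPONS_FILE, "write"),     # blind write up: permit
        "clerk reads weapons": reference_monitor(CLERK, WEAPONS_FILE, "read"),       # read up: deny
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24s} -> {'PERMIT' if allowed else 'DENY'}")
```

The "clerk writes weapons" case is the classic blind write-up that pure Bell-LaPadula allows; real systems such as SELinux or Windows mandatory integrity levels usually tighten writes to equal labels, which is the `readwrite` branch above.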
DISCRETIONARY ACCESS CONTROL (DAC)
v DAC is the older and still most common design: it lets a designated
individual, normally the data owner, decide who gets what level of
access.
v DAC uses simple permissions of read (r), write (w), and execute (x),
commonly seen in Microsoft Windows, Unix, and Linux.
v DAC access is usually distributed across the organization to
provide flexibility for specific uses or adjustment to business
needs.
v The data owner determines access control at their discretion,
unless access is dictated by the data's records management
(RMS) classification.
v Computers running DAC are very loose in enforcement by
comparison with MAC controls.
v DAC cannot enforce restrictions on what an authorized user, or a
program running as that user, does with data once it is readable:
nothing stops a copy into a less-protected location.
DISCRETIONARY ACCESS CONTROL (DAC)
v It is highly susceptible to escalation attacks: any program running
under the owner's identity, including malware, inherits the owner's
discretion to read, copy, and re-share the data.
v The IS auditor needs to investigate how decisions concerning
DAC access are selected, authorized, managed, and reviewed at
least annually.
v Many businesses still use discretionary access control because
their technical staff have never put forth the effort to learn and
administer the stronger controls available in MAC security.
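How a Unix-style DAC decision is made, and why it is "discretionary", as an added example in Python that is not code from the study guide: it implements the owner/group/other class selection of the rwx mode bits, the root bypass, and an owner changing the mode at will without any administrator. The users, groups and file path are constructed for illustration.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one three-bit class


@dataclass
class User:
    name: str
    uid: int
    gid: int                          # primary group
    groups: frozenset = frozenset()   # supplementary groups


@dataclass
class File:
    path: str
    owner_uid: int
    group_gid: int
    mode: int  # e.g. 0o640


def permission_class(user: User, f: File) -> int:
    """Select the ONE class of bits that applies to this user. Unix checks the
    owner class first, then group, then other, and never falls through: an
    owner whose own bits are 0 is denied even if 'other' is wide open."""
    if user.uid == f.owner_uid:
        return (f.mode >> 6) & 0o7
    if user.gid == f.group_gid or f.group_gid in user.groups:
        return (f.mode >> 3) & 0o7
    return f.mode & 0o7


def dac_allows(user: User, f: File, want: int) -> bool:
    """want is a bitmask of R/W/X. uid 0 (root) bypasses DAC entirely, which is
    one of the weaknesses MAC was designed to close."""
    if user.uid == 0:
        return True
    return permission_class(user, f) & want == want


def chmod(actor: User, f: File, new_mode: int) -> bool:
    """The 'discretionary' part: only the owner (or root) may change the mode,
    and nobody has to approve it. Returns True if the change was applied."""
    if actor.uid == 0 or actor.uid == f.owner_uid:
        f.mode = new_mode
        return True
    return False


def demo() -> list:
    # Constructed users and a file for illustration: alice owns payroll.csv,
    # group "staff" (gid 50) may read it, nobody else may touch it.
    alice = User("alice", 1001, 50, frozenset({50}))
    bob = User("bob", 1002, 50, frozenset({50}))
    carol = User("carol", 1003, 60, frozenset({60}))
    payroll = File("/data/payroll.csv", owner_uid=1001, group_gid=50, mode=0o640)

    results = [
        ("bob reads (group r--)", dac_allows(bob, payroll, R)),       # True
        ("bob writes (group r--)", dac_allows(bob, payroll, W)),      # False
        ("carol reads (other ---)", dac_allows(carol, payroll, R)),   # False
        ("carol chmod refused", chmod(carol, payroll, 0o644)),        # False
        ("alice chmod applied", chmod(alice, payroll, 0o644)),        # True: owner's discretion
        ("carol reads after chmod", dac_allows(carol, payroll, R)),   # True: no admin involved
    ]
    # Class-selection quirk: mode 0077 locks the owner out while letting
    # everyone else in, because the owner class is chosen exclusively.
    chmod(alice, payroll, 0o077)
    results.append(("alice reads mode 0077", dac_allows(alice, payroll, R)))  # False
    results.append(("carol reads mode 0077", dac_allows(carol, payroll, R)))  # True
    return results


if __name__ == "__main__":
    for case, allowed in demo():
        print(f"{case:26s} -> {allowed}")
```

The `alice chmod applied` step is the whole point of the slide: the owner widened access to a payroll file on her own authority, and the audit trail for that decision exists only if someone chose to log it.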
OTHER ACCESS CONTROLS
Role-Based Access Controls
v Certain jobs require a particular level of access to fulfill the job
duties.
v Access that is granted on the basis of the job requirement is
referred to as role-based access control (RBAC).
v A user is given the level of access necessary to complete work for
their job.
v RBAC is used in both DAC and MAC security implementations.
v The system administrator position is an example of role-based
access control.
OTHER ACCESS CONTROLS
Role-Based Access Control - Example
v A Role is roughly equivalent to a Group in the directory system
and is simply a logical grouping of one or more users that have
some common affiliations, such as a same department, grade,
age, physical location, or user type.
v E.g., with RBAC, a user in the accounts payable clerk position
would automatically get added as a member (i.e. dynamic
membership) to the AP Role, granting him or her access to AP
functions in the accounting system.
OTHER ACCESS CONTROLS
Task-Based Access Controls
v While role-based access is used for job roles, task-based access
control (TBAC) refers to the need to perform a specific task.
v Individual tasks may need to be performed for the business to
operate.
v TBAC is used in both DAC and MAC security implementations.
v Common examples include limited testing, maintenance, data
entry, or access to a special report.
ATTRIBUTE-BASED ACCESS CONTROL (ABAC)
v ABAC can control access based on three different attribute types:
user (subject) attributes, attributes of the application, system, or
data to be accessed (the resource), and current environmental
conditions.
v E.g., allowing only users who are type=employee and have
department=HR to access the HR/Payroll system, and only during
business hours in the company's own time zone.
v Attributes may be the time of day, location, role of the person or
computer program (subject) requesting access, content of the
data (object), and everything else tracked in the MAC ruleset.
v ABAC is not only the most flexible and powerful of the four
access control models, but also the most complex.
v Technically, ABAC is capable of enforcing DAC, MAC, and RBAC,
because an owner, a label, or a role is just another attribute.
v At its core, ABAC enables fine-grained access control, which
allows more input variables into an access control decision.
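The HR/Payroll rule from the slide, together with an RBAC rule written as an attribute and an environment rule, evaluated by a small ABAC policy engine, as an added example in Python that is not code from the study guide. The attribute names, the fixed UTC-5 company time zone, the requests and the deny-overrides combining order are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Callable

# Assumed company time zone: a fixed UTC-5 offset (no DST) for illustration.
COMPANY_TZ = timezone(timedelta(hours=-5))


@dataclass(frozen=True)
class Request:
    subject: dict      # attributes of the requester (type, department, roles, ...)
    resource: dict     # attributes of the thing being accessed
    action: str
    environment: dict  # conditions at decision time (time, source network, ...)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]


def in_business_hours(when: datetime) -> bool:
    """Mon-Fri 09:00-17:00 in the company's own zone, whatever zone the
    requester's clock reports."""
    local = when.astimezone(COMPANY_TZ)
    return local.weekday() < 5 and time(9, 0) <= local.time() < time(17, 0)


POLICY = [
    # The slide's example: HR employees, HR/payroll system, business hours only.
    Rule("hr-payroll", "permit", lambda r: (
        r.subject.get("type") == "employee"
        and r.subject.get("department") == "HR"
        and r.resource.get("system") == "hr_payroll"
        and in_business_hours(r.environment["time"]))),
    # An RBAC rule expressed as an attribute: auditors may read audit logs.
    Rule("auditor-read-logs", "permit", lambda r: (
        "auditor" in r.subject.get("roles", ())
        and r.resource.get("type") == "audit_log"
        and r.action == "read")),
    # An environment rule that overrides everything else.
    Rule("block-external", "deny", lambda r: r.environment.get("network") != "corporate"),
]


def decide(request: Request, policy=POLICY) -> tuple:
    """Deny-overrides combining: any matching deny wins, else a matching permit
    wins, else the default answer is deny. Returns (decision, rule_name)."""
    matched = [rule for rule in policy if rule.condition(request)]
    for rule in matched:
        if rule.effect == "deny":
            return "deny", rule.name
    for rule in matched:
        if rule.effect == "permit":
            return "permit", rule.name
    return "deny", "default"


def make_request(subject, resource, action, when, network="corporate") -> Request:
    return Request(subject, resource, action, {"time": when, "network": network})


# Constructed subjects, resources and times. 2024-03-05 is a Tuesday;
# 15:00 UTC is 10:00 at UTC-5, 23:30 UTC is 18:30.
HR_CLERK = {"type": "employee", "department": "HR", "roles": ("clerk",)}
CONTRACTOR = {"type": "contractor", "department": "HR"}
AUDITOR = {"type": "employee", "department": "Audit", "roles": ("auditor",)}
PAYROLL = {"system": "hr_payroll", "type": "application"}
LOGS = {"system": "siem", "type": "audit_log"}
MORNING = datetime(2024, 3, 5, 15, 0, tzinfo=timezone.utc)
EVENING = datetime(2024, 3, 5, 23, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(decide(make_request(HR_CLERK, PAYROLL, "read", MORNING)))             # permit, hr-payroll
    print(decide(make_request(HR_CLERK, PAYROLL, "read", EVENING)))             # deny, default
    print(decide(make_request(HR_CLERK, PAYROLL, "read", MORNING, "vpn")))      # deny, block-external
    print(decide(make_request(AUDITOR, LOGS, "read", EVENING)))                 # permit, auditor-read-logs
```

Note that the engine never consults an ACL: the same `decide` function produces an RBAC outcome (auditor rule), a time-bound outcome (payroll rule) and an environmental veto, which is what the slide means by ABAC being able to subsume the other models.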
APPLICATION SOFTWARE CONTROLS
v Application software controls provide security by using a
combination of
Ø User identity
Ø Authentication
Ø Authorization
Ø Accountability
v As you will recall, user identity is a claim that must be
authenticated (verified).
v Authorization refers to the right to perform a particular function.
v Accountability refers to holding a person responsible for their
actions, which requires logging that ties each action to the
authenticated identity.
v Most application software uses access control lists to assign
rights or permissions. The access control list contains the user's
identity and the permissions assigned.
APPLICATION SOFTWARE CONTROLS
Database Views
v Data within the database can be protected by using database
views.
v A database view is a stored query that exposes only selected
columns (attributes) and, through its WHERE clause, only selected
rows; users are granted rights on the view rather than on the
underlying table.
v Unfortunately, the data may still be accessible to a skilled
individual: the base table is still there, and anyone holding a
direct grant on it, or reaching it through another application path,
reads every column the view was meant to hide.
v A better method is to create a separate file extract without the
field data you want to keep confidential, and in either case to
revoke direct access to the base table.
APPLICATION SOFTWARE CONTROLS
Restricted User Interface
v Another method of limiting access is to use a restricted user
interface.
v The restricted interface may be a menu with particular options
grayed out or not displayed at all.
v Menu access is preferred to prevent the user from having the
power of command-line arguments.
v The command line is difficult to restrict.
v A restricted interface is only a control if the function behind the
hidden option is also refused on the server side; hiding an option
in the client does not stop a user who invokes the underlying
function directly.
APPLICATION SOFTWARE CONTROLS
Security Label Bypass
v A major concern in security is the ability of users to bypass the
security label.
v The security label is a metadata control in MAC environments
that specifies who may access an object and how it may be
used.
v The IS auditor should work with MAC security managers to
identify ways in which labels and security settings could be
bypassed, e.g., by copying data through an unlabeled channel
such as removable media or a printer.
v Additional compensating controls are necessary in certain
situations to protect against the bypassing of MAC security
labels.
AUTHENTICATION METHODS
v The first step of granting access is identification of the user:
the user presents a claim of identity.
v The second step is to authenticate the user's identity claim against
a known reference.
v The purpose of this authentication is to ensure that the correct
person is granted access.
v Identification is a one-to-many (1:N) search: the sample is
compared against every stored reference until a match is found
or the list is exhausted.
v Authentication is a single-try, one-to-one (1:1) process: the
sample is compared only against the reference for the claimed
identity (compare only, no search). If that single comparison
fails, the authentication has failed.
UNDERSTANDING TYPES OF AUTHENTICATION
v TYPE-1 Something a person knows
Ø Password, PIN, or the answer to a secret question (the username
is the identity claim, not the authenticator)
v TYPE-2 Something a person has in possession
Ø ATM card (the PIN entered with it is a Type-1 factor, so the pair
is two-factor)
Ø Smart card
Ø USB tokens (hard tokens): username + password + the one-time
number displayed by the token
UNDERSTANDING TYPES OF AUTHENTICATION
v TYPE-2 Something a person has in possession
Ø Soft tokens
o A.k.a. digital certificates bound to a specific computer (the
text's example is the CPU's electronic serial number)
o The software token captures unique information, including
that hardware identifier, during the initial certificate-signing
request.
o The resulting digital certificate contains this embedded
information to prove the identity of the computer.
o Soft tokens are intended to be non-portable because each is
assigned to a specific computer; the binding is only as strong
as the protection of the private key, since a certificate and key
copied off the machine are as usable as the original.
UNDERSTANDING TYPES OF AUTHENTICATION
v Type 3: Physical Characteristic
Ø The third type of authentication is based on a unique physical
characteristic.
Ø The recording of physical characteristics and the matching
process is known as biometrics.
Ø This includes 3D body geometry, retina scan, fingerprints,
palm prints, and dental composition.
Ø Biometrics uses one or more unique characteristics to
authenticate the identity claimed by the user.
Ø This is accomplished by using either a grouping of physiological
characteristics or behavioural characteristics.
Ø You are expected to understand the different types of
biometric data used for authentication.
BIOMETRICS USING PHYSIOLOGICAL CHARACTERISTICS
v These are considered strong authenticators of the user's identity
because they are difficult to forge.
v A risk still exists in the management of the biometric sample and
the system implementation.
v Fingerprints have been used for many years to identify people,
especially criminals.
v In biometrics, attributes of the fingerprint sample are scored to
create an individual authentication template used to verify (not
identify) the user.
v Information about the user's fingerprint attributes is recorded
in a biometrics database.
BIOMETRICS USING PHYSIOLOGICAL CHARACTERISTICS
v Rather than the actual image, only summary lists of fingerprint
features are recorded in a mathematical scoring record.
v These features include curvature, position, ridge patterns, deltas
(separation), combined ridges (crossovers), islands, and
bifurcations (ridge joins).
v The feature data is recorded as minutiae points on a minutiae
map and then converted into numeric data.
v When the user attempts to authenticate, the process runs very
fast: minutiae are identified by the acquisition sensor
hardware, computed into numeric data in the same way as the
enrolment sample, and compared to the reference template in
the biometric database.
v Palm Print
Ø A person’s palm print is as unique as a fingerprint.
Ø Like a fingerprint, the palm of the hand contains a significant
number of unique minutiae plus additional wrinkle lines,
blood vessel patterns, and scars.
Ø The palm offers a larger volume of data, which is converted
into a numeric biometric template in a manner similar to
fingerprint minutiae.
v Hand Geometry
Ø The concept of hand geometry is to measure the details of a
person’s hand in a three-dimensional image.
Ø The usual technique is to put your hand into a machine of
biometric sensors with your fingers spread between metal
pegs.
Ø Another method in hand geometry is to grasp a metal knob or
bar while sensors measure your knuckle creases or blood
vessel patterns.
Ø Hand geometry is quite effective.
Ø Data is converted into a numeric biometric template in a
manner similar to fingerprint minutiae.
v Retina Scan
Ø The retina, located at the rear of the eyeball, contains a
unique pattern of tiny veins that reflect light.
Ø The red-eye in photographs is the reflection of the retina.
Ø Changes in the retina occur during a person’s life.
Ø Some of these changes may signal the onset of a new medical
condition, such as stroke or diabetes.
Ø Users may be concerned about physiological issues or the
possible invasion of privacy.
Ø Overall, retina scanning is very reliable.
v Iris Scan
Ø Iris-scanning technology is based on visible features (freckles,
rings, and furrows) in the colored ring surrounding the eye's
pupil.
Ø The iris provides stable data from one year of age through a
person's entire life.
Ø The visible features and their locations are combined to form
an iris-code digital template.
Ø To use an iris scanner, a person is asked to look into an
eyepiece and focus on a displayed image.
Ø A biometric camera sensor records data of the iris and
compares it to the template in the biometric database; a
separate liveness check confirms that the viewer is a living
person.
Ø Colored contacts would be detected because the iris would
not change (or move) as the eye refocuses during the scan.
Ø Iris scanning is very dependable.
v Face Scan
Ø Decades-old face-scanning technology uses a series of still
images captured by video camera.
Ø The technology uses three-dimensional measurements of
facial features, including the position of eye sockets, nose,
mouth openings, ear geometry, and heat pattern
thermography.
Ø The feature data is extracted from the image to form a
numeric facial biometric template of 1,000 to 1,500 bytes.
v DNA Analysis
Ø This tried and true method has been in use for a long time.
Ø DNA is collected from cheek cells, hair follicles, or blood.
Ø It is very intrusive and slow, and is still used mainly in
government or military-related activities.
Ø DNA analysis can be confused by certain medical treatments,
such as bone marrow transplants for cancer and organ
transplants, which can leave a person carrying donor DNA.
BIOMETRICS USING BEHAVIORAL CHARACTERISTICS
v Behavioral characteristics are considered a weak type of
authentication because of concerns about their authenticity.
v Behavior is easier to forge than physical characteristics.
v Examples
Ø Signature dynamics
o Monitored for time duration, pressure, and technique
o Disadvantage is that many individuals do not write their
signature consistently.
Ø Voice Pattern
o Voice pattern recognition is an inexpensive method of
identifying a person by the way they talk.
o Not the same as speech recognition.
o Speech recognition assembles sounds into words.
o Voice pattern analysis checks for characteristics of pitch,
tone, and sound duration.
o A person’s voice is analyzed for unique sound
characteristics, tone, inflection (stress), and speed.
o The typical method is to ask a user to repeat a particular
passphrase.
o The characteristics of the passphrase are converted into a
digital template.
o Voice pattern recognition is less expensive and less
accurate than other types of biometrics.
o Voice authentication can be fooled by recorded audio
playback of a person's voice, or by synthesized speech.
Ø Body Movement (Pattern Analysis)
o Physical body locomotion (also known as movement) is one
of the oldest methods of authentication.
o For example, the subtle unique or dramatic way a person
walks, moves, shuffles, or limps has been recognized for
thousands of years.
CHECKPOINT ?
Which of the following is the least dependable form of
biometrics?
a. Hand geometry
b. Facial recognition
c. Signature analysis
d. Iris scanning
MANAGING BIOMETRIC SYSTEMS
v Biometrics comprises technology-based systems and hence
requires a disciplined approach.
v Each biometric system follows an SDLC approach.
v Auditors will encounter a growing number of clients using or
planning to implement biometric systems.
v Remember that auditors don’t need to be technicians.
v Your job as auditors is to witness whether executive managers
did their job of selecting the right system and how it is governed.
MANAGING BIOMETRIC SYSTEMS
Phase-1 Biometric Feasibility
v Management determines the need, purpose, and function for
biometrics.
v Real planning considers the following points:
Ø Analysis of regulations and classification of data to be
protected.
Ø Physical environment, mission, and people. What problem is
biometrics going to solve?
Ø Effect of biometrics on employees, customers, and business
partners.
Ø Data collection may be difficult because of perceptions of
intrusiveness, possible misuse, implications of system failure,
and moral concerns.
Ø Return on investment (ROI) after analysis of initial cost,
ongoing operation, maintenance, and comparison of
alternatives.
Phase-2 Biometric Requirements
v Identification of the ownership roles, custodian duties, and users
of the system.
v Executive support in the form of a signed biometrics policy,
budget, and delegation of authority.
v Physical access restrictions covering both the biometric system
and the area it will protect.
v Logical (technical) access needs to be restricted to prevent direct
access into the repository of enrolled templates.
v Interfaces to other applications, such as single sign-on (SSO),
should pass only the result of a match (an assertion), never the
biometric template itself, so that integration does not
compromise the repository.
v Work out details about biometric standards, data storage capacity,
security, maintenance, backup, and restoration procedures.
v Functionality for the intended use. Will it do the job? Is additional
functionality needed, such as the ability to export data for FBI
background investigations? If so, the system needs that
capability plus an implementation using the Common
Biometric Exchange Formats Framework (CBEFF) with the
Electronic Fingerprint Transmission Specification (EFTS).
v Risk analysis for what happens when this system fails.
v The two most common failures are rejecting authorized people
(false rejection) and mistakenly accepting an attacker (false
acceptance).
Phase-3 System Selection
Phase-4 System Configuration
v Installing hardware and software
v Calibrating and recalibrating the system
v Following operating procedures for enrollment, security,
transmission, processing, backup, and restoration
v Using transaction controls
v Monitoring the systems and logs
v Detecting system compromise plus use of corresponding incident
response procedures
v Connecting the biometric system interface to other systems
Phase-5-6 Biometric Implementation and post Implementation
Phase-7 Biometrics System Disposal
v Regulations related to the system
v Record retention requirements, and ways to archive the data.
DRAWBACKS OF BIOMETRIC SYSTEMS
v Failure to Enrol (FTE), due to image quality, calibration issues, or
the scanner's inability to interpret physical abnormalities.
v False Rejection Rate (FRR), also called type 1 error: the share of
genuine users the system turns away.
v False Acceptance Rate (FAR), also called type 2 error: the share
of impostors the system lets in.
v The two move in opposite directions as the match threshold is
tuned: a stricter threshold lowers FAR and raises FRR, and vice
versa. A DET (Detection Error Tradeoff) curve plots that
trade-off.
v Equal Error Rate (EER): the point on the DET curve where FAR
and FRR are equal. In general, the lower the EER value, the higher
the accuracy of the biometric system.
v Crossover Error Rate (CER) is another name for the same point
(the FAR and FRR curves cross there) and is the usual single
figure for comparing biometric products. The EER/CER is not a
speed setting: an operator who favors security tunes the
threshold to a point of lower FAR and accepts the higher FRR
that comes with it.
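The 1:1 verification and 1:N identification processes described under Authentication Methods, together with FAR, FRR, the DET curve and the equal error rate from this slide, as one added example in Python that is not code from the study guide. Templates are reduced to small sets of constructed minutiae points with a Jaccard similarity standing in for a vendor's matcher, and the genuine/impostor score lists are constructed to give a readable curve; none of the values come from a real system.

```python
# A minutiae template reduced to a set of quantised (x, y, ridge-angle) points.
# Real templates are vendor-specific; this constructed form only serves to
# show the matching and error-rate logic.
Template = frozenset


def similarity(a: Template, b: Template) -> float:
    """Jaccard overlap of two minutiae sets, in [0, 1]."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def verify(claimed_id: str, probe: Template, db: dict, threshold: float) -> bool:
    """Authentication, 1:1: compare the probe only against the template
    stored for the claimed identity. One comparison, pass or fail."""
    reference = db.get(claimed_id)
    return reference is not None and similarity(probe, reference) >= threshold


def identify(probe: Template, db: dict, threshold: float):
    """Identification, 1:N: search every enrolled template and return the
    best match at or above threshold, or None once the list is exhausted."""
    best_id, best_score = None, threshold
    for enrolled_id, reference in db.items():
        score = similarity(probe, reference)
        if score >= best_score:
            best_id, best_score = enrolled_id, score
    return best_id


def error_rates(genuine: list, impostor: list, threshold: float) -> tuple:
    """FRR (type 1): genuine attempts scoring below threshold are rejected.
    FAR (type 2): impostor attempts scoring at/above threshold are accepted.
    Returns (FAR, FRR)."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return far, frr


def det_curve(genuine: list, impostor: list) -> list:
    """(threshold, FAR, FRR) at every distinct score. Raising the threshold
    lowers FAR and raises FRR; that trade-off is what a DET plot shows."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_rate(genuine: list, impostor: list) -> tuple:
    """The crossover point where FAR == FRR (closest point on a discrete
    curve). Returns (threshold, EER)."""
    t, far, frr = min(det_curve(genuine, impostor), key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


def threshold_for_max_far(genuine: list, impostor: list, max_far: float):
    """Tuning toward security: the lowest threshold whose FAR does not exceed
    max_far, with the FRR that setting costs. None if no threshold qualifies."""
    for t, far, frr in det_curve(genuine, impostor):
        if far <= max_far:
            return t, far, frr
    return None


# Constructed enrolled templates and probes for illustration.
ENROLLED = {
    "alice": frozenset({(1, 2, 0), (3, 4, 1), (5, 6, 2), (7, 8, 3), (9, 1, 0)}),
    "bob": frozenset({(2, 2, 1), (4, 4, 2), (6, 6, 3), (8, 8, 0), (1, 9, 1)}),
}
ALICE_PROBE = frozenset({(1, 2, 0), (3, 4, 1), (5, 6, 2), (7, 8, 3), (2, 9, 1)})   # one minutia shifted
STRANGER_PROBE = frozenset({(2, 2, 1), (4, 4, 2), (0, 0, 0), (5, 5, 5), (9, 9, 9)})
# Constructed match scores from ten genuine and ten impostor attempts.
GENUINE_SCORES = [0.95, 0.90, 0.88, 0.85, 0.80, 0.75, 0.70, 0.60, 0.55, 0.40]
IMPOSTOR_SCORES = [0.10, 0.15, 0.20, 0.30, 0.35, 0.45, 0.50, 0.55, 0.65, 0.72]

if __name__ == "__main__":
    print("verify alice:", verify("alice", ALICE_PROBE, ENROLLED, 0.6))
    print("identify stranger:", identify(STRANGER_PROBE, ENROLLED, 0.6))
    for t, far, frr in det_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}  FAR {far:.1f}  FRR {frr:.1f}")
    print("EER at threshold:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 0.1 costs:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.1))
```

With these constructed scores the curves cross at threshold 0.60 (FAR = FRR = 0.2); insisting on FAR of at most 0.1 pushes the threshold to 0.70 and the FRR to 0.3, which is the security-versus-convenience decision the EER alone does not make for you.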
DRAWBACKS OF BIOMETRIC SYSTEMS
70
THANKS