Information Security Chapter 6
Learning Objective 1: Describe general approaches to analyzing vulnerabilities and threats in information systems.
Overview
• The term information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
  • Confidentiality: preserving authorized restrictions on access and disclosure.
  • Integrity: guarding against improper information modification or destruction.
  • Availability: ensuring timely and reliable access.

Overview
• The information security management system (ISMS) is an organizational internal control process that controls the special risks associated with information within the organization.
• The ISMS has the basic elements of any information system, such as hardware, databases, procedures, and reports.
• The ISMS is part of the larger enterprise risk management (ERM) process by which management balances risk versus opportunities.

The Information Security in the Organization
• The information security system must be managed by a chief security officer (CSO).
• This individual should report directly to the board of directors in order to maintain complete independence.
• A primary duty of the CSO is to present reports to the BOD for approval covering each phase of the life cycle:
Analyzing Vulnerabilities and Threats
• Two Basic Approaches:
  • Quantitative approach to risk assessment
  • Qualitative approach to risk assessment

Analyzing Vulnerabilities and Threats
• Quantitative Approach to Risk Assessment: each loss exposure is computed as the product of the cost of an individual loss times the likelihood of its occurrence.
• Difficulties:
  • Identifying the relevant costs per loss and the associated likelihoods can be difficult.
  • Estimating the likelihood of a given failure requires predicting the future, which is very difficult.

Analyzing Vulnerabilities and Threats
• Qualitative Approach to Risk Assessment: lists out the system's vulnerabilities and threats and subjectively ranks them in order of their contribution to the company's total loss exposures.

Analyzing Vulnerabilities and Threats
• Regardless of the method used, an analysis must include loss exposure for the following areas:
  • Business interruption
  • Loss of software
  • Loss of hardware
  • Loss of facilities
  • Loss of service and personnel
  • Loss of reputation
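The quantitative approach above (cost of one loss times its likelihood) applied to the six loss-exposure areas, as an added example that is not part of the chapter. The cost and likelihood figures are constructed; the point is that because likelihoods are estimates, ranking the areas under the low and high ends of each estimate can reorder them, which is the difficulty the slide names.

```python
from dataclasses import dataclass

@dataclass
class Exposure:
    area: str                # one of the slide's loss-exposure areas
    cost: float              # estimated cost of a single loss event
    likelihood_low: float    # lower estimate of annual likelihood
    likelihood_high: float   # upper estimate of annual likelihood

def expected_loss(cost, likelihood):
    """Quantitative approach: cost of one loss times its likelihood."""
    return cost * likelihood

def rank_exposures(exposures, bound):
    """Rank areas by expected loss using the 'low' or 'high' likelihood."""
    scored = []
    for e in exposures:
        p = e.likelihood_low if bound == "low" else e.likelihood_high
        scored.append((e.area, expected_loss(e.cost, p)))
    return sorted(scored, key=lambda t: t[1], reverse=True)

def total_exposure(exposures, bound):
    """Sum of expected losses: the company's total loss exposure."""
    return sum(v for _, v in rank_exposures(exposures, bound))

def rank_shift(exposures):
    """Position of each area under low vs. high estimates; a large shift
    shows how much the ranking depends on the likelihood guess."""
    low = [a for a, _ in rank_exposures(exposures, "low")]
    high = [a for a, _ in rank_exposures(exposures, "high")]
    return {a: (low.index(a) + 1, high.index(a) + 1) for a in low}

# Constructed figures for illustration only (not from the chapter).
SAMPLE = [
    Exposure("Business interruption", 200_000, 0.05, 0.20),
    Exposure("Loss of software", 50_000, 0.10, 0.15),
    Exposure("Loss of hardware", 80_000, 0.10, 0.12),
    Exposure("Loss of facilities", 1_000_000, 0.004, 0.01),
    Exposure("Loss of service and personnel", 120_000, 0.05, 0.10),
    Exposure("Loss of reputation", 300_000, 0.01, 0.08),
]

if __name__ == "__main__":
    for bound in ("low", "high"):
        print(bound, rank_exposures(SAMPLE, bound), total_exposure(SAMPLE, bound))
    print(rank_shift(SAMPLE))  # reputation moves from last place to second
```

With these figures the total exposure spans 36,000 to 103,100 and "Loss of reputation" moves from rank 6 to rank 2, so the ranking is only as good as the likelihood estimates behind it.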
Learning Objective 2: Identify active and passive threats to information systems.

Vulnerabilities and Threats
• A vulnerability is a weakness in a system.
• A threat is a potential exploitation of a vulnerability.

Vulnerabilities and Threats
• Two categories of threats:
  • Active threats include information systems fraud and computer sabotage.
  • Passive threats include system faults, as well as natural disasters (e.g., earthquakes, floods, fires, and hurricanes).
    • System faults represent component equipment failures such as disk failures, power outages, etc.

Individuals Posing a Threat to the Information System
• There are three groups of individuals that could carry out an attack on an information system:
  • Computer and information systems personnel are often given a wide range of access privileges to sensitive data and programs.
  • Users are given narrow access, but can still find ways to commit fraud.
  • Intruders and attackers are given no access, but are highly capable.

Individuals Posing a Threat to the Information System
• Computer and Information Systems Personnel include:
  • Computer maintenance personnel
  • Programmers
  • Network operators
  • Information systems administrative personnel
  • Data control clerks

Individuals Posing a Threat to the Information System
• Users are composed of heterogeneous groups of people. Their functional area does not lie in data processing or information technology.
• An intruder is anyone who accesses equipment, electronic data, files, or any kind of privileged information without proper authorization.

Individuals Posing a Threat to the Information System
• A hacker is an intruder who uses electronic and other means to break into or attack information systems for fun, challenge, profit, revenge, or other nefarious motives.
• Not all hackers are malicious:
  • White hat hackers legitimately probe systems for weaknesses to help with security.
  • Black hat hackers attack systems for illegitimate reasons.
  • Grey hat hackers are white hat hackers who skirt the edges of the law.
Methods of Attack by Information Systems Personnel and Users
Methods of Attack by Information Systems Personnel and Users
• Input manipulation is used in most cases of insider computer fraud.
• Program alteration is one of the least common methods.
• Direct file alteration occurs when individuals find ways to bypass the normal process for inputting data into computer programs.

Methods of Attack by Information Systems Personnel and Users
• Data theft is a serious problem.
• Sabotage poses a serious danger to information systems.
• Misappropriation or theft of information occurs when employees use company computers' resources for their own personal use or their own business.
Learning Objective 3: Identify key aspects of an information security system.

Methods of Attack by Information Systems Personnel and Users
• Security measures focus on preventing and detecting threats.
• Contingency plans focus on correcting the effects of threats.
• The basic elements of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) are important to the ISMS.

The Control Environment
• Establishing a good control environment depends on seven factors:
  • Management philosophy and operating style
  • Organizational structure
  • Board of directors and its committees
  • Methods of assigning authority and responsibility
  • Management control activities
  • Internal audit function
  • Personnel policies and practices
  • External influences

Controls for Active Threats
• The layered approach to access control involves erecting multiple layers of controls that separate the would-be perpetrator from his or her potential target.
  • Site-access controls physically separate unauthorized individuals from information systems resources.
  • System-access controls authenticate users with user IDs, passwords, IP addresses, and hardware devices.
  • File-access controls prevent unauthorized access to data and program files.

Controls for Passive Threats
• Preventative controls:
  • Fault-tolerance systems use redundant components to take over when one part of the system fails, so the system can continue operating with little or no interruption.
Controls for Passive Threats
• Corrective controls:
  • File backups:
    • A full backup backs up all files on a given disk; each file's archive bit is then set to 0.
    • An incremental backup backs up only those files that have been modified since the last full or incremental backup.
    • A differential backup is the same as an incremental backup, except that the archive bits are not reset to 0.
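The archive-bit behaviour of the three backup types, as an added example that is not part of the chapter. It models a constructed three-file disk, runs a full backup followed by two changes and two partial backups of one kind, and reports which backup sets a restore would need (every incremental in order, versus the full set plus only the latest differential).

```python
from dataclasses import dataclass

@dataclass
class File:
    name: str
    archive_bit: int = 1   # 1 = modified since a backup last reset it

class Disk:
    """Constructed in-memory disk; every file starts with its archive bit set."""
    def __init__(self, names):
        self.files = {n: File(n) for n in names}

    def modify(self, name):
        self.files[name].archive_bit = 1   # any write sets the bit again

def full_backup(disk):
    """Copy every file and reset every archive bit to 0."""
    copied = sorted(disk.files)
    for f in disk.files.values():
        f.archive_bit = 0
    return copied

def incremental_backup(disk):
    """Copy only files changed since the last full or incremental backup,
    then reset their bits so the next incremental skips them."""
    copied = sorted(n for n, f in disk.files.items() if f.archive_bit)
    for n in copied:
        disk.files[n].archive_bit = 0
    return copied

def differential_backup(disk):
    """Same selection as incremental, but the bits are left at 1, so each
    differential holds everything changed since the last full backup."""
    return sorted(n for n, f in disk.files.items() if f.archive_bit)

def run_cycle(backup):
    """Full backup, then two changes each followed by the given backup type.
    Returns (full set, first partial set, second partial set)."""
    disk = Disk(["ledger.db", "payroll.xls", "config.ini"])  # constructed
    full = full_backup(disk)
    disk.modify("ledger.db")
    first = backup(disk)
    disk.modify("payroll.xls")
    second = backup(disk)
    return full, first, second

def sets_to_restore(kind, full, partials):
    """Incremental: the full set plus every partial set, in order.
    Differential: the full set plus only the latest partial set."""
    if kind == "incremental":
        return [full] + partials
    return [full, partials[-1]] if partials else [full]
```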
Internet Security
• Operating System Vulnerabilities:
  • Virtualization
  • Hypervisor
• Web server vulnerabilities
• Private network vulnerabilities
• Vulnerabilities from server and communication programs

Internet Security
• Cloud Computing
  • Cloud is a synonym for the Internet
  • Cloud computing is the use of cloud-based services and data storage.
  • Software as a Service (SaaS)
  • Grid computing involves clusters of interlinked computers that share common workloads.
• General Security Procedures

Learning Objective 4: Discuss contingency planning and other disaster risk management practices.

Disaster Risk Management
• Disaster risk management is essential to ensure continuity of operations in the event of a catastrophe.
  • Prevention
  • Contingency planning

Disaster Risk Management
• Disaster prevention is the first step in managing disaster risk.
• Frequencies of disaster causes:
  • Natural disasters 30%
  • Deliberate actions 45%
  • Human error 25%
• Disasters can be mitigated or avoided by a good security policy.

Disaster Risk Management
• Contingency Planning for Disasters
  • A disaster recovery plan must be implemented at the highest levels in the company.
  • The first step in developing a disaster recovery plan is obtaining the support of senior management and setting up a planning committee.

Disaster Risk Management
• The design of a disaster recovery plan should include three major components:
  • Assess the company's critical needs.
  • List priorities for recovery.
  • Establish strategies and procedures.

Disaster Risk Management
• A complete set of recovery strategies should take into account the following considerations:
  • Emergency response center
  • Escalation procedures
  • Alternate processing arrangements
  • Personnel relocation and replacement plans
  • Salvage plan
  • Plan for testing and maintaining the system
Information Security Standards
• ISO/IEC 27000 has 12 categories:
  • Risk assessment
  • Security policies
  • Organization and governance of IS
  • Asset management
  • Human resources
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • IS acquisition, development, and maintenance
  • IS incident management
  • Business continuity management
  • Compliance

Information Security Standards
• The COBIT framework is divided into four domains:
  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate
• COSO's Internal Control – Integrated Framework: Guidance on Monitoring Internal Control.

Business Continuity Planning and Disaster Recovery Standards
• A business continuity plan is a strategy to mitigate disruption to business operations in the event of a disaster.
• In the U.S., various economic sectors and industries are subject to BCP compliance standards:
  • Security of Federal Automated Information Resources
  • Financial Institution Safeguards
  • Sound Practices for Management and Supervision
  • Specification for Business Continuity Management