Technical Protection of Assets
INFS 6310
Dr. Charles H. Apigian
capigian@mtsu.edu
Excerpts from Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing, CoBIT 4.1, and ISO17799

Technical Aspects of Information Assets
• Technical Control Classifications
• Authentication Methods
• Biometrics
• Network Access Protection
• Kerberos SSO
• Firewalls
• Intrusion Detection
• Remote Dial-Up Access
• Wireless Access
• Encryption Methods
• Design for Redundancy
• Telephone Security
• Technical Security Testing
Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing

Technical Control Classifications
• Mandatory
  • Uses labels and a set of rules
• Discretionary
  • Allows a designated individual to decide the level of access (flexible)
• Role-Based
  • Certain jobs have a level of access
• Task-Based
  • Enables the access needed to perform a specific task (limited testing, data entry, etc.)
Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing

Authentication Methods
• Identification
  • A claim of identity by which a search process is used to compare known entities until there is a match or the list is exhausted.
• Authentication
  • A single match of the identity claim against reference information.
  • Something you know (for example, a password)
  • Something you have (for example, an ID badge or a cryptographic key)
  • Something you are (for example, a voice print or other biometric)

Biometrics
• Types of Physiological Characteristics
  • Fingerprint
  • Palm print
  • Hand geometry
  • Retina scan
  • Iris scan
  • Face scan
• Types of Behavioral Characteristics
  • Signature dynamics
  • Voice pattern

Using Biometrics
• Feasibility
• Requirements
• System selection
• System configuration
• Implementation
• Post-implementation
• Biometric system disposal phase
Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing

Problems with Biometrics
• Enrollment
• Failure to enroll
• False rejection
• False acceptance
• Equal error/crossover error rate
• Throughput rate
Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing

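
How false acceptance, false rejection and the equal (crossover) error rate relate, as an added example that is not from the slides or the cited study guide. The match scores are constructed, and the definitions used are the standard ones: the false acceptance rate is the share of impostor attempts accepted, the false rejection rate is the share of genuine attempts rejected.

```python
# Constructed match scores (0 = no similarity, 1 = perfect match).
GENUINE = [0.91, 0.85, 0.78, 0.88, 0.69, 0.95, 0.81, 0.74, 0.90, 0.62]
IMPOSTOR = [0.20, 0.35, 0.41, 0.15, 0.66, 0.30, 0.52, 0.71, 0.25, 0.45]

def rates(threshold, genuine, impostor):
    """Return (false acceptance rate, false rejection rate) at a threshold.

    A sample is accepted when its score is >= threshold.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def crossover(genuine, impostor, steps=100):
    """Sweep the threshold and return (threshold, FAR, FRR) where the two
    error rates are closest: the equal / crossover error rate."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)   # keep the first threshold with the smallest gap
    return best[1:]

if __name__ == "__main__":
    # A lenient threshold accepts impostors; a strict one rejects real users.
    for t in (0.50, 0.80):
        far, frr = rates(t, GENUINE, IMPOSTOR)
        print(f"threshold {t:.2f}: FAR={far:.0%} FRR={frr:.0%}")
    t, far, frr = crossover(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t:.2f}: FAR={far:.0%} FRR={frr:.0%}")
```

A lower crossover error rate means the two score distributions overlap less, which is why it is the usual single figure for comparing biometric systems.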
Network Access Protection
• OSI Model
• Hubs, switches and routers
• Firewalls
• Intrusion Detection

OSI Model
• Open Systems Interconnect (OSI) reference model
• Provides basis for communication among computers over networks

Types of Networks
• LAN - Local Area Network
• WLAN - Wireless Local Area Network
• WAN - Wide Area Network
• MAN - Metropolitan Area Network
• SAN - Storage Area Network, System Area Network, Server Area Network, or sometimes Small Area Network
• CAN - Campus Area Network, Controller Area Network, or sometimes Cluster Area Network
• PAN - Personal Area Network
• DAN - Desk Area Network
www.compnetworking.about.com

Network Configurations www.webopedia.com
Hub or a Switch?
• Hubs and switches are the same except…
  • Dumb hubs pass along all network traffic they receive (e.g. a PA system)
  • Switches (“switching hubs”) are clever enough to pass on only relevant network traffic to recipients (like a phone call)
M. Kelley et al.

Routers
• 3 main roles…
  • Route packets across networks and the internet
  • Security device that guards the connection between a LAN and the outside world (another LAN or a WAN)
  • Divide LANs into self-contained, protected areas, e.g. admin / student networks in a school

Routers
• Act as a firewall at home, replacing software firewalls like Zone Alarm
• Can be programmed to allow only authorized incoming and outgoing traffic
  • Example: can block certain sites or forbid MP3 music files from entering
• Most home routers also have a built-in mini-switch, but remember: a switch is not a router!
• Home routers often combine: switch, ADSL modem, print server

Firewalls
• Firewalls
  • Used to secure connections to an unsecured network such as the Internet
  • Provide defense against:
    • Poor authentication
    • Weak software
    • Spoofing
    • Scanners and crackers

Firewalls Schou, Corey and Dan Shoemaker, “Information Assurance for the Enterprise: A Roadmap to Information Security”, 1st Edition, McGraw-Hill Irwin (2007)
Firewalls
• Packet-filtering firewalls
  • Use filters (rules) to determine which packets should be allowed, based on metrics such as IP addresses and contained protocols
• Stateful packet-filtering (inspection) firewalls
  • Connection information maintained in state tables
  • Validated packets forwarded based on rule set defined for particular connection
• Application proxy firewalls
  • Shielding and filtering mechanism between public and private networks, allowing complete shielding of applications

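
The difference between packet filtering and stateful inspection, as an added example that is not from the slides or the cited books. The rule set, addresses (documentation ranges) and packets are constructed; the point is that a per-packet rule cannot tell a genuine reply from a packet that merely looks like one, while a state table can.

```python
INSIDE = "192.0.2."   # constructed internal prefix (documentation address range)

def stateless_allow(pkt):
    """Packet filter: each packet is judged alone, on addresses and ports."""
    src, sport, dst, dport, flags = pkt
    if src.startswith(INSIDE) and dport == 443:
        return True            # rule 1: outbound HTTPS
    if dst.startswith(INSIDE) and sport == 443:
        return True            # rule 2: anything that claims to be an HTTPS reply
    return False               # default deny

class StatefulFilter:
    """Stateful inspection: inbound packets must match a tracked connection."""
    def __init__(self):
        self.table = set()     # state table: (client, cport, server, sport)

    def allow(self, pkt):
        src, sport, dst, dport, flags = pkt
        if src.startswith(INSIDE) and dport == 443:
            conn = (src, sport, dst, dport)
            if flags == "SYN":
                self.table.add(conn)          # new outbound connection
            elif conn not in self.table:
                return False                  # mid-stream packet, no known connection
            if flags in ("FIN", "RST"):
                self.table.discard(conn)      # connection closed, forget it
            return True
        # Inbound: swap the endpoints and look the connection up.
        return (dst, dport, src, sport) in self.table

PACKETS = [  # constructed sample traffic
    ("192.0.2.10", 50000, "198.51.100.5", 443, "SYN"),      # client opens connection
    ("198.51.100.5", 443, "192.0.2.10", 50000, "SYN-ACK"),  # genuine reply
    ("203.0.113.9", 443, "192.0.2.10", 50001, "ACK"),       # unsolicited "reply"
    ("192.0.2.10", 50000, "198.51.100.5", 443, "RST"),      # client tears down
    ("198.51.100.5", 443, "192.0.2.10", 50000, "ACK"),      # late packet after close
]

def compare(packets):
    """Return (stateless decision, stateful decision) for each packet."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

if __name__ == "__main__":
    for pkt, (plain, stateful) in zip(PACKETS, compare(PACKETS)):
        print(pkt, "packet filter:", plain, "stateful:", stateful)
```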
Comparison of Firewall Technologies Schou, Corey and Dan Shoemaker, “Information Assurance for the Enterprise: A Roadmap to Information Security”, 1st Edition, McGraw-Hill Irwin (2007)
Intrusion Detection Systems (IDSs)
• Detects a violation of its configuration and activates alarm
• Many IDSs enable administrators to configure systems to notify them directly of trouble via e-mail or pagers
• Systems can also be configured to notify an external security service organization of a “break-in”

IDS Terminology
• Alert or alarm
• False attack stimulus
• False negative
• False positive
• Noise
• Site policy
• Site policy awareness
• True attack stimulus
• Confidence value
• Alarm filtering

Why Use an IDS?
• Prevent problem behaviors by increasing the perceived risk of discovery and punishment
• Detect attacks and other security violations
• Detect and deal with preambles to attacks
• Document existing threat to an organization
• Act as quality control for security design and administration, especially of large and complex enterprises
• Provide useful information about intrusions that take place

Types of IDSs and Detection Methods
• IDSs operate as network-based, host-based, or application-based systems
• All IDSs use one of two detection methods:
  • Signature-based
    • Examines data traffic in search of patterns that match known signatures (predetermined attack patterns)
  • Statistical anomaly-based
    • Collects statistical summaries by observing traffic that is known to be normal. The statistical IDS then samples network activity and uses statistical methods to compare the sample to the baseline (normal) activity.
• Network vs. Host vs. Application based

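
The two detection methods side by side, as an added example that is not from the slides or the cited books. The signatures, request lines and per-minute counts are all constructed; the anomaly rule (more than three standard deviations from the baseline mean) is one common choice, assumed here for illustration.

```python
import re
import statistics

# Constructed signatures for illustration; a real IDS ships a maintained rule set.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-union": re.compile(r"(?i)union\s+select"),
}

def signature_alerts(requests):
    """Signature-based: flag requests matching a known attack pattern."""
    return [(i, name) for i, line in enumerate(requests)
            for name, rx in SIGNATURES.items() if rx.search(line)]

def build_baseline(normal_counts):
    """Summarise traffic known to be normal as (mean, standard deviation)."""
    return statistics.mean(normal_counts), statistics.stdev(normal_counts)

def anomaly_alerts(baseline, samples, k=3.0):
    """Statistical anomaly-based: flag samples more than k deviations from the mean."""
    mean, sd = baseline
    return [i for i, count in enumerate(samples) if abs(count - mean) > k * sd]

# Constructed data: request lines, and requests-per-minute counts.
REQUESTS = [
    "GET /index.html",
    "GET /download?file=../../etc/passwd",
    "GET /search?q=shoes",
    "GET /item?id=1 UNION SELECT name FROM users",
]
NORMAL_PER_MINUTE = [40, 42, 38, 41, 39, 40, 43, 37]
OBSERVED_PER_MINUTE = [41, 39, 44, 120, 40]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(REQUESTS))
    baseline = build_baseline(NORMAL_PER_MINUTE)
    print("baseline (mean, sd):", baseline)
    print("anomalous minutes:", anomaly_alerts(baseline, OBSERVED_PER_MINUTE))
```

Each method has a blind spot the other covers: a flood of ordinary-looking requests matches no signature, and a single malicious request does not move the per-minute count away from the baseline.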
Checklist for Auditing Network Equipment
• Review controls around developing and maintaining configurations.
• Ensure that appropriate controls are in place for any vulnerabilities.
• Verify that all unnecessary services are disabled.
• Ensure good SNMP management practices are followed.
• Review and evaluate procedures for creating user accounts.
• Ensure that appropriate password controls are used.
• Verify that secure management protocols are used when possible.
• Ensure that backups exist for configuration files.
• Verify that logging is enabled and sent to a centralized system.
• Evaluate use of Network Time Protocol.
• Verify that a banner is configured to make all users aware of company policy for use and monitoring.
• Ensure that access controls are applied to the console port.
• Ensure that all network equipment is stored in a secured location.
• Ensure that a standard naming convention is used for all devices.
• Verify that standard, documented procedures exist for building network devices.
Davis, Schiller, and Wheeler, “IT Auditing: Using Controls to Protect Information Assets”, 1st Edition, McGraw-Hill Irwin (2007)

Additional Checklists
• Switches
  • Verify that admins avoid using VLAN 1.
  • Evaluate the use of trunk autonegotiation.
  • Evaluate the use of VLANs.
  • Disable all unused ports, and put them in an unused VLAN.
  • Verify that thresholds exist that limit broadcast/multicast traffic on ports.
• Routers
  • Verify that inactive interfaces on the router are disabled.
  • Ensure that the router is configured to save all core dumps.
  • Verify that routing updates are authenticated.
  • Verify that IP source routing and IP directed broadcasts are disabled.
• Firewalls
  • Verify that all packets are denied by default.
  • Ensure that inappropriate internal and external IP addresses are filtered.
Davis, Schiller, and Wheeler, “IT Auditing: Using Controls to Protect Information Assets”, 1st Edition, McGraw-Hill Irwin (2007)

VPNs
• Connects remote users over an insecure public network
• Connection is virtual because it is temporary with no physical presence.
• Creates an encrypted tunnel to securely pass data
  • Between 2 machines
  • From a machine to a network
  • From a network to a network
• An auditor should ensure that:
  • A good user ID and strong password are used
  • An approval process exists for granting remote access
  • Policies state minimum security requirements for computers accessing the network remotely
  • Business partners' access is removed when no longer needed
  • Controls are in place so that unauthorized connections cannot be made and they are logged
Schou, Corey and Dan Shoemaker, “Information Assurance for the Enterprise: A Roadmap to Information Security”, 1st Edition, McGraw-Hill Irwin (2007)

Auditing Wireless LANs
• Ensure access points are running the latest approved software.
• Evaluate the use of controls around centralized WLAN management.
• Verify that mobile clients are running protective software.
• Evaluate the security of the chosen authentication method.
• Evaluate the security of the chosen communication method.
• Evaluate the use of security monitoring software and processes.
• Verify that there are NO rogue access points.
• Evaluate procedures in place for tracking end-user trouble tickets.
• Evaluate whether appropriate security policies are in place.
Davis, Schiller, and Wheeler, “IT Auditing: Using Controls to Protect Information Assets”, 1st Edition, McGraw-Hill Irwin (2007)

Encryption Methods
• Private Key
• Public Key
• Digital Signatures
• Digital Certificates

Auditing the Use of Encryption
• Ensure that network encryption is implemented.
• Verify that encryption of data at rest is implemented where appropriate.
• Verify how management is controlling and governing the use of encryption.
• Verify the safe storage of keys.

Technical Security Testing
• Network scanning
• Vulnerability scanning
• Password cracking
• Log review
• Penetration testing

IS Auditing Guidelines
• G22 Business-to-consumer (B2C) E-commerce Review
• G24 Internet Banking
• G25 Review of Virtual Private Networks
• G27 Mobile Computing
• G33 General Considerations on the Use of the Internet
• G36 Biometric Controls
• G38 Access Controls

IS Auditing Procedures
• P2 - Digital Signatures
• P3 - Intrusion Detection
• P4 - Viruses and other Malicious Code
• P6 - Firewalls
• P8 - Security Assessment—Penetration Testing and Vulnerability Analysis