
Information systems Security & IT auditing

Information systems Security & IT auditing. Dr. Ir. Paul Overbeek RE, 06-53786475, October 2007, Paul.Overbeek@ois-NL.EU. Paul Overbeek, Paul.Overbeek@OIS-NL.EU, 06-53786475. Universities: Eindhoven, Tilburg, Amsterdam, Rotterdam, Nijenrode, Antwerp and Dauphin/Paris.


Presentation Transcript


  1. Information systems Security & IT auditing. Dr. Ir. Paul Overbeek RE, 06-53786475, October 2007, Paul.Overbeek@ois-NL.EU

  2. Paul Overbeek, Paul.Overbeek@OIS-NL.EU, 06-53786475. Universities: Eindhoven, Tilburg, Amsterdam, Rotterdam, Nijenrode, Antwerp and Dauphin/Paris. Partner, OIS Information Risk & Security Management: information risk & security management, compliance & privacy protection.

  3. Agenda (framework diagram: Monitor, Integrate, Assess, Architect across the layers People, Process and Application - ICT; a 'You are here' marker on the Business / Application & Information / Technique layers)
  • Who am I and who are you? Identity
  • Perspective of the IT auditor
  • IT Security
  • Challenges
  • Some Cases
  • Future watch: what is going to hit us next

  4. Digital identities…

  5. Identity: who's who, where and when; how you are recognized by others. One person, 40 roles:
  • Passport
  • Driving license
  • 12 identity cards
  • 3 telephones
  • 6 personnel IDs
  • 10 club cards
  • 6 PIN codes
  • 15 business passwords
  • 40 private internet passwords
  • DigiD
  • SoFi
  • 06-53786475
  • 3883582
  • P044921

  6. Authorization & access management. Tens of identities, one man, even more roles. So, is this a problem?
  • Could proper IT-security design have prevented this in, say: 1960, 1970, 1980, 1990, 2000?
  • No future without past: innovation & change create history and legacy

  7. Improvement needed. Agenda:
  • Who am I and who are you? Identity
  • Perspective of the IT auditor
  • IT Security
  • Challenges
  • Some Cases
  • Future watch: what is going to hit us next

  8. IT-auditing: to provide assurance. IT auditing is:
  • An independent and unbiased assessment
  • Against specific, agreed-upon or industry standards
  Providing assurance regarding objectives:
  • How 'sure': limited, conditional, reasonable, absolute
  • 'Absolute' assurance is seldom needed
  Objectives:
  • Meeting business objectives: 'From SOX to Semiconductor'
  • Related to confidentiality, integrity, availability
  • Effectiveness, efficiency, manageability and transparency
  Objects include:
  • Organisation, management and ICT
  • Information systems, architectures
  • Development…
  Sponsors for IT-auditing:
  • Usually top management or business process management
  • IT management
  • Other stakeholders: external oversight bodies, financial auditors (accountants), the public, …

  9. Skills. A good IT-auditor has:
  • Expertise: technical, plus some business knowledge
  • An unbiased attitude
  • Social and communicative skills
  • Empathy towards the object of the audit
  • Theory & practice: 2 years post-master education, 3 years practice, a code of conduct, registration

  10. Objects for auditing
  • ICT: many views exist
    • Applications, middleware, OS, networks, components, architectures
    • The individual system, the 'bubble', the chain, or the unknown
  • Organization:
    • Business alignment, ICT management, development, maintenance, sourcing
    • HRM, facilities, IM, MT, finance, admin, legal, …
  • Involved partners:
    • Customers/clients, own personnel, IT managers, developers, partners
    • Top management, oversight, accountant, public interest, stockholders, …
  • Where are the risks? How to deal with risk in a responsible manner: information security, risk management & compliance

  11. From control objectives to controls. Controls are designed such that the control objectives are met (framework diagram: Monitor, Integrate, Assess, Architect over the layers People, Process, Application - ICT, ICT-security). Example mapping, in which one control can serve several objectives:
  • Control objective A: Control A.1, Control A.2, Control A.3
  • Control objective B: Control B.1, Control B.2, Control A.3
  • Control objective C: Control A.2, Control B.1

  12. Imagine… In the ideal world:
  • People are honest, do not make mistakes and know what to do
  • Business and IT-management processes are well designed and understood
  • Hardware does not fail and software is well designed, reliable, well maintained and serves business purposes & risks
  In the ideal world, auditing would not be needed. But people make mistakes and processes falter, while controls built into ICT are of constant quality. So, when and wherever possible, ICT controls are preferred.

  13. Main technical controls
  • Identification & authentication
  • Authorization
  • Logical access control
  • Integrity controls (input controls)
  • Confidentiality controls (classification)
  • Continuity controls / load balancing
  • Cryptography
  • Monitoring, logging/audit trails, vulnerability analysis, IDS & alerting
  • Backup / alternate resourcing / restore
  • And… hardening → do not forget this one!
  Controls should be balanced.

  14. Paul Overbeek

  15. WoW (way of working) of the IT-auditor (1/3). To assess security:
  • Standards (applied risk-based or control-objective-based)
    • Code of Practice for Information Security Management
    • COBIT
    • Hardening standards
    • Legal requirements
    • Company / branch specific
  • Checklists, interviews, observation, testing, and…

  16. WoW (2/3). Tools – general IT infrastructure / networks
  • Penetration testing toolboxes & services ('good guys hacking')
    • Outside-in, inside-in, black box / white box
    • Mostly used for outside-in & general infrastructure
  • Interception of communication (sniffers) and reuse of authentication information
  • Honey pots: mimic trustworthy machines and use proxy opportunities
  • Use 'scouts': agents / Trojans / non-destructive viruses
  • Listen to wireless networks
  • Stress testing (DoS)
  • Known 1st-day exploits, cross-site scripting, bugs
  • Vulnerability scanners: automated tools that check policies ('settings') against known vulnerabilities
  • SOC
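The last kind of tool on the slide, a scanner that compares configured 'settings' against a hardening baseline, is small enough to show in full. The block below is an added example and not the presenter's tooling or any product's scanner: it parses an sshd_config-style file and reports every option that deviates from a baseline. The baseline values, the assumed defaults for absent options, the MaxAuthTries bound and the sample file are all constructed for illustration, not taken from a published hardening standard or a real host.

```python
import re
from dataclasses import dataclass

# Baseline: option -> (acceptable values, value assumed when the option is absent).
# The acceptable values and the defaults are assumptions made for this example,
# not a published hardening standard.
BASELINE = {
    "permitrootlogin":        ({"no"}, "yes"),
    "passwordauthentication": ({"no"}, "yes"),
    "protocol":               ({"2"}, "2"),
    "x11forwarding":          ({"no"}, "no"),
}
MAX_AUTH_TRIES = 4   # assumed upper bound for MaxAuthTries (default assumed to be 6)


@dataclass(frozen=True)
class Finding:
    option: str
    observed: str
    expected: str
    source: str    # "explicit": set in the file; "default": option absent from the file


def parse_config(text):
    """Map lowercase option names to values for 'Key value' / 'Key=value' lines.
    Comments and blank lines are skipped; the first occurrence of a key wins,
    which is how sshd resolves duplicate options."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.+?)$", line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def check_config(text):
    """Compare parsed settings with BASELINE and return the deviations.
    Absent options are judged on their assumed default, so a missing
    'PermitRootLogin no' is reported rather than silently passed."""
    settings = parse_config(text)
    findings = []
    for option, (allowed, default) in BASELINE.items():
        if option in settings:
            observed, source = settings[option], "explicit"
        else:
            observed, source = default, "default"
        if observed.lower() not in allowed:
            findings.append(Finding(option, observed, "/".join(sorted(allowed)), source))
    # Numeric option: anything non-numeric or above the bound is a finding.
    tries = settings.get("maxauthtries", "6")
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(Finding("maxauthtries", tries, f"<= {MAX_AUTH_TRIES}",
                                "explicit" if "maxauthtries" in settings else "default"))
    return findings


# Constructed sample input; not taken from any real host.
SAMPLE = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding=yes
MaxAuthTries 10
"""

if __name__ == "__main__":
    for f in check_config(SAMPLE):
        print(f"{f.option}: observed {f.observed!r} ({f.source}), expected {f.expected}")
```

Two details matter for an auditor reading the output: the second `PasswordAuthentication` line is ignored because the first occurrence wins, so a 'fix' appended at the end of the file changes nothing; and an absent option is scored on its default rather than skipped, which is what distinguishes a baseline check from a grep.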

  17. WoW (3/3). Tools – specific
  • Toolkits for SAP, Oracle, PeopleSoft, …: check for common vulnerabilities and check for possible SoD (segregation of duties) conflicts
  • ICT-management tools
    • Aim at the management processes and tools, e.g. HP OpenView, CA, …
    • Confuse them, blind them, make them look somewhere else
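The SoD check the ERP toolkits perform can be stated independently of any product: take each user's roles, expand them to the functions they grant, and test every rule that says two functions must not meet in one person. The block below is an added example, not code from the presenter or from any SAP, Oracle or PeopleSoft toolkit; the role names, permissions, user assignments and rules are constructed for illustration. It reports conflicts that arise across roles (the case the slide's 'one person, 40 roles' is about) as well as roles that are toxic on their own, and it keeps the granting roles so the finding can be traced back.

```python
# Constructed sample data in the shape of an ERP role extract; not real SAP/Oracle data.
ROLE_PERMISSIONS = {
    "AP_CLERK":      {"create_vendor", "enter_invoice"},
    "AP_APPROVER":   {"approve_payment"},
    "TREASURY":      {"release_payment"},
    "AUDITOR_RO":    {"view_ledger"},
    "SUPER_FINANCE": {"create_vendor", "enter_invoice", "approve_payment", "release_payment"},
}
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_APPROVER"},   # conflict only when the two roles are combined
    "bob":   {"SUPER_FINANCE"},             # conflict inside a single role
    "carol": {"AP_CLERK", "AUDITOR_RO"},    # clean
    "dave":  {"TREASURY", "AP_APPROVER"},
}
# SoD rules: no single person may hold both functions of a pair. Pairs are unordered.
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
}


def effective_permissions(roles, role_permissions):
    """Expand a user's roles to {permission: set of roles that grant it}.
    Unknown roles grant nothing; a real audit would flag them separately."""
    origin = {}
    for role in roles:
        for perm in role_permissions.get(role, ()):
            origin.setdefault(perm, set()).add(role)
    return origin


def find_sod_conflicts(user_roles, role_permissions, rules):
    """Return {user: [(rule, {permission: [granting roles]})]} for every violated rule.
    A rule is violated when all of its functions are in the user's effective set,
    regardless of whether one role or several supplied them."""
    report = {}
    for user, roles in user_roles.items():
        origin = effective_permissions(roles, role_permissions)
        held = set(origin)
        hits = [(rule, {p: sorted(origin[p]) for p in sorted(rule)})
                for rule in rules if rule <= held]
        if hits:
            report[user] = hits
    return report


def toxic_roles(role_permissions, rules):
    """Roles that violate a rule by themselves; assigning one is always a finding."""
    return {role for role, perms in role_permissions.items()
            if any(rule <= perms for rule in rules)}


if __name__ == "__main__":
    for user, hits in find_sod_conflicts(USER_ROLES, ROLE_PERMISSIONS, SOD_RULES).items():
        for rule, granted_by in hits:
            print(f"{user}: {' + '.join(sorted(rule))} via {granted_by}")
    print("toxic roles:", toxic_roles(ROLE_PERMISSIONS, SOD_RULES))
```

The rule set is the part worth agreeing with the business before the run; the code only mechanises the subset test. Because rules are evaluated on the effective permission set, adding a 41st role to a user is checked against everything the other 40 already grant, which a per-role review would miss.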

  18. Agenda (framework diagram repeated: Monitor, Integrate, Assess, Architect; People, Process, Application - ICT)
  • Who am I and who are you? Identity
  • Perspective of the IT auditor
  • IT Security
  • Challenges & trends
  • Some Cases to discuss
  • Future watch: what is going to hit us next

  19. Some challenges. Positive: security technology is starting to become mandatory and to be fully integrated in new applications. Open questions, the major challenges for the next generation of information systems:
  • Horizontal & vertical integration of security functionality
  • Handling spaghetti-type information systems
  • How to work with components in different phases of the maturity cycle
  • Current security technology is inflexible towards change, in the business as well as in the information systems
  • 'The information system' as we used to know it does not really exist anymore: an ever-changing configuration of a chain of partners, technology and locations
  • Tomorrow's architectures for security (CIA) of information and ICT

  20. Some challenges: network
  • Network boundaries are vanishing: deperimeterisation
  • Jericho: bring the controls towards the information itself (self-contained information & applications) and the platforms
  • Assume a hostile environment
  • From prevention to detect/correct: instead of 'keeping the bad guys out' → 'bring the good guys in and control behaviour'
  • See the Jericho Forum

  21. Identity & access management • Aha, see intro

  22. Platforms
  • Virtualization: the OS does not know where the hardware is; the SAN could be in Poland, the CPUs in India
  • Fundamental authentication problems
  • No approach towards software integrity
  • Failure –is– an option

  23. Applications
  • Assume a safe underlying infrastructure
  • Authorization chaos, cross-application
  • Align to the real use / business needs
  New IT is coming much closer to your soul (see future watch). How to design 'secure' information systems; how to design safe ICT environments (designing architectures in the spaghetti and lasagna view).

  24. Agenda (framework diagram repeated: Monitor, Integrate, Assess, Architect; People, Process, Application - ICT)
  • Who am I and who are you? Identity
  • Perspective of the IT auditor
  • IT Security
  • Challenges & trends
  • Some Cases to discuss
  • Future watch: what is going to hit us next

  25. Case: current web. Past: B2C or B2A or some B2B. Characteristics: 1-to-1, single place of storage, asymmetric trust relationship (diagram: two parties, each with People / Process / Application - ICT layers)

  26. Future web x.y: B2B2B, BmBmB. Value chain: B2B2B… (Sinatra). Trusted networks of partners: BmBmB (BeeGees). (diagram: many parties, each with People / Process / Application - ICT layers)
  • Normal business rules apply
  • From unilateral to multilateral communication
  • Trust but verify
  • Consistency in trusted sources of information
  • Discover and develop fruitful relationships
  • Transforming relationships into transactions
  • Conditions: transparency in the service offering, authenticity of the involved parties, integrity of transactions

  27. Web x.y: common controls required. Control objectives are not that different between parties (diagram: two parties, each with People / Process / Application - ICT layers)

  28. Which control objectives apply? The ECP.NL + Thuiswinkel.org draft list of control objectives addresses, among others:
  • Transactions: integrity, volume, confidentiality/privacy, traceability, non-repudiation
  • Identification and authenticity (natural / legal persons), authorization, access control
  • Monitoring transactions, relational integrity
  • Transparency: costs; service, delivery, …; return, reversal (storno); complaints
  • Assurance …

  29. Case 2: Auction
  • Relationship
  • One transaction or… 5?
  • Which authorization context applies?

  30. Case 3: Relationship
  • Who is the owner of this information?
  • Who is responsible for what?
  • Who has the right or obligation to make changes?
  • Is this a public or a private space…

  31. Case 4: Virtual world or real…?
  • Who owns this environment?
  • Who is responsible for what?
  • Who is who?
  • Enforce or correct behaviour
  • Detect misuse
  • Rules of the game and their enforcement

  32. Examples
  • The consumer should have a list of current outstanding transactions
  • Transactions should be traceable and monitorable
  • Responsibilities clear
  • Pseudonymity
  • Authentication of the real source

  33. New ICT-security challenges
  • Balancing controls
  • Control objectives: a common set
  • Emphasis on controls in web applications
  • A common set of controls to be defined: "terms of engagement"
  • Key: relationship, transaction, ownership

  34. Window of opportunities

  35. Future watch Agenda • Some Cases • Future watch: what is going to hit us next

  36. Tele presence

  37. Personal Real close In, around, with you You and your friends…

  38. Navigation, positioning: who, what, when and weather

  39. Smile, you're on candid camera: biometry

  40. Digital paper, foldable keyboards and screens, 3D input and presentation

  41. All IP – voice, image – almost free

  42. Navigation & automation

  43. Body & mind - health

  44. Ad hoc networking, smart dust

  45. Summary We ain’t seen nothing yet Thanks & Enjoy

  46. History
