5. Execute the attack and obtain unauthorized access to the system.

Transcription

1 Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security. Before discussing the preventive, detective, and corrective controls, it is helpful to understand the basic steps used by criminals to attack an organization s information system: 1. Reconnaissance. Computer attackers begin by collecting information about their target. Much valuable information can be obtained by perusing an organization s financial statements, SEC filings, Web site and press releases. 2. Attempt Social Engineering. Why go through all the trouble of trying to break into a system if you can get someone to let you in? Attackers will often try to use the information obtained during their initial reconnaissance to socially engineer (i.e., trick) an unsuspecting employee into granting them access. An attack known as spear phishing involves sending s purportedly coming from someone else in the organization that the victim knows, or should know. 3. Scan and Map the Target. If an attacker cannot successfully penetrate the target system via social engineering, the next step is to conduct more detailed reconnaissance to identify potential points of remote entry. 4. Research. Once the attacker has identified specific targets and knows what versions of software are used, the next step is to find known vulnerabilities for those programs. 5. Execute the attack and obtain unauthorized access to the system. 6. Cover Tracks. After penetrating the victim s information system, most attackers will try to cover their tracks and come up with back doors just in case their initial attack is discovered. Preventive Controls

2 Preventive controls consist of two related functions; authentication and authorization controls. Authentication Controls Authentication focuses on verifying the identity of the person or device attempting to access the system. Users can be authenticated by verifying: 1. Something they know, such as passwords or personal identification (PINs) 2. Something they have, such as smart cards or ID badges 3. Some physical characteristic (referred to as a biometric identifier), such as their fingerprints or voice Authorization Controls Authorization restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform. Access control matrix is a table specifying which portions of the system users are permitted to access and what actions they can perform. When an employee attempts to access a particular information systems resource, the system performs a compatibility test that matches the user s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action. Authentication and authorization should also apply to devices

3 Every workstation, printer, or other computing device needs a Network Interface Card (NIC) to connect to the organization s internal network. Each NIC has a unique identifier, referred to as its Media Access Control (MAC) address. Training Training is a critical preventive control as employees must understand and follow the organization s security policies. All employees should be taught why security measures are important to the organization s long-run survival. Some good security measures include: 1. Never open unsolicited attachments 2. Only use approved software 3. Never share or reveal your passwords 4. Taking steps to physically protect laptops Training is especially needed to educate employees about social engineering attacks, which use deception to obtain unauthorized access to information resources. Employees also need to be trained not to allow other people to follow them through restricted access entrances. This social engineering attack, called piggybacking, can take place not only at the main entrance to the building but also at any internal

4 locked doors, especially to rooms that contain computer equipment. Controlling Physical Access Controlling physical access to the system is absolutely essential. Within minutes a skilled attacker can gain physical access to the system and obtain sensitive data. Someone with unsupervised physical access could also insert special boot disks that provide direct access to every file on the computer and then copy sensitive files to a portable device such as a USB drive. An attacker with unsupervised physical access could simply remove the hard drive or even steal the entire computer. COBIT s 34 top-level control objectives, DS 12, focuses specifically on physical security. Focus 8-2 on page 250 describes an especially elaborate set of physical access controls referred to as a man-trap. This technique involves the use of specially designed rooms that serve as an entryway to the data center. They typically contain two doors, each of which uses multiple authentication methods to control access. Laptops, cell phones, and Personal Digital Assistant (PDA) devices require special attention. A PDA is a handheld computer that has had a significant impact on personal productivity. Laptop theft is a large problem. The major cost is not the price of replacing the laptop, but the loss of the confidential information it contains and the costs of notifying those affected. Controlling Remote Access Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems

5 Figure 8-4 on page 251 shows the relationship between an organization s information system and the Internet. A border router connects an organization s information system to the Internet. Behind the border router is the main firewall, which is either a special-purpose hardware device or software running on a generalpurpose computer. Firewall is a combination of security algorithms and router communications protocols that prevents outsiders from tapping into corporate databases and systems. The organization s Web servers and servers are placed in a separate network, called the demilitarized zone (DMZ) because it sits outside the corporate network yet is accessible from the Internet. Overview of TCP/IP and Routers Information travels throughout the Internet and internal local area networks in the form of packets. So, it s not documents or files that are sent to the printer. Instead they are broken down into packets and then sent to the printer. Well defined rules and procedures called protocols dictate how to perform these activities. Figure 8-5 on page 252 shows how two important protocols, referred to as TCP/IP, govern the process for transmitting information over the Internet.

6 The Transmission Control Protocol (TCP) specifies the procedures for dividing files and documents into packets to be sent over the Internet and the methods for reassembly of the original document or file at the destination. The Internet Protocol (IP) specifies the structure of those packets and how to route them to the proper destination. Every IP packet consists of two parts: a header and a body. The header contains the packet s origin and destination addresses, as well as information about the type of data contained in the body of the packet. Special-purpose devices called routers are designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next. Filtering Packets A set of rules, called an Access Control List (ACL), determines which packets are allowed entry and which are dropped. Border routers typically perform what is called static packet filtering, which screens individual IP packets based solely on the contents of the source or destination fields in the IP packet header. A stateful packet filtering maintains a table that lists all established connections between the organization s computers and the Internet. Stateful packet filtering is still limited to examining only information in the IP packet header. Clearly, control over incoming mail would be more effective if each envelope or package were opened and inspected.

7 Deep Packet Inspection Stateful packet filtering is still limited to examining only information in the IP packet header. Undesirable mail can get through if the return address is not on the list of unacceptable sources. Clearly, control over incoming mail would be more effective if each envelope or package were opened and inspected. Such a process called deep packet inspection provides this added control. Intrusion prevention systems (IPS) are designed to identify and drop packets that are part of an attack. Defense-in-Depth The use of multiple perimeter filtering devices is actually more efficient than trying to use only one device. Figure 9-4 on page 284 illustrates one other dimension of the concept of defense-in-depth: the use of a number of internal firewalls to segment different departments within the organization. Dial-Up Connections The Remote Authentication Dial-In User Service (RADIUS) is a standard method that verifies the identity of users attempting to connect via dial-in-access.

8 Modems are cheap and easy to install. If an employee installs their own personal modem that they purchased for the office computer, the modem is called a rogue modem. This in turn creates a back door in which a hacker could easily gain access to the company s system. To detect these unauthorized, rogue modems, either computer security or internal auditing uses war dialing software. This software calls every telephone number assigned to the organization to identify those which are connected to modems; which in turn identifies the rogue modems. Wireless Access The following procedures need to be followed to adequately secure wireless access: 1. Turn on available security features. 2. Authenticate all devices attempting to establish wireless access to the network before assigning them an IP address. 3. Configure all authorized wireless Network Interface Cards (NICs) to operate only in infrastructure mode, which forces the device to connect only to wireless access points. 4. Use noninformative names for the access point s address, which is called a Service Set Identifier (SSID). 5. Predefine a list of authorized Media Access Control (MAC) addresses and configure wireless access points to only accept connections if the device s MAC address is on the authorized list. 6. Reduce the broadcast strength of wireless access points to make unauthorized reception off-premises more difficult. 7. Locate wireless access points in the interior of the building and use directional antennas to make unauthorized access and eavesdropping more difficult.

9 Host and Application Hardening Routers, firewalls, and intrusion prevention systems are designed to protest the network perimeter. However, information system security is enhanced by supplementing preventive controls. Three areas deserve special attention: 1. Host configuration 2. User accounts 3. Software design 1. Host Configuration Hosts can be made more secure by modifying their configurations. Every program running on a host represents a potential point of attack because it probably contains flaws, called vulnerabilities, that can be exploited to either crash the system or take control of it. Microsoft Baseline Security Analyzer and vulnerability scanners can be used to identify unused and, therefore, unnecessary programs that represent potential security threats. This process of turning off unnecessary features is called hardening. 2. Managing User Accounts and Privileges

10 Users who need administrative powers on a particular computer should be assigned two accounts: one with administrative rights and another that has only limited privileges. It is especially important that they be logged into their limited regular user account when browsing the Web or reading their Software Design As organizations have increased the effectiveness of their perimeter security controls, attackers have increasingly targeted vulnerabilities in application programs. The most common input-related vulnerability is referred to as a buffer overflow attack, in which an attacker sends a program more data than it can handle. Most programs set aside a fixed amount of memory, referred to as a buffer, to hold user input. However, if the program does not carefully check the size of data being input, an attacker may enter many times the amount of data that was anticipated and overflow the buffer.