CHAPTER 5
CONTROLS FOR INFORMATION SECURITY
Instructor's Manual
Learning Objectives:
1. Explain the factors that influence information systems
reliability.
2. Describe how a combination of preventive, detective, and
corrective controls can be employed to provide reasonable
assurance about information security.
Questions to be addressed in this chapter:
1. What controls does Northwest Industries employ to prevent
unauthorized access to its accounting system?
2. How can successful and unsuccessful attempts to compromise the
company's accounting system be detected in a timely manner?
3. What procedures are in place to respond to security incidents?
Learning Objective One
Explain the factors that influence information
systems reliability.
One basic function of an accounting information system is to
provide information useful for decision making.
Figure 8-1 on page 230 shows the five fundamental principles that
contribute to the overall objective of systems reliability:
1. Security: Security procedures restrict access to authorized
users only.
2. Confidentiality: By restricting access, the confidentiality
of sensitive organizational information is protected.
3. Privacy: Also, by restricting access, the privacy of personal
identifying information collected from customers is
protected.
4. Processing integrity: Security procedures provide for
processing integrity by preventing submission of
unauthorized or fictitious transactions as well as
preventing unauthorized changes to stored data or programs.
5. Availability: Security procedures provide protection against
a variety of attacks, including viruses and worms, thereby
ensuring that the system is available when needed.
Multiple Choice 1
The five principles that contribute to the overall objective of systems
reliability include:
a. Effectiveness
b. Processing integrity
c. Plan and organize
d. Reliability
Learning Objective Two
Describe how a combination of preventive,
detective, and corrective controls can be
employed to provide reasonable assurance about
information security.
Before discussing the preventive, detective, and corrective controls, it
is helpful to understand the basic steps used by criminals to attack an
organization's information system:
1. Reconnaissance. Computer attackers begin by collecting information
about their target. Much valuable information can be obtained by
perusing an organization's financial statements, SEC filings,
Website, and press releases.
2. Attempt social engineering. Why go through all the trouble of
trying to break into a system if you can get someone to let you
in? Attackers will often try to use the information obtained
during their initial reconnaissance to socially engineer (i.e.,
trick) an unsuspecting employee into granting them access.
An attack known as spear phishing involves sending e-mails
purportedly coming from someone else in the organization that the
victim knows, or should know.
3. Scan and map the target. If an attacker cannot successfully
penetrate the target system via social engineering, the next step
is to conduct more detailed reconnaissance to identify potential
points of remote entry.
4. Research. Once the attacker has identified specific targets and
knows what versions of software are used, the next step is to find
known vulnerabilities for those programs.
5. Execute the attack and obtain unauthorized access to the system.
6. Cover tracks. After penetrating the victim's information system,
most attackers will try to cover their tracks and come up with
back doors just in case their initial attack is discovered.
Preventive Controls
Five major types of preventive controls are listed in Table 8-1 on
page 233.
The first of these, user access controls, consists of two related
functions: authentication and authorization.
User Access Controls: Authentication and Authorization
Authentication focuses on verifying the identity of the person or
device attempting to access the system.
Users can be authenticated by verifying:
1. Something they know, such as passwords or personal
identification numbers (PINs)
2. Something they have, such as smart cards or ID
badges
3. Some physical characteristic (referred to as a
biometric identifier), such as their fingerprints or
voice
Focus 8-1 on page 236 discusses some of the requirements for
creating strong passwords:
1. Length
Most security experts recommend that strong passwords
include at least eight characters.
2. Multiple character types
Mixture of alphabetic, numeric, special characters,
uppercase, and lowercase
3. Randomness
Should not be found in dictionary
Words should not be preceded or followed by a number
Should not be the employee's personal interests, hobbies,
or other information
4. Change frequently
At least every 90 days and possibly every 30 days
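The first three Focus 8-1 requirements are properties of the password string itself, so they can be checked when a password is chosen. The following is an added example, not code from the textbook; it assumes a small constructed dictionary word list, a list of the employee's personal information supplied by the caller, and (this example's own choice) at least three of the four character types. Change frequency is a time-based control and is not checked here.

```python
import re
import string

# Constructed stand-in for a dictionary word list; a real check would load a
# full word list (and ideally a list of previously breached passwords).
DICTIONARY = {"password", "welcome", "summer", "company", "accounting"}


def check_password(password, dictionary=DICTIONARY, personal_info=()):
    """Return the list of Focus 8-1 rules the password breaks (empty = passes)."""
    problems = []
    # 1. Length: at least eight characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # 2. Multiple character types. Requiring at least three of the four kinds
    #    is this example's choice; the chapter only says "a mixture".
    kinds = (any(c.islower() for c in password),
             any(c.isupper() for c in password),
             any(c.isdigit() for c in password),
             any(c in string.punctuation for c in password))
    if sum(kinds) < 3:
        problems.append("uses fewer than 3 character types")
    # 3. Randomness: not a dictionary word, not a word merely padded with
    #    digits or symbols, and not the employee's personal information.
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)   # strip non-letters at both ends
    if lowered in dictionary:
        problems.append("is a dictionary word")
    elif core in dictionary:
        problems.append("is a dictionary word padded with digits or symbols")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


def is_strong(password, **kwargs):
    """Convenience wrapper: True only when no rule is broken."""
    return not check_password(password, **kwargs)
```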
Multifactor authentication is when two or all three
basic authentication methods are used
Authorization Controls
Authorization restricts access of authenticated users to
specific portions of the system and specifies what actions
they are permitted to perform.
An access control matrix is a table specifying which portions
of the system users are permitted to access and what actions
they can perform (see Figure 8-4 on page 237).
When an employee attempts to access a particular information
systems resource, the system performs a compatibility test
that matches the user's authentication credentials against
the access control matrix to determine whether that employee
should be allowed to access that resource and perform the
requested action.
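The compatibility test described above, as an added example (not code from the textbook): the matrix is a table keyed by user and resource, any request not listed in it is denied, and every decision is recorded so that failed attempts can be reviewed in a timely manner. The users, resources and actions are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample matrix: user -> resource -> set of permitted actions.
# Users, resources and actions are illustrative, not taken from the chapter.
ACCESS_CONTROL_MATRIX = {
    "ap_clerk":   {"vendor_master": {"read"},
                   "ap_invoices":   {"read", "create"}},
    "ap_manager": {"vendor_master": {"read", "update"},
                   "ap_invoices":   {"read", "approve"}},
    "auditor":    {"vendor_master": {"read"},
                   "ap_invoices":   {"read"},
                   "audit_log":     {"read"}},
}

AUDIT_LOG = []   # every decision is recorded here for later review


def compatibility_test(user, resource, action, matrix=ACCESS_CONTROL_MATRIX):
    """Match an authenticated user's request against the matrix.

    Anything not explicitly listed is denied (default deny), so an unknown
    user, an unknown resource, or an unlisted action all fail the test.
    """
    permitted = matrix.get(user, {}).get(resource, set())
    allowed = action in permitted
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": user, "resource": resource, "action": action,
                      "result": "ALLOW" if allowed else "DENY"})
    return allowed


def denied_attempts(log=AUDIT_LOG):
    """Failed compatibility tests are what a reviewer inspects for misuse."""
    return [entry for entry in log if entry["result"] == "DENY"]


def users_with_repeated_denials(threshold=3, log=AUDIT_LOG):
    """Flag users whose denied attempts reach the threshold (possible probing)."""
    counts = {}
    for entry in denied_attempts(log):
        counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)
```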
Authentication and authorization should also apply to
devices.
Every workstation, printer, or other computing device
needs a Network Interface Card (NIC) to connect to the
organization's internal network.
Each NIC has a unique identifier, referred to as its
Media Access Control (MAC) address.
Training
Training is a critical preventive control as employees must
understand and follow the organization's security policies.
All employees should be taught why security measures are
important to the organization's long-run survival.
Some good security measures include:
1. Never open unsolicited e-mail attachments
2. Only use approved software
3. Never share or reveal your passwords
4. Take steps to physically protect laptops
Training is especially needed to educate employees about
social engineering attacks, which use deception to obtain
unauthorized access to information resources.
Employees also need to be trained not to allow other people
to follow them through restricted access entrances. This
social engineering attack, called piggybacking, can take
place not only at the main entrance to the building but also
at any internal locked doors, especially to rooms that
contain computer equipment.
Controlling Physical Access
Controlling physical access to the system is absolutely
essential.
Within minutes a skilled attacker can gain physical
access to the system and obtain sensitive data.
Focus 8-3 on page 245 describes an especially elaborate set
of physical access controls referred to as a man-trap.
This technique involves the use of specially designed
rooms that serve as an entryway to the data center.
They typically contain two doors, each of which
uses multiple authentication methods to control
access.
Laptops, cell phones, and Personal Digital Assistant (PDA)
devices require special attention. A PDA is a handheld
computer that has had a significant impact on personal
productivity. Laptop theft is a large problem. The major
cost is not the price of replacing the laptop, but the loss
of the confidential information it contains and the costs of
notifying those affected.
Below is an excerpt from the Internet involving hackers
obtaining personal credit card information:
120 million accounts exposed?
Just how common is a source of heated debate in the credit card fraud
world, which has always been shrouded in secrecy. But one firm that
provides security services to merchants says it's been told by the card
associations that last year, 60 million accounts were compromised, and
this year, that figure will double to around 120 million.
"And everyone I talk to says that number is conservative," says Julie
Ferguson, co-founder of ClearCommerce Corp., which sells products
designed to stop data theft. Ferguson also chairs the Merchant Risk
Council, which studies credit card fraud and advocates for merchant
rights.
Visa, MasterCard, and American Express all dispute the numbers as an
exaggeration.
IT Solutions: Controlling Remote Access
Perimeter Defense: Routers, Firewalls, and Intrusion
Prevention Systems
Figure 8-6 on page 239 shows the relationship between an
organization's information system and the Internet.
A border router connects an organization's information
system to the Internet.
Behind the border router is the main firewall, which is
either a special-purpose hardware device or software running
on a general-purpose computer.
A firewall is a combination of security algorithms and router
communications protocols that prevents outsiders from
tapping into corporate databases and e-mail systems.
The organization's Web servers and e-mail servers are placed
in a separate network, called the demilitarized zone (DMZ)
because it sits outside the corporate network yet is
accessible from the Internet.
Overview of TCP/IP and Routers
Information travels throughout the Internet and internal
local area networks in the form of packets.
So, it's not documents or files that are sent to the
printer. Instead, they are broken down into packets and
then sent to the printer.
Well-defined rules and procedures called protocols dictate
how to perform these activities.
Figure 8-7 on page 240 shows how two important protocols,
referred to as TCP/IP, govern the process for transmitting
information over the Internet.
The Transmission Control Protocol (TCP) specifies the
procedures for dividing files and documents into
packets to be sent over the Internet and the methods
for reassembly of the original document or file at the
destination.
The Internet Protocol (IP) specifies the structure of
those packets and how to route them to the proper
destination.
Every IP packet consists of two parts: a header and a body.
The header contains the packets origin and destination
addresses, as well as information about the type of data
contained in the body of the packet.
Special-purpose devices called routers are designed to read
the destination address fields in IP packet headers to
decide where to send (route) the packet next.
Filtering Packets
A set of rules, called an Access Control List (ACL),
determines which packets are allowed entry and which are
dropped.
Border routers typically perform what is called static
packet filtering, which screens individual IP packets based
solely on the contents of the source or destination fields
in the IP packet header.
Stateful packet filtering maintains a table that lists all
established connections between the organization's computers
and the Internet.
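The difference between the two filtering methods is easiest to see in code. The following is an added example, not code from the textbook: a static filter that applies an ACL to each packet's header fields in isolation, and a stateful filter that records connections opened from inside and admits inbound packets only when they are replies to one. The addresses, ports and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (the payload is not examined)."""
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed internal address range

# Static ACL, evaluated top to bottom; the first matching rule decides and a
# packet that matches nothing is dropped. Networks are RFC 5737 documentation
# ranges chosen for this example.
ACL = [
    ("deny",   "198.51.100.0/24", "0.0.0.0/0",       None),  # a blocked source range
    ("permit", "0.0.0.0/0",       "203.0.113.10/32", 80),    # anyone may reach the DMZ web server
    ("permit", "10.0.0.0/8",      "0.0.0.0/0",       None),  # internal hosts may initiate outbound
]


def static_filter(pkt, acl=ACL):
    """Decide on one packet using only its source/destination header fields."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, dst_net, dport in acl:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (dport is None or dport == pkt.dport)):
            return action == "permit"
    return False


class StatefulFilter:
    """Keeps a table of connections opened from inside; admits only their replies."""

    def __init__(self):
        self.connections = set()   # (proto, internal ip, internal port, external ip, external port)

    def decide(self, pkt):
        if ipaddress.ip_address(pkt.src) in INTERNAL:
            # Outbound packet: remember the connection so its replies can return.
            self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound packet: allowed only if it is the reverse of a recorded connection.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
```

Note that neither filter looks past the header: a permitted packet with hostile content still gets through, which is the gap deep packet inspection is meant to close.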
Deep Packet Inspection
Stateful packet filtering is still limited to examining only
information in the IP packet header.
Undesirable mail can get through if the return address is
not on the list of unacceptable sources. Clearly, control
over incoming mail would be more effective if each envelope
or package were opened and inspected.
Such a process, called deep packet inspection, provides this
added control.
Intrusion prevention systems (IPS) are designed to identify
and drop packets that are part of an attack.
Defense-in-Depth
The use of multiple perimeter filtering devices is actually
more efficient than trying to use only one device.
Dial-Up Connections
The Remote Authentication Dial-In User Service (RADIUS) is a
standard method that verifies the identity of users
attempting to connect via dial-in access.
Modems are cheap and easy to install. If an employee
installs a personally purchased modem on an office computer,
that modem is called a rogue modem. This in turn creates a
back door through which a hacker could easily gain access to
the company's system.
To detect these unauthorized, rogue modems, either
computer security or internal auditing uses war
dialing software. This software calls every telephone
number assigned to the organization to identify those
that are connected to modems, which in turn
identifies the rogue modems.
Wireless Access
The following procedures need to be followed to adequately
secure wireless access:
1. Turn on available security features.
2. Authenticate all devices attempting to establish
wireless access to the network before assigning them
an IP address.
3. Configure all authorized wireless Network Interface
Cards (NICs) to operate only in infrastructure mode,
which forces the device to connect only to wireless
access points.
4. Use noninformative names for the access point's
identifier, which is called a Service Set Identifier
(SSID).
5. Predefine a list of authorized Media Access Control
(MAC) addresses and configure wireless access points
to only accept connections if the device's MAC
address is on the authorized list.
6. Reduce the broadcast strength of wireless access
points to make unauthorized reception off-premises
more difficult.
7. Locate wireless access points in the interior of the
building and use directional antennas to make
unauthorized access and eavesdropping more difficult.
Focus 8-2 on page 244 identifies major issues and
solutions of security relating to mobile devices.
Host and Application Hardening
Routers, firewalls, and intrusion prevention systems are
designed to protect the network perimeter.
However, information system security is enhanced by
supplementing those perimeter controls with preventive
controls on the hosts and applications themselves.
Three areas deserve special attention:
1. Host configuration
2. User accounts
3. Software design
1. Host Configuration
Hosts can be made more secure by modifying their
configurations. Every program running on a host
represents a potential point of attack because it
probably contains flaws, called vulnerabilities, that can
be exploited to either crash the system or take control
of it.
Microsoft Baseline Security Analyzer and vulnerability
scanners can be used to identify unused and, therefore,
unnecessary programs that represent potential security
threats. This process of turning off unnecessary features
is called hardening.
2. Managing User Accounts and Privileges
Users who need administrative powers on a particular
computer should be assigned two accounts: one with
administrative rights and another that has only limited
privileges.
It is especially important that they be logged into
their limited regular user account when browsing the
Web or reading their e-mail.
3. Software Design
As organizations have increased the effectiveness of
their perimeter security controls, attackers have
increasingly targeted vulnerabilities in application
programs.
The most common input-related vulnerability is referred
to as a buffer overflow attack, in which an attacker
sends a program more data than it can handle.
Most programs set aside a fixed amount of memory,
referred to as a buffer, to hold user input.
However, if the program does not carefully check the size
of data being input, an attacker may enter many times the
amount of data that was anticipated and overflow the
buffer.
Multiple Choice 2
Social engineering attacks that take place via e-mail are known as:
a. bluesnarfing
b. spear phishing
c. phreaking
d. vishing
Multiple Choice 3
An example of preventive controls would include:
a. log analysis
b. authorization controls
c. encryption
d. A and B
e. B and C
Multiple Choice 4
A biometric identifier includes:
a. passwords
b. fingerprints
c. smart cards
d. PINs
Answers to Multiple Choice Questions:
Number   Answer
1        B
2        B
3        E
4        B