Chapter 5 Overview
• Importance of Information Security Management
• Logical Access Exposures and Controls
• Network Infrastructure Security
• Auditing Information Security Management and Logical Access Issues and Exposures
• Auditing Network Infrastructure Security
• Environmental Exposures and Controls
• Physical Access Exposures and Controls
• Personal Computer (“Laptop”) Security (Logical/Physical) Access Issues
Chapter 5 Exam Content Area
“Protection of information assets—Provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets.”

Chapter 5 Summary
Importance of Information Security Management

• Security objectives to meet the organization’s business requirements
  – Ensure the integrity of the information stored on their computer systems
  – Preserve the confidentiality of sensitive data
  – Ensure the continued availability of their information systems
  – Ensure conformity to applicable laws, regulations and standards

• Key elements of information security management
  – Senior management commitment and support
  – Policies and procedures
  – Organization
  – Security awareness and education
  – Monitoring and compliance
  – Incident handling and response

• Roles and responsibilities
  – Executive management
  – Process owners
  – Users
  – Data owners
  – Security committee
  – Security specialists/advisors
  – IT developers
  – IS auditors
  – External parties

• Data classification measures
  – Who has access rights, and to what?
  – Who is responsible for determining the access rights and access levels?
  – What approvals are needed for access?

• Data classification operates on
  – System access
  – Security awareness and education
  – Monitoring and compliance
  – Incident handling and response

• Privacy issues and information security
  – The goals of a privacy impact assessment include:
    · Identifying the nature of personally identifiable information associated with business processes
    · Documenting the collection, use, disclosure and destruction of personally identifiable information
    · Providing management with a tool to make informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk
    · Creating a consistent format and structured process for analyzing both technical and legal compliance with relevant regulations
    · Ensuring that accountability for privacy issues is clearly incorporated into the project
    · Reducing revisions and retrofitting of the information systems for privacy compliance

• Computer crime issues and exposures
  – Threats to business include the following:
    · Financial loss
    · Legal repercussions
    · Loss of credibility or competitive edge
    · Blackmail/industrial espionage
    · Disclosure of confidential, sensitive or embarrassing information
    · Sabotage
  – Computer crime vs. computer abuse
    · Whether an act is a “crime” depends on the statutes of the jurisdiction
    · Civil offense vs. criminal offense
    · When should a crime be suspected?
  – Possible perpetrators include:
    · Hackers
    · Crackers
    · Employees (authorized or unauthorized): IS personnel, end users
    · Former employees
    · Interested or educated outsiders
    · Part-time and temporary personnel
    · Vendors and consultants
    · The accidental ignorant
Logical Access Exposures and Controls

• Familiarization with the organization’s IT environment
  – The layers are:
    · the network
    · the operating system platform
    · the database and application layers

• Paths of logical access
  – General points of entry:
    · Network connectivity
    · Remote access
    · Operator console
    · Online workstations or terminals

• Logical access control software
  Prevents unauthorized access to and modification of an organization’s sensitive data, and unauthorized use of system-critical functions.
  – General operating system access control functions include:
    · User identification and authentication mechanisms
    · Restricted logon IDs
    · Rules for access to specific information resources
    · Create individual accountability and auditability
    · Create or change user profiles
    · Log events
    · Log user activities
    · Report capabilities
  – Database and/or application-level access control functions include:
    · Create or change data files and database profiles
    · Verify user authorization at the application and transaction levels
    · Verify user authorization within the application
    · Verify user authorization at the field level for changes within a database
    · Verify subsystem authorization for the user at the file level
    · Log database/data communications access activities for monitoring access violations

• Identification and authentication
  – Logon IDs and passwords
    · Features of passwords
    · Password syntax (format) rules
  – Token devices (one-time passwords)
  – Biometrics
  – Single sign-on (SSO)
    SSO is the process of consolidating all organization platform-based administration, authentication and authorization functions into a single centralized administrative function. A single sign-on product interfaces with:
    · client-server and distributed systems
    · mainframe systems
    · network security, including remote access mechanisms
  – SSO advantages:
    · Multiple passwords are no longer required; a user may therefore be more inclined and motivated to select a stronger password
    · It improves an administrator’s ability to manage users’ accounts and authorizations across all associated systems
    · It reduces the administrative overhead of resetting forgotten passwords over multiple platforms and applications
    · It reduces the time taken by users to log into multiple applications and platforms
  – SSO disadvantages include:
    · Support for all major operating system environments is difficult
    · The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary
    · The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization’s information assets

• Social engineering
  Social engineering is the human side of breaking into a corporate network. The best means of defense against social engineering is an ongoing security awareness program, in which all employees are educated about the dangers social engineering can present.

• Authorization issues
  – Typical access rights include:
    · Read, inquiry or copy only
    · Write, create, update or delete only
    · Execute only
    · A combination of the above
  – Access control lists refer to:
    · Users (including groups, machines and processes) who have been given permission to use a particular system resource
    · The types of access permitted
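An added example, not from the slides, showing how access rights and an access control list fit together in code: ACL entries name a user, group, machine or process; rights are a combinable flag set (read, write, execute, or any combination); a request is granted only if every requested right is covered, and a denial is recorded as an access violation for later reporting. The `check_access` function, the payroll resource and the subjects are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Access(Flag):
    """Typical access rights; combine them with | (e.g. READ | WRITE)."""
    READ = auto()     # read, inquiry or copy
    WRITE = auto()    # write, create, update or delete
    EXECUTE = auto()  # execute only


@dataclass
class AclEntry:
    principal: str   # "user:<id>", "group:<id>", "machine:<id>" or "process:<id>"
    allowed: Access  # the types of access permitted to that principal


@dataclass
class Resource:
    name: str
    acl: list = field(default_factory=list)


@dataclass
class Subject:
    user: str
    groups: frozenset
    machine: str
    process: str

    def principals(self):
        """Every identity an ACL entry could match for this subject."""
        ids = {f"user:{self.user}", f"machine:{self.machine}", f"process:{self.process}"}
        return ids | {f"group:{g}" for g in self.groups}


VIOLATION_LOG = []  # access violations, kept for monitoring and reporting


def check_access(subject, resource, wanted):
    """Grant only if every requested right is granted by matching ACL entries."""
    granted = Access(0)
    ids = subject.principals()
    for entry in resource.acl:
        if entry.principal in ids:
            granted |= entry.allowed
    ok = (wanted & granted) == wanted
    if not ok:
        VIOLATION_LOG.append(
            f"DENY user={subject.user} machine={subject.machine} wanted={wanted} on {resource.name}")
    return ok


# Constructed sample data: a payroll file and two subjects
PAYROLL = Resource("payroll.db", [
    AclEntry("group:payroll", Access.READ | Access.WRITE),
    AclEntry("user:auditor", Access.READ),
    AclEntry("process:backup", Access.READ),
])
CLERK = Subject("clerk", frozenset({"payroll"}), "ws-12", "payroll_app")
AUDITOR = Subject("auditor", frozenset(), "ws-30", "report_tool")

if __name__ == "__main__":
    print(check_access(CLERK, PAYROLL, Access.READ | Access.WRITE))   # True
    print(check_access(AUDITOR, PAYROLL, Access.WRITE))               # False, logged
    print(VIOLATION_LOG)
```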
  – Logical access security administration
    · Centralized environment
    · Decentralized environment
  – Advantages of conducting security administration in a decentralized environment:
    · Security administration is on-site at the distributed location
    · Security issues are resolved in a more timely manner
    · Security controls are monitored on a more frequent basis
  – Remote access security
    Today’s organizations require remote access connectivity to their information resources for different types of users, such as employees, vendors, consultants, business partners and customer representatives. In providing this capability, a variety of methods and procedures are available to satisfy an organization’s business need for this level of access.
  – Remote access security risks include:
    · Denial of service
    · Malicious third parties
    · Misconfigured communications software
    · Misconfigured devices on the corporate computing infrastructure
    · Host systems not secured appropriately
    · Physical security issues over remote users’ computers
  – Remote access security controls include:
    · Policy and standards
    · Proper authorizations
    · Identification and authentication mechanisms
    · Encryption tools and techniques, such as the use of a VPN
    · System and network management
Network Infrastructure Security

• LAN security
  Local area networks facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programs and data.
  – LAN risks and issues
  – Dial-up access controls

• Client/server security
  – Control techniques in place:
    · Securing access to data or applications
    · Use of network monitoring devices
    · Data encryption techniques
    · Authentication systems
    · Use of application-level access control programs
  – Client/server risks and issues:
    · Access controls may be weak in a client/server environment
    · Change control and change management procedures
    · The loss of network availability may have a serious impact on the business or service
    · Obsolescence of the network components
    · The use of modems to connect the network to other networks
    · The connection of the network to public switched telephone networks may be weak
    · Changes to systems or data
    · Access to confidential data and data modification may be unauthorized
    · Application code and data may not be located on a single machine enclosed in a secure computer room, as with mainframe computing

• Internet threats and security
  – Passive attacks:
    · Network analysis
    · Eavesdropping
    · Traffic analysis
  – Active attacks:
    · Brute-force attack
    · Masquerading
    · Packet replay
    · Message modification
    · Unauthorized access through the Internet or web-based services
    · Denial of service
    · Dial-in penetration attacks
    · E-mail bombing and spamming
    · E-mail spoofing
  – Threat impact:
    · Loss of income
    · Increased cost of recovery
    · Increased cost of retrospectively securing systems
    · Loss of information
    · Loss of trade secrets
    · Damage to reputation
    · Legal and regulatory noncompliance
    · Failure to meet contractual commitments
    · Legal action by customers for loss of confidential data
  – Causal factors for Internet attacks:
    · Availability of tools and techniques on the Internet
    · Lack of security awareness and training
    · Exploitation of security vulnerabilities
    · Inadequate security over firewalls
  – Internet security controls

• Firewall security systems
  – Firewall general features
  – Firewall types:
    · Router packet filtering
    · Application firewall systems
    · Stateful inspection
  – Examples of firewall implementations:
    · Screened-host firewall
    · Dual-homed firewall
    · Demilitarized zone (DMZ)
  – Firewall issues:
    · A false sense of security
    · The circumvention of firewalls
    · Misconfigured firewalls
    · What constitutes a firewall
    · Monitoring activities may not occur on a regular basis
    · Firewall policies

• Intrusion detection systems (IDS)
  An IDS works in conjunction with routers and firewalls by monitoring network usage for anomalies.
  – Network-based IDSs
  – Host-based IDSs
  – Components:
    · Sensors that are responsible for collecting data
    · Analyzers that receive input from sensors and determine intrusive activity
    · An administration console
    · A user interface
  – Types include:
    · Signature-based
    · Statistical-based
    · Neural networks
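An added example, not from the slides, of the first two IDS types working as analyzers over the same sensor records: a signature-based analyzer matches each record against known-bad patterns, while a statistical-based analyzer flags a source whose failed-login count stands out against the baseline formed by its peers. The log lines, the signature names and the thresholds are constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed sample sensor records: "timestamp source event"; not real traffic
SAMPLE_LOG = """\
10:00:01 10.0.0.5 login_failed user=alice
10:00:02 10.0.0.5 login_ok user=alice
10:00:10 10.0.0.9 http GET /index.html
10:00:11 10.0.0.9 http GET /reports/../../etc/passwd
10:00:20 10.0.0.6 login_failed user=bob
10:00:21 10.0.0.6 login_ok user=bob
10:01:00 10.0.0.7 login_failed user=root
10:01:01 10.0.0.7 login_failed user=root
10:01:02 10.0.0.7 login_failed user=root
10:01:03 10.0.0.7 login_failed user=root
10:01:04 10.0.0.7 login_failed user=root
10:01:05 10.0.0.7 login_failed user=root
"""

# Signature-based: fixed patterns describing activity already known to be bad
SIGNATURES = [
    ("path-traversal", re.compile(r"http \S+ \S*\.\./")),
    ("root-login-failure", re.compile(r"login_failed user=root$")),
]


def parse(log):
    """Split each record into (timestamp, source, event text)."""
    return [tuple(line.split(" ", 2)) for line in log.splitlines() if line.strip()]


def signature_alerts(records):
    """One alert per (signature, record) match; misses anything without a signature."""
    alerts = []
    for ts, src, event in records:
        for name, pattern in SIGNATURES:
            if pattern.search(event):
                alerts.append((name, src, ts))
    return alerts


def statistical_alerts(records, factor=3, floor=5):
    """Flag sources whose failed-login count exceeds the peer median by `factor`.

    `floor` avoids alerting on tiny counts when the baseline itself is near zero.
    """
    failures = Counter(src for _, src, event in records if event.startswith("login_failed"))
    if not failures:
        return []
    baseline = statistics.median(failures.values())
    return [(src, n) for src, n in failures.items() if n >= floor and n > factor * baseline]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(signature_alerts(recs))    # 1 path-traversal + 6 root-login-failure alerts
    print(statistical_alerts(recs))  # [('10.0.0.7', 6)]
```

The statistical analyzer catches the burst from 10.0.0.7 even without a matching signature, and the signature analyzer catches the single traversal request the statistics would never notice; that complementarity is why both types are deployed.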
  – Features:
    · Intrusion detection
    · Gathering evidence on intrusive activity
    · Automated response
    · Security monitoring
    · Interface with system tools
    · Security policy management
  – Limitations:
    · Weaknesses in the policy definition
    · Application-level vulnerabilities
    · Backdoors into applications
    · Weaknesses in identification and authentication schemes

• Encryption
  – Key elements of encryption systems:
    · Encryption algorithm
    · Encryption key
    · Key length
  – Private key cryptographic systems
  – Public key cryptographic systems
  – Elliptic curve cryptosystem (ECC)
  – Quantum cryptography
  – Digital signatures provide:
    · Data integrity
    · Authentication
    · Nonrepudiation
    · Replay protection
  – Public key infrastructure:
    · Digital certificates
    · Certificate authority (CA)
    · Registration authority (RA)
    · Certificate revocation list (CRL)
    · Certification practice statement (CPS)
  – Use of encryption in OSI protocols:
    · Secure sockets layer (SSL)
    · Secure Hypertext Transfer Protocol (S/HTTP)
    · IP security (IPSec)
    · SSH
    · Secure multipurpose Internet mail extensions (S/MIME)
    · Secure electronic transactions (SET)
Auditing Information Security Management and Logical Access Issues and Exposures

• Auditing information security management
  – Review written policies, procedures and standards
  – Logical access security policies
  – Formal security awareness and training
  – Data ownership (data classification scheme)
  – Data owners
  – Data custodians
  – Security administrator
  – Data users
  – Documented authorizations
  – Terminated employee access
  – Access standards

• Auditing logical access
  – Familiarization with the organization’s IT environment
  – Document access paths
  – Interview systems personnel
  – Review reports from access control software
  – Review the application systems operations manual

• Test security
  – Use of terminal cards and keys
  – Terminal identification
  – Logon IDs and passwords
  – Controls over production resources
  – Logging and reporting of computer access violations
  – Follow-up of access violations
  – Dial-up access controls
  – Authorization of network changes
  – Identification of methods of bypassing security and of compensating controls
  – Review access controls and password administration
Auditing Network Infrastructure Security

• Auditing remote access
  – Auditing Internet “points of presence”
  – Network penetration tests
  – Full network assessment reviews
  – LAN network assessments
  – Development and authorization of network changes
  – Unauthorized changes
Environmental Exposures and Controls

• Environmental issues and exposures
  Environmental exposures are due primarily to naturally occurring events, such as lightning storms, earthquakes, volcanic eruptions, hurricanes, tornados and other types of extreme weather conditions.
  – Power failures can be grouped into distinct categories:
    · Total failure (blackout)
    · Severely reduced voltage (brownout)
    · Sags, spikes and surges
    · Electromagnetic interference (EMI)

• Controls for environmental exposures
  – Alarm control panels
  – Water detectors
  – Handheld fire extinguishers
  – Manual fire alarms
  – Smoke detectors
  – Fire suppression systems
  – Strategically locating the computer room
  – Regular inspection by the fire department
  – Fireproof walls, floors and ceilings surrounding the computer room
  – Electrical surge protectors
  – Uninterruptible power supply/generator
  – Emergency power-off switch
  – Power leads from two substations
  – Wiring placed in electrical panels and conduit
  – Prohibitions against eating, drinking and smoking within the information processing facility
  – Fire-resistant office materials
  – Documented and tested emergency evacuation plans

• Auditing environmental controls
  – Water and smoke detectors
  – Handheld fire extinguishers
  – Fire suppression systems
  – Regular inspection by the fire department
  – Fireproof walls, floors and ceilings surrounding the computer room
  – Electrical surge protectors
  – Power leads from two substations
  – Fully documented and tested business continuity plan
  – Wiring placed in electrical panels and conduit
  – UPS/generator
  – Documented and tested emergency evacuation plans
  – Humidity/temperature control
Physical Access Exposures and Controls

• Physical access issues and exposures
  – Physical access exposures:
    · Unauthorized entry
    · Damage, vandalism or theft of equipment or documents
    · Copying or viewing of sensitive or copyrighted information
    · Alteration of sensitive equipment and information
    · Public disclosure of sensitive information
    · Abuse of data processing resources
    · Blackmail
    · Embezzlement
  – Possible perpetrators include those who are:
    · Disgruntled
    · On strike
    · Threatened by disciplinary action or dismissal
    · Addicted to a substance or gambling
    · Experiencing financial or emotional problems
    · Notified of their termination

• Physical access controls
  – Bolting door locks
  – Combination door locks (cipher locks)
  – Electronic door locks
  – Biometric door locks
  – Manual logging
  – Electronic logging
  – Identification badges (photo IDs)
  – Video cameras
  – Security guards
  – Controlled visitor access
  – Bonded personnel
  – Deadman doors
  – Not advertising the location of sensitive facilities
  – Computer workstation locks
  – Controlled single entry point
  – Alarm system
  – Secured report/document distribution cart

• Auditing physical access
  – Touring the information processing facility (IPF)
  – Testing of physical safeguards
Personal Computer (Laptop) Security

• Mobile computing controls
  – Engrave or brand a serial number and the company name and logo
  – Use a cable locking system
  – Back up business-critical or sensitive data
  – Encrypt data
  – Allocate passwords to individual files
  – Establish a theft response team and develop procedures to follow when a laptop is stolen

• Access control table
• Asymmetric key (public key)
• Authentication
• Biometrics
• Card swipes
• Challenge/response token
• Digital signature
• Dry-pipe
• Group Discussion
• Questions

1. Which of the following BEST provides access control to payroll data being processed on a local server?
   A. Logging of access to personal information
   B. Separate password for sensitive transactions
   C. Software restricts access rules to authorized staff
   D. System access restricted to business hours

2. Which of the following concerns about the security of an electronic message would be addressed by digital signatures?
   A. Unauthorized reading
   B. Theft
   C. Unauthorized copying
   D. Alteration

3. The MOST effective method for limiting the damage of an attack by a software virus is:
   A. software controls.
   B. policies, standards and procedures.
   C. logical access controls.
   D. data communication standards.

4. Which of the following BEST determines that complete encryption and authentication protocols exist for protecting information while transmitted?
   A. A digital signature with RSA has been implemented.
   B. Work is being done in tunnel mode with the nested services of AH and ESP.
   C. Digital certificates with RSA are being used.
   D. Work is being done in transport mode, with the nested services of AH and ESP.

5. Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?
   A. Digital signature
   B. Data encryption standard (DES)
   C. Virtual private network (VPN)
   D. Public key encryption