1 Keamanan Sistem (CS4633)..:: Information Security Controls : Pertemuan #8 05/10/2006 Fazmah Arif Yulianto.

1

Keamanan Sistem (CS4633)

..:: Information Security Controls :

Pertemuan #805/10/2006

Fazmah Arif Yulianto

2

Types of Inf_Sec Controls

• Physical• Technical

(logical)• Administrative

(personnel)

• Preventive

• Detective

• Deterrent

• Corrective

• Recovery

3

Terminologies

• Preventive controls attempt to avoid the occurrence of unwanted events

• Detective controls attempt to identify unwanted events after they have occurred

• Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures

• Corrective controls either remedy the circumstances that allowed the unauthorized activity or return conditions to what they were before the violation

• Recovery controls restore lost computing resources or capabilities and help the organization recover monetary losses caused by a security violation

4

Physical Controls: Preventive

• To prevent unauthorized personnel from entering computing facilities (i.e., locations housing computing resources, supporting utilities, computer hard copy, and input data media) and to help protect against natural disasters.

• Examples of these controls include:– Backup files and documentation, backup power– Fences, Security guards, Badge systems.– Double door systems, Locks and keys, Biometric access

controls.– Site selection.– Fire extinguishers etc.

5

Physical Controls: Detective

• Warn protective services personnel that physical security measures are being violated.

• Examples of these controls include:– Motion detectors.– Smoke and fire detectors.– Closed-circuit television monitors.– Sensors and alarms etc.

6

Some types of Physical Security

• Barriers: walls, fences, doors, gates etc.– Q: Who or what is the barrier intended to stop, and for

how long?• Locks: day access locks, after-hours locks,

emergency egress locks– Mechanical / electrical– door control system = authentication + door locking

devices– Lock vs lockpicking

• Alarms: primarily for letting us know if control is functioning properly — that is, has it been breached?– Q: who and what is it supposed to detect, and what is

the intended response?

7

Physical Security (cont’d)

• Lights and cameras: best suited for assessing a situation — a tool to extend the eyes (and sometimes ears) of the guard force.– A common misuse of cameras is assuming that they

will detect an intruder

• Antitheft, Antitamper, and Inventory Controls– Antitamper devices control access to ensure the

integrity of the protected asset – Antitheft devices and inventory controls are intended

to limit movement to a confined area

• …

8

Backup Files and Documentation

• Backup files should be stored far enough away from the active data or documentation to avoid destruction by the same incident that destroyed the original.

• Backup material should be stored in a secure location constructed of noncombustible materials, including two-hour rated fire walls.

• Backups of sensitive information should have the same level of protection as the active files of this information

9

Backup Power

• Backup power is necessary to ensure that computer services are in a constant state of readiness and to help avoid damage to equipment if normal power is lost.

• For short periods of power loss, backup power is usually provided by batteries.

• In areas susceptible to outages of more than 15–30 min., diesel generators are usually recommended.

10

Fire extinguisher

• Automatic water sprinkler: beware of the risk of water damage to computing equipments

• Carbon dioxide extinguishing systems were developed: save for equipments, lethal for human

• Halon extinguisher: usually harmless to equipment and less dangerous to personnel than carbon dioxide.– At a concentration of about 10%, Halon extinguishes

fire and can be safely breathed by humans– High cost

11

Biometric Access Controls

• Biometrics used for identification include fingerprints, handprints, voice patterns, signature samples, and retinal scans.

• Because biometrics cannot be lost, stolen, or shared, they provide a higher level of security than badges.

• Biometric identification is recommended for high-security, low-traffic entrance control.

12

More on biometrics

• Every person has unique physiological, behavioral, and morphological characteristics that can be examined and quantified.

• Biometrics is the use of these characteristics to provide positive personal identification.

13

Some Biometric Performances

• Fingerprint Scan: False rejection rate = 9.4%; False acceptance rate = 0; Average processing time = 7 seconds

• Retinal scan: FRR = 1.5%; FAR = 1.5%; APT = 7 seconds

• Palm scan: FRR = 0; FAR = 0.00025%; APT = 2-3 seconds

• Hand geometry: FRR = 0.1%; FAR = 0.1%; ATP = 2 to 3 seconds

• Facial recognition: ATP = 2 seconds• Voice verification: FRR = 8.2%; FAR = 0.4%; ATP = 2 to

3 seconds

14

15

A basic role of physical security

to keep unwanted people / things out,

and to keep “insiders” honest

16

Technical Controls: Preventive

• To prevent unauthorized personnel or programs from gaining remote access to computing resources.

• Examples of these controls include:– Access control software.– Antivirus software.– Library control systems.– Passwords.– Smart cards.– Encryption.– Dial-up access control and callback systems. etc.

17

Technical Controls: Detective

• Warn personnel of violations or attempted violations of preventive technical controls.

• Examples of these include: – Audit trails – Intrusion detection expert systems

18

Access Control Software

• To control sharing of data and programs between users. • In many computer systems, access to data and

programs is implemented by access control lists that designate which users are allowed access.

• Access control software provides the ability to control access to the system by establishing that only registered users with an authorized log-on ID and password can gain access to the computer system.

• After access to the system has been granted, the next step is to control access to the data and programs residing in the system.

• The data or program owner can establish rules that designate who is authorized to use the data or program

19

Access Controls

• One among central issues in security

• Specify what users can do, what resources they can access, and what operations they can perform on a system

• The effectiveness of access control rests on the proper user authentication and on the correctness of the authorizations

20

An idealized model

21

Audit Control

• Concern a posteriori analysis of all the request and activities of users in the system requires logging

• Useful as/to: – Deterrent/pencegah– Find out about possible attempted or actual

violations– Determining possible flaws in the system– Hold users accountable for their actions

22

Control over access

• More security is not necessarily less access. That is, controlled access does not equal denied access

• Practically all controls fall somewhere in between providing complete access and total denial. Thus, it is the level of control over access — not the amount of access — that provides security.

23

Layered Defense

BREADTH

DEPTH

DETERRENCE

24

Layered Defense: Breadth

A single type of control rarely eliminates all vulnerabilities

– suppose one decides to control read access to data by using a log-on password. But the log-on password does not afford protection if one sends the data over the Internet. A different type of control (i.e., encryption) would therefore provide the additional coverage needed.

25

Layered Defense: Depth

• To be realistic with security, one must believe in failure Any given control is not perfect and will fail, sooner or later.

• Adds layers of additional access controls as a backstop measure.

• Example: The password will not stay secret forever embrace the common dictum, “something you have, something you know, and something you are.” (password, smartcard, fingerprint)

26

Layered Defense: Deterrence

• Simply putting enough controls in place that the cost or feasibility of defeating them without getting caught is more than the prize is worth.

• Examples: surveillance cameras, activity logging

27

Password

• Passwords are used to verify that the user of an ID is the owner of the ID.

• Fixed passwords that are used for a defined period of time are often easy for hackers to compromise

• Choosing ‘good’ passwords?• One-time password:

– Time-synchronized type– Challenge type

28

29

Administrative Controls: Preventive

• Personnel-oriented techniques for controlling people’s behavior to ensure the confidentiality, integrity, and availability of computing data and programs.

• Examples of preventive administrative controls include:– Security awareness and technical training.– Separation of duties.– Procedures for recruiting and terminating employees.– Security policies and procedures.– Supervision.– Disaster recovery, contingency, and emergency plans.– User registration for computer access.

30

Administrative Controls: Detective

• To determine how well security policies and procedures are complied with, to detect fraud, and to avoid employing persons that represent an unacceptable security risk.

• This type of control includes:– Security reviews and audits.– Performance evaluations.– Required vacations.– Background investigations.– Rotation of duties

31

32

References

• Harold F. Tipton, Types of Information Security Controls, Information Security Management Handbook, 5th ed., Harold F. Tipton & Micki Krause (editor), 2004, pp. 113-135

• Ravi S. Sandhu & Pierangela Samarati, Access Control: Principles and Practice