PROTECTION OF INFORMATION ASSETS – DOMAIN 5
Jan 17, 2016
LOGICAL ACCESS EXPOSURES
•Logical access controls are the primary means used to secure or protect information assets.
•They enforce the management-developed policies and procedures meant to protect these information assets.
•IS auditors should therefore be able to analyze the effectiveness of the protections put in place to avoid losses due to exposure, as the losses could range from minimal to a total shutdown of operations.
•Exposures arising from accidental or intentional exploitation of logical access control (LAC) weaknesses include technical exposures such as destroying data, compromising system usability, and diverting processing resources at the network, platform, database or application level.
•They include:
•Data Leakage: siphoning or leaking information out of the computer; this can involve dumping files to paper, or simply stealing reports and tapes. The process leaves the original copy in place, so it may go undetected.
•Wire Tapping: eavesdropping on information being transmitted over communication lines.
•Trojan Horses/Backdoors: malicious or fraudulent code hidden in an authorized or falsely authorized program.
•Viruses: insertion of malicious code into other executable code; the code can self-replicate and spread from computer to computer via sharing of removable media, USB devices, or a direct link with an infected machine or code.
•Worms: destructive programs that destroy data or use up tremendous computer or communication resources, but do not replicate the way viruses do. They do not change other programs, but can run independently and travel from machine to machine across network connections by exploiting vulnerabilities.
•Logic Bombs: these are also programs, but unlike viruses they do not self-replicate; rather, they are programmed to “detonate” at a particular time and are generally used for extortion in exchange for the location of the bomb. They are often triggered by a specific activity.
•Denial-of-Service attack: disrupts or denies legitimate users’ access to a particular service, area or network.
•War Driving: involves receiving wireless data on a laptop, usually while driving.
•Piggy-backing: an unauthorized person gains access to a protected facility by following an authorized individual through the entrance.
•Rounding Down: this involves rounding off small amounts of money from a computerized transaction or account and re-routing the money into the perpetrator’s account.
•Salami Technique: similar to rounding down; the difference is that rounding down takes only the smallest fraction of the money amount. Both depend on the algorithm/formula built into the program.
GENERAL POINTS OF ENTRY
•Network Connectivity: linking a PC to a segment of an organization’s network infrastructure, either through a physical or a wireless connection. At a minimum, such access requires user identification and authentication to a domain-controlling server. Other points of access could be secondary, e.g. to a particular database or application.
•Remote access: here a user dials in remotely to an organization’s server, which requires the user to identify and authenticate himself before accessing the specific functions that can be performed remotely. Remote access points can be extensive and should therefore be controlled wherever possible.
OTHER POINTS OF ENTRY
•Online workstations or terminals: access in today’s client-server environments typically requires entering a logon ID and password to gain access to the host computer system, and may also require further entry of authentication or identification for access to application-specific systems.
LOGICAL ACCESS CONTROL SOFTWARE
•Access control software is used to assure the following: CONFIDENTIALITY, INTEGRITY and AVAILABILITY.
•The purpose of access control software (ACS) is to prevent unauthorized access to and modification of data, and unauthorized use of system-critical functions.
•To achieve this kind of control, it is essential to apply access control across all layers of an organization’s IS architecture, i.e. networks, platforms, databases and application systems, with each of them featuring some form of identification and authentication, access authorization, and logging of user activities.
•The greatest degree of access control is at the NETWORK and OS levels. These systems are also referred to as general support systems.
•OS access control software interfaces with network access control software, which resides on network devices (e.g. routers, firewalls) that manage and control external access to the organization’s networks.
•GENERAL OPERATING AND/OR APPLICATION SYSTEMS ACCESS CONTROL FUNCTIONS INCLUDE:
•Create or change user profiles
•Assign user ID and authentication
•Apply user logon limitation rules
•Create individual accountability and auditability by logging user activities
•Establish rules for access to specific resources
•Log events
•Report capabilities
•Database and/or application-level access control functions include:
•Create or change user profiles
•Verify user authorization at the application and transaction level
•Verify user authorization within the application
•Verify subsystem authorization for the user at the file level
•Log database/data communication access activities for monitoring access violations
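The application- and transaction-level functions listed above, shown in working form as an added example (not part of the original notes): user profiles act as the access rules, each logged access is checked against them, and the events that break a rule are collected for the violation report. The profiles, log lines and field layout are constructed for illustration.

```python
from collections import namedtuple

# Constructed user profiles: the resources a logon ID may reach at the
# application level, and the transactions it may run within the application.
PROFILES = {
    "clerk01": {"resources": {"payroll_db"}, "transactions": {"view_salary"}},
    "admin01": {"resources": {"payroll_db", "hr_db"},
                "transactions": {"view_salary", "update_salary"}},
}

Event = namedtuple("Event", "time user resource transaction")

# Constructed access log, one event per line: time user resource transaction
SAMPLE_LOG = """\
2016-01-17T08:01:12 clerk01 payroll_db view_salary
2016-01-17T08:02:40 clerk01 payroll_db update_salary
2016-01-17T08:03:05 guest99 hr_db view_salary
2016-01-17T08:04:30 admin01 hr_db update_salary
2016-01-17T08:05:50 clerk01 hr_db view_salary
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into Event records."""
    return [Event(*line.split()) for line in text.splitlines() if line.strip()]


def authorized(event, profiles=PROFILES):
    """Apply the rules at both the application (resource) and transaction level."""
    profile = profiles.get(event.user)
    if profile is None:
        return False  # unknown logon ID: no profile, no access
    return (event.resource in profile["resources"]
            and event.transaction in profile["transactions"])


def access_violations(text, profiles=PROFILES):
    """Return the logged events that break the rules, for the violation report."""
    return [e for e in parse_log(text) if not authorized(e, profiles)]
```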
IDENTIFICATION AND AUTHENTICATION
•The process of establishing and proving one’s identity. It is essential for establishing user accountability, i.e. linking specific activities to specific people.
•Some common vulnerabilities that may be exploited to gain unauthorized access include:
•Weak authentication methods
•Potential for users to bypass the authentication mechanism
•Lack of confidentiality and integrity for the stored authentication information.
•Lack of encryption for authentication and for the protection of information transmitted over a network.
•Users’ lack of awareness of the risks associated with sharing authentication elements.
•Authentication is based on: something you know (e.g. ??), something you have (e.g. ??) and something you are (e.g. ??).
•These techniques can be used independently or in combination to authenticate and identify a user.
•Single-factor authentication uses something you know, e.g. an ID and password. When this is combined with something you have, it is TWO-FACTOR authentication.
I AND A BEST PRACTICES
•IDs not used after a period of time should be deactivated to prevent possible misuse. This can be done automatically by the system or manually by an administrator.
•The system should automatically disconnect a logon session if no activity has occurred for a period of time; this reduces the risk of misuse of an active logon session.
FEATURES OF PASSWORDS
•Easy to remember, but difficult to guess.
•The initial password may be allocated by the administrator or generated by the system itself, and the system should prompt the user to change it immediately.
•If a wrong password is entered a pre-defined number of times, the logon ID should be automatically locked out, either permanently or temporarily.
•Users who have forgotten their passwords should notify the administrator. The administrator should reactivate the account only after verifying the user’s identity (challenge/response system).
•Passwords should be one-way encrypted internally to the computer and should be masked anywhere they are displayed.
•Passwords should be changed periodically; how often depends on the criticality of the asset being protected.
•Should be unique to an individual.
•All of these should be formalized in a policy and made a mandatory requirement.
•Ideally, passwords should be a minimum of 8 characters in length; this sometimes depends on the capability of the system being used.
•Combination of at least three of the following: alpha, numeric, upper and lower case, and special characters.
•Should not be particularly identifiable with the user, and previous passwords should not be reused.
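The password features above, put together in one working example added here (it is not code from the original notes): the 8-character minimum, the three-of-four character-class rule, the “not identifiable with the user” check, one-way salted hashing of the stored password, a history that blocks reuse, and lockout of the logon ID after a pre-defined number of wrong attempts. The lockout threshold (3) and history depth (5) are assumed values, since the notes leave them to policy.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8           # notes: passwords should be a minimum of 8 characters
MIN_CLASSES = 3          # notes: at least three of the four character classes
MAX_FAILED = 3           # assumed value for the "pre-defined number" of wrong attempts
HISTORY_SIZE = 5         # assumed number of previous passwords remembered
CLASS_PATTERNS = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]

def policy_violations(password: str, user_id: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(1 for p in CLASS_PATTERNS if p.search(password)) < MIN_CLASSES:
        problems.append("too few character classes")
    if user_id.lower() in password.lower():
        problems.append("identifiable with the user")
    return problems

def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted hash: the system stores this, never the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, user_id: str):
        self.user_id = user_id
        self.salt = os.urandom(16)
        self.history = []        # hashes of the current and previous passwords
        self.failed = 0
        self.locked = False

    def set_password(self, password: str) -> list:
        problems = policy_violations(password, self.user_id)
        digest = hash_password(password, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            problems.append("reuses a previous password")
        if not problems:
            self.history = (self.history + [digest])[-HISTORY_SIZE:]
        return problems

    def login(self, password: str) -> bool:
        if self.locked or not self.history:
            return False
        ok = hmac.compare_digest(hash_password(password, self.salt), self.history[-1])
        self.failed = 0 if ok else self.failed + 1
        self.locked = self.failed >= MAX_FAILED   # lock the logon ID after too many failures
        return ok
```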
BIOMETRICS
•Based on a unique, measurable attribute or trait used to verify the identity of a human being.
•Involves the use of a reader device that interprets the individual’s biometric features before granting access.
•Entering an individual’s biometric involves an enrollment process that stores the user’s particular features.
•3 quantitative measures define its performance/ accuracy:
•FRR - FALSE REJECTION RATE
•FAR - FALSE ACCEPTANCE RATE
•FER - FAILURE TO ENROL RATE
•FRR, or type-1 error rate, is the number of times an individual who has been granted authority is falsely rejected by the system.
•An aggregate measure of type-1 error rates is the failure-to-enrol rate (FER), i.e. the proportion of people who fail to be enrolled successfully.
•FAR, false acceptance rate or type-2 error, is the number of times an individual who has not been granted authority to use a system is falsely accepted by the system.
•When FRR and FAR are equal, the system is operating at its EER, the equal error rate.
•THE LOWER THE OVERALL MEASURE, THE MORE EFFECTIVE THE BIOMETRIC
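How FRR, FAR and the EER are actually obtained from a threshold-based matcher, as an added example that is not part of the original notes. The genuine and impostor match scores are constructed for illustration; a real device would produce them during verification. FRR and FAR are computed at every candidate threshold, and the EER is read off where the two curves are closest to equal.

```python
# Constructed sample data from a hypothetical matcher (higher score = better match).
# Genuine: an enrolled user compared against their own template.
# Impostor: someone else's sample compared against that user's template.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.82, 0.80, 0.77, 0.74, 0.70, 0.66, 0.58]
IMPOSTOR_SCORES = [0.62, 0.55, 0.51, 0.48, 0.45, 0.41, 0.38, 0.35, 0.30, 0.22]


def frr(genuine, threshold):
    """Type-1 error: fraction of authorised users rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor, threshold):
    """Type-2 error: fraction of unauthorised users accepted (score at/above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, steps=100):
    """(threshold, FRR, FAR) at each candidate threshold from 0 to 1."""
    return [(t / steps, frr(genuine, t / steps), far(impostor, t / steps))
            for t in range(steps + 1)]


def equal_error_rate(genuine, impostor, steps=100):
    """Threshold at which FRR and FAR are (closest to) equal, and the EER there.

    Raising the threshold lowers FAR but raises FRR, so the curves cross once;
    the crossing point is the EER the notes use to compare devices (lower = better).
    """
    best = min(error_curve(genuine, impostor, steps),
               key=lambda row: abs(row[1] - row[2]))
    threshold, fr, fa = best
    return threshold, (fr + fa) / 2
```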
•Generally, the ordering of biometric devices with the best response times and lowest EERs is palm, hand, iris, retina, fingerprint and voice, respectively.
•The concept of biometrics should address the following:
•Integrity, nonrepudiation, authenticity.
•The stages are: enrollment, transmission and storage, verification, identification, and the termination process.
•In order of effectiveness: palm, hand geometry, iris, retina, fingerprint, face.
•Signature recognition: based on signature dynamics; it is a feature analysis program, i.e. it measures speed, pen pressure, directions and stroke length.
•Voice recognition: converting the acoustic signal of a person’s voice into a unique digital code.