UNIT II_RISK_MITIGATION_PROCESS.pdf

Full Transcript

20 UNIT II RISK MITIGATION PROCESS 2.0 Learning Outcomes 2.1 Curriculum Mapping 2.2 Information Assurance in System Development and Acquisition 2.3 Information Assu...

20 UNIT II RISK MITIGATION PROCESS 2.0 Learning Outcomes 2.1 Curriculum Mapping 2.2 Information Assurance in System Development and Acquisition 2.3 Information Assurance Awareness, Training, and Education (AT&E) 2.4 Physical and Environmental Security Controls 2.5 Preventive Information Assurance Tools 2.6 Access Control 2.0 LEARNING OUTCOMES Upon completion of this module, the student should be able to: 1) Develop understanding on how to integrate information assurance activities into the system development life cycle to ensure proper identification, design, integration, and maintenance of applicable information assurance controls throughout an information system’s life cycle. 2) Develop understanding on the roles in the information assurance plan and how they fit into cybersecurity, information protection, information security, and finally information assurance. 3) Design a model for implementing physical and environmental security to protect an organization’s physical infrastructure, its equipment, and its facilities, as well as its employees, from physical events, threats, or incidents. 4) Discuss the tools and techniques for cases in which an organization chooses to prevent undesirable impact. 5) Apply techniques commonly used for access control. 2.1 CURRICULUM MAPPING Instruction: You map the ILOs to the COs by writing the CO code provided before the articulated ILO. Course Outcomes 1) Explain key concepts of information security such as design principles, cryptography, risk management, and ethics fundamental to integrating effective information assurance; 2) Discuss legal, ethical, and professional issues in information security; 3) Identify appropriate techniques to tackle and solve problems in the discipline of information security; and Apply various security and risk management tools for achieving information security and privacy. Intended Learning Outcomes _____ 1. Develop understanding on how to integrate information assurance activities into the system development life cycle to ensure proper identification, design, integration, and maintenance of applicable information assurance controls throughout an information system’s life cycle. _____ 2. Develop understanding on the roles in the information assurance plan and how they fit into cybersecurity, information protection, information security, and finally information assurance. 21 _____ 3. Design a model for implementing physical and environmental security to protect an organization’s physical infrastructure, its equipment, and its facilities, as well as its employees, from physical events, threats, or incidents. _____ 4. Discuss the tools and techniques for cases in which an organization chooses to prevent undesirable impact. _____ 5. Apply techniques commonly used for access control. 2.2 INFORMATION ASSURANCE IN SYSTEM DEVELOPMENT AND ACQUISITION Overview of the System Development Life Cycle The system development life cycle is the overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal. In this phase, the need for a system is established, and the Initiation requirement capabilities of the system are stated. In this phase, a system based on the user’s input, time, and Acquisition/ financial constraints is purchased, outsourced, or developed. development This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle. This phase involves vigorous initial testing. Once satisfactory results Implementation are obtained, the system is installed or integrated. During this phase, the system is made to perform the intended task Operation/ and maintained. The system is also modified by adding new maintenance hardware and software when needed. This stage occurs when the system fails to cater to new expectations Disposal or requirements. Here, the system is disposed of and usually replaced by a new system. Table 2-1: Activities in a System Development Life Cycle Integrate information assurance activities into the system development life cycle to ensure proper identification, design, integration, and maintenance of applicable information assurance controls throughout an information system’s life cycle. Table 2-2 summarizes the activities in all phases of the system development life cycle. Security Activities and Definitions in the System Development Activities A. Initiation Phase - Ensure that the information assurance team is involved. - Establish the security requirements based on the sensitivity and categorization (classification) of information. - Conduct initial risk assessment. B. Development/Acquisition Phase - Analyze the security functional requirements. - Conduct formal risk assessment in greater depth than the initial risk assessment. - Determine the budget (costs of hardware, software, personnel, and training) - Develop a user/operational manual for the system. - Develop technical test cases. C. Implementation Phase - Develop test data (a copy of some parts of real data can be used). - Check that the functionality is exactly as specified in the system and can be used to its optimum level. - Ensure that after system testing and employee training, the system may be integrated at the operational site. D. Operation/Maintenance Phase - Schedule proper audits. 22 - Monitor to ensure that security controls continue to be effective and function as expected (reviewing logs and reports). E. Disposal Phase - Determine the archiving method. - Make sure there is written approval from the senior management to destroy information. - Delete, erase, and overwrite data as necessary. - Dispose of hardware and software as directed by the existing policy. Table 2-2: Secure System Development Life Cycle (SSDLC) in Information Assurance List of Software Security Vulnerabilities and Weaknesses Common types of software security weaknesses. 1. Bugs 2. Exposure of sensitive data 3. Flaws in Injection 4. Buffer overflow 5. Security misconfiguration 6. Broken access control 7. Insecure deserialization 8. Broken/Missing Authentication Bugs, in general, cause the software to behave in an unexpected manner. Pretty much all software contains minor (or major) bugs. Hackers can easily take advantage of some software bugs and cause much harm if you do not fix security vulnerabilities. While it is usually impossible to ship software with 0 bugs, it’s important to find and fix any serious bugs, especially ones that could pose a security risk. Exposure of sensitive data. Sensitive data includes things such as account numbers, addresses, financial data, health information, usernames, and passwords. All this data must be protected to keep it from falling into the wrong hands. Personal or sensitive data has to be protected with encryption and access controls to prevent unauthorized people from accessing it. If the software fails to protect this personal data due to security vulnerabilities, hackers who gain access to this information can use it to commit fraud and other crimes. Flaws in Injection. Injection flaws result in cyber attackers injecting malicious code into an application. This kind of software security vulnerability occurs when untrusted data is sent along with a query or command to an interpreter, which in turn will make the targeted system to execute unexpected commands. This kind of attack can also result in hackers gaining access to protected data stored in the database without the right authorization. Buffer overflow. Yet another common type of software security weakness, buffer overflow occurs when an attempt is made to store data that is too big for the memory space allocated. Attackers can use this software coding mistake, where the storage capacity of a program is overwritten, to take control of or to access your system. This vulnerability tends to be more common in software written in C and C++. Many programming languages have automatic protection against buffer overflow attacks. Security misconfiguration. One of the most common issues in software development, security misconfiguration is a result of incomplete configurations and default configurations that are not secure. For example, open cloud storage or misconfigured HTTP headers. In order to avoid this kind of software security weakness, you need to make sure you have properly configured your OS, frameworks, and applications. Likewise, all this must be updated whenever necessary. Broken access control. Broken user restrictions can cause severe software weaknesses. For example, if you have an admin panel for your website, you want to restrict that area 23 so only admin users can access it. If such restrictions are not enforced properly, hackers and other unauthorized people can easily take advantage of that vulnerability and access sensitive data or gain control of your system. Insecure deserialization. Insecure deserialization is a security weakness that is used by hackers to carry out injection attacks and DDoS attacks. In this type of vulnerability, untrusted data is used to implement attacks. Broken/Missing Authentication. Weaknesses in session management and credential management result in broken authentication, which means an attacker is able to compromise passwords or other information to access a user’s account. Improperly implemented authentication and session management can result in this kind of software vulnerability. What Is Secure Coding? Secure coding is to design and develop software by avoiding the weaknesses that lead to security-related vulnerabilities by adhering to the specified security standards, and industry best practices. Reasons for Inadequate Security Implementation In general, the following are a few reasons for inadequate security implementation in the application.  Priority is given for Functional Release than Security aspects.  Ignorance or No Awareness about Software Security and Hackers.  Not enough clarity on the Program or on the Software Design itself.  The complexity of the Program.  Not enough data, information on the live system where it will be deployed.  No consideration of Security in the SDLC phases.  Insufficient knowledge and understanding of the specifics of the language used in the software.  Not enough knowledge to the team and developers about Security Coding Guidelines. We know that it is not that all Developers and Testers are aware of the Security of an application and may not have an in-depth understanding of security vulnerabilities and exploits, especially to the application that they would be working upon. Generally, they will be familiar with, ‘How to code functionally’ but not all of them know ‘How to code securely’. Hence, the very important aspect for the organization to adopt Secure Coding Practices in their software is to first ‘Train People’. Therefore, training their team on Secure Coding Aspects, Best Security Coding Practices and the Correct Tool usage is very important. The most important Design Principle of Software Security is to ‘Implement Security by Design and Default’. Common Programming Errors to be Avoided Few common Programming Errors that need to be avoided are listed below:  Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’).  Buffer Copy without Checking the Size of Input (‘Classic Buffer Overflow’).  Missing Authentication for Critical Function.  Missing or Incorrect Authorization.  Use of Hard-coded Credentials.  Missing Encryption of Sensitive Data.  Unrestricted Upload of File with Dangerous Type.  Reliance on Untrusted Inputs in a Security Decision.  Execution with Unnecessary Privileges.  Cross-Site Request Forgery (CSRF). 24  Download of Code Without Integrity Check.  Incorrect Calculation of Buffer Size.  Improper Restriction of Excessive Authentication Attempts.  URL Redirection to Untrusted Site (‘Open Redirect’).  Uncontrolled Format String.  Use of a One-Way Hash without a Salt. Checklist for Secure Code Practices Last, but not the least, after considering all the above points of Secure Software Development aspects, the Developers need to follow the Checklist established for the Secure Code Practices to ensure that things are not missed out. Given below are a few but not an exhaustive list. Input Validation:  Do not trust input, consider centralized input validation.  Do not rely on client-side validation.  Be careful with canonicalization issues.  Constrain, reject, and sanitize input. Validate for type, length, format, and range. Authentication:  Partition site by anonymous, identified, and authenticated area.  Use strong passwords.  Support password expiration periods and account disablement.  Do not store credentials (use one-way hashes with salt).  Encrypt communication channels to protect authentication tokens.  Pass forms authentication cookies only over HTTPS connections. Authorization:  Use least-privileged accounts.  Consider authorization granularity.  Enforce separation of privileges.  Restrict user access to system-level resources.  Use OAuth 2.0 protocol for Authentication and Authorization.  Carryout API Validation.  Whitelist allowable methods.  Protect privileged actions and sensitive resource collections.  Protect against Cross-site resource forgery (CSRF). Session Management:  Create a Session identifier on the server.  Terminate the session with the Logoff.  Generate a new session on re-authentication.  Set the ‘secure’ attribute for cookies transmitted over TLS. Cryptography:  Use cryptography while ‘Data in transit, Data in storage, Data in motion, Message Integrity’.  Do not develop your own. Use tried and tested platform features.  Keep unencrypted data close to the algorithm.  Use the right algorithm and key size.  Avoid key management (use DPAPI).  Cycle your keys periodically.  Store keys in a restricted location. Logging and Auditing:  Identify malicious behavior.  Know what good traffic looks like. 25  Audit and log activity through all of the application tiers.  Secure access to log files.  Back up and regularly analyze the log files. Output Encoding:  Carryout ‘Input Validation (XML, JSON….).  Use Parameterized query.  Carry out ‘Schema validation’.  Carry out Encoding (XML, JSON..).  Send Security Headers. 2.3 INFORMATION ASSURANCE AWARENESS, TRAINING, AND EDUCATION (AT&E) Some examples of information assurance risks attributed to employees include the following:  Using weak passwords  Downloading malware  Using of out-of-date antivirus signatures and software  Being unaware of becoming targets of social engineering attacks However, with a proper information assurance AT&E development program, users become the organization’s strongest information assurance asset. The AT&E program ensures that employees understand personal responsibility and organizational policies. It allows them to better use and protect information system resources entrusted to them. An effective AT&E program has four stages: literacy, awareness, training, and education (LATE). Not all employees will progress through the entire program to education nor is progression of all employees to education necessary for effectiveness. However, the AT&E program will not succeed if literacy is not established. Employees must have a common vocabulary to be able to communicate about information assurance. Purpose of the AT&E Program The purposes of information assurance AT&E are as to:  circulate and ensure effective implementation of the organization’s information assurance policies, procedures, and guidelines  cultivate a strong information assurance culture by making employees aware of their responsibilities with regard to information assurance  emphasize the fact that the organization is taking information assurance seriously and therefore will train its employees about the importance of protecting the organization’s information assets  encourage employees to seek additional education about information assurance  encourage employees to be more information assurance–conscious in their daily tasks, for example, by considering information assurance risks when making business decisions  highlight management’s support for and commitment to information assurance  inform employees about information assurance risks and controls in a general sense and provide more specific information and guidance where necessary Benefits of the AT&E Program The following are the benefits introduced by awareness, training, and education programs:  raises an organization’s reputation and brand.  minimizes the severity and number of information assurance incidents.  provides better protection for assets.  reduces the risk of lawsuits against the organization. Design, Development, and Assessment of Programs - Before organizations embark on any information security awareness or training programs, take steps to ensure proper information assurance processes and 26 information assurance roles and responsibilities have been established. This will reveal that the organization is ready and committed to pursue the information assurance initiatives with the employees’ support. - A well-designed AT&E program begins with a needs analysis. Organizations should develop an AT&E strategy based on the results of this assessment. - Develop awareness and training materials to support the plan in the next phase. Security awareness and training materials are widely available on the Web and can be customized to any particular organization’s culture and strategic needs. - Survey forms, evaluation forms, and independent observations can always be used as input. Types of Learning Programs The types of programs usually consist of awareness, training, and education. There is also a subtle difference between training and education. The former emphasizes more on skill development especially in using the information system. The latter is more general in the sense that it imparts general knowledge, preparing the audience for a more mature life in managing security of information.  Information Assurance Awareness. An Information Security Awareness Program is an organized effort to make employees and customers aware of risks to personal and institutional information and information technology, and to provide them with the skills and knowledge necessary to avoid those risks.  Information Assurance Training. Training aims to teach or improve an individual’s skill, knowledge, or attitude, which allows a person to carry out a specific function, while awareness aims to focus an individual’s attention on an issue or a set of issues. Awareness explains “what” needs to be done and training explains “how” it should be done.  Information Assurance Education. In a training environment, the employee is taught to use specific skills as part of specific job performance. In an education context, the employee would be encouraged to examine and evaluate not only skills and methods of work but fundamental operating principles and tenants upon which job skills are based. A formal education program allows for acquisition of knowledge, skills, and proper understanding of their role at the holistic level. This will cultivate development of right behaviors, values, and wisdom. Why an Information Security Awareness Program? - Community members must understand security and privacy compliance requirements. - Breaches can have serious legal and financial implications. - Certain breaches must be investigated and reported promptly. - Community members have a critical role in risk mitigation. - Attackers are focusing on community members; it is important that they understand the risks to their credentials, and other dangers. - Community members need to understand how to work with security solutions. Security Education and Awareness Procedures 1) Purpose: Security education and awareness refers to the methodology followed for training, educating, and generating awareness for information technology security in the workplace. 2) Scope: In accordance with the “security standards” incorporated into the Health Information Portability and Accountability Act, security education and awareness methods must be an integral part of the College of Public Health Information Technology procedures and guidelines. Documented procedures for security education and training reduce the risk that key information technology assets are accessed inadvertently or inappropriately by persons without authority. 27 3) Applicability: Security education and awareness plan is applicable to all College of Public Health departmental administrators and supervisors responsible for supervising employees and students. The Office of Information Technology is also applicable as a participant/administrator of security education and awareness procedures. Employees and students must participate, learn, and adhere to security procedures. 4) Guidelines - Required: All College of Public Health departmental administrators and supervisors must understand the importance of security education and awareness, including the process of educating employees and students. - Required: Good communication between departmental administrators and the College of Public Health Office of Information Technology is required, including the process and procedures for security education and awareness. - Required: All collegiate faculty, staff, and students must be willing to participate, learn, and adhere to security procedures. 5) Security Education and Awareness Plan The collegiate Office of Information Technology recommends the following practices for educating faculty, staff, and students with regards to IT security. The majority of these recommendations come from the advice of the National Institute for Standards and Technology (NIST). - Promotional/Specialty Items: Awareness relies on reaching broad audiences with attractive packaging techniques. Messages or motivational slogans can easily serve as refreshers on promotional or specialty trinket items, such as: badge holders, biometric devices, calendars, coffee cups, first-aid kits, flags, frisbees, golf tees, greeting cards, magnets, mousepads, notes and note pads, postcards, security screensavers, and t-shirts. - Motivational Slogans: Examples of motivational slogans include: Security is everyone’s responsibility! SEC_RITY is not complete without U! - Logon Access Banners - Hands-on Training - Videos - Computer-based Awareness Materials - Web-based Awareness Materials - Posters or Flyers 28 - Briefings, Articles, Newsletters and Magazines - Exhibits 6) Contacts and Technical Experts The Five Elements of a Successful Security Awareness Program 1. Education On the Different Types of Cyber Threats o SPAM-This is not just limited to direct email anymore. You might receive an invite from a “friend” to add them on LinkedIn. Major social networks we trust are a common way for hackers to hide behind false identity and catch you in a weak moment. o MALWARE- Most simply defined as “malicious software,” malware is any type of software designed to cause harm to a device such as worms, viruses, trojans and rootkits. o PHISHING-This is the practice hackers use to essentially cast a wide net of bait and pull in whatever they catch. Phishing consists of emails that look genuine but include dangerous links that steal passwords or personal information. o WHALING- Whaling attacks specifically aim for high-profile individuals, such as politicians or CEOs of large corporations with high-profile access to data and financial information. However, small business owners aren’t exempt. o FRAUD PREVENTION- Businesses can face fraud in a number of ways. Identity theft tends to be the most prominent method with over 4.8 million reported cases in 2020. Other methods of fraud include: return fraud, money fraud, workers comp fraud and payroll fraud. 2. Email, Internet, Social Media And Privacy Policies - It is important to explicitly outline rules for browsing and social media usage on company devices, and while using company email addresses. The browsing habits of your employees can be one of the largest threats your company faces in the fight against malicious cyber schemes. - It is crucial that your cybersecurity training includes rules on “What Not to Click” and when to be hyper aware of social media emails that request a login. - Certain websites are higher risks than others. So, to ensure complete safety, include training on what websites and social networks might be off limits while on the clock. Better yet, invest in software that flags suspicious emails and websites. 3. Secure Password Policies Combined with Multifactor Authentication - Your passwords are the key to your cyber kingdom, and hackers have plenty of ways to try to crack the code. The primary way cyber bullies obtain important passwords is by making educated and calculated guesses until they get it right. Educate your employees on the major Do’s and Don’ts in creating secure passwords. - The most important passwords are both professional and personal email and social network passwords. If a hacker gains access to anyone’s email password they now 29 have the liberty to click “Forgot My Password” on just about any account you’ve created. - Scary, right? Make sure your employees are well-versed in creating solid, secure passcodes (or better yet, passphrases). - The gold standard for password security occurs when a secure password is combined with multifactor authentication (MFA). MFA, sometimes called two- factor authentication (2FA), is an additional electronic authentication method required to access a device, website or application. MFA methodology stems from a combination of three elements to authenticate a user's identity: knowledge, possession and inherence. - Application of MFA often varies and most services allow users to choose between a handful of authentication methods. Common MFA methods include one-time passwords (OTP) generated from a physical token, authenticator app or SMS message. Biometric authentication methods such as fingerprint or facial scans are becoming more common, especially in the mobile space. 4. Threat Recognition and Response Training - Phishing techniques have come a long way since the, “You’ve been selected to receive $100,000, we just need your wiring info” tactic. - For example, if employees receive an email that notifies them of a suspicious log-in attempt to their Google account, have them take another look. Often, these links can send users to a new page where inputting their login information grants the hacker the access they’re looking for. - Suspicious activity can also include urgent requests that invoke an impulse click or downloadable PDF links that are corrupted. Regardless of the tactic, employees must have an incident response plan. - What to do if you spot a suspicious email: notify your IT team immediately and do not click. Delete the email from your inbox or forward it to a secure inbox to be analyzed. - Just remember, always be on the lookout for unknown senders. 5. Regular Vulnerability Testing - As a part of your ongoing training, you can implement risk assessment on your computer networks and applications to pinpoint failure areas before they happen. - Highly trained professionals can administer vulnerability testing for you, identifying areas that compromise the privacy of your data and cause damage on multiple fronts. - Create periodic emails and clickable links that simulate phishers to see if your employees are still alert and up to date in recognizing phony accounts and requests. By scheduling weekly, bi-weekly or monthly simulated attacks, your employees will actually become defense assets. 2.4 PHYSICAL AND ENVIRONMENTAL SECURITY CONTROLS Physical and environmental security protects an organization’s physical infrastructure, its equipment, and its facilities, as well as its employees, from physical events, threats, or incidents. The main threats for physical and environmental security are:  Energy, for example, electricity  Equipment, for example, mechanical or electronic component failure  Fire and Chemical, for example, explosion, smoke, or industrial pollution  Human, for example, riot, war, terrorist attack, or bombing  Natural Disaster, for example, earthquake, volcano, landslide, or tornado  Pandemic disease, for example, bacteria or virus  Radiation, for example, electromagnetic pulse  Weather, for example, sandstorm, humidity, flood, or lightning 30 Benefits Organizations benefit by establishing physical and environmental security controls/countermeasures to protect information in storage, transit, and processing. These countermeasures help protect information-processing systems from the following events:  Environmental disruption. Natural disasters and man-made environmental problems are regarded as some of the most prevalent threats today. For example, fire can destroy buildings. Floods can cause damage to infrastructure, assets, and data.  Interruptions to service. Serious business interruption may cause business disaster. If an organization faces services disruptions because of breaches of physical security, the organization’s reputation will be at stake. This may lead to loss of public confidence.  Loss of system integrity. If intruders are able to gain physical access to hardware components, they may be able to bypass logical access controls. With this access, they may perform malicious acts on systems and components. These activities can cause loss of information system availability, confidentiality, and integrity.  Physical damage. The acts of sabotage or vandalism can impair hardware components. Damaged media may raise concerns on data confidentiality, integrity, and availability.  Physical theft. In the event of loss of hardware components because of physical theft (or robbery), organizational functions may be interrupted particularly if the organization does not have backup or fails to replace stolen components in a timely manner.  Unauthorized disclosure of information. Insufficient physical security controls may enable intruders to obtain easy access to an organization’s information assets. This will place the security of classified information at risk. Physical and environmental security is best managed using a layered defense approach. The layered defense approaches for physical and environmental security are divided into two broad areas:  Physical security of premises and offices  Physical security of equipment Physical Security of Premises and Offices  Physical Security of Premises. The first line of defense in safeguarding employees, information resources, and property is the security perimeter. Examples of ways to provide physical protection are fences and creating layered physical barriers around the premises and information-processing facilities, including a manned reception area, security guards, or intrusion alarm systems. Perimeter protection also includes deploying lockable doors and windows, grills for windows, and fire escapes.  Physical Entry Controls. Physical entry controls restrict access to information- processing resources by allowing only authorized individuals in the area. Minimal physical entry controls should include the positive identification of all employees, vendors, and visitors at each point of entry. The following provides further explanation about access controls for employees and visitors: - Employee access Restriction of employee access depends on the need for access, job function, and responsibilities. Positive identification and access control are mandatory; therefore, all employees should be required to wear some form of visible identification (ID badge) at all times whenever they are on the premises. 31 - Visitor access. Permit visitor access only to those areas where they have specific and official purposes. A record of visitors who enter the premises should be maintained. The dates and times of their admissions and departures should be logged. This recording may be accomplished with a card access control system, a sign-in log, or other mechanisms.  Securing Offices, Rooms, and Facilities. Secure areas are frequently called enclaves. For example, network and communications equipment rooms or human resources offices are enclaves that may require additional controls. Physical security is an ideal tool for compartmenting information; consider using badge readers or cipher locks that require a unique code, key, and/or badge for entry. By combining a badge with a key code, the organization has a two-factor physical access system.  Working in Secure Areas. The physical security should accommodate third parties working in the area. A secure work area may include closed circuit television (CCTV) and card-controlled doors.  Public Access Delivery and Loading Areas. It is important that access to areas such as entry, delivery, and loading areas is limited to authorized individuals. If possible, separate these entrance and exit areas from secure areas to minimize threats.  Duress. In high-risk environments, organizations should establish a duress alarm or code that gives a covert alert about an increased risk situations. For example, a physical security alarm causes the security operations center to call a guard station. The operations personnel asks the guard if everything is okay. The guard responds, “Everything is fine; the zebra system is down again.” The operation center immediately dispatches law enforcement to the guard’s location. What happened? The term “zebra system is down” is a predesignated signal to indicate the guard was under duress. Perhaps someone was threatening the guard and telling him he must tell the operations center “everything is fine” while thieves attempted to rob the organization. To be effective, duress codes must be maintained confidentially within the organization, and their implementation must be practiced by those who routinely use them. A duress alarm response procedure should be in place to ensure that every alarm is handled properly and immediately.  Physical Security of Equipment. Organizations should physically protect information-processing equipment to minimize the risk of unauthorized access to information, as well as to safeguard against loss or damage. For example, if someone has physical access to your network equipment, it is easier for them to modify the security profile of the equipment than by trying to do it electronically from offsite.  Equipment Placement and Protection. Organizations should secure equipment from environmental threats, hazards, and opportunities for unauthorized access. Organizational assets face destruction from exposure to fire, smoke, water, and other hazards, so information and information processing resources should be protected with a diverse set of countermeasures: - Fire Installing fire sensors, heat sensors, smoke sensors, fire extinguishers, or sprinkler systems can reduce risks from fire hazards. -Sprinklers. Water-based sprinklers should be dry pipe systems that do not have water in normal conditions. They work by displacing the oxygen in the room. 32 However, the gasses may be dangerous to personnel, and special training is necessary. The systems should sound an alarm for the fire, as well as alert personnel to leave the area before the fire-fighting material is deployed. -Smoke. Smoke may originate from malfunctioning computer systems or electrical fires, such as those caused by power transformers. Install smoke detectors both inside computer rooms and directly outside; ensure the smoke detectors work in the plenum areas above and below the room. Not only can the smoke damage sensitive equipment, but it may also cause a false alarm and set off fire suppression systems. -Water. Water can damage power supply facilities and information-processing equipment. There are two types of sprinkler systems: wet and dry. In wet systems, the pipes are always charged with water, while dry systems fill with water only if there is evidence of a fire. A “wet” pipe sprinkler system may cause damage by simple leakage or breakage from natural disasters.  Supporting Utilities. Organizations require supporting utilities such as electric power, heating and air conditioning, and telecommunications equipment, which if disrupted lead to a loss of availability.  Heating, ventilation, and air conditioning (HVAC). Computer systems that manage critical information should have air-conditioning units that provide continuous monitoring and recording of temperature and humidity. Humidity must be managed to minimize static electricity from low humidity and equipment damage from condensation from high humidity. Install heat sensors inside the computers, in the computer rooms, and directly outside the rooms to warn of any noticeable rise in temperature, through either an audible or a visible alarm. Equipment Maintenance. Organizations should perform maintenance of information processing equipment based on the manufacturer‘s recommended service intervals and specifications. The task of fixing and servicing the equipment should be done only by authorized personnel. Record all faults noticed, documented, and maintained. All maintenance services to the equipment either onsite or sent off the premises also need to be recorded and tracked. Physical Security of Equipment Off-Premises. Use of any equipment outside an organization’s premises should be authorized by management. Prior to granting authorizations, management should carefully consider the risks of working outside the organization. Users should also be educated about the approved methods of handling equipment off-premises, for example, using procedures to respond to locking down, damage, loss, and theft of equipment. Secure Disposal and Reuse of Equipment Proper protection and disposal of sensitive or confidential information is important. Take proper precautions to ensure that all information stored in the equipment is eradicated prior to donation or disposal. It is advisable that equipment with hard disks containing sensitive information should not be passed on. Equipment sent for repair is equally prone to unauthorized reading of data from deleted storage devices. Therefore, the device should undergo thorough erasing and overwriting to wipe out the data instead of via the standard delete function. If this is not practical, ship it for repair without the disk drive. Clear Desk and Clear Screen Policy On another physical security front, the implementation of a clear desk and clear screen 33 policy is an effective control for organization information assets. Apply the following guidelines: - Lock away classified material when not in the area. - Do not leave classified information on unattended printers. - Log off sessions or protect the system with a key lock whenever personal computers or computer terminals are left unattended; use passwords and protected screensavers to provide protection. - Secure incoming and outgoing mail boxes and unattended fax machines to avoid unauthorized access. - Use a suitable storage place (ideally in a cabinet or fire-resistant safe) when paper or electronic storage media that holds sensitive information is not needed. 2.5 PREVENTIVE INFORMATION ASSURANCE TOOLS The following sections discuss tools used to establish preventive controls. Preventive Information Assurance Tools Content Filters Content Filters. Content filters control the access of end users to portions of the Internet. These tools allow network administrators to block access selectively to certain types of web sites based on predefined local policy. For example, video streaming sites can be blocked to conserve bandwidth. Content filters are implemented by several industries with differing levels of success and acceptance. In some areas, this practice has been controversial. Typically, the benefit of blocking malicious web sites outweighs the social cost of restricting browsing. The most successful implementations of content filters contain a process through which users can request web sites be unblocked after it has been analyzed to determine whether it should be opened for use. Cryptographic Protocols and Tools. Cryptography is a technique for hiding information by transforming it so that only authorized individuals can access it in its original form. All others are denied access since they cannot decrypt the information. Cryptographic tools also provide confidentiality, integrity, and nonrepudiation protection. Encryption techniques for hosts range from encryption of the entire hard disk, database encryption, selective folder (group of files) encryption, or individual file encryption. Specially designed secure network protocols are used to secure data traveling over networks such as the Internet. Examples of protocols that implement network services include Secure Sockets Layer (SSL), Transport Layer Security (TLS), and IP Security (IPSec) protocols. SSL and TLS are preferred information security protocols in web environments, while IPSec protocols are preferred for implementing virtual private networks (VPNs). Firewalls. A firewall is a security device in the form of computer hardware or software. It can help protect your network by acting as an intermediary between your internal network and outside traffic. It monitors attempts to gain access to your operating system and blocks unwanted incoming traffic and unrecognized sources. Network Intrusion Prevention System. NIPS is a type of network security software that detects malicious activity on a network, reports information about said activity, and takes steps to block or stop the activity from occurring automatically. NIPS uses packet inspection as well as anomaly, signature, and policy-based inspections to evaluate whether the traffic is legitimate or not. Proxy Servers. Proxy servers act as an intermediary between clients and the Internet by allowing clients to make indirect connections to other network services through them. Proxy servers can be configured to require authentication of the end user, restricting communication to a defined set of protocols, applying access control restrictions, and carrying out auditing and logging. Care should be used with proxy servers since they can be used to disguise sources of traffic (anonymized). The simplest form of a proxy server is called a gateway. They can also be used to cache web content. 34 Public Key Infrastructure. PKI is a general term that defines the technology used to encrypt and authenticate data during transmissions. Encryption makes the data unreadable, allowing only authorized entities to decrypt (i.e. read) them. Authentication ensures data integrity by proving that 1) the data is not modified during transmission, and that 2) the sender of the data is who they claim to be. As mentioned above, authentication is the process of verifying the integrity of data and the identity of the sender. This is done through a digital certificate. - Digital Certificates. In the digital world, each entity is associated with a digital certificate that serves as its identity. An entity does not have to be a person or a device, it can literally be anything, like a software program, a process, or even an action. Just as how we prove our identity in the real world with passports and photo IDs, in the digital world, a digital certificate does the job. - Certified Authorities. Let us say you want to log in to your online banking account. In this case, you, as the client, is sending a request to the bank’s server to retrieve your account information and display it through the web application. In this process, the bank’s server verifies your digital certificate generated by the certified authority (CA) trusted by the bank. (Just as how the immigration officer trusts your passport’s issuance authority.) Certified authorities are usually third-party firms that specialize in generating digital certificates. For example, Penta Security’s ISign+ is a certified authority that issues digital certificates trusted by many financial institutions. PKI works by encrypting data (in this case, digital certificate) with a cryptographic key, while having a separate key for decrypting it. The point here is to have one key for encryption and another for decryption. One of them is a private key, held by the key owner, while the other is a public key, shared with the public. The process works like this. The owner of the certificate first encrypts it with the private key, then hands over the public key to the bank. The bank would decrypt it with the public key and verify the owner’s identity, and authenticate the user to access their account. An easy-to-understand encryption is an old-fashioned shift cipher (substitution cipher), or what’s more commonly known as the Caesar cipher. In this type of encryption, plaintext letters “shift” a set number of spaces depending on the secret key. For example, the word “CERTIFICATE” becomes the ciphertext “IKXZOLOIGZK” if your key is “6” because you’ve shifted each letter six spaces. 35 A basic example of how a shift cipher (Caesar cipher) works. The main ways that PKI security can be used are:  Securing emails  Securing web communications (such as retail transactions)  Digitally signing software  Digitally signing applications  Encrypting files  Decrypting files  Smart card authentication Virtual Private Networks. A VPN creates a secure tunnel between your device (e.g. smartphone or laptop) and the internet. The VPN allows you to send your data via an encrypted, secure connection to an external server: the VPN server. From there, your data will be sent onward to its destination on the internet. Rerouting your internet traffic through a VPN server has several advantages. First, it helps you hide your identity online. Second, it secures your data. And third, it allows you to use the internet more freely. Connecting to a VPN is generally quite simple. After subscribing to a VPN provider, you download and install the VPN software. You then select a server you want to connect to and the VPN will do the rest. When the connection has been established, the following will happen to your data: 1. The VPN software on your computer encrypts your data traffic and sends it to the VPN server through a secure connection. The data also goes through your Internet Service Provider, but they can no longer snoop because of the encryption. 2. The encrypted data from your computer is decrypted by the VPN server. 3. The VPN server will send your data on to the internet and receive a reply, which is meant for you, the user. 4. The traffic is then encrypted again by the VPN-server and is sent back to you. 5. The VPN-software on your device will decrypt the data so you can actually understand and use it. The VPN application runs in the background of your computer, tablet, or smartphone. You can access the internet as you normally would and will not notice anything different – save for the fact that you will be able to get around online restrictions. Preventive Information Assurance Controls The full suite of preventive information assurance mechanisms that can be used follows. 1) Backups. A backup is a copy of information assets: data, software, or hardware. It is an essential preventive process for information assurance; it mitigates risks and helps to ensure business continuity. A backup makes restoration (restitution) possible when needed, ensuring that data can be recovered when needed, software can be recovered during application corruption, and hardware is replaceable during disaster. There are also different types of backup, such as full backup, differential backup, incremental backup, and mirror backup, which can be conducted at different 36 times. Backing up systems is important, but more important is the correct restoration of the backup. 2) Change Management and Configuration Management If an organization is to remain competitive, it should be prepared to change continuously since the environment is not static. Change comes from a variety of sources. The following are sources of change drivers that should be addressed and managed effectively in the business and IT environment: - Alliances and partnerships - Business market demands - Competitive markets - Operational issues - Regulations changes Change management and configuration management work hand-in-hand. The change management system defines and controls a configuration. For example, maintaining accurate configuration information for all the constituent parts of the IT service and infrastructure involves identifying, recording, and tracking all IT components. In addition, it includes versions, constituent components, and relationships of configurations. 3) IT Support. During day-to-day operations, the IT support or help-desk employees encounter myriad problems. Information technology support should be able to identify the nature of the problem and determine whether the problem should be raised to a higher level. Maintenance of logs and appropriate SPC activities may narrow down the problem. 4) Media Controls and Documentation. Organizations must safeguard all media, including tapes, disks, and printouts. Operational controls addressing media protection may include the following: - Environmental protection against problems relating to fires, air conditioning, and humidity - Logging of usage (for example, users should check in and check out the media) - Maintenance of the media including overwriting or erasing of data and disposal of media - Prevention of unauthorized access - Proper labeling of media providing information such as the owner’s name, date of creation, version, and classification Storage considerations, such as off-site locations or in locked server rooms 5) Patch Management. It is part of configuration management. Common practices for an effective patch management include the following: standardized patch management policies, procedures, and tools. Examine tools to assist, facilitate, and automate the patch management process. - Establishing dedicated resources. One of the most important items in a patch management process is to ensure that roles and responsibilities are identified and defined for those involved in maintaining an organization’s systems and applications. Their task would be to ensure that these systems and applications are updated with the current released patches. - Monitoring and identifying relevant vulnerabilities and patches. Currently, vulnerabilities and patches appear on a daily basis. Organizations must identify and monitor vulnerabilities proactively. Ensure software in use is supported by the vendor and the vendor is contractually required to address security issues discovered. 37 - Identifying risk in applying a patch. Apart from considering the criticality of vulnerability, an organization should consider the importance of the system in question to operations and the risk of applying a patch. The organization has the option not to follow the vendor’s advice. This is to ensure that the patch management process does not disrupt the systems’ operations. - Testing a patch before installing. Implementing the patch management process assures the information of the IT infrastructure; however, organizations should first assess the patches in a test environment. This is to determine the impact of installing the patch and making certain that it does not disrupt the IT operations. Such testing will help determine whether a patch functions as intended and does not have an adverse effect on the existing system. 2.6 ACCESS CONTROL This section presents a discussion about the importance and the techniques commonly used for access control. 1) Access Control: The Benefits. In today’s global business, an authorized user should have access to required resources at any time and from anywhere (availability). Access control is the first line of defense to protect the system from unauthorized modification (integrity). A benefit of access control is that it serves as an auditing tool. You can use auditing tools to trace information security breaches, incidents, and events. 2) Access Control Types. There are two broad types of access control: physical and logical. Organizations usually manage physical access with human, technological, or mechanical controls. A physical control might be biometric identification technology used to restrict entry to a property, a building, or a room to authorized persons. Logical access controls manage access based on processes such as identification, authentication, authorization, and accountability. Examples of logical access controls are digital signatures and hashing. 3) Access Control Models. An access control model defines how subjects access objects. There are three types of access control models: discretionary, mandatory, and nondiscretionary (also known as role based). An organization’s mission or business requirements will drive the type of model used. An organization can opt for one of the following mentioned models or a combination of them. Organizations should also consider their culture and the nature of business to decide which model to use. - Discretionary Access Control Model. In a discretionary access control (DAC) model, the owner of the object determines the access policy. The owner decides which subjects may access the object and what privileges the subject has. For example, the file owner on a network defines which subjects (who) can access files and what privileges a subject can have over those files, such as reading, deletion, or modification. Windows, Apple, and various Linux systems adopt the DAC model. DAC Example  It is through the discretionary model that Sean can share his hard drive with Michelle so that Michelle can copy all of Sean’s presentations.  Sean can also block access to his hard drive from his manager since the manager may not approve of his sharing presentations with other divisions.  A further weakness of DAC systems is that if Sean receives malicious code, it executes at Sean’s privilege level.  Finally, if Sean does not know what every person is involved in, he may inadvertently give access to the wrong person for the wrong reason. This necessitates a strong need for information assurance AT&E programs in organizations using DAC. 38 - Role-Based Access Control Model. The role-Based Access Control (RBAC) model uses a centrally managed set of rules, which grants access to objects based on the roles of the subject. Since subjects are not assigned permission directly like with other models, they acquire it through their role (or roles), and the management of access becomes relatively easier. - Mandatory Access Control Model. A mandatory access control (MAC) is a more sophisticated model commonly used to control access to sensitive or controlled data in systems with multiple levels of classification. In MAC systems, the owner does not establish the access policy. In fact, the system decides on the access control based on the information security classification and policy rules. Here subjects have labels reflecting their category or classification (e.g., secret, top secret, and confidential), and objects are similarly categorized or classified MAC Example  Gereon has a clearance for documents classified secret, but the document he has requested has the classification of top secret.  His access in this case will be denied because his clearance is not equal to, or higher than, the classification of the object.  Gereon may also have a secret document that he wants to post to the top- secret file system.  In this case, he will be denied because the label of the object he wants to post is not equal to, or higher than, the file system he wants to use (based on the Biba rule). 4) Access Control Techniques. Selecting an access control model needs to complement the selection of proper access control techniques. The following section sheds light on the techniques that can be used based on the model that has been selected. - Rule-Based Access Control. A rule-based access control uses simple rules to determine the result of privileges, which a subject can have over an object. This just determines what can and cannot be allowed. The configuration rules of routers are another good example of rule-based access controls, which are the same for all, rather than specific to an individual. When a particular account or group attempts to access a resource, the operating system checks the rules contained in the ACL for that object. - Access Control Matrix. An access control matrix or access matrix is usually a static, abstract, formal computer protection and information assurance model used in computer systems. When implemented, it characterizes the relationship of each subject to every object in the system. An access control matrix represents the relationship of subjects and objects in a tabulated form. Each cell (intersection of the subject and object) defines the privileges for the “right to use” the object by the subject. - Access Control Lists. An ACL is another technique used to represent accessibility. An ACL is a list containing information about the individual or group permission given to an object; the ACL specifies the access level and functions allowed onto the object. There are two types of ACLs. Network ACLs are implemented on servers and routers (layer 3). File system ACLs implement file access by tracking subjects’ access to objects. Clearly, an ACL should be well protected from unauthorized modification. - Capability Tables. A capability table is an authorization table that identifies a subject and specifies the access right allowed to that subject. The rows of the table list the capabilities that the subject can have with respect to all of the objects. A capability table is bound to a subject, whereas an ACL is bound to an object. Capability tables are frequently used to implement the RBAC model. 39 - Constrained User Interfaces. A constrained user interface is a way to limit access of subjects to a resource or information by presenting them with only the information, function, or access to the resource for which they have privileges. For example, the operating system of an ATM is capable of all kinds of commands, but a user is presented with the constrained/limited options to do personal banking. - Content-Dependent Access Control. This technique is used in databases. As the name suggests, access to objects is dependent on the content of the objects themselves. This access control technique aims at controlling the availability of information by means of views. Example of a Content-Dependent Access Control  Jack and Jill are two customer service employees of a bank.  When Jack logs on to the client complaints system, he can just see the pending complaint details handled by him but will not be able to see the pending complaint details handled by Jill. - Context-Dependent Access Control. Context-dependent access control defines the access controls of a subject on objects based on a context or situation. A firewall is a good example of context dependent access control because it understands the necessary steps of communication pertaining to specific protocols. 5) Access Control Administration. The administration of access controls is critical to implementing access controls. Access control administration can be centralized or decentralized. The following section discusses the two modes of access control administration. - Centralized Access Control Administration. The central administration may be contained in a department, unit, or information security administrator. This management approach ensures uniformity across the organization. This approach can be slow because all changes are processed by a single entity. - Decentralized Access Control Administration. Decentralized management gives control to people who are closer to the objects. This mode is usually faster since changes are made to a function rather than to the whole organization. It does not have the organizational momentum caused by just one entity making all the changes. However, decentralized access control does not ensure uniformity. 40 CHECK YOUR PROGRESS 2 Instructions: 1) Where do you think security should fit into the SDLC? Why? 2) If a program has no syntax errors, can we assume that it is secure? 3) Select at least two (applicable) and describe how the following physical security of premises and offices are implemented in a certain institution: a) Physical Security of Premises b) Physical Entry Controls c) Securing Offices, Rooms, and Facilities d) Working in Secure Areas e) Public Access Delivery and Loading Areas f) Duress g) Physical Security of Equipment h) Equipment Placement and Protection i) Supporting Utilities j) Heating, ventilation, and air conditioning (HVAC) 4) Select at least one (applicable) and describe how an institution implements the following preventive information assurance controls? a) Backups b) Change Management and Configuration Management c) IT Support. d) Media Controls and Documentation e) Patch Management 5) Select at least one (applicable) and describe how the following access control techniques are implemented by a certain institution? a) Rule-Based Access Control b) Access Control Matrix c) Access Control Lists d) Capability Tables e) Constrained User Interfaces f) Content-Dependent Access Control g) Context-Dependent Access Control LABORATORY ACTIVITY 2.1 1) Demonstrate at least one of the secure code practices using a programming language or tool of your choice. 2) Create a security education and awareness plan in any of the following forms: a) Promotional/specialty items; b) hands-on training; c) videos; d) computer-based awareness materials; e) web-based awareness materials; f) posters or flyers; briefings, articles, newsletters and magazines; and g) exhibits.

Use Quizgecko on...
Browser
Browser