Data Security - Computer Science

utterlypanoramic, Security

30 Nov 2013

CISA Review Manual 2009

Information Security

Principles of Data Security

Data Inventory

Authentication

Audit Trail

Additional Audit Functions


Acknowledgments

Material is sourced from:

CISA® Review Manual 2011, ©2010, ISACA. All rights reserved. Used by permission.

CISM® Review Manual 2012, ©2011, ISACA. All rights reserved. Used by permission.

CISA® Certified Information Systems Auditor All-in-One Exam Guide, Peter H Gregory, McGraw-Hill

Author: Susan J Lincke, PhD

Univ. of Wisconsin-Parkside

Reviewers/Contributors: Megan Reid, Kahili Cheng


Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit,
Case Study, and Service Learning.

Any opinions, findings, and conclusions or recommendations expressed in this
material are those of the author(s) and/or source(s) and do not necessarily
reflect the views of the National Science Foundation.

Objectives

Student should know:

Define information security principles: need-to-know, least privilege, segregation of duties, privacy

Define information security management positions: data owner, process owner, data custodian, security administrator

Define access control techniques: mandatory, discretionary, role-based, physical, single sign-on

Define authentication combination: single factor, two factor, three factor, multifactor

Define Biometric: FRR, FAR, FER, EER

Define elements of BLP: read down, write up, tranquility principle, declassification

Define military security policy: level of trust, confidentiality principle

Define backup rotation, incremental backup, differential backup, degauss, audit trail, audit reduction, criticality classification, sensitivity classification


Information Security Goals

CIA Triad

Confidentiality

Integrity

Availability

Conformity to Law & Privacy Requirements

Information Security Principles

Need-to-know: Persons should have ability to access data sufficient to perform primary job and no more

Least Privilege: Persons should have ability to do tasks sufficient to perform primary job and no more

Segregation of Duties: Ensure that no person can assume two roles: Origination, Authorization, Distribution, Verification

Privacy: Personal/private info is retained only when a true business need exists: Privacy is a liability

Retain records for short time

Personnel office should change permissions as jobs change

Information Security Mgmt


Senior Mgmt Commitment


Policies & Procedures


To achieve CIA, Privacy, Legal Conformity


Allocation of Responsibility


Data Owner Responsibility


Security Awareness & Education


Audit & Compliance


Incident Handling & Response

(Organization chart)

President

Business Executive

Chief Privacy Officer: Protect customer & employee rights

Chief Info Security Officer: Articulates & enforces policies

Data Owner: Responsible for security of data

Chief Security Officer: Physical Security

Security Specialist: Design/impl/review policies & procedures

Security Administrator: Administrates computer & network security

Process Owner: Responsible for security of process

IS Auditor: Independent assurance of security objectives & controls

Some positions may be merged

Information Owner or Data Owner

Is responsible for the data within business (mgr/director, not IS staff)

Determines who can have access to data and may grant permissions directly OR

Gives written permission for access directly to security administrator, to prevent mishandling or alteration

Periodically reviews authorization to restrict authorization creep

Other Positions

Data Custodian

IS employee who safeguards the data

May be Systems Analyst or System Administrator

Security Administrator

Allocates access to employees based on written documentation

Monitors access to terminals and applications

Monitors invalid login attempts

Prepares security reports

Criticality Classification

Critical $$$$: Cannot be performed manually. Tolerance to interruption is very low

Vital $$: Can be performed manually for very short time

Sensitive $: Can be performed manually for a period of time, but may cost more in staff

Nonsensitive ¢: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort

Sensitivity Classification (Example)

Proprietary: Strategic Plan

Confidential: Salary & Health Info

Privileged: Product Plans

Public: Product Users Manual near Release

Internal

Sensitivity Classification Workbook

Sensitivity Classification | Description | Information Covered
Proprietary | Protects competitive edge. Material is of critical strategic importance to the company. Dissemination could result in serious financial impact. |
Confidential | Information protected by FERPA and breach notification law. Shall be available on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. | Student information & grades; Employee information
Privileged | Should be accessible to management or affected parties only. Could cause internal strife. | Budgets
Public | Disclosure is not welcome, but would not adversely impact the organization | Teaching lectures

Wisconsin Statute 134.98

Restricted data includes:


Social Security Number


Driver’s license # or state ID #


Financial account number (credit/debit) and
access code/password


DNA profile (Statute 939.74)


Biometric data

National HIPAA protects:


Health status, treatment, or payment

Data Classification


How do we mark classified information?


How do we determine which data should be
classified to which class?


How do we store, transport, handle, archive
classified information?


How do we dispose of classified data?


What does the law say about handling this
information?


Who has authority to determine who gets
access, and what approvals are needed for
access?


Handling of Sensitive Data

| Confidential | Privileged | Public
Access | Need to know | Need to know | Need to know
Paper Storage | Locked cabinet, locked room if unattended | Locked cabinet, locked room if unattended | Locked cabinet or locked room if unattended
Disk Storage | Password-protected, Encrypted | Password-protected, Encrypted | Password-Protected
Labeling & Handling | Clean desk, low voice, No SSNs, ID required | Clean desk, low voice | Clean desk, low voice
Transmission | Encrypted | Limited email or email security notice | Encrypted
Archive | Encrypted | Encrypted |
Disposal | Degauss & damage disks; Shred paper | Secure wipe; Shred paper | Reformat disks

Storage & Destruction of Confidential Information

Storage

Encrypt sensitive data

Avoid touching media surface

Keep out of direct sunlight

Keep free of dust & liquids: in firm container best

Avoid magnetic, radio, or vibrating fields

Use anti-static bags for disks

Avoid spikes in temperature for disks; bring to room temperature before use

Write protect floppies/magnetic media

Store tapes vertically

Disposing of Media

Meet record-retention schedules

Reformat disk

Use "Secure wipe" tool

If highly secure: Degauss = demagnetize; Physical destruction

Repair

Remove memory before sending out for repair


Permission types

Read, inquiry, copy

Create, write, update, append, delete

Execute, check

Access Matrix Model (HRU)

| File A | File B | File C
Jack | rwx | rx | -
Jill | rwx | r | d
Jeff | r | rx | rwx

CISA Review Manual 2009

Information Asset Inventory

Asset Name: Course Registration
Value to Organization: Records which students are taking which classes
Location: IS Main Center
Security Risk Classification: Confidential, Vital
Asset Group (IS Server): Peoplesoft
Data Owner: Registrar: Monica Jones
Designated Custodian: IS Operations: John Levinsky
Granted Permissions: Read: Department Staff, Advising; Read/Write: Students, Registration; Access is permitted at any time/any terminal

Workbook

Question

The person responsible for deciding who should have access to a data file is:

1. Data custodian
2. Data owner
3. Security administrator
4. Security manager

Question

Least Privilege dictates that:

1. Persons should have the ability to do tasks sufficient to perform their primary job and no more
2. Access rights and permissions shall be commensurate with a person's position in the corporation: i.e., lower layers have fewer rights
3. Computer users should never have administrator passwords
4. Persons should have access permissions only for their security level: Confidential, Private or Sensitive

Question

A concern with personal or private information is that:

1. Data is not kept longer than absolutely necessary
2. Data encryption makes the retention of personal information safe
3. Private information on disk should never be taken off-site
4. Personal data is always labeled and handled as critical or vital to the organization

Question

The person responsible for restricting and monitoring permissions is the:

1. Data custodian
2. Data owner
3. Security administrator
4. Security manager

Authentication

Path Access

Login/Password

Biometrics

Remote Access

Security: Defense in Depth

Border Router

Perimeter firewall

Internal firewall

Intrusion Detection System

Policies & Procedures & Audits

Authentication

Access Controls

Four Layers of Logical Security

Database

App1

App2

System 1

System 2

Two layers of general access to Networks and Systems

Two layers of granularity of control to Applications and Databases


Access Control Techniques

Mandatory Access Control

Discretionary Access Control

Login | User | Group | Permissions
John | John | Mgmt | rwx r x
June | June | Billing | r
May | May | Factory | r x r x
Al | Al | Billing |
Don | Don | Billing |

Role-Based Access Control

Login | Role | Permission
John | Mgr | A, B, C, D, E, F
June | Acct. | A, B, C
Al | Acct. | A, B, C
May | Factory | D, E, F
Pat | Factory | D, E, F

Login | Permission
John | A, B, C, D, E, F
June | A, B, C
May | D, E, F
Al | A, B
Don | B, C
Pat | D, F
Tom | E, F
Tim | E

Access Control Techniques

Mandatory Access Control: General (system-determined) access control

Discretionary Access Control: Person with permissions controls access

Role-Based Access Control: Access control determined by role in organization

Physical Access Control: Locks, fences, biometrics, badges, keys




Workbook: Role-Based Access Control

Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)
Instructor | Grading Form RW; Student Transcript (current students) R; Transfer credit form R
Advising | Student Transcript (current students) R; Fee Payment R; Transfer credit form R
Registration | Fee Payment RW; Transfer credit form RW
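Added example (not code from the slides or the ISACA manuals): the Jack/Jill/Jeff access matrix from the earlier HRU slide, implemented with the HRU primitive operations and a discretionary grant, alongside the Instructor/Advising/Registration roles from this workbook as a role-based check. The DAC rule that a granter may only pass on rights it holds itself is an assumption of this example.

```python
from collections import defaultdict


class AccessMatrix:
    """HRU access matrix: rights[(subject, object)] is the set of rights in
    that cell ('r', 'w', 'x', 'd' on this page); enter/delete are the HRU
    primitive operations on a cell."""

    def __init__(self):
        self.rights = defaultdict(set)

    def enter(self, subject, obj, rights):
        self.rights[(subject, obj)] |= set(rights)

    def delete(self, subject, obj, rights):
        self.rights[(subject, obj)] -= set(rights)

    def allowed(self, subject, obj, right):
        return right in self.rights.get((subject, obj), set())

    def grant(self, granter, subject, obj, rights):
        """Discretionary control: the person holding rights passes them on,
        but only rights the granter itself holds on that object (assumed)."""
        missing = set(rights) - self.rights.get((granter, obj), set())
        if missing:
            raise PermissionError(f"{granter} lacks {sorted(missing)} on {obj}")
        self.enter(subject, obj, rights)


def page_matrix():
    """The access matrix from the slide; '-' on the slide means no rights."""
    m = AccessMatrix()
    table = {"Jack": ("rwx", "rx", ""), "Jill": ("rwx", "r", "d"),
             "Jeff": ("r", "rx", "rwx")}
    for subject, cells in table.items():
        for obj, cell in zip(("File A", "File B", "File C"), cells):
            m.enter(subject, obj, cell)
    return m


class RBAC:
    """Role-based control: permissions attach to roles, users receive roles."""

    def __init__(self, role_perms):
        self.role_perms = role_perms          # role -> {form: "RW"}
        self.user_roles = defaultdict(set)    # user -> set of roles

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        self.user_roles[user].add(role)

    def allowed(self, user, form, perm):
        return any(perm in self.role_perms[r].get(form, "")
                   for r in self.user_roles.get(user, ()))

    def permissions(self, user):
        """Effective permissions: the union over all of the user's roles."""
        eff = defaultdict(set)
        for r in self.user_roles.get(user, ()):
            for form, perms in self.role_perms[r].items():
                eff[form] |= set(perms)
        return {form: "".join(sorted(p)) for form, p in eff.items()}


# Role table from the "Workbook: Role-Based Access Control" slide.
PAGE_ROLES = {
    "Instructor": {"Grading Form": "RW", "Student Transcript": "R",
                   "Transfer credit form": "R"},
    "Advising": {"Student Transcript": "R", "Fee Payment": "R",
                 "Transfer credit form": "R"},
    "Registration": {"Fee Payment": "RW", "Transfer credit form": "RW"},
}
```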

Military Security Policy

Person has an Authorization Level or Level of Trust

(S,D) = (sensitivity, domain) for Subject

Object has a Security Class

Confidentiality Property: Subject can access object if it dominates the object's classification level

Class | Finance | Engineering | Personnel
Top Secret | Customer list | New plans |
Secret | Dept. Budgets | Code | Personnel review
Confidential | Expenses | Emails | Salary
Non-Classified | Balance sheet | Users Manuals | Position Descriptions

(Secret, Eng)

(Confid., Finance)

Bell and La Padula Model (BLP)

Property of Confinement:

Read Down: if Subject's class is >= Object's class

Write Up: if Subject's class is <= Object's class

Tranquility Principle: Object's class cannot change

Declassification: Subject can lower his/her own class

Top Secret
Secret
Confidential
Non-Classified

Joe => (Secret)
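Added example (not the slide author's code): the read-down / write-up checks of BLP over the (sensitivity, domain) classes from the Military Security Policy table above, with the object table frozen to honour the tranquility principle and a declassify operation that can only lower a subject's class. Treating a subject's domain as a set of domain names, so that a subject may be cleared for several, is an assumption that goes slightly beyond the slide.

```python
from types import MappingProxyType

# Sensitivity levels from the slide, lowest to highest.
LEVELS = ["Non-Classified", "Confidential", "Secret", "Top Secret"]

# Object classes (sensitivity, domain) from the class table on the page.
# Tranquility principle: the table is wrapped read-only so no code path can
# change an object's class once it is assigned.
OBJECTS = MappingProxyType({
    "Customer list": ("Top Secret", "Finance"),
    "New plans": ("Top Secret", "Engineering"),
    "Dept. Budgets": ("Secret", "Finance"),
    "Code": ("Secret", "Engineering"),
    "Personnel review": ("Secret", "Personnel"),
    "Expenses": ("Confidential", "Finance"),
    "Emails": ("Confidential", "Engineering"),
    "Salary": ("Confidential", "Personnel"),
    "Balance sheet": ("Non-Classified", "Finance"),
    "Users Manuals": ("Non-Classified", "Engineering"),
    "Position Descriptions": ("Non-Classified", "Personnel"),
})


def _norm(cls):
    """(S, D) with D as a frozenset; a single domain name is accepted."""
    level, domains = cls
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    if isinstance(domains, str):
        domains = [domains]
    return level, frozenset(domains)


def dominates(a, b):
    """a dominates b: level(a) >= level(b) and a's domains include b's."""
    (la, da), (lb, db) = _norm(a), _norm(b)
    return LEVELS.index(la) >= LEVELS.index(lb) and da >= db


def can_read(subject, obj):
    """Read down: the subject's class must dominate the object's class."""
    return dominates(subject, obj)


def can_write(subject, obj):
    """Write up: the object's class must dominate the subject's class."""
    return dominates(obj, subject)


def accessible(subject, mode):
    """Names of page objects the subject may 'read' or 'write'."""
    check = can_read if mode == "read" else can_write
    return sorted(name for name, cls in OBJECTS.items() if check(subject, cls))


def declassify(subject, new_level):
    """Declassification: a subject may lower its own class, never raise it."""
    level, domains = _norm(subject)
    if LEVELS.index(new_level) > LEVELS.index(level):
        raise ValueError("a subject can only lower its own class")
    return new_level, domains
```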

System Access Control


Establish rules for access to information
resources


Create/maintain user profiles


Allocate user IDs requiring authentication (per
person, not group)


Notify users of valid use and access before and
upon login


Ensure accountability and auditability by logging
user activities


Log events


Report access control configuration & logs

Application-Level Access Control


Create/change file or database structure


Authorize actions at the:


Application level


File level


Transaction level


Field level


Log network & data access activities to
monitor access violations

Recommended Password Allocation

(Flow diagram between User and Security Admin)

User: allocated randomly-generated password; first time login: change password

Security Admin: verify user ID (e.g., call back); inform user in controlled manner

[Forgot Password]: user notifies Security admin

[Invalid password attempts]: enter 3 invalid passwords -> Account [locked]

[Auto] timeout: system automatically unlocks -> Account [unlocked]

[Manual]: Account [unlocked]
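The flow above as a small state machine, added here as an example (not from the slides): three invalid passwords lock the account, an automatic timeout or a manual unlock by the security admin reopens it, and both the forgot-password path and the manual unlock require the admin to have verified the user's identity first. The 15-minute timeout and the 12-character random initial password are assumed values; the slide gives neither.

```python
import secrets
import string
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional

MAX_ATTEMPTS = 3               # "Enter 3 invalid passwords" -> account locked
AUTO_UNLOCK_SECONDS = 15 * 60  # assumed [Auto] timeout; the slide gives no value


@dataclass
class Account:
    user: str
    password: str                # kept in clear only for this demo
    must_change: bool = True     # first-time login: change password
    failures: int = 0
    locked_until: Optional[float] = None   # None = unlocked


def random_password(length=12):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def allocate(user):
    """Security admin allocates a randomly generated initial password."""
    return Account(user, random_password())


def login(acct, password, now):
    """Returns 'ok', 'change-required', 'bad-password' or 'locked'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until, acct.failures = None, 0   # [Auto] timeout unlock
    if not compare_digest(password.encode(), acct.password.encode()):
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = now + AUTO_UNLOCK_SECONDS
            return "locked"
        return "bad-password"
    acct.failures = 0
    return "change-required" if acct.must_change else "ok"


def change_password(acct, old, new):
    """User replaces the allocated password at first login."""
    if not compare_digest(old.encode(), acct.password.encode()):
        return False
    acct.password, acct.must_change = new, False
    return True


def forgot_password(acct, identity_verified):
    """[Forgot Password]: the admin verifies the user's ID (e.g., call back)
    before issuing a fresh random password in a controlled manner."""
    if not identity_verified:
        return None
    acct.password, acct.must_change, acct.failures = random_password(), True, 0
    acct.locked_until = None
    return acct.password


def manual_unlock(acct, identity_verified):
    """[Manual] unlock by the security admin after verifying the user's ID."""
    if not identity_verified:
        return False
    acct.locked_until, acct.failures = None, 0
    return True
```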

Password Rules


One-way encrypted using a strong algorithm


Never displayed (except ***)


Never written down and retained near terminal or in desk


Passwords should be changed every 30 days, by
notifying user in advance


A history of passwords should prevent user from using
same password in 1 year


Passwords should be >= 12 (better 16) characters,
including 3 of: alpha, numeric, upper/lower case, and
special characters


Passwords should not be identifiable with user, e.g.,
family member or pet name
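Added example (not from the slides) that turns the rules above into a check: length of at least 12, three of the four character classes, no term identifiable with the user, no reuse within a year, and a 30-day change schedule; stored passwords are one-way hashed. PBKDF2-HMAC-SHA256 with 100,000 iterations and the 3-letter minimum for personal terms are assumed choices; the slide only asks for a strong algorithm.

```python
import hashlib
import hmac
import os

MIN_LEN, GOOD_LEN = 12, 16            # ">= 12 (better 16) characters"
CHANGE_DAYS, HISTORY_DAYS = 30, 365   # change every 30 days; no reuse for 1 year
DAY = 86400


def char_classes(pw):
    """Which of the slide's four classes the password uses."""
    present = {
        "alpha": any(c.isalpha() for c in pw),
        "numeric": any(c.isdigit() for c in pw),
        "mixed case": any(c.isupper() for c in pw) and any(c.islower() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }
    return {name for name, used in present.items() if used}


def hash_password(pw, salt=None):
    """One-way hash with a per-password salt; returns salt || digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return salt + digest


def matches(pw, stored):
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(pw, salt)[16:], digest)


def check_password(pw, personal_terms, history, now):
    """personal_terms: names of the user, family members, pets, etc.
    history: list of (stored_hash, set_time) for the user's past passwords.
    Returns the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(char_classes(pw)) < 3:
        problems.append("uses fewer than 3 of: alpha, numeric, mixed case, special")
    lowered = pw.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    for stored, when in history:
        if now - when < HISTORY_DAYS * DAY and matches(pw, stored):
            problems.append("reused within the last year")
            break
    return problems


def change_due(history, now):
    """True when the newest password is 30 days old (time to notify the user)."""
    if not history:
        return True
    newest = max(when for _, when in history)
    return now - newest >= CHANGE_DAYS * DAY
```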

Creating a Good Password

Merry Christmas

Bad Password | Good Password

Merry Xmas
mErcHr2yOu
MerryChrisToYou
MerChr2You
MerryJul
MaryJul
Mary*Jul
,rttuc,sd
J3446sjqw
(Keypad shift Right .... Up)
(Abbreviate)
(Lengthen)
(convert vowels to numeric)
M5rryXm1s
MXemrarsy
(Intertwine Letters)
GladJesBirth
(Synonym)

Admin & Login ID Rules


Restrict number of admin accounts


Admin password should only be known by one user


Admin accounts should never be locked out, whereas
others are


Admin password can be kept in locked cabinet in sealed
envelope, where top manager has key


Login IDs should follow a confidential internal naming
rule


Common accounts: Guest, Administrator, Admin should
be renamed


Session time out should require password re-entry

Single Sign On

Advantages

One good password replaces lots of passwords

IDs consistent throughout system(s)

Reduced admin work in setup & forgotten passwords

Quick access to systems

Disadvantages

Single point of failure -> total compromise

Complex software development due to diverse OS

Expensive implementation

(Diagram: user enters password once at the Primary Domain (System), which then grants access to the Secondary Domains App1, DB2, App3)

Authentication Combinations


Single Factor: Something you know


Login & Password


Multifactor Authentication: Using two or
more authentication methods. Add:


Two Factor: Add one of:


Something you have: Card or ID


Something you are or do: Biometric


Three Factor: Uses all three: e.g., badge,
thumb, pass code

Biometrics

Biometrics: Who you are or what you do

Susceptible to error

False Rejection Rate (FRR): Rate of users rejected in error

False Acceptance Rate (FAR): Rate of users accepted in error

Failure to Enroll Rate (FER): Rate of users who failed to successfully register

Equal Error Rate (EER): FRR = FAR

(Diagram: FAR increases in one direction of the threshold, FRR increases in the other; EER is the point where the two curves cross)

CISA Review Manual 2009

Biometrics with Best Response & Lowest EER

Type (Top Best) | Advantages | Disadvantages
Palm | Social acceptance | Physical contact
Hand (3D) | Social acceptance, low storage | Not unique, injury affects
Iris | No direct contact | High cost, high storage
Retina | Low FAR | High cost, 1-2 cm away: invasive
Fingerprint | Low cost, more storage = lower EER | Physical contact -> grime -> poor quality image
Voice | Phone use, social acceptance | High storage, playback, voice change, background noise
Signature | Easy to use, low cost | Uniqueness, writing onto tablet differs from paper
Face | Social acceptance | Not unique, overcome with high storage

Biometric Info Mgmt & Security
(BIMS) Policy


Identification & authentication procedures


Backup authentication


Safe transmission/storage of biometric
data


Security of physical hardware


Validation testing

Auditors should ensure documentation &
use is professional

IS Auditor Verifies…


Written Policies & Procedures are professional &
implemented


Access follows need-to-know


Security awareness & training implemented


Data owners & data custodians meet responsibility for
safeguarding data


Security Administrator provides physical and logical
security for IS program, data, and equipment


Authorization is documented and consistent with reality


See Chapter 5.5 CISA Review Manual for specific details


Question

A form of biometrics that is considered invasive by users is:

1. Retina
2. Iris
3. 3D hand
4. Signature

Question

A form of biometrics that is not prone to error is

1. Retina
2. Voice
3. Finger
4. Signature

Question

Julie is a Data Owner. She configures permissions in the database to enable users to access the forms she thinks they should be able to access. This technique is known as

1. Bell and La Padula Model
2. Mandatory Access Control
3. Role-Based Access Control
4. Discretionary Access Control

CISA Review Manual 2009

Question

John has a security clearance of (Engineering, Confidential). Using Bell and La Padula Model, John can write to:

1. Confidential
2. Top Secret, Secret, and Confidential
3. Confidential and Unclassified
4. Unclassified

CISA Review Manual 2009

Data Storage

Protection

Storage

Audit Trail

Backup & Offsite Library

Backups are kept off-site (1 or more)

Off-site is sufficiently far away (disaster-redundant)

Library is equally secure as main site; unlabelled

Library has constant environmental control (humidity- and temperature-controlled, UPS, smoke/water detectors, fire extinguishers)

Detailed inventory of storage media & files is maintained

Backup Rotation: Grandfather/Father/Son

Grandfather: Dec ‘09, Jan ‘10, Feb ‘10, Mar ‘10, Apr ‘10
Father: May 1, May 7, May 14, May 21
Son: May 22, May 23, May 24, May 25, May 26, May 27, May 28

Son graduates to Father, Father graduates to Grandfather

Frequency of backup = daily, 3 generations

Incremental & Differential Backups

Daily Events | Full | Differential | Incremental
Monday: Full Backup | Monday | Monday | Monday
Tuesday: A Changes | Tuesday | Saves A | Saves A
Wednesday: B Changes | Wed’day | Saves A + B | Saves B
Thursday: C Changes | Thursday | Saves A+B+C | Saves C
Friday: Full Backup | Friday | Friday | Friday

If a failure occurs on Thursday, what needs to be reloaded for Full, Differential, Incremental?

Which methods take longer to backup? To reload?
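Added example (not from the slides) that simulates the week in the table under all three strategies: restore_set lists the backup sets to reload after a failure on a given day, and backup_volume compares how much each strategy writes. The failure is assumed to occur before that day's backup has run, and the relative sizes (a full copy = 10 units, one changed file = 1 unit) are assumed for the comparison.

```python
# The week from the slide: (day, kind of event, file that changed)
WEEK = [("Monday", "full", None), ("Tuesday", "change", "A"),
        ("Wednesday", "change", "B"), ("Thursday", "change", "C"),
        ("Friday", "full", None)]


def plan(strategy, week=WEEK):
    """What each day's backup set contains under a strategy. 'ALL' marks a
    full copy of the data; otherwise the set lists the files saved."""
    sets, since_full = [], set()
    for day, kind, changed in week:
        if kind == "full":
            sets.append((day, {"ALL"}))
            since_full = set()
            continue
        since_full.add(changed)
        if strategy == "full":
            sets.append((day, {"ALL"}))
        elif strategy == "differential":
            sets.append((day, set(since_full)))     # all changes since last full
        elif strategy == "incremental":
            sets.append((day, {changed}))           # changes since last backup
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def restore_set(strategy, fail_day, week=WEEK):
    """Backup sets to reload, oldest first, when the system fails on fail_day
    before that day's backup has run (assumed timing)."""
    sets = plan(strategy, week)
    days = [day for day, _ in sets]
    taken = sets[:days.index(fail_day)]        # backups completed so far
    if not taken:
        return []                              # nothing to restore from yet
    if strategy == "full":
        return [taken[-1]]                     # the newest full copy alone
    last_full = max(i for i, (_, s) in enumerate(taken) if "ALL" in s)
    if strategy == "differential":             # full + the newest differential
        tail = [taken[-1]] if len(taken) - 1 > last_full else []
        return [taken[last_full]] + tail
    return taken[last_full:]                   # full + every increment since


def backup_volume(strategy, week=WEEK, full_size=10, change_size=1):
    """Units written over the week: a full copy costs full_size, each saved
    file change_size (assumed sizes, to compare backup time by strategy)."""
    return sum(full_size if "ALL" in s else change_size * len(s)
               for _, s in plan(strategy, week))
```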

Backup Labeling

Data Set Name = Master Inventory
Volume Serial # = 12.1.24.10
Date Created = Jan 24, 2010
Accounting Period = 3W-1Q-2010
Offsite Storage Bin # = Jan 2010

Backup could be disk…

Audit Trail

Audit trail tracks responsibility

Who did what when?

Periodic review will help to find excess-authority access, login successes & failures, and track fraud

Attackers often want to change the audit trail (to hide tracks)

Audit trail must be hard to change:

Write-once devices

Digital signatures

Security & systems admins and managers may have READ-only access to log

Audit trail must be sensitive to privacy

Personal information may be encrypted

Audit Trail Tools

Audit Reduction: Emphasize important logs, eliminate unimportant logs

Trend/Variance-Detection: Notices changes from normal user or system behavior (e.g., login during night)

Attack/Signature Detection: A sequence of log events may signal an attack (e.g., 1000 login attempts)
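The three tools above run over constructed log lines, as an added example (not from the slides): audit reduction drops routine noise, variance detection flags activity outside normal working hours, and signature detection flags a burst of failed logins inside a sliding window. The log format, the 07:00-19:00 normal window, and the 5-failures-per-minute threshold are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: "<date> <time> <user> <event> [details]"
LINE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<user>\w+) (?P<event>[\w-]+)(?: (?P<detail>.*))?$")
NOISE = {"heartbeat", "keepalive"}      # events audit reduction discards
NORMAL_HOURS = (7, 19)                  # assumed normal working window

# Constructed sample trail; the failed-login burst at the end is generated.
SAMPLE = [
    "2013-11-29 09:02:11 june login-ok term=T4",
    "2013-11-29 09:05:40 june read Salary",
    "2013-11-29 09:06:02 june heartbeat",
    "2013-11-29 09:10:15 june heartbeat",
    "2013-11-29 23:41:09 john login-ok term=T9",
    "2013-11-29 23:42:30 john read Budgets",
    "2013-11-30 10:00:00 al login-failed term=T2",
] + [f"2013-11-30 02:13:{s:02d} admin login-failed term=T2" for s in range(6)]


def parse(lines):
    """Parse log lines into events sorted by time; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({"when": datetime.fromisoformat(d["date"] + " " + d["time"]),
                       "user": d["user"], "event": d["event"],
                       "detail": d["detail"] or ""})
    return sorted(events, key=lambda e: e["when"])


def audit_reduction(events, noise=NOISE):
    """Emphasize important logs: drop routine noise, keep everything else."""
    return [e for e in events if e["event"] not in noise]


def variance_detection(events, hours=NORMAL_HOURS):
    """Events outside the normal working window (e.g., login during night)."""
    start, end = hours
    return [e for e in events if not start <= e["when"].hour < end]


def signature_detection(events, event="login-failed", threshold=5,
                        window=timedelta(minutes=1)):
    """Users with at least `threshold` occurrences of `event` inside any
    sliding window; returns user -> time the signature first matched."""
    recent, flagged = defaultdict(deque), {}
    for e in events:
        if e["event"] != event:
            continue
        q = recent[e["user"]]
        q.append(e["when"])
        while q and e["when"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["user"] not in flagged:
            flagged[e["user"]] = e["when"]
    return flagged
```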

Question

Audit trails:

1. Should be modifiable only by security administrators
2. Should be difficult to change (e.g., write-once)
3. Should only save important logs, using log reduction
4. Should avoid encryption to ensure no loss and quick access



Definitions extracted from: All-In-One CISA Exam Guide


HEALTH FIRST CASE STUDY

Designing Information Security

Jamie Ramon MD: Doctor
Chris Ramon RD: Dietician
Terry: Licensed Practicing Nurse
Pat: Software Consultant

Define Sensitivity Classification

Sensitivity Classification | Description | Information Covered
Proprietary | Protects competitive edge. Material is of critical strategic importance to the company and its dissemination could result in serious financial impact. |
Confidential | Information protected by law. Shall be made available or visible on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. |
Privileged | Should be accessible to management or affected parties only. Could cause internal strife or external embarrassment if released: for use with particular parties within the organization. |
Public | Disclosure is not welcome, but would not adversely impact the organization OR information is public record |

Define Sensitivity Classification

Proprietary: Strategic Plan

Confidential: Salary & Health Info

Privileged: Product Plans

Public: Product Users Manual near Release

How should classes be treated?

Table 4.1.2: Handling of Sensitive Data

| Proprietary | Confidential | Privileged
Access | Need to know | Need to know | Need to know
Paper Storage | Locked cabinet, locked room if unattended | Locked cabinet, locked room if unattended | Locked cabinet or locked room if unattended
Disk Storage | Password-protected, Encrypted | Password-protected, Encrypted | Password-Protected
Labeling and Handling | ‘Confidential’; Clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy
Transmission | Encrypted | Encrypted |
Archive | Encrypted | Encrypted |
Disposal | Degauss & damage disks; Shred paper | Secure wipe, damage disks; Shred paper | Reformat disks
Special | | |

Define Roles & Role-Based Access Control

Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)

Health Plan Eligibility

Health Plan:
Eligibility: Active
Maximum Benefit:
Co-Pay:
Deductible:
Exclusions
In-Plan Benefits
Out-of-Plan Benefits
Coordination of Benefits

Specific Procedure Request

Procedure | Coverage | Max. Coverage | Co-pay / Non-covered | Dates | Patient Resp Amounts

Information Asset Inventory

Asset Name: Course Registration
Value to Organization: Records which students are taking which classes
Location: IS Main Center
Security Risk Classification: Confidential, Vital
IS Server: Peoplesoft
Data Owner: (Who decides who should have access?)
Designated Custodian: (Who takes care of backups and sys admin functions?)
Granted Permissions: Read: Department Staff, Advising; Read/Write: Students, Registration; Access is permitted at any time/any terminal

Workbook

Reference

Slide # | Slide Title | Source of Information
5 | Information Security Principles | CISA: page 117-119 & CISM: page 187
6 | Information Security Mgmt | CISM: page 94, 95
10 | Criticality Classification | CISA: page 127 Exhibit 2.18
16 | Storage & Destruction Confidential Information | CISA: page 346, 347
27 | Access Control Techniques | CISA: page 323, 385
31 | System Access Control | CISA: page 337
32 | Application-Level Access Control | CISA: page 337
34 | Password Rules | CISA: page 338, 339
36 | Admin & Login ID Rules | CISA: page 338, 339
37 | Single Sign On | CISA: page 341
39 | Biometrics | CISA: page 339
40 | Biometrics with Best Response & Lowest EER | CISA: page 339, 340
41 | Biometric Info Mgmt & Security (BIMS) Policy | CISA: page 341
48 | Backup & Offsite Library | CISA: page 301, 302
49 | Backup Rotation: Grandfather/Father/Son | CISA: page 303
50 | Incremental & Differential Backups | CISA: page 304
53 | Audit Trail Tools | CISA: page 345