
Information Security Principles of Data Security Data Inventory Authentication Audit Trail...

Date post: 17-Dec-2015
Page 1: Information Security Principles of Data Security Data Inventory Authentication Audit Trail Additional Audit Functions.

Information Security
  Principles of Data Security
  Data Inventory
  Authentication
  Audit Trail
  Additional Audit Functions

Page 2

Acknowledgments
Material is sourced from:
  CISA® Review Manual 2011, ©2010, ISACA. All rights reserved. Used by permission.
  CISM® Review Manual 2012, ©2011, ISACA. All rights reserved. Used by permission.
  CISA® Certified Information Systems Auditor All-in-One Exam Guide, Peter H Gregory, McGraw-Hill

Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers/Contributors: Megan Reid, Kahili Cheng

Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Page 3

Objectives
Student should know:
  Define information security principles: need-to-know, least privilege, segregation of duties, privacy
  Define information security management positions: data owner, data custodians, security administrator
  Define access control techniques: mandatory, discretionary, role-based, physical, single sign-on
  Define authentication combinations: single factor, two factor, three factor, multifactor
  Define biometric terms: FRR, FAR, FER, EER
  Define elements of BLP: read down, write up, tranquility principle, declassification
  Define military security policy: level of trust, confidentiality principle
  Define backup rotation, incremental backup, differential backup, degauss, audit trail, audit reduction, criticality classification, sensitivity classification
  Develop an information security classification scheme that addresses confidentiality and availability

Page 4

Information Security Goals
CIA Triad: Confidentiality, Integrity, Availability
Conformity to Law & Privacy Requirements

Page 5

Information Security Principles
  Need-to-know: Persons should have the ability to access data sufficient to perform their primary job and no more
  Least Privilege: Persons should have the ability to do tasks sufficient to perform their primary job and no more
  Segregation of Duties: Ensure that no person can assume two of these roles: Origination, Authorization, Distribution, Verification
  Privacy: Personal/private info is retained only when a true business need exists. Privacy is a liability: retain records for a short time
  Personnel office should change permissions as jobs change

Page 6

Wisconsin Statute 134.98
Restricted data includes:
  Social Security Number
  Driver's license # or state ID #
  Financial account number (credit/debit) and access code/password
  DNA profile (Statute 939.74)
  Biometric data
National HIPAA protects: Health status, treatment, or payment

Page 7

Information security management positions (org chart):
  President
  Business Executive
  Chief Privacy Officer: Protects customer & employee rights
  Chief InfoSec. Officer: Creates and maintains a security program
  Data Owner: Responsible for security of data
  Chief Sec. Officer: Physical security
  Security Architect: Designs/implements policies & procedures
  Security Admin: Administrates computer & network security
  Process Owner: Responsible for security of process
  IS Auditor: Independent assurance of security objectives & controls
  Data Custodian: Maintains and protects data: backup/restore/monitor/test
  Chief Info. Officer: Manages information technology
Some positions may be merged

Page 8

Information Owner or Data Owner
  Is responsible for the data within the business (mgr/director, not IS staff)
  Determines who can have access to data, and may grant permissions directly OR gives written permission for access directly to the security administrator, to prevent mishandling or alteration
  Periodically reviews authorization to restrict authorization creep

Page 9

Other Positions
Data Custodian: IS (security or IT) employee who safeguards the data
  Performs backup/restore
  Verifies integrity of data
  Documents activities
  May be System Administrator
Security Administrator: Allocates access to employees based on written documentation
  Monitors access to terminals and applications
  Monitors invalid login attempts
  Prepares security reports

Page 10

Criticality Classification

Critical $$$$: Cannot be performed manually. Tolerance to interruption is very low

Vital $$: Can be performed manually for very short time

Sensitive $: Can be performed manually for a period of time, but may cost more in staff

Nonsensitive ¢: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort

Page 11

Sensitivity Classification (Example)
  Proprietary: Strategic Plan
  Confidential: Salary & Health Info
  Private: Product Plans
  Public: Product Users Manual near Release
  Internal

Page 12

Sensitivity Classification Workbook

| Sensitivity Classification | Description | Information Covered |
| --- | --- | --- |
| Proprietary | Protects competitive edge. Material is of critical strategic importance to the company. Dissemination could result in serious financial impact. | |
| Confidential | Information protected by FERPA, PCI-DSS and breach notification law. Shall be available on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. | Student information & grades, Payment card information, Employee information |
| Private | Should be accessible to management or for use with specific parties. Could cause internal strife or divulge trade secrets if released. | Professor research, Student homework, Budgets |
| Public | Disclosure is not welcome, but would not adversely impact the organization | Teaching lectures |

Page 13

Data Classification
  How do we mark classified information?
  How do we determine which data should be classified to which class?
  How do we store, transport, handle, archive classified information?
  How do we dispose of classified data?
  What does the law say about handling this information?
  Who has authority to determine who gets access, and what approvals are needed for access?

Page 14

Handling of Sensitive Data

| | Confidential | Private | Public |
| --- | --- | --- | --- |
| Access | Need to know | Need to know | Need to know |
| Paper Storage | Locked cabinet; locked room if unattended | Locked cabinet; locked room if unattended | Locked cabinet or locked room if unattended |
| Disk Storage | Password-protected, encrypted | Password-protected, encrypted | Password-protected |
| Labeling & Handling | Clean desk, low voice, no SSNs, ID required | Clean desk, low voice | Clean desk, low voice |
| Transmission | Encrypted | Limited email or append email security notice | Encrypted |
| Archive | Encrypted | Encrypted | |
| Disposal | Degauss & damage disks; shred paper | Secure wipe; shred paper | Reformat disks |

Page 15

Storage & Destruction of Confidential Information
Storage
  Encrypt sensitive data
  Avoid touching media surface
  Keep out of direct sunlight
  Keep free of dust & liquids; a firm container is best
  Avoid magnetic, radio, or vibrating fields
  Use anti-static bags for disks
  Avoid spikes in temperature for disks; bring to room temperature before use
  Write-protect floppies/magnetic media
  Store tapes vertically
Disposing of Media
  Meet record-retention schedules
  Reformat disk
  Use "Secure wipe" tool
  If highly secure:
    Degauss = demagnetize
    Physical destruction
Repair
  Remove memory before sending out for repair

Page 16

Permission types
  Read, inquiry, copy
  Create, write, update, append, delete
  Execute, check

Access Matrix Model (HRU)

| | File A | File B | File C | Jack |
| --- | --- | --- | --- | --- |
| Jack | rwx | rx | - | |
| Jill | rwx | r | d | |
| Jeff | r | rx | rwx | - |
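The access matrix above, as an added Python example that is not part of the lecture: the matrix is loaded as a dictionary, a fail-closed check answers whether a subject holds a right, the row and column views show the two ways the matrix is implemented in practice (capability lists and access control lists), and the HRU primitive operations are wrapped in one small discretionary command. The subjects, files and rights are the slide's; the function names, the new File D and the share_read policy are assumptions of this example.

```python
"""Access matrix model (HRU) as an in-memory reference monitor.

Added example, not code from the lecture slides.  The subjects, files and
rights reproduce the slide's matrix (Jack, Jill, Jeff; File A/B/C); the
function names, File D and the share_read policy are this example's own.
"""
import copy
from typing import Dict, Set

Matrix = Dict[str, Dict[str, Set[str]]]

# Constructed from the slide's matrix.  '-' becomes the empty set; the "Jack"
# column shows that in HRU subjects are also objects (rights over a subject).
ACCESS_MATRIX: Matrix = {
    "Jack": {"File A": {"r", "w", "x"}, "File B": {"r", "x"}, "File C": set()},
    "Jill": {"File A": {"r", "w", "x"}, "File B": {"r"}, "File C": {"d"}},
    "Jeff": {"File A": {"r"}, "File B": {"r", "x"}, "File C": {"r", "w", "x"}, "Jack": set()},
}


def check_access(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Fail closed: unknown subjects, unknown objects and missing rights all deny."""
    return right in matrix.get(subject, {}).get(obj, set())


def capability_list(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """Row of the matrix: everything one subject may do (a capability list)."""
    return {obj: set(r) for obj, r in matrix.get(subject, {}).items() if r}


def access_control_list(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """Column of the matrix: who may do what to one object (an ACL)."""
    return {s: set(row[obj]) for s, row in matrix.items() if row.get(obj)}


# HRU primitive operations change the matrix unconditionally.  Policy lives in
# the *commands* (share_read below), which check a condition before calling them.
def enter_right(matrix: Matrix, subject: str, obj: str, right: str) -> None:
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)


def delete_right(matrix: Matrix, subject: str, obj: str, right: str) -> None:
    matrix.get(subject, {}).get(obj, set()).discard(right)


def create_object(matrix: Matrix, owner: str, obj: str) -> None:
    """New column: the creator gets full rights, every other row an empty cell."""
    for subject in matrix:
        matrix[subject].setdefault(obj, set())
    matrix[owner][obj] = {"r", "w", "x", "d"}


def share_read(matrix: Matrix, grantor: str, grantee: str, obj: str) -> bool:
    """Example discretionary command (this example's policy, not the slide's):
    a subject may pass on read access only to an object it can itself read."""
    if not check_access(matrix, grantor, obj, "r"):
        return False
    enter_right(matrix, grantee, obj, "r")
    return True


def demo() -> Matrix:
    """Run the commands on a copy so ACCESS_MATRIX stays as the slide shows it."""
    m = copy.deepcopy(ACCESS_MATRIX)
    create_object(m, "Jill", "File D")
    share_read(m, "Jill", "Jack", "File D")   # allowed: Jill can read File D
    share_read(m, "Jack", "Jill", "File C")   # refused: Jack holds '-' on File C
    return m


if __name__ == "__main__":
    for subject in ACCESS_MATRIX:
        print(subject, capability_list(ACCESS_MATRIX, subject))
    print("ACL of File B:", access_control_list(ACCESS_MATRIX, "File B"))
    print("after demo:", demo())
```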

Page 17

Workbook: Information Asset Inventory (source: CISA Review Manual 2009)
  Asset Name: Course Registration
  Value to Organization: Records which students are taking which classes
  Location: IS Main Center
  Sensitivity & Criticality Classifications: Sensitive, Vital
  IS System/Server Name: Peoplesoft
  Data Owner: Registrar: Monica Jones
  Designated Custodian: IS Operations: John Johnson
  Granted Permissions: Read: Department Staff, Advising; Read/Write: Students, Registration
  Access is permitted at any time/any terminal

Page 18

Question

The person responsible for deciding who should have access to a data file is:

1. Data custodian

2. Data owner

3. Security administrator

4. Security manager

Page 19

Question

Least Privilege dictates that:

1. Persons should have the ability to do tasks sufficient to perform their primary job and no more

2. Access rights and permissions shall be commensurate with a person's position in the corporation: i.e., lower layers have fewer rights

3. Computer users should never have administrator passwords

4. Persons should have access permissions only for their security level: Confidential, Private or Sensitive

Page 20

Question

A concern with personal or private information is that:

1. Data is not kept longer than absolutely necessary

2. Data encryption makes the retention of personal information safe

3. Private information on disk should never be taken off-site

4. Personal data is always labeled and handled as critical or vital to the organization

Page 21

Question

The person responsible for restricting and monitoring permissions is the:

1. Data custodian

2. Data owner

3. Security administrator

4. Security manager

Page 22

Authentication & Access Control
  Path Access
  Login/Password
  Biometrics
  Remote Access

Page 23

Security: Defense in Depth
  Border Router
  Perimeter firewall
  Internal firewall
  Intrusion Detection System
  Policies & Procedures & Audits
  Authentication
  Access Controls

Page 24

Four Layers of Logical Security
Diagram: System 1, System 2 -> App1, App2 -> Database
  Two layers of general access: to Networks and Systems
  Two layers of granularity of control: to Applications and Databases

Page 25

Password Rules
  One-way encrypted using a strong algorithm
  Never displayed (except ***)
  Never written down and retained near terminal or in desk
  Passwords should be changed every 30 days, by notifying user in advance
  A history of passwords should prevent user from using the same password in 1 year
  Passwords should be >= 8 (better 12) characters, including 3 of: alpha, numeric, upper/lower case, and special characters
  Passwords should not be identifiable with user, e.g., family member or pet name
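An added Python example (not the lecture's code) that turns the password rules above into checks: length and character classes, identifiability against the user's name and personal terms, the one-year history by comparing the candidate against stored hashes, and the 30-day expiry. PBKDF2-HMAC-SHA256 from the standard library stands in for the "strong one-way algorithm"; the iteration count, the sample user profile and the old password placed in the history are constructed.

```python
"""Password-rule checks from the 'Password Rules' slide.

Added example, not the lecture's own code.  PBKDF2-HMAC-SHA256 from the
standard library stands in for the slide's 'strong one-way algorithm'; the
iteration count, the field names, and the sample user profile and history
in demo() are this example's assumptions.
"""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import List, Optional, Sequence, Tuple

ITERATIONS = 200_000                   # assumption: raise to the server's CPU budget
MAX_AGE = timedelta(days=30)           # slide: changed every 30 days
HISTORY_WINDOW = timedelta(days=365)   # slide: no reuse within 1 year
MIN_LENGTH = 8                         # slide: >= 8 (better 12)

HistoryEntry = Tuple[bytes, bytes, datetime]   # (salt, digest, time the password was set)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way: only (salt, digest) is stored, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def composition_errors(password: str) -> List[str]:
    """Length and character-class rules: 3 of alpha, numeric, mixed case, special."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    mixed_case = any(c.islower() for c in password) and any(c.isupper() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if sum([has_alpha, has_digit, mixed_case, has_special]) < 3:
        errors.append("fewer than 3 of: alpha, numeric, upper/lower case, special")
    return errors


def check_new_password(candidate: str, username: str, personal_terms: Sequence[str],
                       history: Sequence[HistoryEntry], now: datetime) -> List[str]:
    """All rule violations for a proposed password; an empty list means accept."""
    errors = composition_errors(candidate)
    lowered = candidate.lower()
    # Not identifiable with the user: user name, family members, pets, ...
    for term in [username, *personal_terms]:
        if term and term.lower() in lowered:
            errors.append(f"contains identifiable term '{term}'")
    # History: reject anything set within the last year, by checking the stored hashes.
    for salt, digest, set_at in history:
        if now - set_at <= HISTORY_WINDOW and verify_password(candidate, salt, digest):
            errors.append("reused within the last year")
            break
    return errors


def password_expired(set_at: datetime, now: datetime) -> bool:
    """The 30-day change rule; the user should be notified before this trips."""
    return now - set_at >= MAX_AGE


def demo() -> dict:
    """Constructed profile: user jsmith, family name Smith, pet Rex, one old password."""
    now = datetime(2015, 12, 17)
    old_salt, old_digest = hash_password("Winter2014!")
    history = [(old_salt, old_digest, now - timedelta(days=100))]
    results = {pw: check_new_password(pw, "jsmith", ["Smith", "Rex"], history, now)
               for pw in ["Winter2014!", "rexIsBest9", "Ab1!", "correct-Horse-7battery"]}
    results["expired_after_31_days"] = password_expired(now - timedelta(days=31), now)
    return results


if __name__ == "__main__":
    for password, outcome in demo().items():
        print(password, "->", outcome or "accepted")
```

Checking a candidate against the history costs one PBKDF2 computation per stored entry, which is why the stored history is limited to the one-year window the slide asks for.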

Page 26

Authentication Combinations
  Single Factor: Something you know: Login & Password
  Multifactor Authentication: Using two or more authentication methods
    Two Factor: Add one of:
      Something you have: Card or ID
      Something you are or do: Biometric
    Three Factor: Uses all three, e.g., badge, thumb, pass code

Page 27

Biometrics with Best Response & Lowest EER (source: CISA Review Manual 2009)

| Type (top is best) | Advantages | Disadvantages |
| --- | --- | --- |
| Palm | Social acceptance | Physical contact |
| Hand (3D) | Social acceptance, low storage | Not unique, injury affects |
| Iris | No direct contact | High cost, high storage |
| Retina | Low FAR | High cost, 1-2 cm away: invasive |
| Fingerprint | Low cost; more storage = lower EER | Physical contact -> grime -> poor quality image |
| Voice | Phone use, social acceptance | High storage, playback, voice change, background noise |
| Signature | Easy to use, low cost | Uniqueness; writing onto tablet differs from paper |
| Face | Social acceptance | Not unique; overcome with high storage |

Page 28

Biometrics
Biometrics: Who you are or what you do. Susceptible to error:
  False Rejection Rate (FRR): Rate of users rejected in error
  False Acceptance Rate (FAR): Rate of users accepted in error
  Failure to Enroll Rate (FER): Rate of users who failed to successfully register
  Equal Error Rate (EER): the point where FRR = FAR
(Graph: FAR increases in one direction of the decision threshold, FRR in the other; the two curves cross at the EER.)
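An added Python example, not from the lecture, that computes FRR, FAR and FER from constructed match scores and sweeps the decision threshold to locate the EER. It also shows the opposite tuning: the lowest threshold that holds FAR at zero (the "low FAR" the retina row of the table refers to) and the FRR that costs. The scores and enrollment counts are constructed; the function names are this example's own.

```python
"""Biometric error rates (FRR, FAR, FER, EER) computed from match scores.

Added example, not the lecture's code.  The match scores and the enrollment
counts are constructed (a higher score means a closer match); a real system
derives them from template comparison.  Function names are mine.
"""
from typing import List, Tuple

# Constructed comparison scores against the enrolled template.
GENUINE = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.74, 0.70, 0.62, 0.55]   # the enrolled person
IMPOSTOR = [0.60, 0.52, 0.48, 0.45, 0.42, 0.40, 0.35, 0.30, 0.25, 0.20]  # someone else


def rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """(FRR, FAR) at one decision threshold; a sample is accepted iff score >= threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)      # genuine users rejected in error
    far = sum(s >= threshold for s in impostor) / len(impostor)   # impostors accepted in error
    return frr, far


def failure_to_enroll(attempted: int, enrolled: int) -> float:
    """FER: share of users whose registration did not produce a usable template."""
    return (attempted - enrolled) / attempted


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed score as a threshold; return (threshold, EER) where FRR and
    FAR are closest.  A lower EER means a better-performing biometric."""
    best_t, best_gap, best_rate = 0.0, float("inf"), 1.0
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = rates(genuine, impostor, t)
        if abs(frr - far) < best_gap:
            best_t, best_gap, best_rate = t, abs(frr - far), (frr + far) / 2
    return best_t, best_rate


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float) -> Tuple[float, float]:
    """High-security tuning: the lowest threshold holding FAR <= max_far, and the FRR it
    costs.  Tightening the threshold lowers FAR and raises FRR; they move against each other."""
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return float("inf"), 1.0   # no observed threshold is tight enough: everyone rejected


if __name__ == "__main__":
    print("FER:", failure_to_enroll(50, 47))
    print("EER (threshold, rate):", equal_error_rate(GENUINE, IMPOSTOR))
    print("FAR=0 tuning (threshold, FRR):", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```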

Page 29

Biometric Info Mgmt & Security (BIMS) Policy
  Identification & authentication procedures
  Backup authentication
  Safe transmission/storage of biometric data
  Security of physical hardware
  Validation testing
Auditors should ensure documentation & use is professional

Page 30

Single Sign On
Advantages
  One good password replaces lots of passwords
  IDs consistent throughout system(s)
  Reduced admin work in setup & forgotten passwords
  Quick access to systems
Disadvantages
  Single point of failure -> total compromise
  Complex software development due to diverse OS
  Expensive implementation
Diagram: Enter Password -> Primary Domain (System) -> Secondary Domains: App1, DB2, App3

Page 31

Recommended Password Allocation (flow between User and Security Admin)
Security Admin:
  Verify user ID (e.g., email)
  User allocated random password, or sent email with link
  Inform user in controlled manner
User:
  First-time login: change password
  Subsequent logins
  [Forgot Password] -> Notify Security
  [Invalid password attempts]: Enter 5 invalid passwords -> Account [locked]
    [Auto Timeout] -> System automatically unlocks -> Account [unlocked]
    [Manual] -> Account [unlocked]
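The flow above as an added Python state machine (not the lecture's code): the security admin provisions a random password after verifying identity, the first login forces a change, five invalid passwords lock the account, and either an automatic timeout or a manual admin action unlocks it, with every step appended to an audit list. The 15-minute auto-unlock period, the plain stored secret (a real system stores a salted hash, as the password-rules slide says) and all names are assumptions.

```python
"""Account life cycle from the 'Recommended Password Allocation' flow:
provisioning, forced first-login change, lockout after 5 invalid passwords,
automatic and manual unlock, with an audit trail of every step.

Added example, not the lecture's code.  The 5-attempt limit and the two
unlock paths are the slide's; the 15-minute auto-unlock period, the plain
secret standing in for a stored hash, and all names are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_INVALID = 5                              # slide: "Enter 5 invalid passwords"
AUTO_UNLOCK_AFTER = timedelta(minutes=15)    # assumption: [Auto Timeout] period


@dataclass
class Account:
    user: str
    secret: str                      # stand-in for a salted hash
    must_change: bool = True         # random initial password must be replaced on first login
    invalid_attempts: int = 0
    locked_at: Optional[datetime] = None
    audit: List[Tuple[datetime, str]] = field(default_factory=list)


def provision(user: str, admin: str, now: datetime) -> Account:
    """Security admin verifies the user's identity and issues a random password."""
    acct = Account(user, secrets.token_urlsafe(12))
    acct.audit.append((now, f"{admin}: identity verified, random password issued"))
    return acct


def is_locked(acct: Account, now: datetime) -> bool:
    """[Auto Timeout]: a lock older than AUTO_UNLOCK_AFTER clears itself."""
    if acct.locked_at is None:
        return False
    if now - acct.locked_at >= AUTO_UNLOCK_AFTER:
        acct.locked_at, acct.invalid_attempts = None, 0
        acct.audit.append((now, "system automatically unlocked account"))
        return False
    return True


def manual_unlock(acct: Account, admin: str, now: datetime) -> None:
    """[Manual] path: a security admin unlocks after the user notifies security."""
    acct.locked_at, acct.invalid_attempts = None, 0
    acct.audit.append((now, f"{admin}: manually unlocked account"))


def login(acct: Account, password: str, now: datetime) -> str:
    """One of 'locked', 'invalid', 'change_required', 'ok'; every outcome is logged."""
    if is_locked(acct, now):
        acct.audit.append((now, "login refused: account locked"))
        return "locked"
    if not hmac.compare_digest(password.encode(), acct.secret.encode()):
        acct.invalid_attempts += 1
        if acct.invalid_attempts >= MAX_INVALID:
            acct.locked_at = now
            acct.audit.append((now, f"locked after {MAX_INVALID} invalid passwords"))
            return "locked"
        acct.audit.append((now, f"invalid password ({acct.invalid_attempts})"))
        return "invalid"
    acct.invalid_attempts = 0
    if acct.must_change:
        acct.audit.append((now, "first login: password change required"))
        return "change_required"
    acct.audit.append((now, "login ok"))
    return "ok"


def change_password(acct: Account, old: str, new: str, now: datetime) -> bool:
    if not hmac.compare_digest(old.encode(), acct.secret.encode()):
        return False
    acct.secret, acct.must_change = new, False
    acct.audit.append((now, "password changed by user"))
    return True


def scenario() -> List[str]:
    """Walk the slide's flow: 5 bad passwords lock, a correct one is still refused,
    the auto timeout unlocks, the first good login forces a change, then a normal
    login; a second user is unlocked manually instead."""
    t0 = datetime(2015, 12, 17, 9, 0)
    alice = provision("alice", "secadmin", t0)
    steps = [login(alice, "wrong", t0 + timedelta(seconds=i)) for i in range(MAX_INVALID)]
    steps.append(login(alice, alice.secret, t0 + timedelta(minutes=1)))    # still locked
    steps.append(login(alice, alice.secret, t0 + timedelta(minutes=16)))   # auto-unlocked
    change_password(alice, alice.secret, "correct-Horse-7battery", t0 + timedelta(minutes=17))
    steps.append(login(alice, "correct-Horse-7battery", t0 + timedelta(minutes=18)))
    bob = provision("bob", "secadmin", t0)
    for _ in range(MAX_INVALID):
        login(bob, "wrong", t0)
    manual_unlock(bob, "secadmin", t0 + timedelta(minutes=2))              # [Manual] path
    steps.append(login(bob, bob.secret, t0 + timedelta(minutes=3)))
    return steps


if __name__ == "__main__":
    print(scenario())
```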

Page 32

Admin & Login ID Rules
  Restrict number of admin accounts
  Admin password should only be known by one user
  Admin accounts should never be locked out, whereas others are
  Admin password can be kept in a locked cabinet in a sealed envelope, where the top manager has the key
  Login IDs should follow a confidential internal naming rule
  Common accounts (Guest, Administrator, Admin) should be renamed
  Session time out should require password re-entry

Page 33

Access Control Techniques

Mandatory Access Control / Discretionary Access Control

| File | User | Group | Permi… |
| --- | --- | --- | --- |
| A | John | Mgmt | rwx, r x |
| B | June | Billing | , r |
| C | May | Factory | r x, r x |
| D | Al | Billing | |
| E | Don | Billing | |

Role-Based Access Control

| Login | Role | Permission |
| --- | --- | --- |
| John | Mgr | A, B, C, D, E, F |
| June | Acct. | A, B, C |
| Al | Acct. | A, B, C |
| May | Factory | D, E, F |
| Pat | Factory | D, E, F |

Per-login permissions:

| Login | Permissions |
| --- | --- |
| John | A, B, C, D, E, F |
| June | A, B, C |
| May | D, E, F |
| Al | A, B |
| Don | B, C |
| Pat | D, F |
| Tom | E, F |
| Tim | E |

Page 34

Access Control Techniques

Mandatory Access Control: General (system-determined) access control

Discretionary Access Control: Person with permissions controls access

Role-Based Access Control: Access control determined by role in organization

Physical Access Control: Locks, fences, biometrics, badges, keys

Page 35

Workbook: Role-Based Access Control

| Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX) |
| --- | --- |
| Instructor | Student Records: Grading Form RW; Student Transcript (current students) R; Transfer credit form R |
| Advising | Student Records: Student Transcript (current students) R; Fee Payment R; Transfer credit form R |
| Registration | Student Records: Fee Payment RW; Transfer credit form RW |
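An added Python example (not the workbook's own code) that loads the three roles above, derives each user's effective permissions as the union of their roles, answers permission checks fail-closed, and enforces the segregation-of-duties principle from the principles slide by refusing to assign two conflicting roles to one person. The roles and permissions are the workbook's; the conflicting pair (Instructor with Registration), the user names and the class are constructed for the example.

```python
"""Role-based access control with a segregation-of-duties check.

Added example, not the lecture's code.  The three roles and their form
permissions are transcribed from the workbook slide; the conflicting-role
pair, the user names and the class/function names are constructed (which
roles may not be combined is a policy decision).
"""
from typing import Dict, FrozenSet, Set, Tuple

# Role -> {form: permissions}, from the workbook (R = read, W = write).
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "Instructor": {"Grading Form": {"R", "W"},
                   "Student Transcript": {"R"},
                   "Transfer credit form": {"R"}},
    "Advising": {"Student Transcript": {"R"},
                 "Fee Payment": {"R"},
                 "Transfer credit form": {"R"}},
    "Registration": {"Fee Payment": {"R", "W"},
                     "Transfer credit form": {"R", "W"}},
}

# Segregation of duties (principles slide): role pairs no one person may hold
# at once.  Constructed policy: whoever grades must not also write transfer
# credit and fee records.
CONFLICTS: Set[FrozenSet[str]] = {frozenset({"Instructor", "Registration"})}


class Rbac:
    def __init__(self) -> None:
        self.assignments: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> Tuple[bool, str]:
        """Add a role to a user unless it is unknown or conflicts with one already held."""
        if role not in ROLES:
            return False, f"unknown role {role!r}"
        for held in self.assignments.get(user, set()):
            if frozenset({held, role}) in CONFLICTS:
                return False, f"segregation of duties: {held} conflicts with {role}"
        self.assignments.setdefault(user, set()).add(role)
        return True, "assigned"

    def revoke(self, user: str, role: str) -> None:
        """Jobs change: the personnel office drops roles the user no longer needs."""
        self.assignments.get(user, set()).discard(role)

    def permissions(self, user: str) -> Dict[str, Set[str]]:
        """Effective rights = union of the user's roles (what a periodic review looks at)."""
        merged: Dict[str, Set[str]] = {}
        for role in self.assignments.get(user, set()):
            for form, perms in ROLES[role].items():
                merged.setdefault(form, set()).update(perms)
        return merged

    def permitted(self, user: str, form: str, op: str) -> bool:
        """Fail closed: no role, no form, or no permission all mean deny."""
        return op in self.permissions(user).get(form, set())


if __name__ == "__main__":
    rbac = Rbac()
    print(rbac.assign("pat", "Instructor"))
    print(rbac.assign("pat", "Advising"))
    print(rbac.assign("pat", "Registration"))   # refused by segregation of duties
    print(rbac.permissions("pat"))
    print(rbac.permitted("pat", "Fee Payment", "W"))   # False: Advising is read-only here
```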

Page 36

System Access Control
  Establish rules for access to information resources
  Create/maintain user profiles
  Allocate user IDs requiring authentication (per person, not group)
  Notify users of valid use and access before and upon login
  Ensure accountability and auditability by logging user activities
  Log events
  Report access control configuration & logs

Page 37

Application-Level Access Control
  Create/change file or database structure
  Authorize actions at the: Application level, File level, Transaction level, Field level
  Log network & data access activities to monitor access violations

Page 38

Which Computer Do You Trust?
You plan to make a purchase on-line…
  Your office computer?
  A library or college computer?
  Your children's computer?

Page 39

Trusted Computing Base (TCB)
Diagram, application stack: Trusted Hardware -> Trusted Operating System -> Trusted App 1, Trusted App 2, Trusted App 3
Diagram, service stack: Trusted Hardware -> Trusted Operating System -> Trusted Service 1, Trusted Service 2, Trusted Service 3
The two stacks are joined by a trusted network
Trusted app has:
  Horizontal dependencies: operating system, hardware
  Vertical dependencies: server applications, network, authentication server, …

Page 40

Processing requires Dependencies
  Vertical Dependencies: Secret App requires: Secret-level database, Secret-level OS, Secret-level hardware
  Horizontal Dependencies: Secret App requires: Secret-level servers, Secret-level communications, Secret-level authentication

Page 41

Trusted Computing Base (TCB)
Diagram, application stack: Trusted Hardware -> Trusted OS -> Trusted App 1, Trusted App 2, Trusted App 3 (encapsulated security impl.)
Diagram, service stack: Trusted Hardware -> Trusted OS -> Trusted Service 1, Trusted Service 2, Trusted Service 3 (encapsulated security impl.)
The two stacks are joined by a trusted network under one Security Policy
  TCB Subset: Verified security policy, provides reliability
  Encapsulated security implementation provides rapid implementation

Page 42

Bell and La Padula Model (BLP)
Property of Confinement:
  Read Down: if Subject's class is >= Object's class
  Write Up: if Subject's class is <= Object's class
Tranquility Principle: Object's class cannot change
Declassification: Subject can lower his/her own class

Diagram: Joe => (Secret)
  Top Secret: write
  Secret: read & write
  Confidential: read
  Non-Classified: read

Page 43

Military Security Policy
  Person has an Authorization Level or Level of Trust (S, D) = (sensitivity, domain) for Subject (potentially Project)
  Object has a Security Class
  Confidentiality Property: Subject can access object if it dominates the object's classification level

| Class | Finance | Engineering | Personnel |
| --- | --- | --- | --- |
| Top Secret | Customer list | New plans | |
| Secret | Dept. Budgets | Code | Personnel review |
| Confidential | Expenses | Emails | Salary |
| Non-Classified | Balance sheet | Users Manuals | Position Descriptions |

Example subjects: (Secret, Eng), (Confid., Finance)
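The BLP rules of the previous slide combined with this slide's (sensitivity, domain) labels, as an added Python example that is not the lecture's code: a label dominates another when its level is at least as high and its domains are a superset; read down and write up are checked against that order, declassification only lowers a subject's own level, and object labels are frozen so that tranquility holds. Joe at (Secret), the (Secret, Eng) subject and the objects of the table are the slides'; the Label class and the function names are this example's own.

```python
"""Bell-LaPadula read/write checks over (sensitivity, domain) labels.

Added example, not the lecture's code.  The four levels, Joe at (Secret),
the (Secret, Eng) subject and the Finance/Engineering/Personnel objects are
transcribed from the slides; the Label class, its method names and the
spelling of the domain strings are this example's own.
"""
from dataclasses import FrozenInstanceError, dataclass
from typing import Dict, FrozenSet

LEVELS = ["Non-Classified", "Confidential", "Secret", "Top Secret"]   # low to high


@dataclass(frozen=True)   # frozen: a label, once assigned, cannot be edited in place
class Label:
    level: str
    domains: FrozenSet[str] = frozenset()   # empty = no domain restriction (Joe's case)

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level AND at least the same domains."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.domains >= other.domains)


def can_read(subject: Label, obj: Label) -> bool:
    """Read down: allowed if the subject's class dominates the object's class."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write up: allowed if the object's class dominates the subject's class."""
    return obj.dominates(subject)


def declassify(subject: Label, new_level: str) -> Label:
    """A subject may lower its own class, never raise it; a new Label is returned."""
    if LEVELS.index(new_level) > LEVELS.index(subject.level):
        raise ValueError("declassification can only lower a subject's class")
    return Label(new_level, subject.domains)


def relabel_object(obj: Label, new_level: str) -> bool:
    """Tranquility: an object's class cannot change.  The frozen dataclass refuses
    the edit and this returns False rather than silently reclassifying."""
    try:
        obj.level = new_level   # type: ignore[misc]
    except FrozenInstanceError:
        return False
    return True


# Objects from the military security policy table: (class, domain).
OBJECTS: Dict[str, Label] = {
    "Customer list": Label("Top Secret", frozenset({"Finance"})),
    "New plans": Label("Top Secret", frozenset({"Engineering"})),
    "Dept. Budgets": Label("Secret", frozenset({"Finance"})),
    "Code": Label("Secret", frozenset({"Engineering"})),
    "Personnel review": Label("Secret", frozenset({"Personnel"})),
    "Expenses": Label("Confidential", frozenset({"Finance"})),
    "Emails": Label("Confidential", frozenset({"Engineering"})),
    "Salary": Label("Confidential", frozenset({"Personnel"})),
    "Balance sheet": Label("Non-Classified", frozenset({"Finance"})),
    "Users Manuals": Label("Non-Classified", frozenset({"Engineering"})),
    "Position Descriptions": Label("Non-Classified", frozenset({"Personnel"})),
}


def access_summary(subject: Label) -> Dict[str, str]:
    """Per object: 'read', 'write', 'read & write' or '-', like the BLP slide's diagram."""
    summary = {}
    for name, obj in OBJECTS.items():
        r, w = can_read(subject, obj), can_write(subject, obj)
        summary[name] = "read & write" if r and w else "read" if r else "write" if w else "-"
    return summary


if __name__ == "__main__":
    joe = Label("Secret")
    for level in reversed(LEVELS):
        target = Label(level)
        print(f"Joe (Secret) vs {level}: read={can_read(joe, target)} write={can_write(joe, target)}")
    print(access_summary(Label("Secret", frozenset({"Engineering"}))))
```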

Page 44

BIG Data
Example record: Alice Winter, 222 Pine Dr., 262-513-2341, Birth=1989, Diabetic
Options include: Encryption, access control, firewall, security intelligence
  Obfuscate: Make data unclear
  Distribute data across multiple locations: No single location has useful data (e.g., RAID)
  Blacklist: Not stored, or access via permission
  Anonymize: Alter via statistical distribution
  Whitelist: Permitted to see

Page 45

IS Auditor Verifies…
  Written Policies & Procedures are professional & implemented
  Access follows need-to-know
  Security awareness & training implemented
  Data owners & data custodians meet responsibility for safeguarding data
  Security Administrator provides physical and logical security for IS program, data, and equipment
  Authorization is documented and consistent with reality
See CISA Review Manual for specific details

Page 46

Question

A form of biometrics that is considered invasive by users is:

1. Retina

2. Iris

3. 3D hand

4. Signature

Page 47

Question

A form of biometrics that is not prone to error is

1. Retina

2. Voice

3. Finger

4. Signature

Page 48

Question

Julie is a Data Owner. She configures permissions in the database to enable users to access the forms she thinks they should be able to access. This technique is known as

1. Bell and La Padula Model

2. Mandatory Access Control

3. Role-Based Access Control

4. Discretionary Access Control

CISA Review Manual 2009

Page 49

Question

John has a security clearance of (Engineering, Confidential). Using Bell and La Padula Model, John can write to:

1. Confidential

2. Top Secret, Secret, and Confidential

3. Confidential and Unclassified

4. Unclassified

CISA Review Manual 2009

Page 50

Audit Trails

Page 51

Audit Trail
  Audit trail tracks responsibility: Who did what when?
  Periodic review will help to find excess-authority access, login successes & failures, and track fraud
  Attackers often want to change the audit trail (to hide tracks)
  Audit trail must be hard to change: Write-once devices; Digital signatures; Security & systems admins and managers may have READ-only access to log
  Audit trail must be sensitive to privacy: Personal information may be encrypted

Page 52

Audit Trail Tools
  Audit Reduction: Filter important logs; eliminate unimportant logs
  Attack/Signature Detection: A sequence of log events may signal an attack (e.g., 1000 login attempts)
  Trend/Variance Detection: Notices changes from normal user or system behavior (e.g., login during night)
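The three tools above run over a small constructed log, as an added Python example that is not the lecture's code: audit reduction keeps logins and failures and drops routine reads, signature detection counts failed logins per source inside a sliding window (the slide's figure of 1000 attempts is the default; demo() lowers it so the small sample trips it), and variance detection learns each user's usual login hours from a clean history and flags logins outside them or at night. The log format, the sample lines and the night hours are constructed.

```python
"""Audit trail tools over a constructed log: audit reduction, attack/signature
detection and trend/variance detection.

Added example, not the lecture's code.  The log format, the sample lines, the
night hours (22:00-06:00) and the small threshold used in demo() are
constructed; the slide's own signature figure (1000 attempts) is the default.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
                  r"result=(?P<result>\S+) src=(?P<src>\S+)")

# Constructed history of normal daytime logins, used to learn each user's baseline.
HISTORY_LOG = """\
2015-12-14T08:55:01 user=alice event=login result=success src=10.1.1.7
2015-12-14T09:10:12 user=bob event=login result=success src=10.1.1.9
2015-12-15T08:58:44 user=alice event=login result=success src=10.1.1.7
2015-12-15T13:02:09 user=bob event=login result=success src=10.1.1.9
2015-12-16T09:03:30 user=alice event=login result=success src=10.1.1.7
"""

# Constructed day under review: routine work, then a night-time burst of failures.
SAMPLE_LOG = """\
2015-12-17T09:01:10 user=alice event=login result=success src=10.1.1.7
2015-12-17T09:02:40 user=alice event=read result=success src=10.1.1.7
2015-12-17T09:05:00 user=bob event=login result=success src=10.1.1.9
2015-12-17T13:10:00 user=alice event=read result=success src=10.1.1.7
2015-12-17T13:11:00 user=alice event=write result=failure src=10.1.1.7
2015-12-17T23:41:02 user=bob event=login result=success src=198.51.100.23
2015-12-17T23:42:00 user=root event=login result=failure src=198.51.100.23
2015-12-17T23:42:10 user=root event=login result=failure src=198.51.100.23
2015-12-17T23:42:20 user=admin event=login result=failure src=198.51.100.23
2015-12-17T23:42:30 user=admin event=login result=failure src=198.51.100.23
2015-12-17T23:42:40 user=bob event=login result=failure src=198.51.100.23
2015-12-17T23:45:10 user=alice event=login result=failure src=10.1.1.7
"""


def parse(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:   # lines that do not parse are skipped here; a collector should count them
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def audit_reduction(events: List[dict]) -> List[dict]:
    """Keep every login (any result) and every failure; drop routine successful access."""
    return [e for e in events if e["event"] == "login" or e["result"] == "failure"]


def signature_detection(events: List[dict], threshold: int = 1000,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Sources with >= threshold failed logins inside one sliding window -> largest burst."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "failure":
            failures[e["src"]].append(e["ts"])
    flagged: Dict[str, int] = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                flagged[src] = max(flagged.get(src, 0), burst)
    return flagged


def learn_baseline(events: List[dict]) -> Dict[str, Set[int]]:
    """Hours of day at which each user normally logs in, from a clean history period."""
    hours: Dict[str, Set[int]] = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            hours[e["user"]].add(e["ts"].hour)
    return dict(hours)


def is_night(ts: datetime) -> bool:
    return ts.hour >= 22 or ts.hour < 6


def variance_detection(events: List[dict], baseline: Dict[str, Set[int]]) -> List[dict]:
    """Successful logins outside the user's usual hours, or at night (the slide's example)."""
    return [e for e in events
            if e["event"] == "login" and e["result"] == "success"
            and (is_night(e["ts"]) or e["ts"].hour not in baseline.get(e["user"], set()))]


def demo() -> dict:
    events = parse(SAMPLE_LOG)
    baseline = learn_baseline(parse(HISTORY_LOG))
    return {"reduced": len(audit_reduction(events)),
            "bursts": signature_detection(events, threshold=5),   # small threshold for the sample
            "variances": [(e["user"], e["ts"].strftime("%H:%M"))
                          for e in variance_detection(events, baseline)]}


if __name__ == "__main__":
    print(demo())
```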

Page 53

Question

Audit trails:

1. Should be modifiable only by security administrators

2. Should be difficult to change (e.g., write-once)

3. Should only save important logs, using log reduction

4. Should avoid encryption to ensure no loss and quick access

Page 54

Definitions extracted from: All-In-One CISA Exam Guide

Interactive Crossword Puzzle
To get more practice with the vocabulary from this section, click on the picture below. For a word bank, look at the previous slide.

Page 55

HEALTH FIRST CASE STUDY
Designing Information Security
  Jamie Ramon, MD: Doctor
  Chris Ramon, RD: Dietician
  Terry: Licensed Practicing Nurse
  Pat: Software Consultant

Page 56

Define Sensitivity Classification

| Sensitivity Classification | Description | Information Covered |
| --- | --- | --- |
| Proprietary | Protects competitive edge. Material is of critical strategic importance to the company and its dissemination could result in serious financial impact. | |
| Confidential | Information protected by law. Shall be made available or visible on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. | |
| Privileged | Should be accessible to management or affected parties only. Could cause internal strife or external embarrassment if released: for use with particular parties within the organization. | |
| Public | Disclosure is not welcome, but would not adversely impact the organization, OR information is public record | |

Page 57

Define Sensitivity Classification
  Medical appointments
  Credit card information
  Budget
  Personnel records
  Patient treatment
  Contracts & Licenses
  Business Statistics

Page 58

How should classes be treated? Table 4.1.2: Handling of Sensitive Data

| | Proprietary | Confidential | Privileged |
| --- | --- | --- | --- |
| Access | Need to know | Need to know | Need to know |
| Paper Storage | Locked cabinet; locked room if unattended | Locked cabinet; locked room if unattended | Locked cabinet or locked room if unattended |
| Disk Storage | Password-protected, encrypted | Password-protected, encrypted | Password-protected |
| Labeling and Handling | 'Confidential'; clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy |
| Transmission | Encrypted | Encrypted | |
| Archive | Encrypted | Encrypted | |
| Disposal | Degauss & damage disks; shred paper | Secure wipe, damage disks; shred paper | Reformat disks |
| Special | | | |

Page 59

Define Roles & Role-Based Access Control

| Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX) |
| --- | --- |
| | Health Plan Eligibility: Health Plan; Eligibility: Active; Maximum Benefit; Co-Pay; Deductible; Exclusions; In-Plan Benefits; Out-of-Plan Benefits; Coordination of Benefits |
| | Specific Procedure Request: Procedure; Coverage; Max. Coverage; Co-pay / Non-covered; Dates; Patient Resp Amounts |

Page 60

Workbook: Information Asset Inventory
  Asset Name: Course Registration
  Value to Organization: Records which students are taking which classes
  Location: IS Main Center
  Security Risk Classification: Sensitive, Vital
  IS Server: Peoplesoft
  Data Owner (Who decides who should have access?):
  Designated Custodian (Who takes care of backups and sys admin functions?):
  Granted Permissions: Read: Department Staff, Advising; Read/Write: Students, Registration
  Access is permitted at any time/any terminal

Page 61

Reference

| Slide # | Slide Title | Source of Information |
| --- | --- | --- |
| 5 | Information Security Principles | CISA: page 117–119 & CISM: page 187 |
| 6 | Information Security Mgmt | CISM: page 94, 95 |
| 10 | Criticality Classification | CISA: page 127 Exhibit 2.18 |
| 16 | Storage & Destruction Confidential Information | CISA: page 346, 347 |
| 27 | Access Control Techniques | CISA: page 323, 385 |
| 31 | System Access Control | CISA: page 337 |
| 32 | Application-Level Access Control | CISA: page 337 |
| 34 | Password Rules | CISA: page 338, 339 |
| 36 | Admin & Login ID Rules | CISA: page 338, 339 |
| 37 | Single Sign On | CISA: page 341 |
| 39 | Biometrics | CISA: page 339 |
| 40 | Biometrics with Best Response & Lowest EER | CISA: page 339, 340 |
| 41 | Biometric Info Mgmt & Security (BIMS) Policy | CISA: page 341 |
| 48 | Backup & Offsite Library | CISA: page 301, 302 |
| 49 | Backup Rotation: Grandfather/Father/Son | CISA: page 303 |
| 50 | Incremental & Differential Backups | CISA: page 304 |
| 53 | Audit Trail Tools | CISA: page 345 |

