ISACA CISM – Domain 03 – Information Security Program Development Part 7

50. Controls as Strategy Implementation Resources Part4

Now do these controls operate in the principle of least privilege, meaning that we can adjust the access, we can adjust the things that you’re allowed to do to a level that gives you just enough privileges to do the job and nothing more. In some cases we look for compartmentalization. We see a lot of times where if we use a web server as an example, we’re or I may have several applications running on a web server. And if somebody hacks into one of the applications and can take that application over. Then in a non compartmentalized type of web server, they could use that new advantage point of that application and begin to attack all the other applications running on that web server. If it was compartmentalized, then even if you take that over, you’re kind of stuck in that realm.

You can’t break out and take over other applications. We see examples of that with sometimes some virtualization. I know that we can create virtualized applications where maybe in a normal sense I can run an application once, but I can’t open it more than one time and I need to, so I could create them as their own little compartments and have them open up in their own little space and environment. Java calls that idea the sandbox, where whatever happens inside the sandbox can’t escape the sandbox. So if you’re opening up a Java application that is going to try to do something evil to your operating system, it’s kind of stuck in there. We look at controls that deal with segregation of duties. Segregation of duties just simply means it takes two or more people to complete a certain job.

And the goal for that is to make sure that no one person, if they decide to become corrupt and do something malicious, can do it by themselves. They would have to recruit somebody. And we often find that people are not as willing to try to recruit somebody to perpetrate an attack because the more people you ask, the more chances you’re going to get caught. I use the example oftentimes that if I have somebody responsible for doing backup, I don’t let them do restores. Because if they could do both backup and restores, they could back up files they don’t have permissions to see, restore them on systems where they can alter the permissions. And that could be leading to some bad things happening.

51. Common Control Practices

We also need transparency. Transparency is often the way of saying that the control is easy to use, it’s easy to manipulate, maybe even to the point where we can say, you know what, we don’t even notice it’s there. If I go to a website and I open up whatever website I go to, often the fact that I went through a firewall to get there is transparent to me. I said to put in my web browser, I want to go to this website, website, that website opens, and it seems to run very well. We also have trust and trust no one. So the purpose of trust is that we have to trust users to trust other services or other processes that are running. But the trust no one means that even though I’m trusting you, I’m going to check up on you anyway.

An example I thought of here was if I’m working at a point of sale and I’ve got this cash drawer that you are trusting me to work with, that you’re hoping I’m not going to fill my pockets up with your money and just run out the door. So during the day, as I help it in the exchange of sales and making change and doing things, you’re trusting me again with potentially a large sum of money. But at the end of the day, you’re still going to have somebody independent count my till and make sure that it comes out properly based on receipts. So in a way, you’re trusting me, but at the same time, we’re not trusting anyone. But that is putting in the auditing capability. And again, that helps us in basically making sure that we are trying to find ways that these controls can operate and make it very difficult goal to bypass him.

52. Countermeasures

When we look at the term countermeasures, really, they are controls that are put in place to respond to a specific threat. That’s why we often call them a targeted control. Now, remember that these countermeasures, as the controls, can be designed to be preventive, detective, or corrective. Now, the countermeasures like controls, are designed to be a response to a specific type of a threat. Not all of the countermeasures, though, are technical in nature. One countermeasure might be the implementation of training to be able to show people how social engineering works so they can become aware of ways in which people might try to trick them out of their passwords.

53. Technologies Part1

Now, when we talk about technologies, whatever technology we choose to help mitigate the risk might have constraints by the existing legacy architecture. Now, fortunately, these constraints can be minimized because there are a wide range of technology alternatives that are out there. So if I’m looking at technologies, let’s say, that are designed to help protect the network, and I might be looking for a technology such as a firewall, but maybe the firewall I wanted to buy will only work with Ethernet, and maybe my network has a legacy section that’s using token ring or some other type of media for the communications.

Well, in today’s world there are many different technologies where the interfaces on a firewall can be swapped out with different ones as simply as buying a different interface card. Sometimes they’re expensive and just swapping it in. So, like I said, there are some wide alternatives that we have in technology to help us with those constraints, because I don’t think it would maybe be the best interest. Well, I do think it would be the best. Interest, but for cost types of constraints to rip out an entire infrastructure just so you can get this one firewall to be put in.

54. Technologies Part2

Now we’re going to talk about some of the common types of technology that could be used as a design control or as a design control point. And again, I’m going to give you the overviews and brief descriptions of these ideas just as we need in management, so that we don’t have to necessarily know that we’re going to work directly with or can configure any of these. But that the more we know, the more information we have about some of the expectations or some of the options, the better our choices are going to be in the overall management. So the first type of thing we see for design control are things like an Access Control list. Now, a little while ago I talked about some access control issues about mandatory access control and discretionary access control. Discretionary access control works pretty well as an example of an access control list because what happens is the owner of a file can list all of the users and their permissions that they want, whether they are going to have read or read, write or delete.

And each of those entries they put in is called an Access Control entry. And as we look at them as a list of entries, that’s what it is. It’s a list of what kind of access control can we have? If I take that same term of access control and put it into, let’s say, a firewall or onto a router there, the Access Control list is often a list of types of traffic that I’m going to permit or deny. And again, each one of those lines is an entry. So as traffic comes into this router, it’ll compare against that list of entries. And if it finds a matching entry, it’s going to say, all right, what’s my action, permit or deny. So those are types of technologies that we use. And as I just talked about, whether it’s letting you open a file or letting packets come through, it is functioning as a control point.

55. Technologies Part3

Data loss prevention? Well, there’s a lot of things we can think about with DLP. Data loss prevention might get us into the realm of backups and restores. But I also think one of the things we do to try to prevent data loss now is in getting into digital rights management. Now, digital rights management, I got to tell you, can be absolutely annoying as a user. There’s a vendor I work with that I do some training for, and all of their training materials are digitally protected through digital rights management. But here’s the point. I might get the certificate from the vendor to open up the files, but only on one computer. If I then fly across the country and I’m going to present this course and I want to use those files, I have to get a new certificate to open it up on that new computer and then be able to do the presentation.

But then if I go back to my hotel room, I can’t review anything because it’s signed. So their goal was data loss prevention. And again, I might make an argument that they kind of forgot at least my organization’s business objectives in the way in which they created the data loss prevention. But but they have a process that no matter where I am 24 hours a day, I can still figure out how to open up those files. It just takes a little time. So some of those things, again, you can see our control points. And what’s important about that is what’s interesting is now if somebody decides to email a confidential file that you have this data loss prevention on, just because they can email the file doesn’t mean that whoever receives it will ever be able to open it.

56. Technologies Part4

We see content filtering. Now, content filtering often is found in the world of email or in web pages. Sometimes we might even put it into the idea of technology. One company has called Web Sense. It seems to be pretty popular, but what it does is it basically is just what it sounds like. It says, okay, you’re trying to go to a web page. And as we’ve scanned through this web page, we found terms, words, graphics, things that are offensive, things that might not be appropriate for the work environment. Therefore, that content is not going to be allowed to your view. We’re going to block it out. Some people may use content filtering to screen emails and yes, right. Our corporations usually have a sign, a paper that says, we acknowledge that our email is not private, at least if we’re using it on their servers.

And they have the right to read everything we do. And they may again be looking for inappropriate information. Corporate secrets, trade secrets, those types of things going out. The database management systems, they’re all about having control points. What they’re designed to do is to control access to the data stored in the tables and they go through a whole series of things by creating views and stored procedures, having user accounts with authorized permissions at different levels. So again, they are certainly acting as a control point. We use encryption symmetric and asymmetric to be able to secure our data both while it’s stored on a drive or while it’s being transmitted across our networks.

And the goal of the encryption depends on the type of data and the type of encryption that we need. As we talk about symmetric or asymmetric, it’s a matter of having one key for opening or encrypting and decrypting a file or having two keys for the same process. And in some of these cases we can get authentication and even non repudiation as benefits of encryption. We see hashing as another control point. Hashing is really a one way mathematical process that helps us with integrity. Now here the control point is to make sure that something hasn’t changed. We see lots of programs that can run on servers. An example company has a program called Tripwire. And what Tripwire does is it hashes all of your system or operating system files. And when it hashes a file, the goal is regardless of how big the file is, the resulting hash is usually between 128 or 160 bits or longer depending on the hashing algorithm.

But the big point is if that file changes by one little bit, one little bit that was a one or becomes a zero or zero to a one, then the hash is going to be completely different, that even humans reading it can see the difference. And this program is Tripwire will go through, you boot up and it looks at your system files. Things that shouldn’t change compares those hashes with what they have stored. And if something’s changed, it sends you alert that maybe it was altered, maybe it was replaced with something that has some sort of malware in it. So we have those types of control points. The whole idea of the Open System Interconnect, the OSI model, was to be able to have control points at different layers and to be able to encourage open standards to be able to replace different protocols and have them still communicate with layers above and below.

But again, it was designed as control points at each of these specific layers that we work in. Network communications operating systems obviously have a lot of control points in there, just with who can log in and the creation of user accounts and having a discretionary access control type of design. Your public and private key encryption, that comes back to the Asymmetric encryption, but that allows us to have those third parties that can verify the authentication of those people communicating with us. It allows us to offer non repudiation where you can’t deny that a transaction took place and allows us still to encrypt information when we’re sending it, so that it can be hopefully immune from people eavesdropping and getting the information.

On the network side of this. Route filtering we use route filtering often to be able to control the direction in which traffic can flow. In other words, if I have a very secure port of my network that I only want people from the inside of my company and the inside of my network to be able to get to that destination, I’m going to filter that route from being sent to any other outside routers. Because normally in routing protocols, every route I have on a router is sent to all of its neighbors. But route filtering says, you know what, don’t send these routes because that way now these public routers, if they don’t have a way of getting to the destination, which for you is very secret, the router is going to drop the packets. So, in a way, route filtering is like an instantaneous firewall.

We can also, of course, utilize, as we’ve talked about before, firewalls and access control lists to do traffic and packet filtering, making decisions by looking at where it’s going and what kind of protocol and where it came from. We also have IP security that we often call IPsec, which is a great way of encrypting our conversations over a public entity or a public network like the Internet. In fact, if you’ve ever worked from home and you had to open up what they call the VPN, the Virtual Private Network, it gets that name because it’s trying to create a private communication with your company. But over the Internet, we also utilize IP security to keep those communications from being eavesdropped. I mean, it doesn’t mean that they can’t eavesdrop on the communication, but what they’ll see is encrypted and hopefully useless to them.

57. Personnel Part1

Now, as we deal with personnel, we need to know that they have the they’re defined roles and responsibilities, but we also need to know or have an inventory of what their skills are. Now, in the term of roles, we often look at this acronym of Raci responsible, Accountable, Consulted and Informed. And we can use these. There are charts that can be used to help define the various roles that are associated with developing your information security program. In other words, that’s where basically we’re saying in this role, here’s what you’re responsible for, here’s where you’re accountable. You’ve been trained, hopefully informed and consulted about how to do the job. Now, often there are going to be some designations as far as the way in which these roles work. And if I designate a role to an individual, it should not be just because of that individual, but by the virtue of what their job is.

In fact, in a lot of work I’ve done, in a lot of classification and compensation studies about coming up with the proper job classification and function. And then other people worked on what that job should pay. But in doing that and working in the It realm, a lot of the studies that I was a part of was to see if the work that somebody was doing actually matched the job description that they had or the job function. And if it didn’t, we had to reconcile that. But it was important that we never created a job description around what a person can do. I mean, yes, I might have the brightest It person on my staff that I’ve ever seen, and they can do a lot of things, but it would be bad practice to try to create a role just for that person. Because if that person decides to quit now, I’d have to find somebody equally capable to fulfill that job or I’d have to dissolve that job and break it back down again. So in that same idea that the roles we have are done by the virtue of the job function and that’s how they’re assigned to the individual.

• Category: Uncategorized