In Part 1 of this article series, we discussed Information Security Management, or ISM. This second installment will cover the implementation and monitoring of security controls, including logical access controls, remote access controls, network security, controls/detection tools against information system attacks, security testing techniques and controls that prevent data leakage.
Implementation and Monitoring of Security Controls
Security controls should focus on the integrity of data, the data classification system, and the policies in places that ensure that data is handled properly.
Logical Access Controls
Ensure there are policies in place on access and access controls. Logical access controls at both the operating system level and the application level are designed to protect information assets by enforcing those policies and procedures. The management override is akin to a fail-safe mechanism. Overall, these controls manage the identification, authentication and restriction of users to authorized functions and data.
Types and Principles of Access
Types and principles of access include subject access (identification of individual having an ID), service access (data passing through an access point), least privilege, segregation of duties and split custody.
Example: Target might have avoided its notorious 2013 breach had it followed the principle of least privilege. An HVAC contractor with permission to upload executables broadens the attack surface for cybercriminals.
Example: In the wake of Edward Snowden’s revelations, the NSA decided to apply the principle of least privilege and revoked higher-level powers from 90% of its employees.
Ensure there are occasional or event-driven change and recovery policies – reactivation with a new password so long as the user’s identity can be verified. People often use weak passwords, tend to share them or transmit/store them in cleartext; a succession of failed attempts to log in with a password should result in the account being locked out.
Biometrics can replace passwords in the future by creating a system that restricts access based on unique physical attributes or behavior. Issues with this approach include the false reject rate (FRR), false accept rate (FAR) and crossover error rate (CER), as well as privacy.
Example: To unlock mobile devices, scientists at Yahoo’s Research Labs are experimenting with using ears, knuckles and fingertips as biometric passwords.
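The three error rates named above are easiest to understand by computing them. The following is an added example, not code from the original article: it takes constructed match scores for genuine users and impostors (0–100, higher means a closer match), computes FAR and FRR at every acceptance threshold, and finds the crossover point where the two rates are equal (the CER). Raising the threshold lowers FAR at the cost of FRR, which is the trade-off an auditor should expect a vendor to document.

```python
# Constructed sample scores; a real deployment would gather thousands per class.
GENUINE = [88, 91, 79, 95, 84, 72, 90, 86, 93, 81]    # legitimate users
IMPOSTOR = [40, 55, 62, 48, 71, 35, 66, 58, 74, 51]   # other people

def far(threshold, impostor=IMPOSTOR):
    """False accept rate: share of impostor attempts scoring at or above the threshold."""
    return sum(score >= threshold for score in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE):
    """False reject rate: share of genuine attempts scoring below the threshold."""
    return sum(score < threshold for score in genuine) / len(genuine)

def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Return (threshold, CER): the lowest threshold where FAR and FRR are closest.
    The CER is reported as the mean of the two rates at that threshold."""
    best = None
    for t in range(0, 101):
        gap = abs(far(t, impostor) - frr(t, genuine))
        if best is None or gap < best[0]:
            best = (gap, t, far(t, impostor), frr(t, genuine))
    _, threshold, far_at, frr_at = best
    return threshold, (far_at + frr_at) / 2

if __name__ == "__main__":
    for t in (60, 70, 73, 80, 90):
        print(f"threshold={t:3d}  FAR={far(t):.2f}  FRR={frr(t):.2f}")
    print("crossover (threshold, CER):", crossover())
```

With these samples the rates cross at a threshold of 73, where both FAR and FRR are 10%; a system protecting sensitive data would normally be tuned above the crossover (lower FAR, higher FRR) and the resulting reject rate handled by a fallback such as a PIN plus help-desk verification.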
Single Sign-On (SSO)
This technique consolidates access operations among various systems into one centralized administrative function. SSO interfaces with client servers (local and remote users) and distributed systems, mainframe systems and network security, including remote access mechanisms.
Access Control Lists
Access control lists (ACLs) are the equivalent of a register in which the system lists the users who have permission to access and use a given system resource. ACLs can also store the type of access each user is granted.
Example: To illustrate the usefulness of access control lists, consider a medical research experiment where the files that contain experimental results have an ACL that permits read-and-write access to all members of a research group except for one member, who is working on another experiment whose results should not be influenced by the results of the first one.
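The research-group scenario above maps directly onto a small ACL evaluator. The code below is an added example, not part of the original article: group membership, user and group names, and the file name are all constructed. It implements the two rules that make ACLs safe in practice: an explicit deny entry overrides any allow entry, and anything not explicitly allowed is denied (default deny, which is how least privilege is enforced).

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AclEntry:
    principal: str          # "user:<name>" or "group:<name>"
    permissions: frozenset  # e.g. frozenset({"read", "write"})
    allow: bool = True      # False makes this an explicit deny entry

@dataclass
class Resource:
    name: str
    acl: list = field(default_factory=list)

# Constructed group directory: group name -> members.
GROUPS = {
    "research-group-a": {"alice", "bob", "carol"},
}

def principals_for(user):
    """Expand a user into every principal name an ACL entry could match."""
    names = {f"user:{user}"}
    for group, members in GROUPS.items():
        if user in members:
            names.add(f"group:{group}")
    return names

def is_permitted(resource, user, permission):
    """Deny entries win over allow entries; with no matching allow, access is denied."""
    names = principals_for(user)
    matching = [
        entry for entry in resource.acl
        if entry.principal in names and permission in entry.permissions
    ]
    if any(not entry.allow for entry in matching):
        return False
    return any(entry.allow for entry in matching)

# The article's scenario: the whole group may read and write the results file,
# except Carol, who works on a second experiment that must not be influenced.
results_file = Resource("experiment-1-results.csv", acl=[
    AclEntry("group:research-group-a", frozenset({"read", "write"})),
    AclEntry("user:carol", frozenset({"read", "write"}), allow=False),
])

if __name__ == "__main__":
    for user in ("alice", "carol", "dave"):
        print(user, "read:", is_permitted(results_file, user, "read"),
              "write:", is_permitted(results_file, user, "write"))
```

Note what the evaluator refuses: Dave, who is not in the group, gets nothing without an entry of his own, and even Alice cannot "delete" because no entry grants it. When auditing real ACLs, the same two questions apply: is there an explicit deny for the exception, and is the default deny rather than allow?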
System Access Audit Logging
Almost all access control software automatically logs and reports access attempts, which forms an audit trail for observing suspicious activity and potential hacking attempts (e.g., a brute-force attack on a specifically targeted high-profile logon ID). Recording all activities may also be useful in the context of digital investigations.
Access to the logs should be restricted.
Tools for Log Analysis include, but are not limited to: audit reduction tools, trend/variance detection tools, attack-signature detection tools and SIEM systems.
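The lockout rule from the password section above and the brute-force pattern this section describes can be implemented as one small audit-reduction and attack-signature routine. This is an added example, not from the original article; the log format, the user names and the source addresses are constructed. It keeps a sliding window of failed logons per user, raises a lockout once the window holds five failures within fifteen minutes, and separately flags any successful logon that happens while the account should still be locked (the signature of a lockout that was not actually enforced).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log in a simplified "result user src" format.
LOG_LINES = """\
2024-03-04T02:13:01Z auth: FAILED user=ceo src=203.0.113.7
2024-03-04T02:13:04Z auth: FAILED user=ceo src=203.0.113.7
2024-03-04T02:13:06Z auth: FAILED user=ceo src=203.0.113.7
2024-03-04T02:13:09Z auth: FAILED user=ceo src=203.0.113.7
2024-03-04T02:13:11Z auth: FAILED user=ceo src=203.0.113.7
2024-03-04T02:13:14Z auth: SUCCESS user=ceo src=203.0.113.7
2024-03-04T08:02:40Z auth: FAILED user=alice src=198.51.100.23
2024-03-04T09:30:12Z auth: SUCCESS user=alice src=198.51.100.23
""".splitlines()

LINE_RE = re.compile(r"^(\S+) auth: (FAILED|SUCCESS) user=(\S+) src=(\S+)$")
MAX_FAILURES = 5                 # failures allowed inside the window
WINDOW = timedelta(minutes=15)   # sliding window for counting failures
LOCKOUT = timedelta(minutes=30)  # how long the account stays locked

def parse(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def analyse(lines):
    """Return (alerts, locked_until). Each alert is (timestamp, kind, user, src)."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> time the lockout expires
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                # audit reduction: ignore unrelated lines
        ts, result, user, src = rec
        if result == "FAILED":
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW:
                recent.popleft()    # drop failures that fell out of the window
            if len(recent) >= MAX_FAILURES:
                locked_until[user] = ts + LOCKOUT
                alerts.append((ts, "LOCKOUT", user, src))
                recent.clear()
        elif user in locked_until and ts < locked_until[user]:
            alerts.append((ts, "SUCCESS_DURING_LOCKOUT", user, src))
    return alerts, locked_until

if __name__ == "__main__":
    found, locks = analyse(LOG_LINES)
    for alert in found:
        print(*alert)
```

On the sample log the routine locks the "ceo" account at 02:13:11 and then flags the successful logon three seconds later, while Alice's single mistake produces nothing. A SIEM rule does the same thing at scale; the values to tune are the window, the failure count and whether the lockout is enforced by the authentication system or only reported.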
Actions an Auditor Should Undertake When Evaluating Logical Access Controls
An auditor should identify sensitive data/systems, document, evaluate and test controls over potential access and access paths, and evaluate the adequacy of the security environment.
Controls and Risks Associated With Virtualization of Systems
Moving away from a physical medium towards a virtual one, there are many important aspects one should consider: physical and logical access validation (because many virtual machines may be running in one physical system), proper configuration and network segregation (no interference among various VMs).
A 2015 Kaspersky Lab survey found that recovery costs in the wake of a cyberattack on a virtualized infrastructure are twice as high as for an attack on a physical environment. Moreover, only 27% of respondents had deployed defensive mechanisms specifically designed to protect virtual environments.
Configuration, Implementation, Operation and Maintenance of Network Security Controls
Perimeter security controls such as firewalls and IDS/IPS ward off most cyberattacks against the enterprise’s network. The auditor needs to know the effectiveness of these security controls and the policies and procedures that regulate network incidents.
Other important matters are network management, legal complications with respect to online activities, network administrator procedures and service level agreements with third parties.
Internet use, remote access and networks will all require auditing. Network infrastructure security and general network controls will require additional attention.
LAN Security Issues
An auditor should identify and document LAN topology and network design, signs of segmentation, LAN administrator and LAN owner, groups of LAN users, applications used on the LAN, and procedures for network design, support, and data security.
Wireless Security Threats
Security requirements include: authenticity, non-repudiation, accountability and network availability.
There are many forms of malicious access to WLANs. These include but are not limited to: war driving/walking/chalking, passive attacks and sniffing.
Detection Tools and Control Techniques
Countermeasures against various types of malware include but are not limited to: policies, education, patch management, anti-virus software, and procedural/technical controls.
Antivirus software, regular updates, layered systems (e.g., inner, perimeter and BYOD) and honeypots are useful detection tools and deterrents against malware.
Employee education is equally important and should not be ignored. Simple common sense on the part of employees can close multiple attack vectors, such as email phishing attempts.
Security Testing Techniques
Begin by knowing your tools. You’ll need tools to evaluate network security and possible risks, as well as suitable mitigation techniques. Be sure to check lists of known network vulnerabilities.
Third parties may be able to provide testing services such as penetration testing. Penetration testing, also called intrusion testing or ethical hacking, is where outside pentesters use every technique or source a potential attacker could use (open-source gathering, searching for backdoors, guessing passwords, using known exploits) to test your security. This is especially good for testing firewalls.
You should also be aware of social engineering testing. This gives you a chance to see how your staff holds up in case of a social engineering attack, such as a phone scammer trying to get people’s passwords.
Controls and Risks Associated with Data Leakage
Data leakage occurs when sensitive information is exposed outside the organization, typically by accident. The IS auditor needs to ensure that there are effective data classification policies, security awareness training and periodic audits with respect to data leakage prevention.
Note that data leakage has a totally different meaning when it comes to machine learning. Information from outside the training set could corrupt the learning capabilities of the model because it may introduce something that the model otherwise would not know.
Anyone handling or testing encryption should be familiar with encryption algorithm techniques and key length: note that complex algorithms and large keys are somewhat impractical for everyday use. Be aware of cryptographic systems, such as AES 128/256-bit and old 64-bit DES.
Other areas of interest include encryption in communications: Secure Sockets Layer (SSL)/Transport Layer Security (TLS); secure HTTP (HTTPS); IPsec (Internet Protocol Security); Secure Shell (SSH); and Secure/Multipurpose Internet Mail Extensions (S/MIME).
Public Key Infrastructure (PKI) Components and Digital Signature Techniques
PKI establishes a trusted communication channel where parties can exchange digital keys in a safe manner. It’s widely used in e-commerce and online banking.
PKI is based on digital certificates (public key and identifying information) that are issued and cryptographically signed by a certificate authority. Validation is through the certificate authority, while a registration authority ensures third-party validation. When dealing with PKI, watch for digital certificates’ expiration dates, and be certain to check the certificate revocation list (CRL).
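The two checks the paragraph above tells auditors to watch for, expiry dates and the CRL, are shown in the following added example, which is not code from the original article. It is a deliberately simplified model: the certificate and CRL are plain records with constructed serial numbers, dates and the issuer name "Example Root CA", and signature verification is left out because it needs a real X.509 library. What it does show is the order of checks a validator performs and a caveat practitioners often miss: a CRL that is past its own nextUpdate is stale and must not be used to declare a certificate "not revoked".

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict            # serial -> time of revocation

# Constructed trust anchor; a real validator would verify the CA's signature
# on both the certificate and the CRL instead of trusting a name.
TRUSTED_ISSUERS = {"Example Root CA"}

def validate(cert, crl, now):
    """Return (ok, reason) for a certificate at time `now`."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if crl.issuer != cert.issuer:
        return False, "CRL issuer mismatch"
    if now > crl.next_update:
        # A stale CRL says nothing about the present; fail closed.
        return False, "CRL is stale"
    revoked_at = crl.revoked.get(cert.serial)
    if revoked_at is not None and revoked_at <= now:
        return False, "revoked"
    return True, "valid"

# Constructed sample data.
SERVER_CERT = Certificate(1001, "shop.example", "Example Root CA",
                          datetime(2024, 1, 1), datetime(2025, 1, 1))
REVOKED_CERT = Certificate(2002, "old.example", "Example Root CA",
                           datetime(2024, 1, 1), datetime(2025, 1, 1))
CRL = Crl("Example Root CA", this_update=datetime(2024, 6, 1),
          next_update=datetime(2024, 7, 1), revoked={2002: datetime(2024, 6, 1)})

if __name__ == "__main__":
    for cert, when in ((SERVER_CERT, datetime(2024, 6, 15)),
                       (REVOKED_CERT, datetime(2024, 6, 15)),
                       (SERVER_CERT, datetime(2024, 8, 1)),
                       (SERVER_CERT, datetime(2025, 6, 1))):
        print(cert.subject, when.date(), validate(cert, CRL, when))
```

The third case is the one worth remembering: the server certificate is perfectly valid in August, but the only CRL on hand expired in July, so the answer is "cannot tell" rather than "fine". Production software gets the same effect by fetching a fresh CRL or using OCSP before accepting the certificate.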
Controls Associated with Peer-to-Peer Computing, Instant Messaging and Web-Based Technologies
P2P computing may result in fast dissemination of viruses, worms, Trojans, spyware and so on directly among computers, as there is no central server. Meanwhile, social media risks include inappropriate sharing of information about sensitive data, staffing issues and organizational data; URL spoofing; cyberstalking; using vulnerable applications; phishing; downloading malicious attachments and clicking on malicious links.
Example: In 2016, the Facebook “fake friend” phishing scam rose to prominence. Users received a Facebook message claiming that they had been mentioned by a friend in a comment, but clicking on this message automatically downloaded malware onto their computers in the form of a malicious Chrome browser extension. After installation, this malware hijacked users’ Facebook accounts so that it could steal their data and propagate further.
To control this, implement a P2P computing policy which includes social network use and instant messaging. Corporate messaging boards are more secure than Facebook. Promote monitoring, education and awareness, and ban some types of peer-to-peer communications to narrow the net.
Controls and Risks Associated with the Use of Mobile and Wireless Devices
When dealing with mobile and wireless devices, secure Wi-Fi is required, because most of these devices communicate via a Wi-Fi network.
Implement mobile device controls, including stringent data storage, remote wipes, and theft response procedures. Clarify your workplace’s policy regarding employees bringing their own devices to work.
Voice Communications Security (PBX, VoIP)
In these cases, voice communications have been translated to binary code. This means they are still digitally based.
Increasingly common these days is VoIP, or Voice over IP. VoIP boasts lower costs compared to traditional phone services; however, it tends to have worse security than ordinary phones, and one needs to protect both the data and the voice. Wiretapping is a possibility. Security measures include encrypting communications and ensuring that all software is up to date and patched.
Alternately, a private branch exchange, or PBX, is a phone system that can operate for both voice and data. It provides simultaneous calls through multiple telephone lines.
Example: In 2014, cybercriminals broke into the phone network of Foreman Seeley Fountain Architecture and managed to steal $166,000 worth of calls from the firm via premium-rate telephone numbers in Gambia, Somalia and the Maldives. Typically, hackers pull off such a scheme over a weekend when nobody is at work, forwarding sometimes as many as 220 minutes’ worth of calls per minute to a premium line. The criminals usually withdraw their cut through Western Union, MoneyGram or wire transfer.
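The pattern in that case (weekend, after hours, long calls to premium-rate numbers in countries the business never calls) is exactly what a call-detail-record review can catch before the bill arrives. The following is an added example, not from the original article: the call records and extension names are constructed, and the watched prefixes are the country calling codes for the three countries named above. It aggregates out-of-hours minutes per extension per day towards watched destinations and alerts when a daily threshold is crossed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed call detail records: (start time, extension, dialled number, minutes).
CDRS = [
    ("2024-03-02T23:10:00", "ext-214", "+4477000001", 3.0),
    ("2024-03-03T01:05:00", "ext-214", "+2207000111", 41.0),
    ("2024-03-03T01:06:00", "ext-214", "+2527000222", 38.5),
    ("2024-03-03T01:07:00", "ext-214", "+9607000333", 44.0),
    ("2024-03-04T10:15:00", "ext-118", "+4477000002", 12.0),
]

# Country codes: Gambia (+220), Somalia (+252), Maldives (+960).
WATCHED_PREFIXES = ("+220", "+252", "+960")
BUSINESS_HOURS = range(7, 19)     # 07:00 to 18:59, Monday to Friday

def is_out_of_hours(ts):
    """True on weekends or outside business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def flag_calls(cdrs, prefixes=WATCHED_PREFIXES, minutes_threshold=30.0):
    """Return [(extension, day, total_minutes)] for extensions whose out-of-hours
    calling to watched destinations exceeds the threshold on a given day."""
    usage = defaultdict(float)
    for start, ext, dest, minutes in cdrs:
        ts = datetime.strptime(start, "%Y-%m-%dT%H:%M:%S")
        if dest.startswith(prefixes) and is_out_of_hours(ts):
            usage[(ext, ts.date().isoformat())] += minutes
    return [(ext, day, total) for (ext, day), total in usage.items()
            if total >= minutes_threshold]

if __name__ == "__main__":
    for ext, day, total in flag_calls(CDRS):
        print(f"ALERT {ext} on {day}: {total} out-of-hours minutes to watched destinations")
```

Here extension 214 accumulates 123.5 minutes to watched numbers on a Sunday night, while the daytime UK call from extension 118 and the short Saturday UK call are ignored. The three near-simultaneous starts at 01:05, 01:06 and 01:07 are the "many calls per minute" pattern the article describes; restricting international dialling per extension and disabling call forwarding on unattended mailboxes are the usual controls alongside this kind of monitoring.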
This concludes our look at best practices for the implementation of monitoring and security controls. Some of our sources are listed below, for your perusal. Join us soon for Part 3, when we’ll be examining physical and environmental protection of information assets.
What is Least Privilege & Why Do you Need It?, Beyond Trust
Data-drained Target hurries to adopt chip-and-PIN cards, Naked Security
Security of Virtual Infrastructure, Kaspersky Lab
IBM Security Services 2014, Cyber Security Intelligence Index, IBM Global Technology Services