Information Systems 365/765 Lecture 13 Class Project – Security Audit


Page 1: Security Audit

Information Systems 365/765, Lecture 13

Class Project – Security Audit

Page 2: Security Audit

!!EXAMS!!

• About 2/3 done correcting
• Mostly pretty good
• Those that were not good, please don’t worry. We can do some extra credit
• You are all good students!

Page 3: Security Audit

Good News and Bad News

• The good news is that your exams look great! Well done! I am so proud of all of you!
• The bad news is that this course will not be offered next semester
• The scary news is that I might be entering the PhD program

Page 4: Security Audit

Look at all the topics we have covered!

• The Confidentiality, Availability and Integrity Triad
• The five pillars of information security
• cyberwar
• cyber espionage
• technical controls
• administrative controls
• spoofing data and source integrity
• check digits and checksums
• data classification
• data loss prevention
• content scanning
• enterprise management tools
• authentication
• passwords
• dual factor authentication
• multi factor authentication
• knowledge based authentication
• biometrics
• shared secrets
• digital certificates for authentication purposes
• initial credentialing
• single sign on
• wireless authentication
• hybrid authentication solutions
• symmetric encryption
• asymmetric encryption
• steganography
• digital certificates for encryption
• non-repudiation
• information privacy
• privacy enhancing technologies
• social engineering definition
• social engineering methods
• social engineering real life example
• social engineering defenses
• pretexting
• phishing
• road apples
• quid pro quo
• digital forensics
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• Sarbanes-Oxley Act
• USA PATRIOT Act
• Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”)
• Electronic Communications Privacy Act (“ECPA”)
• FERPA
• software vulnerabilities
• software bugs
• unchecked user input
• full disclosure
• limited disclosure
• responsible disclosure
• security through obscurity
• Buffer overflows
• Dangling pointers
• Input validation errors, such as:
  • Format string bugs
  • Improperly handling shell metacharacters so they are interpreted
  • SQL injection
  • Code injection
  • E-mail injection
  • Directory traversal
  • Cross-site scripting in web applications
• Race conditions, such as:
  • Time-of-check-to-time-of-use bugs
  • Symlink races
• Privilege-confusion bugs, such as:
  • Cross-site request forgery in web applications
  • Privilege escalation
• User interface failures, such as:
  • Warning fatigue or user conditioning
  • Blaming the victim
  • Prompting a user to make a security decision without giving the user enough information to answer it
• Race conditions
• physical security
• the 4 layers of physical security
• elements of network security
• change control / change management
• risks of outsourcing information systems in relation to security concerns

Page 5: Security Audit

So Now What?

• Exams? No more!
• Quizzes? Yeah, I owe you a few of those
• How about a class project?
• You know, something that requires some team effort!
• Something that leverages all that knowledge you have gained

Page 6: Security Audit

Security Audit

• Security audit of ANY company which is publicly traded on the NYSE or NASDAQ
• Requirements: company must have international operations

Page 7: Security Audit

What to do

• Meet your team mate!
• Pick your company
• Read their annual report, ignore the financial information if you want to. I’m more interested in the qualitative stuff
• Work through the template, item by item

Page 8: Security Audit

What to do

• Write a 5 page Executive Summary, outlining your findings and suggestions in the following areas:

• Security Policy, Organizational Security, Asset Classification and Control, Personnel Security, Physical and Environmental Security, Communications and Operations Management, Access Control, System Development and Maintenance, Business Continuity Management, Compliance.

Page 9: Security Audit

What About Standards?

• The nice thing about standards is that there are so many to choose from!

Page 10: Security Audit

Why This Security Audit?

• The 'ISO/IEC 27000 series' is an information security standard published by the International Organization for Standardization (ISO)

Page 11: Security Audit

Standards

• ISO/IEC 27002 has directly equivalent national standards in several countries.

Page 12: Security Audit

This Security Audit is Compliant

• Australia
• New Zealand
• Brazil
• Denmark
• Estonia
• Japan
• Lithuania
• Netherlands
• Peru
• Spain (UNE)
• Sweden (SS)
• United Kingdom
• Uruguay

Page 13: Security Audit

Components of a Security Audit

• Risk assessment
• Security policy - management direction
• Organization of information security - governance of information security
• Asset management - inventory and classification of information assets
• Human resources security - security aspects for employees joining, moving and leaving an organization
• Physical and environmental security - protection of the computer facilities
• Communications and operations management - management of technical security controls in systems and networks

Page 14: Security Audit

Components of a Security Audit

• Access control - restriction of access rights to networks, systems, applications, functions and data

• Information systems acquisition, development and maintenance - building security into applications

• Information security incident management - anticipating and responding appropriately to information security breaches

• Business continuity management - protecting, maintaining and recovering business-critical processes and systems

• Compliance - ensuring conformance with information security policies, standards, laws and regulations

Page 15: Security Audit

A Word of Advice