Information Systems 365/765
Lecture 13
Class Project – Security Audit
!!EXAMS!!
• About 2/3 done correcting
• Mostly pretty good
• Those that were not good, please don’t worry. We can do some extra credit
• You are all good students!
Good News and Bad News
• The good news is that your exams look great! Well done! I am so proud of all of you!
• The bad news is that this course will not be offered next semester
• The scary news is that I might be entering the PhD program
Look at all the topics we have covered!
• The Confidentiality, Availability and Integrity Triad
• The five pillars of information security
• cyberwar
• cyber espionage
• technical controls
• administrative controls
• spoofing data and source integrity
• check digits and checksums
• data classification
• data loss prevention
• content scanning
• enterprise management tools
• authentication
• passwords
• dual factor authentication
• multi factor authentication
• knowledge based authentication
• biometrics
• shared secrets
• digital certificates for authentication purposes
• initial credentialing
• single sign on
• wireless authentication
• hybrid authentication solutions
• symmetric encryption
• asymmetric encryption
• steganography
• digital certificates for encryption
• non-repudiation
• information privacy
• privacy enhancing technologies
• social engineering definition
• social engineering methods
• social engineering real life example
• social engineering defenses
• pretexting
• phishing
• road apples
• quid pro quo
• digital forensics
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• Sarbanes-Oxley Act
• USA PATRIOT Act
• Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”)
• Electronic Communications Privacy Act (“ECPA”)
• FERPA
• software vulnerabilities
• software bugs
• unchecked user input
• full disclosure
• limited disclosure
• responsible disclosure
• security through obscurity
• Buffer overflows
• Dangling pointers
• Input validation errors, such as:
  • Format string bugs
  • Improperly handling shell metacharacters so they are interpreted
  • SQL injection
  • Code injection
  • E-mail injection
  • Directory traversal
  • Cross-site scripting in web applications
• Race conditions, such as:
  • Time-of-check-to-time-of-use bugs
  • Symlink races
• Privilege-confusion bugs, such as:
  • Cross-site request forgery in web applications
  • Privilege escalation
• User interface failures, such as:
  • Warning fatigue or user conditioning
  • Blaming the Victim
  • Prompting a user to make a security decision without giving the user enough information to answer it
• Race Conditions
• physical security
• the 4 layers of physical security
• elements of network security
• change control / change management
• risks of outsourcing information systems in relation to security concerns
So Now What?
• Exams? No more!
• Quizzes? Yeah, I owe you a few of those
• How about a class project?
• You know, something that requires some team effort!
• Something that leverages all that knowledge you have gained
Security Audit
• Security audit of ANY company which is publicly traded on the NYSE or NASDAQ
• Requirements: the company must have international operations
What to do
• Meet your team mate!
• Pick your company
• Read their annual report; ignore the financial information if you want to. I’m more interested in the qualitative stuff
• Work through the template, item by item
What to do
• Write a 5 page Executive Summary, outlining your findings and suggestions in the following areas:
• Security Policy, Organizational Security, Asset Classification and Control, Personnel Security, Physical and Environmental Security, Communications and Operations Management, Access Control, System Development and Maintenance, Business Continuity Management, Compliance.
What About Standards?
• The nice thing about standards is that there are so many to choose from!
Why This Security Audit?
• The ISO/IEC 27000 series is an information security standard published by the International Organization for Standardization (ISO)
Standards
• ISO/IEC 27002 has directly equivalent national standards in several countries.
This Security Audit is Compliant
• Australia
• New Zealand
• Brazil
• Denmark
• Estonia
• Japan
• Lithuania
• Netherlands
• Peru
• Spain (UNE)
• Sweden (SS)
• United Kingdom
• Uruguay
Components of a Security Audit
• Risk assessment
• Security policy - management direction
• Organization of information security - governance of information security
• Asset management - inventory and classification of information assets
• Human resources security - security aspects for employees joining, moving and leaving an organization
• Physical and environmental security - protection of the computer facilities
• Communications and operations management - management of technical security controls in systems and networks
Components of a Security Audit
• Access control - restriction of access rights to networks, systems, applications, functions and data
• Information systems acquisition, development and maintenance - building security into applications
• Information security incident management - anticipating and responding appropriately to information security breaches
• Business continuity management - protecting, maintaining and recovering business-critical processes and systems
• Compliance - ensuring conformance with information security policies, standards, laws and regulations