
Group Assignment : Summary

Members of Group 1 : Class Z2

1. Fitri Nur Cholisa (2018310257)
2. Firliana Septi Ariestantya (2018310288)
3. Karlina Febriyanti (2018310294)
4. Elsa Putri Dwi Yustina (2018310295)

Chapter 8 : Controls for Information Security

Introduction

Now that technology is popular in our society, everything is done with technology, even by
children who use social media and play a lot of games as a hobby until they want to become
gamers. There are advantages and disadvantages to technology, depending on how individuals
use it. They can use it for something good, like the hot issue now about the virus that has made
many countries make new rules and lock down several times. Governments do not allow their
people to go around and tell them it is better to stay at home. So technology really supports us
here: it helps everyone stay connected to each other so that they can do their daily activities
and go around without being intimidated by the virus. So, in my country every school, college,
mall, office space, etc. has been told not to open until a specified time. In this situation our
lectures must still go on because we need to grow, and all schools, colleges and office spaces
use technology to do so, and everything happens like a normal day even though we still have
hard work to do.

It is not just about this situation; it is also about communication from abroad. Technology
has grown so well, and the proof is Industry 4.0, which uses technology as a key. Every country
in this world will grow bigger than before, so it will be bigger than now. Social media, for
example, was such an amazing thing at the beginning of the 20th century, and now what? Everyone
knows it and uses it the way children play with their toys. It is not a cool thing anymore; now
just see what will happen in the future, and then we will call that the amazing thing again. But
in industry, and specifically in business, technology has a disadvantage regarding security and
the safety of an organization's important information.

The Trust Services Framework organizes IT-related controls into five principles: security
(access to the system and its data is controlled and restricted to legitimate users),
confidentiality (sensitive organizational information, such as marketing plans, is protected
from unauthorized disclosure), privacy (personal information about customers, employees,
suppliers, or business partners is managed in accordance with internal policies and external
regulatory requirements and is protected from unauthorized disclosure), processing integrity,
and, the last one, availability.

Two Fundamental Information Security Concepts


1. Security is a management issue, not just a technology issue

Although effective information security requires the deployment of technological tools such as
firewalls, antivirus, and encryption, senior management involvement and support throughout all
phases of the security life cycle is absolutely essential for success. The first step in the
security life cycle is to assess the information security-related threats that the organization
faces and select an appropriate response. The second step involves developing information
security policies and communicating them to all employees. Senior management must participate
in developing policies because they must decide the sanctions they are willing to impose for
noncompliance. The third step of the security life cycle involves the acquisition or building of
specific technological tools. Senior management must authorize investing the necessary
resources to mitigate the threats identified and achieve the desired level of security. The last
step in the security life cycle entails regular monitoring of performance to evaluate the
effectiveness of the organization's information security program.
2. The Time-Based Model of Information Security

The time-based model of information security employs a combination of preventive, detective,
and corrective controls to protect information assets long enough for an organization to detect
that an attack is occurring and to take timely steps to thwart the attack before any information
is lost or compromised. Organizations attempt to satisfy the objective of the time-based model
of security by employing the strategy of defense-in-depth, which entails using multiple layers
of controls in order to avoid having a single point of failure. The time-based model of security
provides a means for management to identify the most cost-effective approach to improving
security by comparing the effects of additional investments in preventive, detective, or
corrective controls. Consequently, the time-based model of security is best used as a high-level
framework for strategic analysis, to clearly illustrate the principle of defense-in-depth and the
need to employ multiple preventive, detective, and corrective controls.
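The textbook's time-based model is usually written as P > D + C: the preventive controls must hold off an attack (P) for longer than it takes to detect it (D) plus respond to it (C). As an added illustration that is not part of this summary, the script below evaluates a constructed set of investment options against that inequality to find the cheapest one that makes it hold; all hours and costs are invented sample values.

```python
# Added example (not from the chapter summary): the time-based model of security in the
# textbook's standard form, P > D + C. All numbers below are constructed sample values.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Posture:
    p: float  # hours that preventive controls resist an attack
    d: float  # hours needed to detect that the attack is under way
    c: float  # hours needed to respond and correct


def is_secure(post: Posture) -> bool:
    """The model's objective: P > D + C (attack is stopped before assets are lost)."""
    return post.p > post.d + post.c


def margin(post: Posture) -> float:
    """Positive = hours of slack; negative = the attacker wins by this many hours."""
    return post.p - (post.d + post.c)


@dataclass(frozen=True)
class Investment:
    name: str
    cost: float           # constructed cost in currency units
    delta_p: float = 0.0  # change to P (preventive control)
    delta_d: float = 0.0  # change to D (detective control; negative = faster)
    delta_c: float = 0.0  # change to C (corrective control; negative = faster)


def apply(post: Posture, inv: Investment) -> Posture:
    return Posture(post.p + inv.delta_p, post.d + inv.delta_d, post.c + inv.delta_c)


def cheapest_effective(post: Posture, options: List[Investment]) -> Optional[Investment]:
    """Management's question in the text: which single investment satisfies
    P > D + C at the lowest cost? Returns None if no option alone suffices."""
    effective = [o for o in options if is_secure(apply(post, o))]
    return min(effective, key=lambda o: o.cost, default=None)


# Constructed scenario: attackers need 25 h to get through the preventive controls,
# detection currently takes 20 h and response 10 h, so D + C = 30 > P: not secure.
BASELINE = Posture(p=25, d=20, c=10)
OPTIONS = [
    Investment("stronger firewall rules (preventive)", cost=50_000, delta_p=4),
    Investment("24x7 log monitoring (detective)", cost=30_000, delta_d=-12),
    Investment("incident response retainer (corrective)", cost=20_000, delta_c=-2),
]

if __name__ == "__main__":
    print("baseline secure:", is_secure(BASELINE), "margin (h):", margin(BASELINE))
    best = cheapest_effective(BASELINE, OPTIONS)
    print("cheapest effective option:", best.name if best else "none suffices alone")
```

Note that the cheapest option is not the cheapest investment overall: the retainer costs least but still leaves D + C above P.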

Understanding Targeted Attacks

Targeted attacks typically proceed through the following steps:
1. Conduct reconnaissance. Computer attackers begin by collecting information about their
target. Perusing an organization's financial statements, Securities and Exchange Commission
(SEC) filings, website, and press releases can yield much valuable information. The objective of
this initial reconnaissance is to learn as much as possible about the target and to identify
potential vulnerabilities.
2. Attempt social engineering. Attackers will often try to use the information obtained during
their initial reconnaissance to "trick" an unsuspecting employee into granting them access; this
is called social engineering. Social engineering can take place in countless ways, limited only
by the creativity and imagination of the attacker, and such attacks often take place over the
telephone.
3. Scan and map the target. If an attacker cannot successfully penetrate the target system via
social engineering, the next step is to conduct more detailed reconnaissance to identify
potential points of remote entry. The attacker uses a variety of automated tools to identify
computers that can be remotely accessed and the types of software they are running.
4. Research. Once the attacker has identified specific targets and knows what versions of
software are running on them, the next step is to conduct research to find known vulnerabilities
for those programs and learn.
5. Execute the attack. The criminal takes advantage of a vulnerability to obtain unauthorized
access to the target's information system.
6. Cover tracks. After penetrating the victim's information system, most attackers attempt to
cover their tracks and create "back doors" that they can use to obtain access if their initial
attack is discovered and controls are implemented to block that method of entry.
Protecting Information Resources

This section discusses the preventive, detective, and corrective controls that organizations
commonly use to protect information resources. Although all of the pieces are necessary, we
discuss the "people" component first because it is the most important. Management must create a
"security-conscious" culture, and employees must be trained to follow security policies and
practice safe computing behaviors.
People: Creation of a "Security-Conscious" Culture

The same principle holds regarding information security. Indeed, COBIT 5 specifically
identifies an organization’s culture and ethics as one of the critical enablers for effective
information security. To create a security-conscious culture in which employees comply with
organizational policies, top management must not only communicate the organization’s security
policies, but must also lead by example. Conversely, if employees observe managers violating an
information security policy
People: Training

All employees should be taught why security measures are important to the organization's
long-run survival. Training is especially needed to educate employees about social engineering
attacks. Employees should be taught never to divulge passwords or other information about their
accounts or their workstation configurations to anyone who contacts them by telephone, e-mail,
or instant messaging and claims to be part of the organization's information systems security
function. Security awareness training is important for senior management, too, because in recent
years many social engineering attacks, such as spear phishing, have been targeted at them.
However, an organization's investment in security training will be effective only if management
clearly demonstrates that it supports employees who follow prescribed security policies.
Process: User Access Controls
Organizations need to implement a set of controls designed to protect their information assets
from unauthorized use and access by employees. To accomplish that objective, COBIT 5
management practice DSS05.04 stresses the need for controls to manage user identity and logical
access so that it is possible to uniquely identify everyone who accesses the organization’s
information system and track the actions that they perform. Implementing DSS05.04 involves the
use of two related but distinct types of user access controls: authentication controls and
authorization controls. Authentication controls restrict who can access the organization’s
information system. Authorization controls limit what those individuals can do once they have
been granted access.
Three types of credentials can be used to verify a person’s identity:
1. Something the person knows, such as passwords or personal identification numbers (PINs)
2. Something the person has, such as smart cards or ID badges
3. Some physical or behavioral characteristic (referred to as a biometric identifier) of the
person, such as fingerprints or typing patterns.
Individually, each authentication method has its limitations. Passwords can be guessed, lost,
written down, or given away. Authorization controls are often implemented by creating an access
control matrix.
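As an added example (not part of the chapter summary), the script below puts the two DSS05.04 controls described above into code: an authentication step that decides whether a person may access the system at all, an authorization step that looks the request up in an access control matrix, and an audit trail that uniquely identifies every actor and action. The users, resources, permission codes and credentials are constructed sample data.

```python
# Added example (not from the chapter summary): authentication, authorization via an
# access control matrix, and an audit trail of who did what. Sample data is constructed.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Access control matrix: rows are users, columns are resources, cells are permission codes.
# 0 = no access, 1 = read, 2 = read+update, 3 = read+update+delete (constructed values)
ACCESS_MATRIX: Dict[str, Dict[str, int]] = {
    "rjones": {"payroll_db": 0, "ar_ledger": 2, "price_list": 1},
    "kfebri": {"payroll_db": 3, "ar_ledger": 1, "price_list": 1},
}
REQUIRED_LEVEL = {"read": 1, "update": 2, "delete": 3}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted, slow hash of the password, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# "Something the person knows": constructed credentials for the two sample users
_CREDENTIALS = {"rjones": hash_password("correct horse"), "kfebri": hash_password("tr0ub4dor")}

AUDIT_LOG: List[str] = []   # the trail that lets the organization track each user's actions


def authenticate(user: str, password: str) -> bool:
    """Authentication control: may this person access the system at all?"""
    entry = _CREDENTIALS.get(user)
    if entry is None:
        AUDIT_LOG.append(f"LOGON FAIL user={user} reason=unknown_user")
        return False
    salt, stored = entry
    ok = hmac.compare_digest(stored, hash_password(password, salt)[1])
    AUDIT_LOG.append(f"LOGON {'OK' if ok else 'FAIL'} user={user}")
    return ok


def authorize(user: str, resource: str, action: str) -> bool:
    """Authorization control: what may an authenticated user do with this resource?"""
    level = ACCESS_MATRIX.get(user, {}).get(resource, 0)    # unknown user/resource: deny
    needed = REQUIRED_LEVEL.get(action)                     # unknown action: deny
    allowed = needed is not None and level >= needed
    AUDIT_LOG.append(f"ACCESS {'OK' if allowed else 'DENIED'} user={user} "
                     f"resource={resource} action={action}")
    return allowed


def request(user: str, password: str, resource: str, action: str) -> bool:
    """Full check in the order the text gives: authenticate first, then authorize."""
    return authenticate(user, password) and authorize(user, resource, action)


if __name__ == "__main__":
    print(request("rjones", "correct horse", "ar_ledger", "update"))   # True
    print(request("rjones", "correct horse", "payroll_db", "read"))    # False: matrix cell is 0
    print(request("rjones", "wrong", "ar_ledger", "read"))             # False: not authenticated
    print("\n".join(AUDIT_LOG))
```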
Process: Penetration Testing
COBIT 5 control processes MEA01 and MEA02 state the need to periodically test the
effectiveness of business processes and internal controls (including security procedures).
Penetration testing provides a rigorous way to test the effectiveness of an organization’s
information security. A penetration test is an authorized attempt by either an internal audit team
or an external security consulting firm to break into the organization’s information system.
Process: Change Controls and Change Management
Change control and change management refer to the formal process used to ensure that
modifications to hardware, software, or processes do not reduce systems reliability. Good change
control often results in better operating performance because there are fewer problems to fix.
Companies with good change management and change control processes also experience lower
costs when security incidents do happen. Characteristics of a well-designed change control and
change management process include:
● Documentation of all change requests, identifying the nature of the change, its rationale, date
of the request, and outcome of the request.
● Documented approval of all change requests by appropriate levels of management. It is
especially important that senior management review and approve major changes to processes
and systems in order to ensure that the proposed change is consistent with the organization’s
long-term strategic plans.
● Testing of all changes in a separate system, not the one used for daily business processes. This
reduces the risk that “bugs” in modifications disrupt normal business.
● Conversion controls to ensure that data is accurately and completely transferred from the old to
the new system. Internal auditors should review the conversion process.
● Updating of all documentation (program instructions, system descriptions, procedures
manuals, etc.) to reflect the newly implemented changes.
● A special process for timely review, approval, and documentation of “emergency changes” as
soon after the crisis as is practical. All emergency changes need to be logged to provide an
audit trail. A large number or marked increase in the number of emergency changes is a
potential red flag of other problems (poor configuration management procedures, lack of
preventive maintenance, or political “game-playing” to avoid the normal change control
process).
● Development and documentation of “backout” plans to facilitate reverting to previous
configurations if the new change creates unexpected problems.
● Careful monitoring and review of user rights and privileges during the change process to
ensure that proper segregation of duties is maintained.
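As an added example (not part of the chapter summary), the checker below applies the characteristics listed above to a constructed set of change request records: it reports where a request falls short of the documented, approved, tested and reversible process, and it flags a month in which emergency changes jump, the red flag the text describes. Field names, approval levels and the doubling threshold are assumptions.

```python
# Added example (not from the chapter summary): a change-control compliance check over
# constructed change request records. Field names and thresholds are assumptions.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ChangeRequest:
    id: str
    nature: str               # what is being changed
    rationale: str            # why
    requested: str            # month of the request, YYYY-MM
    outcome: str              # approved / rejected / pending
    approved_by: str          # "senior_management", "it_management", or "" if undocumented
    major: bool               # major changes need senior management approval
    tested_separately: bool   # tested in a system other than the production one
    backout_plan: bool        # documented way to revert to the previous configuration
    emergency: bool
    docs_updated: bool        # program instructions, system descriptions, manuals updated


def review(cr: ChangeRequest) -> List[str]:
    """Deviations from the well-designed process described in the text."""
    issues = []
    if not (cr.nature and cr.rationale and cr.requested and cr.outcome):
        issues.append("incomplete documentation of the request")
    if cr.outcome == "approved" and not cr.approved_by:
        issues.append("approval not documented")
    if cr.major and cr.approved_by != "senior_management":
        issues.append("major change not approved by senior management")
    if not cr.tested_separately:
        issues.append("not tested in a separate system")
    if not cr.backout_plan:
        issues.append("no backout plan")
    if not cr.docs_updated:
        issues.append("documentation not updated")
    return issues


def emergency_trend(crs: List[ChangeRequest], factor: float = 2.0) -> List[str]:
    """Months whose emergency-change count is at least `factor` times the previous month's."""
    per_month: Dict[str, int] = {}
    for cr in crs:
        per_month.setdefault(cr.requested, 0)
        if cr.emergency:
            per_month[cr.requested] += 1
    months = sorted(per_month)
    return [m for prev, m in zip(months, months[1:])
            if per_month[prev] > 0 and per_month[m] >= factor * per_month[prev]]


# Constructed records: id, nature, rationale, month, outcome, approver, major,
# tested_separately, backout_plan, emergency, docs_updated
SAMPLE = [
    ChangeRequest("CR-1", "patch web server", "vendor fix", "2024-01", "approved",
                  "it_management", False, True, True, False, True),
    ChangeRequest("CR-2", "replace ERP module", "new contract", "2024-01", "approved",
                  "it_management", True, True, True, False, True),
    ChangeRequest("CR-3", "hotfix payroll", "month-end failure", "2024-02", "approved",
                  "it_management", False, False, False, True, False),
    ChangeRequest("CR-4", "hotfix AR", "outage", "2024-03", "approved",
                  "it_management", False, True, True, True, True),
    ChangeRequest("CR-5", "hotfix email", "outage", "2024-03", "approved",
                  "it_management", False, True, True, True, True),
]

if __name__ == "__main__":
    for cr in SAMPLE:
        print(cr.id, review(cr) or "ok")
    print("emergency-change spike in:", emergency_trend(SAMPLE))
```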
IT Solutions: Antimalware Controls
Malware can damage or destroy information or provide a means for unauthorized access.
Therefore, COBIT 5 section DSS05.01 lists malware protection as one of the keys to effective
security, specifically recommending the following:
1. Malicious software awareness education
2. Installation of antimalware protection tools on all devices
3. Centralized management of patches and updates to antimalware software
4. Regular review of new malware threats
5. Filtering of incoming traffic to block potential sources of malware
6. Training employees not to install shared or unapproved software.
IT Solutions: Network Access Controls
This section describes the various methods that can be used to satisfy COBIT 5 management
practice DSS05.02, which addresses the security of the organization's network and all means of
connecting to it.
PERIMETER DEFENSE: ROUTERS, FIREWALLS, AND INTRUSION PREVENTION SYSTEMS
Routers and firewalls control access by filtering individual packets. Organizations own
one or more border routers that connect their internal networks to the Internet Service Provider.
Those border routers and the organization's main firewall use sets of IF-THEN rules, called
Access Control Lists (ACLs), to determine what to do with arriving packets. The border router
must examine the destination IP address field in the IP packet header to determine whether the
packet is intended for the organization or should be forwarded back out onto the Internet. If the
packet's destination IP address is the organization's, the rules in the border router's ACL
examine the source address field in the IP packet header to block packets from specific
undesirable sources (e.g., known gambling or porn sites). All other packets with the
organization's IP address in the destination field are passed to the main firewall for further
screening. Packet filtering is fast and can catch patently undesirable traffic, but its
effectiveness is limited. Intrusion prevention systems (IPSs) use two primary techniques to
identify undesirable traffic patterns. The simplest approach is to compare traffic patterns to a
database of signatures of known attacks. A more complicated approach involves developing a
profile of "normal" traffic and using statistical analysis to identify packets that do not fit
that profile. The beauty of this approach is that it blocks not only known attacks, for which
signatures already exist, but also any new attacks that deviate from the normal-traffic profile.
Using Defense-in-Depth to Restrict Network Access. The use of multiple perimeter filtering
devices is more efficient and effective than relying on only one device. Thus, most organizations
use border routers to quickly filter out obviously bad packets and pass the rest to the main
firewall. The main firewall does more detailed checking, and then other firewalls perform deep
packet inspection to more fully protect specific devices such as the organization’s web server and
e-mail server. In addition, an IPS monitors the traffic passed by the firewalls to identify and
block suspicious network traffic patterns that may indicate that an attack is in progress.
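The IF-THEN packet filtering and the two-layer border-router-then-firewall screening described above, as an added example that is not part of the chapter summary: a small ACL evaluator in which the border router checks the destination address and drops packets from a blocked source block, and the main firewall then admits only the published web service. Addresses, networks and rules are constructed sample values (RFC 5737 documentation ranges).

```python
# Added example (not from the chapter summary): ACL packet filtering in two layers,
# border router then main firewall. All addresses and rules are constructed.
import ipaddress
from typing import List, NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    dst: str
    dst_port: int
    proto: str  # "tcp" or "udp"


class Rule(NamedTuple):
    """One IF-THEN entry of an ACL; a None field means 'any'."""
    action: str                     # "permit" or "deny"
    src: Optional[str] = None       # CIDR network the source must belong to
    dst: Optional[str] = None       # CIDR network the destination must belong to
    dst_port: Optional[int] = None
    proto: Optional[str] = None


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    return True


def evaluate_acl(acl: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; an implicit final rule applies the default (deny)."""
    for rule in acl:
        if _matches(rule, pkt):
            return rule.action
    return default


ORG_NET = "203.0.113.0/24"   # constructed: the organization's public address block

# Border router ACL: quick, coarse screening, as the text describes
BORDER_ACL = [
    Rule("deny", src="198.51.100.0/24"),   # constructed block of undesirable sources
    Rule("permit", dst=ORG_NET),           # addressed to us: hand to the main firewall
]
# Main firewall ACL: only the published web service reaches the web server
FIREWALL_ACL = [
    Rule("permit", dst="203.0.113.10/32", dst_port=443, proto="tcp"),
    Rule("permit", dst="203.0.113.10/32", dst_port=80, proto="tcp"),
    # everything else falls through to the implicit deny
]


def perimeter_decision(pkt: Packet) -> str:
    """Defense-in-depth: a packet must pass both layers to reach the internal network."""
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ORG_NET):
        return "forward"        # not for the organization: router sends it back out
    if evaluate_acl(BORDER_ACL, pkt) == "deny":
        return "drop@border"
    if evaluate_acl(FIREWALL_ACL, pkt) == "deny":
        return "drop@firewall"
    return "accept"


if __name__ == "__main__":
    for p in [Packet("192.0.2.7", "203.0.113.10", 443, "tcp"),
              Packet("198.51.100.9", "203.0.113.10", 443, "tcp"),
              Packet("192.0.2.7", "203.0.113.10", 22, "tcp"),
              Packet("192.0.2.7", "8.8.8.8", 53, "udp")]:
        print(p, "->", perimeter_decision(p))
```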
Securing Wireless Access. Many organizations also provide wireless access to their information
systems. Wireless access is convenient and easy, but it also provides another venue for attack
and extends the perimeter that must be protected. An important part of securing wireless access
is to place all wireless access points (the devices that accept incoming wireless communications
and permit the sending device to connect to the organization's network) in the DMZ. This treats
all wireless access as though it were coming in from the Internet and forces all wireless traffic
to go through the main firewall and any IPSs that are used to protect the perimeter of the
internal network. In addition, the following procedures need to be followed to adequately secure
wireless access:
● Turn on available security features. Most wireless equipment is sold and installed with these
features disabled. For example, the default installation configuration for most wireless routers
does not turn on encryption.
● Authenticate all devices attempting to establish wireless access to the network before assigning
them an IP address. This can be done by treating incoming wireless connections as attempts to
access the network from the Internet and routing them first through a remote access server or
other authentication device.
● Configure all authorized wireless devices to operate only in infrastructure mode, which forces
the device to connect only to wireless access points. (Wireless devices can also be set to
operate in ad hoc mode, which enables them to communicate directly with any other wireless
device. This is a security threat because it creates peer-to-peer networks with little or no
authentication controls.) In addition, predefine a list of authorized MAC addresses, and
configure wireless access points to accept connections only if the device’s MAC address is on
the authorized list.
● Use noninformative names for the access point’s address, which is called a service set
identifier (SSID). SSIDs such as “payroll,” “finance,” or “R&D” are more obvious targets to
attack than devices with generic SSIDs such as “A1” or “X2.”
● Reduce the broadcast strength of wireless access points, locate them in the interior of the
building, and use directional antennas to make unauthorized reception off-premises more
difficult. Special paint and window films can also be used to contain wireless signals within a
building.
● Encrypt all wireless traffic. This is absolutely essential to protect the confidentiality and
privacy of wireless communications because they are transmitted “over the air” and, therefore,
are inherently susceptible to unauthorized interception.
IT Solutions: Device and Software Hardening Controls
COBIT 5 management practice DSS05.03 describes the activities involved in managing
endpoint security. Three areas deserve special attention:
1. Endpoint configuration. Endpoints can be made more secure by modifying their
configurations. This process of modifying the default configuration of endpoints to eliminate
unnecessary settings and services is called hardening. In addition to hardening, every endpoint
needs to be running antivirus and firewall software that is regularly updated. It may also be
desirable to install intrusion prevention software directly on the endpoint to prevent
unauthorized attempts to change the device’s hardened configuration.
2. User account management. COBIT 5 management practice DSS05.04 stresses the need to
carefully manage all user accounts, especially those accounts that have unlimited
(administrative) rights on that computer. Administrative rights are needed in order to install
software and alter most configuration settings. These powerful capabilities make accounts with
administrative rights prime targets for attackers. Therefore, employees who need
administrative powers on a particular computer should be assigned two accounts: one with
administrative rights and another that has only limited privileges. Although an attacker who
compromises the limited account can use other tools to eventually obtain administrative rights
on that machine, other security controls might detect and thwart such attempts to escalate
privileges before they can be completed.
3. Software design. As organizations have increased the effectiveness of their perimeter security
controls, attackers have increasingly targeted vulnerabilities in application programs. Buffer
overflows, SQL injection, and cross-site scripting are common examples of attacks against the
software running on websites. These attacks all exploit poorly written software that does not
thoroughly check user-supplied input prior to further processing. SQL injection attacks occur
whenever web application software that interfaces with a database server does not filter user
input, thereby permitting an attacker to embed SQL commands within a data entry request and
have those commands executed on the database server. Cross-site scripting attacks occur when
web application software does not carefully filter user input before returning any of that data to
the browser, in which case the victim’s browser will execute any embedded malicious script.
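The two web application defects named in item 3 above, each shown beside its corrected form, as an added example that is not part of the chapter summary. The in-memory sqlite3 table, the customer rows and the inputs are constructed; the point is that a parameterized query and output encoding make user-supplied input data rather than code, which is the input checking the text calls for.

```python
# Added example (not from the chapter summary): SQL injection and cross-site scripting,
# unsafe form beside the corrected form. Database contents and inputs are constructed.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, credit_limit INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "Acme Ltd", 5000), (2, "Globex", 12000)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str):
    """SQL injection: the input is pasted into the command text, so a quote character in
    it can change the meaning of the query rather than being compared as a name."""
    sql = f"SELECT id, name FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str):
    """Parameterized query: the driver binds the value; it can never become SQL syntax."""
    return conn.execute("SELECT id, name FROM customers WHERE name = ?", (name,)).fetchall()


def render_unsafe(user_input: str) -> str:
    """Cross-site scripting: data is returned to the browser without filtering, so any
    markup or script inside it is interpreted by the victim's browser."""
    return f"<p>Search results for: {user_input}</p>"


def render_safe(user_input: str) -> str:
    """Output encoding: < > & " ' become entities, so the browser displays the text."""
    return f"<p>Search results for: {html.escape(user_input)}</p>"


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"    # constructed input: closes the quoted string in the unsafe query
    print(lookup_unsafe(conn, hostile))   # every row: the WHERE clause was rewritten
    print(lookup_safe(conn, hostile))     # []: no customer literally has that name
    print(lookup_safe(conn, "Acme Ltd"))  # [(1, 'Acme Ltd')]
    script = "<script>alert(1)</script>"  # constructed input
    print(render_unsafe(script))          # script tag reaches the browser intact
    print(render_safe(script))            # &lt;script&gt; ... shown as text
```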
IT Solutions: Encryption
Encryption provides a final layer of defense to prevent unauthorized access to sensitive
information. It is important for achieving the security principles of protecting the
confidentiality of organizational information and the privacy of personal information collected
from customers, employees, and business partners.
Physical Security : Access Control
It is absolutely essential to control physical access to information resources. A
skilled attacker needs only a few minutes of unsupervised direct physical access in order
to bypass existing information security controls. Physical access control begins with entry
points to the building itself. Ideally, there should only be one regular entry point that
remains unlocked during normal office hours. Fire codes usually require additional
emergency exits, but these should not permit entry from the outside and should be
connected to an alarm system that is automatically triggered whenever the fire exit is
opened. In addition, either a receptionist or a security guard should be stationed at the
main entrance to verify the identity of employees. Visitors should be required to sign in
and be escorted by an employee wherever they go in the building.
Once inside the building, physical access to rooms housing computer equipment
must also be restricted. These rooms should be securely locked and all entry/exit
monitored by closed-circuit television systems. Multiple failed access attempts should
trigger an alarm. Rooms housing servers that contain especially sensitive data should
supplement regular locks with stronger technologies—card readers, numeric keypads, or
various biometric devices, such as iris or retina scanners, fingerprint readers, or voice
recognition.
COBIT 5 management practice DSS05.06 stresses the importance of also
restricting physical access to network printers, because they often store document images
on their hard drives. There have been cases where intruders have stolen the hard drives in
those printers, thereby gaining access to sensitive information.
Detecting Attacks
As noted earlier, preventive controls are never 100% effective in blocking all attacks.
Therefore, COBIT 5 management practice DSS05.07 describes the activities that organizations
also need to perform to enable timely detection of intrusions and problems.
Log Analysis
Most systems come with extensive capabilities for logging who accesses the
system and what specific actions each user performed. These logs form an audit trail of
system access. Like any other audit trail, logs are of value only if they are routinely
examined. Log analysis is the process of examining logs to identify evidence of possible
attacks.
It is especially important to analyze logs of failed attempts to log on to a system
and failed attempts to obtain access to specific information resources. For example, suppose
the log shows a failed log-on attempt by a user named rjones. The goal of log analysis is to
determine the reason for that failed log-on attempt. One possible explanation is that rjones is
a legitimate user who forgot his or her password.
Logs need to be analyzed regularly to detect problems in a timely manner. This is
not easy, because logs can quickly grow in size. Another problem is that many devices
produce logs with proprietary formats, making it hard to correlate and summarize logs
from different devices. Software tools such as log management systems and security
information management systems attempt to address these issues by converting vendor-
specific log formats into common representations and producing reports that correlate
and summarize information from multiple sources. Nevertheless, log analysis ultimately
requires human judgment to interpret the reports and identify situations that are not
“normal.”
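Log analysis over constructed log lines, as an added example that is not part of the chapter summary: it parses a simple common log format of the kind a log management system produces after normalizing vendor formats, and separates the rjones case above (one failure followed by a successful log-on, probably a forgotten password) from patterns that deserve a human's attention: many failures against one account, or one source failing against many accounts. The log format and the thresholds are assumptions.

```python
# Added example (not from the chapter summary): failed-logon analysis over constructed
# log lines in an assumed normalized format: "time user source OK|FAIL".
import re
from collections import Counter, defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
2024-03-01T08:01:10 rjones 10.1.4.22 FAIL
2024-03-01T08:01:35 rjones 10.1.4.22 OK
2024-03-01T08:05:00 kfebri 10.1.4.30 OK
2024-03-01T22:10:01 admin 192.0.2.55 FAIL
2024-03-01T22:10:02 admin 192.0.2.55 FAIL
2024-03-01T22:10:02 admin 192.0.2.55 FAIL
2024-03-01T22:10:03 admin 192.0.2.55 FAIL
2024-03-01T22:10:04 admin 192.0.2.55 FAIL
2024-03-01T22:10:05 admin 192.0.2.55 FAIL
2024-03-01T22:11:00 eputri 192.0.2.55 FAIL
2024-03-01T22:11:01 fcholisa 192.0.2.55 FAIL
2024-03-01T22:11:02 karlina 192.0.2.55 FAIL
garbage line that does not fit the format
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log: str) -> List[Dict[str, str]]:
    """Turn the normalized log into event records, skipping lines that do not fit."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(dict(zip(("time", "user", "src", "result"), m.groups())))
    return events


def analyze(events: List[Dict[str, str]], per_user_limit: int = 5,
            per_source_users: int = 3) -> Dict[str, list]:
    """Group failed log-ons into categories an analyst can act on."""
    fails_by_user = Counter(e["user"] for e in events if e["result"] == "FAIL")
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users_by_src[e["src"]].add(e["user"])
    recovered = {e["user"] for e in events if e["result"] == "OK"}
    findings = {"likely_forgot_password": [],      # few failures, then success
                "guessing_one_account": [],        # many failures on one account
                "one_source_many_accounts": []}    # one source, several accounts
    for user, n in fails_by_user.items():
        if n >= per_user_limit:
            findings["guessing_one_account"].append((user, n))
        elif user in recovered:
            findings["likely_forgot_password"].append((user, n))
    for src, users in users_by_src.items():
        if len(users) >= per_source_users:
            findings["one_source_many_accounts"].append((src, sorted(users)))
    return findings


if __name__ == "__main__":
    for category, items in analyze(parse(SAMPLE_LOG)).items():
        print(category, items)
```

Thresholds like these only sort the evidence; as the text says, deciding what is not "normal" still needs a person to look at the report.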
Intrusion Detection Systems
Network intrusion detection systems (IDSs) consist of a set of sensors and a
central monitoring unit that create logs of network traffic that was permitted to pass the
firewall and then analyze those logs for signs of attempted or successful intrusions. Like
a network IPS, a network IDS functions by comparing observed traffic to its rulebase. In
addition, an IDS can be installed on a specific device to monitor unauthorized attempts to
change that device’s configuration. The main difference between an IDS and an IPS is
that an IDS only produces a warning alert when it detects a suspicious pattern of network
traffic; it is then up to the human responsible for monitoring the IDS to decide what
course of action to take. In contrast, an IPS not only issues an alert but also automatically
takes steps to stop a suspected attack.
Continuous Monitoring
COBIT 5 management practice APO01.08 stresses the importance of
continuously monitoring both employee compliance with the organization’s information
security policies and overall performance of business processes. Such monitoring is an
important detective control that can timely identify potential problems and identify
opportunities to improve existing controls. Measuring compliance with policies is
straightforward, but effectively monitoring performance requires judgment and skill.
Accountants can provide value by drawing on COBIT 5’s discussion of possible metrics
for evaluating information security to help management design effective reports that
highlight areas most in need of attention.
