Chapter 8. Protection of Assets

The following exam domain is partially covered in this chapter:

Domain 5—Protection of Information Assets

This chapter covers the following topics:

• Access Control: Controlling who has access and how that access occurs is one of the first lines of defense in protecting an organization’s assets.

• Security Controls for Hardware and Software: Security controls are used to protect critical assets and can deter, delay, prevent, and detect unauthorized access attempts.

• Protection of Information Assets: One of the keys to protecting assets is encryption.

• Data Leakage and Attacks: Regardless of the types of controls that are used, data leaks will occur. Auditors should understand the types of data leaks that can occur and the threat of exposure.

The protection of assets is one of the key concerns of an auditor. The first step in protecting assets is typically access control—protecting the point at which authorized users are allowed access and unauthorized users are denied access. Another key area is the placement of controls to protect assets. These controls are typically designed to deter, delay, prevent, and detect issues. A large portion of this chapter deals with encryption. Encryption is one of the primary controls used to protect data at rest and data in motion. The chapter concludes by examining the ways security can be breached and assets may be exposed.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 8-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers at the bottom of the page following the quiz and in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 8-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                      Questions Covered in This Section
Access Control                                 1–4
Security Controls for Hardware and Software    5–8
Protection of Information Assets               9
Data Leakage and Attacks                       10


Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as incorrect for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1. Which of the following is seen as the weakest form of authentication?

a. Something you know

b. Something you have

c. Something you are

d. Somewhere you are

2. Which of the following best describes the equal error rate?

a. This measurement indicates the point at which FRR does not equal FAR.

b. This measurement indicates the point at which FRR is lower than FAR.

c. This measurement indicates the point at which FRR is higher than FAR.

d. This measurement indicates the point at which FRR equals FAR.

3. Which of the following is the best example of SSO?

a. RADIUS

b. Diameter

c. TACACS

d. Kerberos

4. If Cathy uses the same credentials to obtain access to Company A and Company B, this is best described as which of the following?

a. RADIUS

b. Federation

c. SSO

d. Two-factor authentication

5. An audit found that controls were needed for the integrity of data. Which of the following algorithms is used for integrity?

a. RSA

b. DES

c. MD5

d. SSH

6. Which of the following is a symmetric algorithm?

a. RSA

b. DES

c. MD5

d. ECC

7. Which of the following is an asymmetric algorithm?

a. RSA

b. DES

c. MD5

d. AES

8. Which of the following can be used for the protection of email?

a. SMIME

b. 3DES

c. Twofish

d. SAFER

9. Which of the following is the highest business level classification?

a. Confidential

b. Top secret

c. Private

d. Restricted

10. Which of the following attack techniques requires the hacker to have both the plaintext and the ciphertext of one or more messages?

a. Ciphertext only

b. Known ciphertext

c. Known plaintext

d. Man-in-the-middle

Foundation Topics

Access Control

Access control is one of the most important topics in this chapter. Controls on information are put into place to protect against unauthorized access by both insiders and outsiders.

This section examines both logical and physical access controls. For logical access controls, user identification and authentication (verifying that users are who they say they are) are considered the first steps of the process. Auditors should verify that users are restricted to only authorized functions and data.

Identification and Authentication (I&A)

The first step of granting logical access to a user is the process of identification. Identification asserts the user’s identity and is considered a one-to-many search process because the system must match the user to a unique identity. Identity is needed because it provides accountability and holds users responsible for their actions. The most common way for users to identify themselves is by presenting user identification (user ID), such as a username, account number, or personal identification number (PIN).

Authentication is the second step in the I&A process. It is commonly referred to as a one-to-one process because it is a comparative process; no search is involved. Three authentication methods exist:

• Authentication by knowledge: What a user knows

• Authentication by ownership: What a user has

• Authentication by characteristic: What a person is and does

Authentication by Knowledge

Of the three types, what a user knows is the most widely used method of authentication. Passwords are a good example of this type of authentication. Good passwords should be easy to remember but difficult for an attacker to guess. Passwords should initially be set by network administrators or generated by a system. Upon initial user logon, the password should be changed. Passwords should have a lockout threshold established. For example, if a user enters the wrong password three times in a row, the account should be disabled or locked for a predetermined length of time. If passwords need to be reset, the process should ensure that the user’s identity is verified and that passwords are not passed in any insecure or open format. User identity can be verified by having the user answer several cognitive questions, such as high school attended, first pet’s name, or first best friend; or by requiring the user to retrieve the new password in person or by transmitting the password securely to the employee’s supervisor.

Answers to the “Do I Know This Already?” Quiz: 1. A; 2. D; 3. D; 4. B; 5. C; 6. B; 7. A; 8. A; 9. A; 10. C

Passwords are perishable; they grow stale and need to be changed on a regular basis. Most of us lack the cognitive ability to create several complex, unique, and unrelated passwords on a daily or weekly basis. Imagine the following situation: You have just started a new job, and your boss has asked that you create several login passwords. Do you invent hard-to-remember, complex passwords; do you use something that you can easily remember when you return the next day; or do you write down the password? Most individuals will choose an easy password or write it down rather than risk forgetting the password and creating a bad impression.

One of the responsibilities of an auditor is to verify password policies and ensure that they are strong enough to protect the confidentiality, integrity, and availability (CIA) of information and assets. Good password policies should offer the following guidelines regarding password characteristics:

• Do not use personal information.

• Do not use common words or names.

• Ensure that passwords are complex and use upper- and lowercase letters, numbers, and characters (such as !@#$%^&).

• Require that passwords be changed regularly.

• Have session timeouts.

• Limit logon attempts to a small number of times, such as three successive attempts.


Note

Some organizations use geofencing to control access. Geofencing uses GPS or RFID technology to specify a geographic boundary so that items may or may not be accessible, depending on where you are.


Authentication by Ownership

This type of authentication, what a user has, can include various types of tokens, such as badge systems, smart cards, USB keys, and SecurID devices. Tokens are widely used in two-factor authentication schemes because they require something you have (the token) and something you know (a personal identification number). The system uses this general process:

1. The server sends the user a value.

2. The value is entered into the token device.

3. The token performs a hashing process on the entered value.

4. The new, computed value is displayed on the LCD screen of the token device.

5. The user enters the displayed value into the computer for authentication.
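The five-step token exchange above, as an added example that is not the book’s code: the token’s hashing step is an HMAC over the server’s challenge, and the server accepts only when both the PIN (something you know) and the token response (something you have) check out. The user name “alice”, the PIN, and the token secret are constructed for the walk-through.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict

# Constructed enrollment data for a hypothetical user "alice": the token secret is
# provisioned into both the token device and the server; only the user knows the PIN.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
USER_PIN = "4821"


def token_response(secret: bytes, challenge: str, digits: int = 6) -> str:
    """Steps 2-4 on the token device: hash the server's value under the token secret
    and truncate it to a short code the user can read off the LCD and type in."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation as in HOTP (RFC 4226)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enroll(pin: str, secret: bytes) -> Dict[str, bytes]:
    """Server-side record: the PIN is stored only as a salted hash."""
    salt = secrets.token_bytes(16)
    return {"secret": secret, "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)}


class AuthServer:
    """Step 1 (issue a fresh challenge) and step 5 (check PIN + token response)."""

    def __init__(self, users: Dict[str, Dict[str, bytes]], challenge_ttl: int = 60):
        self.users = users
        self.ttl = challenge_ttl
        self.pending: Dict[str, tuple] = {}      # user -> (challenge, issued_at)

    def issue_challenge(self, user: str, now: float) -> str:
        challenge = secrets.token_hex(8)         # unpredictable and never reused
        self.pending[user] = (challenge, now)
        return challenge

    def verify(self, user: str, pin: str, response: str, now: float) -> bool:
        rec = self.users.get(user)
        issued = self.pending.pop(user, None)    # one challenge allows one attempt
        if rec is None or issued is None:
            return False
        challenge, issued_at = issued
        if now - issued_at > self.ttl:
            return False                         # stale challenge: the user must start over
        pin_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], 100_000), rec["pin_hash"])
        token_ok = hmac.compare_digest(token_response(rec["secret"], challenge), response)
        return pin_ok and token_ok               # something you know AND something you have


def demo_login(entered_pin: str, token_in_hand: bytes) -> bool:
    """Walk the five steps for alice with whatever PIN and token the person presents."""
    server = AuthServer({"alice": enroll(USER_PIN, TOKEN_SECRET)})
    now = time.time()
    challenge = server.issue_challenge("alice", now)           # step 1: server sends a value
    code = token_response(token_in_hand, challenge)            # steps 2-4: token computes the code
    return server.verify("alice", entered_pin, code, now + 5)  # step 5: user types it in


if __name__ == "__main__":
    print("right PIN + right token:", demo_login(USER_PIN, TOKEN_SECRET))
    print("wrong PIN + right token:", demo_login("0000", TOKEN_SECRET))
```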


Tip

Two-factor authentication requires two of these three methods: something you know, something you have, something you are. A bank card and PIN is an example of two-factor authentication; a password and a PIN is not (because it is two things you know).


Authentication by Characteristic

Authentication by characteristic—what a person is or does—is known as biometrics. Biometric systems verify identity by either a physiological trait, such as a fingerprint or retina scan, or behavioral characteristic, such as a keystroke or signature pattern. Some common biometric types include the following:

• Fingerprint

• Hand geometry

• Palm scan

• Voice pattern

• Retina pattern/scan

• Iris pattern/recognition

• Signature dynamics

• Facial recognition

• Keystroke dynamics

Important concerns for an auditor when examining biometric systems include the following:

• Accuracy: Accuracy demonstrates how well the system can separate authentic users from imposters.

• User acceptance: Will users accept the system? The chosen biometric system must fit the environment.

• Misuse: Some users may look for ways to bypass or cheat the system. With the right tools (some kind of putty or gel imprint), ingenuity, and a morally ambivalent coworker, an employee can “clock in” without even being there.

• Processing speed: Tied closely to user acceptance, processing speed indicates how quickly the decision to accept or deny is made. Slow systems tend to frustrate users and, thus, result in lower acceptance.

• False reject rate (FRR): The FRR is the percentage of legitimate users who are denied access. This is also known as a Type I error.

• False accept rate (FAR): This measurement is the percentage of users who are allowed access but who are not authorized users. It is also known as a Type II error.

• Equal error rate (EER): This measurement indicates the point at which FRR equals FAR. Low numbers indicate that the system has greater accuracy. Figure 8-1 shows an example.

[Figure 8-1 graphic: a line graph with Sensitivity on the x-axis and Percentage on the y-axis, depicting the equal error rate.]

Figure 8-1 Equal Error Rate
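An added example (not from the book) that computes FRR, FAR, and the EER from constructed matcher scores by sweeping the acceptance threshold, which is the pair of curves Figure 8-1 plots; the score lists and the 0–100 scale are assumptions for the walk-through.

```python
from typing import List, Sequence, Tuple

# Constructed matcher scores (0-100): higher means a closer match to the enrolled
# template. "Genuine" attempts are by the real user; "impostor" attempts are not.
GENUINE_SCORES = [92, 88, 95, 81, 77, 90, 85, 69, 93, 84, 79, 96]
IMPOSTOR_SCORES = [35, 48, 52, 61, 44, 58, 73, 39, 66, 50, 29, 70]


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False reject rate (Type I error): legitimate users scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: Sequence[float], threshold: float) -> float:
    """False accept rate (Type II error): impostors scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def tradeoff(genuine, impostor, thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) rows: raising the threshold (sensitivity) lowers FAR
    but raises FRR, so the two curves cross somewhere in between."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_rate(genuine, impostor, step: float = 1.0) -> Tuple[float, float]:
    """Sweep the threshold and return (threshold, EER) where FAR and FRR are closest
    to equal. A lower EER means the system separates users from impostors better."""
    lo = min(min(genuine), min(impostor))
    hi = max(max(genuine), max(impostor)) + step
    best_t, best_gap, best_rate = lo, float("inf"), 1.0
    t = lo
    while t <= hi:
        a, r = far(impostor, t), frr(genuine, t)
        if abs(a - r) < best_gap:
            best_t, best_gap, best_rate = t, abs(a - r), (a + r) / 2
        t += step
    return best_t, best_rate


if __name__ == "__main__":
    for t, a, r in tradeoff(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 100, 10)):
        print(f"threshold {t:>3}: FAR {a:.2%}  FRR {r:.2%}")
    thr, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2%} at threshold {thr}")
```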


Tip

CISA exam candidates must understand the value of biometric data and must ensure that any biometric data stored has adequate mechanisms in place to protect it from attack or disclosure.


No matter which of the three primary types of authentication methods is used, the user most likely will have to log on many times onto many different systems throughout the work day.


Note

Some sources list “somewhere you are” as a valid fourth type of authentication. This authentication type looks at user location as a factor of authentication.

“Somewhere you are” systems are beginning to be used in some businesses and government agencies that require extremely high security. An example could be the GPS location of a phone that is used to allow or block access based on the physical location of the device.


Single Sign-on

Many users grow weary of having to log on to many different systems throughout the day to complete their required tasks. Single sign-on (SSO) is an attempt to address this problem. If an organization is using passwords and single sign-on is not being used, each separate system requires the user to remember a potentially different username and password combination. Employees tend to bypass mental strain by writing down passwords and usernames. Single sign-on addresses this problem by permitting users to authenticate once to a single authentication authority, and then they are allowed access to all other protected resources without reauthenticating. Single sign-on can be seen as a process of consolidation that places the entire organization’s functions of authentication and authorization in a single centralized location. SSO can include the following:

• Distributed systems

• Mainframe systems

• Local users

• Remote users

• Network security mechanisms

Implementing single sign-on is challenging because most logical networks are heterogeneous. Networks, operating systems, mainframes, distributed systems, and databases must all be integrated to work together. Advantages to single sign-on include the following:

• Efficient logon process

• Stronger passwords created by users

• No need for multiple passwords

• Enforcement of timeout and attempt thresholds across the entire platform

• Centralized administration

Single sign-on does have some drawbacks: It is expensive, and if attackers gain entry, they have access to everything. Including unique platforms also can be challenging. Examples of popular single sign-on systems are Kerberos and SESAME.

Massachusetts Institute of Technology (MIT) created Kerberos, which provides several key services:

• Security: Kerberos protects authentication traffic so that a network eavesdropper cannot easily impersonate a user.

• Reliability: The service is available to users when needed.

• Transparency: For the end user, the process is transparent.

• Scalability: Kerberos supports everything from a small number of users to a large number of clients and servers.

Kerberos consists of three parts: the client, the server, and a trusted third-party key distribution center (KDC) that mediates between them. The KDC is composed of two systems:

• Authentication service: The authentication service issues ticket-granting tickets (TGTs) that are good for admission to the ticket-granting service (TGS). Before network clients can obtain tickets for services, they must obtain a TGT from the authentication service.

• Ticket-granting service: Clients receive tickets to specific target services through this service.

Kerberos follows a structured approach to authentication (see Figure 8-2):

[Figure 8-2 graphic: a diagram of the six-step Kerberos authentication process, titled “Kerberos Ticket Exchange.”]

Figure 8-2 Kerberos Authentication

1. The client asks the KDC for a ticket, making use of the authentication service (AS).

2. The client receives the encrypted ticket and the session key.

3. The client sends the encrypted TGT to the TGS and requests a ticket for access to the application server.

4. The TGS decrypts the TGT by using its own private key and returns the ticket to the client, which allows it to access the application server.

5. The client sends this ticket along with an authenticator to the application server.

6. The application server sends confirmation of its identity to the client.
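The six steps above, as an added simulation that is neither the book’s code nor a real Kerberos implementation: a toy KDC (AS plus TGS), an application server, and a client exchange the same messages, with a standard-library encrypt-then-MAC construction standing in for Kerberos encryption types. The realm, principal names, passwords, and lifetimes are constructed for the walk-through.

```python
import hashlib
import hmac
import json
import secrets

# Toy authenticated encryption from the standard library (HMAC-SHA256 keystream plus an
# HMAC tag) so this runs offline; real Kerberos uses AES-based encryption types.
NONCE_LEN, TAG_LEN = 16, 32
CLOCK_SKEW = 300  # seconds an authenticator's timestamp may differ from the receiver's clock

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC a small JSON message under a symmetric key."""
    pt = json.dumps(msg).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password: str) -> bytes:
    """Client long-term key derived from the password (toy string2key, realm name as salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"REALM.EXAMPLE", 10_000)

def _check_authenticator(ticket: dict, authenticator: bytes, now: int):
    """Shared by TGS and application server: the ticket must be unexpired and the
    authenticator sealed with its session key, naming its client, with a fresh timestamp."""
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")
    session = bytes.fromhex(ticket["key"])
    a = unseal(session, authenticator)
    if a["client"] != ticket["client"] or abs(a["time"] - now) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    return session, a

class KDC:
    """Key distribution center: authentication service (AS) plus ticket-granting service (TGS)."""

    def __init__(self, keys: dict):
        self.keys = keys               # principal name -> long-term key
        self.tgs_key = keys["krbtgt"]  # the TGS's own key, which seals and opens TGTs

    def as_exchange(self, client: str, now: int) -> bytes:
        """Steps 1-2: TGT plus session key, sealed under the client's long-term key."""
        session = secrets.token_bytes(32)
        tgt = seal(self.tgs_key, {"client": client, "key": session.hex(), "expires": now + 8 * 3600})
        return seal(self.keys[client], {"key": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """Steps 3-4: open the TGT with the TGS key, then issue a ticket for the service."""
        t = unseal(self.tgs_key, tgt)
        session, _ = _check_authenticator(t, authenticator, now)
        svc_session = secrets.token_bytes(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session.hex(), "expires": now + 3600})
        return seal(session, {"key": svc_session.hex(), "ticket": ticket.hex()})

def application_server(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bytes:
    """Steps 5-6: validate the service ticket, then prove the server's identity back to the client."""
    t = unseal(service_key, ticket)
    svc_session, a = _check_authenticator(t, authenticator, now)
    return seal(svc_session, {"time": a["time"]})  # mutual authentication reply

def client_login(kdc: KDC, user: str, password: str, service: str, service_fn, now: int) -> bool:
    """Client side of all six steps; service_fn stands in for the network path to the server."""
    rep = unseal(string_to_key(password), kdc.as_exchange(user, now))           # step 2; wrong password -> ValueError
    session, tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    authenticator = seal(session, {"client": user, "time": now})
    rep2 = unseal(session, kdc.tgs_exchange(tgt, authenticator, service, now))  # steps 3-4
    svc_session, ticket = bytes.fromhex(rep2["key"]), bytes.fromhex(rep2["ticket"])
    authenticator2 = seal(svc_session, {"client": user, "time": now})           # step 5
    confirm = unseal(svc_session, service_fn(ticket, authenticator2, now))      # step 6
    return confirm["time"] == now

def demo() -> bool:
    """Constructed realm with hypothetical names: one user, the TGS key, one service."""
    svc_key = secrets.token_bytes(32)
    kdc = KDC({"alice": string_to_key("correct horse battery"),
               "krbtgt": secrets.token_bytes(32), "host/fileserver": svc_key})
    server = lambda ticket, auth, now: application_server(svc_key, ticket, auth, now)
    return client_login(kdc, "alice", "correct horse battery", "host/fileserver", server, now=1_700_000_000)
```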

Federation


When managing user access to multiple sites, federation is a useful service. Federation is an access control technique for managing identity across multiple platforms and entities. As organizations have become more tightly tied together, they have developed a greater need to share information and services. The first step in this process is to establish trust. Therefore, many organizations are searching for methods to share common authentication information. You can see an example of a federated identity any time you go to an airline website. After booking a flight, you are asked whether you also need a hotel room. Clicking Yes might take you to a major hotel chain website to which your identity and travel information have already been passed. This process saves the process of logging in a second time (to the hotel website). Such systems are already in use. For example, you can use Facebook or Google credentials to log in to the Digg website (see Figure 8-3).

[Figure 8-3 graphic: a screenshot of the Digg sign-in page with the options “Sign in with Twitter,” “Sign in with Facebook,” and “Sign in with Google.”]

Figure 8-3 Federation


Note

Federation is an arrangement between two or more organizations that lets users use the same credentials to obtain access to the enterprises in the group.


Today’s systems are much more distributed than in the past and have a much greater reliance on the Internet. At the same time, there has been a move toward service-enabled delivery of services. There has also been a move to create web services that have a more abstract architectural style. This style, known as service-oriented architecture (SOA), attempts to bind together disjointed pieces of software. A CISA candidate should have some knowledge of several components in this realm, such as the following:

• Web Services Security (WS Security): WS Security is an extension to Simple Object Access Protocol (SOAP) that is designed to add security to web services.

• Extensible Markup Language (XML): Years ago, Hypertext Markup Language (HTML) dominated the web. Today, XML is the standard framework. XML is a standard that allows for a common expression of metadata. XML typically follows the SOAP standard.

• Service Provisioning Markup Language (SPML): SPML is an XML-based framework that can be used to exchange access control information between organizations so that a user logged into one entity can have the access rights passed to the other.

• Security Assertion Markup Language (SAML): SAML is an example of a new protocol designed for cross-web service authentication and authorization. Over time, this protocol holds promise to improve new generations of web services. SAML is an XML-based open standard designed for authentication and authorization between security domains. The protocol was created by the Organization for the Advancement of Structured Information Standards (OASIS), a nonprofit consortium that develops and adopts open standards for the global information society. One product of the group’s work is SAML. SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject. At the core of SAML is the XML schema that defines the representation of security data; this can be used to pass the security context between applications. SAML assertions are communicated by a web browser through cookies or URL strings.

• OpenID: OpenID is an open standard that is used as an authentication scheme. OpenID allows users to log on to many different websites using the same identity on each of the websites. For example, you may log in to a news site with your Facebook username and password. OpenID, which was developed by the OpenID Foundation, works as a set of standards that includes OpenID Authentication, Attribute Exchange, Simple Registration Extension, and Provider Authentication Policy Exchange.

• Shibboleth: Shibboleth is a distributed web resource access control system. Shibboleth enhances federation by allowing the sharing of web-based resources. When using Shibboleth, the target website trusts the source site to authenticate its users and manage their attributes correctly. The disadvantage of this model is that there is no differentiation between authentication authorities and attribute authorities.

• Where Are You From (WAYF): WAYF is a single sign-on methodology that allows the use of one single login to access several web-based services. When a claimant submits a request to access a remote website to which the claimant has not authenticated, the remote website forwards the claimant’s login request to a WAYF service. The WAYF service creates connections between the login systems at the connected institutions and external web-based services.

Remote Access

Technology has changed the workplace. Email, cell phones, and the Internet have changed when and how employees can work and how they can connect to the organization’s assets. Many employees don’t even go into the workplace now. The International Telework Association and Council reports that approximately 32 million people work at home at least part-time for an employer. These telecommuters pose a special challenge to security. Clients, consultants, vendors, customer representatives, and business partners might also require remote access to the organization. All these users will expect the same level of access they would have if they were to connect locally. A well-designed architecture is required to provide this level of service. A CISA candidate must understand these issues and common connectivity methods.


Tip

When reviewing network access, an auditor should always find all points of access. This is a critical step and is required for a complete and thorough examination.


The following are some common methods for centralized authentication:

• Remote Access Dial-In User Service (RADIUS)

• Diameter

• Terminal Access Control Access Control System (TACACS)

RADIUS

RADIUS uses a modem pool for connecting users to the organization’s network. The RADIUS server contains usernames, passwords, and other information used to validate the user. Many systems use a callback system for added security control. When used, the callback system calls the user back at a predefined phone number. RADIUS is a client–server protocol used to authenticate dial-in users and authorize access.

Diameter

You can never say the creators of Diameter didn’t have a sense of humor. Diameter’s name is a pun because the “diameter is twice the RADIUS.” Actually, Diameter is enhanced RADIUS in that it was designed to do much more than provide services to dialup users. Diameter is detailed in RFC 3588 and can use TCP, UDP, or Stream Control Transmission Protocol (SCTP). The primary advantage of Diameter is that it supports protocols and devices not even envisioned when RADIUS and TACACS were created, such as VoIP (Voice over IP), Ethernet over PPP, and mobile IP. VoIP is the routing of voice communication over data networks, and mobile IP is the ability of a user to keep the same IP. Consider the example of taking your IP-based phone from your provider’s network to an overseas location. In such a situation, you need a home IP address and also a care-of address. Although you may be a T-Mobile customer, your data needs to be routed to you while in Jamaica and using the Digicel network. Diameter provides this capability and is considered a very secure solution because cryptographic support of IPsec or TLS is mandatory.

Diameter is designed to use two items. The first is the base protocol that is designed to provide secure communication between Diameter devices and enables various types of information to be transmitted, such as headers, security options, commands, and attribute/value pairs (AVPs). The second item is the extensions. Extensions are built on top of the base protocol to allow various technologies to use Diameter for authentication. This component is what interacts with other services, such as VoIP, wireless, and cell phone authentication. Finally, Diameter offers an upgrade path from RADIUS, but RADIUS components cannot talk to Diameter components.

TACACS

TACACS is a less popular approach and another remote access protocol that provides authentication, authorization, and accountability. TACACS is very similar to RADIUS. TACACS+, an upgrade to TACACS, was introduced in 1990 and offers extended two-factor authentication.

Additional Remote Access Options

The Internet’s popularity has made it an option for remote connectivity. That idea has matured into the concept of virtual private networks (VPNs). The Internet Engineering Task Force (IETF) defines a VPN as “an emulation of a private Wide Area Network (WAN) using shared or public IP facilities, such as the Internet or private IP backbones.” The advantage of a VPN is that it is cheaper than a dedicated line. VPNs provide the same capabilities as a private network but at a much lower cost. The biggest concern when using a VPN is privacy; after all, you’re sending your company’s traffic over the public Internet. Therefore, the traffic must be encrypted before being sent. All remote access methods have a certain degree of risk:

• Denial of service

• Loss of physical control of the client’s system

• Possibility that the client system will be hacked to gain remote access capability

• Possibility that the remote access system will be hacked to gain access

These risks can best be addressed by good policies and procedures that specify using strong controls. Strong authentication should also be used to ensure that intruders cannot easily guess passwords or compromise remote access systems. Encryption should also be a key component of any remote access system; encryption is the best control that can be used to prevent the interception of information.


Tip

Encryption is the number-one control that can be used to protect information while being transmitted to and from a remote network to the organization’s network.


SSH

Not all remote connectivity protocols are designed the same. Years ago Telnet was the standard. Telnet sends all data via cleartext, along with the username and password. A more secure alternative is Secure Shell (SSH), a cryptographic network protocol for operating network services securely over an unsecured network. SSH was designed as a replacement for Telnet and the Berkeley R utilities. For anyone needing to connect to a system remotely, SSH provides for confidentiality and integrity of data.

From an auditing standpoint, it is important to keep in mind that not all versions are the same. The original version has been replaced, and SSH is now at version 2.x. Also, just because someone is allowed to have remote access to a computer does not mean that person always needs root or administrative access. Allowing root login over SSH is considered a poor security practice and should be restricted.
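One way an auditor can script the checks this section calls for, as an added example that is not from the book: it parses an sshd_config excerpt (a constructed sample, not from any real host) and flags SSH protocol version 1, PermitRootLogin yes, and a high MaxAuthTries. It applies sshd’s first-value-wins rule and treats Match blocks as out of scope.

```python
import re
from typing import Dict, List

# Constructed sshd_config excerpt for the walk-through; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the FIRST value it reads for a keyword, so this later line is ignored:
PermitRootLogin no
MaxAuthTries 10
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective keyword -> value (keywords lowercased). For each keyword sshd uses the
    first occurrence; a Match block ends the unconditional section and is out of scope here."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective


def audit_sshd(text: str) -> List[str]:
    """Findings for the points the section raises: SSH-1 enabled, root login over SSH,
    and a generous per-connection guess limit."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    protocol = cfg.get("protocol")
    if protocol and "1" in protocol.split(","):
        findings.append(f"Protocol {protocol}: SSH protocol version 1 is enabled; allow version 2 only")
    # OpenSSH's default when the keyword is absent is prohibit-password, not yes.
    root = cfg.get("permitrootlogin", "prohibit-password")
    if root.lower() == "yes":
        findings.append("PermitRootLogin yes: direct root login over SSH should be restricted")
    tries = cfg.get("maxauthtries", "6")
    if tries.isdigit() and int(tries) > 6:
        findings.append(f"MaxAuthTries {tries}: above the default of 6; keep the lockout threshold small")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD_CONFIG) or ["no findings"]:
        print("-", finding)
```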

VPNs

While VPNs and SSH tunnels can both securely tunnel network traffic over an encrypted connection, they are not the same. Imagine having 50 SSH connections to a server. The overhead would be unmanageable in many ways. SSH is simply a way to remotely connect to a terminal on another machine. A VPN creates a new network-level connection on a machine. VPNs are generally divided into two categories:

• Remote access VPN: Used to connect a user to a private network and access its services and resources remotely.

• Site-to-site VPN: Typically used in corporations. Site-to-site VPNs connect the network of one corporate location to the network at another office location. With this VPN type, one router acts as a VPN client, and the other router acts as a VPN server. Communication between these two devices starts only after authentication is validated between the two parties.

Examples of VPN tunneling protocols include the following:

• Point-to-Point Tunneling Protocol (PPTP): PPTP was developed by a group of vendors. It consists of two components: the transport, which maintains the virtual connection, and the encryption, which ensures confidentiality. It can operate at 40 bits or 128 bits.

• Layer 2 Tunneling Protocol (L2TP): L2TP was created by Cisco and Microsoft to replace Layer 2 Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP). L2TP merged the capabilities of L2F and PPTP into one tunneling protocol. By itself, it provides no encryption, but it is deployed with IPsec as a VPN solution.

• Secure Sockets Layer (SSL): SSL was developed by Netscape for transmitting private documents over the Internet. Unlike S-HTTP, SSL is application independent. One of the advantages of SSL is its cryptographic independence. The protocol is merely a framework for communicating certificates, encrypted keys, and data. The most robust version of SSL is SSLv3, which provides for mutual authentication and compression.

• Transport Layer Security (TLS): TLS encrypts the communication between a host and a client. TLS typically makes use of an X.509 digital certificate for server authentication. This mechanism provides strong authentication of the server to the client, so the client can trust that it is connected to the correct remote system. TLS consists of two protocols: the TLS Record Protocol and the TLS Handshake Protocol.

• IP Security (IPsec): Widely used for VPNs, IPsec can provide Encapsulating Security Payload (ESP) and/or an authentication header (AH). ESP provides confidentiality by encrypting the data packet. AH provides integrity and authentication.

Physical and Environmental Access Controls

The first line in the defense-in-depth model is the design and placement of exterior controls. Auditors should have an understanding of how these controls are used for the protection of information assets. As an auditor, you may be asked to be a part of a team to review the design of a new facility, and you might have the ability to ensure that many of these controls are added during design. That’s not always the case, however; often you are tasked with examining an existing facility. In both new and old facilities, the goal should be to look for controls that have been designed so that the breach of any one defensive layer will not compromise the physical security of the organization. Perimeter security controls can be any physical barrier, such as a wall, card-controlled entry, or a staffed reception desk. The same types of authentication systems that are used for logical access are also needed for physical access control. This can include badges, smart cards, biometrics, and so on. Perimeter security requires examination of the following:

• Natural boundaries at the location

• Fences or walls around the site

• Physical access control

• Gates, access doors, the delivery dock, and entry points

• The design of the outer walls of a building

• Lighting and exterior design of the complex

Fences, Gates, and Bollards

Fences are one of the simplest levels of physical defense and one of the key components of perimeter security. When it is of the proper design and height, fencing can delay an intruder and also work as a psychological barrier. Just think about the Berlin Wall. This monument to the Cold War was quite effective in preventing East Germans from escaping to the west. Before its fall in 1989, most individuals who escaped to the west did so by hiding in trunks of cars or by bribing guards. The wall worked as a strong physical as well as psychological barrier. Does the height or gauge of wire used in the fence matter? Yes. Taller fences with thicker gauge wire work better at deterring determined intruders, as outlined in Table 8-2 and Table 8-3.

Table 8-2 Fence Mesh and Gauge

Type   Security         Mesh       Gauge
A      Extremely high   3/8 inch   11 gauge
B      Very high        1 inch     9 gauge
C      High             1 inch     11 gauge
D      Greater          2 inch     6 gauge
E      Normal           2 inch     9 gauge

Table 8-3 Fence Height and Purpose

Height              Security      Description
3–4 feet            Very little   Will deter only casual trespassers.
6–7 feet            Moderate      Too tall to easily climb.
8 feet or greater   High          Of sufficient height to deter determined intruders. Topping with three strands of razor wire gives the fence even greater security.

Organizations that require very high security might consider using a perimeter intrusion detection and assessment system (PIDAS). This special fencing system works somewhat like an intrusion detection system in that it has sensors to detect someone climbing or cutting the fence.

Although fences are a good start, more physical controls, such as proper gates, can help. Gates act as chokepoints to control the ingress and egress of employees and visitors into and out of the facility. Just as with fences, standards govern the strength of gates and the security of their design, as detailed in UL Standard 325.

In addition to people, vehicles must also be restricted and otherwise controlled on the grounds of a facility. One method of controlling vehicles is to use bollards. Made of concrete or steel, bollards are used to block vehicular traffic. You might have noticed them in front of the doors of a facility or at a shopping mall; sometimes they even look like large flower pots. Regardless of their shape, they are designed for one purpose: to prevent cars and trucks from ramming into a building and smashing doors. Recently designed bollards have electronic sensors to detect collisions and notify building inhabitants that someone has rammed the facility. Although fences are considered the first line of defense, bollards are a close second because they further protect employees and the facility from common smash-and-grab techniques and terrorist car bombings.


Tip

CISA exam candidates must understand that some physical controls cannot be tested. For example, you most likely will not set off a fire extinguisher, but you can make sure that the fire extinguisher has been serviced regularly and refilled as regulations recommend. Auditing physical controls requires mainly observation. While touring a facility, visually observe the safeguards discussed throughout this chapter and note their presence or absence.


Other Physical and Environmental Controls

A few other exterior controls can further secure the facility:

• Using dogs for guard duty: Breeds such as German Shepherds and Chow Chows have been used for centuries to guard facilities and assets. Dogs can be trained and are loyal, obedient, and steadfast, yet they are sometimes unpredictable and could bite or harm the wrong person. Because of these factors, dogs are usually restricted to exterior premises control and should be used with caution.

• Adopting a low-key design: The last thing an organization that handles sensitive information or high-value assets wants to do is to advertise its presence to attackers or others that might target the facility. A building or department should be discreetly identified. Server rooms, computer rooms, and other sensitive areas should not be easily visible and should contain no windows.

• Controlling points of entrance: Just as gates are used to control how individuals can enter and leave the property, doors should be used to control access into the building. All unnecessary entry points to the grounds and the facility should be eliminated.

• Using adequate lighting: Lighting provides great perimeter protection. Far too much criminal activity happens at night or in poorly lit areas. Outside lighting discourages prowlers and thieves. Failure to adequately light parking lots and other high-traffic areas also could lead to lawsuits if an employee or a visitor is attacked in a poorly lit area. Effective lighting means that the system is designed to put the light where it is needed at the proper wattage. More light isn’t necessarily better: Too much light causes overlighting and glare.

During an audit of physical security, the auditor will need to look for a number of controls that should be present. These controls include warning signs or notices posted to deter trespassing, and the auditor should also check any item that might allow an attacker to bypass physical security. This includes securing any opening that is 96 square inches or larger within 18 feet of the ground, such as manholes and tunnels, gates leading to the basement, elevator shafts, ventilation openings, and skylights. Even the roof, basement, and walls of a building might contain vulnerable points of potential entry and should, therefore, be assessed. When these activities have been completed, the auditor can move on to analyzing interior controls.

Using Guards to Restrict Access

Guards are a very basic type of protection. Guards have one very basic skill that sets them apart from computerized gear: discernment. Guards have the ability to make a judgment call, to look at something and know that it is just not right. Computerized premises-control equipment has actually increased the need for guards because someone must manage all these systems. Guards also can play a dual role by answering the phone, taking on the role of receptionist and escorting visitors while in the facility. If guards are being used at a facility you are visiting, look closely to see how they are used because the principle of defense-in-depth can also be applied here. Guards are most useful with locked doors used in conjunction with closed-circuit TV (CCTV) systems. The CCTV systems can be actively monitored or recorded and watched later. CCTV systems don’t prevent security breaches; they just alert the guard to a potential problem as it is occurring or afterward.

Guards do have some disadvantages—after all, they are human. Guards are capable of poor judgment and can make mistakes. Therefore, if an organization hires guards from an external vendor, they should be bonded to protect the agency from loss.

Whether or not a guard is in place, the movement of visitors throughout a facility should be controlled. Anyone entering the building, including friends, visitors, vendors, contractors, and even maintenance personnel, should be escorted. A mantrap, also called a deadman door, can control access into or out of the facility; these usually are found at the entryways of high-security areas and require the outer door to be closed before authentication can take place and the inner door is opened. This is really just a system of doors that are arranged so that when one opens, the other remains locked. Some organizations also use turnstiles to control the ingress and egress of employees and visitors.


Note

Maintenance procedures of security controls should not be overlooked. An auditor should review who is authorized to work on the controls, how they have been vetted, and what level of access they have. Each of these factors is important.


Locks

Mechanical locks are one of the most effective and widely used forms of access control. Nothing provides as great a level of protection for so little cost. Locks have been used for at least 4,000 years. The Egyptians used locks made of wood. Lock design improved during the 1700s, when warded and tumbler locks began to be used. These are the two most common types of locks used today.

The warded lock, the most basically designed mechanical lock still in use, uses a series of wards that a key must match up to. This is the cheapest type of mechanical lock and also the easiest to pick. You can find these at any local hardware store, but they should not be used to protect a valuable asset.

Tumbler locks are considered more advanced because they contain more parts and are harder to pick. Linus Yale patented the modern tumbler lock in 1848. When the right key is inserted into the cylinder of a tumbler lock, the pins are lifted to the right height so that the device can open or close. The correct key has the proper number of notches and raised areas that allow the pins to be shifted into the proper position. The pins are spring-loaded so that when the key is removed, the pins return to the locked position. Figure 8-4 shows an example of a tumbler lock.

An image of a common type of pin tumbler lock, of the euro cylinder type.

Figure 8-4 Tumbler Lock

Another common form of lock is a tubular lock. Tubular locks, also known as Ace locks, are considered very secure because they are harder to pick. A tubular lock requires a round key, as the lock itself has the pins arranged in a circular pattern. These are used for computers, vending machines, and other high-security devices.

When examining locks, remember that you get what you pay for: More expensive locks are usually better made. The quality of a lock is determined by its grade. Table 8-4 describes the three grades of locks.

Table 8-4 Lock Grades

| Quality | Description                                                 |
|---------|-------------------------------------------------------------|
| Grade 3 | Consumer locks of the weakest design                        |
| Grade 2 | Light-duty commercial locks or heavy-duty residential locks |
| Grade 1 | Commercial locks of the highest security                    |

Different types of locks provide different levels of protection. The American National Standards Institute (ANSI) defines the strength and durability of locks. For example, Grade 3 locks are designed to function for 200,000 cycles, a Grade 2 lock must function for 400,000 cycles, and a Grade 1 lock must function for 800,000 cycles. Higher-grade locks are designed to withstand much more usage and are less likely to fail or wear to the point that they can be easily bypassed. Thus, it’s important to select the appropriate lock to obtain the required level of security.

One way to bypass a lock is to pick it. This is usually not a criminal’s preferred method. Breaking a window, prying a doorframe, or even knocking a hole in sheetrock might all be faster methods to gain access. Individuals who pick locks do so because it is a stealthy way to bypass security controls and might make it harder for victims to figure out that they have been compromised. These basic components are used to pick locks:

• Tension wrenches: These are not much more than a small angled flathead screwdriver. They come in various thicknesses and sizes.

• Picks: As the name implies, these are similar to a dentist’s pick. Picks are small, angled, and pointed.

Together, these tools can be used to pick a lock. One of the easiest techniques to learn is scrubbing, which is accomplished by applying tension to the lock with a tension wrench and then quickly scraping the pins. Some of the pins are placed in a mechanical bind and stuck in the unlocked position.


Note

Company keys should be stamped “Do Not Duplicate.”


Lighting

Lighting is a common type of perimeter protection. Terms used for the measurement of light include lumen, lux, and foot-candle. One lux is one lumen per square meter, and one foot-candle is one lumen per square foot. Some common types of exterior lights include

• Floodlights

• Streetlights

• Searchlights

Take a moment to look at how the lights are configured the next time you do a physical walk-through or audit of a facility. Outside the company, you will most likely see rows of lights placed evenly around the facility. That is an example of continuous lighting. Areas such as exits, stairways, and building evacuation routes should be equipped with standby lighting. Standby lighting activates only in the event of power outages or during emergencies. Security checkpoints are another location where you will see careful design of the illumination. Here, lights are aimed away from the guard post so that anyone approaching the checkpoint can easily be seen and guards are not exposed in the light. This is an example of glare protection. Glare and overlighting can cause problems by creating very dark areas just outside the range of the lighted area. Exterior lighting involves a balance between too little light and too much light. Each exterior light should cover its own zone but still allow for some overlap between zones.

CCTV

CCTV can be used as a preventive or detective control. Before the first camera is installed, several important questions must be answered. If the CCTV system is to be used in a real-time, preventive role, a guard or another individual is needed to watch as events occur. If the CCTV system is being used after the fact, it is functioning as a detective control. Different environments require different systems.

If a CCTV system is to be used outside, the amount of illumination is important. Illumination is controlled by an iris that regulates the amount of light that enters the CCTV camera. An automatic iris is designed to be used outside, where the amount of light varies between night and day, whereas a manual iris is used for cameras to be used indoors. CCTV cameras can even be equipped with built-in LEDs or configured for infrared recording.

The depth of field is controlled by the focal length of the lens. Although some systems have fixed focal lengths, others offer the capability to pan, tilt, and zoom (PTZ), allowing the operator to zoom in or adjust the camera as needed. Older CCTV cameras are analog, whereas most modern cameras capture enhanced detail quickly by the use of charge-coupled devices (CCDs). A CCD is similar to the technology found in a fax machine or a photocopier.

A CCTV system can be wired or wireless and comprises many components, including cameras, transmitters, receivers, recorders, monitors, and controllers. CCTV systems provide effective surveillance of entrances and critical access points. If employees are not available to monitor in real time, activity can be recorded and reviewed later. If you are auditing CCTV systems, also consider the rights of workers to privacy or notification of the absence of privacy and consider the existence of potential blind spots.

Heating, Ventilation, and Air Conditioning (HVAC)

Do you know what can be hotter than Houston in the summer? A room full of computers without proper HVAC. Plan for adequate power for the right locations. Rooms that have servers or banks of computers and other IT gear need adequate cooling to protect the equipment. Electronic equipment is quite sensitive; temperatures above 110°F to 115°F can damage circuits. Most data centers are kept around 70°F. Just keep in mind that data center temperature guidelines are only recommendations, and the actual temperature can vary widely from company to company.

High humidity can be a problem because it causes rust and corrosion. Low humidity increases the risk of static electricity, which could damage equipment. The ideal humidity for a data center is 35 to 45 percent.

Ventilation is another important concern. Facilities should maintain positive pressurization and ventilation to control contamination by pushing air outside. This is especially important in case of fire because it ensures that smoke will be pushed out of the facility instead of being pulled in.

The final issue with HVAC is access control. Controlling who has access to the system and how they can be contacted is an important issue. These systems must be controlled to protect organizations and their occupants from chemical and biological threats.

Security Controls for Hardware and Software

The purpose of security controls is to provide reasonable assurance that the hardware and software used by an organization operates as intended, the data is reliable, and the organization is in compliance with applicable laws and regulations. While physical controls can include locks, lighting, and guards, one of the primary controls for software and data is encryption.

Securing Voice Communications

Securing voice communication is a critical concern of an auditor. Long ago, that would have meant protecting analog phone lines. Long before modern-day hacking, phreakers were practicing their trade. Phreaking is the art of hacking phone systems. This might sound like a rather complicated affair, but back in the early 1970s, John Draper discovered how to make free phone calls by using a Captain Crunch whistle. The 2600 Hz tone it produced is the same tone that was required to bypass the normal billing process. Phreakers might target insecure private branch exchange (PBX) systems. By selling time on the victim’s PBX phone network, the phreaker might run up thousands of dollars in phone charges before the company is aware it is happening. These types of hacks use other companies’ PBX systems to sell fake auto insurance policies, run cruise ship scams, and carry out other types of social engineering attacks. PBX systems might not be their only target; Voice over IP (VoIP) is another potential target.

Auditors must plan for enough time and resources to examine PBX systems and their features. Common features such as direct inward dial (DID) can be problematic; an external party can use DID to request a dial tone and then call anywhere in the world for free. Most PBX systems also have the capability to do call logging and auditing, which should be enabled to better track telecommunication activity. Finally, all fax machines and modems connected to the PBX should be identified and recorded with the proper documentation.

VoIP offers organizations a low-cost alternative to traditional long-distance services and analog PBX systems. VoIP functions by placing the voice data into packets and sending them over a packet-switched network. With so much going for it, you might wonder what the disadvantage is. There are actually several. As VoIP is being transmitted over the data network, any break can cripple both the data network and the voice network. If the organization is using the Internet to route calls, none of the protection mechanisms of the public switched telephone network (PSTN) exist. Five hops, six hops, or even more intermediate systems might stand between the sender and the receiver. Any one of them could be used to intercept the call, listen to the call, or forward the call to a malicious third party. Although countermeasures are available, VoIP communication is vulnerable to many attacks, including spoofing, eavesdropping, and denial of service. (For VoIP best practices, security tools, and in-depth information, check out the VoIP Security Alliance website, at http://voipsa.org.)

Encryption’s Role as a Security Control

Encryption involves obscuring information and rendering it unreadable to those without special knowledge. A CISA candidate should have knowledge of encryption-related techniques and their uses. Encryption has been used for many centuries by many cultures. Caesar had an encryption standard known as Caesar’s cipher, and the ancient Hebrews had one called Atbash. Almost as long as there has been encryption, others have been trying to break encrypted messages. Breaking encrypted messages is known as cryptanalysis. In the ninth century, Abu al-Kindi published what is considered to be the first paper to discuss how to break cryptographic systems, titled “A Manuscript on Deciphering Cryptographic Messages.” People have long been trying to protect sensitive information, and others have at the same time been trying to reveal it.

Although encryption cannot prevent the loss of data or protect against denial of service, it is a valuable tool to protect the assets of an organization. Encryption can be used to provide confidentiality, integrity, authenticity, and nonrepudiation. Before covering the nuts and bolts of encryption, you need to know a few basic terms to better understand encryption and its components:

• Algorithm: The rules or mathematical formula used to encrypt and decrypt data.

• Cryptography: The study of secret messages, derived from the Greek terms kryptos, which means “hidden,” and grafein, which means “to write.”

• Ciphertext: Data that is scrambled and unreadable.

• Cryptographic key: The value used to control a cryptographic process.

• Plaintext: Cleartext that is readable.

• Encryption: The process of transforming data into an unreadable format.

• Symmetric encryption: An encryption method that uses the same key to encode and decode data.

• Asymmetric encryption: An encryption method that uses one key for encryption and a different key for decryption. Each participant is assigned a pair of keys, consisting of an encryption key and a corresponding decryption key.

Encryption systems must be strong to serve their required purpose. The strength of the encryption system is based on several factors:

• Algorithm: Remember that this is the set of instructions used with the cryptographic key to encrypt plaintext data. Not all algorithms are of the same strength. For example, Caesar might have thought his system of encryption was quite strong, but it is seen as relatively insecure today.

• Cryptographic key: A user needs the correct key to encrypt or decrypt the information. For example, when my brother was a teenager, my parents took the key to his car for violating curfew. Without the key, he had no way to use the car. Had he made a copy, access would have still been possible.

• Key length: Weak keys are easily subverted, whereas stronger keys are hard to break. How strong a key needs to be depends on the value of the data. High-value data requires more protection than data that has little value. More valuable information needs longer key lengths and more frequent key exchange to protect against attacks.

Modern encryption systems use either symmetric or asymmetric encryption. Each method has unique abilities and specific disadvantages. Symmetric encryption uses a single shared key to encrypt and decrypt data. Asymmetric encryption uses two different keys for encryption and decryption. Each user must maintain a pair of keys. The following sections discuss each of these methods in much more detail; however, first take a quick look at the advantages and disadvantages of each method, as shown in Table 8-5.

Table 8-5 Attributes of Symmetric and Asymmetric Encryption

| Type of Encryption | Advantages                                                            | Disadvantages                                       |
|--------------------|-----------------------------------------------------------------------|-----------------------------------------------------|
| Symmetric          | Faster than asymmetric encryption                                     | Key distribution; provides only confidentiality     |
| Asymmetric         | Easy key exchange; can provide confidentiality and authentication     | Slower than symmetric encryption                    |


Tip

Symmetric encryption is faster than asymmetric encryption, but it provides only confidentiality. Asymmetric encryption provides confidentiality and authentication, but it is slower than symmetric algorithms.


Private Key Encryption

Symmetric encryption uses a single shared secret key for encryption and decryption. Symmetric algorithms include the following:

• Data Encryption Standard (DES): One of the most well-known symmetric algorithms and the first national standard. DES has been replaced by 3DES and AES.

• Triple Data Encryption Standard (3DES): A short-term replacement for DES designed to apply the DES cipher three times to each block of data. This stop-gap solution was designed to be used until a long-term replacement for DES was approved. 3DES was replaced by AES.

• Blowfish: A general-purpose symmetric algorithm intended as a replacement for DES, replaced by Advanced Encryption Standard (AES) and Twofish.

• Rijndael: A block cipher that the U.S. government adopted as AES to replace DES.

• Rivest Cipher 4 (RC4): A stream-based cipher.

• Rivest Cipher 5 (RC5): A block-based cipher.

• Secure and Fast Encryption Routine (SAFER): A block-based cipher.

All symmetric algorithms are based on the single shared secret key concept, illustrated in Figure 8-5.

An illustration of symmetric single shared secret key algorithm.

Figure 8-5 Symmetric (Secret Key) Encryption

The strength of symmetric encryption depends on how well the private key is protected. One key is used to both encrypt and decrypt. The dual use of keys makes this system simple and also causes its weakness. Symmetric encryption is fast and can encrypt and decrypt very quickly; it also is considered strong. Symmetric encryption is very hard to break if a large key is used. Even though symmetric encryption has strengths, it also has disadvantages.

One disadvantage of symmetric encryption is key distribution. For symmetric encryption to be effective, there must be a secure method for transferring keys, and it must be done by some type of out-of-band method. For example, if Bob wants to send Alice a secret message but is afraid that a third party can monitor their communication, how can he send the message? If the key is sent in cleartext, the third party can intercept it. Bob could deliver the key in person, mail it, or even send a courier. None of these methods is practical in the world of electronic communication.

Another disadvantage of symmetric encryption is key management. For example, a user who needs to communicate with 10 people would need many unique keys. To calculate the numbers of keys needed in symmetric encryption, use this formula:

N (N – 1)/2

So, in this example, a user who needs to communicate with 10 people would need this many keys:

10 (10 – 1)/2 = 45 keys

You can see that as the number of users increases, so does the problem of key management.

Another problem with symmetric encryption is that it provides only confidentiality. If other services are needed, such as integrity or nonrepudiation, asymmetric encryption must be considered.

Data Encryption Standard (DES)

The National Bureau of Standards (NBS) published DES as a standard in 1977. NBS is now known as the National Institute of Standards and Technology (NIST). DES is considered a block cipher algorithm. The other type of symmetric algorithm is a stream cipher. Block and stream ciphers are defined as follows:

• Block ciphers: These ciphers divide a message into blocks for processing.

• Stream ciphers: These ciphers process a message one bit (or byte) at a time.

Because DES is a block cipher, it divides the input data into fixed-size blocks. If the last block is short, padding is added to make sure all the blocks are the same size. DES processes 64-bit blocks of plaintext and outputs 64-bit blocks of ciphertext. DES uses a 56-bit key; the remaining 8 bits of the 64-bit key are used for parity. DES works by means of permutation, a method of scrambling the input. DES performs 16 rounds of scrambling on each 64-bit block. DES has different modes of operation, such as Electronic Code Book (ECB) and Cipher Block Chaining (CBC).

Although DES provided years of useful service, nothing lasts forever; the same is true of DES, which became the victim of increased computing power. Just as Moore’s law predicted, processing power has doubled about every 18 to 24 months. As a result, an encryption standard that might have taken years to brute-force crack in 1977 takes much less time to crack in 2017. The final demise of DES came in 1998 when the Electronic Frontier Foundation (EFF) was able to crack DES in about 23 hours. (Although this sounds easy, the actual attack used distributed computing and required more than 100,000 computers.) This demonstrated the need for stronger algorithms. The short-term fix for the problem was to implement 3DES, which can use two or three keys and encrypts each block multiple times. 3DES has a 168-bit key length. Even this was seen as just a stopgap measure. Therefore, NIST began looking for a new system to replace DES. This new standard was to be referred to as Advanced Encryption Standard (AES).

Advanced Encryption Standard (AES)

NIST provided the guidelines for AES so that vendors could submit their algorithm for review. At the conclusion of this process, NIST chose Rijndael (pronounced rain doll) as the choice for the AES standard. Rijndael is a block cipher that supports variable key and block lengths of 128, 192, or 256 bits. It is considered a fast, simple, robust encryption mechanism. Rijndael is also known to be very secure. Even if attackers used distributed computing and invested millions of dollars in computing power, Rijndael should be resistant to attacks for many years to come. Therefore, it is the symmetric algorithm of choice when high security is needed.

Public Key Encryption

Public key encryption is a type of encryption method that was designed to overcome the weaknesses of symmetric encryption and facilitate e-commerce. It’s a rather new discovery: Dr. W. Diffie and Dr. M. E. Hellman developed the first public key exchange protocol in 1976. Public key encryption differs from symmetric encryption in that it requires two keys: one to encrypt data and one key to decrypt data. These keys are referred to as public and private keys. The public key can be published and given to anyone, whereas the user keeps the private key secret.

Public key cryptography is made possible by the difficulty of factoring the product of large prime numbers or of computing discrete logarithms. Both make it possible to set up one-way functions, also called trapdoor functions. For example, given the prime numbers 387 and 283, it is easy to multiply them and get 109,521. However, if you are given only the number 109,521, it’s quite difficult to extract the two factors 387 and 283. The CISA exam does not expect you to calculate these numbers or perform advanced math. However, you do need to know that anyone who has the trapdoor values can perform the function in both directions, but anyone who lacks them can perform it in only one direction. This means that anyone with the public key can perform encryption and signature verification, while only the holder of the private key can perform decryption and signature generation.

Diffie-Hellman, RSA, and ECC are all popular asymmetric algorithms. Figure 8-6 illustrates public key encryption.

An illustration depicting Asymmetric Public Key algorithm for encryption.

Figure 8-6 Asymmetric (Public Key) Encryption


Tip

While CISA exam candidates are not expected to understand the inner workings of a specific algorithm, they should understand what specific algorithms are used for and what their proper application is. As an example, symmetric encryption works well for bulk encryption, whereas asymmetric encryption excels at key exchange and key management.



Tip

With asymmetric encryption, the sender encrypts the information with the receiver’s public key. The receiver decrypts the information with his or her own private key.


RSA Encryption

Ron Rivest, Adi Shamir, and Len Adleman developed RSA, which is strong even though it is not as fast as symmetric encryption. The RSA cryptosystem is found in many products, including Microsoft Internet Explorer and Mozilla Firefox. RSA supports a key size up to 2,048 bits. RSA is used for both encryption and digital signatures. Because asymmetric encryption is not as fast as symmetric encryption, the two are often used together, thereby coupling the strengths of both systems. The asymmetric protocol is used to exchange the shared secret key, and the actual communication is performed with symmetric encryption.

Elliptic Curve Cryptography (ECC)

ECC is another asymmetric algorithm. It requires less processing power than some of the algorithms previously discussed. It’s useful in hardware devices such as cell phones and tablets.

Quantum Cryptography

Quantum cryptography is seen as the next big step in encryption. Unlike traditional encryption, which is based on mathematics, quantum cryptography is based on the random polarization of photon light pulses. Any third-party attempt to intercept the photons will disturb the photons’ quantum state and raise an alarm. This technology holds much promise. The first implementation of quantum cryptography was set up in 2004 in Cambridge, Massachusetts.

Hashing and Digital Signatures

Hashing is used to produce a message digest. Hashing verifies the integrity of data and messages. A well-designed message digest function such as MD5 or SHA reduces a large amount of data to a small, fixed-size hash, as illustrated in Figure 8-7. Even a small change to the data produces a large change in the message hash.

• MD5: Provides 128-bit output

• SHA: Provides 160-, 256-, or 512-bit output

Figure 8-7 The Digital Signature Process (illustration: the original document is passed through a one-way hash to produce a digital fingerprint)


Note

One reason that hashing algorithms have moved to longer output strings, such as 512-bit strings, is that this makes collisions less likely. A collision occurs when two different inputs produce the same output. Collisions are unavoidable in principle because a hash function accepts input of any length but has a fixed output length, so there are always more possible inputs than outputs and two different inputs can produce the same hash.



Tip

While hashing is used for integrity, it can be targeted for attack. A hash collision attack is used to attempt to find two input strings of a hash function that produce the same hash result. While not particularly easy, collisions are possible.


Now let’s turn our attention to how hashing and asymmetric algorithms are used for authentication. The application of asymmetric encryption for authentication is known as a digital signature. Digital signatures are much like signatures in real life because they validate the integrity of the document and the sender. Hashing algorithms used in the digital signature process include MD4, MD5, SHA, and HAVAL. Here’s how the digital signature process works:

1. Bob produces a message digest by passing a message through a hashing algorithm.

2. The message digest is encrypted using Bob’s private key.

3. The message is forwarded to the recipient, Alice.

4. Alice creates a message digest from the message with the same hashing algorithm that Bob used. Alice then decrypts Bob’s signature digest by using Bob’s public key.

5. Alice compares the two message digests, the one originally created by Bob and the other that she created. If the two values match, Alice can be confident that the message is unaltered.


Tip

Digital signatures are created by encrypting a hash of the message with the sender’s private key. Digital signatures provide both integrity and authentication.


Public Key Infrastructure (PKI)

Per ISACA requirements, CISA candidates should have a basic understanding of public key infrastructure (PKI). PKI is a framework that consists of hardware, software, and policies to manage, create, store, and distribute keys and digital certificates. In face-to-face transactions, it’s easy to know who you are dealing with. When dealing with companies over the Internet, it’s hard to establish the same level of trust. The primary goal of PKI is to provide trust. It works much like a state driver’s license bureau. For example, to enter most airports, you must show proof of identification. In most cases, this is done with a driver’s license. Airport employees trust driver’s licenses because they have confidence in the state that issued them. Companies such as Verisign fill a similar role in providing a level of trust between two unknown parties. PKI is built on public key encryption. The components of the PKI framework include the following:

• Certificate authority (CA): A person or group that issues certificates to authorized users. The CA creates and signs the certificate. The CA is the one that guarantees the authenticity of the certificate.

• Certificate revocation list (CRL): The CA maintains the CRL. The list is signed to verify its accuracy and is used to report problems with certificates. When presented with a digital certificate, anyone can check the CRL to verify that the certificate is still valid and has not been revoked.

• Registration authority (RA): The RA reduces the load on the CA. The RA cannot generate a certificate, but it can accept requests, verify an owner’s identity, and pass along the information to the CA for certificate generation.

• Certificate server: The certificate server maintains the database of stored certificates.

• X.509 standard: This is the accepted standard for digital certificates.

When a user goes to a website that uses PKI, the certificate is presented to the user when he or she initiates a transaction. The user’s system then checks the certificate by querying the CA’s database. If the certificate is valid, the transaction continues. Figure 8-8 shows a valid digital certificate. If there is a problem with the certificate, the user is notified, as shown in Figure 8-9.

Figure 8-8 A Digital Certificate (screenshot of a valid digital certificate)

Figure 8-9 A Certificate Error (screenshot of the error shown to the user)


Tip

A digital certificate must always contain the owner’s public key, the expiration date, and the owner’s information.


Using Cryptography to Secure Assets

Although you need to know how encryption mechanisms work for the CISA exam, what is even more important to know is how the systems are used to provide real-world solutions. To better understand that concept, let us start by quickly reviewing the Open Systems Interconnection (OSI) reference model. The OSI reference model defines seven layers in which services, applications, and protocols are divided. Real-world cryptographic solutions can be found at many of these layers. It is generally agreed that cryptographic solutions exist at all except the physical layer. With so many choices of where to place a cryptographic solution, how do you know which is the right layer for implementation? That depends. Cryptographic solutions at the application layer are somewhat intrusive but offer the most flexibility because they can be designed to blend into the application and build a more seamless solution. Further down the stack, at the transport and network layers, encryption is more transparent yet more costly and can be complex because different systems and applications might need to communicate. Toward the bottom of the stack is the data link layer. Encryption added here is primarily for the LAN because different frame formats are designed according to different standards.

Table 8-6 provides an overview of some of these cryptographic solutions in relation to the OSI model. Some of the options shown are discussed shortly.

Table 8-6 Attributes of Symmetric and Asymmetric Encryption and the OSI Reference Model

TCP/IP        OSI Layer (ISO 7498-1)   Security Control     Security Model (ISO 7498-2)
Application   Application              SSH, PGP, SET        Authentication
              Presentation             SSL and TLS          Access control
              Session                                       Nonrepudiation
Transport     Transport                                     Data integrity
Network       Network                  IPsec                Confidentiality
Physical      Data link                PPTP, L2TP, WPA2     Assurance
              Physical                                      Notarization

An organization could decide to use encryption that encrypts only the data payload, known as end-to-end encryption. Or an organization might determine that everything needs to be encrypted, including the data and the header; that is known as link encryption. End-to-end encryption encrypts the message and the data packet, but the header, IP addresses, and routing information are left in cleartext. The advantage of this type of encryption is speed. The disadvantage is that some information, such as addresses, is left in the clear. Link encryption encrypts everything, including the header, addresses, and routing information. Its advantage is that no one can determine the original source or the final destination. The disadvantage is that all intermediate devices, such as routers, must have the necessary keys, software, and algorithms to encrypt and decrypt the packets. This adds time and complexity.
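To make the difference concrete, here is an added example (not from the book) that models the two modes: a packet with a header and payload goes on the wire either with only the payload encrypted (end-to-end) or with the whole packet encrypted and re-keyed at every router (link encryption). The keystream cipher, built from SHA-256 in counter mode, is an assumption of this example chosen because it needs only the standard library; it is not a recommended cipher. The function observer_view shows what an eavesdropper on the link can read in each case.

```python
"""Added example (not from the book): what an eavesdropper sees under
end-to-end versus link encryption. The keystream cipher below (SHA-256 in
counter mode, XORed into the data) is an assumption of this example chosen
because it needs only the standard library; it gives no integrity protection
and is not a substitute for an authenticated cipher such as AES-GCM.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_LEN = 32  # fixed-size cleartext header: "src>dst" padded with spaces


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with a SHA-256 keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def encode_header(src: str, dst: str) -> bytes:
    return f"{src}>{dst}".encode("ascii").ljust(HEADER_LEN)


def decode_header(header: bytes) -> Tuple[str, str]:
    src, dst = header.decode("ascii").strip().split(">")
    return src, dst


# --- End-to-end encryption: payload protected, header in the clear ----------

def end_to_end_encrypt(pkt: Packet, session_key: bytes) -> bytes:
    return encode_header(pkt.src, pkt.dst) + keystream_xor(session_key, pkt.payload)


def end_to_end_decrypt(wire: bytes, session_key: bytes) -> Packet:
    src, dst = decode_header(wire[:HEADER_LEN])
    return Packet(src, dst, keystream_xor(session_key, wire[HEADER_LEN:]))


# --- Link encryption: whole packet protected, hop by hop --------------------

def link_encrypt(pkt: Packet, hop_key: bytes) -> bytes:
    return keystream_xor(hop_key, encode_header(pkt.src, pkt.dst) + pkt.payload)


def link_decrypt(wire: bytes, hop_key: bytes) -> Packet:
    plain = keystream_xor(hop_key, wire)
    src, dst = decode_header(plain[:HEADER_LEN])
    return Packet(src, dst, plain[HEADER_LEN:])


def forward_over_link(wire: bytes, inbound_key: bytes, outbound_key: bytes) -> bytes:
    """What each router must do under link encryption: decrypt with the key of
    the link the packet arrived on, then re-encrypt with the key of the next
    link. This is why every intermediate device needs keys and cipher support."""
    return link_encrypt(link_decrypt(wire, inbound_key), outbound_key)


# --- The eavesdropper's view ------------------------------------------------

def observer_view(wire: bytes) -> Optional[Tuple[str, str]]:
    """Return (src, dst) if the header is readable on the wire, else None."""
    try:
        text = wire[:HEADER_LEN].decode("ascii")
    except UnicodeDecodeError:
        return None
    if ">" not in text or not text.isprintable():
        return None
    src, dst = text.strip().split(">", 1)
    return src, dst


if __name__ == "__main__":
    pkt = Packet("10.0.0.5", "10.0.0.9", b"account balance: 4200")  # constructed
    print("end-to-end, observer sees:", observer_view(end_to_end_encrypt(pkt, b"session-key")))
    print("link, observer sees:", observer_view(link_encrypt(pkt, b"link-key")))
```

Running it prints the source and destination addresses for the end-to-end case and None for the link case, which is exactly the trade-off in the paragraph above: end-to-end leaves the routing information exposed, while link encryption hides it at the cost of giving every hop a key.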

With so many ways to encrypt data, you might think that these solutions could be used to build perfect security, but unfortunately, that’s not true. Attacks also can be launched against encryption systems, as discussed next.

Internet Security Protocols

Now let’s quickly review some of the better-known cryptographic systems that can be applied for confidentiality, integrity, and/or nonrepudiation:

• Secure Shell (SSH): An application-layer program that provides secure remote access. It is considered a replacement for Telnet.

• Secure Electronic Transaction (SET): An application-layer program developed by Visa and MasterCard to secure credit card transactions. SET uses a combination of digital certificates and digital signatures among the buyer, merchant, and bank to ensure privacy and confidentiality.

• Secure/Multipurpose Internet Mail Extensions (S/MIME): A program that adds security to email and uses both digital signatures and public key encryption. Support also is provided for X.509 digital certificates.

• Pretty Good Privacy (PGP): An application-layer secure mail solution that adds encryption and builds a web of trust. PGP requires users to sign and issue their own keys.


Tip

CISA exam candidates should have a high-level understanding of the configuration, implementation, and operation of network security controls such as encryption.


Protection of Information Assets

Security auditors have many duties and responsibilities, but one of the primary ones is to secure the network and protect the organization from both external and internal threats. This level of protection must be present from cradle to grave.

Information Life Cycle

Data life cycle control is a policy-based approach to managing the flow of an information system’s data throughout its life cycle from the point of creation to the point at which it is out of date and is destroyed or archived. The following steps for data classification are used to manage the information life cycle:

• Define the classification level

• Specify the criteria for classification

• Classify data

• Determine the responsibility of the data owner

• Identify the data custodian

• Indicate security controls

• Document any exceptions

• Review methods to transfer ownership

• Create a review policy

• Define termination procedures for declassification

• Perform security awareness training

Access Restriction

Having a data life cycle policy is just a start. Restriction of users to authorized facilities and hardware must also be considered. These restrictions can include the following:

• Physical controls: These controls can include locks, gates, fences, bollards, guards, lighting, and so on.

• Technical controls: These controls can include encryption, firewalls, NAC, SIEM, IDS, IPS, and so on.


Note

Packet filters, proxy firewalls, web application firewalls, stateful inspection firewalls, intrusion detection systems, and security information and event management (SIEM) are all examples of technical controls that can be used to help build defense-in-depth.


• Administrative controls: These controls can include separation of duties, dual control, mandatory vacations, security awareness training, and so on.

Laws Related to the Protection of Information

Some controls may not be optional. A CISA candidate should have knowledge of privacy principles and security controls to protect sensitive information. Some organizations may be subject to specific rules governing how information is stored, handled, or processed. Some examples are shown in Table 8-7.

Table 8-7 Compliance Laws

Law/Mandate                                                   Applicability
The Federal Information Security Management Act (FISMA)       Federal agencies
Health Insurance Portability and Accountability Act (HIPAA)   Any company handling medical data
The Gramm-Leach-Bliley Act (GLBA)                             Banks, brokerage companies, and insurance companies
The Family Educational Rights and Privacy Act (FERPA)         Educational institutions
The Children’s Internet Protection Act (CIPA)                 Schools' and libraries' Internet protections
The Payment Card Industry Data Security Standard (PCI DSS)    Credit card data


Note

PCI-DSS is a global standard, not a law. PCI-DSS requires protection of credit card data with proper security controls.



Note

What security controls does your organization use to protect sensitive data? CISA exam candidates should know that there should be a mix of administrative, technical, and physical controls.


Maintaining Compliance

Failure to maintain compliance can occur for many reasons, including the following:

• Lack of alignment to the business objectives and applicable external requirements

• General misunderstanding about the rationale for IT compliance

• Funding shortfalls

• Lack of continued support from top management

• Misconception of what IT compliance will do for the organization

The following are some tactics that can be used to maintain compliance:

• Regular assessment of security risks and controls

• Configuration and control of management processes

• Monitoring of security controls on an ongoing basis

• Annual audit of the security environment

• Change management

Monitoring is a process whereby the effectiveness of internal controls is assessed on a periodic or continuing basis. Monitoring can be achieved through periodic review, examination of log files, or even by means of keystroke logging.

Keyloggers, which can be hardware or software, are used by an employer to track the activity of users on company devices for purposes such as IT security and regulatory compliance. Employees must generally be aware of such activity and understand that they may be monitored. Informing employees that they are being monitored is required by employee privacy regulations in most countries.

Monitoring can be used for periodic audit activities and to help track what has occurred when something goes wrong. In this scenario, think of the log files as a type of insurance policy: after an event or system outage, a log file can be used to determine what someone has done and whether the problem was caused by hackers or insiders or was simply a technical problem.

Protection of Privacy

Controls should be placed on sensitive information to prevent it from ending up in the hands of the wrong individual. Privacy of personal information is a very important issue. Companies need to address this concern early by developing a companywide policy based on a privacy impact analysis (PIA). A PIA should determine the risks and effects of collecting, maintaining, and distributing personal information in electronic-based systems. The PIA should be used to evaluate privacy risks and ensure that appropriate privacy controls exist. Existing controls should be examined to verify that accountability is present and that compliance is built in every time new projects or processes are planned to come online. The auditor can use the PIA to review how information is handled or to help build a case for stronger controls.

The PIA is tied to three items:

• Technology: Any time new systems are added or modifications are made, reviews are needed.

• Processes: Business processes change, and, even though a company might have a good change policy, the change-management system might overlook personal information privacy.

• People: Companies change employees and others with whom they do business. Any time business partners, vendors, or service providers change, the impact of the change on privacy needs to be reexamined.

Privacy controls tend to be overlooked for the same reason that many security controls are overlooked. Management might have a preconceived idea that security controls will reduce the efficiency or speed of business processes. To overcome these types of barriers, senior management must make a strong commitment to security and demonstrate support. A key component of the process is security awareness and training. Most managers and users do not instinctively know about good security practices; they require education. Part of the educational process involves increasing awareness of the costs involved in sensitive information being lost. Risk-assessment activities aid in the process by informing employees of the actual costs for the loss of security. Knowing this information helps justify the controls needed to protect sensitive information. One of the controls is system access, our next topic of discussion.

Using Data Classification to Secure Critical Resources

Not all the assets you identify will have the same value. For example, a bank may place a much greater value on customer Social Security numbers than a list that contains branch locations and phone numbers. The best way to classify information is to place it into categories based on the value of the information. When the value is known, it becomes much easier to decide on the level of resources that should be used to protect the data. It wouldn’t make sense to spend more on protecting something of lesser value or worth.

Each level of classification that’s established should have specific requirements. Luckily for us, others have done much of this work, and two widely used schemes already exist to manage and control information: military and commercial (see Table 8-8).

Table 8-8 Data Classification Types

Commercial Business Classifications   Military Classifications
Confidential                          Top secret
Private                               Secret
Sensitive                             Confidential
Public                                Sensitive
                                      Unclassified


Tip

For the exam, you need to know that information can be classified by a military (confidentiality-based) system or a commercial (integrity-based) system. You should also know the labels used for both.


Regardless of which model is used, answering the following questions helps determine the proper placement of the information:

• Who owns the asset?

• Who controls access rights and privileges?

• Who approves access rights and privileges?

• What level of access is granted to the asset?

• Who currently has access to the asset?

Other questions the organization must address to determine the proper placement of the information include these:

• How old is the information?

• What laws govern the protection of the information?

• What regulations pertain to the information’s disclosure?

• What regulations or laws govern data retention?

• What is the replacement cost if the information is lost or corrupted?

Data Leakage and Attacks

Regardless of the controls that have been implemented, it’s just a matter of time before there is a data breach or exposure. According to the Verizon Data Breach report, around 60 percent of all data breaches are logical, and about 40 percent of them are caused by physical security breaches. See http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.

Attacks Against Encryption

Attacks on cryptographic systems are nothing new. If malicious individuals believe that information has enough value, they will try to obtain it. Cryptographic attacks can use many methods to attempt to bypass the encryption someone is using. An attack might focus on a weakness in the code, cipher, or protocol, or it might be aimed at key management. Even if they cannot decrypt the data, attackers might be able to gain valuable information just from monitoring the flow of traffic. E-commerce has increased the potential bounty for malicious users. Attackers typically target transactional databases in an attempt to steal names, Social Security numbers, credit card numbers, and so on. Common types of cryptographic attacks include the following:

• Known plaintext attack: This type of attack requires the hacker to have both the plaintext and the ciphertext of one or more messages. For example, if a WinZip archive is encrypted and the hacker can find one of the files in its unencrypted state, the two together provide the attacker with both plaintext and ciphertext. These two items can then be used to recover the cryptographic key and decrypt the remaining files in the archive.

• Ciphertext-only attack: This attack requires a hacker to obtain messages that have been encrypted using the same encryption algorithm. The attacker then looks for repetitions or patterns.

• Man-in-the-middle attack: This form of attack is based on hackers’ ability to place themselves in the middle of the communications flow. Once there, they exchange bogus certificates and spoof each user.

Key size plays a large role in the strength of an algorithm. Although 56-bit DES was cracked by the Electronic Frontier Foundation, it took many computers and cost more than $125,000. Larger key sizes equate to greater security. Increasing the key size by one bit doubles the work factor. Although 2^4 is just 16, 2^5 jumps to 32, and by incrementing only up to 2^25 you reach a number large enough to approximate the number of seconds in a year. More often than not, encryption is cracked because users use weak keys or allow keys to become disclosed or compromised in some other way.

Threats from Unsecured Devices

It's sad but true that an attack can come from any angle. One item of concern to an auditor is unsecured devices. First there’s the ubiquitous thumb drive. Everyone has them, and most people have more than one. Thumb drives may be booby trapped or loaded with malware. They are also easily lost or misplaced and may be used to store sensitive information that requires strong protection. There are even thumb drives that have been designed to destroy a computer. The USB Killer requires nothing more than to be inserted into a computer to destroy its electronics (see Figure 8-10).

Figure 8-10 USB Killer (screenshot of the USB Kill product web page)

Another thumb drive threat is the USB Rubber Ducky, a keystroke injection tool disguised as a generic flash drive. Computers recognize this device as a keyboard and accept the potentially malicious keystrokes it is programmed to inject. Figure 8-11 shows some of the tools this thumb drive supports.

Figure 8-11 USB Rubber Ducky (screenshot of the Duck Toolkit home screen)


Tip

CISA candidates should understand that unrestricted USB ports are a prime source of data leakage and data exfiltration.


Pineapples are another threat—not the kind you eat but the kind that are used to set up evil twin Wi-Fi hotspots. These evil twin hotspots look just like real access points (APs) but can be used to lure a victim into connecting to it. Once a victim is connected, the attacker can use a built-in set of wireless penetration testing tools for reconnaissance, man-in-the-middle attacks, tracking, logging, and reporting. Figure 8-12 shows an example of a pineapple.

Another threat, pod slurping, involves using a portable data storage device such as an iPod to illicitly download large quantities of confidential data by directly plugging it into a computer where the data resides.

Figure 8-12 Wi-Fi Pineapple (photo of the device)

An auditor should also be aware of the following concerns:

• Uncontrolled USB ports: Not just thumb drives but also the ports they plug into should be locked to prevent unauthorized access. USB ports should be turned off. A variety of software tools can be used to control USB ports, block unauthorized devices, and enforce encryption.

• Open Wi-Fi: While an open Wi-Fi access point may look tempting, it might be an evil twin. If it’s the corporate Wi-Fi that’s been left open, it can be an open door to the rest of the business infrastructure or used to exfiltrate corporate data.

• Enabled Bluetooth: Any device that uses Bluetooth should be disabled if it’s not being used. If required, a strong PIN should be used and the device should be placed in nondiscoverable mode.

• Unmanaged smartphones: All corporate phones should have, at a minimum, a PIN/password enabled, encryption, and remote wipe enabled.

• Uncontrolled employee devices: If the organization supports a bring-your-own-device (BYOD) policy, it should dictate when and how such devices can be used and should address the following:

  • Enforcing strong passcodes on all devices

  • Antivirus protection and data loss prevention (DLP)

  • Full-disk encryption for disk, removable media, and cloud storage

  • Device tracking to locate missing or stolen equipment

  • Mobile device management (MDM) to wipe sensitive data when devices are lost or stolen

Threats from Improper Destruction

Data leakage can occur due to improper destruction of data. Auditors should understand the processes that are used for information that is no longer needed. For paper documents, there should be shredders for use by employees or trash bins that are specifically for sensitive information. An auditor should review the process by which this information is collected and destroyed. Many companies use third parties to collect and destroy paper documents. This process should be overseen by a company representative.

Most companies also have many types of electronic information that reach end of life. While formatting is not an acceptable option, a seven-pass drive wipe can be used, as can degaussing. Just keep in mind that when these methods are used, some data remanence is possible. Physical destruction—acid baths, hard drive shredding, or hard drive crushing—is the best way to ensure that no information remains.

Threats to the Infrastructure

Some of the threats that can exploit the infrastructure include the following:

• Cleartext protocols: Many protocols, such as FTP, HTTP, and Telnet, send data in cleartext and should be replaced with a secure option.

• Insecure code or unpatched systems: All code is vulnerable, so systems must be continually patched and upgraded. Resources such as the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) can help with this process (see Figure 8-13).

• Weak encryption: Encryption is a big part of this chapter because it’s important for an auditor to understand that not all forms of encryption are equal. Wired Equivalent Privacy (WEP) is much weaker than Wi-Fi Protected Access (WPA2), just as DES is much weaker than AES.

• Weak passwords: Passwords remain one of the main forms of authentication. Controls on passwords should be used such that password length, complexity, and change requirements are enforced.

Figure 8-13 Common Vulnerabilities and Exposures (screenshot of the CVE home page)

• No password clipping level: Password complexity is just one concern. Another is that there is a limit on how many times an end user can attempt passwords before the account is locked or disabled. Three attempts is a common account lockout threshold.


Tip

Clipping levels are one example of a control related to end-user computing. CISA exam candidates should know that users should not be able to enter incorrect passwords an unlimited number of times.


• Malicious software: Attackers can use many tools and software distributions to target an enterprise. Kali Linux is a good example of a Linux distribution that contains many tools that can be used by penetration testers and hackers alike (see Figure 8-14).

Figure 8-14 Kali Linux (screenshot of the Kali Linux website)
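An added example (not from the book) of the clipping level discussed in the list above, applied to an authentication log: it reads constructed log lines, counts failed logins per user inside a time window, locks the account when the threshold (three attempts, as in the text) is reached, and records any attempts rejected after lockout. The log format, the field names and the sample events are assumptions made for this example; the window parameter shows why a threshold alone is not enough, since failures spread over hours should not be treated like a burst.

```python
"""Added example (not from the book): enforcing a clipping level on an
authentication log. The log format, field names and the sample events are
assumptions constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample log: alice mistypes twice then succeeds; bob fails four
# times in a few seconds; carol fails three times but hours apart.
SAMPLE_AUTH_LOG = """\
2024-03-04T09:00:01Z user=alice result=FAIL src=10.1.2.3
2024-03-04T09:00:05Z user=alice result=FAIL src=10.1.2.3
2024-03-04T09:00:09Z user=alice result=SUCCESS src=10.1.2.3
2024-03-04T09:01:00Z user=bob result=FAIL src=198.51.100.7
2024-03-04T09:01:02Z user=bob result=FAIL src=198.51.100.7
2024-03-04T09:01:04Z user=bob result=FAIL src=198.51.100.7
2024-03-04T09:01:06Z user=bob result=FAIL src=198.51.100.7
2024-03-04T09:30:00Z user=carol result=FAIL src=10.1.2.8
2024-03-04T11:30:00Z user=carol result=FAIL src=10.1.2.8
2024-03-04T13:30:00Z user=carol result=FAIL src=10.1.2.8
"""


def parse_timestamp(ts: str) -> datetime:
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_auth_log(text: str) -> List[dict]:
    """Turn 'timestamp key=value ...' lines into event dicts, in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append({"time": parse_timestamp(ts), "user": fields["user"],
                       "result": fields["result"], "src": fields.get("src")})
    return events


def evaluate_clipping_level(log_text: str, threshold: int = 3,
                            window_minutes: int = 15) -> Tuple[Dict[str, datetime], Dict[str, int]]:
    """Apply the clipping level: 'threshold' failures within 'window_minutes'
    locks the account. Returns (locked: user -> lock time,
    rejected: user -> attempts refused because the account was already locked)."""
    window = timedelta(minutes=window_minutes)
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    locked: Dict[str, datetime] = {}
    rejected: Dict[str, int] = defaultdict(int)

    for event in parse_auth_log(log_text):
        user, now = event["user"], event["time"]
        if user in locked:
            rejected[user] += 1  # a locked account accepts nothing until reset
            continue
        if event["result"] == "SUCCESS":
            recent_failures[user].clear()  # a good login resets the counter
            continue
        # Keep only failures still inside the window, then count this one.
        recent_failures[user] = [t for t in recent_failures[user] if now - t < window]
        recent_failures[user].append(now)
        if len(recent_failures[user]) >= threshold:
            locked[user] = now
    return locked, dict(rejected)


if __name__ == "__main__":
    locked, rejected = evaluate_clipping_level(SAMPLE_AUTH_LOG)
    for user, when in locked.items():
        print(f"{user} locked at {when.isoformat()}; "
              f"attempts rejected after lockout: {rejected.get(user, 0)}")
```

With the default 15-minute window only bob is locked (at his third failure) and his fourth attempt is rejected; carol's three failures spread over four hours never reach the threshold. Widening the window to six hours locks carol as well, which is the knob an auditor should ask about when reviewing a lockout policy.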


Note

Keeping the infrastructure secure requires constant patching, updating, and testing.


Chapter Summary

In this chapter, you have learned about mechanisms to protect information assets. This is an area of extreme importance to an auditor. These controls, including information classification, authentication, authorization, and accountability, can help protect the company’s vital assets. An auditor needs to know how these controls are implemented and how they are monitored. You could have the best firewall or intrusion detection system in the world, but if it is not properly set up, configured, and monitored, its value is insignificant. All this clearly points to the value of monitoring and control, in which an auditor plays an important role.

Encryption is another key defense. Encryption can provide confidentiality, integrity, authentication, and nonrepudiation. It’s an amazing thing that one item has the potential to make such a huge difference. Consider a lost laptop or exposed hard drive: If encryption is being used, there is an effective barrier that must be compromised before information can be gathered from the device. Also, consider the value of cryptographic solutions that use PKI. With PKI, it is possible to perform commercial transactions with users all around the world with a high level of confidence. You can rest assured that the X.509 certificate you are presented with when you go to your bank’s web page does, in fact, validate that you are truly dealing with your bank.

Without sufficient controls and without a defense-in-depth design, the many threats that endanger an organization could be realized. Each of these threats presents a real danger to the organization.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple choices for exam preparation: the exercises here; Chapter 10, “Final Preparation;” and the exam simulation questions on the book’s companion web page (www.informit.com/title/9780789758446).

Review All the Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 8-9 lists these key topics and the page number on which each is found.

Table 8-9 Key Topics in Chapter 8

Key Topic Element   Description                                                                     Page Number
List                Kerberos key services                                                           341
Section             Federation                                                                      343
Table 8-5           Attributes of symmetric and asymmetric encryption                               359
Table 8-6           Attributes of symmetric and asymmetric encryption and the OSI reference model   368
Table 8-8           Data classification types                                                       373

Complete Tables from Memory

Print a copy of Appendix B, “Memory Tables” (found on the companion web page), or at least the section for this chapter, and complete the tables from memory. Appendix C, “Memory Tables Answer Key,” also on the companion web page, includes completed tables you can use to check your work.

Define Key Terms

Define the following key terms from this chapter and check your answers against the glossary:

algorithm

asymmetric algorithm

asymmetric encryption

authentication

biometrics

Blowfish

bring-your-own-device (BYOD)

chain of custody

decryption

DIAMETER

digital certificate

digital signature

encryption

encryption key

equal error rate (EER)

false acceptance rate (FAR)

false rejection rate (FRR)

firewall security

hash

hashing algorithm

intrusion detection system (IDS)

Kerberos

mantrap

Moore’s law

nonrepudiation

password cracking

public key encryption

Public Key Infrastructure (PKI)

registration authority (RA)

Remote Authentication Dial-In User Service (RADIUS)

Rijndael

SHA

symmetric algorithm

symmetric encryption

turnstile

VoIP

Review Questions

1. A new website is being designed to host free application downloads. One requirement is that there must be a method to verify the integrity of these files and that they have not been tampered with. Which of the following would you recommend?

a. DES

b. AES

c. MD5

d. RSA

2. You have been asked to write a report detailing a new software-management system that uses AES. Which term best describes the advantage of a symmetric algorithm such as AES?

a. It enables key exchange.

b. It enables key management.

c. It provides integrity.

d. It is fast.

3. A business-to-consumer e-commerce website is worried about security and has had talks about encryption. Specifically, the company would like to set up a system that can monitor, detect, and alert on hacking activity. Which of the following would best meet the required needs?

a. Packet filtering

b. Intrusion detection

c. Stateful inspection

d. Asymmetric cryptography

4. You have been asked to join an audit team that will review Internet controls at a local college. Which of the following is required for schools and libraries using an Internet connection?

a. FERPA

b. FISMA

c. PCI-DSS

d. CIPA

5. Which of the following about PKI and the registration authority (RA) is correct?

a. The RA cannot reduce the load on the CA.

b. The RA cannot accept requests.

c. The RA cannot generate a certificate.

d. The RA cannot verify an owner’s identity.

6. Which of the following is the highest priority for an auditor?

a. Designing and implementing security controls

b. Reviewing new policies and procedures

c. Controlling and monitoring data security and policies

d. Controlling and monitoring IDS and firewall activity

7. As the result of a recent audit, you have been asked to serve on a team that will look at recommendations to strengthen authentication. Which of the following would you recommend if single sign-on were a requirement?

a. Kerberos

b. Diameter

c. RADIUS

d. TACACS

8. Which of the following is the lowest level in the military data classification scheme?

a. Public

b. Unclassified

c. Sensitive

d. Available

9. During a recent physical security audit, you found several major problems. One was that the data center had one uncontrolled single-door entrance with weak access control. What double-door system would be a good recommendation in this case?

a. Honeypot

b. Mantrap

c. Turnstile

d. DMZ

10. Several coworkers are using public key encryption and have asked about the advantage of asymmetric encryption. Which of the following is correct?

a. It is very efficient.

b. It can be used as part of hashing algorithms.

c. It can be used for bulk data.

d. It enables easy key exchange.

Suggested Reading and Resources

PCI-DSS standards: www.pcisecuritystandards.org/document_library

Encryption and access control comparison: https://security.stackexchange.com/questions/89325/encryption-vs-access-control-comparison

Protecting data from cradle to grave: www.computerworld.com.au/article/40700/protecting_data_from_cradle_grave/

Data life cycle management (DLM): http://searchstorage.techtarget.com/definition/data-life-cycle-management

Difference between hashing and encryption: www.securityinnovationeurope.com/blog/page/whats-the-difference-between-hashing-and-encrypting

Physical security audit checklist: www.locknet.com/lockbytes/excerpts/physical-security-audit-checklist/
