May 17-20, 2007
Marriott O'Hare

Chicago, IL, USA

Information Systems Security:
The Cyber-Security of Business &
Business Aspects of Cyber-Security

2007 IEEE EIT Conference
May 17-20, 2007
Chicago, IL, USA

Friday May 18, 2007
9:30 am - 12:00 pm

Instructor: S J Lincke, PhD

Information Systems Security has become a prominent issue recently, as more companies depend on the hacker-ridden Internet and audit legislation has become mandatory for many industries to counteract fraud. Achieving security within reasonable cost requires integrating secure computer technology with secure business procedures. This tutorial/workshop will introduce some aspects of security technology, but will emphasize the business or organizational aspects of cyber-security.

This workshop will cover the basics of attacks and security, then proceed to concepts of information systems security. The problem with cyber-security is that someone in a foreign country can attack a computer from the comfort of their home. An attacker only needs to find one vulnerability, while a security analyst must close all holes. The basics of attacks include the four stages of hacking: Reconnaissance, Scanning, Gaining Access, and Exploit/Maintain Access. Attack techniques defined include social engineering, war driving, spoofing, session hijacking, SQL injection, (Distributed) Denial of Service, bots, and rootkits.

A summary of security architecture briefly defines the most important best practices for systems and network security. Defense in depth is implemented in layers, like an onion: attackers who make it through one layer encounter further layers of defense. Network security often includes a demilitarized zone that hosts the services accessible from the outside, such as web pages, DNS, and email, while the internal private network has more restrictive firewall access. However, firewalls may be bypassed via telephones, floppies, and internal visitors/employees. To ensure logs are never modified by an attacker, they may be sent over a private network to a separate log system. Intrusion Detection Systems are like spies: they observe and report to system administration, but may not stop an attack in progress. Finally, the Computer Fraud and Abuse Act, the law regarding hacking and fraud, is reviewed to enable security analysts to separate what is and is not legal.

Security poses a three-fold problem: 1) more security means more restricted operations; 2) more security costs more money; and 3) full security can never be completely achieved. The business aspects of security help define where security shall be applied and at what level. Risk analysis defines the value of an organization’s "jewels" and evaluates the levels of threats and vulnerabilities against them; it helps determine how to defend the computer network by weighing liability against control costs. Security planning includes defining policies, control procedures, and data classification. Policies are the defined security goals, while procedures, standards, and other controls implement or achieve those goals. Data classification ensures that sensitive information is identified and protected via access and encryption controls. Audit procedures test the implemented controls and procedures to ensure they function. Audit plans define the scope, objectives, and tests to be performed, while audit reports list the results of the audit. Audit tests may include testing the firewall, IDS, web system, and logging system to ensure attacks are handled as expected, and may involve probing open applications on various systems. How an organization responds to attacks will vary: the initial reaction must be determined by top management. A business continuity plan determines how to handle the most serious threat/vulnerability combinations, and a disaster recovery plan defines and implements a backup system to survive temporary disasters. To successfully prosecute a computer attack in court, computer forensics defines the legal procedures that must be carefully followed to ensure evidence authenticity and continuity, or chain of custody.

With recent accounting fraud resulting in the corporate failures of Enron, ImClone, WorldCom, Adelphia, etc., various legislation has been passed in the U.S. to minimize potential fraud, maximize survivability in the event of incidents, and maximize customer and shareholder security via privacy, accuracy, and quality of service. Such legislation includes Sarbanes-Oxley (SOX), the Federal Information Security Management Act (FISMA), and the Health Insurance Portability & Accountability Act (HIPAA).

While defining the legislation is the first step, guidelines are necessary to lead companies in achieving a secure accounting and computer systems infrastructure. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and related Technology (COBIT) created such guidelines to define how security can be measured from a business planning perspective. COSO defined five aspects of security: control environment, risk assessment, control activities, monitoring, and information and communication. COBIT expanded the COSO model into four stages of information technology: planning and organization, acquisition and implementation, delivery and support, and monitoring. COBIT defines six levels of maturity, derived originally from the Systems Security Engineering Capability Maturity Model (SSE-CMM).

The author has taught network security courses in which students performed audits of (parts of) real organizations, involving computer systems and networks. Graduate students also worked with COBIT-based interviews and evaluations. These experiences will be discussed in the presentation to add security "war stories".

Within the lecture, participants will perform exercises to help them learn the material. These exercises will include:

  1. Evaluating risk for the organizational or home computer, including:
    • Defining the "crown jewels"
    • Defining a vulnerability assessment quadrant map
  2. Brainstorming a perfect security system for organizational/home computer(s).
  3. Completing a COBIT-based questionnaire for the participant’s organization (time permitting).
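One way to work through exercise 1 (identifying the "crown jewels", placing them on a threat-vs-vulnerability quadrant map, and weighing liability against control cost as the risk analysis paragraph describes), as an added Python example that is not part of the tutorial's materials. The 1-5 scoring, the split point at 3, the expected-loss formula and the asset figures are all illustrative assumptions constructed here.

```python
# Added example for exercise 1 above, not the tutorial's own material. The 1-5
# scores, the split at 3, the loss formula and the figures are all assumptions.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float          # liability if lost or exposed (constructed figures)
    threat: int           # 1-5: how likely an attacker targets it
    vulnerability: int    # 1-5: how easily an attack succeeds today
    control_cost: float   # yearly cost of the proposed control
    reduction: float      # fraction of expected loss the control removes

SPLIT = 3  # scores >= SPLIT count as "high" on the quadrant map

def quadrant(a: Asset) -> str:
    """Place an asset on a threat-vs-vulnerability quadrant map."""
    high_threat, high_vuln = a.threat >= SPLIT, a.vulnerability >= SPLIT
    if high_threat and high_vuln:
        return "defend now"      # crown jewels both targeted and exposed
    if high_threat:
        return "monitor"         # targeted, but current controls still hold
    if high_vuln:
        return "fix when cheap"  # open hole that nobody is probing yet
    return "accept"

def expected_loss(a: Asset) -> float:
    """Asset value scaled by normalised threat and vulnerability scores."""
    return a.value * (a.threat / 5) * (a.vulnerability / 5)

def control_justified(a: Asset) -> bool:
    """A control pays for itself when it removes more loss than it costs."""
    return a.control_cost < expected_loss(a) * a.reduction

# Constructed sample inventory for the "crown jewels" exercise
ASSETS = [
    Asset("customer database", 500_000, 5, 4, 40_000, 0.8),
    Asset("public web server", 50_000, 5, 2, 15_000, 0.5),
    Asset("internal wiki", 20_000, 1, 4, 9_000, 0.9),
    Asset("lobby kiosk", 2_000, 1, 1, 1_000, 0.9),
]

def plan(assets=ASSETS) -> dict:
    """Map asset name -> (quadrant, expected loss, control justified?)."""
    return {a.name: (quadrant(a), round(expected_loss(a)), control_justified(a))
            for a in assets}

if __name__ == "__main__":
    for name, (quad, loss, ok) in plan().items():
        print(f"{name:18s} {quad:14s} loss~{loss:>7} control justified={ok}")
```

The same helpers apply to a home computer: score the family photo archive or online banking credentials as assets and see which quadrant they land in.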

Handouts will include the presentation notes, the exercise questions, the COBIT-derived questionnaire, and a maturity level standard to evaluate against.