Carol Njama – IT – 5102/Lab 3

Carol Njama
IT5102 – Intro to Information Security
November 3, 2013
Lab 3 – Sarbanes-Oxley Act 2002

Search online for credible, authoritative information about the Sarbanes-Oxley Act. What provisions does the law make regarding information security? Share your findings with the class.

The Sarbanes-Oxley Act, also known as the Public Company Accounting and Investor Protection Act of 2002, was passed in response to the 2001 corporate accounting scandals involving companies such as WorldCom and Enron. Company executives were using company stock to fund their own businesses and inflating their stock prices to attract investors. They not only lied to investors but committed financial fraud. According to the Yahoo article, WorldCom used shady accounting methods to mask its declining financial condition, falsely professing financial growth and profitability to increase the price of WorldCom’s stock (Yahoo Contributor Network, 2007).

Section 404 of the Sarbanes-Oxley Act deals with internal controls, which can be applied to information technology and information security. According to Warner, Section 404 requires the executives of publicly traded companies to confirm that they have effective internal controls around financial reporting. An internal control can be a process or procedure that provides reasonable assurance that the financial reporting is accurate. Section 404 also requires that the company assess its internal control structure to verify that all controls are effective. The second part of Section 404 deals with evaluation and reporting of the internal control structure by a registered public accounting firm (Information Security and Section 404 of the Sarbanes-Oxley Act, 2004).

In its information security and protection aspect, the Sarbanes-Oxley Act ensures that public companies meet compliance requirements for specific processes and procedures in their internal controls; in this case, accepted information security processes or standard best practices. It holds management accountable for having reviewed the security measures and processes and ensured that they are implemented and effective. It also ensures that the processes and procedures are accurate and effective in monitoring and preventing fraudulent activity within the organization, in detecting unauthorized use of assets, and in securing and protecting investor or shareholder information. Finally, it requires an independent third-party evaluation and audit of the effectiveness of those internal controls.

According to Warner, effective controls can include a number of different things that an information security team is responsible for, from an intrusion detection system that monitors for malicious network activity to reviewing log files on a periodic basis (Information Security and Section 404 of the Sarbanes-Oxley Act, 2004). This means that management is required to support information security in the business and to secure its systems against unauthorized use or security attacks. InfoSec professionals are required to comply with these security measures as part of their jobs, and in addition to ensure that policies and procedures are implemented and that everyone complies with them, in order to provide good security. InfoSec professionals are required to be knowledgeable, highly trained and certified as required, so that they can provide monitoring and make security recommendations based on the skills they have acquired. Policies and procedures need to be created, implemented, documented, communicated to all appropriate individuals, and enforced accurately for risk analysis and management.


Due to compliance and requirements of the Sarbanes-Oxley law’s internal controls, InfoSec professionals will need the certifications required by employers in job descriptions to be able to:

• Support the threat and vulnerability management program effectively.
• Contribute to the Information Security Assessment and Remediation program.
• Actively participate in the Security Incident management program.
• Continuously review and research relevant security policies against existing policies.
• Support the Information Security Policy and Compliance program.
• Continuously review and research applicable control frameworks and contribute to maintaining the Information Security control framework.
• Maintain the monthly Information Security metrics and documentation.
• Provide general Information Security awareness and guidance to other lines of business and ensure projects comply with and maintain the Information Security corporate framework.
• Understand the business context in which Information Security functions operate.
• Maintain up-to-date knowledge of Information Security news, tools, and equipment vendors.
• Evaluate Information Security tools (hardware and software) to assist in the management and control of information security risks.
• Evaluate new technologies entering the business environment for risks.
• Contribute to the technical understanding and promotion of new and existing information security standards and solutions.
• Conduct periodic Information Security audits and assessments in various areas of the company.
• Understand threat and vulnerability management, penetration testing and vulnerability mitigation.
• Understand Information Security compliance frameworks (e.g. ISO 27000 series, DoD 8500.2, NIST 800-53), assessments and remediation strategies.
• Understand incident detection, response, and mitigation.
• Understand SIEM technologies, logging, monitoring, and alerting.
• Understand various networks, systems, and platforms.
• Have general knowledge of the telecommunications and satellite industry (Intelsat Corporation, 2013).

In information security, internal controls such as system and software application development processes, data and internet security procedures and protection, password protection, intrusion prevention and physical security should be effective, applicable and in compliance with Section 404 of the Sarbanes-Oxley Act. This is important not only to hold information security professionals, management and companies accountable, but also, as a whole, to maintain standards within these companies and businesses and to protect investors, shareholders and users.


References

Career Builder (2013). Associate Information Security Analyst (3004). Retrieved October 22, 2013 from Intelsat Corporation Web site: http://www.careerbuilder.com/JobSeeker/Jobs/JobDetails.aspx?APath=2.21.0.0.0&job_did=JHN3RX6W2GWG7M2ZK6V&sc_cmp1=js_jrp_jobclick&IPath=QAKV

JJ (2007). WorldCom Scandal: A Look Back at One of the Biggest Corporate Scandals in U.S. History. Retrieved October 30, 2013 from Yahoo Contributor Network Web site: http://voices.yahoo.com/worldcom-scandal-look-back-one-biggest-225686.html

Warner, Reed (2004). Information Security and Section 404 of the Sarbanes-Oxley Act. Retrieved October 30, 2013 from SANS Institute InfoSec Reading Room Web site: http://www.sans.org/reading-room/whitepapers/legal/information-security-section-404-sarbanes-oxley-act-1582

Carol Njama – IT – 5102/Lab 4

Carol Njama
IT5102 – Intro to Information Security
November 10, 2013
Lab 4 – Multics (Multiplexed Information and Computing Service)

According to the MIT website, Multics (Multiplexed Information and Computing Service) was a mainframe timesharing system that began at MIT as a research project in 1965. It was a joint project of MIT, General Electric and Bell Labs, and was later taken over by Honeywell (now Bull).

What was it used for? Multics was initially used for sharing campus information between academia and the administration. Later, General Electric (GE) used it as a commercial product for selling time-sharing services. It included:
• A supervisor program that managed all hardware resources, using multiprocessing, multiprogramming and paging
• A segmented memory addressing system supported by hardware
• A tree-structured file system
• Device support for peripherals and terminals
• Command programs, including language compilers and tools
• User library routines
• Operational and support tools
• User and system documentation (Multics, 2013)

How was it different from other operating systems of its time, especially concerning security? It was designed like a utility service such as telephone service or electricity, and it provided high availability and security features, which were fundamental design requirements in order to meet the utility goals. Because of its high modularity in both hardware and software, one could add more appropriate resources even while the service was running. Most of the users of the service did not trust each other, so security was a major feature, with file sharing provided through a hierarchical system of access controls. Multics was designed to be secure from the beginning. In the 1980s, the system was awarded the B2 (Orange Book TCSEC – Structured Protection) security rating by the US government’s National Computer Security Center (NCSC), the first system to get a B2 rating (Multics, 2013).

According to Wikipedia, the Pick operating system, also of the same year and known as “the Pick system”, is a demand-paged, multiuser, time-sharing computer operating system based around a unique multivalued database that was primarily used for business data processing. In comparison to Multics, older versions of Pick stored passwords in plaintext, and only later versions encrypt them, which shows that security was not a concern for the Pick system.

The IBM System/360 was a system designed to cover the complete range of applications, from small to large and both commercial and scientific. The design made a clear distinction between architecture and implementation, allowing IBM to release a suite of compatible designs at different prices. In terms of security, the system was designed to separate the “system state” from the “problem state”. This provided a level of security and recoverability from programming errors: user programs could not modify data or program storage associated with the system state. Addressing, data or operation exception errors caused the system state to be entered through a controlled routine, allowing the operating system to attempt to correct or terminate the program in error. Processor and hardware errors could be recovered through the machine check routines (Wikipedia, 2013).

References

IBM System/360 (2013). IBM System/360. Retrieved November 9, 2013 from Wikipedia Web site: http://en.wikipedia.org/wiki/IBM_System/360

Multics (2013). Multics History. Retrieved November 9, 2013 from MIT Web site: http://www.multicians.org/history.html

Multics (2013). Multics Overview. Retrieved November 9, 2013 from MIT Web site: http://web.mit.edu/multics-history/

Pick Operating System (2013). Pick operating system. Retrieved November 9, 2013 from Wikipedia Web site: http://en.wikipedia.org/wiki/Pick_operating_system

Carol Njama – IT – 5102/Lab 5

Carol Njama
IT5102 – Intro to Information Security
November 17, 2013
Lab 5 – Desktop Encryption Products

Laptop theft is a real problem. Your instructor had his laptop stolen off his desk when he left the office for a brief 5 minutes. The real concern is theft of confidential data leading to identity theft.

Use the Internet to research products that perform PC desktop encryption to protect files stored on a laptop. One such example is TrueCrypt. Answer the following questions.

The PC desktop encryptions I will be evaluating are TrueCrypt and BestCrypt (TrueCrypt & BestCrypt, 2013).

a) What differences do you find in how they implement encryption?

TrueCrypt

• Plausible deniability – in case someone forces you to reveal the password
• Hidden volume and hidden operating system, so you do not have to decrypt or reveal the password for the hidden operating system in situations where you are forced to
• Currently provides encryption for Windows operating systems. As of February 7, 2012 (version 7.1a): minor improvements and bug fixes for Mac OS X and …
• Encryption algorithms – AES, …, and cascades
• Supported hash algorithms:
  ◦ RIPEMD-160
  ◦ SHA-512
  ◦ Whirlpool

BestCrypt

• Compatible with Windows, Mac OS and Linux
• Protects selected files or folders from leaking out unless the user has the password or keys
• For data no longer needed, BestCrypt Container Encryption includes the full version of BCWipe. BCWipe has been trusted as the de-facto standard for the U.S. Department of Defense.
• Encryption algorithms – AES (Rijndael), Blowfish, Cast, GOST 28147-89, Triple-DES, Serpent, Twofish

b) What approaches are used (whole disk encryption, partition encryption, file encryption?)

TrueCrypt

• Creates a virtual encrypted disk within a file and mounts it as a real disk
• Encrypts a partition or storage device
• Encrypts the partition or drive where Windows is installed
• Encryption is automatic, real-time and transparent
• Parallelization and pipelining – fast reads and writes


BestCrypt

• Encryption of files or folders stored in virtual drives
• Transparent use of and access to files
• BestCrypt Volume Encryption now allows encryption of boot/system volumes on computers whose operating systems are loaded according to the Unified Extensible Firmware Interface (UEFI).
• BestCrypt Volume Encryption v.3.60.10 supports superior whole disk encryption by fully supporting Secure Boot for UEFI and signed EFI binaries.
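The following Go program is an added example, not code from this lab, from TrueCrypt, BestCrypt or Pick. It ties together two points from these labs: Lab 4's observation that early Pick versions stored passwords in plaintext while later versions did not, and this lab's container/volume model, in which a key derived from the password protects the stored data. Everything in it is an assumption made for illustration: PBKDF2-HMAC-SHA512 with 100,000 iterations as the password-to-key function (TrueCrypt derives its header key with PBKDF2 over one of the hash algorithms listed above, but the iteration count here is arbitrary), AES-256-GCM for the container (the real products use XTS mode for sector-addressed disks; GCM is used here because it also authenticates the data), and the names StoredPassword, Container, CreateContainer and OpenContainer, which are all invented for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const kdfIterations, keyLen, saltLen = 100_000, 32, 16 // assumed: PBKDF2 cost, AES-256 key bytes, salt bytes

// pbkdf2SHA512 implements PBKDF2-HMAC-SHA512 (RFC 8018) by hand so that only the standard
// library is needed: each output block is the XOR of `iterations` chained HMAC values.
func pbkdf2SHA512(password, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(sha512.New, password)
	var out []byte
	for block := 1; len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, uint32(block)))
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without a CSPRNG nothing below would be safe to continue with
	}
	return b
}

// StoredPassword is what a login database keeps instead of the plaintext that early Pick
// versions stored: a random salt and a slow hash from which the password cannot be read back.
type StoredPassword struct{ Salt, Hash []byte }

func NewStoredPassword(password []byte) StoredPassword {
	salt := randomBytes(saltLen)
	return StoredPassword{Salt: salt, Hash: pbkdf2SHA512(password, salt, kdfIterations, keyLen)}
}

func (s StoredPassword) Verify(candidate []byte) bool {
	derived := pbkdf2SHA512(candidate, s.Salt, kdfIterations, keyLen)
	return subtle.ConstantTimeCompare(s.Hash, derived) == 1 // constant time: no timing leak
}

// Container models a file-backed encrypted volume: a header wrapping a random master key under
// the password-derived key, then the payload encrypted under the master key (so changing the
// password only rewraps the header). GCM suits a whole-file container; disks use XTS instead.
type Container struct{ Salt, WrapNonce, WrappedKey, DataNonce, Ciphertext []byte }

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key length, which keyLen prevents
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a 128-bit block cipher such as AES
	return aead
}

func CreateContainer(password, plaintext []byte) *Container {
	salt, master := randomBytes(saltLen), randomBytes(keyLen)
	kek := newGCM(pbkdf2SHA512(password, salt, kdfIterations, keyLen)) // key-encryption key
	dek := newGCM(master)                                                // data-encryption key
	wrapNonce, dataNonce := randomBytes(kek.NonceSize()), randomBytes(dek.NonceSize())
	return &Container{Salt: salt, WrapNonce: wrapNonce, WrappedKey: kek.Seal(nil, wrapNonce, master, nil),
		DataNonce: dataNonce, Ciphertext: dek.Seal(nil, dataNonce, plaintext, nil)}
}

// OpenContainer unwraps the master key first: a wrong password fails GCM authentication on the
// header before the payload is touched; a modified payload fails on the second Open.
func OpenContainer(c *Container, password []byte) ([]byte, error) {
	kek := newGCM(pbkdf2SHA512(password, c.Salt, kdfIterations, keyLen))
	master, err := kek.Open(nil, c.WrapNonce, c.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrong password or damaged header")
	}
	return newGCM(master).Open(nil, c.DataNonce, c.Ciphertext, nil)
}

func main() {
	stored := NewStoredPassword([]byte("correct horse")) // constructed sample credential
	fmt.Println("right accepted:", stored.Verify([]byte("correct horse")), "wrong rejected:", !stored.Verify([]byte("Correct horse")))
	vol := CreateContainer([]byte("volume-passphrase"), []byte("constructed sample file contents"))
	_, wrongErr := OpenContainer(vol, []byte("guess"))
	data, _ := OpenContainer(vol, []byte("volume-passphrase"))
	fmt.Printf("wrong password: %v; right password: %q\n", wrongErr, data)
}
```

The two halves share the same building block: the password never reaches disk, only a salt and the output of a deliberately slow function. For the login store that is the whole design; for the container the derived key protects a second, random key, which is why a volume's password can be changed without rewriting the encrypted payload.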

c) Some products such as TrueCrypt are open source. This means the “bad guys” can learn how it works. Does this pose additional risk?

Yes, I feel that it poses additional risk because it is open source and the hackers know how it works, so they would be able to decrypt your information if they can find your password or the hidden operating system.

d) Which product would you recommend for a business?

BestCrypt  Due to its compatibility with most popular operating systems  Whole disk encryption  Availability of BCWipe that has been trusted as the de-facto standard for the U.S. Department of Defense  More encryption algorithms – AES (Rijndael), Blowfish, Cast, GOST 28147-89, Triple-DES, Serpent, Twofish  Offers Jetico Central Manager enables an administrator to always monitor usage of encrypted data on remote workstations all across an enterprise network and includes a database for gathering and storing information from client computers, such as log information about deployment and updates of BestCrypt Container Encryption client modules or rescue information to recover encrypted data in case of emergency.

e) Which product would you consider using yourself?

BestCrypt, because it is not open source, is compatible with more operating systems, and offers more encryption algorithms.


References

BestCrypt (2013). BestCrypt Container Encryption. Retrieved November 15, 2013 from BestCrypt Web site: http://www.jetico.com/products/personal-privacy/bestcrypt-container-encryption/

BestCrypt (2013). BestCrypt Volume Encryption. Retrieved November 15, 2013 from BestCrypt Web site: http://www.jetico.com/products/personal-privacy/bestcrypt-volume-encryption/

TrueCrypt (2013). TrueCrypt. Retrieved November 15, 2013 from TrueCrypt Web site: http://www.truecrypt.org/

Carol Njama – IT – 5102/Lab 7

Carol Njama
IT5102 – Intro to Information Security
December 2, 2013
Lab 7 – Biometric Security Systems

Go online and search for information on biometric security systems for individual computers. For example, small biometric devices can be added to notebook PCs to ensure that only the computer's authorized user can access the system. Based on your research, would you purchase such a security device for your own computer? Why or why not?

According to the text, biometric authentication uses characteristics of the human face, eyes, voice, fingerprints, hands, signature or even body temperature. It uses an individual’s unique characteristics along with other identification and authentication techniques (Merkow and Breithaupt, 2006).

Some of the biometric security systems for individual computers and mobile phones I found on the internet are:

1. Privaris – plusID offers biometric security systems for individual computers

According to Privaris, plusID is a fingerprint-based, personal, mobile fob that can be used to authenticate users to computers, networks, websites, software, VPNs, encrypted files, and online applications. The authorized user's fingerprint template and access credentials, such as a password, are securely stored on the plusID device during the issuance process, called enrollment. Once enrolled, the device releases the user's password only after a successful biometric verification. Both the fingerprint and the access credentials are securely stored in the tamper-resistant device, so unauthorized users cannot obtain them. The device verifies its user's identity before allowing data access, but does so without a biometric database, to protect the user's personal privacy: all fingerprint information is securely stored on the device itself, not in a database, and the user never has to relinquish their biometric information. plusID has a self-contained fingerprint scanner and a secure processor to verify its owner's identity using fingerprint authentication.

Some of the features I like about this one are:

• Works as a smart card, allowing a quick upgrade to biometric logon
• Supports one-time password (OTP) delivery – a simple way to add biometrics to existing OTP infrastructure
• Flexibility – three communication options in each device:
  ◦ Bluetooth™ (with an added layer of encryption for heightened security)
  ◦ 13.56 MHz (ISO 14443A, 14443B, 15693 and NFC)
  ◦ USB
• Reduces password/PIN maintenance costs and eliminates problems associated with multiple passwords
• Supports local and remote computer access
• Fast and easy to use – typical authentication times of a second or less (privaris.com, 2013).


2. AGNITIO – offers voice biometrics technology

According to agnitio-corp.com, they provide voice biometrics technology: an advanced technology that allows identification, surveillance and precise ID verification using the voice. It protects users in the fight against identity fraud, terrorism and criminal activity, and provides mobile and app security for organizations, private individuals and government agencies when performing transactions via mobile phones.

Some of the features I like about this one are:

• Secure remote authentication: a user-friendly authentication process using your voice as your unique password
• Products: KIVOX 4.0 for developers and integrators, which is taught to recognize a speaker's voice, and KIVOX Mobile and the KIVOX app for smart phones, which recognize the user's voice when conducting transactions including payments, bank transactions, and logins to private information sites
• No network connection is needed, so it can be used anywhere and in any language, since the technology is completely language independent
• Pay, log in, unlock, and authenticate yourself to conduct multiple transactions simply by speaking.
• It works in a variety of client/server configurations, allowing enterprise security teams to locate the voiceprint within their firewall, on the mobile device, or in a hosted service provider’s cloud. In all cases, they can validate the integrity of the voiceprint in the appropriate location on demand.
• Provides intelligence for defense and intelligence personnel, such as telephone interception, electronic sensors and human voice gathering.
• Provides law enforcement and forensics with voice speaker ID and voice verification in forensic laboratories.
  ◦ ASIS – storage of the voices of criminals and terrorists that can be used by police and security forces to identify suspects in criminal or terrorist activities.
  ◦ BATVOX – supports forensic experts and scientific police by performing speaker verification and compiling expert reports as evidence in court (Agnitio.com, 2013).

Both of the systems are good, depending on whether you need the biometric security system for the PC or for the smart phone. I use both a PC and a smart phone. I would purchase both because they would offer added security when I use my PC or my smart phone for transactions.

The first one, the fingerprint-based device, is good because I like the part where it eliminates problems associated with multiple passwords. I think we are swimming in a myriad of passwords, which is hard to keep up with.

I like the second one because it is innovative since the voice recognition is not widely used. I think it offers a unique perspective on biometrics since technology is on the go now. More people are using their mobile phones and tablets for everything.

My concern with the voice biometrics would be that it infringes on privacy and is too intrusive, because they store your voice and can provide information to intelligence and government agencies. I see where it would be helpful to law enforcement and homeland security in tracking criminals and terrorists, but I wonder how it would be used in regard to the rest of us.


References

Agnitio: Your voice biometrics partner (2013). Agnitio. Retrieved November 26, 2013 from Agnitio-Corp Web site: http://www.agnitio-corp.com/

Biometric security for protecting IT assets (2013). Privaris. Retrieved November 26, 2013 from Privaris Web site: http://www.privaris.com/biometric_computer.html

Merkow, Mark, and Breithaupt, James (2006). Information Security: Principles and Practices. Upper Saddle River, New Jersey: Pearson Education, Inc.