You're reading from Certified Information Security Manager Exam Prep Guide - Second Edition

Product type: Book
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781804610633
Edition: 2nd Edition
Author: Hemang Doshi

Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.

Information Security Infrastructure and Architecture

In this chapter, you will learn about information security infrastructure and architecture and explore the methods, tools, and techniques available to you for the development of a robust information security program. This chapter will help CISM aspirants to understand security architecture in line with industry best practices. The CISM aspirant will also gain basic knowledge about access control requirements and authentication factors—including biometrics.

The following topics will be covered in this chapter:

  • Information Security Architecture
  • Architecture Implementation
  • Access Control
  • Virtual Private Networks
  • Biometrics
  • Factors of Authentication
  • Wireless Networks
  • Different Attack Methods for Information Security

Information Security Architecture

Just as conventional architecture defines the rules and standards for the construction of buildings, information security architecture addresses the design and implementation of the security posture of the organization. Architecture helps to integrate different components of information security in an effective manner. A security architecture also defines the baseline, that is, the minimum level of security for the infrastructure.

A security architecture generally addresses the following aspects:

  • Where to place and deploy security tools, such as firewalls, intrusion detection systems (IDSs), and antimalware
  • How to configure the security of applications and servers
  • How to build the overall security environment

A structured architecture provides the framework to manage a complex environment. As the size and complexity of the organization grow, a well-defined architecture helps the security manager to monitor and control the...

Architecture Implementation

A security manager should consider the following aspects while implementing the architecture:

  • Termination process: An effective termination process is one of the most important aspects of the information security process. Terminated employees can misuse credentials that remain active for unauthorized activity. Hence, the termination process should ensure timely revocation of all access as soon as an individual is terminated or otherwise leaves the organization.
  • Security rules: A security manager should ensure that the rules configured in security tools, such as firewalls, IDS, antimalware software, and security information and event management (SIEM), are reviewed at periodic intervals. Rules should be simple and easy to implement. An excessive number of rules is difficult to manage, and one rule may conflict with another, which can leave gaps that an attacker exploits. Furthermore, it becomes difficult to test complex...

Access Control

The main objective of the access control process is to ensure that only authorized users are granted access. To achieve this, it is very important for user activities to be uniquely identifiable for accountability purposes. The security manager should be aware of the following categories of access control.

Mandatory Access Control

In mandatory access control (MAC), access decisions are governed by an approved policy: subjects are assigned clearances, objects carry classification labels, and neither users nor data owners can modify the access rules. MAC ensures that files are shared only with users authorized for the security classification of the file, and that a file cannot be shared with unauthorized users, even by its owner.

Discretionary Access Control

In discretionary access control (DAC), access is granted, changed, or revoked by the data owner at their discretion, typically through an access control list maintained for each object.

MAC is considered more robust and stringent in terms of information security compared to DAC. To increase the effectiveness of DAC, it should be aligned with MAC...
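The distinction above, as an added example that is not from the book: a small C model of the two decision rules, and of an owner's grant being honoured only where the mandatory policy already permits it. It assumes a linear classification lattice (PUBLIC < INTERNAL < CONFIDENTIAL < SECRET), read access only, and made-up subjects and objects; real MAC systems also carry compartments and write rules, which are left out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Classification levels ordered low to high; a simple linear lattice
 * (assumption: real MAC systems also carry compartments, omitted here). */
enum level { PUBLIC = 0, INTERNAL = 1, CONFIDENTIAL = 2, SECRET = 3 };

#define MAX_ACL 4

struct subject {
    const char *name;
    enum level  clearance;      /* assigned by policy, never by the user */
};

struct object {
    const char *name;
    enum level  classification; /* label fixed by policy (MAC) */
    const char *owner;
    const char *acl[MAX_ACL];   /* subjects the owner chose to share with (DAC) */
    int         acl_len;
};

/* MAC: read is allowed only if the subject's clearance dominates the
 * object's label ("no read up"). Neither the subject nor the owner can
 * change this outcome; only the policy that assigned the labels can. */
bool mac_allows_read(const struct subject *s, const struct object *o) {
    return s->clearance >= o->classification;
}

/* DAC: the owner always has access, and so does anyone the owner has put
 * on the ACL. The owner may grant this to anybody at their discretion. */
bool dac_allows_read(const struct subject *s, const struct object *o) {
    if (strcmp(s->name, o->owner) == 0) return true;
    for (int i = 0; i < o->acl_len; i++)
        if (strcmp(s->name, o->acl[i]) == 0) return true;
    return false;
}

/* DAC aligned with MAC: the owner's grant is honoured only inside the
 * bounds the mandatory policy already permits. */
bool aligned_allows_read(const struct subject *s, const struct object *o) {
    return mac_allows_read(s, o) && dac_allows_read(s, o);
}

/* Owner shares an object. The grant is recorded only if the caller really is
 * the owner and the grantee is cleared for the label: discretion cannot
 * override the mandatory policy. Returns true if the ACL was updated. */
bool owner_grant(struct object *o, const struct subject *owner,
                 const struct subject *grantee) {
    if (strcmp(owner->name, o->owner) != 0) return false;  /* not the owner */
    if (!mac_allows_read(grantee, o))       return false;  /* grantee not cleared */
    if (o->acl_len >= MAX_ACL)              return false;  /* ACL full */
    o->acl[o->acl_len++] = grantee->name;
    return true;
}

/* Constructed sample: names and labels are made up for illustration. */
int main(void) {
    struct subject alice = { "alice", SECRET };        /* owner */
    struct subject bob   = { "bob",   INTERNAL };      /* not cleared */
    struct subject carol = { "carol", SECRET };        /* cleared */
    struct object  plan  = { "plan.docx", CONFIDENTIAL, "alice", {0}, 0 };

    printf("alice grants bob:   %s\n", owner_grant(&plan, &alice, &bob)   ? "recorded" : "refused by MAC");
    printf("alice grants carol: %s\n", owner_grant(&plan, &alice, &carol) ? "recorded" : "refused");
    printf("bob reads plan:     %s\n", aligned_allows_read(&bob, &plan)   ? "allowed" : "denied");
    printf("carol reads plan:   %s\n", aligned_allows_read(&carol, &plan) ? "allowed" : "denied");
    return 0;
}
```

The point to notice is in owner_grant: under pure DAC, alice could add bob to the ACL and the file would leak below its label; with the MAC check in the grant path, her discretion is bounded by the classification, which is what aligning DAC with MAC means in practice.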

Virtual Private Networks

A virtual private network (VPN) is used to extend a private network through the use of the internet in a secured manner. It provides a platform for remote users to get connected to the organization's private network.

With the help of VPN technology, remote users and branch offices can connect to the resources and applications hosted in the private network of the organization. To enable a VPN, a virtual point-to-point connection is established with a tunneling protocol over shared infrastructure; no dedicated circuit is needed.

VPN technology protects the confidentiality and integrity of critical data traveling through the internet.

VPNs – Technical Aspects

A VPN provides a platform to hide information from sniffers on the internet. Instead of using expensive dedicated leased lines, a VPN relies on public IP infrastructure, which is cost efficient. To protect the data, a VPN encrypts and authenticates the packets, commonly using the IP Security (IPSec) standards.

A VPN is enabled either through IPSec tunnel mode...

Biometrics

Biometric verification is a process through which a person can be uniquely identified and authenticated by measuring one or more of their physical or behavioral characteristics. Examples of biometric identifiers include palm or hand geometry, fingerprints, retina and iris patterns, voice, and DNA.

Biometrics – Accuracy Measure

The accuracy of a biometric system determines how well the system meets its objective. Accuracy is expressed through error rates: a matcher compares a live sample against an enrolled template and accepts when the similarity reaches a configured threshold, so every threshold setting produces a measurable rate of wrong acceptances and wrong rejections. This section will present a few biometric accuracy measures.

False Acceptance Rate

False acceptance rate (FAR) is the rate at which the system accepts an impostor, that is, an unauthorized person whose sample is wrongly matched to an enrolled template. In this case, the biometric control fails to restrict an unauthorized person and allows them access; from a security standpoint, FAR is the measure that matters most.

False Rejection Rate

False rejection rate (FRR) is the rate at which the system rejects a genuine user, that is, an authorized person whose sample fails to match their own template. In this case, the biometric control rejects even an authorized person, denying them...
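The two rates above, as an added example that is not from the book: a C routine that computes FAR and FRR over constructed matcher scores at a given threshold, then sweeps the thresholds to find where the two rates cross. The scores, the 0 to 1 similarity scale and the accept-when-score-at-or-above-threshold rule are assumptions for illustration, not measurements from any real system; the sweep to the crossover point goes one step beyond the text.

```c
#include <stddef.h>
#include <stdio.h>

/* A matcher returns a similarity score in [0,1]; the system accepts a sample
 * when its score is at or above the configured threshold (assumption). */
struct rates {
    double far;   /* false acceptance rate: impostors accepted / impostor attempts */
    double frr;   /* false rejection rate: genuine users rejected / genuine attempts */
};

struct rates rates_at(const double *genuine, size_t n_gen,
                      const double *impostor, size_t n_imp, double threshold) {
    size_t false_accepts = 0, false_rejects = 0;
    for (size_t i = 0; i < n_imp; i++)
        if (impostor[i] >= threshold) false_accepts++;   /* unauthorized, let in */
    for (size_t i = 0; i < n_gen; i++)
        if (genuine[i] < threshold) false_rejects++;     /* authorized, kept out */
    struct rates r = { (double)false_accepts / (double)n_imp,
                       (double)false_rejects / (double)n_gen };
    return r;
}

/* Sweep every observed score as a candidate threshold and return the one at
 * which FAR and FRR are closest, i.e. the crossover point. Raising the
 * threshold above it lowers FAR at the cost of FRR; lowering it does the reverse. */
double crossover_threshold(const double *genuine, size_t n_gen,
                           const double *impostor, size_t n_imp) {
    double best_t = 0.0, best_gap = 2.0;
    const double *sets[2] = { genuine, impostor };
    size_t lens[2] = { n_gen, n_imp };
    for (int s = 0; s < 2; s++) {
        for (size_t i = 0; i < lens[s]; i++) {
            double t = sets[s][i];
            struct rates r = rates_at(genuine, n_gen, impostor, n_imp, t);
            double gap = r.far > r.frr ? r.far - r.frr : r.frr - r.far;
            if (gap < best_gap) { best_gap = gap; best_t = t; }
        }
    }
    return best_t;
}

/* Constructed sample scores (made up for illustration, not measured data):
 * genuine users mostly score high, impostors mostly low, with some overlap. */
#define SAMPLE_N 10
const double SAMPLE_GENUINE[SAMPLE_N]  = { 0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.72, 0.68, 0.61, 0.55 };
const double SAMPLE_IMPOSTOR[SAMPLE_N] = { 0.15, 0.22, 0.28, 0.34, 0.41, 0.47, 0.52, 0.58, 0.63, 0.70 };

int main(void) {
    double thresholds[] = { 0.50, 0.60, 0.70, 0.75 };
    for (size_t i = 0; i < sizeof thresholds / sizeof thresholds[0]; i++) {
        struct rates r = rates_at(SAMPLE_GENUINE, SAMPLE_N, SAMPLE_IMPOSTOR, SAMPLE_N, thresholds[i]);
        printf("threshold %.2f  FAR %.2f  FRR %.2f\n", thresholds[i], r.far, r.frr);
    }
    printf("crossover threshold %.2f\n",
           crossover_threshold(SAMPLE_GENUINE, SAMPLE_N, SAMPLE_IMPOSTOR, SAMPLE_N));
    return 0;
}
```

On this sample, a threshold of 0.50 lets four of ten impostors in with no false rejections, 0.75 rejects four of ten genuine users but admits no impostor, and the two rates meet at 0.63. A security manager protecting a critical system would set the threshold above the crossover, accepting more false rejections in exchange for a lower FAR.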

Factors of Authentication

There are three authentication factors that can be used for granting access:

  • Something you know (for example, a password, PIN, or some other personal information)
  • Something you have (for example, a hardware token, a one-time password generator, or a smart card)
  • Something you are (for example, biometric features such as a fingerprint, iris scan, or voice pattern)

Two-factor authentication means combining two different factors from the preceding list. Two items of the same kind, such as a password and a PIN, are still a single factor. For critical systems, it is advisable to require more than one factor of authentication for granting access, so that the compromise of one factor, such as a leaked password, does not by itself grant entry.

From the user's perspective, two-factor authentication can cause additional hassle. Hence, the security manager should strike the correct balance between ease of access and control.

Password Management

Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks.

Strong and complex passwords should be one of the most important...

Wireless Networks

A network connection supporting communication between devices without the use of a cable or a wire is known as a wireless network. Cell phone networks and wireless local area networks are examples of wireless networks.

CISM aspirants should know about the following controls regarding the protection of wireless (Wi-Fi) security:

  • Encryption
  • Media access control (MAC) address filtering
  • Disabling service set identifier (SSID) broadcast
  • Disabling dynamic host configuration protocol (DHCP)

Encryption

Encryption is the process of converting data into an unreadable form. Encryption scrambles the data sent over the wireless network so that an intruder who captures the radio traffic cannot read it, and it is an effective way of restricting intruders' access to the wireless network. Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) are the two main families of Wi-Fi encryption. WEP is cryptographically broken and its keys can be recovered from captured traffic, so it should be treated as offering no protection. Wi-Fi Protected Access II (WPA2) with AES-CCMP is the minimum acceptable standard, and its successor, WPA3, is the strongest currently available. These encryption methods only protect...

Different Attack Methods for Information Security

A CISM aspirant should be aware of the following methods and techniques for information system attacks:

  • Alteration attack: In this type of attack, data or code is altered or modified without authorization. Cryptographic integrity checks, such as hashes, message authentication codes, and digital signatures, are used to detect an alteration attack, since any change to the protected data invalidates the check.
  • Botnets: A botnet is a network of compromised computers, also known as zombie computers or bots, controlled remotely by an attacker. They are primarily used to run malicious software for distributed denial of service (DDoS) attacks, adware, or spam.
  • Buffer overflow: A buffer overflow, also known as a buffer overrun, is one of the most common software coding errors that an attacker can exploit to gain unauthorized access to a system. A buffer overflow occurs when more data is written into a fixed-size buffer than it can hold. The excess data spills into adjacent memory.

Due to this, the attacker gets an opportunity to overwrite whatever sits next to the buffer, such as a variable the program trusts or a saved return address, and so turn the coding error into a malicious action.

A major cause of buffer overflow is...
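The spill described above, as an added example that is not from the book: a C program with the unchecked copy beside its hardened form. The record layout (a 16-byte name field followed by a flag byte) is an assumption chosen so that the overflow lands in memory the program still owns and the demonstration stays well-defined; in a real program the overwritten neighbour could be any adjacent variable, a saved return address, or heap metadata.

```c
#include <stdio.h>
#include <string.h>

/* A login record laid out as one byte array: offsets 0..15 hold the user
 * name, offset 16 holds a flag the program trusts later. Keeping both in the
 * same array makes the spill-over well-defined C, so it can be run safely
 * here (assumption for the demo; a real program would have a separate
 * variable, a saved return address or heap metadata next to the buffer). */
#define NAME_LEN   16
#define FLAG_OFF   NAME_LEN
#define RECORD_LEN (NAME_LEN + 4)   /* flag byte plus slack for the terminator */

/* Vulnerable: strcpy() stops at the input's NUL, not at the end of the name
 * field, so an input of NAME_LEN + 1 or more characters overwrites the flag.
 * Returns the flag as the program would later read it (0 = not admin).
 * Demo inputs must stay under RECORD_LEN bytes so the spill stays inside rec. */
int flag_after_unchecked_copy(const char *input) {
    unsigned char rec[RECORD_LEN];
    memset(rec, 0, sizeof rec);
    strcpy((char *)rec, input);           /* no bound on the copy */
    return rec[FLAG_OFF];
}

/* Hardened: measure first, refuse anything that does not fit including the
 * terminator, then copy exactly that many bytes. Returns the flag (always
 * still 0) or -1 when the input is rejected. */
int flag_after_checked_copy(const char *input) {
    unsigned char rec[RECORD_LEN];
    size_t len = strlen(input);
    memset(rec, 0, sizeof rec);
    if (len >= NAME_LEN)                  /* NAME_LEN - 1 chars plus NUL is the limit */
        return -1;
    memcpy(rec, input, len);
    rec[len] = '\0';
    return rec[FLAG_OFF];
}

int main(void) {
    char ok[] = "alice";
    char evil[NAME_LEN + 2];              /* 17 characters: one past the field */
    memset(evil, 'A', NAME_LEN + 1);
    evil[NAME_LEN + 1] = '\0';

    printf("unchecked, \"%s\": flag=%d\n", ok, flag_after_unchecked_copy(ok));
    printf("unchecked, 17 x 'A':   flag=%d (0x%02x)\n",
           flag_after_unchecked_copy(evil), flag_after_unchecked_copy(evil));
    printf("checked,   \"%s\": flag=%d\n", ok, flag_after_checked_copy(ok));
    printf("checked,   17 x 'A':   result=%d (rejected)\n", flag_after_checked_copy(evil));
    return 0;
}
```

With "alice" both versions leave the flag at 0. With seventeen 'A' characters the unchecked copy returns 65 (the byte value of 'A'), which any later test of the form `if (flag)` treats as true; the checked copy refuses the input before touching memory. Exactly sixteen characters is the boundary case: the unchecked copy places only the terminating NUL on the flag, so it still reads 0, while the checked copy already rejects it because the terminator would not fit.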

Summary

In this chapter, you learned about the infrastructure and architecture of information security. This chapter will help the CISM candidate understand important methods, tools, and techniques to develop a security program in an effective and efficient manner.

You also explored security architecture in line with industry best practices and access control requirements including biometrics and authentication factors.

The next chapter will cover the practical aspects of information security program development and management.

Revision Questions

  1. Which of the following is most effective to address the risk of dumpster diving?
    1. Security awareness training
    2. Policy for discarding documents
    3. Placing CCTV above bins
    4. Purchasing high-speed shredders
  2. The best way to control the activity of an intruder masquerading as an authorized user and connecting to the corporate network is:
    1. Encrypting the network traffic
    2. Deploying an intrusion prevention system
    3. Two-factor authentication
    4. Use of a digital signature
  3. What is the most important aspect to secure credit card data while using the card at point of sale?
    1. Authorization
    2. Authentication
    3. Encryption
    4. Digital signature
  4. A SQL injection attack can best be prevented by:
    1. An intrusion prevention system
    2. An intrusion detection system
    3. Periodic audits
    4. Periodic security awareness training
  5. A man-in-the-middle attack between two computers can be prevented by:
    1. Use of two-factor authentication
    2. Establishing a connection through an IPv6 security virtual private network
    3. Conducting periodic security...