IDS Review
Published by: adiltsa on Aug 05, 2009
Introduction—
The specialised nature of information systems (IS) auditing, and the skills necessary to perform such audits, require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet this need. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community.
Objectives—
The objectives of the ISACA IS Auditing Standards are to inform:
- IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
- Management and other interested parties of the profession’s expectations concerning the work of practitioners
The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.
Scope and Authority of IS Auditing Standards—
The framework for the IS Auditing Standards provides multiple levels of guidance:
- Standards define mandatory requirements for IS auditing and reporting.
- Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
- Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same results. In determining the appropriateness of any specific procedure, group of procedures or test, IS auditors should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.
The words audit and review are used interchangeably. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.htm.
Holders of the Certified Information Systems Auditor (CISA®) designation are to comply with IS Auditing Standards adopted by ISACA. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.
Development of Standards, Guidelines and Procedures—
The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.
 
The following C
OBI
T
resources should be used as a source of best practice guidance:
 
Control Objectives
—High-level and detailed generic statements of minimum good control
 
Control Practices
—Practical rationales and how-to-implement guidance for the control objectives
 
 Audit Guidelines
—Guidance for each control area on how to: obtain an understanding, evaluate each control, assess compliance, andsubstantiate the risk of controls not being met
 
Management Guidelines
—Guidance on how to assess and improve IT process performance, using maturity models, metrics andcritical success factors
 
Each of these is organised by the IT management process, as defined in the C
OBI
T
Framework 
. C
OBI
T is intended for use by businessesand IT management as well as IS auditors. Its usage allows for the understanding of business objectives and for the communication of bestpractices and recommendations around a commonly understood and well-respected standard reference.The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties tohelp identify emerging issues requiring new standards. Any suggestions should be e-mailed (
research@isaca.org 
), faxed (+1.847.253.1443)or mailed (address provided at the end of this guideline) to ISACA International Headquarters, for the attention of the director of researchstandards and academic relations.This material was issued on 1 May 2003.
Information Systems Audit and Control Association 2002-2003 Standards Board
Chair, Claudio Cilli, CISA, CISM, CIA, Ph.D., CISSP, KPMG, Italy
Claude Carter, CISA, CA, Nova Scotia Auditor General’s Office, Canada
Sergio Fleginsky, CISA, PricewaterhouseCoopers, Uruguay
Alonso Hernandez, CISA, ROAC, Colegio Economistas, Spain
Marcelo Hector Gonzalez, CISA, Central Bank of Argentina Republic, Argentina
Andrew MacLeod, CISA, FCPA, MACS, PCP, CIA, Brisbane City Council, Australia
Peter Niblett, CISA, CA, MIIA, FCPA, Day Neilson, Australia
John G. Ott, CISA, CPA, Aetna, Inc., USA
Venkatakrishnan Vatsaraman, CISA, ACA, AICWA, CISSP, Emirates Airlines, United Arab Emirates
 
IS AUDITING PROCEDURE
INTRUSION DETECTION SYSTEM (IDS) REVIEW
DOCUMENT P3
 
 
Page 2 Intrusion Detection System Review Procedure
1. BACKGROUND
1.1 Linkage to Standards
1.1.1 Standard S6 Performance of Audit Work states, “During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.”
1.2 Linkage to COBIT
1.2.1 The COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility, as well as to achieve its expectations, management must establish an adequate system of internal control."
 
1.2.2 The COBIT Management Guidelines provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
- Performance measurement—How well is the IT function supporting business requirements?
- IT control profiling—What IT processes are important? What are the critical success factors for control?
- Awareness—What are the risks of not achieving the objectives?
- Benchmarking—What do others do? How can results be measured and compared?
1.2.3 The Management Guidelines provide example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.
1.2.4 The Management Guidelines can be used to support self-assessment workshops, and they also can be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.
1.2.5 COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s information criteria.
1.2.6 Refer to the COBIT reference located in the appendix of this document for the specific objectives or processes of COBIT that should be considered when reviewing the area addressed by this guidance.
1.3 Need for Procedure
1.3.1 The purpose of this procedure is to provide the steps to be followed by IS auditors when reviewing an intrusion detection system (IDS).
1.3.2 This procedure is designed to provide the following:
- A definition of an IDS and how it functions
- The purpose and benefits of using an IDS
- The principal types of IDSs and the advantages and disadvantages of each
- Guidance on the conditions necessary to appropriately implement and administer an IDS
- Planning considerations when reviewing an IDS
- An overview of the audit approach
- Reporting issues
- Types of audit procedures and audit evidence
1.3.3 This procedure also defines IDS controls within the existing COBIT 3rd Edition Framework, published in 2000 by the IT Governance Institute.
2. WHAT IS AN IDS?
2.1 Definition
2.1.1 Intrusion detection is the process of detecting unauthorised use of systems and networks through the use of specialised software and/or hardware. The primary purpose of an IDS is to provide the ability to view network and system activity in real time and to identify unauthorised activity. In addition, it can provide a nearly real-time automated response. IDS products also provide the ability to analyse today's activity in relation to past activity to identify larger trends and problems.
2.2 Purpose and Benefits of an IDS
2.2.1 The primary purpose of performing intrusion detection is to help prevent the consequences caused by undetected intrusions. Implementing a programme of effective security controls is the starting point for establishing the supporting security infrastructure. Effective controls grow out of effective information security policies, standards and practices and the use of appropriate technology, meaning technology that supports and enforces the organisation’s policy effectively. Being able to detect an intrusion attempt in real time is an important aspect of intrusion detection. Knowing when an attack is in progress and being able to take immediate action significantly improves the odds of terminating the intrusion and tracing it to its source. Real-time detection depends upon having a watchdog system that sits in the background and monitors all activities involving the connected devices. The monitoring system must be able to interpret the events it sees and distinguish actual attacks from benign activity.
2.2.2 Most traditional IDSs take either a network-based or a host-based approach toward identifying and protecting against attacks. In either case, the IDS looks for attack signatures: specific patterns that ordinarily indicate malicious intent or suspicious activity. A truly effective IDS will employ both approaches.
 
 
2.3 Principal Types of IDSs
2.3.1 The principal types of IDSs are:
- Host-based
- Network-based
  - Statistical anomaly
  - Pattern matching
2.4 Host-based IDS
2.4.1 Host-based intrusion detection started in the early 1980s, before networks were as prevalent, complex and interconnected as they are today. In this simpler environment, it was common practice to review audit logs for suspicious activity. Because intrusions were rare, after-the-fact analysis proved adequate to prevent future attacks.
2.4.2 Host-based IDSs still use audit logs, but they are much more automated, having evolved to include more sophisticated and responsive detection techniques. Host-based IDSs typically monitor the system, event and security logs. When any of these logs changes, the IDS compares the new entries with attack signatures to determine whether there are any matches. If so, the system responds with administrator alerts and other calls to action. Host-based IDSs also monitor files on the system for changes, and for many products monitoring individual file changes is the primary function.
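The signature comparison described in 2.2.2 and 2.4.2 can be shown concretely. The following Python script is an added example and is not part of the ISACA procedure or of any IDS product: it runs a small hypothetical signature set over a few constructed auth-log lines (Linux sshd, sudo and useradd format), records every signature hit, and derives alerts from those hits. The signature names, the brute-force threshold and the log content are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample auth-log lines for the example (not taken from the original document).
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 10 09:12:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 09:12:05 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 10 09:12:09 web01 sshd[2201]: Accepted password for root from 203.0.113.7 port 51240 ssh2
Mar 10 09:15:44 web01 sshd[2310]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar 10 09:16:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 10 09:17:30 web01 useradd[2400]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup
"""

# Hypothetical signature set: (name, regex). Named groups capture the fields an alert reports.
SIGNATURES = [
    ("ssh_failed_login",
     re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    ("ssh_accepted_login",
     re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("sudo_sensitive_read",
     re.compile(r"sudo:\s+(?P<user>\S+) .*COMMAND=\S+ /etc/shadow")),
    ("new_local_account",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
]

# Assumed threshold: this many failed logins from one source is treated as a brute-force attempt.
BRUTE_FORCE_THRESHOLD = 3


def scan(log_text, signatures=SIGNATURES, threshold=BRUTE_FORCE_THRESHOLD):
    """Compare each new log entry with the signature set, as a host-based IDS does.

    Returns (matches, alerts):
      matches - one (line_no, signature_name, fields) tuple per signature hit
      alerts  - findings derived from the hits; the host log lets us say whether
                the brute-force attempt actually succeeded, which a purely
                network-based sensor usually cannot (see 2.4.5).
    """
    matches, alerts = [], []
    failed_by_src = Counter()
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for name, rx in signatures:
            m = rx.search(line)
            if not m:
                continue
            fields = m.groupdict()
            matches.append((line_no, name, fields))
            if name == "ssh_failed_login":
                failed_by_src[fields["src"]] += 1
                if failed_by_src[fields["src"]] == threshold:  # early warning
                    alerts.append({"kind": "brute_force_attempt", "line": line_no,
                                   "src": fields["src"], "user": fields["user"]})
            elif name == "ssh_accepted_login" and failed_by_src[fields["src"]] >= threshold:
                alerts.append({"kind": "brute_force_success", "line": line_no,  # verified success
                               "src": fields["src"], "user": fields["user"]})
            elif name == "sudo_sensitive_read":
                alerts.append({"kind": "sensitive_file_read", "line": line_no, "user": fields["user"]})
            elif name == "new_local_account":
                alerts.append({"kind": "new_local_account", "line": line_no, "user": fields["user"]})
    return matches, alerts


if __name__ == "__main__":
    hits, findings = scan(SAMPLE_LOG)
    print(f"{len(hits)} signature hits")
    for finding in findings:
        print(finding)
```

The fourth alert is the one a network sensor cannot produce reliably: it depends on seeing the host's own record that the login after the failed attempts was accepted. A real deployment would feed new log lines to scan() as they are written rather than re-reading the whole file, and would keep the failure counters per source within a time window.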
2.4.3 Host-based IDSs have expanded to include other technologies. One popular method of detecting intrusions checks key system files and executables via checksums at regular intervals, looking for unexpected changes. Because a change is only noticed on the next poll, the delay between a modification and its detection is bounded by the polling interval, so the timeliness of response is directly related to the polling frequency. Finally, some products monitor port activity and alert administrators when specific ports are accessed. This type of detection brings an elementary level of network-based intrusion detection into the host-based environment.
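The checksum polling in 2.4.3 can be shown as a minimal file-integrity monitor. The following Python script is an added example, not code from the ISACA procedure or from any IDS product: it snapshots a directory tree (SHA-256 digest, permission bits and size per regular file), then compares a later snapshot against the baseline to report added, removed and modified files. The demo builds a constructed toy tree in a temporary directory and tampers with it; the file names and contents are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, permission bits, size) for every regular file under root.

    Permission bits are recorded alongside the digest because a setuid bit added to an
    otherwise unchanged binary is an intrusion indicator a content checksum alone would miss.
    """
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (file_digest(p), st.st_mode & 0o7777, st.st_size)
    return snap


def compare(baseline, current):
    """Diff two snapshots. One poll = snapshot() + compare(); detection delay <= poll interval."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a toy etc/ and bin/ tree, tamper with it, and poll once."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        passwd, shadow, ls = root / "etc" / "passwd", root / "etc" / "shadow", root / "bin" / "ls"
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        shadow.write_text("root:$6$salt$hash:19000:0:99999:7:::\n")
        ls.write_bytes(b"\x7fELF" + b"\x00" * 60)  # stand-in for a binary
        os.chmod(passwd, 0o644)
        os.chmod(ls, 0o755)
        baseline = snapshot(root)  # in practice, keep this off-host or read-only (see 2.4.6)

        # Simulated intrusion between two polls: backdoor account appended, setuid bit
        # added to an otherwise unchanged binary, a new file dropped, shadow deleted.
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.chmod(ls, 0o4755)
        (root / "bin" / ".rootkit").write_bytes(b"\x7fELF" + b"\x01" * 60)
        shadow.unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Keeping the baseline on the monitored host is the weakness 2.4.6 describes: an attacker with root can rewrite the baseline as easily as the files. Store the baseline (or a keyed MAC over it) off-host or on read-only media, and remember that anything changed and restored between two polls is invisible to this method.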
2.4.4 Host-based IDSs are not as fast as their network counterparts; however, they do offer advantages that network-based systems cannot match. These advantages include stronger forensic analysis, close focus on host-specific event data and lower entry-level costs.
2.4.5 The advantages of host-based IDSs include:
- They verify the success or failure of an attack. While network-based IDSs provide an early warning, host-based IDSs provide verification of whether an attack was successful or not.
- They monitor specific system activities. Host-based IDSs can monitor all user activity while connected to the network. It is very difficult for a network-based system to provide this level of event detail.
- They detect attacks that are not identified by network-based systems. For example, attacks from a keyboard inside a network may not be detected by a network-based system.
- They are well-suited for encrypted and switched environments. Since host-based systems reside on various hosts throughout an enterprise, they can overcome some of the problems of network-based systems in switched and encrypted environments. Identifying where to place a network IDS on internal networks can be difficult when trying to provide broad coverage for the enterprise; a host-based system sees the traffic after the host has already decrypted it.
- They have nearly real-time detection and response. Many current host-based systems can receive an interrupt from the operating system when there is a new log file entry. This new entry can be processed immediately, significantly reducing the time between attack recognition and response.
- They do not require additional hardware. Host-based IDSs reside on existing network infrastructure, including file servers, web servers and other shared resources.
- They have a lower cost of entry. Network-based IDSs can offer broad coverage with little effort, but they are often expensive. Host-based intrusion detection agents are often priced in the hundreds of dollars each and can be deployed with limited initial funding.
2.4.6 The disadvantages of host-based IDSs include:
- Their capabilities are compromised as soon as the host machine is compromised.
- They add overhead to the operating system and require a copy for every protected machine on a network.
- They are frequently compared to antivirus tools, so users tend to deploy just the antivirus, even though the IDS provides security features not found in antivirus software.
- They are very application-specific.
- They must be able to interpret the log formats and event semantics of Windows NT, UNIX, VMS and other mainframe operating systems. There are very few IDSs today that provide that level of translation. Since portions of these systems reside on the host that is being attacked, host-based IDSs may be attacked and disabled by a clever attacker.
- They are not well-suited for detecting network scans of all hosts in a network, since the IDS at each host only sees the network packets that it specifically receives.
- They often have difficulty detecting and operating during denial-of-service attacks.
- They use the computing resources of the hosts they are monitoring.
 
2.5 Network-based IDSs
2.5.1 Network-based IDSs use raw network packets as the data source. Network-based IDSs typically utilise network adapters running in promiscuous mode to monitor and analyse network traffic in real time. Because such a sensor only listens and need not transmit on the monitored segment, it is extremely difficult for an attacker to detect and locate. Attack recognition functionality uses two common techniques to recognise an attack signature:
- Statistical anomaly detection
- Pattern, expression or byte-code matching
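The two recognition techniques listed in 2.5.1 can be shown side by side. The following Python script is an added example, not part of the ISACA procedure or of any commercial IDS: it runs over constructed packet summaries (source, destination port, payload), applies a small hypothetical set of byte-pattern signatures, and then applies a statistical-anomaly test that flags a source touching far more distinct destination ports than a constructed training baseline. It also shows one reason pattern matching needs a normalisation step: a percent-encoded path traversal escapes the raw signature until the payload is decoded. All addresses, payloads and thresholds are assumptions for the example.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed packet summaries for the example, (src, dport, payload); not real captures.
# "Normal" traffic used to build the anomaly baseline: each internal host talks to 1-3 ports.
TRAINING = [
    ("10.0.0.11", 80, b""), ("10.0.0.11", 443, b""),
    ("10.0.0.12", 443, b""),
    ("10.0.0.13", 80, b""), ("10.0.0.13", 443, b""), ("10.0.0.13", 53, b""),
    ("10.0.0.14", 25, b""), ("10.0.0.14", 443, b""),
    ("10.0.0.15", 443, b""), ("10.0.0.15", 80, b""), ("10.0.0.15", 443, b""),
]

# "Live" traffic: one benign client and one source that both probes many ports and sends exploits.
LIVE = [
    ("198.51.100.20", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("198.51.100.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("203.0.113.7", 80, b"GET /../../../etc/passwd HTTP/1.0\r\n\r\n"),
    ("203.0.113.7", 80, b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n\r\n"),  # same attack, percent-encoded
    ("203.0.113.7", 21, b"USER anonymous\r\n"),
    ("203.0.113.7", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("203.0.113.7", 23, b"\xff\xfd\x18"),
    ("203.0.113.7", 25, b"EHLO x\r\n"),
    ("203.0.113.7", 110, b"USER x\r\n"),
    ("203.0.113.7", 443, b"\x16\x03\x01"),
    ("203.0.113.7", 3306, b"\x00"),
    ("203.0.113.7", 8080, b"\x90" * 20 + b"/bin/sh\x00"),  # simplified stand-in for shellcode
]

# Hypothetical byte-pattern signatures: (name, regex over the payload bytes).
PATTERN_SIGNATURES = [
    ("http_path_traversal", re.compile(rb"GET\s+\S*\.\./")),
    ("shell_exec_string", re.compile(rb"/bin/sh")),
    ("nop_sled", re.compile(rb"\x90{16,}")),
]


def pattern_alerts(packets, signatures=PATTERN_SIGNATURES, normalise=True):
    """Pattern / byte-code matching. Returns (packet_index, signature_name, src) per hit.

    With normalise=False the percent-encoded traversal in LIVE is missed, the classic
    evasion against signature-only detection; decoding the payload first closes that gap.
    """
    hits = []
    for i, (src, _dport, payload) in enumerate(packets):
        data = unquote_to_bytes(payload) if normalise else payload
        for name, rx in signatures:
            if rx.search(data):
                hits.append((i, name, src))
    return hits


def distinct_ports_per_source(packets):
    seen = defaultdict(set)
    for src, dport, _payload in packets:
        seen[src].add(dport)
    return {src: len(ports) for src, ports in seen.items()}


def anomaly_alerts(training, live, k=3.0):
    """Statistical anomaly detection on one feature: distinct destination ports per source.

    The baseline is the mean and standard deviation over the training traffic; a live
    source more than k standard deviations above the mean is flagged (here: a port scan).
    Returns (src, observed_count, threshold) per flagged source.
    """
    base = list(distinct_ports_per_source(training).values())
    threshold = statistics.mean(base) + k * statistics.pstdev(base)
    return [(src, n, threshold)
            for src, n in distinct_ports_per_source(live).items() if n > threshold]


if __name__ == "__main__":
    for hit in pattern_alerts(LIVE, normalise=False):
        print("raw-pattern", hit)
    for hit in pattern_alerts(LIVE):
        print("normalised-pattern", hit)
    for src, n, thr in anomaly_alerts(TRAINING, LIVE):
        print(f"anomaly: {src} touched {n} ports (threshold {thr:.2f})")
```

The pattern matcher never fires on the port probes themselves (a SYN to port 3306 carries nothing to match), and the anomaly detector never sees the traversal; each technique covers what the other misses, which is why the procedure treats them as complementary. Note also that a baseline with zero variance collapses the anomaly threshold to the mean, so a training set that is too small or too uniform produces floods of false positives.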
 
2.5.2 The advantages of network-based IDSs include:
- Their greatest asset is stealth.
- They can be deployed with no effect on existing systems or infrastructure.
