
Information Management and Auditing

Information Assets Protection

An effective information security arrangement is the foundation for protecting assets and privacy.
The security objectives for information assets are:
Information integrity.
Confidentiality of sensitive data.
Adherence to anti-piracy and copyright arrangements.
Continued availability of data.
Conformity to applicable laws.

KEY ELEMENTS:
The key elements of information security management are:
Senior management commitment and support.
Policies and procedures.
Organization of the responsibilities.
Security awareness and education.
Monitoring and compliance.
Incident handling and response.
KEY TERMS:
CSIRT: Computer Security Incident Response Team.
CERT: Computer Emergency Response Team.
These teams should be formed, with clearly defined responsibilities, for incident handling.

ROLES AND RESPONSIBILITIES:

All responsibilities and accountabilities must be defined, documented, established and
communicated to all members. These responsibilities include:
a) Executive management: overall protection of information assets.
b) Process owners: ensure appropriate security measures consistent with established
organizational policies.
c) Users: follow the procedures (see below).
d) Data owners: determine classification levels to ensure the required degree of CIA
(confidentiality, integrity, and availability).
e) Chief Privacy Officer: articulate privacy laws to protect customers' and employees'
privacy.
f) IS security committee: devise security guidelines, policies, and procedures.
g) Security specialist: promulgate and assist with the design and implementation of
security policies.
h) IT developers: implement information security.
i) IS auditors: provide independent assurance to management as to the effectiveness of
information security.
j) External parties: include all external stakeholders.


Some procedures that USERS follow are:
Reading and agreeing to security policies.
Keeping login credentials (username and password) secret.
Locking their screen when idle.
Reporting suspected security violations.
Maintaining good physical security.
Adhering to applicable laws.
Key point:
Management should assign ownership and accountability for major information assets.

INFORMATION ASSETS INVENTORIES:


Inventory records of major information assets would include the following:
Identification.
Location.
Security classification.
Asset group.
Owner.

INFORMATION ASSETS CLASSIFICATION:


Different information has different degrees of sensitivity. Assigning classes of sensitivity helps
establish access control. Classification should be simple and should consider legal/contractual
terms.
Key point:
Classification reduces the risk of OVERPROTECTING or UNDERPROTECTING the information.
Data classification should define:
Who may access the information.
The access level (read, write, execute, etc.).
Who decides the access persons and levels.
The approvals required.

SYSTEM ACCESS:
The ability to do something with a computer, such as CREATE, MODIFY, DELETE, EXECUTE, or
CONNECT, is termed system access.
TYPES OF SYSTEM ACCESS CONTROLS:
System access control can be logical or physical:
a) Logical system access control:
It provides technical means of controlling:
The information users can utilize.
The programs or transactions they can run.
The modifications they can make.
It can be implemented through the O/S, separate software, or application built-in controls.
b) Physical system access control:
It restricts the entry and exit of personnel. Physical controls include badges, memory cards,
guard keys, locks, and biometrics.
Key note:
System access (logical or physical) should be granted on a documented need-to-know basis.
Other points:


The information owner is responsible for establishing system access.
Access capabilities are implemented by the security administrator.
Access capabilities should be reviewed periodically.
Non-employees (contract employees, vendor employees, maintenance personnel, clients,
auditors, and consultants) should also adhere to the security policies.

IMPORTANT:
Access controls can be either mandatory or discretionary:
Mandatory access control is a mechanism to enforce corporate security policy or security
rules dealing with information resource sharing.
Discretionary access control is data-owner-defined sharing of access.

PRIVACY ISSUES:
Privacy defined:
Privacy is adherence to the trust and obligations attached to any information relating to an
identified or identifiable individual.
Critical points:
Management is responsible for adhering to privacy requirements. The IS auditor is NOT responsible
for the contents of the database. IS auditors may also take expert opinion.
The IS auditor has to review management's privacy policies, which include:
Nature of information.
Documentation.
Accountability for privacy issues.
Reduction in privacy modifications.
CRITICAL SUCCESS FACTORS:
Managerial commitment and support.
Updated policies and procedures reflecting business objectives.

CRIMES AND EXPOSURES:


Computer crimes can damage the reputation, morale, and viability of an organization. Threats
related to crimes can be classified as:
Financial loss.
Legal repercussions (consequences).
Loss of credibility (competitive edge).
Blackmail/industrial espionage.
Disclosure of confidential, sensitive information.
Sabotage (bad corporate image).
CRIME PERPETRATORS
Computer crime perpetrators can include:
a) Hackers: persons able to explore system details and exploit them.
b) Script kiddies: persons who use pre-written scripts and programs to perform their tasks.
c) Crackers: persons who illegally try to break security measures.
d) Employees (authorized or unauthorized).
e) IS personnel: custodians of information.
f) End users.
g) Former employees, especially those who leave the organization on unfavorable terms.
h) Interested or educated outsiders: competitors, foreigners, criminals, etc.
i) Temporary personnel.


j) Third parties: vendors, consultants, etc.
k) Accidental or ignorant users.

LOGICAL ACCESS Exposures


In applying management-designed policies and procedures for protecting information assets,
logical access controls are the primary means of managing and protecting these resources.
Trojan horses/backdoors:
It involves hiding malicious code in an authorized computer program. The code is executed
whenever the program is executed. For example, skimming an unnoticeable amount from each
payroll cheque and transferring it to the perpetrator's account.
Rounding down:
Drawing off small (fractional) amounts to the perpetrator's account is called rounding down.
Salami techniques:
It truncates some part of the amount rather than rounding it off.
Viruses:
A virus is malicious program code inserted into other executable code that can self-replicate
and spread from computer to computer.
Worms:
These are destructive programs that may destroy data or consume tremendous computer and
communication resources but do not replicate like viruses.
Logic bombs:
These are similar to computer viruses but they do not self-replicate.
Trap doors:
These are exits out of an authorized program that allow insertion of specific logic, such as
program interrupts, to permit a view of data during processing.
Asynchronous attacks:
They occur in multiprocessing environments where data move asynchronously.
Data leakage:
It involves leaking information out of the computer.
Wire tapping:
It involves eavesdropping (spying) on information being transmitted over telecommunication
lines.
Key note:
The IS auditor needs a thorough understanding of the organization's IT environment to
effectively assess logical access controls.
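An auditor's reconciliation test for the rounding-down and salami exposures above, added here as an example (not part of the original notes). A batch of interest postings is recomputed with the rounding the policy requires and compared account by account with what was posted; the balances, rate and account numbers are constructed sample data.

```python
"""Added example (not from the notes): an auditor's reconciliation test for the
rounding-down and salami exposures described above. A batch of interest
postings is recomputed with the rounding the policy requires and compared,
account by account, with what was actually posted. Balances, rate and account
numbers are constructed sample data."""
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

RATE = Decimal("0.0375")   # constructed annual interest rate
CENT = Decimal("0.01")

# Constructed sample accounts: balance per account.
BALANCES = {"A-1001": Decimal("1234.56"),
            "A-1002": Decimal("3333.33"),
            "A-1003": Decimal("999.99")}


def expected_interest(balance: Decimal) -> Decimal:
    """Control computation: interest rounded half up to the cent."""
    return (balance * RATE).quantize(CENT, rounding=ROUND_HALF_UP)


def truncated_interest(balance: Decimal) -> Decimal:
    """What a rounding-down routine posts: the fraction of a cent is dropped.
    Used here only to generate the discrepancy the audit must find."""
    return (balance * RATE).quantize(CENT, rounding=ROUND_DOWN)


def build_clean_batch() -> dict:
    """account -> (balance, posted amount), all posted correctly."""
    return {a: (b, expected_interest(b)) for a, b in BALANCES.items()}


def build_suspect_batch() -> dict:
    """Same accounts, but each posting is truncated and the dropped slices
    are swept into a collector account that has no balance of its own."""
    batch = {a: (b, truncated_interest(b)) for a, b in BALANCES.items()}
    swept = sum((expected_interest(b) - truncated_interest(b)
                 for b in BALANCES.values()), Decimal("0"))
    batch["X-9999"] = (Decimal("0"), swept)
    return batch


def reconcile(batch: dict) -> dict:
    """Per-account residual (recomputed minus posted) and the batch total."""
    residuals = {}
    for acct, (balance, posted) in batch.items():
        diff = expected_interest(balance) - posted
        if diff != 0:
            residuals[acct] = diff
    return {"residuals": residuals,
            "total": sum(residuals.values(), Decimal("0"))}


def audit_findings(batch: dict) -> list:
    """Every non-zero residual is an exception for the reviewer. Note that the
    batch TOTAL of the suspect batch is zero: the slices moved, they did not
    vanish, so a total-only control passes and only the per-account
    recomputation exposes the scheme."""
    result = reconcile(batch)
    return [f"{acct}: posted differs from recomputed interest by {diff}"
            for acct, diff in result["residuals"].items()]
```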

LOGICAL ACCESS Paths


The general nodes of access are the following:
1) Network connectivity:
Access is gained by physically connecting a PC to a segment of the organization's network.
Such access requires user identification and authentication.
2) Remote access:
A user dials in remotely to the organization's server through a formal logon process.
A networked environment would include the following traditional entry points:
a) Operator console: these are the privileged computer terminals used to perform most
computer operations. They should be physically secured.
b) Online terminal: access through a proper login system.


LOGICAL ACCESS Control software


To achieve the CIA of information, access control software is used. This software prevents
unauthorized access to the organization's critical data and processes. The greatest degree of
protection is at the network and O/S platforms.
GENERAL O/S CONTROLS
Applying user identification and authentication mechanisms.
Restricting logon IDs to specific terminals.
Establishing rules.
Creating individual accountability.
Creating or changing user profiles.
Logging events.
Reporting capabilities.
DATABASE/APPLICATION CONTROLS
Creating or changing data files and database profiles.
Verifying user authorization at the application level.
Verifying user authorization at the field level for data modification.
Access control software is provided at different levels within an IS architecture, each having
a certain degree of security.

LOGICAL ACCESS Auditing


The IS auditor needs to perform the following evaluations:
General understanding of security risks through documentation, enquiry, observation, etc.
Document and evaluate controls over potential access paths.
Perform control tests to ensure functionality.
Assess whether control objectives are achieved.
Assess whether the security environment is adequate and as per standards.
The STEPS are:
Familiarization with the IS environment.
Document access paths.
Interview systems personnel.
Review reports from access control software.
Review the application systems operations manual.

IDENTIFICATION AND AUTHENTICATION:


Identification and authentication (I&A) is the process of proving one's identity. There is a high
risk of unauthorized access in the absence of I&A procedures.
I&A VULNERABILITIES
Weak authentication methods.
Potential for users to bypass the authentication mechanism.
Lack of confidentiality and integrity for stored authentication information.
Lack of encryption of authentication information.

I&A TECHNIQUES
I&A techniques are generally categorized on the following bases:
1) Something you know: passwords.
2) Something you have: token card.
3) BIOMETRICS:
a. Something you are: biometric features (physical).
b. Something you do: signature and voice recognition (behavioral).


SOMETHING YOU KNOW


I&A based on something you know consists of IDs and passwords.
The login ID provides individual identification and is given uniquely to each user.
The password provides individual authentication.
Password features:
Should be easy to remember, but difficult for a perpetrator to guess.
The initial password can be either system generated or administrator assigned.
The system should force the user to change the password at initial login.
After a specified number of wrong password entries, the account should be locked.
An account deactivated because of a forgotten password is reactivated by the system
administrator after inquiry.
Passwords should be changed periodically.
I&A best practices:
Login IDs not used for a number of days should be locked, either manually or automatically.
A login session should end when there is no activity for some time, say 10 minutes.
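The password features and best practices above, worked into a small policy engine as an added example (not part of the original notes). The limits used (3 wrong attempts, 90-day expiry, 30-day inactivity lock) and the account data are constructed values; the 10-minute idle timeout is the one given in the notes.

```python
"""Added example (not from the notes): a minimal login-ID/password policy engine
applying the rules listed above: a forced change at first login, lockout after a
set number of wrong passwords, periodic expiry, locking of IDs unused for a
number of days, and a 10-minute idle session timeout. The limits (3 attempts,
90-day expiry, 30-day inactivity) and the account data are constructed values."""
import hashlib
import os
import secrets
from datetime import datetime, timedelta

MAX_FAILED = 3
PASSWORD_AGE = timedelta(days=90)
INACTIVE_LOCK = timedelta(days=30)
IDLE_TIMEOUT = timedelta(minutes=10)
BASE = datetime(2024, 1, 1, 9, 0)


def at(day: int, minute: int = 0) -> datetime:
    """Clock helper for the examples: BASE plus the given offset."""
    return BASE + timedelta(days=day, minutes=minute)


def _hash(password: str, salt: bytes) -> bytes:
    # Stored authentication information is a salted PBKDF2 hash, never the
    # plaintext (one of the I&A vulnerabilities listed above).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, login_id: str, initial_password: str, now: datetime):
        self.login_id = login_id
        self.salt = os.urandom(16)
        self.digest = _hash(initial_password, self.salt)
        self.must_change = True      # initial password was assigned, not chosen
        self.changed_at = now
        self.last_used = now
        self.failed = 0
        self.locked = False

    def verify(self, password: str) -> bool:
        return secrets.compare_digest(self.digest, _hash(password, self.salt))

    def change_password(self, new_password: str, now: datetime) -> None:
        self.salt = os.urandom(16)
        self.digest = _hash(new_password, self.salt)
        self.changed_at = now
        self.must_change = False

    def reactivate(self, now: datetime) -> None:
        """Done by the system administrator after inquiry."""
        self.locked, self.failed, self.last_used = False, 0, now


def login(acct: Account, password: str, now: datetime) -> str:
    """Outcome: 'ok', 'change_required', 'expired', 'denied' or 'locked'."""
    if acct.locked:
        return "locked"
    if now - acct.last_used > INACTIVE_LOCK:      # ID unused for too many days
        acct.locked = True
        return "locked"
    if not acct.verify(password):
        acct.failed += 1
        if acct.failed >= MAX_FAILED:             # too many wrong entries
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed = 0
    acct.last_used = now
    if acct.must_change:
        return "change_required"
    if now - acct.changed_at > PASSWORD_AGE:      # periodic change overdue
        return "expired"
    return "ok"


def session_active(last_activity: datetime, now: datetime) -> bool:
    """A login session ends once there is no activity for IDLE_TIMEOUT."""
    return now - last_activity < IDLE_TIMEOUT
```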
SOMETHING YOU HAVE
A microprocessor-controlled smart card generates a one-time password good for only one logon
session. The user enters this password together with a password he has memorized to get
system access.
BIOMETRICS
Biometric features are the best means of authenticating a user's identity, based on unique,
measurable attributes for verifying the identity of a human being.
Physical biometric features can be classified as:
a) Palm.
b) Hand geometry.
c) Iris.
d) Retina.
e) Fingerprint.
f) Face.
Behavioral-oriented features include:
a) Signature recognition or signature dynamics.
b) Voice recognition.

SINGLE-SIGN-ON (SSO)
Users have to access a number of resources during a typical workday; therefore, they have to
authenticate themselves a number of times. Users normally cannot memorize many passwords,
and there is an increased likelihood that the password information will be written down near the
workstation.
SSO means consolidating all of the organization's platform-based administration, making
authentication and authorization functions a single centralized administrative function.
The SSO server handling this information is called the primary domain.
Advantages:
Multiple passwords are no longer required.
Improves managers' ability to manage user accounts.
It improves efficiency.
Disadvantages:
Difficult for all operating systems to support.
Costly.
A centralized failure could cause huge disruption.
Social engineering:


No matter how strong the security system of an organization is, it does not work unless its
employees are committed and aware of the security implications. Management should install a
program for ongoing employee awareness regarding security issues.

AUTHORIZATION ISSUES
Access rules specify WHO can access WHAT. Access should be documented. Computer access
can be of varying degrees or levels, for example:
Read, write, and copy only.
Write, execute, update, or delete only.
Execute only.
A combination of the above.
The least dangerous access type is READ ONLY.
ACCESS CONTROL LISTS:
Access control lists (ACLs) refer to the register of:
Authorized usernames.
Access permitted.
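The mandatory/discretionary distinction and the ACL register described above, combined in one access check as an added example (not part of the original notes). The classification labels, users and permissions are constructed for illustration.

```python
"""Added example (not from the notes): an access-rule check that combines a
mandatory access control test on classification labels with the discretionary
register (ACL) kept by each data owner. Labels, users and permissions are
constructed for illustration."""
from dataclasses import dataclass, field

# Constructed sensitivity classes, in increasing order of protection.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
ACCESS_TYPES = {"read", "write", "execute", "delete"}


@dataclass
class Asset:
    name: str
    classification: str                      # from the asset inventory record
    owner: str                               # data owner; defines the ACL entries
    acl: dict = field(default_factory=dict)  # username -> set of access types


@dataclass
class User:
    name: str
    clearance: str


def mac_permits(user: User, asset: Asset, access: str) -> bool:
    """Corporate rule enforced regardless of the owner's wishes: no reading
    above one's clearance, and no writing to a lower class (that could carry
    higher-classified content into a less protected file)."""
    u, a = LEVELS[user.clearance], LEVELS[asset.classification]
    if access in ("read", "execute"):
        return u >= a
    return u <= a  # write, delete


def dac_permits(user: User, asset: Asset, access: str) -> bool:
    """Owner-defined rule: the owner may do anything; anyone else needs an
    ACL entry listing that access type."""
    if user.name == asset.owner:
        return True
    return access in asset.acl.get(user.name, set())


def grant(owner: User, asset: Asset, grantee: str, access: str) -> None:
    """Only the data owner may extend the register of authorized usernames."""
    if owner.name != asset.owner:
        raise PermissionError(f"{owner.name} is not the owner of {asset.name}")
    if access not in ACCESS_TYPES:
        raise ValueError(f"unknown access type {access!r}")
    asset.acl.setdefault(grantee, set()).add(access)


def check_access(user: User, asset: Asset, access: str) -> bool:
    """Access is allowed only when both the mandatory policy and the
    discretionary ACL allow it; READ is the least dangerous type, so it is
    the one owners normally grant first."""
    return mac_permits(user, asset, access) and dac_permits(user, asset, access)
```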
REMOTE ACCESS SECURITY:
Organizations require remote connectivity to their information system.

NETWORK INFRASTRUCTURE SECURITY


Communication networks include a variety of devices. Control is established through a network
control terminal and specialized communication software. The controls over communication
networks are:

LAN SECURITY:
LANs facilitate the storage and retrieval of programs and data used by a group of people. LAN
software and practices also need to provide for the security of these programs and data.
INFORMATION REQUIRED:
LAN topology and network design.
The LAN administrator and his/her functions.
Groups of users.
Applications used on the LAN.
Standards and procedures.
RISKS AND ISSUES:
The administrative and control functions available with network software might be limited.
Software vendors and network users have recognized the need to provide diagnostic
capabilities to identify the cause of problems when the network goes down or functions in an
unusual manner. The use of logon IDs and passwords with associated administration facilities is
only now becoming standard.
DIAL-UP ACCESS CONTROLS:


It is possible to break LAN security through the dial-in route. Without dial-up access controls, a
caller can dial in and try passwords until they gain access. Once in, they can hide pieces of
software anywhere, pass through wide area network (WAN) links to other systems and generally
create as much or as little havoc as they like. To minimize the risk of unauthorized dial-in
access, remote users should never store their passwords in plain-text login scripts on notebooks
and laptops.
Dial-back procedures:
When a dial-up line is used, access should be restricted by a dial-back mechanism, by calling
line identity to verify the calling number, or by strong two-factor authentication. Dial-back
interrupts the telecommunications dial-up connection to the computer by dialing back the caller
to validate the user's authority. Once a dial-up connection is made, logical access controls should
provide the same restrictions as if the user were using a terminal from within the organization.
When a call is answered by the modem, the caller must enter a code. The modem hangs up the
connection, looks up the code, and calls the caller back if the code is authenticated.

CLIENT/SERVER SECURITY:
A client/server system typically contains numerous access points. Security procedures for these
server environments are usually neither as well understood nor as well protected as a
mainframe-based processing environment. Client/server systems use distributed techniques,
creating an increased risk of access to data and processing. To effectively secure the
client/server environment, all access points should be identified.

INTERNET SECURITY:
IMPACT OF INTERNET THREATS:
Loss of income.
Increased cost of recovery.
Increased cost of retrospectively securing systems.
Loss of information.
Loss of trade secrets.
Damage to reputation.
Legal and regulatory noncompliance.
Failure to meet contractual commitments.
CAUSAL FACTORS FOR INTERNET ATTACKS:
Availability of tools and techniques on the Internet.
Lack of security awareness and training.
Exploitation of security vulnerabilities.
Inadequate security over firewalls.

FIREWALL:
Every time a corporation connects its internal computer network to the Internet, it faces
potential danger. Because of the Internets openness, every corporate network connected to it
is vulnerable to attack. Hackers on the Internet could theoretically break into the corporate
network and do harm in a number of ways: steal or damage important data, damage individual
computers, etc.
Firewalls are hardware and software combinations that are built using routers, servers and a
variety of software. They should sit in the most vulnerable point between a corporate network
and the Internet and they can be as simple or complex as a corporate information security
policy demands.
WHY?


Block access from the Internet.
Limit traffic.
Prevent certain users.
Monitor communication.
Encrypt packets.

TYPES:
1) Router packet filtering:
A screening router examines the header of every packet of data traveling between the
Internet and the corporate network. Packet headers contain information including the IP
addresses of the sender and receiver and the port numbers (application or service)
authorized to use the information transmitted.
Advantages: Simple.
Disadvantages: Vulnerable to attack due to the direct exchange of packets.
2) Application firewall systems:
There are two types, referred to as application-level and circuit-level firewall systems. They
provide greater protection capabilities than packet filtering routers. These firewalls allow
information to flow between systems but do not allow the direct exchange of packets.
Advantages: Provide security for commonly used protocols and hide the internal network
from the outside untrusted network.
Disadvantages: Poor performance as usage increases.
3) Stateful inspection firewalls:
A stateful inspection firewall keeps track of the destination IP address of each packet that
leaves the organization's internal network.
Advantages: Efficient.
Disadvantages: Complex to administer.
FIREWALL ISSUES:
Problems faced by organizations that have implemented firewalls are:
A false sense of security exists where management feels that no further security checks and
controls are needed on the internal network.
The circumvention of firewalls through the use of modems connecting users directly to
Internet service providers.
Misconfigured firewalls allowing unknown and dangerous services to pass through freely.
The misunderstanding of what constitutes a firewall.
Monitoring activities do not occur on a regular basis.
Firewall policies are not regularly maintained.


INTRUSION DETECTION:
An intrusion detection system (IDS) works in conjunction with routers and firewalls by monitoring
network usage for anomalies. It protects the company's IS from both internal and external misuse.
It notifies the administrator when it detects a perceived threat.
CATEGORIES:
There are two broad categories of IDS:
a) Network-based IDS:
They identify attacks within the monitored network and issue warnings to the operator.
b) Host-based IDS:
They are configured for specific environments and monitor various internal resources and the
O/S to warn of possible attacks.
An IDS is a complement to, not a substitute for, a firewall.


COMPONENTS:

TYPES:
a) Signature-based:
Detects intrusions based on stored signatures.
b) Statistical-based:
Detects intrusions based on deviations from expected behavior.
c) Neural-based:
Monitors general patterns of network activity with an added learning capability.
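The signature-based and statistical-based approaches above, run over constructed web-server log lines as an added example (not part of the original notes). The log lines, the stored signatures and the deviation threshold are all constructed.

```python
"""Added example (not from the notes): the signature-based and statistical-based
approaches described above, run over a constructed sample of web-server access
log lines ("<client> <path> <status>"). The signature detector matches stored
patterns; the statistical detector learns the expected request rate per client
from a baseline and flags clients that deviate from it. Log lines, signatures
and the threshold are constructed."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: normal traffic, 2-4 requests per client.
BASELINE = "\n".join([
    "10.0.1.5 /index.html 200", "10.0.1.5 /about.html 200", "10.0.1.5 /contact 200",
    "10.0.1.9 /index.html 200", "10.0.1.9 /products 200", "10.0.1.9 /cart 200",
    "10.0.1.9 /checkout 200",
    "10.0.1.12 /index.html 200", "10.0.1.12 /news 200", "10.0.1.12 /about.html 200",
    "10.0.1.20 /index.html 200", "10.0.1.20 /products 200",
])

# Constructed observation window: one client sends a traversal request (caught
# by a signature) and another hammers /login (no signature, but an anomaly).
OBSERVED = "\n".join(
    ["10.0.1.5 /index.html 200", "10.0.1.5 /products 200",
     "203.0.113.7 /cgi-bin/../../etc/passwd 404", "203.0.113.7 /index.html 200"]
    + ["198.51.100.3 /login 401"] * 40
)

# Stored signatures: known-bad request patterns.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sensitive file request": re.compile(r"/etc/passwd"),
}


def parse(log: str):
    for line in log.splitlines():
        client, path, status = line.split()
        yield client, path, int(status)


def signature_alerts(log: str) -> list:
    """Signature-based: alert on every request matching a stored pattern."""
    alerts = []
    for client, path, _ in parse(log):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((client, name))
    return alerts


def statistical_alerts(baseline: str, observed: str, z_limit: float = 3.0) -> list:
    """Statistical-based: expected behaviour is the baseline mean requests per
    client; a client is flagged when its observed count lies more than
    z_limit standard deviations above that mean."""
    base = Counter(client for client, _, _ in parse(baseline))
    mu, sigma = mean(base.values()), pstdev(base.values())
    sigma = sigma or 1.0     # degenerate baseline: avoid division by zero
    observed_counts = Counter(client for client, _, _ in parse(observed))
    return [(client, n) for client, n in observed_counts.items()
            if (n - mu) / sigma > z_limit]
```

The login flood raises no signature alert and the traversal request is a single line the rate check never notices, which is why the notes list both detector types rather than one.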

ENCRYPTION:
Encryption is a method of converting a plaintext message into a ciphertext message that
cannot be understood without converting it back (decryption). The process is performed through a
mathematical function and a special password called the KEY.
WHY?
Encryption is performed to:
Protect important data from unauthorized access.
Detect accidental or intentional modification of data.
Verify the authenticity of a transaction or document.
ELEMENTS:
There are three elements of an encryption system:
1) Algorithm: a mathematical function.
2) Key: a unique piece of information used in the process, similar to a password.
3) Key length: a predetermined length for the key.
CRYPTOGRAPHIC SYSTEMS:
There are two kinds of cryptographic system:
a) Private key cryptographic systems:
They are based on symmetric encryption algorithms, which use a secret (private) key to
encrypt the plaintext into the ciphertext. They use the same key to decrypt the ciphertext
back to the corresponding plaintext. DES (Data Encryption Standard) is a private key
cryptographic system.
b) Public key cryptographic systems:
They are based on an asymmetric encryption process in which two keys work together as a
pair. One key is used to encrypt data; the other is used to decrypt data. Either key can be used
to encrypt or decrypt, but once one key has been used to encrypt data, only its partner can
be used to decrypt the data.


QUANTUM CRYPTOGRAPHY:
It is the next generation of cryptography, intended to solve existing problems associated with
current cryptographic systems. Proven in laboratory research as a commercially viable
technology, quantum cryptography taps the natural uncertainty of the quantum world (using
the interaction of light pulses as a way of transmitting keys and secure information).
DIGITAL SIGNATURES:
A digital signature is an electronic identification of a person or entity created by using a public
key algorithm and intended to verify to a recipient the integrity of the data and the identity of the
sender. To verify the integrity of the data, a cryptographic hashing algorithm is computed against
the entire message, which generates a small fixed-length string, usually about 128 bytes in length.
This process, also referred to as a digital signature algorithm, creates a message digest (i.e., a
smaller extrapolated version of the original message).
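The hash-then-sign process above and the key-pair behaviour from the public key section, worked through as an added example (not part of the original notes). RSA is assumed as the public key algorithm, and the fixed Mersenne primes give a toy key far too small for real use; they are there only to show the mechanics.

```python
"""Added example (not from the notes): the hash-then-sign process described
above, worked with a textbook RSA key pair built from two fixed Mersenne
primes. RSA and the toy key sizes are assumptions made to show the mechanics
(a real key is far larger): the digest is transformed with the private key and
only the partner public key verifies it; a changed message or a foreign key fails."""
import hashlib


def make_toy_keypair(p: int, q: int, e: int = 65537):
    """Returns (public, private) as (n, exponent) pairs. p and q must be prime
    and (p-1)(q-1) coprime to e; the primes used below satisfy this."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def message_digest(message: bytes, n: int) -> int:
    """Cryptographic hash over the ENTIRE message, reduced into the modulus
    because the toy key is smaller than a SHA-256 digest (real schemes pad
    the digest instead of reducing it)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender: digest the message, then apply the private exponent."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: recompute the digest and compare it with the signature
    opened under the sender's public key. Any change to the message changes
    the digest, so integrity and sender identity are checked together."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


# Constructed toy keys: 2^61-1, 2^31-1, 2^19-1 and 2^17-1 are all primes.
SENDER_PUB, SENDER_PRIV = make_toy_keypair((1 << 61) - 1, (1 << 31) - 1)
OTHER_PUB, OTHER_PRIV = make_toy_keypair((1 << 19) - 1, (1 << 17) - 1)
```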

AUDITING NETWORK INFRASTRUCTURE SECURITY


The IS auditor needs to evaluate the following with reference to the network infrastructure:


REMOTE ACCESS AUDIT:


There are some tools used to audit remote access:

POINTS OF PRESENCE:
When auditing an organization's presence on the Internet, the IS auditor should review the use of
the Internet in the following areas:
a) Email.
b) Marketing.
c) E-commerce.
d) Delivery channels.
e) Information gathering.
NETWORK PENETRATION TESTS: (simulation of a real hacking attack)
These are effective methods of determining real-time risks in an information processing
environment. The IS auditor attempts to bypass the security features of a system and exploit
vulnerabilities to gain access that would otherwise be unauthorized.
These tests try to imitate a real hacking situation. Formal top management approval is
required.
TYPES:
There are five types of penetration tests:

RISKS:
Does not ensure discovery of all vulnerabilities.
Miscommunication.
Disclosure of sensitive information.
Potential for damage to information assets by inexperienced testers.
FULL NETWORK ASSESSMENT REVIEWS:
After penetration testing, a full review of network vulnerabilities is done, which includes:
Security policy and procedures.
Network and firewall configuration.
Logical access controls.
Encryption.
Firewall.
Virus scanning.
Audit logging.


NETWORK CHANGES:
Controls to prevent unauthorized changes are:
Segregation of duties.
Restricting access to development environments.
Restricting source code access.
COMPUTER FORENSICS:
It is the process of identifying, preserving, analysing, and presenting audit evidence in a
manner which is legally acceptable in any legal proceedings.

ENVIRONMENTAL EXPOSURE AND CONTROLS


EXPOSURES:
Environmental exposures are due to natural events such as lightning, storms, earthquakes,
hurricanes, and extreme weather conditions. Such conditions sometimes cause many problems.
Power failure types:
a) Total power failure (blackout):
Complete loss of electric power due to weather conditions or the inability of WAPDA to supply it.
b) Severely reduced voltage (brownout):
The inability of WAPDA to provide the required voltage.
c) Sags, spikes, and surges:
A sag is a decrease in voltage; spikes and surges are increases in voltage.
d) Electromagnetic interference:
Caused by electrical storms or noisy equipment.
CONTROLS:
Alarm control panels.
Water detectors.
Handheld fire extinguishers.
Manual fire alarms.
Smoke detectors.
Fire suppression systems.
Strategic computer rooms.
Inspection.
Fireproof environment.
Electrical surge detectors.
UPS.
Emergency power switch-off.
Eating/drinking prohibition.
Documented evacuation procedures.

PHYSICAL ACCESS EXPOSURES AND CONTROLS

EXPOSURES:


CONTROLS:
Bolting door locks.
Combination door locks.
Electronic door locks.
Biometric door locks.
Manual logging.
Electronic logging.
Identification badges.
Video cameras.
Security guards.
Controlled visitor access.
Bonded personnel.
Deadman doors.
Alarm system.

AUDITING:
Touring the IPF (information processing facility: computer room, programmers' area, tape library,
printer stations, and management offices) is useful in understanding the overall installation.
Documents to assist:
Emergency evacuation procedures.
Inspection tags.
Fire suppression system test results.
Key lock logs.
Areas:
All operator consoles.
Printer rooms.
Computer storage rooms.
UPS/generator.
Communication equipment.
Tape library.
Offsite backup storage.
