
Certified Information Systems Auditor (CISA)

Module 5 - Protection of Information Assets


Slide 1

Module 5
Protection of Information Assets

Slide 2

Lesson 1: Importance of Information Security

- The most critical factor in protecting information assets and privacy is a sound foundation for effective information security management
- Security objectives to meet these business requirements include:
  - Ensure the continued availability of information systems
  - Ensure the integrity of information stored on the computer and while in transit
  - Preserve the confidentiality of sensitive data while stored and in transit
  - Conform to applicable laws, regulations and standards
  - Meet trust and obligation requirements in relation to any information relating to an identified or identifiable individual

Slide 3

Key Elements of Information Security Management

- There is no doubt that a security violation can cost a company a great deal, whether in recovery from the event or in the repair of public relations
- There is no such thing as perfect security, and no matter how much security you purchase, if it is not properly implemented and managed it will not be effective

Slide 4

Information Security Management Roles and Responsibilities

- All defined and documented roles and responsibilities must be established and communicated to all relevant personnel and management

Slide 5

Inventory and Classification of Information Assets

- Good control requires a detailed inventory of all information assets, since this is the first step in being able to classify the assets and determine how much protection they need
- The mature record of each information asset should include:
  - Identification of the asset
  - The asset's relative value
  - Location
  - Security risk classification
  - Whether it is part of an asset group
  - Owner
  - Designated custodian

Slide 6

Inventory and Classification of Information Assets Continued

- Assets have varying degrees of sensitivity and criticality in relation to the business objectives. Assigning a class or level of sensitivity is an important part of establishing security rules
- The classification system should be simple, perhaps no more than a designation of a few degrees of sensitivity and criticality
- Classification should define:
  - The owner of the information assets
  - Who has access
  - The level of access they should have
  - Who is responsible for doing the classification
  - What approvals are needed for access
  - What type of security controls should be used

Slide 7

System Access Permission

- System access permission is the prerogative to act on computer resources, that is, the right to assign and exercise access permissions. Usually this is a technical privilege
- Access to information resources should be established, managed and controlled at both the physical and the logical level
- Examples of physical access controls might be:
  - Entry into a building, suite, data center or other room
  - The use of badges, memory cards, guard keys, true walls
- Logical access controls cover transactions, data, programs and applications

Slide 8

System Access Permissions Continued

- The IT assets being secured can be grouped into four logical layers:
  - Networks
  - Platforms
  - Databases
  - Applications
- The information owner or manager should determine who is allowed to have access. This should normally take the form of a written authorization
- Logical access is implemented by security administration, which provisions the users or groups of users who have been authorized
- Access authorizations should be reviewed regularly
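The regular access review the slide calls for can be done mechanically by comparing what is provisioned with the information owner's written authorizations. The script below is an added example, not part of the CISA course material; the record layout, the resource and user names, and the review date are constructed sample data.

```python
from datetime import date

# Ordered access levels: a granted level must not exceed the approved one.
LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}

# Information owner per resource: the person whose written authorization counts.
# (Constructed sample data; resource and user names are assumptions.)
OWNERS = {"hr_db": "hr_manager", "erp_app": "finance_manager"}

# Access actually provisioned, e.g. exported from the database or platform.
PROVISIONED = [
    {"user": "alice", "resource": "hr_db", "level": "read"},
    {"user": "bob", "resource": "hr_db", "level": "write"},
    {"user": "carol", "resource": "erp_app", "level": "admin"},
    {"user": "dave", "resource": "erp_app", "level": "read"},
    {"user": "erin", "resource": "hr_db", "level": "read"},
]

# Written authorizations on file: approver, approved level and expiry.
AUTHORIZATIONS = [
    {"user": "alice", "resource": "hr_db", "level": "read",
     "approved_by": "hr_manager", "expires": date(2026, 12, 31)},
    {"user": "bob", "resource": "hr_db", "level": "read",
     "approved_by": "hr_manager", "expires": date(2026, 12, 31)},
    {"user": "carol", "resource": "erp_app", "level": "admin",
     "approved_by": "finance_manager", "expires": date(2024, 1, 31)},
    {"user": "erin", "resource": "hr_db", "level": "read",
     "approved_by": "erin", "expires": date(2026, 12, 31)},
]

REVIEW_DATE = date(2025, 6, 30)  # date the review is performed (constructed)


def review_access(provisioned, authorizations, owners, as_of):
    """Compare provisioned access with the written authorizations on file.

    Returns a list of (user, resource, finding) tuples, where finding is one of:
      missing_authorization - access exists with no written approval on file
      expired_authorization - the approval is past its expiry date
      exceeds_authorization - the granted level is higher than the approved one
      approver_not_owner    - the approval was not signed by the information owner
    """
    index = {(a["user"], a["resource"]): a for a in authorizations}
    findings = []
    for entry in provisioned:
        key = (entry["user"], entry["resource"])
        auth = index.get(key)
        if auth is None:
            findings.append(key + ("missing_authorization",))
            continue
        if auth["expires"] < as_of:
            findings.append(key + ("expired_authorization",))
        if LEVEL_RANK[entry["level"]] > LEVEL_RANK[auth["level"]]:
            findings.append(key + ("exceeds_authorization",))
        if auth["approved_by"] != owners.get(entry["resource"]):
            findings.append(key + ("approver_not_owner",))
    return findings


def run_review():
    """Run the review over the sample data as of REVIEW_DATE."""
    return review_access(PROVISIONED, AUTHORIZATIONS, OWNERS, REVIEW_DATE)


if __name__ == "__main__":
    for user, resource, finding in run_review():
        print(f"{user:6} {resource:8} {finding}")
```

Each finding maps to one of the slide's points: no written authorization, an authorization that was never renewed, more access than was approved, or an approval not given by the information owner.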

Slide 9

Mandatory and Discretionary Access Controls

- Mandatory access controls (MACs) are logical access control filters used to validate access credentials; they cannot be modified by a normal user or the data owner
- MACs are prohibitive: anything that is not expressly permitted is forbidden
- Discretionary access controls (DACs) are protections that can be modified by the data owner at their discretion. Microsoft Windows is an example of a DAC system
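The two properties on this slide, that a MAC label is outside the data owner's control and that a DAC grant is at the owner's discretion, can be shown side by side in a small model. This is an added example, not code from the CISA course material; the label names, users and file are constructed sample data, and the "no read up" comparison is the usual label rule, used here as an assumption.

```python
from dataclasses import dataclass, field

# Ordered MAC sensitivity labels, fixed by the security administrator.
# A higher index means a more sensitive label. (Constructed sample labels.)
LEVELS = ["public", "internal", "confidential", "secret"]


def level(label: str) -> int:
    return LEVELS.index(label)


@dataclass
class Subject:
    name: str
    clearance: str          # MAC label assigned by the administrator
    is_admin: bool = False  # only the security administrator may relabel


@dataclass
class Resource:
    name: str
    owner: str
    classification: str                      # MAC label of the data
    acl: dict = field(default_factory=dict)  # DAC: user -> set of permissions


class MacPolicyError(PermissionError):
    """Raised when anyone but the security administrator tries to alter a MAC label."""


def mac_read_allowed(subject: Subject, resource: Resource) -> bool:
    """MAC 'no read up': a subject may read only data at or below its clearance.
    Anything not expressly permitted by the label comparison is forbidden."""
    return level(subject.clearance) >= level(resource.classification)


def mac_relabel(actor: Subject, resource: Resource, new_label: str) -> None:
    """Only the security administrator may change a MAC label; a data owner
    or normal user cannot."""
    if not actor.is_admin:
        raise MacPolicyError(f"{actor.name} may not change MAC labels")
    if new_label not in LEVELS:
        raise ValueError(f"unknown label {new_label!r}")
    resource.classification = new_label


def dac_allowed(subject: Subject, resource: Resource, perm: str) -> bool:
    """DAC: the owner always has access; others get only what the ACL grants.
    A missing ACL entry means no access."""
    if subject.name == resource.owner:
        return True
    return perm in resource.acl.get(subject.name, set())


def dac_grant(actor: Subject, resource: Resource, grantee: str, perm: str) -> None:
    """DAC: the data owner may grant access at their own discretion."""
    if actor.name != resource.owner:
        raise PermissionError(f"{actor.name} does not own {resource.name}")
    resource.acl.setdefault(grantee, set()).add(perm)


def access_allowed(subject: Subject, resource: Resource, perm: str = "read") -> bool:
    """Combined decision: the MAC label check must pass AND the DAC ACL must
    permit the operation. A DAC grant alone cannot override a MAC denial."""
    if perm == "read" and not mac_read_allowed(subject, resource):
        return False
    return dac_allowed(subject, resource, perm)


def demo() -> dict:
    """Walk through the slide's two claims with constructed sample users and data."""
    admin = Subject("secadmin", "secret", is_admin=True)
    alice = Subject("alice", "confidential")
    bob = Subject("bob", "internal")
    payroll = Resource("payroll.xlsx", owner="alice", classification="confidential")
    results = {}
    # DAC: alice, the owner, grants bob read access at her discretion ...
    dac_grant(alice, payroll, "bob", "read")
    results["dac_grant_present"] = dac_allowed(bob, payroll, "read")
    # ... but the MAC label still forbids bob, whose clearance is too low.
    results["bob_can_read"] = access_allowed(bob, payroll)
    # bob cannot work around that by relabelling the data himself.
    try:
        mac_relabel(bob, payroll, "internal")
        results["bob_relabelled"] = True
    except MacPolicyError:
        results["bob_relabelled"] = False
    # Only the security administrator can lower the label.
    mac_relabel(admin, payroll, "internal")
    results["bob_can_read_after_admin_relabel"] = access_allowed(bob, payroll)
    # alice, as owner with sufficient clearance, can read her own file.
    results["alice_can_read"] = access_allowed(alice, payroll)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```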

Slide 10

Privacy Management Issues and the Role of IS Auditors

- Privacy is a matter of trust and obligation in relation to information relating to an individual
- Privacy should be built into policies, standards and procedures from the very beginning
- The auditor should be called in to support or review the privacy impact analysis and other privacy assessments
- Such assessments should:
  - Determine the nature of the personally identifiable information associated with the business
  - Document the collection, use, disclosure and destruction of personally identifiable information
  - Make sure there is accountability for privacy issues

Slide 11

Privacy Management Issues and the Role of the Auditors Continued

- As an auditor, you might be asked to provide assurance to the responsible managers regarding their adherence to privacy laws
- To do so the auditor should:
  - Identify and understand the legal requirements
  - Check that sensitive data is correctly managed
  - Verify that the correct security measures are adopted
  - Review management's privacy policy to determine whether it takes into consideration the requirements of the applicable privacy laws and regulations

Slide 12

Critical Success Factors to Information Security Management

- The commitment to security should be supported by a comprehensive program of formal security training. This should include management-level training, since security is not normally part of management expertise
- The auditor should also make sure that a professional, risk-based approach is used to identify sensitive and critical information resources and that there is a clear understanding of the threats and risks

Slide 13

Information Security and External Parties

- Security policies and procedures should not be weakened by the introduction of an external party into products or services
- External party arrangements to consider include:
  - Service providers, network providers, telephone services, maintenance and support
  - Managed security services
  - Customers
  - Outsourcing facilities
  - Management and business consultants
  - Developers and suppliers
  - Temporary personnel and other casual short-term appointments

Slide 14

Identification of Risks Related to External Parties

- A business process that involves external parties carries added risk. This risk should be identified and the appropriate controls implemented before access is granted
- The risks related to external party access might include:
  - The facilities the external party is allowed to access
  - The type of access an external party might have, such as physical or network connectivity
  - The value and sensitivity of the information involved and how critical it is to the business
  - The controls needed to protect information that should not be accessible
  - The personnel from the external party who are involved
  - The controls employed by the external party when working with secure information
  - Any legal and regulatory requirements or other contractual obligations that are relevant

Slide 15

Addressing Security When Dealing with Customers

- All security requirements should be considered before giving customers access to internal information or assets
- Some of the considerations are:
  - Procedures to protect the assets, including information and software, and management of known vulnerabilities
  - Methods to detect any compromise of the assets
  - A description of the product or service to be provided
  - Justification for customer access
  - Security controls to permit only the access allowed, including the authorization process
  - A statement that all other access not explicitly listed is forbidden
  - Appropriate reporting, notification and investigation of inaccuracies
  - The ability to monitor and revoke any activity

Slide 16

Addressing Security and Third-Party Agreements

- Any agreement that allows a third party access to your organization's assets should cover all relevant security requirements. It is important that there is no misunderstanding between the organizations
- Contract terms should include:
  - The information security policy
  - Controls in place to ensure asset protection
    - Including procedures to protect the assets
  - Required physical protection controls
  - Controls against malware
  - User and administrator training
  - A clear reporting structure
  - A clear change management process

Slide 17

Addressing Security and Third-Party Agreements Continued

- As added protection when working with third parties, you should also consider:
  - Using technical controls such as DRM
  - Including all identified risks and security requirements in the agreements
  - Outsourced security management should have agreements on how it will guarantee adequate security as defined by the risk assessment

Slide 18

Human Resources Security and Third Parties

- Proper information security practices should make sure that employees, contractors and third parties understand their responsibilities
- They should ensure that people are suitable for the roles they are considered for, and reduce the risk of theft, fraud or misuse of facilities
- Specifically:
  - Security responsibilities should be addressed prior to employment
  - Candidates for appointment should be adequately screened
  - There should be a signed agreement on their security roles and responsibilities, including confidentiality

Slide 19

Human Resources Security and Third Parties Continued

- Consideration should be given to the following:
  - Screening
  - Terms and conditions of employment
  - Following policies during employment
  - Termination or change of employment
  - Removal of access rights

Slide 20

Computer Crime Issues and Exposures

- In a computer crime, the computer may be:
  - The tool used to commit the crime
  - Evidence of the crime
  - The fruit of the crime
- Threats to the business could include:
  - Financial loss
  - Legal repercussions
  - Loss of credibility
  - Blackmail/industrial espionage/organized crime
  - Disclosure of confidential or embarrassing information
  - Sabotage

Slide 21

Computer Crime Issues and Exposures Continued

- The perpetrators of crimes can be categorized as:
  - Hackers or crackers
  - Script kiddies
  - Crackers
  - Employees
  - IS personnel
  - End users
  - Former employees
  - Interested or educated outsiders
  - Part-time and temporary personnel
  - Third parties
  - Accidental ignorance

Slide 22

Types of Computer Crimes

- Alteration attack
- Botnet attack
- Brute force attack
- Denial of service
- Eavesdropping
- E-mail bombing and spamming
- E-mail spoofing
- Flooding
- Malicious code
- Man in the middle

Slide 23

Types of Computer Crimes Continued

- Masquerading
- Message modification
- Network analysis
- Packet replay
- Phishing
- Piggybacking
- Race conditions
- Enumeration
- Salami
- Spam
- War driving
- War walking
- War chalking

Slide 24

Peer to Peer, Instant Messaging, Data Leakage and Web-Based Technologies

- A peer-to-peer network has no specific server for a person to connect to. Most connections are established directly between two peers for the purpose of file sharing
- Security administrators should design proper security policy control measures regarding peer-to-peer computing
- Instant messaging is a popular method to collaborate and keep in touch with others. Its risks include:
  - Eavesdropping
  - Malware
- Social networking is popular because of the ease with which connections with others can be established. Its risks include:
  - Uploads to message boards
  - Sharing of personal information
  - Cyber stalking

Slide 25

Security Incident Handling and Response

 To minimize damage from a security event and to recover and learn from
such events, a formal incident response process should be established
which includes:
 Planning and preparation
 Detection
 Recording
 Evaluation
 Containment
 Response
 Recovery
 Reporting
 Post incident review

Slide 26

Security Incident Handling and Response Continued

 Management should establish key roles and responsibilities including:
 A coordinator who acts as a liaison to business process owners
 A director to oversee the incident response
 Managers to manage each incident
 Security specialists to detect, investigate, contain and recover from incidents
 Non-security technical specialists
 Business unit leader

Slide 27

Lesson 2: Logical Access


 Logical access controls are the primary means used to manage and
protect information assets
 Logical access controls enforce and substantiate the policies and
procedures management has designed to protect those assets
 Auditors need to understand this relationship and be able to analyze
and evaluate the effectiveness of logical access controls

Slide 28

Logical Access Exposures


 Technical exposures are one type of exposure; they arise from accidental
or intentional exploitation of logical access control weaknesses and are
often unauthorized activities that interfere with normal processing
 Examples include:
 Data leakage
 Wiretapping
 Computer shut down

Slide 29

Familiarization with the Enterprise IT Environment

 To assess logical access controls effectively within their organization,
auditors first gain a technical and organizational understanding of the
environment
 The goal is to determine which areas, from a risk standpoint, warrant
audit attention, and to plan current and future work

Slide 30

Paths of Logical Access


 Access, or points of entry, can be gained by several avenues:
 Direct, as in the case of a PC or terminal connecting to a mainframe
 Through the LAN, using the common linking structure and existing trust
relationships
 Through gateways ("security doors") between the various environments, which may
require crossing low-security or open networks such as the Internet
 Through front-end systems, which are network-based and connect the organization to
the outside, untrusted network

Slide 31

General Points of Entry


 Points of entry to the front-end or back-end systems control access from
an organization's networking or telecommunication infrastructure into its
information resources
 General modes of access include:
 Network connectivity
 Remote access

Slide 32

Logical Access Control Software


 Computer systems store large quantities of sensitive information, and the
growing capability to share it from one system to another has made
resources more widely and promptly accessible
 Access controls should therefore protect an organization's information
resources at all layers of its IS architecture
 General controls might include:
 Create or change user profiles
 Assign user identification and authentication
 User logon limit rules
 Banner message
 Logging

Slide 33

Identification and Authentication


 Identification is the presentation of a claimed identity (such as a user
ID); authentication is the validation of that claim by checking the
credentials presented with it
 Common vulnerabilities used to gain unauthorized access
might include:
 Weak authentication methods
 Bypassing authentication
 Lack of confidentiality and integrity for stored authentication
information
 Lack of encryption for identification and authentication data transmitted
over the network
 Lack of user awareness of social engineering

Slide 34

Identification and Authentication Continued

 Authentication factors are categorized as:
 Something you know (e.g. a password or PIN)
 Something you have (e.g. a token or smartcard)
 Something you are (e.g. a biometric)
 Combining factors from more than one of these categories creates
stronger authentication, known as multifactor authentication (two
categories gives 2-factor authentication); two factors from the same
category, such as a password plus a PIN, do not count as 2-factor

Slide 35

Features of Passwords
 Passwords should be easy to remember but difficult for an attacker to derive
 Initial passwords may be created by security administration or generated by
the system itself, but the user must be required to change them on first login
 Account login policies (such as limits on failed login attempts) should also be used
 Passwords should be stored only as a salted, one-way hash computed with a strong
password-hashing function; the system never needs to recover the clear text
 Passwords should not be displayed in any form
 Passwords should be changed regularly and whenever compromise is suspected
(current guidance, e.g. NIST SP 800-63B, favours the latter over fixed schedules)
 Passwords should be changed by the user, not the administrator
 Users should be informed of their password's expiration

Slide 36

Identification and Authentication Best Practices

 Disable unneeded system accounts
 Unused accounts should be deactivated after a period of inactivity
 Automatic disconnection of an idle login session
 Minimum length of passwords, usually eight characters
 Complex passwords
 No "John Doe" passwords, i.e. none derived from the user's own name or
other easily guessed personal details
 Password account policies
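The password features of Slide 35 and the account practices of Slide 36 as working code. This is an added example, not code from the original slide deck or from ISACA: it checks a candidate password against a policy, stores only a salted one-way PBKDF2 hash, verifies in constant time, forces a change of the initial password, and locks the account after repeated failures. The policy values (8 characters, three character classes, 600,000 iterations, five failed attempts) and the user names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# Policy values are assumptions for this example, not figures from the slides.
MIN_LENGTH = 8               # Slide 36: minimum length, usually eight characters
MIN_CHAR_CLASSES = 3         # Slide 36: complex passwords
PBKDF2_ITERATIONS = 600_000  # deliberately slow one-way hash (OWASP figure for PBKDF2-HMAC-SHA256)
MAX_FAILED_ATTEMPTS = 5      # Slide 36: password account policies (lockout)


def check_password_policy(username: str, password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    if sum(1 for pattern in classes if re.search(pattern, password)) < MIN_CHAR_CLASSES:
        problems.append(f"needs at least {MIN_CHAR_CLASSES} of: lowercase, uppercase, digit, symbol")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")  # the 'John Doe' password of Slide 36
    return problems


def hash_password(password: str) -> str:
    """Store only a salted, one-way PBKDF2 hash; the clear-text password is never written down."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    computed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


class AccountStore:
    """Minimal in-memory account table with first-login change flag and lockout."""

    def __init__(self):
        self._accounts = {}

    def register(self, username: str, initial_password: str) -> None:
        problems = check_password_policy(username, initial_password)
        if problems:
            raise ValueError("; ".join(problems))
        self._accounts[username] = {
            "hash": hash_password(initial_password),
            "failed": 0,
            "locked": False,
            "must_change": True,  # Slide 35: initial password must be changed at first login
        }

    def login(self, username: str, password: str) -> bool:
        account = self._accounts.get(username)
        if account is None or account["locked"]:
            return False
        if verify_password(account["hash"], password):
            account["failed"] = 0
            return True
        account["failed"] += 1
        if account["failed"] >= MAX_FAILED_ATTEMPTS:
            account["locked"] = True  # an administrator must unlock the account
        return False

    def change_password(self, username: str, old: str, new: str) -> bool:
        account = self._accounts.get(username)
        if account is None or not verify_password(account["hash"], old):
            return False
        if check_password_policy(username, new) or verify_password(account["hash"], new):
            return False  # reject policy violations and reuse of the current password
        account["hash"] = hash_password(new)
        account["must_change"] = False
        return True

    def is_locked(self, username: str) -> bool:
        return self._accounts[username]["locked"]

    def must_change(self, username: str) -> bool:
        return self._accounts[username]["must_change"]
```

Note that `login` returns immediately for an unknown user name; a production service would hash a dummy value on that path as well so that response time does not reveal which user names exist.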

Slide 37

Token Devices, One-Time Passwords


 Smartcards, token generators
 Biometrics
 Palm
 Hand geometry
 Iris
 Retina
 Fingerprint
 Face
 Signature recognition
 Voice recognition

Slide 38

Management of Biometrics
 Management should address effective security for the collection,
distribution and processing of biometric data encompassing:
 Data integrity, authenticity and non-repudiation
 Management of biometric data
 Use of biometric technology
 Application of biometric technology
 Encapsulation of biometric data
 Techniques for secure transmission of biometric data
 Securing the physical hardware
 Techniques for integrity and privacy

Slide 39

Single Sign-On
 Asking users to remember a series of user names and passwords is a
burden and sometimes leads to security risk, such as reused or
written-down passwords:
 To address this, single sign-on (SSO) is defined as a process for
consolidating all of the authentication and authorization functions into
one centralized feature
 One of the challenges is managing the diverse platforms through single
sign-on

Slide 40

Single Sign-On Continued

 The advantages of SSO are:
 Multiple passwords are no longer needed
 Easier administration of user accounts
 Less administration overhead resetting passwords
 Reduces the need for users to log into multiple servers
 Disadvantages of SSO are:
 Difficult to implement across different platforms
 The costs associated with SSO development can be significant
 If the central identity is compromised, SSO becomes a single point of failure
for every information asset it protects
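The centralized feature of Slides 39 and 40 in miniature, as an added example that is not part of the original slide deck and not any vendor's SSO product: one central authenticator issues a signed, expiring token after a single login, and each relying service verifies the signature and expiry locally and then makes its own authorization decision from the roles inside. The signing key, the user, the roles and the services are assumptions; the single shared key is also the single point of failure the slide warns about, since whoever holds it can mint a session for any user on every connected system.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Hypothetical key shared by the central authenticator and every relying service.
# Constructed for this example; in practice it lives in an HSM or secret store.
SSO_SIGNING_KEY = b"example-sso-key-do-not-use-in-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles: list, ttl_seconds: int, now: float = None) -> str:
    """Central authenticator: one login produces one signed, expiring token."""
    issued = time.time() if now is None else now
    claims = {"sub": user, "roles": sorted(roles), "exp": int(issued + ttl_seconds)}
    body = _b64url(json.dumps(claims, sort_keys=True).encode("utf-8"))
    signature = _b64url(hmac.new(SSO_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{signature}"


def verify_token(token: str, now: float = None):
    """Relying service: return the claims only if signature and expiry check out, else None."""
    try:
        body, signature = token.split(".")
        expected = hmac.new(SSO_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64url(signature), expected):
            return None  # tampered body or forged signature
        claims = json.loads(_unb64url(body))
        if claims["exp"] <= (time.time() if now is None else now):
            return None  # expired session
        return claims
    except (ValueError, KeyError, TypeError, binascii.Error):
        return None  # malformed token


def service_allows(token: str, required_role: str, now: float = None) -> bool:
    """Authorization decision made locally by each application from the shared identity."""
    claims = verify_token(token, now)
    return claims is not None and required_role in claims["roles"]
```

A payroll application would call `service_allows(token, "finance")` and a help-desk application `service_allows(token, "support")` against the same token; neither ever sees the user's password, which is the administrative gain the slide describes.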

Slide 41

Authorization Issues
 Access rules specify who can access what
 Computer access can be set for various levels such as files, tables, data
items
 Access restrictions at the file level might include:
 Read, inquiry or copy only
 Write, create, update or delete only
 Execute only
 Any combination of the above

Slide 42

Access Control Lists


 Authorization to files and facilities is usually enforced through a logical
access control mechanism known as an access control list (ACL) or access
control table, which records:
 Users, which could include groups, machines and processes
 Types of access permitted
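An access control table of the kind described in Slides 41 and 42, as an added example that is not code from the original slide deck: the access types are the read, write and execute permissions of Slide 41, principals may be users, groups or machines, an explicit deny overrides any allow, and a subject that matches no entry gets nothing (default deny). The group membership, host name and the payroll ACL are constructed for the example.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Iterable, List


class Perm(Flag):
    """Access types of Slide 41: read, write, execute, or any combination."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass(frozen=True)
class AclEntry:
    principal: str          # "user:<name>", "group:<name>", "host:<name>" or "*"
    allow: Perm = Perm.NONE
    deny: Perm = Perm.NONE


# Constructed group membership (an assumption for this example).
GROUPS = {
    "finance": {"alice", "bob"},
    "admins": {"carol"},
}

# Constructed ACL for a hypothetical payroll file.
PAYROLL_ACL: List[AclEntry] = [
    AclEntry("group:finance", allow=Perm.READ),
    AclEntry("user:alice", allow=Perm.WRITE),
    AclEntry("user:bob", deny=Perm.WRITE),
    AclEntry("host:batch01", allow=Perm.READ | Perm.EXECUTE),
    AclEntry("*", deny=Perm.EXECUTE),        # nobody may execute a data file
]


def principals_for(subject: str) -> set:
    """Expand a subject ('user:alice' or 'host:batch01') into every ACL principal it matches."""
    names = {subject, "*"}
    kind, _, name = subject.partition(":")
    if kind == "user":
        names.update(f"group:{g}" for g, members in GROUPS.items() if name in members)
    return names


def effective_permissions(acl: Iterable[AclEntry], subject: str) -> Perm:
    """Union of allows minus union of denies; a subject matching no entry gets nothing."""
    names = principals_for(subject)
    allowed = denied = Perm.NONE
    for entry in acl:
        if entry.principal in names:
            allowed |= entry.allow
            denied |= entry.deny
    return allowed & ~denied  # explicit deny wins over any allow


def is_permitted(acl: Iterable[AclEntry], subject: str, wanted: Perm) -> bool:
    """True only if every requested access type is in the subject's effective permissions."""
    return (effective_permissions(acl, subject) & wanted) == wanted
```

Auditing such a table means checking exactly these three properties: that group expansion is correct, that denies take precedence, and that an unknown subject (here `user:carol`, who is an admin but has no payroll entry) is refused rather than allowed by default.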

Slide 43

Logical Access Security Administration


 Logical access security can be administered in either a centralized or a
decentralized environment
 Advantages of a decentralized environment are:
 Security administration is on-site at the distributed location
 Security issues are resolved in a timely manner
 Security controls are monitored on a more frequent basis
 The risks of decentralized responsibility are:
 The possibility that local standards might be implemented instead of the
organizational requirements
 Levels of security management might fall below what central administration
can maintain
 Lack of management checks and audits

Slide 44

Logical Access Security Administration Continued

 There are many ways to control remote and distributed sites:
 Software controls over access to the computer, data files and remote access should
be implemented
 The physical controls should be as secure as possible
 Remote access should be controlled appropriately
 Controls should exist for data transmitted from remote locations
 Replicated files should also have controls that ensure the files are current and
used correctly

Slide 45

Remote Access Security


 Remote access is more common with today's use of telecommuters,
vendors, consultants and business partners
 Remote access users can connect to the network with the same level of
functionality as if they were in their own office
 Many of these remote access connections are linked to VPNs, but this
can create holes in the security infrastructure, since encrypted traffic
is hidden from the controls at the security perimeter

Slide 46

Common Connectivity Methods


 Dial-up lines
 Network access servers
 RADIUS and TACACS
 Remote access risks include:
 Denial of service, where a legitimate user may not be able to gain access
 Malicious third parties who may try to gain access and exploit weaknesses in the
communications software
 Misconfigured communications software
 Misconfigured devices
 Poor security on host systems
 Poor physical security over the remote user's computer

Slide 47

Common Connectivity Issues Continued


 Remote access controls include:
 Policies and standards
 Proper authorizations
 Identification and authentication mechanisms
 Encryption tools and techniques
 System and network management

Slide 48

Remote Access Using PDAs


 The use of PDAs is widespread and they can be used in place of desktop and laptop PCs
 Controls should be implemented for PDAs and could include the following:
 Compliance
 Approval
 Standard PDA applications
 Due care
 Awareness training
 PDA applications
 Synchronization
 Encryption
 Virus detection
 Device registration
 Camera use

Slide 49

Access Issues with Mobile Technology


 Devices used to move data from networks and desktops to mobile
equipment may use removable media
 Employees can use such devices to misuse enterprise computing
facilities and take unauthorized copies of data or programs
 Controls that should be used might include:
 Banning all use of transportable drives
 Disabling USB storage with a login script (or an equivalent endpoint policy)
 Encrypting all data transported or saved on these devices

Slide 50

Access Rights to System Logs

• Access rights to system logs, including the security administrator's rights to perform any activity on them, should be strictly controlled
• Security managers and system administrators should have access for review purposes
• Security logs are your audit trail against data modification, and they should have the strongest protection that you can configure
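One way to make a security log tamper-evident, as an added example that is not part of the course material: each entry is sealed with an HMAC that also covers the previous entry's MAC, so any later edit, deletion or reordering is detected on review. The key, entry format and sample events are constructed for the demo.

```python
"""Tamper-evident security log built as an HMAC hash chain.

Added example for the slide above, not part of the course material. The
sealing key, the entry format and the sample events are all constructed
for the demo.
"""
import hashlib
import hmac
import json

# Constructed for the example. In practice the key is held by the security
# administrator in a restricted key store, never next to the log it protects.
LOG_KEY = b"example-log-sealing-key-not-for-production"

GENESIS = "0" * 64  # chain anchor for the first entry


def seal_entry(prev_mac, record, key=LOG_KEY):
    """Return one log entry carrying the previous MAC and its own HMAC.

    Each MAC covers the previous entry's MAC as well as the record, so
    editing, deleting or reordering any earlier line invalidates every
    later one; the key keeps an attacker from recomputing the chain.
    """
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()
    return {"prev": prev_mac, "record": record, "mac": mac}


def build_log(records, key=LOG_KEY):
    """Seal a sequence of records into a chain of entries."""
    chain, prev = [], GENESIS
    for rec in records:
        entry = seal_entry(prev, rec, key)
        chain.append(entry)
        prev = entry["mac"]
    return chain


def verify_log(chain, key=LOG_KEY):
    """Walk the chain; return (True, None) or (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i  # link broken: an entry was removed or reordered
        expected = seal_entry(prev, entry["record"], key)["mac"]
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i  # record or MAC was modified
        prev = entry["mac"]
    return True, None


# Constructed sample security events.
SAMPLE_EVENTS = [
    {"ts": "2024-01-05T08:01:10Z", "user": "jdoe", "event": "login", "result": "ok"},
    {"ts": "2024-01-05T08:02:33Z", "user": "jdoe", "event": "read", "obj": "payroll.db"},
    {"ts": "2024-01-05T08:05:47Z", "user": "admin", "event": "acl_change", "obj": "payroll.db"},
]


def demo():
    """Seal the sample events, then show that edits and deletions are detected."""
    chain = build_log(SAMPLE_EVENTS)
    ok_clean, _ = verify_log(chain)

    edited = json.loads(json.dumps(chain))      # deep copy
    edited[2]["record"]["user"] = "jdoe"        # rewrite who changed the ACL
    ok_edit, bad_edit = verify_log(edited)

    trimmed = chain[:1] + chain[2:]             # drop the read event
    ok_trim, bad_trim = verify_log(trimmed)

    return ok_clean, ok_edit, bad_edit, ok_trim, bad_trim


if __name__ == "__main__":
    print(demo())  # (True, False, 2, False, 1)
```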

Slide 51

Tools for Audit Trail Analysis

• Many types of tools are developed to reduce the amount of information contained in the audit records so that useful information can be delineated:
   - Audit reduction tools
   - Trend/variance detection tools
   - Attack signature detection tools
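The three tool classes above, run over a handful of constructed syslog-style lines, as an added example (not course material): reduction drops routine noise, trend/variance flags an unusually busy minute, and signature matching counts repeated failed logins per source and a sensitive-file read.

```python
"""Audit-trail analysis over constructed log lines.

Added example, not course material: one small function for each tool class
on the slide (audit reduction, trend/variance detection, attack-signature
detection). The syslog-style format and every sample line are constructed.
"""
from collections import Counter, defaultdict
import re
import statistics

# Constructed lines: "<timestamp> <host> <program>: <message>"
SAMPLE_LOG = """\
2024-01-05T08:00:01Z srv1 sshd: Accepted password for alice from 10.0.0.5
2024-01-05T08:00:02Z srv1 cron: (root) CMD (run-parts /etc/cron.hourly)
2024-01-05T08:00:09Z srv1 sshd: Failed password for root from 203.0.113.7
2024-01-05T08:00:10Z srv1 sshd: Failed password for root from 203.0.113.7
2024-01-05T08:00:11Z srv1 sshd: Failed password for admin from 203.0.113.7
2024-01-05T08:00:12Z srv1 sshd: Failed password for oracle from 203.0.113.7
2024-01-05T08:00:13Z srv1 sshd: Failed password for test from 203.0.113.7
2024-01-05T08:00:14Z srv1 sshd: Failed password for root from 203.0.113.7
2024-01-05T08:01:00Z srv1 cron: (root) CMD (run-parts /etc/cron.hourly)
2024-01-05T08:01:30Z srv1 sudo: bob : TTY=pts/1 ; COMMAND=/bin/cat /etc/shadow
2024-01-05T08:02:00Z srv1 cron: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?): (.*)$")


def parse(log_text):
    """Split raw lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, prog, msg = m.groups()
            events.append({"ts": ts, "host": host, "prog": prog, "msg": msg})
    return events


# 1. Audit reduction: strip known-benign routine noise so the reviewer reads less.
NOISE = [re.compile(r"^\(root\) CMD \(run-parts /etc/cron\.hourly\)$")]


def reduce_audit(events):
    return [e for e in events if not any(p.search(e["msg"]) for p in NOISE)]


# 2. Trend/variance: flag minutes whose event volume is unusually high
#    relative to the other minutes in the sample (simple z-score).
def variance_flags(events, z_threshold=1.0):
    per_minute = Counter(e["ts"][:16] for e in events)  # key 'YYYY-MM-DDTHH:MM'
    counts = list(per_minute.values())
    if len(counts) < 2:
        return []
    mean, sd = statistics.mean(counts), statistics.pstdev(counts)
    if sd == 0:
        return []
    return sorted(m for m, c in per_minute.items() if (c - mean) / sd > z_threshold)


# 3. Attack signatures: a pattern plus the count at which it becomes a hit.
#    Patterns with a second capture group are counted per source address,
#    the rest per host.
SIGNATURES = {
    "ssh_bruteforce": (re.compile(r"Failed password for (\S+) from (\S+)"), 5),
    "shadow_read": (re.compile(r"COMMAND=.*/etc/shadow"), 1),
}


def signature_hits(events):
    counts = defaultdict(int)
    hits = {}
    for e in events:
        for name, (pat, threshold) in SIGNATURES.items():
            m = pat.search(e["msg"])
            if not m:
                continue
            key = (name, m.group(2) if pat.groups >= 2 else e["host"])
            counts[key] += 1
            if counts[key] >= threshold:
                hits[key] = counts[key]
    return hits


def analyze(log_text=SAMPLE_LOG):
    """Run the three tool classes over the log and summarise the results."""
    events = parse(log_text)
    reduced = reduce_audit(events)
    return {
        "total": len(events),
        "after_reduction": len(reduced),
        "busy_minutes": variance_flags(events),
        "signatures": signature_hits(reduced),
    }


if __name__ == "__main__":
    for k, v in analyze().items():
        print(k, v)
```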

Slide 52

Use of Intrusion Detection

• Both intrusion detection and intrusion prevention systems can discover unauthorized use of computers and networks through software designed for detecting such attacks
• Once a violation has been identified:
   - The person identifying the violation reports the problem
   - The security administrator and management should work to investigate and determine the severity of the violation
   - Executive management should be notified if this is a serious attempt
   - Law enforcement is only notified at the decision of upper management
   - Consider public relations
   - Facilitate proper handling of access violations
   - Take corrective measures

Slide 53

Storing, Retrieving, Transporting and Disposing of Confidential Information

• Controlled procedures for this should cover:
   - Backup files of databases
   - Databanks
   - Media used to hold confidential information
   - Management of equipment sent off-site for maintenance
   - Any agency concerned with sensitive, critical or confidential information
   - E-token electronic keys
   - Storage records

Slide 54

Lesson 3: Network Infrastructure Security

• The following are controls over the communication network:
   - Network control functions should be performed by people with proper training and experience
   - Network control functions should be separated, and the duties rotated on a regular basis
   - Network control functions should restrict operators from certain functions
   - Network control software should maintain an audit trail
   - The audit trail should be reviewed periodically
   - Network access by system engineers should be monitored
   - Data encryption should be used where appropriate

Slide 55

LAN Security

• Risks associated with the use of LANs include:
   - Loss of data and program integrity through unauthorized changes
   - Exposure to external activity
   - Malware
   - Improper security, not following the need-to-know best practice
   - Illegal access through impersonation
   - Network sniffing
   - User spoofing

Slide 56

LAN Security Continued

• The auditor should gain a full understanding of the following:
   - LAN topology and network design
   - LAN administrator/LAN owner
   - Functions performed by the LAN administrator
   - Distinct groups of LAN users
   - Computer applications used on the LAN

Slide 57

Virtualization

• Virtualization gives the enterprise a chance to increase efficiency and decrease the cost of IT operations. Virtualization also introduces new risks
• At a high level, virtualization allows multiple operating systems to exist on the same server in isolation from each other
• The host then presents a single point of failure; to address these risks you should include the following:
   - Strong physical and logical access controls, especially over the host and the management console
   - Configuration management practices and system hardening for the host
   - Network segregation, including the avoidance of virtual machines in the DMZ
   - Strong change management practices

Slide 58

Client/Server Security

• An auditor should check for the following controls being in place:
   - Securing access to the data or application by disabling removable drives
   - Securing the automatic boot or stop files
   - Network monitoring devices to inspect activity
   - Data encryption techniques
   - Authentication systems
   - The use of application-level access control programs

Slide 59

Client/Server Security Continued

• The areas of risk and concern are:
   - Access controls may be weak, such as poor password change controls
   - Change control and change management procedures may be weak
   - Loss of network availability may have a serious impact
   - Obsolescence of the network components
   - Remote access connections may be weak

Slide 60

Wireless Security Threats and Risk Mitigation

• The classification of security threats may be divided into nine categories:
   - Errors and omissions
   - Fraud and theft by authorized or unauthorized users
   - Employee sabotage
   - Loss of physical and infrastructure support
   - Hackers
   - Industrial espionage
   - Malicious code
   - Foreign government espionage
   - Threats to personal privacy

Slide 61

Wireless Security Threats and Risk Mitigation Continued

• Ensuring CIA is the prime objective; the security requirements should also include:
   - Authenticity
   - Non-repudiation
   - Accountability
   - Network availability

Slide 62

Internet Threats and Security

• The nature of the Internet makes it vulnerable to attack. Estimates claim that there are over 300 million computers on the Internet, which I believe is a low number.
• The Internet Protocol, designed decades ago, was designed only for addressing and routing and really had no concept of security

Slide 63

Network Security Threats

• Passive attacks
   - Reconnaissance attacks
• Active attacks
   - Brute force
   - Packet replay
   - Phishing
   - Message modification
   - Denial of service
   - E-mail bombing, spamming and spoofing
• Internet attacks are more pervasive because of the availability of tools and techniques on the Internet or in commercial software
   - Also the lack of security awareness training among employees
   - Expectation of security vulnerabilities
   - Inadequate security on firewalls and operating systems

Slide 64

Internet Security Control Audits

• The auditor should investigate the following controls:
   - Risk assessments being performed periodically
   - Security awareness and training for employees
   - Firewall standards and security
   - IDS and security
   - Remote access
   - Incident handling and response
   - Configuration management
   - Encryption techniques

Slide 65

Firewall Security Systems

• Companies should build firewalls as a means of perimeter security, but remember that firewalls are actually quite easy to pass through
• Internal attacks do not transit a perimeter firewall
• The general features of a firewall would be:
   - Blocking access to particular sites
   - Limiting traffic on public service segments
   - Preventing certain users from accessing certain servers
   - Monitoring of communications
   - Encryption of packets
• Firewall types are:
   - Packet filters
   - Stateful inspection
   - Application-based firewalls

Slide 66

Common Attacks Against a Firewall

• IP spoofing
• Source routing specification
• Miniature fragment attack
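The packet-filter checks that defend against the three attacks listed above, as an added example (not course code): ingress/egress address filtering against spoofing, rejection of source-routing options, and a minimum size for first fragments so the transport header cannot be hidden or overwritten. Interface names, the 10.0.0.0/8 internal address plan and the sample packets are constructed for the demo.

```python
"""Stateless packet-filter checks for the three attacks named on the slide.

Added example, not course code. The packet fields, the interface names and
the address plan (10.0.0.0/8 as the internal network) are constructed for
the demo; a real filter reads these values from the IP header.
"""
from dataclasses import dataclass, field
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed address plan
# Constructed policy value: a first fragment must carry at least a full
# 20-byte TCP header so the filter can see ports and flags.
MIN_FIRST_FRAGMENT = 20


@dataclass
class Packet:
    iface: str                     # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    frag_offset: int = 0           # in 8-byte units, as carried in the IP header
    more_fragments: bool = False
    payload_len: int = 0           # bytes of IP payload in this fragment
    ip_options: tuple = field(default_factory=tuple)  # e.g. ("LSRR",)


def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)


def check_spoofing(pkt):
    """Ingress/egress filtering: the source address must fit the interface."""
    if pkt.iface == "ext" and is_internal(pkt.src):
        return "drop: internal source address arriving on external interface"
    if pkt.iface == "int" and not is_internal(pkt.src):
        return "drop: non-internal source address leaving internal interface"
    return None


def check_source_routing(pkt):
    """Source-routed packets dictate their own path and bypass routing policy."""
    if any(opt in ("LSRR", "SSRR") for opt in pkt.ip_options):
        return "drop: source-routing option present"
    return None


def check_tiny_fragment(pkt):
    """A first fragment too short to hold the transport header hides the port
    from a stateless filter; a later fragment at a small offset could overwrite it."""
    if pkt.frag_offset == 0 and pkt.more_fragments and pkt.payload_len < MIN_FIRST_FRAGMENT:
        return "drop: tiny first fragment"
    if 0 < pkt.frag_offset * 8 < MIN_FIRST_FRAGMENT:
        return "drop: fragment overlaps transport header"
    return None


CHECKS = (check_spoofing, check_source_routing, check_tiny_fragment)


def filter_packet(pkt):
    """Return the first failing check's verdict, or "accept"."""
    for check in CHECKS:
        verdict = check(pkt)
        if verdict:
            return verdict
    return "accept"


# Constructed sample traffic arriving on the external interface.
SAMPLE_PACKETS = {
    "spoofed": Packet("ext", "10.1.2.3", "10.0.0.10"),
    "source_routed": Packet("ext", "198.51.100.9", "10.0.0.10", ip_options=("LSRR",)),
    "tiny_fragment": Packet("ext", "198.51.100.9", "10.0.0.10",
                            more_fragments=True, payload_len=8),
    "overlap_fragment": Packet("ext", "198.51.100.9", "10.0.0.10", frag_offset=1),
    "normal": Packet("ext", "198.51.100.9", "10.0.0.10", payload_len=512),
}


def demo():
    """Apply the filter to each sample packet and return the verdicts by name."""
    return {name: filter_packet(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} {verdict}")
```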

Slide 67

Examples of Firewall Implementation

• Screened host firewall
• Dual-homed firewall
• DMZ
• Problems faced by firewalls include:
   - A false sense of security
   - Circumventing firewalls through other connections
   - Poorly configured firewalls
   - Misunderstanding what a firewall is
   - Firewall policies
   - Firewalls only operate at layer 3/4

Slide 68

Intrusion Detection

• IDS can be performed at the network or host level
• Components of an IDS are:
   - Sensors to collect data
   - Analyzers to review the received input
   - Administration console
   - User interface
• Types of IDS include:
   - Signature-based
   - Statistical-based
   - Neural networks
• IPS
• Honeypots and honeynets

Slide 69

Encryption

• Encryption is the process of converting plaintext into ciphertext
• Encryption is generally used to:
   - Protect data in transit
   - Protect data at rest
   - Deter and detect accidental or intentional alterations
   - Verify authenticity
• Elements of encryption:
   - Algorithm
   - Keys
   - Key length

Slide 70

Encryption Continued

• Symmetric key encryption:
   - DES
   - 3DES
   - AES
• Asymmetric encryption:
   - PKI
   - RSA
   - Diffie-Hellman
   - ECC
• Quantum cryptography
• Digital signatures
• Digital envelope
• Components of PKI:
   - Certificates, CA, RA, CRL

Slide 71

Uses of Encryption

• Secure Sockets Layer (SSL)
• Secure HTTP (S-HTTP)
• IPsec
• Secure MIME (S/MIME)
• SET
• Security risks for encryption:
   - Short keys
   - Randomness of keys
   - Passwords tied to keys

Slide 72

Viruses

• This is a generic term that is applied to all sorts of malware. The general distinction between viruses and worms is that a virus needs a host to spread, whereas a worm can spread on its own
• Management procedural controls:
   - Build a system from original, clean master copies
   - Allow no alternate media
   - Update antivirus software
   - Write-protect disks
   - Enforce rules against shareware and peer-to-peer networks
   - Scan all software before installation
   - Update infrastructure
   - Educate users

Slide 73

Technical Controls Against Viruses

• Technical methods to prevent a virus include:
   - Use boot virus protection
   - Use remote booting
   - Hardware-based passwords
   - Write-protect tabs on disks
   - Block insecure protocols

Slide 74

AV Software

• The components of AV software are:
   - Scanners
      - Signatures and heuristics
   - Active monitors
   - Integrity checkers
   - Behavior blockers
   - Immunizers
• Strategies for working with antivirus software:
   - Scheduled scans
   - Manual/on-demand scans
   - Continuous scanning

Slide 75

Voice Over IP

• There are many advantages to voice over IP, such as flexibility, scalability and lower costs
• Voice over IP security issues:
   - Voice packets are sent over the network to a receiver on the same IP network as the data traffic, and they can be intercepted
   - They are also subject to denial of service and network outage issues
   - Consider securing these with a private VLAN

Slide 76

Private Branch Exchange

• The PBX is designed for digital phone networks that are separate from your data networks. These are widespread throughout industry because they have been around longer than voice over IP
• PBX risks include:
   - Theft of service
   - Disclosure of information
   - Data modification
   - Unauthorized access
   - Denial of service
   - Traffic analysis
   - External access/control

Slide 77

Lesson 4: Auditing Information Security Management Framework


 Auditing an organization's information security management framework
involves reviewing the framework itself, auditing logical access, using
techniques for testing security, and using investigation techniques

Slide 78

Auditing Information Security Management Framework


 Reviewing written policies, procedures and standards
 Logical access policies
 Formal security awareness training
 Data ownership
 Data owners
 Data custodians
 Security administrator
 New IT users
 Data users
 Documented authorizations
 Terminated employee access
 Security baselines
 Access standards
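Several of the review items above (data ownership, documented authorizations, terminated employee access) can be tested with a simple reconciliation of the access control system's account export against HR records and the authorization register. The script below is an added illustrative example, not part of the CISA course material: the roster, the account export and the authorization register are constructed sample data, and their field names are assumptions made for the example.

```python
"""Audit test for logical access: reconcile active accounts with HR records
and documented authorizations.

Added illustrative example, not part of the CISA course material. The HR
roster, the account export and the authorization register are constructed
sample data; their field names are assumptions for the example.
"""
from datetime import date

# Constructed sample: HR roster keyed by employee id
HR_ROSTER = {
    "E100": {"name": "Alice", "status": "active", "terminated": None},
    "E101": {"name": "Bob", "status": "terminated", "terminated": date(2024, 1, 15)},
    "E102": {"name": "Carol", "status": "active", "terminated": None},
}

# Constructed sample: account export from the access control system
ACCOUNTS = [
    {"user": "alice", "employee_id": "E100", "enabled": True, "last_login": date(2024, 3, 1)},
    {"user": "bob", "employee_id": "E101", "enabled": True, "last_login": date(2024, 2, 2)},
    {"user": "carol", "employee_id": "E102", "enabled": True, "last_login": date(2024, 3, 3)},
    {"user": "svc_backup", "employee_id": None, "enabled": True, "last_login": date(2024, 3, 3)},
    {"user": "dave", "employee_id": "E999", "enabled": True, "last_login": date(2024, 3, 4)},
]

# Constructed sample: documented access authorizations (user -> approving data owner)
AUTHORIZATIONS = {"alice": "mgr1", "bob": "mgr1", "carol": "mgr2", "svc_backup": "ops-lead"}


def find_exceptions(roster, accounts, authorizations):
    """Return (user, finding) pairs for every account that fails an audit test."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        emp = roster.get(acct["employee_id"]) if acct["employee_id"] else None

        # Test 1: terminated employees must not keep enabled accounts, and any
        # login after the termination date is a separate, more serious finding
        if emp and emp["status"] == "terminated" and acct["enabled"]:
            findings.append((user, "enabled account for terminated employee"))
            if acct["last_login"] and emp["terminated"] and acct["last_login"] > emp["terminated"]:
                findings.append((user, "login after termination date"))

        # Test 2: an account that claims an employee id must match a real person in HR
        if acct["employee_id"] and emp is None:
            findings.append((user, "employee id not found in HR roster"))

        # Test 3: every account, service accounts included, needs a documented authorization
        if user not in authorizations:
            findings.append((user, "no documented authorization"))
    return findings


if __name__ == "__main__":
    for user, finding in find_exceptions(HR_ROSTER, ACCOUNTS, AUTHORIZATIONS):
        print(f"{user}: {finding}")
```

Run against the sample data, the test reports Bob (terminated, still enabled, and logged in after his termination date) and Dave (an employee id HR does not know, with no authorization on file); the three correctly documented accounts produce no findings. In a real engagement the same three tests are run over the full export, and each exception is traced back to the data owner who should have approved or revoked the access.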

Slide 79

Auditing Logical Access


 When evaluating logical access controls the auditor should:
 Obtain a general understanding of the security risks facing information processing by
reviewing relevant documentation and by using inquiry, observation, risk assessment and
evaluation techniques
 Document and evaluate controls over access paths
 Test controls over access paths
 Evaluate the access control environment to determine whether the control objectives
are being met
 Evaluate the security environment to assess its adequacy by reviewing written policies,
observing practices and procedures, and comparing them with the appropriate
standards and SOPs

Slide 80

Techniques for Testing Security


 Auditors can use different techniques for testing security; some of the
areas to test are:
 Terminal cards and keys
 Terminal identification
 Login IDs and passwords
 Controls over production resources
 Logging and reporting of computer access violations
 Follow-up of access violations
 Bypassing of security and the compensating controls in place
 Review of access controls and password administration

Slide 81

Lesson 5: Auditing Network Infrastructure Security


 When performing an audit of the network infrastructure the auditor
should:
 Review network diagrams to understand the full connectivity between all network components
 Identify the network design implemented, as well as the IP numbering strategy and
segmentation
 Determine the applicable security policies, standards, procedures and guidance on network
management
 Identify who is responsible for the security and operation of Internet connectivity, and
determine whether they have sufficient knowledge for such activities
 Determine whether consideration has been given to the legal issues arising from use of the
Internet
 Review all SLAs, if any
 Review the network administrator's procedures to ensure that hardware and software are
kept updated against new vulnerabilities

Slide 82

Auditing Remote Access


 Allowing remote access can dramatically improve business
productivity but also generates new control issues and security
concerns
 The auditor should test remote access connections
 The auditor should determine whether the remote access procedures are based on cost-
effective, risk-based solutions
 The auditor should review e-mail, if it is allowed outside the local area network
 The auditor should review the organization's other uses of the Internet:
 Marketing (web pages)
 Sales channel/electronic commerce
 Channel of delivery for goods and services

Slide 83

Network Penetration Test


 Many of the procedures an attacker uses can also be used by the auditor
to validate the security of a network. This is usually called a penetration
test or ethical hacking
 The following should be defined in the scope of the audit:
 IP address ranges to be tested
 Host restrictions
 Acceptable testing techniques
 Acceptance of the proposed methodology
 Timing of the attack
 Determination of the source address to attack from
 Point of contact
 Warning notification from the auditor before the simulation begins

Slide 84

Types of Penetration Tests


 External testing
 Internal testing
 Blind testing
 Double-blind testing
 Targeted testing
 Risks of a penetration test:
 There is no assurance that all vulnerabilities are discovered
 Miscommunication may result in the test objectives not being achieved
 Testing may trigger the organization's escalation procedures
 Sensitive information may be disclosed
 The tester may damage crucial systems

Slide 85

Full Network Assessment Reviews


 After the penetration test, a comprehensive review of all network system
vulnerabilities should occur to determine the threats to confidentiality,
integrity and availability (CIA).
 The review should include:
 Security policies and procedures
 The network and firewall configuration, evaluated for proper design
 Logical access controls
 The following controls should be examined:
 IDS
 Filtering
 Encryption
 Strong authentication
 AV scanners
 Audit logging

Slide 86

Development and Authorization of Network Changes


 Network configuration changes to update telecommunications lines,
terminals, modems and other network devices should be authorized in
writing by management and implemented in a timely manner.
 The auditor can test change control by:
 Sampling recent change requests and looking for appropriate authorization
 Matching the network changes actually made to the change requests that authorized them
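The second test, matching actual changes to authorized requests, is mechanical enough to script once the device logs and the change tickets are exported. The example below is added here as an illustration and is not part of the CISA course material: the approved change requests and the syslog-style "configured from ... by ..." records are constructed sample data, and the ticket fields and log format are assumptions made for the example.

```python
"""Change-control test: match device configuration changes to approved change requests.

Added illustrative example, not part of the CISA course material. The change
requests and the log lines are constructed sample data; the ticket fields and
the log line format are assumptions for the example.
"""
import re
from datetime import datetime

# Constructed sample: approved change requests with device, approver and change window
CHANGE_REQUESTS = [
    {"id": "CR-101", "device": "core-rtr-1", "approver": "netmgr",
     "start": datetime(2024, 3, 10, 22, 0), "end": datetime(2024, 3, 10, 23, 59)},
    {"id": "CR-102", "device": "edge-fw-1", "approver": "secmgr",
     "start": datetime(2024, 3, 11, 1, 0), "end": datetime(2024, 3, 11, 3, 0)},
]

# Constructed sample: configuration-change records collected from the devices
CONFIG_LOG = """\
2024-03-10T22:15:00 core-rtr-1 CONFIG_I: Configured from console by jsmith
2024-03-11T02:10:00 edge-fw-1 CONFIG_I: Configured from vty0 by secmgr
2024-03-11T14:05:00 edge-fw-1 CONFIG_I: Configured from vty1 by jdoe
2024-03-12T09:00:00 dist-sw-2 CONFIG_I: Configured from console by jsmith
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) CONFIG_I: Configured from \S+ by (?P<user>\S+)$")


def parse_log(text):
    """Turn the raw log into a list of {time, device, user} change events."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a configuration-change record
        events.append({"time": datetime.fromisoformat(m["ts"]), "device": m["device"], "user": m["user"]})
    return events


def match_changes(events, requests):
    """Pair each change event with the request that authorizes it.

    Returns (event, request_id or None, note). A change is authorized only if an
    approved request names the same device and the change falls inside its window.
    """
    results = []
    for ev in events:
        matched, note = None, "no approved change request covers this change"
        for cr in requests:
            if cr["device"] == ev["device"] and cr["start"] <= ev["time"] <= cr["end"]:
                matched, note = cr["id"], "authorized"
                # Segregation of duties: the approver should not also implement the change
                if cr["approver"] == ev["user"]:
                    note = "authorized, but approver implemented the change (segregation of duties)"
                break
        results.append((ev, matched, note))
    return results


def unauthorized(events, requests):
    """Only the changes with no matching request; these are the audit exceptions."""
    return [r for r in match_changes(events, requests) if r[1] is None]


if __name__ == "__main__":
    for ev, cr_id, note in match_changes(parse_log(CONFIG_LOG), CHANGE_REQUESTS):
        print(ev["time"], ev["device"], ev["user"], cr_id, note)
```

With the sample data, the change on core-rtr-1 is covered by CR-101, the early-morning change on edge-fw-1 is covered by CR-102 but was made by the person who approved it, and the afternoon change on edge-fw-1 and the change on dist-sw-2 have no request at all. The last two are the unauthorized changes the auditor follows up; the segregation-of-duties case is a weaker finding about the approval process itself.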

Slide 87

Unauthorized Changes
 One of the most important objectives of change control is to prevent or
detect unauthorized changes to software, configuration parameters
and data
 Controls to prevent unauthorized changes may include:
 Segregation of duties between software development, software administration and
computer operations
 Restricting the software development team's access to the development environment
only, with no direct access to production
 Restricting access to source code

Slide 88

Computer Forensics
 This is defined as a process of identifying, preserving, analyzing and
presenting digital evidence in a manner that is legally acceptable in any
legal proceeding
 Forensics includes the activities involved in the exploration and application
of methods to gather, process, interpret and use digital evidence to
substantiate whether an incident did or did not occur:
 Providing evidence that an attack occurred
 Gathering digital evidence that can be used in the trial proceedings
 Tracking evidence
 Working with evidence
 Providing analysis

Slide 89

Chain of Evidence
 Evidence must be documented, and its integrity preserved, at every stage of
its life (the chain of custody):
 Identification
 Preservation
 Analysis
 Presentation
 The key forensic activities are:
 Data protection
 Data acquisition
 Imaging
 Extraction
 Interrogation
 Investigation
 Reporting
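The preservation and imaging steps above rest on one mechanism: hash the original before acquisition, hash the image after, and record who did what and when. The script below is an added illustrative example and not part of the CISA course material; the "media" is a constructed byte string standing in for a disk, and the evidence identifier, examiner name and log fields are assumptions made for the example.

```python
"""Evidence acquisition with integrity verification and a chain-of-custody log.

Added illustrative example, not part of the CISA course material. The source
media is a constructed byte string; the evidence identifier, the examiner name
and the log fields are assumptions for the example.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> bytes:
    """Simulate a bit-for-bit acquisition. A real acquisition reads the original
    through a hardware write blocker so the source media cannot be altered."""
    return bytes(source)


def verify_image(expected_sha256: str, image: bytes) -> bool:
    """The image is only usable as evidence if its hash matches the hash taken
    of the original before imaging."""
    return sha256_hex(image) == expected_sha256


class CustodyLog:
    """Append-only record of who handled which evidence item, when, and its hash."""

    def __init__(self):
        self.entries = []

    def record(self, action: str, item_id: str, handler: str, digest: str) -> dict:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "item": item_id,
            "handler": handler,
            "sha256": digest,
        }
        self.entries.append(entry)
        return entry

    def hashes_consistent(self) -> bool:
        """Every entry for an item must carry the same hash; a change means
        the evidence was altered or a copy is bad."""
        seen = {}
        for e in self.entries:
            if seen.setdefault(e["item"], e["sha256"]) != e["sha256"]:
                return False
        return True


def process_evidence(source: bytes, item_id: str, examiner: str):
    """Identify, preserve (image + hash) and verify one item, logging each step."""
    log = CustodyLog()
    original_hash = sha256_hex(source)
    log.record("identified and hashed original", item_id, examiner, original_hash)

    image = acquire_image(source)
    image_hash = sha256_hex(image)
    log.record("acquired forensic image", item_id, examiner, image_hash)

    verified = verify_image(original_hash, image)
    log.record("verified image against original" if verified else "VERIFICATION FAILED",
               item_id, examiner, image_hash)
    return image, log, verified


if __name__ == "__main__":
    # Constructed sample "media": a small byte string standing in for a disk
    media = b"MBR\x00" + b"user data " * 100 + b"\xff" * 16
    img, custody, ok = process_evidence(media, "EV-2024-001", "examiner-1")
    print("verified:", ok, "| custody entries:", len(custody.entries),
          "| hashes consistent:", custody.hashes_consistent())
```

Analysis is performed on the image, never on the original, and every later hand-off appends another entry with the same hash. If a single bit of the image changes, verify_image fails and hashes_consistent reports the break, which is exactly the gap an opposing party will look for when the evidence is presented.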

Slide 90

Lesson 6: Environmental Exposures and Controls


 Environmental controls include the following:
 Alarm control panels
 Water detectors
 Handheld fire extinguishers
 Manual fire alarms
 Smoke detectors
 Fire suppression systems:
 Water-based systems
 Dry pipe
 Halon/FM-200/Argonite/CO2
 Strategic location of the computer room
 Fire inspection
 Electrical surge protectors
 UPS
 Emergency power-off switch

Slide 91

Lesson 7: Physical Access Exposures and Controls


 Physical exposures could result in financial loss, legal repercussions, loss
of credibility or loss of competitive edge. These usually originate from
natural and man-made hazards

Slide 92

Physical Access Exposures


 Exposures that exist from accidental or intentional violation could
include:
 Unauthorized entry
 Damage, vandalism or theft of equipment
 Copying or viewing sensitive information
 Altering sensitive information
 Public disclosure of sensitive information
 Abuse of data processing resources
 Blackmail
 Embezzlement

 Consider the possible perpetrators

Slide 93

Physical Access Controls


 Bolting door locks
 Combination door locks
 Electronic door locks
 Biometric door locks
 Manual logging
 Electronic logging
 Identification badge
 CCTV
 Security guards
 Deadman doors
 Don’t advertise location
 Computer locks
 Controlled single entry
 Alarms
 Windows

Slide 94

Auditing Physical Access


 Testing should extend beyond the computer room to include:
 Location of operator consoles
 Printer rooms
 Computer storage rooms
 UPS
 Location of communications equipment
 Tape library
 Off-site backup facility
 Physical entry should be evaluated for:
 Entry doors
 Windows and walls
 Movable walls
 Ceiling types
 Ventilation systems

Slide 95

Lesson 8: Mobile Computing


 In today's mobile environment, it is not unusual for sensitive data to be
on PCs, diskettes or laptops. It is difficult to implement physical
security on mobile devices.
 The following controls can reduce the risk of disclosure:
 Engrave or brand the serial number on property
 Use cable locks
 Back up critical or sensitive data
 Encrypt data
 Password-protect individual files
 Create a theft response team

Review Questions:

1. After identifying potential security vulnerabilities, what should be the IS auditor's next step?
A. To evaluate potential countermeasures and compensatory controls
B. To implement effective countermeasures and compensatory controls
C. To perform a business impact analysis of the threats that would exploit the
vulnerabilities
D. To immediately advise senior management of the findings

2. Which of the following is the BEST method for preventing the leakage of confidential
information from a laptop computer?
A. Encrypt the hard disk with the owner's public key
B. Enable the boot password (hardware-based password)
C. Use a biometric authentication device
D. Use two-factor authentication to logon to the notebook

3. The MOST important difference between hashing and encryption is that hashing:
A. Is irreversible
B. Output is the same length as the original message
C. Is concerned with integrity and security
D. Is the same at the sending and receiving end

4. Which of the following cryptography options would increase overhead/cost?
A. Use of symmetric encryption keys instead of asymmetric
B. Use of long asymmetric encryption keys
C. Encrypting the hash rather than the message
D. Use of a secret key

5. Which of the following would be of the MOST concern to an IS auditor reviewing a virtual
private network (VPN) implementation? Computers on the network are located:
A. On the enterprise internal network
B. At the backup site
C. In employees' homes
D. At the enterprise's remote offices

6. The PRIMARY reason for using digital signatures is to ensure data:
A. Confidentiality
B. Integrity
C. Availability
D. Timeliness

7. Which of the following is an example of a passive attack initiated through the Internet?
A. Traffic analysis
B. Masquerading
C. Denial of service
D. E-mail spoofing

8. What method might an IS auditor utilize to test wireless security at branch office locations?
A. War dialing
B. Social engineering
C. War driving
D. Password cracking

9. Which of the following physical access controls effectively reduces the risk of piggybacking?
A. Biometric door locks
B. Combination door locks
C. Deadman doors
D. Bolting door locks

10. The MOST effective biometric control system is the one:
A. Which has the highest equal-error rate (EER)
B. Which has the lowest EER
C. For which the false-rejection rate (FRR) is equal to the false-acceptance rate (FAR)
D. For which the FRR is equal to the failure-to-enroll rate (FER)

Answer Key:

1. C
After identifying potential security vulnerabilities, the IS auditor's next step is to perform a
business impact analysis of the threats that would exploit the vulnerabilities.

2. A
Only encryption of the data with a secure key will prevent the loss of confidential
information. In such a case, confidential information can be accessed only with knowledge
of the owner's private key, which should never be shared.

3. A
Hashing works one way; by applying a hashing algorithm to a message, a message
hash/digest is created. If the same hashing algorithm is applied to the message digest, it will
not result in the original message. As such, hashing is irreversible, while encryption is
reversible. This is the basic difference between hashing and encryption.

4. B
Computer processing time is increased for longer asymmetric encryption keys, and the
increase may be disproportionate. For example, a benchmark showed that doubling the
length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly
six-fold. An asymmetric algorithm requires more processing time than symmetric
algorithms. A hash is shorter than the original message; therefore, a smaller overhead is
required if the hash is encrypted rather than the message. Use of a secret key, as a
symmetric encryption key, is generally small and used for the purpose of encrypting user
data.

5. C
One risk of a virtual private network (VPN) implementation is the chance of allowing high-
risk computers onto the enterprise's network. All machines that are allowed onto the virtual
network should be subject to the same security policy. Home computers are least subject to
the corporate security policies, and therefore are high-risk computers. Once a computer is
hacked and 'owned', any network that trusts that computer is at risk. Implementation and
adherence to corporate security policy is easier when all computers on the network are on
the enterprise's campus. On an enterprise internal network, there should be security
policies in place to detect and halt an outside attack that uses an internal machine as a
staging platform. Computers at the backup site are subject to the corporate security policy,
and therefore are not high-risk computers. Computers on the network that are at the
enterprise remote offices, perhaps with different IS and security employees who have
different ideas about security, are more risky than choices A and B, but obviously less risky
than home computers.

6. B
Digital signatures provide integrity because the digital signature of a signed message (file,
mail, document, etc.) changes every time a single bit of the document changes; thus, a
signed document cannot be altered. Depending on the mechanism chosen to implement a
digital signature, the mechanism might be able to ensure data confidentiality or even
timeliness, but this is not assured. Availability is not related to digital signatures.

7. A
Internet security threats/vulnerabilities are divided into passive and active attacks. Examples
of passive attacks include network analysis, eavesdropping and traffic analysis. Active
attacks include brute force attacks, masquerading, packet replay, message modification,
unauthorized access through the Internet or web-based services, denial-of-service attacks,
dial-in penetration attacks, e-mail bombing and spamming, and e-mail spoofing.

8. C
War driving is a technique for locating and gaining access to wireless networks by driving or
walking with a wireless equipped computer around a building. War dialing is a technique for
gaining access to a computer or a network through the dialing of defined blocks of
telephone numbers, with the hope of getting an answer from a modem. Social engineering
is a technique used to gather information that can assist an attacker in gaining logical or
physical access to data or resources. Social engineering exploits human weaknesses.
Password crackers are tools used to guess users' passwords by trying combinations and
dictionary words.

9. C
Deadman doors use a pair of doors. For the second door to operate, the first entry door
must close and lock with only one person permitted in the holding area. This effectively
reduces the risk of piggybacking. An individual's unique body features such as voice, retina,
fingerprint or signature activate biometric door locks; however, they do not prevent or
reduce the risk of piggybacking. Combination door locks, also known as cipher locks, use a
numeric key pad or dial to gain entry. They do not prevent or reduce the risk of piggybacking
since unauthorized individuals may still gain access to the processing center. Bolting door
locks require the traditional metal key to gain entry. Unauthorized individuals could still gain
access to the processing center along with an authorized individual.

10. B
The equal-error rate (EER) of a biometric system denotes the percent at which the false
acceptance rate (FAR) is equal to the false-rejection rate (FRR). The biometric that has the
lowest EER is the most effective. The biometric that has the highest EER is the most
ineffective. For any biometric, there will be a measure at which the FRR will be equal to the
FAR. This is the EER. FER is an aggregate measure of FRR.
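The EER in the answer above is read off the point where the FAR and FRR curves cross as the decision threshold is tightened. The function below is an added illustrative example, not part of the CISA course material: it estimates the EER from sampled FAR/FRR values by linear interpolation at the crossing and ranks systems by it. The two readers and their error rates at five thresholds are constructed sample data; real values come from the vendor's or your own enrollment trials.

```python
"""Equal-error rate (EER) from sampled FAR/FRR curves, used to compare biometric systems.

Added illustrative example, not part of the CISA course material. The two
readers and their FAR/FRR values per threshold are constructed sample data.
"""


def equal_error_rate(far, frr):
    """Estimate the EER by linear interpolation where the (falling) FAR curve
    crosses the (rising) FRR curve.

    far, frr: error rates sampled at the same sequence of thresholds, ordered
    so that FAR decreases and FRR increases as the threshold tightens.
    """
    if len(far) != len(frr) or len(far) < 2:
        raise ValueError("need the same number (>= 2) of FAR and FRR samples")
    diff = [a - r for a, r in zip(far, frr)]
    for i in range(len(diff) - 1):
        if diff[i] >= 0 and diff[i + 1] < 0:
            # crossing lies between samples i and i+1; interpolate along the FAR curve
            t = diff[i] / (diff[i] - diff[i + 1])
            return far[i] + t * (far[i + 1] - far[i])
    if diff[-1] == 0:
        return far[-1]  # exact crossing at the last sampled threshold
    raise ValueError("FAR and FRR do not cross within the sampled thresholds")


def rank_by_eer(systems):
    """systems: {name: (far_list, frr_list)} -> [(name, eer), ...], lowest EER first."""
    return sorted(((name, equal_error_rate(f, r)) for name, (f, r) in systems.items()),
                  key=lambda pair: pair[1])


# Constructed sample data: two hypothetical readers measured at five thresholds
SYSTEMS = {
    "reader-A": ([0.20, 0.10, 0.05, 0.02, 0.01], [0.01, 0.03, 0.05, 0.08, 0.12]),
    "reader-B": ([0.30, 0.15, 0.08, 0.04, 0.02], [0.02, 0.04, 0.06, 0.10, 0.15]),
}

if __name__ == "__main__":
    for name, eer in rank_by_eer(SYSTEMS):
        print(f"{name}: EER = {eer:.3f}")
```

Reader A's curves cross exactly at a sampled threshold (FAR = FRR = 5%), while reader B's cross between two samples and interpolate to 7%, so A is the more effective system in the sense the question uses. Note that the EER is a single summary figure: an operator who must keep impostors out will still pick an operating threshold to the FAR side of the crossing and accept more false rejections.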
