Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.
Minimize the business impact of operational information security vulnerabilities and incidents.
Viruses, worms, spyware, and spam do not distract from the business,
All information is protected,
Enterprise-wide operations are secured from disruption,
All users are uniquely identifiable and have access rights in accordance with their business role,
Physical measures have been implemented to protect information from unauthorized access, damage and interference when being processed, stored or transmitted,
Infrastructure events are integrated with general event monitoring and incident management, and
Electronic information is properly secured when stored, transmitted or destroyed.
Access management failing business requirements and compromising the security of business-critical systems
Business disruptions
© 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)
Manage network and connectivity security. Use security measures and related management procedures to protect information over all methods of connectivity.
classification.
DSS05.02.05 - Security Protocols
Control objective: Determine that IT applies approved security protocols to network connectivity.
Testing steps: Detail the application of approved security protocols to network connectivity.

DSS05.02.06 - Secure Configurations
Control objective: Determine that IT has configured network equipment in a secure manner.
Testing steps:
1. Determine the kinds of network devices in use.
2. Determine the methods that IT uses to configure all network equipment in a secure manner.

DSS05.02.07 - Secure Transmissions
Control objective: Understand if IT has established trusted mechanisms to support the secure transmission and receipt of information.
Testing steps: Determine the methods IT uses to establish trusted mechanisms to support the secure transmission and receipt of information.

DSS05.02.08 - Network Pen Testing
Control objective: Determine that IT carries out periodic penetration testing to determine adequacy of network protection.
Testing steps:
Note: IT can carry out these testing steps and have Internal Audit participate, or Internal Audit can execute these independently from IT. Before any testing occurs, ensure that there is a comprehensive SLA between Internal Audit and IT Security to ensure that expectations and limits are firmly set and understood.
Specific testing for OS and pen testing is not included here. Please research the latest methods and means for your particular environment. Discussion on methods and means follows.
The testing performed closely parallels that which an internal IS auditor will be assigned to audit, given the size, complexity and financial resources devoted to the risk associated with lack of security concerns.
The first phase relates to information gathering, which comprises public information search, googling, and obtaining maximum information about the business, employees, etc., thereby profiling the target. For instance, this phase may result in obtaining resumes/CVs of employees, which may be
The first testing goal is to ascertain the internal network topology or footprint that provides a map
of the critical access paths/points and devices including their Internet protocol (IP) address
ranges. This is the network discovery stage.
Once critical points/devices are identified within the network, the next step is to attack those
devices given the various types of known vulnerabilities within the system and operating software
running on the devices (e.g., UNIX, NT, Apache, Netscape and IIS). This comprises the
vulnerability analysis phase.
The methodology needed to perform external testing allows for a systematic checking for known vulnerabilities and pursuit of potential security risks. The methodology ordinarily employed includes the processes of:
– Information gathering (reconnaissance)
– Network enumeration
– Vulnerability analysis
– Exploitation
– Results analysis and reporting
For physical testing, identification of telecommunication access paths into and out of the organization's premises, including communications rooms and the data center areas, is critical to identifying potential methods to intercept, prevent or modify data communications. These access paths should be physically secured from unauthorized access and rendered inaccessible without the knowledge and specific permission of the organization as well as specialized
First, and most importantly, the more information that the individual performing the test has about the organization, employees and network, the greater the likelihood of success in extracting information. The individual performing the test should have a script. For example, the individual performing the test may pose as one of the technical support personnel, whose name was obtained in an earlier help desk call seeking information pertaining to connectivity and, therefore, requesting network information. Typically, these social engineering efforts succeed when information obtained from one source is used in combination with information from a second, progressive source.
Using information obtained from the help desk in the example in 7.2.1, the test continues by
having an auditor pose as an organization employee over the telephone asking for a password
reset/change. These tests are best performed using a telephone inside the organization, as help
desk/security personnel employees may be more willing to accept the masquerade and provide
the information requested without detailed authentication/personal confirmation. Acting as an
impatient, disgruntled or aggravated customer over the phone as well as other personal behaviors
(i.e., telling the help desk employee that they need access to get information to their superior
Background information, such as the mother’s maiden name, zip code or social security number,
of the employee being impersonated by the individual performing the test is helpful. In addition,
obtaining resumes/CVs of employees through an Internet search or a stranger headhunter
approach could be of more help.
Each organization differs in its structure (i.e., centralized in the same geographical area vs.
segmented over a large physical area under different management), size (i.e., medium size bank
with 500-800 employees to large financial management organization with over 10,000
employees), network complexity and security awareness (i.e., well-known organization or federal
agency that is continuously probed by
Review of garbage disposal areas and bins for information can be a valuable source of sensitive
security and overall organizational information that could be useful in a social engineering
examination. Access to recycled paper bins should also be considered a source of critical
information.
Physical harm is possible in going through an organization's garbage, as there could be
As noted previously, none of the information obtained using social engineering may be particularly
relevant except when taken together with other information obtained via other tests defined in this
procedure. The most important aspect when attempting to exploit individuals’ naïveté or lack of
training for the security of organization proprietary information is that there will always be
someone who will divulge information and it is ordinarily only a matter of time before such an
individual is contacted.
With the advent of wireless technology for transmitting data and voice, the well-known and relied
upon controls instituted using perimeter devices are disappearing. Gone are the physical security
controls, such as security guards, cameras and locks that were effective in protecting wired
networks and data transmissions. The major vulnerabilities result from the users of wireless
technologies not addressing the following:
The risks and threats associated with attacks against wireless networks are widespread, including:
– Attacks where message traffic is captured and analyzed and encryption keys cracked, i.e., initialization vector (IV)
– Resource theft, where Internet access is obtained that in return is used as a launch pad for other attacks, i.e., cyclical redundancy check (CRC-32)
– Denial-of-service due to signal interference and propagation of threat from viruses and worms
In addition, as with other types of technologies, the greatest weakness with wireless security is
not the technical shortcomings but out-of-the-box insecure installations. The human factor is
typically the weakest link.
Web application testing includes manual and automated testing of the portal site as an outsider with no login information. This testing complements the external penetration testing. The goal of this testing is to gain an understanding of how individuals interact with the system in accessing sensitive data.
Additional testing may include testing of the portal site by an insider through a standard login
account. The goal of this testing is to determine the ease of access to sensitive information that is
not authorized by the login account (i.e., privilege escalation).
DSS05.03.02 - Device Lockdown
Control objective: Understand if IT implements device lockdown mechanisms.
Testing steps: Determine the configurations to implement device lockdown mechanisms.
DSS05.03.03 - Storage Encryption
Control objective: Understand that IT encrypts information in storage according to a classification.
Testing steps:
1. Determine and analyze if a defined key life cycle management process exists. The process should include:
– Minimum key sizes required for the generation of strong keys
– Use of required key generation algorithms
– Identification of required standards for the generation of keys
– Purposes for which keys should be used and restricted
– Allowable usage periods or active lifetimes for keys
– Acceptable methods of key distribution
– Key backup, archival and destruction
2. Determine if controls over private keys exist to enforce their confidentiality and integrity. Consideration should be given to the following:
– Storage of private signing keys within secure cryptographic devices (e.g., FIPS 140-1,
3. Understand if procedures are defined to ensure that information labeling and handling is performed in accordance with the organization's information classification scheme.
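A checker of the kind an auditor could run against a key inventory export to test the policy points listed in step 1 and the secure-device point in step 2. This is an added example written for this page, not part of the ISACA audit program; the policy thresholds, the inventory fields and the sample keys are constructed assumptions for illustration:

```python
"""Key life cycle policy check (added example, not part of the ISACA audit program).

Checks a constructed key inventory against a written key management policy of
the kind the testing step asks for: minimum key sizes, approved algorithms,
permitted purposes, maximum active lifetime, and storage of private signing
keys in a secure cryptographic device. Policy values are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative policy (assumption, not ISACA's figures).
POLICY = {
    "min_key_bits": {"RSA": 2048, "AES": 128, "ECDSA": 256},
    "approved_algorithms": {"RSA", "AES", "ECDSA"},
    "allowed_purposes": {
        "RSA": {"signing", "encryption"},
        "ECDSA": {"signing"},
        "AES": {"encryption"},
    },
    "max_active_days": {"signing": 365, "encryption": 730},
    # private signing keys must live in an HSM or smartcard
    "secure_device_required_for": {"signing"},
}


@dataclass
class KeyRecord:
    key_id: str
    algorithm: str
    bits: int
    purpose: str
    created: date
    storage: str  # e.g. "hsm", "smartcard", "file"


def check_key(rec: KeyRecord, today: date, policy=POLICY) -> list:
    """Return the policy findings for one key (empty list means compliant)."""
    findings = []
    if rec.algorithm not in policy["approved_algorithms"]:
        findings.append(f"{rec.key_id}: algorithm {rec.algorithm} is not approved")
        return findings  # the remaining checks depend on a known algorithm
    min_bits = policy["min_key_bits"][rec.algorithm]
    if rec.bits < min_bits:
        findings.append(f"{rec.key_id}: {rec.algorithm}-{rec.bits} is below the minimum of {min_bits} bits")
    if rec.purpose not in policy["allowed_purposes"][rec.algorithm]:
        findings.append(f"{rec.key_id}: purpose '{rec.purpose}' is not permitted for {rec.algorithm}")
    max_days = policy["max_active_days"].get(rec.purpose)
    age = (today - rec.created).days
    if max_days is not None and age > max_days:
        findings.append(f"{rec.key_id}: active for {age} days, exceeds the {max_days}-day lifetime")
    if rec.purpose in policy["secure_device_required_for"] and rec.storage not in {"hsm", "smartcard"}:
        findings.append(f"{rec.key_id}: private signing key stored in '{rec.storage}', not a secure cryptographic device")
    return findings


def audit_inventory(records, today: date, policy=POLICY) -> dict:
    """Map each non-compliant key id to its list of findings."""
    result = {}
    for rec in records:
        found = check_key(rec, today, policy)
        if found:
            result[rec.key_id] = found
    return result


# Constructed sample inventory (the dates are relative to a fixed review date).
TODAY = date(2012, 6, 1)
SAMPLE_KEYS = [
    KeyRecord("k-ca-sign", "RSA", 2048, "signing", TODAY - timedelta(days=200), "hsm"),     # compliant
    KeyRecord("k-web-sign", "RSA", 1024, "signing", TODAY - timedelta(days=400), "file"),   # too short, too old, on disk
    KeyRecord("k-db-enc", "AES", 256, "encryption", TODAY - timedelta(days=100), "file"),   # compliant
    KeyRecord("k-legacy", "DES", 56, "encryption", TODAY - timedelta(days=2000), "file"),   # unapproved algorithm
    KeyRecord("k-ec-enc", "ECDSA", 256, "encryption", TODAY - timedelta(days=10), "hsm"),   # purpose not allowed
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(SAMPLE_KEYS, TODAY).items():
        for line in findings:
            print(line)
```

Feeding the real inventory export into `audit_inventory` turns the "determine if the process includes ..." wording of step 1 into a repeatable test with evidence per key; the policy dictionary is the place to record the organization's actual minimums rather than the illustrative ones above.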
DSS05.03.04 - Remote Access
Control objective: Understand how IT manages remote access and control.
Testing steps: Determine how IT manages remote access and control.
DSS05.03.05 - Network Configuration
Control objective: Determine that IT manages network configuration in a secure manner.
Testing steps: Determine how IT manages network configuration in a secure manner.
Note: specific testing of specific network devices (i.e., routers, switches and firewalls) is located in the Specific Technology (ST) section of the audit-testing universe.
DSS05.03.06 - Network Traffic Filtering
Control objective: Understand that IT implements network traffic filtering on endpoint devices.
Testing steps: Determine how IT implements network traffic filtering on endpoint devices.

DSS05.03.07 - System Integrity
Control objective: Determine how IT protects system integrity.
Testing steps: Determine IT's philosophy on protecting system integrity.

DSS05.03.08 - Physical Protection
Control objective: Determine how IT provides physical protection of endpoint devices.
Testing steps: Determine how IT provides physical protection of endpoint devices.

DSS05.03.09 - Secure Disposal
Control objective: Determine how IT disposes of endpoint devices securely.
Testing steps: Understand how IT disposes of endpoint devices securely.
2. Determine if user access rights are maintained in accordance with business function and
process requirements.
DSS05.04.02 - Role Definitions
Control objective: Determine that IT uniquely identifies all information processing activities by functional roles, coordinating with business units to ensure that all roles are consistently defined, including roles that are defined by the business itself within business process applications.
Testing steps: Understand if predetermined and preapproved roles are utilized to grant access, then determine if the roles clearly delineate responsibilities based on least privileges and ensure that the establishment and modification of roles are approved by process owner management.
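An added example, not part of the ISACA audit program, of how the least-privilege point in this testing step can be checked mechanically: the approved role definitions, the recorded role assignments and an export of the entitlements actually held are compared in Python, and every account whose access cannot be explained by an approved role is reported. All role names, entitlements and accounts are constructed assumptions:

```python
"""Role-based access review (added example, not part of the ISACA audit program).

Compares the entitlements actually held by accounts against predefined,
approved roles and reports three kinds of exception: entitlements that no
assigned role grants (least-privilege exceptions), accounts with no role
recorded, and assignments that reference a role absent from the approved
catalogue. Every name below is constructed for illustration.
"""

# Approved role definitions: role -> entitlements it grants (assumption)
APPROVED_ROLES = {
    "teller": {"core:read-account", "core:post-deposit"},
    "branch-manager": {"core:read-account", "core:post-deposit", "core:approve-loan"},
    "dba": {"db:read", "db:write", "db:admin"},
}

# Role assignments per account, as recorded by the provisioning process (constructed)
ASSIGNMENTS = {
    "alice": {"teller"},
    "bob": {"branch-manager"},
    "carol": {"dba"},
    "dave": set(),                 # no role recorded for this account
    "erin": {"fraud-analyst"},     # role never approved by process owner management
}

# Entitlements actually present in the target systems, e.g. from a rights export (constructed)
ACTUAL_ENTITLEMENTS = {
    "alice": {"core:read-account", "core:post-deposit", "core:approve-loan"},  # one beyond her role
    "bob": {"core:read-account", "core:post-deposit", "core:approve-loan"},
    "carol": {"db:read", "db:write"},   # fewer than the role grants: not an exception
    "dave": {"db:read"},
    "erin": {"core:read-account"},
}


def review_access(approved_roles, assignments, actual):
    """Return {account: [finding, ...]} for every account with at least one exception."""
    findings = {}
    approved_names = set(approved_roles)
    for account, held in actual.items():
        roles = assignments.get(account, set())
        notes = []
        unknown = roles - approved_names
        if unknown:
            notes.append(f"assigned unapproved role(s): {sorted(unknown)}")
        if not roles:
            notes.append("no approved role assigned")
        # union of everything the account's approved roles legitimately grant
        granted = set().union(*(approved_roles[r] for r in roles if r in approved_names))
        excess = held - granted
        if excess:
            notes.append(f"entitlements beyond assigned roles: {sorted(excess)}")
        if notes:
            findings[account] = notes
    return findings


if __name__ == "__main__":
    for account, notes in review_access(APPROVED_ROLES, ASSIGNMENTS, ACTUAL_ENTITLEMENTS).items():
        print(account)
        for note in notes:
            print("  -", note)
```

Holding fewer entitlements than a role grants is deliberately not reported: the least-privilege test is about access the role does not explain, and under-provisioning is an operational matter rather than a control exception. Each reported account is a candidate for the "approved by process owner management" evidence the testing step asks for.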
DSS05.04.03 - Authentication
Control objective: Determine how IT authenticates all access to information assets and if it is
Testing steps: Analyze if access provisioning and authentication control mechanisms are utilized for controlling logical access across all users, system processes and IT resources, for in-house and remotely managed users, processes, and systems.
2. Determine if procedures are in place to ensure that access profiles remain current. Verify that access to IT sites (server rooms, buildings, areas or zones) is based on job function and responsibilities.
DSS05.05.03 - Entry Point Monitors
Control objective: Determine that IT logs and monitors all entry points to IT sites.
Testing steps: IT should register all visitors, including contractors and vendors, to the site.
Understand if there is a process to log and monitor all entry points to IT sites, registering all visitors, including contractors and vendors, to the site.
3. Determine if and how disposed equipment and media containing sensitive information have
been logged to maintain an audit trail as to their eventual whereabouts.
4. Determine if and how active media is removed from the media inventory list when subject
to disposal. Check that the current inventory has been updated to reflect recent disposals in
the log.
5. Inquire as to how unsanitized equipment and media are transported in a secure way
throughout the disposal process.
DSS05.07.01 - Event Logging
Control objective: Understand if and how IT logs security-related events reported by infrastructure security monitoring tools, identifying the level of information to be recorded based on a consideration of risk. Retain them for an appropriate period to assist in future investigations.
Testing steps:
1. Understand if IT logs security-related events reported by infrastructure security monitoring tools, identifying the level of information to be recorded based on a consideration of risk.
2. Review a sample of these logs.

DSS05.07.02 - Incident Recording
Control objective: Determine that IT has defined and communicates the nature and characteristics of potential security-related incidents so they can be easily recognized and their impacts understood to enable a commensurate response.
Testing steps: Determine if IT has defined and communicates the nature and characteristics of potential security-related incidents so they can be easily recognized and their impacts understood to enable a commensurate response.

DSS05.07.03 - Log Review
Control objective: Determine if and who within IT regularly reviews the event
Testing steps: Determine if and who within IT regularly reviews the event logs for potential incidents.
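An added example, not from the ISACA audit program, of the kind of review that step 2 of DSS05.07.01 and the log review in DSS05.07.03 call for: two simple rules run in Python over constructed, syslog-style authentication lines, flagging a burst of failed logins from one source and a successful login from a source that had just been failing. The line format, the thresholds and the sample entries are assumptions for illustration:

```python
"""Event log review for potential incidents (added example, not part of the ISACA audit program).

Runs two review rules over constructed, syslog-style authentication log lines:
  - failed-login-burst: FAIL_THRESHOLD or more failures from one source inside FAIL_WINDOW
  - success-after-failures: an accepted login from a source still inside such a burst
Lines that do not match the assumed format are counted rather than silently dropped,
so the reviewer can see how much of the sample the rules actually covered.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format (constructed): "<ISO timestamp> <host> sshd: <status> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<status>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

FAIL_THRESHOLD = 3                  # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this sliding window


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "status": m["status"],
        "user": m["user"],
        "ip": m["ip"],
    }


def review_logs(lines):
    """Return (findings, unparsed_count); each finding is a (rule, source_ip, detail) tuple."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])  # review in time order regardless of file order

    findings = []
    recent_failures = defaultdict(list)  # source ip -> timestamps of failures inside the window
    burst_reported = set()               # report each burst once, not on every further failure
    for ev in events:
        ip, ts = ev["ip"], ev["ts"]
        if ev["status"] == "Failed":
            window = recent_failures[ip] + [ts]
            recent_failures[ip] = [t for t in window if ts - t <= FAIL_WINDOW]
            if len(recent_failures[ip]) >= FAIL_THRESHOLD and ip not in burst_reported:
                findings.append(("failed-login-burst", ip,
                                 f"{len(recent_failures[ip])} failures by {ts.isoformat()}"))
                burst_reported.add(ip)
        else:  # Accepted
            if len(recent_failures[ip]) >= FAIL_THRESHOLD:
                findings.append(("success-after-failures", ip,
                                 f"user {ev['user']} accepted at {ts.isoformat()}"))
            recent_failures[ip] = []  # a success ends the failure run for that source
    return findings, unparsed


# Constructed sample log (documentation-range addresses; not real events).
SAMPLE_LOG = [
    "2012-06-01T08:00:01 host1 sshd: Failed password for admin from 203.0.113.5",
    "2012-06-01T08:00:03 host1 sshd: Failed password for admin from 203.0.113.5",
    "2012-06-01T08:00:05 host1 sshd: Failed password for root from 203.0.113.5",
    "2012-06-01T08:00:09 host1 sshd: Accepted password for admin from 203.0.113.5",
    "2012-06-01T08:30:00 host1 sshd: Failed password for jdoe from 192.0.2.10",
    "2012-06-01T09:30:00 host1 sshd: Failed password for jdoe from 192.0.2.10",
    "2012-06-01T09:31:00 host1 sshd: Accepted password for jdoe from 192.0.2.10",
    "2012-06-01T09:32:00 host1 kernel: eth0 link up",   # not an auth line: counted as unparsed
]

if __name__ == "__main__":
    found, skipped = review_logs(SAMPLE_LOG)
    for rule, ip, detail in found:
        print(f"{rule}: {ip} ({detail})")
    print(f"{skipped} line(s) did not match the expected format")
```

The two mistyped passwords an hour apart from 192.0.2.10 are not reported because they fall outside the five-minute window; the threshold and window are exactly the "level of information to be recorded based on a consideration of risk" that the control objective leaves to the organization, and a reviewer should record which values were used when documenting the sample review.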
Risk Scenario - Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the threat/vulnerability type and includes the actors, events, assets and time issues.
Threat type: [ ] Malicious [ ] Accidental [ ] Error [ ] Failure [ ] Natural [ ] External requirement
Actor (Who or what could trigger the threat that exploits a vulnerability): [ ] Internal [ ] External [ ] Human [ ] Non-Human
Event (Something that happens that was not supposed to happen, something does not happen that was supposed to happen, or a change in circumstances. Events always have causes and usually have consequences. A consequence is the outcome of an event and has an impact on objectives.): [ ] Disclosure [ ] Interruption [ ] Modification [ ] Theft [ ] Destruction [ ] Ineffective design [ ] Ineffective execution [ ] Rules and regulations [ ] Inappropriate use
Asset (An asset is something of tangible or intangible value that is worth protecting, including people, systems, infrastructure, finances and reputation.): [ ] Process [ ] People and Skills