
CISA ExamESSENTIALS Study Guide, 2009 Edition

The Number One Source of Exam and On-the-Job Information


STUDY INFORMATION FOR EXAM CANDIDATES

CISA ExamESSENTIALS Guide

Covering the 2009 Syllabus

© ExamREVIEW PRO & ExamREVIEW PRESS 2009
All rights reserved. No part of the contents of this book may be reproduced or
transmitted in any form or by any means without the written permission of the
publisher.
Important – Please Read

Due to the variety of fonts installed on users' systems, Acrobat may prompt you
to download an additional language component (which is FREE from Adobe anyway).

If you receive a message saying that a Traditional Chinese language pack has to
be downloaded in order to load this eBook, please click YES to have Acrobat
download the update. The size of the update is about 7M. Don't worry, this
download is safe.
Table of Contents 
END USER LICENSE AGREEMENT  7 

EXAM FORMAT  13 

ABOUT THIS BOOK  14 

EXAM TOPICS  15 

EXAM REGISTRATION CONTACTS  19 

STUDY PSYCHOLOGY & EXAM TACTICS  20 

KEY EXAM STRATEGIES  21 

STRATEGY ONE: KEYWORD OR KEY PHRASE MATCHING.  21


STRATEGY TWO : CHOICES GROUPING.  22 
STRATEGY THREE: THINK TRICKY.  23 

SECURITY THEORIES  25 

THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM  27 
DEFENSE IN DEPTH  27 
VULNERABILITIES  28 
SECURITY MEASURES  45 
STANDARDS AND GUIDELINES  49 

IS ORGANIZATION AND INFORMATION ASSETS PROTECTION  55 

THE STAKEHOLDERS  56 
THE BOARD  57 
THE AUDIT MANAGER  58 
AUDIT PERSONNEL  59 

IS CONTROLS  61 

THE IMPORTANCE OF THE USE OF CONTROLS  61 
CLASSIFICATION OF CONTROLS  62 
GENERAL CONTROLS VS APPLICATION CONTROLS  63
ACCESS CONTROL AND THE AUDITING PROCESS  66 

ACCESS CONTROL MODELS  66


ACLS VERSUS CAPABILITIES  68 
WHAT IS ORANGE BOOK, BY THE WAY?  69
TYPES OF ACCESS CONTROL  70 
THE AAA CONCEPT  71 
ESTABLISHING ACCOUNTABILITY THROUGH EVENT LOGGING  74 
THE AUDIT PROCESS  75 
THE SARBANES–OXLEY ACT AND THE COSO FRAMEWORK  76 
WHAT IS AUDITING, BY THE WAY?  79
THE ROLE OF AN AUDITOR  82 
THE AUDIT PROCESS FLOW  83 
OVERALL STRATEGIES  88 
AUDIT PLANNING  90 
RECOMMENDED TYPES OF AUDIT  100 
EXAMPLE AUDIT OBJECTIVES AND PROCEDURES  103 
AUDIT FIELDWORKS  111
AUDIT PROGRAM  115 
AUDIT REPORT  116 
AUDIT FOLLOW-UP  118
AUDIT ASSESSMENT  120 

IT STRATEGIC PLANNING  121 

IT STRATEGIC PLANNING DEFINED  121 
THE ROLE OF IS AUDITING IN THE PLANNING PROCESS  122 
IN-HOUSE OR OUT-SOURCE?  123
AVOIDING CONFLICTS OF INTERESTS  124 

PROTECTION OF INFORMATION ASSETS THROUGH SECURITY POLICY  126 

INFORMATION ASSETS DEFINED  126 
DATA CLASSIFICATIONS AND LAYER OF RESPONSIBILITIES  129 
SECURITY POLICY  131 
SECURITY MODELS AND MODES OF OPERATIONS  138 
EXAMPLE POLICY  141 
CONSEQUENCES OF VIOLATIONS  143 
EVALUATION  144 
ORGANIZATION SPECIFIC CLASSIFICATION SCHEME  145 
CHANGE CONTROL  146 

BUSINESS CONTINUITY PLANNING  148 

DEFINITION  148 
BCP VS BPCP VS DRP  149 
BCP PHASES  150 
STAKEHOLDERS AND CRISIS COMMUNICATIONS  151
THE RISK ASSESSMENT FLOW  153 
RISK VS THREAT AND VULNERABILITY  158 
IDENTIFYING RISKS  159 
LOSS CALCULATIONS  161 
BUSINESS IMPACT ANALYSIS DEFINED  164 
BIA GOALS AND STEPS  165 
BIA CHECKLIST  166 
PREPARING FOR EMERGENCY  168 
MANAGING RECOVERY  170 
TESTING THE PLAN  172 
USER ACCEPTANCE  174 
PLAN MAINTENANCE  174 
INCIDENT HANDLING  177 

RISK MANAGEMENT  180 

RISK MANAGEMENT DEFINED  181 
THE RISK MANAGEMENT STEPS  181 
IS AUDITING AND RISK MANAGEMENT  183 
RISK-BASED AUDITING  184
RISK MANAGEMENT READINGS  185 

PROJECT MANAGEMENT  187 

PROJECT MANAGEMENT DEFINED  187 
PROJECT MANAGEMENT AND AUDIT  188 

CHANGE MANAGEMENT  190 

CHANGE MANAGEMENT DEFINED  190 
CHANGE MANAGEMENT STRATEGIES  192 
CHANGE MANAGEMENT VS CHANGE CONTROL VS CONFIGURATION MANAGEMENT  194 
CHANGE CONTROL  196 

APPLICATION PROGRAM DEVELOPMENT  203 

GENERAL GUIDELINES  203 
SYSTEM CHANGE CONTROL  204 
SOFTWARE DEVELOPMENT PROCESSES AND MODELS  205 
BUY VS MAKE: ACQUISITION MANAGEMENT METHODS  208 

TECHNICAL READINGS  211

SECTION 1: TOPICS ON SECURITY THEORY  211
SECTION 2: TOPICS ON HACKING, ATTACKING, DEFENDING AND AUDITING  211
SECTION 3: TOPICS ON ENCRYPTION AND VPN  211
SECTION 4: TOPICS ON RESPONDING TO ATTACKS  211
SECTION 5: TOPICS ON VIRUSES  211

EXCELLENT PUBLIC RESOURCES  302 

SAMPLE IS AUDIT QUESTIONNAIRE  307 

END OF STUDY GUIDE  308
End User License Agreement 

The CISA ExamESSENTIALS Guide (the "Book") is a certification study product provided by
ExamREVIEW Press (including ExamREVIEW.NET and SystemREVIEW.NET, being referred to as
"ExamREVIEW.NET" in this document), subject to your compliance with the terms and conditions set
forth below.

PLEASE READ THIS DOCUMENT CAREFULLY BEFORE ACCESSING OR USING THE BOOK.
BY ACCESSING OR USING THE BOOK, YOU AGREE TO BE BOUND BY THE TERMS AND
CONDITIONS SET FORTH BELOW. IF YOU DO NOT WISH TO BE BOUND BY THESE
TERMS AND CONDITIONS, YOU MAY NOT ACCESS OR USE THE BOOK.
EXAMREVIEW.NET MAY MODIFY THIS AGREEMENT AT ANY TIME, AND SUCH
MODIFICATIONS SHALL BE EFFECTIVE IMMEDIATELY UPON POSTING OF THE
MODIFIED AGREEMENT ON THE CORPORATE SITE OF EXAMREVIEW.NET. YOU AGREE
TO REVIEW THE AGREEMENT PERIODICALLY TO BE AWARE OF SUCH MODIFICATIONS
AND YOUR CONTINUED ACCESS OR USE OF THE BOOK SHALL BE DEEMED YOUR
CONCLUSIVE ACCEPTANCE OF THE MODIFIED AGREEMENT.

1. Copyright and Licenses.

License Grant
This Agreement entitles you to install and use one copy of the Book. In addition, you
may make one archival copy of the Book. The archival copy must be on a storage
medium other than a hard drive, and may only be used for the reinstallation of the Book.
This Agreement does not permit the installation or use of multiple copies of the Book,
or the installation of the Book on more than one computer at any given time, on a
system that allows shared use of applications, on a multi-user network, or on any
configuration or system of computers that allows multiple users. Multiple copy use or
installation is only allowed if you obtain an appropriate licensing agreement for each user
and each copy of the Book. For further information regarding multiple-copy licensing
of the Book, please contact: michael@ExamREVIEW.NET

Restrictions on Transfer
Without first obtaining the express written consent of ExamREVIEW.NET, you may
not assign your rights and obligations under this Agreement, or redistribute, encumber,
sell, rent, lease, sublicense, or otherwise transfer your rights to the Book.

Restrictions on Use
You may not use, copy, or install the Book on any system with more than one computer,
or permit the use, copying, or installation of the Book by more than one user or on more
than one computer. If you hold multiple, validly licensed copies, you may not use, copy,
or install the Book on any system with more than the number of computers permitted
by license, or permit the use, copying, or installation by more users, or on more
computers than the number permitted by license.

You may not decompile, "reverse-engineer", disassemble, or otherwise attempt to derive
the source code for the Book.

Restrictions on Alteration
You may not modify the Book or create any derivative work of the Book or its
accompanying documentation. Derivative works include but are not limited to
translations. You may not alter any files or libraries in any portion of the Book. You
may not reproduce the database portion or create any tables or reports relating to the
database portion.

Restrictions on Copying
You may not copy any part of the Book except to the extent that licensed use inherently
demands the creation of a temporary copy stored in computer memory and not
permanently affixed on storage medium. You may make one archival copy which must
be stored on a medium other than a computer hard drive. 

TRADEMARKS. 

CISA ExamESSENTIALS Guide and/or any other names of ExamREVIEW.NET or its publications,
products, content or services referenced herein or on the Book are the exclusive trademarks or
servicemarks of ExamREVIEW.NET. Other product and company names mentioned in the Book may
be the trademarks of their respective owners.

2. Use of the Book. 

You understand that, except for information, products or services clearly identified as being supplied
by ExamREVIEW.NET, ExamREVIEW.NET does not operate, control or endorse any information,
products or services on the Internet in any way. Except for ExamREVIEW.NET explicitly identified
information, products or services, all information, products and services offered through the Book or
on the Internet generally are offered by third parties that are not affiliated with ExamREVIEW.NET.

YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE BOOK AND
THE INTERNET. EXAMREVIEW.NET PROVIDES THE BOOK AND RELATED
INFORMATION "AS IS" AND DOES NOT MAKE ANY EXPRESS OR IMPLIED WARRANTIES,
REPRESENTATIONS OR ENDORSEMENTS WHATSOEVER (INCLUDING WITHOUT
LIMITATION WARRANTIES OF TITLE OR NONINFRINGEMENT, OR THE IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE) WITH
REGARD TO THE BOOK, ANY INFORMATION OR SERVICE PROVIDED THROUGH THE
BOOK, AND EXAMREVIEW.NET SHALL NOT BE LIABLE FOR ANY COST OR DAMAGE
ARISING EITHER DIRECTLY OR INDIRECTLY FROM ANY SUCH. IT IS SOLELY YOUR
RESPONSIBILITY TO EVALUATE THE ACCURACY, COMPLETENESS AND USEFULNESS
OF ALL OPINIONS, ADVICE, AND OTHER INFORMATION PROVIDED THROUGH THE
BOOK.

LIMITATION OF LIABILITY 

IN NO EVENT WILL EXAMREVIEW.NET BE LIABLE FOR (I) ANY INCIDENTAL,
CONSEQUENTIAL, OR INDIRECT DAMAGES (INCLUDING, BUT NOT LIMITED TO,
DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR
INFORMATION, AND THE LIKE) ARISING OUT OF THE USE OF OR INABILITY TO USE
THE BOOK, EVEN IF EXAMREVIEW.NET OR ITS AUTHORIZED REPRESENTATIVES HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR (II) ANY CLAIM
ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN THE BOOK.
BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION
MAY NOT APPLY TO YOU. IN SUCH STATES, EXAMREVIEW.NET LIABILITY IS LIMITED
TO THE GREATEST EXTENT PERMITTED BY LAW.

ExamREVIEW.NET makes no representations whatsoever about any other web sites which are
referenced in the book. When you access a non-ExamREVIEW.NET web site, please understand that it
is independent from ExamREVIEW.NET, and that ExamREVIEW.NET has no control over the
content on that web site. In addition, a link to an ExamREVIEW.NET web site does not mean that
ExamREVIEW.NET endorses or accepts any responsibility for the content, or the use, of such web site.

3. Indemnification. 

You agree to indemnify, defend and hold harmless ExamREVIEW.NET, its officers, directors,
employees, agents, licensors, suppliers and any third party information providers to the Book from and
against all losses, expenses, damages and costs, including reasonable attorneys' fees, resulting from
any violation of this Agreement (including negligent or wrongful conduct) by you or any other person
using the Book.

4. Third Party Rights.

The provisions of paragraphs 2 (Use of the Book), and 3 (Indemnification) are for the benefit of
ExamREVIEW.NET and its officers, directors, employees, agents, licensors, suppliers, and any third
party information providers to the Book. Each of these individuals or entities shall have the right to
assert and enforce those provisions directly against you on its own behalf.

5. Termination. 

This Agreement may be terminated by either party without notice at any time for any reason. The
provisions of paragraphs 1 (Copyright, Licenses and Idea Submissions), 2 (Use of the Book), 3
(Indemnification), 4 (Third Party Rights) and 6 (Miscellaneous) shall survive any termination of this
Agreement.

6. Miscellaneous.

This Agreement shall be governed and construed in accordance with the laws of Hong Kong
applicable to agreements made and to be performed in Hong Kong. You agree that any legal action or
proceeding between ExamREVIEW.NET and you for any purpose concerning this Agreement or the
parties' obligations hereunder shall be brought exclusively in a court of competent jurisdiction sitting
in Hong Kong. Any cause of action or claim you may have with respect to the Book must be
commenced within one (1) year after the claim or cause of action arises or such claim or cause of
action is barred. ExamREVIEW.NET's failure to insist upon or enforce strict performance of any
provision of this Agreement shall not be construed as a waiver of any provision or right. Neither the
course of conduct between the parties nor trade practice shall act to modify any provision of this
Agreement. ExamREVIEW.NET may assign its rights and duties under this Agreement to any party at
any time without notice to you.

Any rights not expressly granted herein are reserved.

Every effort has been made to ensure the accuracy of this book. If you have
comments, questions, or ideas regarding this book, please let us know by
emailing to this address: michael@ExamREVIEW.NET

This electronic book was originally created as a print book. For simplicity, the
electronic version of this book has been modified as little as possible from its
original form.

Exam Format

The following question formats are used in the CISA exams:

Text Based Multiple-choice: The examinee selects one option that best
answers the question or completes a statement.

Multiple-response: The examinee selects multiple options that best answer
the question or complete a statement.

Sample Directions (Scenario): Read the statement or question and from the
response options, select only the option(s) that represent the BEST possible
answer(s).

There are no fill-in-the-blank questions. There are no graphical questions.

You will mostly be asked to pick one choice as the answer. However, some
questions will require you to pick multiple items – something like "i and ii", "i,
iii & v", etc.

- For international candidates, it takes about two months to receive
the results.

- As of 2004 all CISA exams are paper and pencil based.

About this book

The CISA exam has a lot of questions that ask for your "best decisions" - of the
hundreds of questions you will encounter in the exam, a significant portion of
them require that you pick the best possible options. These best options are
often based on expert advice and best practices not found in the standard
exam text books.

Our CISA ExamESSENTIALS Guide goes the expert-advice way. Instead of
giving you the hard facts, we give you information that covers the best practices.
With this information, you will always be able to make the most appropriate
expert judgment in the exam.

If you are looking for the hard facts, visit the following ISACA link:

http://www.isaca.org/TemplateRedirect.cfm?Template=/ContentManagement/ContentDisplay.cfm&ContentID=15262

* In case this link no longer works, refer to the Standards section of ISACA's
web site.

This is the place where most "official" IS auditing standards and guidelines are
listed. In the exam you will encounter certain questions that test your
memorization skills – you will have to get these hard facts "fully loaded" into
your memory. We believe that the official published material is the best source
of information in this regard.

Our guide focuses on the best business practice and expert advice side
of the exam.


Exam Topics

The official exam objectives can be found on the CISA exam page:

http://www.isaca.org/cisaexam

I personally do not recommend that you spend too much time on these
objectives. The reasons are:

- many of them simply require nothing but basic common sense – you will
be able to answer the corresponding questions easily anyway

- the list is way too detailed – if you go through them one by one, it will take
you a year or so to finish

- many of the objectives heavily overlap

- to me, they look confusing

Instead, I prefer to focus on the following areas (because they often involve
topics that do not have fixed answers but instead require the "best possible"
options):

- Access control models.

- The auditing process.

- IT strategic planning.

- Protection policy for information assets.

- Business continuity planning.

- Risk management.

- Project management.

- Change management.

Why do we choose these topics? Firstly, according to many recent CISA
"graduates", these are the topics that frequently give them surprises. Secondly,
if you watch closely what ISACA at present offers together with the Big 5
accounting firms, you should notice that these topics are always emphasized.

Most candidates fail the exam because they focus too much on the IT side of
the exam, with little or no preparation on the auditing related disciplines.
Remember, a large number of the CISA exam candidates are from the
accounting profession, where business auditing is a major daily duty.
The exam is about 40% TECHNOLOGY and 60% BUSINESS
PRACTICE.

Tech gurus do not really have an edge because no in-depth or advanced
technologies are tested here. Instead, the "practical business people" with
sufficient technology knowledge rule.

The tech questions are easy because they are (and are bound to be)
straightforward. The business practice related questions are difficult
because business rationales are never straightforward – too many factors
come into play, making every scenario highly complicated.

And remember, technology does not mean IT technology alone. It also means
physical security technology as well as biometrics, and many more. As of the
time of this writing the state of biometrics technology is very sophisticated and
accurate, but is highly expensive. Other potential barriers include user
acceptance, enrollment time and throughput. Still, it is gaining ground,
especially in environments where security is CRITICAL.

Take a look at the security measures your company has implemented and
critically assess their features and effectiveness. This will help.

!!! Biometrics is an important topic. Check out the various forms of biometrics
technology described in this web page:
http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm

Exam Registration Contacts

The CISA exam is offered throughout the world twice a year (in June and in
December). The best way to register for the exam is to request the exam
bulletin from the ISACA Certification Department via email at
certification@isaca.org or by phone at +1.847.253.1545.

I do recommend that you register early. As I remember, there is an early bird
discount available …

Study Psychology & Exam Tactics

- Always plan ahead!

- Always maintain a positive attitude.

- Prepare systematically using ExamReview materials.

- Ensure you have enough sleep! Health is essential for maintaining a
fighting spirit.

- Arrive at the test center in time to have a margin of safety.

- Dress with an emphasis on comfort. Always have a coat
ready just in case the A/C is way too powerful.

- Read the exam instructions carefully before answering the first question.

Key exam strategies

To be successful in the CISA exam, you must know how the questions are
structured. The official saying is that the CISA examination will require the
candidates to answer questions and to make judgments based on the
information learned in courses and on their own professional experiences.
Based on our experiences, however, tackling CISA questions involves several
major strategies:

Strategy One: Keyword or key phrase matching.

Example: Which of the following would be included in an information security
strategic plan?

A. Specifications for planned hardware purchases

B. Analysis of future business objectives

C. Target dates for information security projects

D. Annual budgetary targets for the security department

The key phrase here is "strategic plan". As we all know, a strategic plan is a very
high level thing. Looking at the choices, only choice B has a high level element,
which is "business objective". Therefore, B is the correct answer.

Strategy Two: Choices grouping.

Example: The MOST important responsibility of an information security
manager in an organization is:

A. recommending and monitoring security policies.

B. promoting security awareness within the organization.

C. establishing procedures for security policies.

D. administering physical and logical access controls.

When you try to classify or group the choices, you will find that choices B, C and
D can be classified into one group – a group of implementation activities.
Choice A, on the other hand, takes place way before the implementation phase.
Therefore, choice A is the answer.

Strategy Three: Think tricky.

You need to know how to pick the BEST answer out of several technically
possible answers. To do this you need to think tricky – the questions are always
written with trickiness in mind (believe me, this is exactly the case with most
ISACA exam questions).

As an example, you are asked to evaluate the following statements:

- In the context of information security, the term Granularity refers to the
level of detail to which a trusted system can authenticate users.

- In the context of information security, the term Granularity refers to the
level of detail to which imperfections of a trusted system can be
measured.

- In the context of information security, the term Granularity refers to the
level of detail to which packets can be filtered.

- In the context of information security, the term Granularity refers to the
level of detail to which an access control system can be adjusted.

Which statement is the BEST one?

To pick the BEST choice, you must keep in mind that Granularity is a term
which could be applied to a multitude of usages within the context of IT security.
It can be for packet filtering, and it can also be for user access. The last
statement says "access control system" without specifying its exact type. It is
therefore representative of almost all possible types of access control system.
You know what, this is exactly the type of answer expected. Kinda tricky, isn't it?

Security Theories

A security stance is a default position on security matters. The 2 primary
security stances are:

(i) "Everything not explicitly permitted is forbidden" (default deny). This
improves security at the cost of functionality. A good approach to use if you
face lots of security threats. You may find this approach helpful based on the
principle of least privilege (sometimes also known as the principle of least
authority - POLA): that every module of a computing environment should be
able to access only such resources as are necessary to its legitimate purpose.
Do keep in mind, an over-restrictive system can sacrifice usability. The lack of
flexibility can also hinder usability.

(ii) "Everything not explicitly forbidden is permitted" (default permit). This
allows greater functionality by sacrificing security. This is only a good approach
in an environment where security threats are non-existent or negligible. Many
earlier Windows systems give Everyone full control, which is no good security-
wise.

A proper balance of security risks is needed for implementing practical
computing systems.

There are two different approaches to security in computing. One focuses
mainly on external threats, and generally treats the computer system itself as a
trusted system. The other regards the computer system itself as largely an
untrusted system, and redesigns it to make it more secure in a number of ways.
Most current real-world computer security efforts focus on external threats, and
generally treat the computer system itself as a trusted system. Some observers
consider this to be a disastrous mistake, and point out that this distinction is the
cause of much of the insecurity of current computer systems - once an attacker
has subverted one part of a system without fine-grained security, he or she
usually has access to most or all of the features of that system. In other words,
this security stance tends to produce insecure systems.

The 'trusted systems' approach has been predominant in the design of many
earlier software products, due to the long-standing emphasis on functionality
and 'ease of use' over security.

The computer system itself as largely an untrusted system

The "untrusted system" approach seeks to enforce the principle of least
privilege to a great extent, where an entity has only the privileges that are needed
for its function. That way, even if an attacker has subverted one part of the
system, fine-grained security ensures that it is just as difficult for them to
subvert the rest. Furthermore, by breaking the system up into smaller
components, the complexity of individual components is reduced, opening up
the possibility of using techniques such as automated theorem proving to prove
the correctness of crucial software subsystems. Where formal correctness
proofs are not possible, rigorous use of code review and unit testing measures
can be used to try to make modules as secure as possible.

Defense in depth

From a technical perspective, designs that use the above-mentioned technique
often make use of the concept of "defense in depth", where more than one
subsystem needs to be compromised to compromise the security of the
system and the information it holds.

A typical defense in depth approach divides the key security elements into
layers for creating a cohesive defense strategy. To ensure effective IT
security, you must design, implement, and manage IT security controls for
each layer of this layered model. As an example: you may divide your
controls into the layers of network, hardware, software, and data.

From a broader perspective, an important principle of the Defense in Depth strategy is
that in order to achieve Information Assurance you need to maintain a balanced focus on
the critical elements of People, Technology and Operations.

In any case, security should not be viewed as an all or nothing issue. The
designers and operators of systems should assume that security breaches are
inevitable in the long term, and that full audit trails should be kept of system
activity so that when a security breach occurs, the mechanism and extent of
the breach can be determined. In fact, storing audit trails remotely, where
they can only be appended to, can keep intruders from covering their tracks.

Vulnerabilities

To understand the techniques for securing a computer system, it is
important to first understand the various types of attacks that can be made
against it. These threats can typically be classified into the following
categories:

- You may think of a salami attack as a concept that can be applied to
scenarios with and without relation to computing. In general, a salami
attack is said to have taken place when tiny amounts of assets are
systematically acquired from a very large number of sources. Since the
process takes place below the threshold of perception and detection, an
ongoing accumulation of assets bit by bit is made possible. An example:
the digits representing currency on a financial institution's computer
could be modified in such a way that values to the right of the pennies
field are automatically rounded down. The salami concept can apply in
information gathering - aggregating small amounts of information from
many sources in an attempt to derive an overall picture of an
organization.

- Bribes and extortion can occur! With promises or threats that cause
your staff to violate their trust, information security can be at risk big
time! This is more of an HR issue, but still you need to think of ways to
safeguard security assuming bribery is not entirely impossible.

- Software flaws, such as buffer overflows, are often exploited to gain
control of a computer, or to cause it to operate in an unexpected
manner.

NOTE: A buffer overflow (buffer overrun) is a programming error which may
result in a memory access exception - that is, a process attempts to store
data beyond the fixed boundaries of a buffer area. With careless
programming, this kind of access attempt can be triggered by malicious
code. Stack-based buffer overflows and heap-based buffer overflows are
the 2 popular types of attack of this nature. Techniques such as static
code analysis can help prevent such attacks. You should also always opt
for the use of safe libraries.
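As an added example that is not part of the guide, the following C code puts the careless pattern the note describes (a copy into a fixed-size buffer with no bounds check) beside a hardened version that rejects oversized input instead of writing past the buffer; `set_name_unsafe`, `set_name_safe` and the 16-byte `NAME_LEN` buffer are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed fixed-size buffer for this example */

/* Careless version: strcpy() copies until it finds src's terminating NUL
 * and never looks at the size of dst. If src holds more than NAME_LEN-1
 * characters the copy runs past the end of the buffer; when dst lives on
 * the stack that is a stack-based buffer overflow. Nothing here rejects
 * or even notices bad input. */
void set_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened version: the destination size travels with the pointer and is
 * checked before a single byte is written. Oversized input is rejected
 * (return -1) rather than silently truncated, so the caller can log it.
 * Returns 0 on success. */
int set_name_safe(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;

    /* Look for the terminator only within the first dst_len bytes of src,
     * so an unterminated or oversized source cannot cause an over-read. */
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL)                    /* src has >= dst_len bytes: no room */
        return -1;

    size_t n = (size_t)(end - src);     /* n <= dst_len - 1, room for the NUL */
    memcpy(dst, src, n + 1);            /* copy the data plus its terminator */
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    const char *short_input = "alice";                               /* constructed */
    const char *long_input  = "a-user-name-far-longer-than-sixteen-bytes";

    /* Fits, so this call is harmless; the same call with long_input would
     * write past the end of name[]. */
    set_name_unsafe(name, short_input);
    printf("unsafe copy: %s\n", name);

    if (set_name_safe(name, sizeof name, long_input) != 0)
        printf("safe copy: rejected %zu-byte input for %d-byte buffer\n",
               strlen(long_input), NAME_LEN);
    return 0;
}
```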

- Many development methodologies rely on testing to ensure the quality
of any code released; this process often fails to discover extremely
unusual potential exploits. The term "exploit" generally refers to small
programs designed to take advantage of a software flaw that has been
discovered, either remote or local.

NOTE: As a pre-attack activity, footprinting refers to the technique of
collecting information about systems through techniques such as ping
sweeps, TCP scans, OS identification, domain queries and DNS
interrogation. Tools involved may include samspade, nslookup,
traceroute, neotrace and the like. Passive fingerprinting, on the other
hand, is based primarily on sniffer traces from your remote system.
Rather than proactively querying a remote system, you capture
packets that pass by instead.

- Any data that is transmitted over an IP network is at some risk of being
eavesdropped on or even modified. Voice over IP has the same security
issues as running regular applications which rely on IP for transmission.

NOTE: The OSI model is a layered model which gives an abstract description
for network protocol design. It is a seven layer model, and IP runs at
layer 3, even though the TCP/IP suite itself has its own 4 layer
structure. TCP runs at OSI layer 4, which is on top of IP, for
providing connection oriented service between the sender and the
recipient.

TCP is supposed to provide guaranteed delivery. Every single TCP
segment contains a TCP header with the source and destination port,
a sequence number that identifies the first byte of data, and an
acknowledgment number that indicates an acknowledgment by the
recipient. There are also 6 flag bits, which are URG, ACK, PSH,
RST, SYN and FIN. Keep in mind, TCP does not make any
assumptions about the underlying IP network.

You can perceive ports as the actual endpoints of every TCP
connection. Examples of well known ports include http port 80, SSL
port 443 and others.
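As an added example that is not part of the guide, the following C code parses the header fields the note lists (ports, sequence and acknowledgment numbers, the six flag bits) from a constructed 20-byte segment, and flags bit combinations that a conforming TCP stack never sends, the kind of check an IDS or a reviewer of firewall logs applies to spot crafted packets; the type and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The six flag bits the text names, as laid out in header byte 13
 * (low-order bit first: FIN, SYN, RST, PSH, ACK, URG). */
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04,
       TCP_PSH = 0x08, TCP_ACK = 0x10, TCP_URG = 0x20 };

struct tcp_hdr {
    uint16_t src_port, dst_port;   /* the two endpoints of the connection */
    uint32_t seq, ack;             /* first data byte / byte acknowledged */
    uint8_t  data_offset;          /* header length in 32-bit words, 5..15 */
    uint8_t  flags;                /* URG..FIN only                        */
    uint16_t window, checksum, urg_ptr;
};

/* Header fields are big-endian ("network order") on the wire. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse the header at buf. Returns its length in bytes, or -1 when the
 * buffer is shorter than the fixed 20 bytes or the data offset claims a
 * length (options) that the buffer does not actually contain. */
int tcp_parse(const uint8_t *buf, size_t len, struct tcp_hdr *h)
{
    if (buf == NULL || h == NULL || len < 20)
        return -1;
    h->src_port    = be16(buf);
    h->dst_port    = be16(buf + 2);
    h->seq         = be32(buf + 4);
    h->ack         = be32(buf + 8);
    h->data_offset = buf[12] >> 4;
    h->flags       = buf[13] & 0x3F;
    h->window      = be16(buf + 14);
    h->checksum    = be16(buf + 16);
    h->urg_ptr     = be16(buf + 18);
    size_t hlen = (size_t)h->data_offset * 4;
    if (hlen < 20 || hlen > len)
        return -1;
    return (int)hlen;
}

/* Render the set flags as e.g. "ACK|SYN" into out; 24 bytes hold all six. */
const char *tcp_flag_names(uint8_t flags, char *out, size_t out_len)
{
    static const struct { uint8_t bit; const char *name; } tab[] = {
        { TCP_URG, "URG" }, { TCP_ACK, "ACK" }, { TCP_PSH, "PSH" },
        { TCP_RST, "RST" }, { TCP_SYN, "SYN" }, { TCP_FIN, "FIN" } };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (!(flags & tab[i].bit))
            continue;
        if (out[0] != '\0')
            strncat(out, "|", out_len - strlen(out) - 1);
        strncat(out, tab[i].name, out_len - strlen(out) - 1);
    }
    return out;
}

/* Combinations no conforming stack sends: SYN together with FIN or RST,
 * or no flags at all. In a capture they indicate crafted packets (such as
 * the TCP scans mentioned under footprinting), so a monitor should alert. */
int tcp_flags_illegal(uint8_t flags)
{
    flags &= 0x3F;
    return flags == 0 || ((flags & TCP_SYN) && (flags & (TCP_FIN | TCP_RST)));
}

/* Constructed sample: a SYN from ephemeral port 49152 to port 443,
 * sequence number 1, window 65535, no options (data offset 5). */
static const uint8_t sample_syn[20] = {
    0xC0, 0x00, 0x01, 0xBB,              /* src port 49152, dst port 443 */
    0x00, 0x00, 0x00, 0x01,              /* seq = 1                      */
    0x00, 0x00, 0x00, 0x00,              /* ack = 0                      */
    0x50, 0x02,                          /* data offset 5, flags = SYN   */
    0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00   /* window, checksum, urg ptr    */
};

int main(void)
{
    struct tcp_hdr h;
    char names[32];
    if (tcp_parse(sample_syn, sizeof sample_syn, &h) < 0)
        return 1;
    printf("%u -> %u seq=%lu ack=%lu flags=%s illegal=%d\n",
           (unsigned)h.src_port, (unsigned)h.dst_port,
           (unsigned long)h.seq, (unsigned long)h.ack,
           tcp_flag_names(h.flags, names, sizeof names),
           tcp_flags_illegal(h.flags));
    return 0;
}
```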

ICMP is quite special. It runs at the IP layer mostly for sending one-
way informational messages to a networked host. "ping" is a utility
which uses ICMP.

The 4 areas of the TCP/IP headers that hackers usually look at for determining the
operating system may include TTL (the Time To Live on the
outbound packet), Window Size, DF (the Don't Fragment bit) and
the TOS (the Type of Service). By analyzing these and comparing them
with a database of signatures there is a chance you can tell what the
remote operating system is.

- Non-IP based networks are also highly hackable. Sniffing was pretty
common on Ethernet (and also on IP networks).

A packet sniffer (another name for protocol analyzer) can be deployed
to intercept and log network traffic that passes through the network.
It can capture unicast, multicast and broadcast traffic provided that
you put your network adapter into promiscuous mode. You may
sniff to analyze network problems, or to gain information for
launching a network attack.

Wireshark (formerly Ethereal) is a free protocol analyzer you may use
for network troubleshooting and sniffing. The functionality it offers
is similar to tcpdump but it provides a GUI for ease of use.

• Even machines that operate as a closed system can be eavesdropped upon by monitoring the faint electromagnetic emissions generated by the hardware (the subject of TEMPEST).

• Wireless networks are highly hackable.

NOTE: In the world of WLAN, a BSS (basic service set) refers to a set of wireless stations that communicate with each other. The two types of BSS are the independent BSS and the infrastructure BSS. The former is an ad-hoc network that has no access point. The latter requires the use of access points. Neither of them is very secure by default.

WEP is the original encryption standard for WLAN. It uses key lengths in the range of 128- and 256-bit, but is still considered far less secure than WPA. WPA deploys a pre-shared key (PSK) established from an 8-63 character passphrase.

Accidental association is a form of attack that takes place when one's computer latches on to an access point that belongs to a neighboring and overlapping network. Sometimes this happens accidentally, that is, the user has no intent to break into the overlapping network at all.

Access points exposed to unfiltered traffic can be vulnerable. Broadcast traffic such as OSPF, RIP and HSRP can be corrupted through the injection of bogus reconfiguration commands.

You should always arrange your access points in such a way that radio coverage is available only in your desired area. Wireless signal that "spills" outside your desired area could be sniffed.

To further secure your WLAN you should always change the default SSID, as most hackers know the default names of most equipment. Avoid using a dictionary word as your SSID. Use something hard to guess.

• A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them. The availability of the Internet makes penetration even easier, as everything is now connected. Attacking web servers has become an exciting and enjoyable challenge for hackers.

NOTE: In a web infrastructure you have a router, a firewall and a web server. The web server serves requests through ports 80 and 443 (SSL). Different servers work slightly differently, and thus have different vulnerabilities. Scanning tools can probe the active ports and, from the responses obtained, identify the target server software and carry out possible attacks. This is especially true for web server software that has many ports open other than the required ones.

IIS can be extremely vulnerable if you simply follow the default installation options. Windows and IIS always install and configure superfluous services that are unpatched, and these are easy targets.

Another problem is that IIS uses a few built-in default accounts that are weakly protected. You should change the defaults: change the account names and the passwords whenever possible. Close all unnecessary ports too.

Part of the reason why IIS is so vulnerable is that it runs on Windows, which is not a very secure platform by design.

Null sessions are no good: they allow an attacker to extract system-critical information such as user account names. NT, 2000 and Windows Server 2003 domain controllers are believed to be susceptible to enumeration via null sessions. One way to prevent this is to block UDP ports 137 and 138 and TCP ports 139 and 445. You want to do this with a firewall at the edge of the network.

Another vulnerability on Windows is the inter-process communication (IPC) mechanism, which allows one process to communicate with another. This can take place between different computers connected through a network, which is why it can be bad, real bad.

• Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access.

• Denial of service (DoS) attacks are not primarily a means to gain unauthorized access or control of a system. They are instead designed to render it unusable. Attackers can deny service to individual victims, for example by deliberately guessing a wrong password 3 consecutive times and thus causing the victim's account to be locked, or they may overload the capabilities of a machine or network and block all users altogether. These types of attack are, in practice, very hard to prevent, because the behavior of whole networks needs to be analyzed, not only that of small pieces of code. Distributed denial of service (DDoS) is even worse: a large number of compromised hosts are used to flood a target system with network requests, attempting to render it unusable through resource exhaustion.
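The account-lockout case above is a good illustration of how a protective control can itself be turned into a denial of service, and of the usual mitigation. The following is an added example written for this section, not code from the book or from any product: a lockout guard that, after the three consecutive failures the text mentions, locks the account only for a bounded period and then releases it on its own, so that an attacker who knows a user name can cause at most a temporary outage. The clock is injectable (the FakeClock is constructed for the demonstration) so the behaviour can be exercised without waiting.

```python
import time


class LoginGuard:
    """Temporary account lockout: bounds the outage an attacker can cause by guessing wrong."""

    def __init__(self, max_failures=3, lock_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures = {}       # account -> consecutive failure count
        self._locked_until = {}   # account -> clock value at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # lock expired: clear it and start with a fresh failure count
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password_ok):
        """Record one login attempt; returns 'locked', 'ok' or 'failed'.

        `password_ok` is the result of the real credential check, done by the caller.
        """
        if self.is_locked(account):
            return "locked"        # refused even if the password is right
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lock_seconds
        return "failed"


class FakeClock:
    """Constructed clock for the demonstration; advance() moves time forward."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Three bad guesses lock 'alice'; the real user is refused until the lock expires."""
    clock = FakeClock()
    guard = LoginGuard(max_failures=3, lock_seconds=900, clock=clock)
    results = [guard.attempt("alice", False) for _ in range(3)]   # attacker's three wrong guesses
    results.append(guard.attempt("alice", True))                    # legitimate login is refused
    clock.advance(900)                                              # lock period elapses
    results.append(guard.attempt("alice", True))                    # access restored automatically
    return results


if __name__ == "__main__":
    print(demo())
```

In production the lockout event should also be logged: a wave of lockouts across many accounts in a short time is itself a signal worth alerting on, since it is exactly what this form of DoS looks like from the inside.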

• Many computer manufacturers used to preinstall backdoors on their systems to provide technical support for customers. With a backdoor present, it is possible to bypass normal authentication while remaining hidden from casual inspection. The backdoor may take the form of an installed program, or could be hidden in an existing "legitimate" program or executable file.

NOTE: A backdoor refers to a generally undocumented means of getting into a system, mostly for programming and maintenance/troubleshooting needs. Most real-world programs have backdoors.

On Windows, some backdoor programs install themselves to start when the system boots. You want to know whether there are services configured to start automatically that you do not recognize; they may be Trojan horse or backdoor programs.

• A specific form of backdoor is the rootkit, which replaces system binaries of the operating system to hide the presence of other programs, users, services and open ports.

NOTE: The term rootkit originally described recompiled Unix tools that would hide any trace of the intruder. You can say that the only purpose of a rootkit is to hide evidence from system administrators, so that there is no way to detect malicious privileged access attempts.

• To some, secrecy means security, so closed source software solutions are preferable. In modern times this may not always be true. With the open source model, people may freely inspect and revise the code, so back doors and other hidden tricks or defects can hardly go undetected.

• Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a blend of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered malware based on the intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, spyware, adware, and other unwanted software.

NOTE: In a common type of Trojan horse, a legitimate piece of software has been corrupted with malicious code that runs when the program is used. The key is that the user has to invoke the program in order to trigger the malicious code; in other words, a trojan horse cannot operate autonomously. You would also want to know that most, but not all, trojan horse payloads are harmful; a few of them are harmless. Most trojan horse programs are spread through e-mails. Some earlier trojan horse programs were bundled in "Root Kits". For example, the Linux Root Kit version 3 (lrk3), released in December 1996, had tcp wrapper trojans included and enhanced in the kit.

Keystroke logging (in the form of spyware) was originally a function of diagnostic tools deployed by software developers for capturing users' keystrokes. This was done to determine the sources of errors or to measure staff productivity. Imagine if someone uses it to capture user input of critical business data such as credit card (CC) information. You may want to use anti-spyware applications to detect and clean them up. Web-based on-screen keyboards may be a viable option for web applications.

NOTE: The majority of malware and viruses exploit known vulnerabilities in popular OSes. They typically come out within days after a vulnerability is announced. One way to protect your computers against these threats is to keep your OS and software security updates as current as possible by applying service packs, patches and hot fixes.

• The best-known types of malware are viruses and worms, which are known for the manner in which they spread, rather than any other particular behavior. Originally, the term computer virus was used for a program which infected other executable software, while a worm transmitted itself over a network to infect computers. More recently, the words are often used interchangeably.

NOTE: Nonresident viruses proactively and immediately search for victims to infect and then transfer control to the infected application program. Resident viruses don't do that. Instead, they stay in memory after execution and infect new victims that are invoked on the system. Modern anti-virus software can fight against both. Examples of modern AV software include Norton AV, PC Tools AV, AVG Pro, F-Prot, and NOD32.

Note that viruses capable of rewriting themselves dynamically to avoid detection are metamorphic. The core of the payload of these viruses is a metamorphic engine.

• Direct access attacks may be conducted through the use of common consumer devices. For example, someone gaining physical access to a computer can install all manner of devices to compromise security, including operating system modifications, software worms, keyboard loggers, and covert listening devices. The attacker can also easily download large quantities of data onto backup media or portable devices.

To secure a system, one should aim at reducing vulnerabilities. For example, in order to harden a Linux system you would first disable any unnecessary services/ports, and then have the rlogin service disabled. Unnecessary TCP/UDP ports should be closely monitored. Similar things can be done on Windows.
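The "disable unnecessary services and ports" step above, and the earlier advice to close all unnecessary ports on a web server and block the NetBIOS/SMB ports at the edge, both come down to comparing what is actually listening against an approved baseline. As an added example (not code from this book), here is a Python check that parses a listing in the layout of Linux `ss -tuln` and flags every listener outside the baseline, rating the rlogin port and the NetBIOS/SMB ports as high severity. The sample output and the baseline are constructed; substitute the real command output and your own approved list.

```python
# Constructed sample in the layout of `ss -tuln` on Linux (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:513       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:445       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:137       0.0.0.0:*
"""

# Approved listeners for a public web server: only HTTP and HTTPS (constructed baseline).
DEFAULT_BASELINE = {("tcp", 80), ("tcp", 443)}

# Ports the page singles out: rlogin, and the NetBIOS/SMB ports to block at the edge.
KNOWN_RISKY = {
    513: "rlogin service",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB",
}


def parse_listeners(text):
    """Yield (proto, address, port) for each socket line, skipping the header row."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        address, port = local.rsplit(":", 1)    # rsplit keeps an IPv6 address intact
        if not port.isdigit():
            continue
        yield proto, address, int(port)


def audit_listeners(text, baseline=DEFAULT_BASELINE):
    """Return a finding for every listener not in the baseline, with reason and severity."""
    findings = []
    for proto, address, port in parse_listeners(text):
        if (proto, port) in baseline:
            continue
        loopback = address in ("127.0.0.1", "::1")
        if port in KNOWN_RISKY:
            severity, reason = "high", KNOWN_RISKY[port]
        elif loopback:
            severity, reason = "low", "not in baseline (bound to loopback only)"
        else:
            severity, reason = "medium", "not in baseline"
        findings.append({"proto": proto, "address": address, "port": port,
                         "reason": reason, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT):
        print("{severity:6} {proto}/{port} on {address}: {reason}".format(**finding))
```

A listener bound only to loopback is rated lower because it is not reachable from the network, but it still appears in the report: the point of the exercise is that nothing outside the baseline goes unexplained.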

Computer code is regarded by some as just a form of mathematics. It is theoretically possible to prove the correctness of computer programs, though the likelihood of actually achieving this in large-scale practical systems is regarded as unlikely in the extreme by most with practical experience in the industry. In practice, only a small fraction of computer program code is mathematically proven, or even goes through comprehensive information technology audits or inexpensive but extremely valuable computer security audits.

On the other hand, it is technically possible to protect messages in transit by means of cryptography. You may also work at preventing information leakage. Information Leakage Detection and Prevention (ILD&P or ILDP) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders.

Audit questions related to cryptography may include:

• Does your organization use cryptographic technology to protect sensitive information during transmission? Does the technology you use provide a digital signature capability for messages containing sensitive information?

• Does your organization use cryptographic technology to protect sensitive information stored in the system and in archives?

• Does your organization have a policy that clearly states when information is to be encrypted?

In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. In the worst cases, administrators are like cowboys who often go wild. Relevant questions to ask in this regard may include:

• How many system administrators does your organization have?

• Do your system administrators work full-time as system administrators? What if they also work for someone else?

• Are your system administrators contractor employees? How much control do you want them to be able to exercise?

• Is there segregation of duties among system administrators?

• Does each system administrator have a delegate and/or backup person? What can they perform on the systems?

• Are program modifications approved by the configuration control function required to be installed by system administrators?

• Is there consistency in the implementation of security procedures by system administrators in the organization?
Technically speaking, all social engineering techniques are based on flaws in human logic known as cognitive biases. These bias flaws are used in various combinations to create attack techniques. For example, pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action, and is usually done over the telephone. It is more than a simple lie, as it most often involves some prior research or set-up and the use of pieces of known information to establish legitimacy in the mind of the target. Phishing, on the other hand, applies to email appearing to come from a legitimate business, requesting "verification" of information and warning of some dire consequence if it is not done. Sadly, social engineering and direct computer access attacks can only be effectively prevented by non-computer means, which can be difficult to enforce relative to the sensitivity of the information. Social engineering attacks in particular are very difficult to foresee and prevent.

Remember, in the real world the most security comes from operating systems where security is not an add-on but built in (such as the IBM OS/400).

Security measures

A state of computer "security" is the conceptual ideal, attained by the use of the processes of Prevention, Detection, and Response.

Prevention:
User account access controls and cryptography can protect system files and data, respectively. Firewalls are by far the most common prevention systems from a network security perspective, as they can shield access to internal network services and block certain kinds of attacks through packet filtering.

NOTE: A stateful firewall can determine whether an IP packet belongs to a new connection or is actually part of an existing connection. A packet filter does not care about this at all.
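The difference in the note above is easiest to see side by side. The following is an added example written for this section, not code from the book or from any firewall product: a stateless filter that approximates "established" by looking only at the ACK flag, beside a stateful filter that remembers connections opened from the inside. The packet format, the inside address prefix (10.0.0.) and the sample packets are all constructed; connection teardown is simplified to RST only.

```python
from collections import namedtuple

# A minimal packet: addresses, ports and the set of TCP flag names it carries (constructed format).
Packet = namedtuple("Packet", "src sport dst dport flags")

INSIDE_PREFIX = "10.0.0."   # constructed: addresses with this prefix are the protected network


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def stateless_allow(pkt):
    """A plain packet filter with an 'established' rule: having no memory of real
    connections, it passes any inbound segment that merely has ACK set."""
    if is_inside(pkt.src):
        return True                 # outbound traffic is permitted
    return "ACK" in pkt.flags       # inbound: allowed if it claims to belong to a connection


class StatefulFilter:
    """Remembers connections opened from inside; inbound packets pass only if they match one."""

    def __init__(self):
        self.table = set()          # (inside ip, inside port, outside ip, outside port)

    def allow(self, pkt):
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table.add(key)             # new outbound connection: record it
                return True
            if key in self.table:
                if "RST" in pkt.flags:
                    self.table.discard(key)     # teardown tracking simplified to RST only
                return True
            return False                        # outbound segment for an unknown connection
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # inbound: look up the reverse tuple
        if key in self.table:
            if "RST" in pkt.flags:
                self.table.discard(key)
            return True
        return False                # inbound SYNs and unsolicited ACKs are dropped


def demo():
    """Run the same four constructed packets through both filters."""
    fw = StatefulFilter()
    outbound_syn = Packet("10.0.0.5", 40000, "203.0.113.7", 443, {"SYN"})
    reply = Packet("203.0.113.7", 443, "10.0.0.5", 40000, {"SYN", "ACK"})
    probe = Packet("198.51.100.9", 1234, "10.0.0.5", 22, {"ACK"})      # unsolicited ACK
    inbound_syn = Packet("198.51.100.9", 1234, "10.0.0.5", 22, {"SYN"})
    packets = (outbound_syn, reply, probe, inbound_syn)
    return {
        "stateful": [fw.allow(p) for p in packets],
        "stateless": [stateless_allow(p) for p in packets],
    }


if __name__ == "__main__":
    print(demo())
```

The third packet is the one that matters: an ACK arriving from outside for a connection nobody opened. The stateless rule lets it through because the flag looks right; the stateful filter drops it because there is no matching entry in its table.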

To prevent messages from being intercepted during transmission over the network, technologies like IPsec and SSL should be considered.

NOTE: IPsec differs from SSL in that it runs at layer 3, so it can protect both TCP and UDP traffic. SSL operates from the transport layer up, so it offers less flexibility. The goal of SSL is to provide endpoint authentication as well as communications privacy via cryptography.

Symmetric key algorithms use trivially related (or even identical) cryptographic keys for both decryption and encryption. They use much less computational power, but require the use of a shared secret key on each end. The storage and exchange of such a shared secret can be a source of security risk. Asymmetric key algorithms use different keys, so they don't have to worry about the shared secret, but they consume far more CPU power.

RSA is an example of an asymmetric algorithm. With both a public key and a private key, it is used primarily for public key encryption. It is, in fact, suitable for both signing and encryption. However, an adaptive chosen ciphertext attack can be used against RSA-encrypted messages. Also, timing attacks can be used against RSA's signature scheme.

In addition to message encryption, you may want to enforce non-repudiation. You may use a public key certificate (one that incorporates a digital signature) to bind a public key to an identity. In a PKI, the signature is typically that of a Certificate Authority.

In a typical PKI a hash function is often used to turn data into a smaller number which serves as a sort of digital fingerprint. In cryptography, a good hash function allows for "one-way" operation, meaning there is almost no way to calculate the data input value from the hash. SHA is one example. It has several variants: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. They were designed by the NSA and published through NIST. MD5 is another example. It produces a 128-bit hash value, typically written as a 32-character hex number.
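The fingerprint idea above, and the point that a shared secret (symmetric) and a private key (asymmetric, with non-repudiation) protect that fingerprint differently, can be exercised with the Python standard library. This is an added example, not code from the book: it computes the SHA variants and MD5 the text lists, checks a constructed message against a recorded fingerprint, and then shows why a bare hash detects accidental corruption but not deliberate tampering, since an attacker can recompute it, whereas a keyed HMAC cannot be recomputed without the key. The message, the tampered copy and the demo key are constructed placeholders.

```python
import hashlib
import hmac

HASH_ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def fingerprint(data, algorithm="sha256"):
    """Hex digest of `data`: a fixed-size fingerprint that cannot be run backwards."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_hex_lengths():
    """Output length in hex characters per algorithm (MD5 gives 32, as the page says)."""
    return {algorithm: len(fingerprint(b"", algorithm)) for algorithm in HASH_ALGORITHMS}


def integrity_check(data, expected_hex, algorithm="sha256"):
    """True if `data` still matches the fingerprint recorded earlier."""
    return hmac.compare_digest(fingerprint(data, algorithm), expected_hex)


def authenticated_fingerprint(data, shared_key):
    """HMAC-SHA256: a keyed fingerprint. Whoever alters the data cannot produce a valid
    tag without the shared key. A digital signature plays the same role with a private key,
    and additionally gives non-repudiation, which a shared key cannot."""
    return hmac.new(shared_key, data, hashlib.sha256).hexdigest()


def verify_authenticated(data, shared_key, tag_hex):
    """Constant-time comparison so the check itself does not leak timing information."""
    return hmac.compare_digest(authenticated_fingerprint(data, shared_key), tag_hex)


# Constructed sample message and a tampered copy (one digit changed).
ORIGINAL = b"Transfer 100.00 to account 12345"
TAMPERED = b"Transfer 900.00 to account 12345"
DEMO_KEY = b"constructed-shared-secret"   # placeholder, not a real secret


def demo():
    """Record a fingerprint and a keyed tag, then test both against a tampered message."""
    recorded_hash = fingerprint(ORIGINAL)
    recorded_tag = authenticated_fingerprint(ORIGINAL, DEMO_KEY)
    return {
        "original_matches_hash": integrity_check(ORIGINAL, recorded_hash),
        "tampered_matches_hash": integrity_check(TAMPERED, recorded_hash),
        # an attacker who can change the message can also recompute a bare hash over it...
        "tampered_with_recomputed_hash": integrity_check(TAMPERED, fingerprint(TAMPERED)),
        # ...but cannot produce a valid keyed tag for the altered message without the key
        "tampered_with_old_tag": verify_authenticated(TAMPERED, DEMO_KEY, recorded_tag),
    }


if __name__ == "__main__":
    print(digest_hex_lengths())
    print(demo())
```

The "one-way" property is what makes the fingerprint safe to publish; the key (or private key) is what makes it trustworthy. An audit that finds hashes stored beside the data with no key or signature should ask what the hash is actually protecting against.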

Detection:
Intrusion Detection Systems are designed to detect network attacks in progress and assist in post-attack forensics, while audit trails and logs serve a similar function for individual systems.

NOTE: A typical IDS has a few components: sensors which detect and generate security events, a console interface for you to monitor events and alerts and manage the setup, and an engine which records and analyzes the logged events. These components work together so that a suspected intrusion can be evaluated and signaled (through an alert or an alarm). One may, however, flood an IDS with so much traffic that it cannot keep up with the pace.
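The sensor / engine / console split in the note above can be shown on a handful of log lines. The following is an added example, not code from the book or from any IDS product: a sensor that matches constructed signatures against log lines, an engine that records the events and correlates repeated authentication failures from one source into a single alert, and a returned alert list standing in for the console. The signatures, the threshold and the sample sshd and web-server log lines are all constructed for the demonstration; a real engine would also bound the correlation by a time window.

```python
import re

# Constructed signature set: (compiled pattern with a `src` group, event name, severity).
SIGNATURES = [
    (re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+)"),
     "ssh_auth_failure", "low"),
    (re.compile(r'^(?P<src>\S+) .*"GET \S*(?:\.\./){2,}'),
     "web_path_traversal", "high"),
]


def sensor(lines):
    """Sensor: turns raw log lines into security events by signature matching."""
    for line in lines:
        for pattern, name, severity in SIGNATURES:
            match = pattern.search(line)
            if match:
                yield {"event": name, "severity": severity,
                       "source": match.group("src"), "line": line}


class Engine:
    """Engine: records events, correlates them, and raises alerts for the console."""

    def __init__(self, threshold=5):
        self.threshold = threshold   # failures from one source before a brute-force alert
        self.events = []             # everything the sensor reported, kept for forensics
        self.failures = {}           # source -> count of ssh failures (no time window, for brevity)
        self.alerts = []             # (alert name, source): what the console would show

    def process(self, event):
        self.events.append(event)
        if event["severity"] == "high":
            self.alerts.append((event["event"], event["source"]))   # single event is enough
        if event["event"] == "ssh_auth_failure":
            count = self.failures.get(event["source"], 0) + 1
            self.failures[event["source"]] = count
            if count == self.threshold:            # alert once, when the threshold is crossed
                self.alerts.append(("ssh_brute_force", event["source"]))


def run_ids(lines, threshold=5):
    """Wire sensor and engine together; return the alert list the console would display."""
    engine = Engine(threshold)
    for event in sensor(lines):
        engine.process(event)
    return engine.alerts


# Constructed log lines (sshd auth log and web access log entries), not from a real host.
SAMPLE_LOG = [
    "Jan 10 10:00:0%d web1 sshd[220%d]: Failed password for root from 198.51.100.7 port 510%d ssh2"
    % (i, i, i) for i in range(1, 6)
] + [
    '203.0.113.9 - - [10/Jan/2009:10:00:09 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    "Jan 10 10:00:10 web1 sshd[2208]: Failed password for invalid user admin from 192.0.2.3 port 6110 ssh2",
    '192.0.2.10 - - [10/Jan/2009:10:00:11 +0000] "GET /index.html HTTP/1.1" 200 512',
    "Jan 10 10:00:12 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 5106 ssh2",
]

if __name__ == "__main__":
    for alert in run_ids(SAMPLE_LOG):
        print("ALERT", *alert)
```

Note that the engine keeps every event, not just the ones that became alerts: the low-severity failures that never reached the threshold are exactly the material post-attack forensics needs, and the flooding problem mentioned in the note is what happens when that recording step cannot keep up.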

Response:
"Response" is necessarily defined by the assessed security requirements of an individual system, and may cover the range from a simple upgrade of protections to notification of legal authorities, counter-attacks, and the like.

Example audit questions:

• Does your organization have an Internet access policy?

• How are network services accessed by members of your organization?

• Is back door access by unapproved means possible?

• Does your organization have a firewall? If so, how is it configured? What services are accessible by external users inside and outside of this firewall?

• Does your organization have an IDS? If so, who defines the IDS knowledge base?

• Who has external remote access to your organization's systems?

• Is your network's internal architecture hidden from untrusted external users?

• Do you have any established session control practices in place?

Standards and guidelines

ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and control standards are followed by many.

Apart from the guidelines published by ISACA, you may also refer to the SoGP. The Standard of Good Practice (SoGP) is a detailed documentation of best practices for information security. It is published and revised every two years by the Information Security Forum (ISF), an international best-practices organization. The Standard is developed from research based on the actual practices of and incidents experienced by major organizations. Its relatively frequent update cycle of two years also allows it to keep up with technological developments and emerging threats. In fact, the Standard is used as the default governing document for information security behavior by many major organizations, either by itself or in conjunction with other standards such as ISO 17799 or COBIT.

One of the most widely used security standards today is ISO 17799, which started in 1995. This standard consists of two basic parts, BS 7799 Part 1 and BS 7799 Part 2, both of which were created by the British Standards Institute (BSI). Recently this standard has become ISO 27001. The National Institute of Standards and Technology (NIST) has released several special publications addressing cyber security. Three of these are very relevant to cyber security: 800-12, titled "Computer Security Handbook"; 800-14, titled "Generally Accepted Principles and Practices for Securing Information Technology"; and 800-26, titled "Security Self-Assessment Guide for Information Technology Systems".

ISO 17799 states that information security is characterized by integrity, confidentiality, and availability. The ISO 17799 standard is arranged into eleven control areas: security policy; organizing information security; asset management; human resources security; physical and environmental security; communications and operations; access controls; information systems acquisition, development and maintenance; incident handling; business continuity management; and compliance.

The Sarbanes–Oxley Act of 2002 (commonly called SOX or SarBox) is a United States federal law passed in response to a number of major corporate and accounting scandals. One major provision of the act is the creation of the Public Company Accounting Oversight Board (PCAOB). The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (which will be addressed later) in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more appropriate standards of measure. Since the financial reporting processes of most organizations are driven by IT systems, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states:

"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."

Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. IT systems are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and would therefore have to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act.

The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five areas which, when implemented, can help support the requirements as set forth in the Sarbanes-Oxley legislation. These five areas and their impacts for the IT department are Risk Assessment, Control Environment, Control Activities, Monitoring, and Information & Communication.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative. Formed in 1985, its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

The Federal Information Security Management Act (FISMA) is a US federal law enacted way back in 2002. It imposes a mandatory set of processes that have to be followed for information systems operated by a government agency or by a contractor which works on behalf of the agency. The Federal Information Processing Standards (FIPS), on the other hand, are a set of publicly announced standards developed by the US government for use by non-military government agencies and their contractors. FIPS 46 in particular covers the Data Encryption Standard (DES), while FIPS 140 covers security requirements for cryptographic modules.

ISO 27001 sets out the requirements for information security management
systems. On the other hand, ISO 27002 offers a code of practice for
information security management.

British Standard 7799 Part 3 provides guidelines for information security risk
management. COBIT links IT initiatives to business requirements, organises IT
activities into a generally accepted process model, identifies the major IT
resources to be leveraged and defines the management control objectives to be
considered. ITIL (or ISO/IEC 20000 series) focuses on the service processes
of IT and considers the central role of the user.

Trusted Computer System Evaluation Criteria (TCSEC) classifies the various security requirements based on the evaluation of functionality, effectiveness and assurance of operating systems for the government and military sectors. TCSEC was introduced in 1985 and retired in 2000.

Information Technology Security Evaluation Criteria (ITSEC) is the first single standard for evaluating security attributes of computer systems by the countries in Europe.

Common Criteria (also known as ISO/IEC 15408) combines and aligns existing and emerging evaluation criteria through a collaborative effort among the national security standards organisations of Canada, France, Germany, Japan, the Netherlands, Spain, the UK and the US. The Common Criteria Evaluation and Validation Scheme (CCEVS) establishes a national program for the evaluation of information technology products for conformance to the International Common Criteria for Information Technology Security Evaluation.

ISO/IEC 13335 (IT Security Management) offers a series of guidelines for technical security control measures. On the other hand, the Payment Card Industry Data Security Standard offers 12 core security requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.

IS Organization and Information Assets Protection

There must be a proper Information Management Policy in place and integrated with the Information Security Policy. This policy should clearly define information as an asset of the business unit that needs protection, and that local business managers are the owners of information who are ultimately held responsible. In fact, to get the staff really serious about information security, it is necessary to define the roles and responsibilities of those involved in the ownership and classification of information.

No organization on earth has unlimited resources. You just cannot protect everything to the fullest extent. Therefore it is important for you to classify the information assets and then allocate resources accordingly. You also need to know whether it is cost effective to protect a certain information asset: what if the protection measure itself costs even more to implement? However, you must assess the cost element accurately and comprehensively. Some costs may not be easily quantified even though they could hurt big time when things go wrong (legal cost as an example).

The stakeholders

A critical factor in protecting information assets is laying the foundation for effective information security management. In fact, commercial, competitive and legislative pressures from around the business environment often require the implementation of proper security policies and related logical access controls. Security failures are often costly to business. Losses may be suffered as a result of the failures, or costs may be incurred when recovering from the security incident, followed by more costs to secure the systems and prevent repeated failures. Job positions within an organization that have information security responsibilities may include, but are not limited to, the following:

• Executive management (senior management, directors, etc.)

• Security committee

• Data owners

• Process owners

• IT developers

• Security specialists

• Auditors

• Users

The board

The board of directors and senior management are responsible for ensuring
that the organization's system of internal controls is operating effectively. An
“audit committee” should be appointed to oversee audit functions and to
report on audit matters periodically to the board. FYI, in order to comply with
the Sarbanes-Oxley Act of 2002, public stock-issuing institutions are required to
appoint outside directors as audit committee members. On the other hand, all
members of a stock-issuing institution’s audit committee must be members of
the board of directors and be independent.

The ability of the audit function to achieve desired objectives depends largely on the independence of audit personnel. This is especially true if the auditors are internal auditors rather than outside auditors.

The board of directors should ensure that written guidelines for conducting IT audits have been adopted, and should assign responsibility for the internal audit function (IT audit is commonly conducted in-house by the internal audit function) to a member of management who has sufficient audit expertise and is independent of the other business operations of the organization. In general, the position of the auditor within the organizational structure, the reporting authority for audit results, and the auditor's responsibilities should indicate the degree of auditor independence within the organization. The board should do its best to ensure that the audit department does not participate in activities that may compromise, or appear to compromise, its independence. These activities may include preparing reports or records, developing procedures, or performing other operational duties normally reviewed by auditors. Keep in mind, the auditor's independence may also be determined by analyzing the reporting process and verifying that management does not interfere with the candor of the findings and recommendations.

The audit manager

The audit manager is responsible for implementing board-approved audit directives. This manager should oversee the audit function and provide leadership and direction in communicating and monitoring audit policies, practices, programs, and processes conducted by the internal audit staff. The extent of external audit work (if any) should be clearly defined in a separate and formal engagement letter. This letter should discuss the scope of the audit, the objectives, resource requirements, audit timeframe, and resulting reports. Expect a bunch of meetings, coordination, collaboration, and conflicts between the outside guys and the insiders.

Audit personnel

The auditors, whether internal or external, should in any case be granted the authority to access the records and staff necessary to perform auditing and reporting. In fact, for any audit effort to be successful, a reporting line MUST be identified to the highest level of the organization. The auditor's right of access to information must be clearly identified early in the process. Management should be required to respond formally, and in a timely manner, to significant adverse audit findings by taking appropriate corrective action. The auditors in turn should discuss their findings and recommendations periodically with the audit committee.

Personnel performing IT audits should have information systems knowledge commensurate with the scope and sophistication of the organization's IT environment, and possess sufficient analytical skills to determine and report the root cause of deficiencies (they don't have to be CISA certified, although certification is a "plus").

Sometimes the audit function will be requested to take a role in the development, acquisition, conversion, and testing of major applications. It is necessary that such participation be independent and objective. Auditors can determine and should recommend appropriate controls to project management. However, such recommendations should not pre-approve the controls. At most they should only guide the developers in considering appropriate control standards and structures throughout their project.

60

Notes:
IS Controls

The importance of the use of controls

The internal control principle of the Generally Accepted System Security
Principles (GASSP) treats information security as the core of an organization's
internal control system, and states that "the internal control standards define
the minimum level of quality acceptable for internal control systems in
operation and constitute the criteria against which systems are to be evaluated.
These internal control standards apply to all operations and administrative
functions but are not intended to limit or interfere with duly granted authority
related to development of legislation, rule-making, or other discretionary
policymaking in an organization or agency."

There are many ways to classify controls. From an IS perspective they are
commonly grouped by nature as physical, technical, or administrative, and by
function as preventive or detective. Three further functional types, namely
deterrent, corrective, and recovery, supplement that classification.

Classification of controls

· Examples of physical controls include locks, security guards, badges,
alarms, and similar measures to control access to computers, related
equipment, and the processing facility itself.

· Technical controls refer to safeguards incorporated in computer hardware,
operations or applications software, communications hardware and
software, and related devices. They are sometimes referred to as logical
controls.

· Administrative controls refer to management constraints, operational
procedures, accountability procedures, and supplemental administrative
controls established for providing an acceptable level of protection for
computing resources.

· Preventive controls attempt to avoid the occurrence of unwanted events.
Detective controls, on the other hand, attempt to identify unwanted events
after they have occurred. Deterrent controls attempt to discourage
individuals from intentionally violating information security policies or
procedures by making it difficult or even undesirable to perform
unauthorized activities. Corrective controls attempt to remedy the
circumstances that allowed the unauthorized activity and return conditions
to what they were before the violation.

· Recovery controls attempt to restore lost resources or capabilities and help
the organization recover losses caused by a security violation.

General Controls VS Application Controls

From a broader perspective, you can view controls as either General Controls
or Application Controls. General controls are about the overall information-
processing environment. They include:

· Organizational Controls (in particular the segregation of duties controls).

· Data Center and Network Operations Controls

· Hardware & Software Acquisition and Maintenance Controls

· Access Security Controls

· Application System Acquisition, Development, and Maintenance Controls

Application controls, on the other hand, cover the processing of individual
applications and help ensure the completeness and accuracy of transaction
processing, authorization, and validity. They typically include:

· Data Capture Controls to ensure that all transactions are properly recorded
in the application system.

· Data Validation Controls to ensure that all transactions are valid and
correctly valued before they are processed.

· Processing Controls to ensure the proper processing of transactions.

· Output Controls to ensure that computer output is not distributed to
unauthorized users.

· Error Controls to ensure that errors are corrected and properly
resubmitted at the correct point in processing.

Keep in mind that different types of network model often require the use of
different combinations of control. You must have basic foundation knowledge
of networking in order to pick the correct answers. Know LAN networking
and WAN networking. Know distributed computing and client/server
computing. Know server computing and thin client computing. Don't attempt
to take the exam until you are completely familiar with these basic concepts.

Tests of controls refer to audit procedures that are performed to evaluate
the effectiveness of either the design or the operation of the internal
controls in question. As a rule of thumb, a CISM (security manager) plans and
implements the needed controls, while a CISA (auditor) tests them.

Access Control and the Auditing Process

Access control protects your systems and resources from unauthorized access.
An access control model is a framework that dictates how subjects access
objects. The most popular models are: mandatory access control, discretionary
access control and role-based access control. Even though these models are
often associated with IT technology, try to think of them as security
management principles – they can be applied to disciplines other than IT.

Access Control Models

The decision of which access control model to implement is based on
organizational policy and on two generally accepted standards of practice,
separation of duties and least privilege. Controls (in the context of access
control) may be characterized as either mandatory or discretionary. With
mandatory controls, the rules are fixed by policy and only administrators may
make decisions that bear on or derive from that predefined policy; access
controls whose decisions are left to the resource owner rather than to
established policy are characterized as discretionary controls.

With the Discretionary model (DAC), the creator of a file is its "owner" and
decides who else may access it (and, on many systems, may transfer ownership).
Access control is at the discretion of the owner. The most common
implementation is through access control lists. Discretionary access control is
required for the Orange Book "C" level.

With the Mandatory model (MAC), control is based on security labels and
categories. Access decisions are based on the clearance level of the subject
(the user) and the classification label of the object (the data), applying rules
such as "no read up" and "no write down". Rules are made by management,
configured by the administrators and enforced by the operating system; neither
the owner nor the user can override them. Mandatory access control is
required for the Orange Book "B" level.

With the Role-Based model (RBAC), access rights are assigned to roles, not
directly to users, and users obtain permissions only by being assigned roles.
Roles are usually more tightly controlled than groups: role assignment and the
permissions of each role are managed centrally, and a user may be assigned
several roles, each typically reflecting a job function, so that changing jobs
means changing roles rather than editing individual permissions.

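
The three models as an added worked example (Python written for this guide, not code from any operating system or from the original text): a DAC object whose owner manages its ACL, a MAC check that compares the subject's clearance with the object's label using the Bell-LaPadula "no read up, no write down" rules, and an RBAC check in which users hold roles and permissions hang off the roles. The subjects, labels, roles and permissions are invented for the example.

```python
"""Added example: DAC, MAC and RBAC decisions side by side.

Not code from any real operating system; all subjects, objects, labels,
roles and permissions are invented for illustration.
"""
from dataclasses import dataclass, field


# --- Discretionary access control: the owner decides -----------------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of rights


def dac_grant(obj: DacObject, grantor: str, grantee: str, rights: set) -> bool:
    """Only the owner may change the ACL; that is what makes it discretionary."""
    if grantor != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).update(rights)
    return True


def dac_check(obj: DacObject, subject: str, right: str) -> bool:
    """The owner has every right; everyone else needs an ACL entry."""
    return subject == obj.owner or right in obj.acl.get(subject, set())


# --- Mandatory access control: labels, enforced by the system ---------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_check(subject_clearance: str, object_label: str, right: str) -> bool:
    """Bell-LaPadula rules: a subject may read objects at or below its clearance
    (no read up) and may write only to objects at or above it (no write down),
    so information can never flow to a lower label. The owner of the object
    has no say in this decision."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


# --- Role-based access control: users hold roles, roles hold permissions ----
ROLE_PERMS = {
    "teller":  {("account", "read"), ("account", "deposit")},
    "auditor": {("account", "read"), ("audit_log", "read")},
    "admin":   {("account", "read"), ("account", "deposit"),
                ("account", "withdraw"), ("audit_log", "read")},
}


def rbac_check(user_roles: set, obj: str, right: str) -> bool:
    """A user may hold several roles; the request is allowed if any held role
    carries the (object, right) permission. Permissions are never assigned to
    the user directly, so revoking a role revokes everything that came with it."""
    return any((obj, right) in ROLE_PERMS.get(role, set()) for role in user_roles)


def demo() -> dict:
    """Run one decision of each kind and return the verdicts."""
    payroll = DacObject(owner="alice")
    dac_grant(payroll, "alice", "bob", {"read"})
    return {
        "dac: bob reads alice's file":          dac_check(payroll, "bob", "read"),
        "dac: bob writes alice's file":         dac_check(payroll, "bob", "write"),
        "dac: bob grants carol access":         dac_grant(payroll, "bob", "carol", {"read"}),
        "mac: secret user reads confidential":  mac_check("secret", "confidential", "read"),
        "mac: secret user writes confidential": mac_check("secret", "confidential", "write"),
        "rbac: teller+auditor reads audit log": rbac_check({"teller", "auditor"}, "audit_log", "read"),
        "rbac: teller withdraws":               rbac_check({"teller"}, "account", "withdraw"),
    }


if __name__ == "__main__":
    for question, verdict in demo().items():
        print(f"{question}: {'allowed' if verdict else 'denied'}")
```

Compare the verdicts for bob: under DAC alice can hand him read access on a whim; under MAC neither of them can override the labels (a secret-cleared user may read a confidential file but may not write into it, because that would move secret information down); under RBAC taking the teller role away removes every permission that came with it, which is the property that makes RBAC easy to audit.
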
ACLs VERSUS Capabilities

The two fundamental means of enforcing privilege separation and
controlling access are access control lists (ACLs) and capabilities. With an
ACL the reference monitor asks "who is asking?" and looks the caller up in the
list attached to the object; with a capability the caller presents an unforgeable
token that names the object and the rights it carries, and the monitor only has
to check the token. ACL semantics have been shown to be insecure in some
situations, most famously the confused deputy problem, where a privileged
program acting on behalf of a less privileged client uses its own (ambient)
authority to access something the client should not reach. It has also been
shown that an ACL's promise of giving access to an object to only one person
cannot be guaranteed in practice. Capabilities resolve both problems, because
authority travels with the request rather than with the caller's identity. This
does not mean practical flaws exist in all ACL-based systems, only that the
designers of certain utilities must take responsibility to ensure that they do
not introduce such flaws.

For various historical reasons, capabilities have been mostly restricted to
research operating systems, and mainstream commercial OSes still use ACLs
(capability designs do appear in systems such as seL4 and FreeBSD's
Capsicum). Capabilities can also be implemented at the language level, leading
to a style of programming (object capabilities) that is essentially a refinement
of standard object-oriented design. One reason for the limited adoption of
capabilities is that ACLs appeared to offer a quick fix for security without a
pervasive redesign of the operating system and hardware.

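
To make the ACL/capability distinction concrete, here is an added example (not from the original text, and not any real system's code). The ACL half shows the confused deputy: a logging service that checks only its own identity. The capability half replaces that check with an unforgeable token; the token format (an HMAC over a JSON body, under a key that only the reference monitor holds) is an assumption made for the example, as are the paths and user names.

```python
"""Added example: why the ACL check and the capability check differ.

Not code from any real system. The file paths, users and the HMAC-based
token format are invented for illustration; a real capability system would
rely on the kernel or language runtime to make tokens unforgeable.
"""
import base64
import hashlib
import hmac
import json
import secrets

# --- ACL side: the reference monitor asks "who is calling?" -----------------
ACL = {
    "/var/log/audit.log": {"logsvc": {"read", "write"}},
    "/home/eve/notes":    {"eve": {"read", "write"}},
}


def acl_check(subject: str, path: str, right: str) -> bool:
    return right in ACL.get(path, {}).get(subject, set())


def deputy_write(running_as: str, requested_by: str, path: str, data: bytes) -> str:
    """A logging service that writes files for its clients. It checks only its
    own identity (its ambient authority) and never asks whether the client
    'requested_by' should be allowed to touch 'path'. A low-privilege client
    can therefore make it overwrite the audit log: the confused deputy."""
    if acl_check(running_as, path, "write"):
        return f"wrote {len(data)} bytes to {path}"
    return "denied"


# --- Capability side: the request carries its own, unforgeable authority ----
_MONITOR_KEY = secrets.token_bytes(32)   # held only by the reference monitor


def _tag(body: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(_MONITOR_KEY, body, hashlib.sha256).digest()).decode()


def mint_cap(path: str, rights: set) -> str:
    """Issue a token naming one object and the rights it confers."""
    body = json.dumps({"obj": path, "rights": sorted(rights)}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _tag(body)


def open_cap(cap: str):
    """Return (path, rights) if the token is genuine, None if forged or garbled."""
    try:
        encoded, tag = cap.split(".", 1)
        body = base64.urlsafe_b64decode(encoded.encode())
    except ValueError:          # no separator, or bad base64 (binascii.Error)
        return None
    if not hmac.compare_digest(_tag(body), tag):
        return None
    parsed = json.loads(body)
    return parsed["obj"], set(parsed["rights"])


def attenuate(cap: str, rights: set):
    """Derive a weaker token (e.g. read-only) from a stronger one. Rights can
    only be dropped, never added, because the monitor re-mints the token."""
    opened = open_cap(cap)
    if opened is None or not rights <= opened[1]:
        return None
    return mint_cap(opened[0], rights)


def cap_write(cap: str, path: str, data: bytes) -> str:
    """The service no longer cares who is calling: only the presented token
    matters, and it must name this very object with the write right."""
    opened = open_cap(cap)
    if opened is None or opened[0] != path or "write" not in opened[1]:
        return "denied"
    return f"wrote {len(data)} bytes to {path}"


if __name__ == "__main__":
    # eve has no ACL entry for the audit log, yet the deputy writes it for her
    print("ACL deputy:", deputy_write("logsvc", "eve", "/var/log/audit.log", b"..."))
    rw = mint_cap("/var/log/audit.log", {"read", "write"})
    ro = attenuate(rw, {"read"})
    print("capability, read-only token:", cap_write(ro, "/var/log/audit.log", b"..."))
```

The point an auditor should take from this: under the ACL design the question "can eve write the audit log?" has the answer "no" in the ACL and "yes" in practice, because the deputy's rights leak to anyone who can ask it; under the capability design eve can only write what a token in her possession names, and a read-only token cannot be upgraded.
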
What is Orange Book, by the way?

Orange Book refers to the US Department of Defense Trusted Computer
System Evaluation Criteria (TCSEC). Although originally written for military
systems, its security classifications were widely adopted within the computer
industry, and its vocabulary survives even though the criteria themselves have
since been superseded by the Common Criteria (ISO/IEC 15408).

The Orange Book security categories range from D (Minimal Protection) to A
(Verified Protection):

D - Minimal Protection - any system that does not comply with any other
category, or has failed to receive a higher classification.

C - Discretionary Protection - applies to Trusted Computing Bases (TCBs)
that provide discretionary (owner-managed, need-to-know) protection of
objects such as files, directories and devices, together with identification and
authentication (and, from C2 upwards, auditing).

B - Mandatory Protection - the TCB must enforce mandatory, label-based
access control, not merely discretionary control.

A - Verified Protection - the highest security division, requiring formal
verification of the design.

Further information on the Orange Book categories can be found here:
http://www.dynamoo.com/orange/summary.htm

Types of Access Control

To ensure that access controls adequately protect all of an organization's
resources, it is recommended that you first categorize the resources that need
protection.

In an access control model there are subjects and objects:

· Subject: the entity requesting access to an object, such as a user or a
process (active).

· Object: the entity to which access is requested, such as a file or a process
(passive).

Access control information can be viewed as a matrix with rows representing
the subjects and columns representing the objects; each cell holds the rights
that subject has over that object. An ACL is one column of the matrix stored
with the object; a capability list is one row stored with the subject.

Access control consists of the following primary areas:

· Identification

· Authentication

· Authorization

· Accountability

The AAA concept

The three "As" (authentication, authorization, accountability) are often
referred to as the AAA concept. The general types, or factors, of
authentication are:

· Something a person knows (e.g. a password or PIN)

· Something a person has (e.g. an ID card, a smart card or a token)

· Something a person is (e.g. a fingerprint or other biometric)

Strong authentication requires evidence from two different factors and is
known as two-factor authentication. Two passwords, or a password plus a
security question, are still only one factor. A person's role or title is not an
authentication factor at all; it belongs to authorization.

Authentication is the first line of defense. Questions you may ask here:

· What password rules are enforced, in particular in terms of length and
alphanumeric combinations?

· How often are users required to change their passwords?

· Does your system use a password cracker to identify insecure passwords?

· Does your organization keep a password history file, and are the stored
passwords (and the history) hashed rather than kept in clear text?

· Do users have unique authentication for different types of access?

· Does your organization use authentication other than reusable passwords?
Is there a policy for the use of such authentication?

Authorization determines whether an authenticated subject may carry out the
requested action. Access criteria types include, but are not limited to:

· Roles

· Groups

· Physical or logical location

· Time of day

· Transaction type

· ... etc.

A common practice is to have all access criteria default to "no access" (deny
by default), so that every right has to be granted explicitly. This is not
always what a shipped OS does, for usability's sake (for example, in earlier
Windows versions the Everyone group had Full Control on new file systems by
default), so it is something the auditor has to verify rather than assume.

Identification and authentication also involve how a user account is established
and how it is handled and protected afterwards (i.e. user account management).
Some questions you may ask include:

· Is logoff at the end of the day required?

· Are there automatic session timeouts?

· Can a user use a password to lock the screen?

· Does an unsuccessful logon indicate the cause of failure? (It should not;
telling the user whether the account name or the password was wrong helps
an attacker enumerate valid accounts.)

· Under what circumstances are accounts locked?

· Is the user informed about the last successful/unsuccessful logon attempt?

Establishing Accountability through event logging

Accountability determines who is responsible for a particular action taken. To
properly establish accountability, an audit trail and logging facility must be
available, and each logged event must be tied to an individual identity (shared
accounts defeat accountability). As an example, here is a list of what should
be logged in a networked environment:

· System startup

· System shutdown

· File system full

· Hardware failures

· Logins: failed and successful / local or remote

· Account creation: failed and successful

· Account modification: failed and successful; assigning, changing or
removing rights and privileges

· Account removal: failed and successful

· Account disabled

· Password/security information copied: failed and successful

· System configuration change: failed and successful

· Operating system patch applied

· Network connections: failed and successful

· Audit logs modification: failed and successful

· Object access: failed and successful
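
As an added example (not from the original text) of what is done with such a log once it exists, the following Python reads constructed syslog-style lines covering several of the events above (failed and successful logins, a privilege change, and a command against the audit log) and raises findings. The log lines, the regular expressions and the thresholds are invented for the example and would have to be adapted to a real log format.

```python
"""Added example: turning the event list above into a detection pass over logs.

Not code from the original text. The log lines are constructed (syslog-style
auth events, using documentation IP ranges); the regular expressions match that
constructed format, not any particular vendor's, and the thresholds are
illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """
Mar  3 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:04 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:09 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:15 host1 sshd[1204]: Accepted password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:05:30 host1 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo mallory
Mar  3 10:06:02 host1 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm /var/log/audit/audit.log
Mar  3 10:07:44 host1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:30:00 host1 sshd[1400]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
""".strip().splitlines()

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")

# commands that change accounts or privileges, and paths that hold the audit trail
PRIV_COMMANDS = ("usermod", "useradd", "userdel", "visudo", "passwd", "chage")
AUDIT_PATHS = ("/var/log/audit", "/var/log/auth.log", "/var/log/secure", "/var/log/wtmp")


def analyse(lines, threshold: int = 3, window_s: int = 60) -> list:
    """Return a list of findings. Flags: `threshold` or more failed logins from
    one source inside `window_s` seconds (guessing), a successful login from a
    source that was flagged (the guessing probably succeeded), privilege
    changes made via sudo, and any command touching the audit logs."""
    findings = []
    failures = defaultdict(deque)   # source address -> recent failure times
    flagged = set()
    for line in lines:
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")   # year not logged; fine for deltas
        rest = line[16:]
        if m := FAILED.search(rest):
            user, src = m.groups()
            q = failures[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # slide the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"type": "brute_force", "src": src, "count": len(q), "at": ts.time()})
        elif m := ACCEPTED.search(rest):
            user, src = m.groups()
            if src in flagged:
                findings.append({"type": "success_after_failures", "src": src, "user": user})
        elif m := SUDO.search(rest):
            who, cmd = m.groups()
            if any(c in cmd for c in PRIV_COMMANDS):
                findings.append({"type": "privilege_change", "by": who, "cmd": cmd})
            if any(p in cmd for p in AUDIT_PATHS):
                findings.append({"type": "audit_log_tamper", "by": who, "cmd": cmd})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Note what the sample deliberately contains: the root login that succeeds right after three failures from the same address is the finding that matters most, and the `rm` against the audit log is the reason the next section insists on protecting the trail; a single failed login by alice is noise and is correctly left alone.
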

The audit process

You need to know the fundamentals of auditing – not just IS auditing, but
auditing in general.

Most CISA study text books on the market fail to give a complete and clear
picture of the auditing process as a whole. We will fill this gap here.

At the end of this e-book there is a sample IS Audit Questionnaire. Go
through that Questionnaire and you will understand exactly what an IS audit
is expected to accomplish.

Note that several information technology audit related laws and regulations
have been introduced since 1977. You are expected to understand what they
are for:

* Foreign Corrupt Practices Act (FCPA), 1977

* Health Insurance Portability and Accountability Act (HIPAA), 1996

* Gramm-Leach-Bliley Act (GLBA), 1999

* Sarbanes-Oxley Act (SOX), 2002

* The London Stock Exchange Combined Code (UK) and the King II report
(South Africa) on corporate governance

The Sarbanes–Oxley Act and the COSO framework

The Sarbanes-Oxley Act of 2002 (commonly called SOX or SarBox) is a
United States federal law passed in response to a number of major corporate
and accounting scandals. One major provision of the act is the creation of the
Public Company Accounting Oversight Board (PCAOB). The PCAOB
suggests considering the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) framework in management's and the auditor's
assessment of controls. Auditors have also looked to the IT Governance
Institute's COBIT (Control Objectives for Information and related
Technology) for more IT-specific standards of measure.

Since the financial reporting processes of most organizations are driven by IT
systems, it is apparent that IT plays a vital role in internal control. As PCAOB
Auditing Standard No. 2 (since superseded by Auditing Standard No. 5) states:

"The nature and characteristics of a company's use of information technology
in its information system affect the company's internal control over financial
reporting."

Chief information officers are responsible for the security, accuracy and the
reliability of the systems that manage and report the financial data. IT systems
are deeply integrated in the initiating, authorizing, processing, and reporting of
financial data. As such, they are inextricably linked to the overall financial
reporting process and would therefore have to be assessed, along with other
important processes, for compliance with the Sarbanes-Oxley Act.

The SEC identifies the COSO framework by name as a suitable methodology
for achieving compliance. The COSO framework defines five components
which, when implemented, help support the requirements set forth in the
Sarbanes-Oxley legislation. These five components, each of which has
implications for the IT department, are the Control Environment, Risk
Assessment, Control Activities, Information & Communication, and
Monitoring.

The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) is a U.S. private-sector initiative. Formed in 1985, its major objective
is to identify the factors that cause fraudulent financial reporting and to make
recommendations to reduce its incidence. COSO has established a common
definition of internal controls, standards, and criteria against which companies
and organizations can assess their control systems.

What is auditing, by the way?

“An audit is a management instrument which can identify the improvement potential of
business processes (process audit) or of the management system as a whole (system audit). At
the same time, audits allow the supervision of already started measures. Audits therefore help
to improve the effectiveness of management systems and consequently the whole company
organization”1.

An audit:

o compares your actual process against your documented process;

o reports to what extent you are following your documented process;

o acts as a verification exercise: if you think you are following your
documented process but you do not verify this with an audit, there is a
very good chance that you are not actually following your own processes;

o is not a process of criticizing anyone or anything in any way.

1 http://www.experteam.de/starte/leistungen/Themen/SWQualitaetsmanagement/Auditierung.html

“Every successful audit is based on sound planning and an atmosphere of constructive
involvement and communication between the client and the auditor”2.

2 http://www.auditnet.org/process.htm

A Security Audit refers to the process or event that uses the security policy or
standards as the basis for determining the overall state of the existing
protection and for verifying whether that protection has been implemented
properly. It targets and focuses on finding out whether the current environment
is securely protected in accordance with the defined security policy. A security
audit therefore requires a complete inventory list and audit checklists, which
may cover different areas of IT such as web applications, network architecture,
wireless networks, etc. It practically involves the use of security audit tools and
different review techniques for revealing security loopholes.

In the context of IT security, an audit is not the same as an assessment. Security
Risk Assessment is a process of evaluating security risks related to the use of
information technology. It is conducted at the very beginning, to identify what
security measures are required, and again whenever there is a change to the
information asset or its environment. A Security Audit, on the other hand, is a
repetitive checking process to ensure that these security measures remain
properly implemented over time. You may safely conclude that a Security Audit
is performed more frequently than a Security Risk Assessment.

The success of every audit is based on careful planning and preparation. It is
directly dependent on the knowledge and degree of experience of the auditors.
Consistent follow-up of the audit results and the supervised implementation
of the defined correction and improvement measures ensure the benefits for the
audited organization and its processes.

In the context of IT:

Formerly called an Electronic Data Processing (EDP) audit, an IT audit refers to
the process of collecting and evaluating evidence about an organization's
information systems, practices, and operations. Evaluating the evidence
obtained lets the auditor determine whether the organization's information
systems safeguard assets, maintain data integrity, and operate effectively and
efficiently to achieve the organization's objectives.

NOTE: Auditing allows one to define the sequence of steps which occurred
prior to a security incident. Traceability is the key. In practice, good
IS security procedures often specify the use of software and/or other
mechanisms which comes with some sort of automatic auditing
facility for providing traceability.

Gathering reliable information to perform an IT audit requires a review of all of
the available written documents on each area of control as well as each critical
asset element, in addition to interviews.

The role of an auditor

The role of an auditor is to review the integrity of the subject in question. The
auditor does not participate in the creation or implementation of the subject,
but acts purely as an observer, an examiner and a reviewer.

One major duty of an IS Auditor is to audit the access control
mechanisms currently in place.

Keep in mind that an auditor's active participation in the procedure being
audited would be a conflict of interest. That is why a former programmer of
the development team should not be assigned to audit that team's work, at
least not the work he or she took part in.

An auditor acts in the best interest of the client and must place the duty to be
fair and honest ahead of his or her own interests. This is what FIDUCIARY
RESPONSIBILITY is all about.

The Audit process flow

Information Security Auditing covers topics from auditing the physical security
of data centers to auditing the logical security of databases, and highlights key
components to look for and different methods for auditing these areas. To be
effective and efficient, one should be adequately educated about the
organization and its critical business operations through the following activities:

· Meet with IT management to determine possible areas of concern

· Review the current IT organization chart

· Review job descriptions of involved employees

· Research all operating systems, software applications and equipment
operating within the organization

· Review the overall IT policies and procedures

· Evaluate the organization's IT budget and systems planning
documentation

· Review the organization's disaster recovery plan

Following is a list of objectives an IS auditor should review for identifying
audit risks in the operating environment and assessing the controls in place
that may mitigate those risks:

· Personnel procedures and responsibilities are defined

· Change management processes are in place and properly followed

· Appropriate backup procedures are in place to minimize downtime and
prevent loss of important data

· The workplace has adequate physical security controls to prevent
unauthorized access to information assets

· Adequate environmental controls are in place to ensure equipment is
protected from natural disasters

Below is the audit flow chart developed by UNISA of Australia. Different types
of audit conducted in different industries may have variations to this "model
flow", and this chart is shown here to give you an idea of how the pros conduct
a planned audit in the real world.

[Audit flow chart (UNISA): diagram not reproduced in this text version]

Overall Strategies

General Principles for Developing an Audit Strategy include:

In order to have an appropriate auditing strategy and to avoid unnecessary
auditing, you must have a clear understanding of the reasons for auditing.
Additionally, in order to prevent unnecessary audit information from cluttering
the meaningful information, it is important to audit the minimum number of
statements, users, or objects required to get the targeted information.

General Principles for Auditing Suspicious IS Activity:

Audit generally, then specifically. In other words, enable general audit options at
first, then use more specific audit options. This will help the auditor gather the
evidence required to make concrete conclusions regarding the origins of
suspicious activity. Remember to protect the audit trail so that audit
information cannot be added, changed, or deleted without being audited.

General Principles for Auditing Normal IS Activity:

This refers to the process of gathering historical information about particular IS
activities. In order to avoid cluttering the meaningful information with useless
audit information, you should audit only the targeted activities. After you have
collected the required information, archive audit records that are of interest and
purge the audit trail of this information.

NOTE: Effective audit trails in the practical world should at the least
document each action requested, detect any changes made or
attempted, and create a log of all the failed attempts. The log should
be consistent and patterned by items such as user session and
date/time, plus showing the command issued and the files affected.
Hiding the log is not a control in itself; what matters is that the log is
tamper-evident (for example hash-chained or signed) and is forwarded
to, or stored on, a system that the people being logged cannot write to,
so that an intruder who gains control of the audited host cannot quietly
edit the record of what he did. Encrypting stored logs additionally
protects their confidentiality.

You should log the activities of both the regular users and the power users
(administrators, etc.). Regular users tend to make careless mistakes, while
power users are capable of making intentional errors.

NOTE: An Administrator's Log provides a history of the actions taken by the
administrator, who has been charged with the responsibility to authorize the
access to and use of corporate data and applications. Through this log,
the administrator's actions can be thoroughly audited to assure that
corporate policy and procedure have not been bypassed or tampered
with, whether intentionally or by mistake.
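
An added example (not from the original text) of one way to make an audit trail tamper-evident rather than merely hidden: an HMAC hash chain, where each entry's tag covers the previous entry's tag. The key, the sample records and the "head" convention are constructed for the example; in practice the key and the recorded head live on a separate log host that the administrators being logged cannot write to.

```python
"""Added example: a tamper-evident (HMAC hash-chained) audit trail.

Not code from the original text. Each entry's authentication tag covers the
previous entry's tag, so editing, deleting or reordering any entry breaks every
tag after it; the final tag (the "head") is what you record off-box. The key and
sample records are constructed for illustration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # the 'previous tag' of the very first entry


def _entry_tag(key: bytes, prev_tag: str, seq: int, record: dict) -> str:
    payload = json.dumps({"prev": prev_tag, "seq": seq, "rec": record}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log; the key must be held by the log writer or a separate
    log host, not by the administrators whose actions are being recorded."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        seq = len(self.entries)
        tag = _entry_tag(self.key, prev, seq, record)
        self.entries.append({"seq": seq, "rec": record, "tag": tag})
        return tag

    def head(self) -> str:
        """Tag of the latest entry; store it somewhere the audited host cannot write."""
        return self.entries[-1]["tag"] if self.entries else GENESIS


def verify(entries: list, key: bytes, expected_head=None) -> tuple:
    """Return (True, None) if the chain is intact, else (False, index of the first
    bad entry). Truncation of the tail is only caught when `expected_head` is
    given, which is why the head has to be recorded externally."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or not hmac.compare_digest(e["tag"], _entry_tag(key, prev, i, e["rec"])):
            return False, i
        prev = e["tag"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def build_sample_log(key: bytes = b"constructed-demo-key") -> ChainedLog:
    """Three constructed administrator events, the middle one being the kind
    an attacker would most like to remove."""
    log = ChainedLog(key)
    log.append({"user": "bob", "event": "login", "result": "ok"})
    log.append({"user": "bob", "event": "usermod -aG sudo mallory", "result": "ok"})
    log.append({"user": "bob", "event": "logout", "result": "ok"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log.entries, log.key, log.head()))
    tampered = [dict(e) for e in log.entries]
    tampered[1] = dict(tampered[1], rec={"user": "bob", "event": "logout", "result": "ok"})
    print("after editing entry 1:", verify(tampered, log.key, log.head()))
```

Removing or rewriting the `usermod` entry breaks the chain at that index; silently dropping the last entries is only detected because the head was recorded elsewhere, which is the control an auditor should ask to see.
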

Audit Planning

An important part of the process for managing an audit function involves
planning, an activity that covers both audit administration and assignment. One
of the first tasks you must do at this planning stage is to develop a working
budget. You as the IT audit manager must know the capabilities of the audit
staff assigned to the project. In addition to the budgeted time needed to perform
the audit, you should also budget time needed to train the audit staff and allow
time for any error correction purposes.

While planning the audit, you should decide what level of risk of reaching
an incorrect conclusion based on the audit findings is acceptable.

There are two types of possible risk here:

· The Risk of Incorrect Acceptance: the risk that a material misstatement is
assessed as unlikely, when in fact the population is materially misstated.

· The Risk of Incorrect Rejection: the risk that a material misstatement is
assessed as likely, when in fact the population is not materially misstated.

Of the two, incorrect acceptance is the dangerous one, because it leads to a
clean report on a control or population that is in fact deficient; incorrect
rejection merely causes extra work. The more effective and extensive the audit
work is, the less the risk that a weakness will go undetected and you will issue
an inappropriate report. Such audit risk depends on the assessed levels of
inherent risk, control risk, and detection risk; the audit risk model expresses
overall audit risk as the product of the three. Control risk is determined by
evaluating an organization's internal control structure, using compliance testing
procedures to evaluate the effectiveness of the organization's internal controls.
Since the auditor cannot change inherent risk or control risk, the level of
detection risk the auditor can accept, and therefore how much substantive
testing is needed, follows from the assessment of inherent risk and the
assessment of control risk after compliance testing. These risks are estimated,
not measured exactly, when performing a risk assessment of the organization.

There should also be a risk assessment process that describes and analyzes the
risks inherent in the existing IT operation. You should update the risk
assessment as necessary to reflect changes to internal control or work processes,
and to incorporate new operations (if any). In fact, the level of risk should be
one of the most significant factors considered when determining the frequency
and depth of audit activities.

When assessing materiality, you should consider the aggregate level of error
acceptable to management, the audit committee, and the appropriate
regulatory agencies. You need to consider the potential for the cumulative
effect of small errors or weaknesses to become material. Materiality in an IS
audit is not only financial: you may audit non-financial items such as physical
access controls, logical access controls, and systems for personnel management,
manufacturing control, design, quality control, password generation, etc.

The audit plan should detail the audit function’s budgeting and planning
processes. The plan should describe audit goals, schedules, staffing needs, and
reporting. The audit plan should ideally be defined by combining the results of
the risk assessment and the resources required to yield the timing and frequency
of planned audits. The audit committee should formally approve this audit plan.
The auditors should in turn report the status of planned versus actual audits
regularly.

For successful audits, you need to know:
o the audit objectives

o the audit methodology

o the resource allocation

At the planning portion of the audit, an auditor should perform the following:

1. notify the client of the audit

2. discuss the scope and objectives of the examination with organization
management in a formal meeting

3. gather information on important processes

4. evaluate existing controls

5. plan the remaining audit steps

Controls that deserve your attention may include:

· Interception Controls: Interception can be deterred by physical access
controls at data centers and offices, and on the wire by encryption (which
is also what protects wireless networks). You should continually evaluate
your client's encryption policies and procedures. In particular, you should
verify that management has controls in place over the key management
process: access to keys should require dual control (two people acting
together), keys should be held as two or more separate components so that
no single person ever knows a whole key (split knowledge), and the
components should be maintained on a system that is not accessible to
programmers or outsiders.

· Availability Controls: The network should have redundant paths between
resources. Automatic fallback / hot standby / fault tolerance
mechanisms should also be put in place.

· Access/entry point Controls: Controls at the point where the network
connects with an external network, for limiting the traffic that passes
through, such as firewalls, intrusion prevention systems, and antivirus
software.

A firewall acts as a choke point in the network where all passing traffic is inspected. A
proxy firewall acts as a middleman between the two parties so there is no direct connection
between them: it terminates the client's connection, and if the request is allowed it opens a
separate connection of its own to the destination and relays the data, so the destination only
ever sees the proxy's address.

Application level proxies understand the application protocol and make filtering decisions
based on both the header information and the actual content of the exchange. They allow the
greatest level of control, at the expense of resource consumption and one proxy per protocol.
Circuit level proxies (SOCKS is the classic example) relay connections based on basic
information such as IP addresses, ports and protocol type without looking at the application
content, so they offer less control. Routers can achieve basic protection by filtering on IP
addresses and ports through the use of access control lists; being stateless, such lists are never
intended to provide serious firewalling service on their own.
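
An added example (not from any firewall product or from the original text) of the difference between a stateless access list and a stateful filter: both apply the same first-match, default-deny rule set, but only the stateful one can admit the reply half of a connection it has already allowed. Rules, addresses (documentation ranges) and packets are constructed for the example.

```python
"""Added example: a first-match packet filter with a default deny, and the
difference a session table makes.

Not code from any firewall product. Addresses are from the documentation
ranges and the rule set and packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    proto: str                          # "tcp", "udp" or "any"
    src: str                            # CIDR
    dst: str                            # CIDR
    dports: Optional[Tuple[int, int]]   # inclusive destination port range, None = any


RULES = [
    Rule("allow", "tcp", "0.0.0.0/0",       "192.0.2.10/32", (443, 443)),   # public web server
    Rule("allow", "tcp", "198.51.100.0/24", "192.0.2.0/24",  (22, 22)),     # admin network only
    Rule("deny",  "any", "0.0.0.0/0",       "0.0.0.0/0",     None),         # explicit clean-up rule
]


def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dports is not None and not rule.dports[0] <= pkt["dport"] <= rule.dports[1]:
        return False
    return True


def stateless_decide(rules: list, pkt: dict) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Same rules, plus a session table: a packet that is the reply to an
    allowed connection is accepted without needing its own rule. A router ACL
    has no such table, so it would need a broad 'allow high ports' rule instead."""

    def __init__(self, rules: list):
        self.rules = rules
        self.sessions = set()

    def decide(self, pkt: dict) -> str:
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.sessions:
            return "allow"
        verdict = stateless_decide(self.rules, pkt)
        if verdict == "allow":
            self.sessions.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return verdict


def packet(proto, src, sport, dst, dport) -> dict:
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    request = packet("tcp", "203.0.113.5", 51000, "192.0.2.10", 443)
    reply = packet("tcp", "192.0.2.10", 443, "203.0.113.5", 51000)
    print("stateless: request", stateless_decide(RULES, request), "/ reply", stateless_decide(RULES, reply))
    fw = StatefulFilter(RULES)
    print("stateful:  request", fw.decide(request), "/ reply", fw.decide(reply))
```

When reviewing a rule base, the two things this makes visible are the explicit clean-up rule at the bottom (so that the default is deny even if someone later reorders the list) and the fact that a stateless list which "works" for web traffic usually works only because somebody added a permissive return-traffic rule that also lets in anything else aimed at high ports.
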

· Logical Security Controls: The key points in auditing logical security
include passwords, account termination procedures, special privileged
user accounts, and remote access.

· Application Security Controls: Application security centers around the
main functions of programming, processing and access. When it comes to
programming it is important to ensure proper physical and password
protection exists around the servers and mainframes used for the
development and update of key systems. With processing it is important
that procedures and monitoring are in place for a few different aspects
such as the input of falsified or erroneous data, incomplete processing,
duplicate transactions and untimely processing. With access it is important
to realize that maintaining network security against unauthorized access is
one of the major focuses nowadays, as threats can come from both internal
and external sources.

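
The dual control / split knowledge requirement in the Interception Controls item above, as an added example (not from the original text): a symmetric key split into XOR components so that no one custodian holds the key, recombined under dual control and checked against a key check value. The XOR split is the standard technique; the SHA-256-based key check value is an assumption made for the example (hardware security modules commonly derive the check value by encrypting a zero block with the key instead).

```python
"""Added example: split knowledge for a symmetric key, so that no single
custodian ever sees the whole key and the reconstructed key can be checked.

Not code from the original text. The XOR split is the textbook method used
for key components; the key check value (KCV) here is a SHA-256 prefix, an
assumption for the example (HSMs typically encrypt a zero block instead).
"""
import hashlib
import secrets


def _xor(blocks: list) -> bytes:
    out = bytes(len(blocks[0]))
    for b in blocks:
        if len(b) != len(out):
            raise ValueError("all components must have the key length")
        out = bytes(x ^ y for x, y in zip(out, b))
    return out


def split_key(key: bytes, custodians: int = 2) -> list:
    """Return `custodians` components whose XOR is the key. Any set of fewer
    than all components is uniformly random and reveals nothing about the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    parts.append(_xor(parts + [key]))   # last component makes the XOR come out to the key
    return parts


def combine_key(parts: list) -> bytes:
    """Dual control: the key exists only while all custodians are present."""
    return _xor(parts)


def kcv(key: bytes) -> str:
    """Key check value: lets each custodian confirm the reconstructed key is the
    right one without revealing it (here: first 3 bytes of SHA-256, an assumption)."""
    return hashlib.sha256(key).hexdigest()[:6]


def ceremony(key: bytes, custodians: int = 3) -> dict:
    """Split, hand out, recombine and check; returns what an auditor would
    expect to see evidenced for a key ceremony."""
    parts = split_key(key, custodians)
    rebuilt = combine_key(parts)
    return {
        "components": len(parts),
        "kcv_recorded": kcv(key),
        "kcv_after_rebuild": kcv(rebuilt),
        "match": rebuilt == key,
        # any proper subset must NOT rebuild the key
        "subset_rebuilds_key": combine_key(parts[:-1]) == key,
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)   # AES-256 sized, generated for the demo
    print(ceremony(demo_key))
```

What the auditor looks for in the evidence is exactly the dictionary `ceremony` returns: how many custodians held components, the check value recorded at generation, the check value obtained when the key was loaded, and confirmation that no subset of the custodians could have reconstructed the key alone.
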
Talking about application security, you would also need to know the different methods of
software system testing.

l With Black box testing, the tester has no previous knowledge on the test object's internal
structure and would not examine the codes involved. The test is therefore unbiased.
However, since the tester is independent of the designer, it is almost impossible to ensure
that all existent "paths" of the system are fully tested. On the contrary, White box testing
(also known as clear box testing/glass box testing/structural testing) uses an internal
perspective of the system to design test cases. Test cases are therefore designed and
implemented based on full knowledge of the test object's internal structure. The tester has
to know the codes inside and out in order to test accurately. Bias is therefore possible to
exist.

l Stress testing is a common way to test and determine the stability of a given system. It
involves testing beyond normal operational capacity in order to observe system performance
under stress. Emphasis is on robustness, availability, and error handling during heavy
workload.

l A use case is a technique commonly used for capturing functional requirements of systems.
It allows you to describe the sequences of events that, when taken together, can lead to the
completion of a particular set of system activities for achieving a particular purpose.

l Boundary value analysis is a special software testing design technique for determining test
cases that specifically cover off-by-one errors (logical errors involving the discrete
equivalent of a boundary condition). This type of analysis is valuable because the boundaries
of input ranges to a software program are often where defects are found.
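
Worked example (added here; it is not part of the original text and not taken from any product): a constructed volume-discount function with an off-by-one error at its tier boundaries, and the boundary cases that expose it where a handful of "typical" inputs does not. The specification, the function names and the thresholds are all assumptions made for the illustration.

```python
"""Boundary value analysis against an off-by-one error (added example).

Constructed specification: orders of 100 units or more earn a 10% volume
discount; orders of 1000 units or more earn 20%.  Nothing here comes from the
study guide itself; the function names and numbers are assumptions.
"""
from typing import Callable, Dict, List, Tuple

BOUNDARIES = [100, 1000]  # the tier thresholds from the (constructed) spec


def discount_buggy(units: int) -> float:
    """Deliberately wrong: '>' instead of '>=' pushes the exact boundary
    values 100 and 1000 into the lower tier (a classic off-by-one)."""
    if units > 1000:
        return 0.20
    if units > 100:
        return 0.10
    return 0.0


def discount_fixed(units: int) -> float:
    """Correct: '>=' keeps each boundary value in the higher tier."""
    if units >= 1000:
        return 0.20
    if units >= 100:
        return 0.10
    return 0.0


# Oracle: expected results written down by hand from the specification, so the
# test does not depend on either implementation.
ORACLE: Dict[int, float] = {
    0: 0.0, 1: 0.0, 50: 0.0, 99: 0.0,
    100: 0.10, 101: 0.10, 500: 0.10, 999: 0.10,
    1000: 0.20, 1001: 0.20, 5000: 0.20,
}


def typical_cases() -> List[int]:
    """One 'typical' value from the middle of each tier, as a black-box
    tester with no knowledge of the thresholds might pick."""
    return [50, 500, 5000]


def boundary_cases(boundaries: List[int]) -> List[int]:
    """For each boundary b test b-1, b and b+1: the three values that an
    off-by-one error can confuse.  0 and 1 cover the lower edge of the domain."""
    cases = {0, 1}
    for b in boundaries:
        cases.update({b - 1, b, b + 1})
    return sorted(cases)


def run_tests(fn: Callable[[int], float], inputs: List[int]) -> List[Tuple[int, float, float]]:
    """Run fn over the inputs; return (input, expected, actual) for each failure."""
    failures = []
    for units in inputs:
        expected = ORACLE[units]
        actual = fn(units)
        if actual != expected:
            failures.append((units, expected, actual))
    return failures


if __name__ == "__main__":
    # Typical values do not expose the defect; the boundary values do.
    print("buggy, typical  :", run_tests(discount_buggy, typical_cases()))
    print("buggy, boundary :", run_tests(discount_buggy, boundary_cases(BOUNDARIES)))
    print("fixed, boundary :", run_tests(discount_fixed, boundary_cases(BOUNDARIES)))
```

The typical-value run passes against the buggy function; only the boundary run reports the two inputs (100 and 1000) that land in the wrong tier. That is the whole point of the technique: the test cases are derived from where the specification changes behaviour, not from what "looks representative".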

<< For an in-depth list of controls from a technical perspective, refer to
the earlier section on IS Control >>

Audit sampling, which is often desirable due to practical needs, refers to the
application of an audit procedure to less than 100% of the population so that
you may evaluate audit evidence within a class of transactions for the purpose
of forming a conclusion concerning the population. Sampling may be done
statistically through Random Sampling or Systematic Sampling, or non-
statistically through Haphazard Sampling or Judgmental Sampling. Do note that
sample size is a factor that affects the level of sampling risk (the risk that the
sample is not representative of the population, so that the auditor's conclusion
differs from the one a test of the whole population would support): the smaller
the sample, the higher the sampling risk.
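
The example below (added for this guide; it is not from the original text) runs the two statistical methods named above over a constructed population of 1000 invoices, 20 of which lack approval, and quantifies sampling risk as the probability that a random sample of a given size contains none of them. The population, the 2% deviation rate and all function names are assumptions.

```python
"""Audit sampling and sampling risk (added example, not from the study guide).

Constructed population: 1000 purchase invoices, of which every 50th one lacks
the required approval, i.e. 20 deviations (2%).  All names and numbers below
are assumptions made for this illustration.
"""
import math
import random
from typing import Callable, List, Sequence, TypeVar

T = TypeVar("T")

# Constructed population: invoices 0, 50, 100, ... 950 are unapproved.
POPULATION = [{"invoice": i, "approved": i % 50 != 0} for i in range(1000)]
ERRORS_IN_POPULATION = sum(1 for r in POPULATION if not r["approved"])  # 20


def is_deviation(record: dict) -> bool:
    return not record["approved"]


def random_sample(population: Sequence[T], n: int, seed: int = 0) -> List[T]:
    """Simple random sampling: every item has the same chance of selection.
    A fixed seed keeps the selection reproducible for the working papers."""
    rng = random.Random(seed)
    return rng.sample(list(population), n)


def systematic_sample(population: Sequence[T], n: int, start: int = 0) -> List[T]:
    """Systematic sampling: pick a start in the first interval, then every
    k-th item where k = N // n."""
    k = len(population) // n
    if k < 1:
        raise ValueError("sample size exceeds population size")
    if not 0 <= start < k:
        raise ValueError("start must lie within the first interval")
    return [population[start + i * k] for i in range(n)]


def observed_deviation_rate(sample: Sequence[T], is_error: Callable[[T], bool]) -> float:
    return sum(1 for x in sample if is_error(x)) / len(sample)


def prob_sample_misses_all_deviations(population_size: int, deviations: int, n: int) -> float:
    """Probability that a simple random sample of size n contains none of the
    deviations present in the population (hypergeometric, no replacement):
    C(N - D, n) / C(N, n).  This is one concrete face of sampling risk: the
    auditor would conclude the control operates when it does not."""
    if n > population_size - deviations:
        return 0.0
    return math.comb(population_size - deviations, n) / math.comb(population_size, n)


if __name__ == "__main__":
    for n in (25, 60, 100):
        p = prob_sample_misses_all_deviations(len(POPULATION), ERRORS_IN_POPULATION, n)
        print(f"n={n:3d}: P(sample shows zero deviations) = {p:.3f}")
    # Systematic sampling caveat: the population's period (every 50th record)
    # interacts with the interval k = 20, so the result depends on the start.
    for start in (0, 3):
        s = systematic_sample(POPULATION, 50, start)
        print(f"systematic start={start}: observed rate {observed_deviation_rate(s, is_deviation):.2f}")
    r = random_sample(POPULATION, 100, seed=1)
    print(f"random n=100: observed rate {observed_deviation_rate(r, is_deviation):.2f}")
```

Two things are worth noticing. The probability of a "clean" sample drops from about 0.60 at n=25 to about 0.12 at n=100, which is the sample-size effect described above. And because the deviations here recur with a period of 50 while the systematic interval is 20, a systematic sample's observed rate is either 0.20 or 0.00 depending on the start, neither of which is the true 2%: systematic sampling is only safe when the population has no such ordering.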

You should also make decisions about the nature, extent, and timing of
evidence to be gathered. The types of evidence may include:

l Observed processes, such as a physical entrance security system in
operation.

l Documentary audit evidence, such as activity and control logs.

l Representations, such as written policies and procedures.

l Analysis, such as comparison of error rates between applications and
transactions.

The outcomes of the audit planning stage should include:

o Announcement Letter – inform the client of the audit through an
announcement or engagement letter. Such a letter communicates the
scope and objectives of the audit, the auditors assigned to the project
and other relevant information.

o Initial Meeting - at this meeting the client describes the unit or system
to be reviewed, the organization, available resources and other relevant
information. The client also identifies issues or areas of special concern
that should be addressed.

o Preliminary Survey - the auditor gathers relevant information about the
target unit in order to obtain a general overview of operations.

o Control Review - the auditor reviews the target unit's existing control
structure. To save time, the auditor uses a variety of tools and
techniques to gather and analyze information about the operation. One
primary objective here is to determine the areas of highest risk and
design the tests to be performed in the fieldwork stage.

o Audit Program – the preparation of the audit program, which outlines
the fieldwork necessary to achieve the audit objectives.

Keep in mind:

“The IS auditor should consider whether his or her organizational status is appropriate for the
nature of the planned audit. Where this is not considered to be the case, the hiring of an
independent third party to manage or perform this audit should be considered by the
appropriate level of management”3.

In fact, you may audit your own audit program and policy by asking questions
such as:

l Is there a mandatory auditing policy in place?

3 http://www.isaca.org/standard/guide1.htm

l What information is audited?

l Is the audited information analyzed and reported on promptly and
regularly?

l Are IT security personnel trained in audit analysis?

l Are the contents of audit logs protected from unauthorized access,
modification, and/or deletion?

l Is there a policy stating how long the captured audit logs are to be retained?

Recommended types of audit

INFOSEC recommends a number of types of audit which deserve your serious
attention.

You want to have a FIREWALL AUDIT to ensure that the firewall and the
associated systems have all been properly configured to enforce the security
policy and provide the required level of protection. The firewall should be
audited for its configuration and also for its physical access control.

You want to conduct an INTERNAL NETWORK AUDIT to discover any
vulnerability that could be exploited by authorized internal users, and to
identify any weaknesses and strengths in the controls of the internal systems
and networks. The topology of the internal network infrastructure should also be
reviewed. The audit test should include an internal network scan to check for
security holes at specified times or pre-agreed periods. The scanning of
critical hosts and workstations should be included as part of the test effort.

You want to have an EXTERNAL NETWORK AUDIT for identifying
security weaknesses of the systems and networks from the outside, such as the
Internet. This helps to anticipate external attacks that might cause security
breaches, by scanning and launching attacks from the Internet against the
internal network at specified and pre-agreed times and locations.

You want to have a PHONE LINE AUDIT for identifying undocumented or
uncontrolled modems connecting internal computers directly to the telephone
network. This aims at eliminating any unauthorized or inappropriate modem
connection to, and configuration of, your internal network and systems.

You want to perform a SECURITY POLICY, GUIDELINES &
PROCEDURES REVIEW to review or develop the existing security policy,
guidelines and procedures. You want to focus on the high-level overall
organization-wide security policy, or on specific systems, networks or areas that
are of concern.

You want to perform a HOST SECURITY AUDIT for assessing the operating
system level security of the different computer server platforms.
Misconfiguration of the operating systems may open up security holes that may
not be known to your system administrators, and the goal of this audit is to sort
them all out.

You want to perform an INTERNET SECURITY AUDIT to identify those
security weaknesses of the systems and networks that are connected to
the Internet. It is sort of a combination of the internal network and external
network security audits, with major focus on the Internet gateway.

You want to perform a REMOTE ACCESS SECURITY AUDIT. The goal is
to deal with those vulnerabilities that are associated with remote access services
via communication links such as dial-up connections and/or broadband
connections.

You want to perform a WIRELESS NETWORK SECURITY AUDIT to deal
with vulnerabilities that are associated with wireless networks. You also want to
perform a WEB APPLICATION SECURITY AUDIT, which deals with
vulnerabilities relevant to your web applications.

Example Audit Objectives and Procedures

FYI, below is an example document detailing the objectives and procedures of
a proposed network audit:

Objective: 

To assess whether access from the internal network to the 
Internet and from the Internet to the internal network 
are controlled.

Criteria: 

The Internet policy should convey to all staff the intent 
of the controls to be implemented by the firewall. 

Procedures: 

a) Obtain a copy of the Internet Policy. 

b) Identify the process that was used to develop the 
policy. Ascertain whether the process considered the 
value of and degree of reliance on the firewall and the 
severity, probability, and extent of the potential for 
direct and indirect harm. 

c) Assess whether the policy: 

*  identifies the specific assets that the firewall is 
intended to protect and the objectives of that protection 
(integrity, availability, and confidentiality); 

* describes the organizational structure and associated 
responsibilities and accountability of personnel who will 
be charged with implementing the policy, monitoring 
compliance with the policy and adhering to the policy; 

* supports the legitimate use and flow of data and
information; and

* documents what information passing through the firewall 
will be monitored (limit organizational liability, reduce 
abuse, support prosecution for abuse); and 

* is consistent both in tone and in principle with other
organizational policies and accepted practice (e.g.
availability of Internet access for non-business use)

d) Ascertain whether legal counsel has reviewed the 
policy to ensure consistency with requirements and 
limitations imposed externally (laws, regulations etc.). 

e) Determine whether management approval of the policy 
has been sought and granted and the date of the most 
recent review of the policy by management. 

f) Identify how the Internet policy was/is communicated 
to users and how awareness is maintained. Select a sample 
of users and discuss their understanding of their 
responsibilities related to Internet use and how to 
report problems. 

g) Determine whether standards and procedures have been 
defined to specify the means by which the policy is 
implemented.

h) Assess whether the standards and procedures specify 
who is responsible and empowered to do each function 
required for the proper operation of the firewall. 

i) Assess whether the security policy: 

* is easy to read and locate relevant sections; 

* is versioned and dated; 

* is carefully worded with all ambiguous terms precisely 
defined; 

* sets out acceptable conditions of use as well as 
unacceptable conditions of use; 

* is widely communicated to affected persons; and 

* is reviewed at regular intervals. 

j) Consider whether the following issues are addressed in 
the policy document: 

* Scope of the policy in relation to other internal and 
external networks with which it may be connected. 

* Basic philosophy that may be used for making non-deterministic
decisions.

* Governing policies, such as Federal and Provincial Law, 
contractual terms and conditions, or other policies 
internal to the Company. 

* Identification of the person who has ultimate authority 
to interpret and apply the policy to a particular 
situation. 

* Allowance for the policy to be temporarily waived by a 
person of authority under certain conditions or 
guidelines. 

* Formal definition of how the people affected by the 
policy will be informed of its contents. 

* Frequency and necessity for reviews of the policy. 

* Outline of the assets that must be protected, and from 
what threats. 

* Security incident handling principles. 

* Guidelines for liability of personnel with regard to 
security breaches to discourage people from hiding 
details of a breach that they may have (somewhat 
innocently) been involved in.

* Guidelines regarding investigation of incidents and 
courses of action that could be taken by decision­makers 
based upon details of the security breach, including 
referral to law enforcement agencies, as well as internal 
investigation and disciplinary principles. 

k) Consider whether the rights and responsibilities of 
users are addressed in the policy document, including: 

* Account use, by both the account holder and the 
resource provider. Special conditions may apply to the 
use of normal user accounts, and public access accounts 
(like anonymous ftp), and these conditions could be 
expressed here. 

* Software and data access and use, including sources of 
data and software. 

* Disclosure of information which is potentially harmful, 
such as password information or configuration 
information. 

* Etiquette, including acceptable forms of expression 
(e.g. non­offensive expression expected for unsolicited 
electronic mail), and unacceptable practices (such as the 
forging of electronic mail and news articles). 

* Password use and format.

* Rights to privacy, and the circumstances under which 
the resource provider may intrude on the files held under 
or activities practiced by an account. 

* Other miscellaneous guidelines regarding reasonable 
practices, such as the use of CPU cycles and temporary 
general access storage areas. Copyright issues may also 
be discussed here. 

l) Consider whether the rights and responsibilities of 
resource providers are addressed in the policy document, 
including: 

* physical security guidelines; 

* privacy guidelines; and 

* configuration guidelines, including:

- allocation of responsibility;

- network connection guidelines;

- authentication guidelines;

- authority to hold and grant account guidelines;

- auditing and monitoring guidelines;

- password format, enforcement and lifetime guidelines;
and

- login banners.

You may also perform the audit using a wide range of computer tools. For example,
you may perform vulnerability scans using an automated vulnerability scanning
tool to quickly identify known vulnerabilities on the target hosts or devices.
However, since a large number of requests will be generated by the
automated vulnerability scanning tool, the system and network performance of
the target groups will likely be impacted during the vulnerability scanning
process. You must therefore devise a plan to minimize possible service
interruption during the scanning process. Note also that some of the potential
vulnerabilities identified by the automated scanning tool may not represent real
vulnerabilities in the practical real-world context (a scanner that infers a
vulnerability from a version banner, for instance, cannot tell whether the fix has
been backported). False positives are therefore to be expected, and professional
judgment must be exercised.

While network vulnerability scanning is a good method to collect vulnerability
information within a short period of time, it is non-intrusive and does not
attempt to exploit the identified vulnerabilities. Penetration testing may need to
be adopted if more in-depth findings are desired.

Penetration testing may be performed internally or externally. It involves using
automated tools to scan the network or system to create a complete map of
connected workstations and servers, as well as to identify vulnerabilities from
either inside or outside the network and system under study by attempting to
penetrate them. Sometimes penetration testing may also involve user interviews
and the use of different hacking techniques to test the system or network. The
level of detail and the types of hacking would have to be thoroughly planned and
agreed upon prior to proceeding.

In any case, PLAN THEIR USE EARLY, PRIOR TO MOVING ON TO
THE FIELDWORK.

Audit Fieldwork

During the audit process, the fieldwork concentrates on transaction testing and
informal communications. At this stage the auditor determines whether the
controls identified during the preliminary review are operating properly and in
the manner described.

Remember, you do NOT audit every single item. With the help of statistical
sampling techniques, you determine (mostly in a random manner) which items
to work on.

One major purpose of fieldwork is to accumulate sufficient, competent,
relevant, and useful evidence to support the audit comments and
recommendations:

o Audit evidence is sufficient when it is factual, adequate and convincing enough
for an informed person to reach the same conclusion.

o Evidence is competent when it is reliable: obtained through appropriate audit
techniques and consistently producing the same result when the procedure is
repeated.

The activities at this stage often include:

o Transaction Testing - procedures usually include testing the major
controls and the accuracy and propriety of the transactions. Various
techniques including sampling are used to enhance productivity.

o Advice & Informal Communications - the auditor may discuss any
significant findings with the client. The client may, in return, offer
insights and work with the auditor to determine the best method of
resolving the finding. Most of the time these communications are oral.
Written forms of communication usually indicate the existence of
serious problems.

o Audit Summary - the auditor summarizes the audit findings, conclusions,
and recommendations necessary for preparing the audit report
discussion draft.

o Working Papers – the auditor's notes, test results and supporting documents,
kept to support the audit opinion. They are comprehensive in nature.

In fieldwork IT auditors may use computer-assisted audit techniques (CAATs)
to improve audit coverage by reducing the cost of testing and sampling
procedures that otherwise would be performed manually. CAATs typically
include tools and techniques such as generalized audit software, utility software,
test data, application software tracing and mapping, and audit expert systems.
Whatever the source, audit software programs should remain under the strict
control of the audit department.

You use CAATs to test application controls as well as to perform substantive tests
on sample items. Types of CAATs include Generalized Audit Software (GAS),
Custom Audit Software (CAS), Test Data, Parallel Simulation and Integrated
Test Facility. Through the use of CAATs, you will be able to obtain evidence to
support the final conclusions developed on the audit.
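
The following is an added example (written for this guide, not taken from any CAAT product or from the original text) of the kinds of tests generalized audit software performs, together with a parallel simulation: the auditor re-implements the application's fee calculation from the business rule and compares the result against what the application actually charged. It also exercises the processing controls mentioned at the start of this section (duplicate transactions, incomplete processing, falsified or erroneous input). The transaction records, the fee rule and the authorized limit are all constructed.

```python
"""Generalized-audit-software style tests and a parallel simulation over a
constructed transaction file (added example, not from the study guide).

Constructed fee rule for the (hypothetical) application under audit: fee is
2% of the amount, rounded to the cent, with a minimum of 1.00 and a cap of
50.00.  The transaction records below are made up for this illustration.
"""
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

D = Decimal

# Constructed extract from the application's transaction file.
TXNS: List[Dict] = [
    {"seq": 1001, "customer": "C100", "date": "2024-03-01", "amount": D("250.00"),   "fee": D("5.00")},
    {"seq": 1002, "customer": "C200", "date": "2024-03-01", "amount": D("30.00"),    "fee": D("1.00")},
    {"seq": 1003, "customer": "C300", "date": "2024-03-02", "amount": D("4000.00"),  "fee": D("50.00")},
    {"seq": 1004, "customer": "C100", "date": "2024-03-01", "amount": D("250.00"),   "fee": D("5.00")},   # repeat of 1001
    {"seq": 1006, "customer": "C400", "date": "2024-03-02", "amount": D("1200.00"),  "fee": D("20.00")},  # 1005 is missing
    {"seq": 1007, "customer": "C500", "date": "2024-03-03", "amount": D("-15.00"),   "fee": D("1.00")},
    {"seq": 1008, "customer": "C600", "date": "2024-03-03", "amount": D("99999.00"), "fee": D("50.00")},
]


def expected_fee(amount: Decimal) -> Decimal:
    """Independent re-implementation of the fee rule (the auditor's own code,
    written from the business specification, not copied from the application)."""
    fee = (amount * D("0.02")).quantize(D("0.01"), rounding=ROUND_HALF_UP)
    return max(D("1.00"), min(fee, D("50.00")))


def find_duplicates(txns: List[Dict]) -> List[int]:
    """Duplicate transactions: same customer, amount and date posted more than once."""
    key = lambda t: (t["customer"], t["amount"], t["date"])
    counts = Counter(key(t) for t in txns)
    return sorted(t["seq"] for t in txns if counts[key(t)] > 1)


def find_sequence_gaps(txns: List[Dict]) -> List[int]:
    """Completeness: sequence numbers that should exist but do not (possible
    incomplete processing or deleted records)."""
    seqs = sorted(t["seq"] for t in txns)
    present = set(seqs)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in present]


def find_out_of_range(txns: List[Dict], limit: Decimal) -> List[int]:
    """Validity: non-positive amounts or amounts above the authorized limit."""
    return [t["seq"] for t in txns if t["amount"] <= 0 or t["amount"] > limit]


def parallel_simulation(txns: List[Dict]) -> List[Tuple[int, Decimal, Decimal]]:
    """Re-compute each fee independently and report (seq, charged, expected)
    wherever the application's output differs."""
    mismatches = []
    for t in txns:
        exp = expected_fee(t["amount"])
        if t["fee"] != exp:
            mismatches.append((t["seq"], t["fee"], exp))
    return mismatches


if __name__ == "__main__":
    print("duplicates      :", find_duplicates(TXNS))
    print("sequence gaps   :", find_sequence_gaps(TXNS))
    print("out of range    :", find_out_of_range(TXNS, D("50000.00")))
    print("fee mismatches  :", parallel_simulation(TXNS))
```

Each function is one substantive test: duplicates and out-of-range values go to the transaction-integrity findings, the sequence gap to completeness, and the parallel simulation mismatch (transaction 1006, charged 20.00 where the rule gives 24.00) to the accuracy of the application's processing. Decimal arithmetic is used deliberately; re-computing monetary rules in binary floating point would itself produce spurious mismatches.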

Audit evidence needs to be sufficient, reliable, relevant, and useful in order for
you to form an opinion and to support your findings and conclusions. You
need to devise procedures to gather and organize audit evidence. You should
select the most appropriate procedure for the audit objective. Possible options
include:

l Inquiry and/or Observation

l Inspection

l Confirmation

l Reperformance

l Monitoring

Working papers are the formal collection of auditors' notes, documents,
flowcharts, correspondence, results of observations, plans and results of tests,
the audit plan, minutes of meetings, computerized records, data files or
application results, and evaluations that document the auditor's activity for the
entire audit period. They are essential to support the auditor’s findings and
recommendations in the audit report.

To conclude the fieldwork stage, a list of significant findings from which the
auditor will prepare a draft of the audit report is produced.

Audit Program

An audit program acts as the link between the preliminary survey and the field
work. In the preliminary survey the auditors identify operating objectives, risks,
operating conditions and control procedures. In field work they gather evidence
about the effectiveness of control systems based on observations,
documentation, verification and other audit procedures.

For a list of popular audit programs you may refer to this hyperlink:
http://www.auditnet.org/asapind.htm

Audit Report

This is the principal product of the audit process - you express your opinions,
present the audit findings, and discuss recommendations for improvements.
According to IS Auditing Standard 070 (Reporting), "The IT auditor should provide a report
in an appropriate form, upon the completion of the audit. The report should state the scope,
objectives, period of coverage, and the nature, timing, and extent of the audit work performed.
The report should state the findings, conclusions, and recommendations and any reservations,
qualifications or limitations of scope that the IT auditor has with respect to the audit."

It is always advisable for you to first discuss the rough draft with your client
prior to issuing the final report:

1. When the fieldwork is completed, the auditor drafts the report and gives
it to the audit management for a thorough review. A discussion draft is
prepared for the unit's operating management and is submitted for the
client's review before the exit conference.

2. When audit management has approved the discussion draft, the auditor
meets with the unit's management team to discuss the findings,
recommendations, and text of the draft. At this meeting (which is
known as the Exit Conference), the client is given the chance to
comment on the draft. The ultimate goal is for the group to reach an
agreement on the audit findings (and to maintain a friendly relationship
with the client).

3. After an agreement is made, the auditor prepares a formal draft which
takes into account any revisions resulting from the exit conference and
other discussions. When the changes have been reviewed by audit
management and the client, the final report is produced and rendered to
audit management as well as the client. The approval of the client
and the Audit Director is required for release of the report to any third
party.

4. The client should be given the opportunity to respond to the audit
findings prior to issuance of the final report; the response can be included
in or attached to the final report. However, if the client decides to respond
after the report has been issued, the first page of the final report should
include a letter requesting the client's written response to the report
recommendations.

You should discuss the draft of the audit report with management
to give management the chance to correct any weaknesses or
deficiencies before they are reported and/or even released to the
public. You may do this in the form of a Management Comment
Letter.

5. In the response, the client should explain how report findings will be
resolved. An implementation timetable should also be included. It is
technically acceptable for the client to respond with a decision not to
implement an audit recommendation and to bear the risks associated
with an audit finding.

6. Finally, the client may comment on the performance of the audit. This
feedback can be very beneficial to the audit team.

Audit Follow­Up

Within a period defined by the client, the auditor will perform a follow-up
review to verify the resolution of the report findings:

1. Follow-up Review - the client response letter is reviewed and the actions
taken to resolve the audit report findings may be tested. Unresolved
findings will be discussed in the follow-up report.

2. Follow-up Report - lists the actions taken by the client to resolve the
original report findings. Any unresolved findings will be mentioned as
well. It is a recommended practice to have a discussion draft of each
report with unresolved findings circulated to the client before the
follow-up report is issued (again, this is for reaching agreement and
maintaining a friendly relationship).

To keep things going properly, you should use a process that enables you
to track the status of client management's actions on significant findings and
recommendations.

Note:

If after issuing the audit report it is found that some procedures had been
omitted, you may need to review the available audit alternatives in order to
compensate for the omission. If unfortunately the omitted procedures actually
present material bearing on the audit outcome, the worst case scenario is that
you will have to issue a new report and have the old one cancelled.

Audit Assessment

Upon completion, your audit work should be evaluated by a partner or senior
manager based on a number of criteria, including:

l Audit Completeness and Pertinence

l Accuracy

l Appropriate Conclusions, Findings and Recommendations

l Follow-up to Findings and Recommendations

IT Strategic Planning

IT Strategic Planning defined

Strategic planning is an important activity for information technology
organizations. IT Strategic Planning is closely related to IT governance, which
comprises the body of issues addressed in considering how IT is applied within
the enterprise.

The key goal of the IT strategic planning process is to translate your
organization’s vision into detailed short and long-term IT plans and processes
that match the company’s business plan and ensure that employees, clients,
suppliers, and partners can easily and securely interact and collaborate:

o IT strategic plans must be aligned with institutional mission, plans, and
priorities. An IT plan must also be flexible to adapt to changes. Most
importantly, IT strategic planning must occur as part of a process that
ensures that the best ideas are put forward and a process that creates
investment on the part of stakeholders.

o Strategic IT planning must include setting long-term goals, identifying
performance goals, selecting the portfolio of IT investments to support
those goals and continuously measuring the performance of IT
investments. It must be tightly coupled with the organization’s strategic
planning and it must be an intrinsic and integrated part of the budget
process.

Remember, IT is a serious (and expensive) investment. Management often
measures investment from a monetary standpoint. Investment MUST produce
returns (in the form of savings or profit increases).

The role of IS Auditing in the planning process

The IS auditor should consider the following options in establishing the overall
objectives of any audit associated with IT governance and the IT strategic
planning process. These options, as mentioned by ISACA4, should include:

o Reporting on the system of governance and/or its effectiveness

o Inclusion or exclusion of financial information systems

o Inclusion or exclusion of non-financial information systems

4 http://www.isaca.org/standard/guide1.htm

ISACA (above) further defines the following points that should be considered
by the auditor when reviewing the IT strategic planning process:

o There is a clear definition of IT mission and vision

o There is a strategic information technology planning methodology in
place

o The methodology correlates business goals and objectives to IT business
goals and objectives

o This planning process is periodically updated (at least once per year)

o This plan identifies major IT initiatives and resources needed

o The level of the individuals involved in this process is appropriate

In­house or Out­source?

Note that one major duty of the IS auditor is to validate the acquisition or
development of the business application systems. From a security standpoint,
you need to tell whether developing in house is more secure (and easier to control)
than buying off the shelf. A tradeoff is involved in the decision, and different
answers are expected in different circumstances. The general guideline is that
developing in house allows more control over the development process and
lets you build in more security features. However, this can be costly, as
you need to recruit, train and manage your IT team to do the job.

Also, when your own development team is involved you must clearly define the
roles and responsibilities of each team member. Certain roles must not
overlap, and certain duties must be clearly separated.

Avoiding conflicts of interest

“The principle of separation of duties is that an organization should carefully
separate duties, so that people involved with checking for inappropriate use are
not also capable of making such inappropriate use. No person should be
responsible for completing a task involving sensitive, valuable or critical
information from beginning to end. Likewise, a single person must not be
responsible for approving their own work”.

The general guidelines here are:

l you don’t test or QC your own work.

l account creation and daily administration must NOT be performed by the same
individual.

Other examples of duties to keep separate include:

l development VS production

l security VS audit

l accounts payable VS accounts receivable

l encryption key management VS changing of keys
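
As an added illustration (not from the original text), the check below takes the conflict pairs listed above, expands each user's effective roles through group membership, and reports every user who holds both halves of a conflicting pair. The directory data is constructed for the example; in practice it would be exported from the identity system.

```python
"""Separation-of-duties check over role assignments (added example, not from
the study guide).  The conflict pairs mirror the ones listed above; the users,
roles and groups are constructed for this illustration."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Pairs of roles that one person must not hold at the same time.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"developer", "production_operator"}),          # development vs production
    frozenset({"security_admin", "auditor"}),                 # security vs audit
    frozenset({"accounts_payable", "accounts_receivable"}),
    frozenset({"key_custodian", "key_rotation_operator"}),    # key management vs changing keys
    frozenset({"account_creator", "account_administrator"}),  # creation vs daily administration
}

# Constructed directory data: roles granted directly, and roles inherited via groups.
DIRECT_ROLES: Dict[str, Set[str]] = {
    "alice": {"developer", "production_operator"},
    "bob":   {"accounts_payable"},
    "carol": {"auditor", "security_admin", "developer"},
    "dave":  {"key_custodian"},
    "erin":  {"developer"},
}
GROUP_ROLES: Dict[str, Set[str]] = {
    "release-team": {"production_operator"},
    "finance":      {"accounts_receivable"},
}
USER_GROUPS: Dict[str, Set[str]] = {
    "erin": {"release-team"},
    "dave": {"finance"},
}


def effective_roles(user: str) -> Set[str]:
    """Direct roles plus everything inherited through group membership.
    Reviewing only direct grants is a common way to miss a conflict."""
    roles = set(DIRECT_ROLES.get(user, set()))
    for group in USER_GROUPS.get(user, set()):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def sod_violations(users: List[str], conflicts: Set[FrozenSet[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, role_a, role_b) for every conflicting pair a user holds."""
    found = []
    for user in sorted(users):
        for a, b in combinations(sorted(effective_roles(user)), 2):
            if frozenset({a, b}) in conflicts:
                found.append((user, a, b))
    return found


if __name__ == "__main__":
    for v in sod_violations(list(DIRECT_ROLES), CONFLICTS):
        print("SoD violation:", v)
```

The run reports alice (developer and production operator, both granted directly), carol (security administrator and auditor) and erin, whose production-operator role arrives only through the release-team group and would be invisible to a review of direct assignments. Where a conflict cannot be removed, the finding should name the compensating control (for instance independent review of that person's actions) rather than simply accept it.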

Protection of Information Assets through
Security Policy

Information Assets defined

Information Assets which are mostly of an intellectual nature are the vital
business resources that require protection commensurate with their value.
Mechanisms shall be in place to protect these assets from intentional (or
unintentional) modification, destruction, unauthorized disclosure, or other
malfeasance. The end goal is to make sure that confidentiality, integrity, and
availability of these assets are adequately maintained.

Confidentiality - Protecting sensitive information from unauthorized
disclosure.

Integrity - Safeguarding the accuracy and completeness of information and
computer software, and protecting them from unauthorized modification.

Availability - Ensuring that all systems, networks, applications and information
are available and accessible to authorized users when they are required.

Assets - Protection from damage, loss or misuse of all computer and
communications equipment, including computing and communications
premises, data storage media, application/system computer programs and
documentation.

According to INFOSEC, the value of an information asset may be expressed in
terms of tangible values such as replacement costs of IT facilities, hardware,
media, supplies, documentation, and the IT staff supporting the systems; intangible
values such as goodwill and the replacement cost of data; information values; and
the data classification of the information stored, processed, or transmitted by the
asset.

When we talk about the protection of information assets, we are dealing with
two issues here:

1. The policy for offering protection

2. The technology that is in use for offering protection

NOTE: Practically speaking, copy protection is also a significant issue. If the
software you use (which is part of your information assets) has a
serial number you may be held liable for the illegal copies spawned
from the original copy running on your computer system.

You need to have an idea of what it takes to shape a proper set of Information
Assets Protection policies. Then you know how to go ahead with an audit.
Questions you may ask here:

l Does your organization have a written security policy?

l Does the policy identify all individuals responsible for implementing that
policy and what their duties are?

l Does the policy identify the steps to be taken if there is a security breach?

l Does the policy identify what information it is most important to protect?

l Does the policy identify enforcement procedures that identify the penalties
associated with a security breach?

l Is the policy known by all individuals who have the responsibility for
implementing that policy?

l Has a security plan been developed based on the security policy?

Data classification and layers of responsibility

The purpose of data classification is to indicate the level of confidentiality,
integrity and availability that is required for each type of information.

The US classifications are:

Commercial        Military
Confidential      Top Secret
Private           Secret
Sensitive         Confidential
Public            Sensitive but unclassified
                  Public

The Data Owners are the senior managers who are ultimately responsible for the
protection and use of data. They often determine the data classification. The
Data Custodians, on the other hand, are responsible for the maintenance and
protection of data, such as making backups and performing restores. Staff in the
IT department usually fill this role.

NOTE: Before you give classified information to anyone, you as the holder of the
information MUST do whatever you can to ensure that the person to
whom you are giving the information possesses the proper level of security
clearance AND has the “need-to-know”.

Security Policy

Policy is issued top down. It is signed by the top person in the organization,
and compliance is mandatory. Procedures, on the other hand, describe the steps
needed to attain compliance.

The overall objective of a security policy is to control human behavior in an
attempt to reduce the risk to information assets from accidental or deliberate
actions. Top management should set a clear policy direction and demonstrate
support for the maintenance of information security through a commitment
to developing an information security policy across the organization. Such a
policy should apply to ALL business units and entities with access to
information assets owned by or entrusted to the organization.

A Baseline IT Security Policy is a top-level directive statement that sets the
minimum standards of a security specification for all departments of the
organization. It states clearly what aspects are of paramount importance to a
department. In other words, it provides the basic rules which must be observed
as mandatory. Security guidelines, on the other hand, serve to introduce general
concepts relating to Information Technology Security as well as to elaborate
interpretations of the Baseline IT Security Policy. They also provide some
guidelines and considerations for defining detailed security requirements.

Support from top management is a MUST. The policy document must therefore
be approved by management and communicated to all employees. It should
emphasize management commitment and set out the organization's approach to
managing information security.

Once the policy is defined and implemented, the policy owner should be held
responsible for its maintenance and review according to a defined periodic
review process (update and maintenance of the policy is very much a hands-on
job). That process should ensure that a review also takes place in response
to any change affecting the basis of the original risk assessment.

Ownership of critical information and systems should be assigned to capable
individuals, with responsibilities clearly defined and accepted. Responsibilities of
these owners should include:

a) determining business (and the relevant information security) requirements.

b) ensuring information and systems are protected in line with their importance
to the organization.

c) determining which users are authorized to access particular information and
systems.

d) ‘signing-off’ access privileges for each user or set of users.

e) defining information interchange agreements.


f) developing service level agreements.

g) ‘signing-off’ specifications for business requirements.

h) authorizing new or significantly changed systems.

i) ensuring users are aware of their security responsibilities and are able to fulfill
them.
j) being involved with security audits/reviews.

These responsibilities should be clearly documented. Responsibilities for
protecting information and systems should be communicated to 'owners' and
accepted by them.

Do keep in mind, ALL USERS, NOT just the owners, have a
responsibility to ensure the protection of information and computing
assets!

And for the purpose of the exam, remember that the necessary components
that fit together for effective security management practices are:

· Data classification

· Operational activities

· Safeguard selection

· Separation of duties

· Management security responsibilities

· Guidelines and procedures

· Risk assessment

· Policies and standards

· Security awareness.

The above are concerns at a broader level. At the admin level, on the other
hand, questions you may ask concerning the hands-on management, enforcement
and implementation of security procedures include:

· How many system administrators does your organization have?

· Do your system administrators work full-time as system administrators?

· Are your system administrators contractor employees?

· Is there segregation of duties among system administrators?

· Does each system administrator have a backup person?

· Are program modifications approved by the configuration control
function required to be installed by system administrators?

· Is there consistency in the implementation of security procedures by
system administrators in the organization?

To ensure successful implementation of security policies and procedures, the
three levels of security awareness training, namely Awareness, Training and
Education, must all be considered. Note that:

· Systems development staff need skills to design systems in a disciplined
manner and develop security controls.

· IT staff need skills to run computer installations and networks correctly
and apply security controls. Beware of the potential segregation of duties
issue, though*.

· Business users need skills to use systems correctly and apply security
controls.

· Information security specialists need skills to understand the business,
run security projects, communicate effectively, and perform specialist
security activities.

General questions you may ask concerning user training include:

· Is there a formal information security training program within your
organization?

· Are new employees required to receive security awareness training within a
specified number of days after hiring?

· Are employees required to get updated security training at regular intervals?

* The risk of IT staff disrupting the running of the network either in error or by malicious
intent should be reduced by the following measures:

a) segregating the duties of staff running the network from those developing/designing the
network.

b) ensuring all network and external staff sign non-disclosure/confidentiality agreements.

c) minimizing reliance on key individuals by automating tasks as well as ensuring complete
and accurate documentation.

d) organizing duties in such a way as to minimize the risk of theft, fraud, error and
unauthorized changes to information.
e) screening applicants for positions that involve running the network through taking up
references and checking career history.

Security Models and Modes of Operations

A model is a symbolic representation of a policy. It maps the requirements of
the policy into a set of rules to be followed by a computer system, defining
the dos and don'ts for achieving the goals of the security policy. Even though
this is mostly theory of limited day-to-day value, the exam will have quite a
few questions on it.

The Bell-LaPadula Model was developed for the US military in the 1970s to
address leakage of classified information. Its main goal is confidentiality:
the simple security property forbids reading up (a subject may not read an
object classified above its clearance) and the *-property forbids writing
down (a subject may not write to an object classified below its clearance). A
system using the Bell-LaPadula model would be classified as a multilevel
security system. Bell-LaPadula is a state machine model, and can also be
categorized as an information flow model.

The Biba Model is also a state machine model. It is similar to Bell-LaPadula
except that it addresses data integrity rather than confidentiality: its
simple integrity property forbids reading down and its integrity *-property
forbids writing up. The data integrity focus is characterized by three goals:

· Protection from modification by unauthorized users.

· Protection from unauthorized modification by authorized users.

· Internal and external consistency.

The Clark-Wilson model takes a different approach to protecting integrity.
Users cannot access constrained data items directly, but must go through
well-formed transactions (transformation procedures) that control their
access; separation of duties is enforced by controlling which users may run
which procedures.

The various information flow models have one thing in common: they have
each object assigned a security class or value. Information is constrained to flow
only in the directions permitted by the security policy.

Based on the above mentioned models, several modes of operation can be
defined, describing the security conditions under which the system actually
functions.

· With the Dedicated Security Mode, all users have the clearance, formal
access approval and the "need to know" for all the data within the system.

· With the System-High Security Mode, all users have clearance and formal
access approval for all the information in the system, but not necessarily a
need to know for all of it.

· With the Compartmented Security Mode, all users have the clearance for all
information on the system but might not have need to know and formal
access approval for all of it. Users can access only the compartments of
data they are approved for.

· The Multilevel Security Mode permits two or more classification levels of
information to be processed at the same time. Not all users have clearance
for all of the information being processed.

Under Limited Access, the minimum user clearance is "not cleared" and the
maximum data classification is "sensitive but unclassified". Under Controlled
Access, a limited amount of trust is placed in the system hardware and
software.
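The following is an added example, not code from the original guide: a tiny reference monitor that enforces the Bell-LaPadula rules (no read up, no write down) and the Biba rules (no read down, no write up) over labels made of a hierarchical level plus a set of compartments. The compartments are what make "need to know" and the compartmented mode concrete: a bare Top Secret label does not dominate Secret/CRYPTO, so clearance alone is not enough. The level ordering, the subject and the objects are all constructed for illustration.

```python
"""Added example (not from the original guide): a minimal reference monitor
that applies Bell-LaPadula and Biba to labels of level + compartments.
The level ordering and all sample labels below are constructed."""
from dataclasses import dataclass

# Hierarchical levels, lowest to highest (constructed ordering).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """Lattice comparison: equal-or-higher level AND a superset of the
        other label's compartments. A bare 'Top Secret' does not dominate
        'Secret {CRYPTO}', which is exactly how need-to-know is enforced."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    simple security property: no read up   -> subject must dominate object
    *-property:               no write down -> object must dominate subject"""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity) is the dual of BLP.
    simple integrity property: no read down -> object must dominate subject
    integrity *-property:      no write up   -> subject must dominate object"""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


MODELS = {"BLP": blp_allows, "Biba": biba_allows}


def decide(model: str, subject: Label, obj: Label, op: str) -> str:
    """Return 'ALLOW' or 'DENY' for an access request under the named model."""
    return "ALLOW" if MODELS[model](subject, obj, op) else "DENY"


def run_demo() -> list:
    """Constructed subject and objects; returns (object, op, BLP, Biba) rows
    so the two models can be compared side by side."""
    analyst = Label("Secret", frozenset({"CRYPTO"}))
    objects = {
        "conf_memo": Label("Confidential"),
        "ts_crypto_report": Label("Top Secret", frozenset({"CRYPTO"})),
        "secret_nuclear_plan": Label("Secret", frozenset({"NUCLEAR"})),
    }
    rows = []
    for name, obj in objects.items():
        for op in ("read", "write"):
            rows.append((name, op, decide("BLP", analyst, obj, op),
                         decide("Biba", analyst, obj, op)))
    return rows


if __name__ == "__main__":
    print(f"{'object':22}{'op':7}{'BLP':7}Biba")
    for name, op, blp, biba in run_demo():
        print(f"{name:22}{op:7}{blp:7}{biba}")
```

Reading the table the script prints shows the two models pulling in opposite directions: the Secret/CRYPTO analyst may read the Confidential memo under BLP but not under Biba, may write the Top Secret/CRYPTO report under BLP (writing up is fine for confidentiality) but not under Biba, and can neither read nor write the Secret/NUCLEAR plan under either model because the NUCLEAR compartment is missing, even though the level matches.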

Some questions you may ask when auditing user account related issues:

· What is the procedure for establishing accounts? What level of supervisor
approval is required?

· Who has root/admin access to your systems?

· Can accounts be accessed remotely? If so, by whom? What kind of
justification is required before remote access is permitted?

· What is the procedure for forgotten passwords?

· What is the procedure for closing accounts when an employee is
terminated?

· What is the procedure for monitoring inactive accounts?

· What is the technical process by which accounts are established?
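Several of these questions can be answered with evidence rather than interviews by joining an account export against the HR feed. The script below is an added example, not part of the original guide: it flags enabled accounts of terminated employees, inactive and never-used accounts, every holder of root/admin privilege, and accounts with no documented approval. The record layout, the 90-day threshold and all sample records are assumptions made for illustration.

```python
"""Added example (not from the original guide): an account review over a
constructed account export joined with a constructed HR status feed.
Field names, the inactivity threshold and all records are assumptions."""
from datetime import date, timedelta

INACTIVE_DAYS = 90  # assumed policy: accounts unused this long are reviewed
TODAY = date(2009, 6, 30)  # fixed so the sample data gives stable results


def _days_ago(n):
    return TODAY - timedelta(days=n)


# Constructed sample export. "approval" is the ticket that authorized the
# account; "hr_status" comes from the HR feed ("active" or "terminated").
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": _days_ago(5),
     "privileged": False, "hr_status": "active", "approval": "REQ-101"},
    {"user": "bob", "enabled": True, "last_login": _days_ago(120),
     "privileged": False, "hr_status": "active", "approval": "REQ-102"},
    {"user": "carol", "enabled": True, "last_login": _days_ago(2),
     "privileged": True, "hr_status": "terminated", "approval": "REQ-103"},
    {"user": "dave", "enabled": False, "last_login": _days_ago(400),
     "privileged": False, "hr_status": "terminated", "approval": "REQ-104"},
    {"user": "root", "enabled": True, "last_login": _days_ago(1),
     "privileged": True, "hr_status": "active", "approval": None},
    {"user": "svc_backup", "enabled": True, "last_login": None,
     "privileged": False, "hr_status": "active", "approval": "REQ-105"},
]


def review_accounts(accounts, today=TODAY, inactive_days=INACTIVE_DAYS):
    """Return a list of (user, finding) tuples. Each check maps to one of the
    audit questions: termination handling, inactive accounts, who holds
    root/admin, and whether account creation was approved."""
    findings = []
    for a in accounts:
        user = a["user"]
        # Q: procedure for closing accounts on termination
        if a["hr_status"] == "terminated" and a["enabled"]:
            findings.append((user, "enabled account belongs to a terminated employee"))
        # Q: monitoring inactive accounts (disabled accounts are not counted)
        if a["enabled"]:
            if a["last_login"] is None:
                findings.append((user, "enabled but has never logged in"))
            elif (today - a["last_login"]).days > inactive_days:
                findings.append((user, f"inactive for more than {inactive_days} days"))
        # Q: who has root/admin access
        if a["privileged"]:
            findings.append((user, "holds root/admin privileges - confirm still justified"))
        # Q: what approval is required to establish an account
        if a["approval"] is None:
            findings.append((user, "no documented approval for account creation"))
    return findings


def findings_for(user, findings):
    """All finding texts for one user, sorted for stable comparison."""
    return sorted(f for u, f in findings if u == user)


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS):
        print(f"{user:12} {finding}")
```

The disabled account of the terminated employee (dave) raises nothing, which is the expected outcome of a working leaver process; the enabled one (carol), who is also privileged, is the finding an auditor would escalate first.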

Example Policy

The role of the CIO and his/her peers involves developing and publishing
policy in consultation with Business Units and Service Providers, as well as
promoting the development of the supporting standards and guidelines.

Below is an example of the terms included in a real life security policy:

1. Sample company information technology assets must not be used for private
commercial purposes.

2. Users must not breach copyright, nor use facilities for illegal purposes.

3. Users must protect Sample company and vendor intellectual property.

4. Users, external suppliers and clients must, on request, sign a confidentiality
agreement in respect of the use of IT facilities, documentation and data,
including non-disclosure of Sample company information to third parties.

5. All users must abide by Sample company acceptable use policies for e-mail
and Internet and not download, transmit, distribute or store any harassing or
obscene messages and files, or any objectionable material via a Sample
company PC or network. This includes the use of insulting, sexist, racist,
obscene, suggestive or any other inappropriate language.
6. All users are personally accountable for their own logon-id and password.
Passwords must not be disclosed nor shared.

7. The Standards and Guidelines supporting this policy form part of the Policy.

8. Users are responsible for meeting published information technology
standards, guidelines and acceptable use policies.

9. Appropriate levels of security and encryption will be used when
communicating electronically with external parties. All items for encryption
must be authorized and copies of encryption keys must be lodged with the IT
Security Officer.
10. Any variations or departures from the IT Security Policy must be endorsed
by the Chief Information Officer and must be available for audit.

11. Sample company reserves the right to monitor usage and electronically
record security breaches to ensure compliance is maintained.

12. All Sample company PCs will be loaded with virus-checking software.
Users must not disable or change the configuration settings of this software
unless directed to do so by an appropriate Technology Group staff member.

13. Authorization must be obtained from the appropriate Technology Group
before any form of communications equipment, including modems, is
attached to the Sample company IT network.

Consequences of violations

In order for a security policy to be effective, the CONSEQUENCES OF
SECURITY POLICY VIOLATIONS must be clearly defined upfront. Any
security exposure, misuse or non-compliance must be reported as soon as it is
identified. Failure to comply with the Information Technology Security Policy
and its supporting sub-policies may, for internal staff, lead to disciplinary
procedures and, for external suppliers and consultants, to the suspension of
contracts and withdrawal of access to the organization's information systems.

Evaluation

Broadly known as the "Orange Book", TCSEC (Trusted Computer System
Evaluation Criteria) was developed by the US Department of Defense to provide
a graded classification of computer system security. The graded classification
hierarchy has four divisions:

A – Verified Protection
B – Mandatory Protection
C – Discretionary Protection
D – Minimal Security

The evaluation criteria cover four fundamental requirements: Security Policy,
Accountability, Assurance and Documentation. Note that the Red Book (the
Trusted Network Interpretation, TNI) is an interpretation of the Orange Book
for networks and network components. The Red Book TNI ratings are:

· None

· C1 – Minimum

· C2 – Fair

· B2 – Good

Organization specific classification scheme

There may be a need for an organization-specific security classification scheme
that applies across your organization and is used to determine the varying
levels of importance and sensitivity of information and systems. Such a scheme
should take account of the possible business impact of a loss of
confidentiality, integrity or availability of information, and be used to
classify information held in electronic or paper form, software and hardware.
It should be applied to business applications, computer installations, networks
and systems under development, and should explain how to resolve conflicting
classifications.

A comprehensive security classification scheme should require critical
information and systems to be distinguished from other information and
systems, and information and systems to be protected in line with their
classification. The scheme has to be signed off by the relevant business
owners, and security classifications have to be reviewed whenever changes are
made.

Change control

Change control is an important element: it describes the procedures for
making and controlling changes to information. Put another way, change control
procedures restrict the way people make changes to information assets.

The five general procedures for implementing change control are:

‧ Applying to introduce a change

‧ Cataloging the intended change

‧ Scheduling the change

‧ Implementing the change

‧ Reporting the change to appropriate parties

Change control is critical to software development as well. Refer to the section
on Change Management for more information.

Business Continuity Planning

“According to a recent Gartner Group document, a business continuance plan should include:
a disaster recovery plan, which specifies an organization's planned strategies for post-failure
procedures; a business resumption plan, which specifies a means of maintaining essential
services at the crisis location; a business recovery plan, which specifies a means of recovering
business functions at an alternate location; and a contingency plan, which specifies a means of
dealing with external events that can seriously impact the organization”.

Definition

Business continuity is a term that describes the processes and procedures an
organization puts in place to ensure that essential functions can continue during
and after a disaster. Business continuity planning seeks to prevent interruption
of mission-critical services, and to reestablish full functioning as swiftly and
smoothly as possible.

From a practical standpoint, it is rarely affordable to keep every function
running non-stop through a crisis; only the most critical business functions
can be maintained at full capacity. In fact, the very first step in business
continuity planning is deciding which of the organization's functions are
essential, and apportioning the available budget accordingly.

BCP vs BPCP vs DRP

Should it be called Business Continuity Planning (BCP), Business Process
Contingency Planning (BPCP) or Disaster Recovery Planning (DRP)?
Traditionally, planning for the restoration and continuation of IT infrastructure
services to support mission-critical business processes was referred to simply as
DRP. At the end of the day their objectives are very similar. Contingency
planning is a popular term, and so is disaster recovery planning.

One DRP-related term is fault tolerance. Fault tolerance (also known as
graceful degradation) is the property that enables a system to continue
operating properly when some of its components fail. It is particularly
sought after in high-availability or life-critical systems. With a fault
tolerance mechanism in place you are subject to far less disruption when
things go wrong.

BCP Phases

The phases of development for any BCP (Business Continuity Planning)
program should include:

· Initiation

· Business impact analysis

· Strategy development

· Plan development

· Implementation

· Testing

· Maintenance

The four most important elements of a BCP are:

· Scope and plan initiation

· Business impact analysis – includes vulnerability assessment

· Business continuity plan development

· Plan approval and implementation

The key phrase in business continuity is "reduce risk", which means to prepare
for any event that could jeopardize your business's ability to operate. If
disaster strikes, companies have everything to lose: critical data, profits,
information and so on, all of which are critical to the running of any company.

BCP should not be a pure IT call. It should be treated as a business call,
developed by a team representing ALL functional areas of the organization.

BCP is in fact a project, and managing a BCP is like managing a project. A
formal project needs to be established, and activities should commence only
when the project has been approved by the Board of Directors of the
organization.

Stakeholders and crisis communications

You will need to take into account the various stakeholders in the equation.
Below are the stakeholders that will most likely be involved:

· Internal (corporate and business unit level) groups

· External groups (customers, vendors, suppliers, public, INSURANCE
COMPANIES)

· External agencies (local, state, national governments, emergency
responders, regulators, etc.)

· Media (print, radio, television, Internet)

Important points to remember regarding the arrangements with these
stakeholders for handling emergencies include:

· A list of important contacts must be maintained at all times by several key
people in the organization. At least one of these key people must be available
off-site (imagine what happens if all the key people are buried in the
destroyed building).

· Determine the chain of command: who should be in charge if, let's say,
the president may never be available again?

· Each business unit should have at least one person assigned to keep a list
of contacts for all the staff within the unit. During a tragedy there is a need
to find out who is still missing, and to keep the family members of the staff
fully informed of what is happening.

· A crisis communication plan must always be in place. Communications
must be properly maintained with the outside world during the tragedy.
You will need help from various external agencies, so get in touch with
them regularly to determine how you can work together in an emergency.
You will also want to let your customers know that everything is under
control and there is no need for them to worry.

· It will be very ugly if the person in charge of the organization is the last
one informed of the tragedy. When something goes wrong, the CEO is
often the target of the media. Do NOT upset the media. Do NOT upset
the reporters.

The Risk Assessment Flow

As said previously, Security Risk Assessment can be defined as a process of
evaluating the security risks related to the use of information technology. It
is conducted at the very beginning to identify what security measures are
required, and again whenever there is a change to an information asset or its
environment. Assessing security risk should therefore be treated as the initial
step in evaluating and identifying the risks and consequences associated with
vulnerabilities. It provides a basis for company management to establish an
effective security program. Based on the assessment results, you develop
security policies and guidelines, assign security responsibilities and implement
technical security protections. You then perform cyclic compliance reviews and
re-assessments to assure that security controls are properly in place to meet
users' security requirements and to cope with rapid environmental changes of all
kinds. Continuous feedback and monitoring are needed to achieve this.

Security risk assessment has to be treated as an on-going activity. It should be
conducted at least once every two years to explore the risks in your information
systems. Do understand that a security risk assessment can only give a snapshot
of the risks at a particular time. Therefore, for mission-critical information
systems, you should conduct security risk assessments more frequently.

A High-level Assessment emphasizes the analysis of the overall infrastructure
or design of a system, in a more strategic and systematic manner. A
Comprehensive Assessment is typically conducted periodically for the security
assurance of all information systems, or of selected information systems of a
particular department. A Pre-production Assessment is commonly conducted on
new information systems before they are rolled out.

Prior to conducting a risk assessment you should start by building up a solid
knowledge base. You need to know the current and historical internal
environment, the current and historical external environment, internal and
external dependencies and vulnerabilities, threat profiles, and the
countermeasure choices and their related costs.

Throughout the different stages of a security risk assessment a large amount of
data and system configuration will be collected, some of which may itself
contain sensitive information. You must therefore ensure all the collected data
is stored securely; the use of file encryption tools and a lockable cabinet or
room should be planned early.

The kinds of information that are often needed for performing an assessment,
as recommended by INFOSEC, include:

· Security requirements and objectives

· Information available to the public or found in the web pages

· Physical assets such as hardware equipment

· Systems such as operating systems, network management systems

· Contents such as databases and files

· Applications and servers information

· Network such as supported protocols and network services offered

· Access controls process, application operation process, etc.

· Identification and authentication mechanisms requirements

· Documented or informal policies and guidelines

According to INFOSEC, the assessment process of a system should include
the identification and analysis of a number of elements, including:

· all assets of and processes related to the system

· threats that could affect the confidentiality, integrity or availability of the
system

· system vulnerabilities to the threats

· potential impacts and risks from the threat activity

· protection requirements to control the risks

· selection of appropriate security measures and analysis of the risk
relationships

You may collect this information through a General Control Review, a System
Review and Vulnerability Identification. With a General Control Review you
identify threats arising from the existing general security processes by
examining the systems through interviews, site visits, documentation review
and observation. A System Review focuses on system elements such as system
files or logs, running processes, access control files, user listings,
configuration settings and security patch level. Vulnerability Identification
often involves automated tools such as vulnerability scanning and penetration
testing over the network.

One important element to consider when preparing your risk assessment is the
estimate of the potential losses to which the business is exposed. The
objective of the loss potential estimate is to identify the critical aspects
of the business operation and to place a monetary value on the loss estimate.
The second step of the risk analysis is to evaluate the threats to the
business. The third step is to combine the estimate of the value of the
potential loss with the probability of loss to develop an estimate of annual
loss expectancy (ALE). The purpose is to pinpoint the significant threats, as
a guide to the selection of security measures, and to develop a yardstick for
determining the amount of money that is reasonable to spend on each of them.

Risk VS Threat and Vulnerability

The traditional definition of risk:

Risk is the product of threat and vulnerability. This model of risk is appropriate
for assets where applicable threat data can be well predicted from historical
events.

One way to represent this is:

Risk = Threat x Vulnerability

Note that this model of risk assumes that we have knowledge of our
vulnerabilities and our threats.

A threat is typically defined as a potential event (such as a flood, tornado or
computer virus outbreak) that is often of low probability yet highly damaging.
Its likelihood is expressed as the probability, or expected frequency, of the
event occurring over some defined period of time. A vulnerability, on the
other hand, is a weakness that a threat can exploit in a very negative way.

You perform Threat Analysis to identify the threats and to determine the
likelihood of their occurrence and their potential to harm systems or assets.
System error or control logs are usually good sources of data for this.

Social threats are directly related to human factors, which can be intentional or
unintentional. Technical threats are usually caused by technical problems.
Environmental threats are usually caused by environmental disasters.

Identifying Risks

The key part of the BCP process is the assessment of the potential risks to the
business which could result from disasters or emergency situations. You MUST
consider ALL the possible incidents and the impact that follows. Examples of
the risks that face any organization include (but are not limited to):

o Environmental Disasters

o Deliberate Disruption (e.g. terrorist attack)

o Loss of Utilities and Services

o Equipment or System Failure

o Serious Information Security Incidents

Risk results may be analyzed using qualitative and quantitative methods and/or
a matrix approach. With the qualitative method you use descriptive word scales
or rankings of significance or severity based on experience and judgment; it
is more subjective in nature. The quantitative method, on the contrary, uses
numerical information to arrive at percentages or numerical values. Generally
speaking, a qualitative method is better for initial screening, while a
quantitative method is more suitable for detailed and specific analysis of
some critical elements and for further analysis of high-risk areas. A matrix
approach involves documenting and estimating the three major needs of security
protection, confidentiality, integrity and availability, at three different
levels of severity (high, medium, low). The risk level is then ranked based on
the criticality of each risk element. The idea is that risk interpretation
should be limited to the most significant risks, so as to reduce the overall
effort and complexity.

Loss Calculations

The 3 major models are:

· Single Loss Expectancy (SLE)

· Annualized Loss Expectancy (ALE)

· Cumulative Loss Expectancy (CLE)

The Single Loss Expectancy model is the model upon which the Annualized
Loss Expectancy and Cumulative Loss Expectancy models are based. This
simple (and less accurate) model has its roots in accounting, with the purpose
of determining how much value in terms of dollars will be lost, and is often
used to express the results in a financial impact analysis.

The Annualized Loss Expectancy model comes closer (relatively) to painting an
accurate picture of risk by adding the probability of an event happening over
a single year. To reach an answer, you first calculate the Single Loss
Expectancy. You then multiply the Single Loss Expectancy by the Annualized
Rate of Occurrence (the expected number of occurrences per year) to produce
the Annualized Loss Expectancy. The formula looks like this:

Single Loss Expectancy x Annualized Rate of Occurrence = Annualized Loss Expectancy

The Cumulative Loss Expectancy model approaches risk by taking into account
all of the bad things that are likely to happen to your business over the next
year. You need to look at each threat and the probability of each threat
against your business, and then derive an expected loss. Taking all of the
threats together and computing the annual rate of each threat occurring, you
sum their expected losses. This is a relatively complicated model and is less
emphasized in the exam.
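The three models, and the "yardstick" for safeguard spending described in the loss estimate passage above, worked through in code. This is an added example, not from the original guide. It assumes the standard expansion SLE = asset value x exposure factor (the guide only says SLE puts a dollar value on one occurrence), and every asset value, exposure factor, rate of occurrence and safeguard figure below is constructed.

```python
"""Added example (not from the original guide): SLE, ALE and CLE worked
through, plus the cost-benefit test for a safeguard. All figures are
constructed; SLE = AV x EF is an assumed standard expansion."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: what the exposed asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO: expected number of occurrences per year


def sle(t: Threat) -> float:
    """Single Loss Expectancy = AV x EF: the dollar loss from one occurrence."""
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annualized Loss Expectancy = SLE x ARO, the formula shown above."""
    return sle(t) * t.aro


def cle(threats) -> float:
    """Cumulative Loss Expectancy: the sum of ALE over every threat considered."""
    return sum(ale(t) for t in threats)


def rank_threats(threats):
    """Threat names ordered by ALE, highest first: the 'significant threats'
    that should drive safeguard selection."""
    return [t.name for t in sorted(threats, key=ale, reverse=True)]


def safeguard_net_benefit(t: Threat, annual_cost: float,
                          new_ef=None, new_aro=None) -> float:
    """ALE before the safeguard minus ALE after it, minus its annual cost.
    A positive result means the loss avoided justifies the spend."""
    after = Threat(t.name, t.asset_value,
                   t.exposure_factor if new_ef is None else new_ef,
                   t.aro if new_aro is None else new_aro)
    return ale(t) - ale(after) - annual_cost


# Constructed threat register for a small data centre.
THREATS = [
    Threat("fire in server room", 2_000_000, 0.5, 0.05),  # half lost, once in 20 years
    Threat("ransomware outbreak", 500_000, 0.8, 0.5),     # 80% lost, every 2 years
    Threat("laptop theft", 3_000, 1.0, 12),               # total loss, monthly
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:22} SLE={sle(t):>12,.0f}  ALE={ale(t):>10,.0f}")
    print(f"CLE = {cle(THREATS):,.0f}")
    print("ranked:", rank_threats(THREATS))
    fire, ransomware = THREATS[0], THREATS[1]
    # Offline backups cut the ransomware exposure factor from 0.8 to 0.2.
    print("offline backups net benefit:",
          safeguard_net_benefit(ransomware, 40_000, new_ef=0.2))
    # A suppression system cuts the fire exposure factor from 0.5 to 0.2.
    print("suppression system net benefit:",
          safeguard_net_benefit(fire, 60_000, new_ef=0.2))
```

With these figures the fire has by far the largest single loss (SLE 1,000,000) but ransomware carries the largest annual loss (ALE 200,000 against 50,000), which is why ranking by ALE, not SLE, guides safeguard selection. The backup control pays for itself (net benefit 110,000 per year) while the suppression system does not (net benefit -30,000), even though it addresses the scarier event.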

From a CISA point of view, of particular importance when considering
business risks and the impact of potential emergencies is the disruption to, and
availability of, IT services and communications that are expected to run 24x7.

As an IS auditor, some of the more important issues that should be considered
when assessing the level of risk associated with IT services and
communications include:

o Specification of IT and Communications Systems and Business
Dependencies

o Key IT, Communications and Information Processing Systems

o Key IT Personnel and Emergency Contact Information

o Key IT and Communications Suppliers and Maintenance Engineers

o Existing IT Recovery Procedures

At the end of the day you want to know how the IT function can continue
should something go seriously wrong. Contingency planning is therefore a
critical factor to consider. Questions you should ask include:

· Does your organization have a contingency plan for dealing with
natural and man-made disasters? If so, who maintains the contingency
plan and who is responsible for its implementation?

· Does your organization have an uninterruptible power supply (UPS) to
increase the likelihood of an orderly shutdown without loss of data?

· Does the contingency plan identify and prioritize the resources that
are most important to protect in an emergency?

· Is the contingency plan tested periodically?

Business Impact Analysis defined

The BIA is an evaluation of the strengths and weaknesses of your company's
disaster preparedness and the impact an interruption would have on your
business.

Every BIA should include an exploratory component to reveal any
vulnerabilities, and a planning component to develop strategies for minimizing
risk. A well done BIA should be capable of identifying costs linked to failures,
such as loss of cash flow, replacement of equipment, salaries paid to catch up
with a backlog of work, and loss of profits …etc.

The result of analysis is a business impact analysis report, which describes the
potential risks specific to the organization studied. It should quantify the
importance of business components and suggest appropriate fund allocation
for measures to protect them. The possibilities of failures are likely to be
assessed in terms of their impacts on safety, finances, marketing, legal
compliance, and quality assurance.

BIA goals and steps

As part of the risk assessment effort, business impact analysis has 3 primary
goals:

· Criticality Prioritization: critical business units and processes must be
identified and prioritized.

· Downtime Estimation: estimate the maximum tolerable downtime for each
critical process.

· Resource Requirements: identify the resource requirements for the critical
processes.

Business impact analysis generally involves 4 steps:

1. Gathering the needed assessment materials

2. The vulnerability assessment

3. Analyzing the information compiled

4. Documenting the results and presenting recommendations to
management.

BIA checklist

You will need inputs from both the top management and the line managers.

- Determine the business areas

- For each business area, determine the business processes and identify
the essential processes.

- For the business processes, estimate the costs of failure
    What are the costs of non-performance?
    What are the costs of late performance?
    What is the max tolerable delay in performance?

- Determine attributes for the business processes
    Description of process
    Frequency of process
    Manpower requirements (numbers, skills, who does what)

- Establish communication facilities required

- Establish IT facilities required

- Establish non-IT facilities required

- Establish clerical requirements

- For the business processes, establish the minimum resources required
to operate.

- Prioritize the essential business processes. This is VERY IMPORTANT. One key
assumption behind every BIA is that every component of the organization is
reliant upon the continued functioning of every other component, but that
some are more crucial than others and require a greater allocation of funds in
the wake of a disaster.

- Summarize the requirements for the business processes
  Determine the minimum acceptable backup plan
  Determine the minimum acceptable recovery configuration
  Determine the time scales

- Consider alternative backup/recovery solutions (cost/benefit analysis,
Hot site VS Cold site)

- Determine the Backup and Business Recovery Strategy

Preparing for emergency

To minimize the effects of potential emergencies, focus must be placed on
those business activities that are keys to the continued viability of the business,
such as:

- Back-up and Recovery Strategies

- Key BCP Personnel and Supplies

- Key Documents and Procedures

Backup is critical. Key questions here include:

- Does your organization have backup policies and procedures?

- How often are system and user backups performed?

- Who is authorized to perform backups?

- Are backup media stored in a secure location offsite?

- Are backup media tested regularly for restorability/recoverability of
files?

- Can an operational capability be restored within acceptable time
constraints?

- What are the policies and procedures regarding archived data?
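Two of the questions above, whether the backup media actually restore and whether they restore within the acceptable time, can be answered by machine rather than by reading a log sheet. The following Python script is an added example and not code from the original guide or from any backup product: it backs up a small constructed directory into a tar.gz archive, keeps a SHA-256 manifest beside it, restores into scratch space, verifies every file and times the restore against a recovery time objective. The sample files, the archive name and the five-second RTO are assumptions made for the demonstration.

```python
"""Added example (not from the original guide): an automated backup restore test.

Takes a backup of a directory into a tar.gz archive, records a SHA-256 manifest
alongside it, restores the archive into a scratch directory, verifies every
restored file against the manifest and times the restore against a recovery
time objective (RTO). The sample files, the RTO and the archive name are
assumptions made for the demonstration.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup members need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_of(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX style) to its digest."""
    return {
        path.relative_to(root).as_posix(): sha256_of(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def take_backup(source: Path, archive: Path) -> dict:
    """Write the archive and return the manifest that should be stored with it offsite."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest_of(source)


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract only members that resolve inside dest (guards against '../' entries)."""
    dest = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"refusing to extract {member.name!r} outside {dest}")
    tar.extractall(dest)


def restore_and_verify(archive: Path, manifest: dict, rto_seconds: float) -> dict:
    """Restore into a fresh directory and report what a restore test must answer."""
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            safe_extract(tar, dest)
        elapsed = time.monotonic() - started
        restored = manifest_of(dest)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    unexpected = sorted(set(restored) - set(manifest))
    clean = not (missing or corrupted or unexpected)
    return {
        "restore_seconds": round(elapsed, 3),
        "within_rto": elapsed <= rto_seconds,
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "passed": clean and elapsed <= rto_seconds,
    }


def run_demo(rto_seconds: float = 5.0) -> dict:
    """Constructed data: a tiny application tree backed up and then restored twice."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "app"
        (source / "conf").mkdir(parents=True)
        (source / "ledger.db").write_bytes(b"constructed ledger record\n" * 100)
        (source / "conf" / "app.ini").write_text("[db]\npath=ledger.db\n")
        archive = Path(work) / "nightly.tar.gz"
        manifest = take_backup(source, archive)

        # A healthy restore test: everything on the media matches the manifest.
        healthy = restore_and_verify(archive, manifest, rto_seconds)

        # Failure modes the test must catch: the manifest promises a key file the
        # backup job never captured, and the ledger on the media no longer matches
        # the digest recorded at backup time.
        damaged_manifest = dict(manifest)
        damaged_manifest["conf/missing.key"] = "0" * 64
        damaged_manifest["ledger.db"] = "f" * 64
        damaged = restore_and_verify(archive, damaged_manifest, rto_seconds)
    return {"healthy": healthy, "damaged": damaged}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The manifest is the part most often forgotten: without a digest list recorded at backup time and stored with the offsite copy, a restore can "succeed" while silently returning stale or truncated files. In a real BCP test the archive would be read back from the offsite media itself, and the elapsed time compared with the MTD established in the BIA rather than a fixed constant.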

The key personnel and the IT staff should be well trained to handle
emergency situations and incidents. Ask these questions:

- Have users and system administrators received training on how to carry
out their respective responsibilities when an incident occurs? Do they
receive awareness reminders and periodic refresher training?

- Does your organization maintain a knowledge base of past incidents and
“lessons learned” for future use?

Managing recovery

One critical part of handling any serious emergency situation is the
management of the Disaster Recovery Phase. Remember, the priority during
recovery is ALWAYS the safety and well-being of the employees and other
persons involved. LIFE is the most important asset. Other priorities include
containing the emergency itself, removing or minimizing the
threat of further injury or damage, and re-establishing external services
(power, telecommunications, and so on).

The Business Recovery Phase then follows directly on from the Disaster
Recovery Phase. This phase involves the restoration of normal business
operations. From a business perspective, this is the most critical phase of the
whole BCP exercise, as the efficiency and effectiveness of the procedures here
have a direct bearing on the organization’s ability to survive the
emergency.

For a business to truly recover, from an IS standpoint the following items are
critical:

- Power and Other Utilities

- Premises, Fixtures and Furniture

- Communications Systems

- IT Systems

- Production and Other Equipment

- Information and Documentation

Testing the plan

The effectiveness of the BCP in emergency situations can only be assessed if
rigorous testing is carried out in realistic conditions. Therefore, the BCP should
be tested within a realistic environment that simulates the conditions of
an actual emergency. All persons who will be involved with recovering a
particular business process during an emergency should be REQUIRED to
participate in the testing process.

The BCP test itself should be carefully planned as well. Planning the test
covers the following:

- Develop Objectives and Scope of Tests

- Set up the Test Environment

- Prepare Test Data

- Identify Who is to Conduct the Tests

- Identify Who is to Control and Monitor the Tests

- Prepare Feedback Questionnaires

- Prepare Budget for Testing Phase

- Train a Core Testing Team for each Business Unit

The following activities must be emphasized during the test:

1. Test each part of the Business Recovery Process

2. Test Accuracy of Employee and Vendor Emergency Contact Numbers

3. Assess Test Results

The test process gives IS auditors a good chance to see if the IS controls
relevant to BCP actually work as planned.

User Acceptance

About user acceptance testing: each user should create a test script designed
to validate the accuracy and performance of their application in a contingency
environment. The test scripts should be defined in such a way that they give a clear
indication of whether or not the users can do business as usual, as stated in their
recovery requirements.

Users should be asked to provide their views on the testing process and on the
results of the test. The users should also provide comments regarding
improvements and modifications that they would like to see as a result of the
test. Upon completion, a user sign-off sheet should be provided for this
purpose and must be signed off by a manager of the business.

Plan maintenance

In today’s world, the pace of change will never slow down but will continue to
increase. It is necessary for the BCP to keep pace with these changes in order
for it to be useful in the event of a disruptive emergency.

To ensure that the BCP is regularly updated, the following must be established:

- Change Control Procedures for Updating the Plan

- Responsibilities for Maintenance of Each Part of the Plan

- Test All Changes to the Plan

- Advise the Person Responsible for BCP Training

The IS auditor, when appropriate, should assist in the process by checking
whether the controls and procedures for the update process are properly
implemented and followed.

For your interest, take a look at the following fragment of a real world audit
report with BCP involved:

Has the Department Adequately Planned For the Actions It Must Take In the Event Of
A Disaster To Minimize the Loss of Computer Operations?

An organization needs good business continuity planning in order to quickly
recover critical operations after a disaster. Business continuity planning
addresses an organization's ability to continue functioning when normal
operations are disrupted. By necessity, it includes planning for contingencies
and disaster recovery, and is focused on the computer functions that are most
necessary to continued agency operations. Continuity planning enables an
organization to minimize the loss of communications and important
computer operations during an emergency.

The Department has done little business continuity planning for its critical
computer programs. Department management have implemented some
sound practices, such as a system for backing up critical data. However, the
Department doesn't meet many other planning standards. We found
problems such as the following:

- The Department hasn't conducted a risk analysis to assess possible
disaster scenarios or threats

- The existing continuity plan doesn't assign roles and responsibilities to
specific staff, and is limited in the recovery instructions it gives

- The Department hasn't made any arrangements for off-site processing
for its critical computer programs.

Incident Handling

The major activities involved in the planning and preparation of an incident
handling mechanism should as a minimum include:

- Security Incident Handling Plan

- Reporting Procedure

- Escalation Procedure

- Security Incident Response Procedure

- Training and Education

- Incident Monitoring Measures

There has to be a proper reporting procedure in place so that when an
incident occurs, all parties involved know whom they should report to,
in what way, and what should be noted and reported. Such a reporting
procedure should have a clearly identified point of contact and comprise
simple but well-defined steps to follow. It should be widely published to all
concerned staff for their information and reference. You should ensure that all
related staff are familiar with the reporting procedure and are capable of
reporting a security incident immediately.

There must also be a comprehensive Escalation Procedure established. Such a
procedure defines the way to escalate the incident to management and
relevant parties to ensure that important decisions are taken promptly. You
need to put in place a contact list for addressing the legal, technical, and
managerial issues that arise at the different stages of
security incident handling. You should set out the points of contact with the
corresponding contact information, as well as the various levels of notification
based on the type and severity of the impact caused by the incident.

The system or functional area's manager must establish a security incident
response procedure for guiding the security incident response team through the
incident handling process. Moreover, a sufficient level of security measures for
incident monitoring must be implemented to protect the system during normal
operation as well as to monitor for potential security incidents. For example, you
want to deploy a firewall and apply authentication and access control
measures to protect important system and data resources. You also want to
install an intrusion detection tool to proactively monitor, detect and respond to
system intrusions or hacking. It is also a good idea to install anti-virus and
malicious code detection and repair software to detect and remove
computer viruses and malicious code, and prevent them from affecting
system operation.
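The escalation levels and monitoring measures described above can be turned into working detection logic. The following Python script is an added example, not code from the original guide or from any intrusion detection product: it runs over constructed sshd-style authentication log lines, counts failed logins per source address inside a sliding window, grades each source into a severity level and maps that level to a notification tier, raising the tier when a burst of failures is followed by a successful login. The thresholds, tiers, contact roles and log lines are all assumptions made for the demonstration.

```python
"""Added example (not from the original guide): incident monitoring with
severity-based escalation over constructed sshd-style log lines. The log
lines, thresholds, tiers and contact roles are assumptions, not values from
the original text.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Escalation table (assumed): minimum failures in the window, severity, who is told.
ESCALATION = [
    (50, "high", "incident manager, legal counsel and on-call engineer"),
    (10, "medium", "on-call engineer"),
    (3, "low", "security mailbox"),
]
LEVELS = ["none", "low", "medium", "high"]
NOTIFY = {level: who for _, level, who in ESCALATION}
NOTIFY["none"] = "nobody (below reporting threshold)"


def parse(line: str):
    """Return the fields of one auth line, or None for lines we do not monitor."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return {"ts": datetime.fromisoformat(match["ts"]), "result": match["result"],
            "user": match["user"], "src": match["src"]}


def max_in_window(times, window: timedelta) -> int:
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def severity_for(failures: int) -> str:
    for threshold, level, _ in ESCALATION:
        if failures >= threshold:
            return level
    return "none"


def analyse(lines, window: timedelta = timedelta(minutes=5)) -> dict:
    """Grade every source address seen in the log and pick its notification tier."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        bucket = failures if event["result"] == "Failed" else successes
        bucket[event["src"]].append(event["ts"])

    findings = {}
    for src in set(failures) | set(successes):
        burst = max_in_window(failures[src], window) if failures[src] else 0
        level = severity_for(burst)
        # A successful login after a burst of failures may mean the password was
        # guessed: raise the severity one step so a human looks at it.
        guessed = bool(failures[src] and successes[src]
                       and max(successes[src]) > min(failures[src]))
        if guessed and level != "none":
            level = LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]
        findings[src] = {"failures_in_window": burst, "success_after_failures": guessed,
                         "severity": level, "notify": NOTIFY[level]}
    return findings


def constructed_log() -> list:
    """Sample lines built inline (constructed, not captured from a real host)."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    fmt = "{ts} bastion sshd[4101]: {res} password for {user} from {src} port {port} ssh2"

    def ev(offset, res, user, src, port):
        return fmt.format(ts=(base + offset).isoformat(), res=res, user=user, src=src, port=port)

    lines = [ev(timedelta(seconds=10 * i), "Failed", "invalid user admin", "203.0.113.7", 51000 + i)
             for i in range(12)]                       # brute force, ten seconds apart...
    lines.append(ev(timedelta(seconds=150), "Accepted", "root", "203.0.113.7", 51099))  # ...that worked
    lines += [ev(timedelta(minutes=1, seconds=30 * i), "Failed", "alice", "198.51.100.5", 40000 + i)
              for i in range(2)]                       # two typos by a legitimate user
    lines += [ev(timedelta(minutes=6 * i), "Failed", "invalid user test", "192.0.2.9", 42000 + i)
              for i in range(4)]                       # slow probing, never 3 in 5 minutes
    lines.append("2024-03-01T10:01:00 bastion CRON[77]: (root) CMD (run-parts /etc/cron.hourly)")
    return lines


SAMPLE_LINES = constructed_log()

if __name__ == "__main__":
    for src, finding in sorted(analyse(SAMPLE_LINES).items()):
        print(src, finding)
```

The sliding window matters: the slow prober at 192.0.2.9 never trips the threshold here, which is exactly the blind spot a low-and-slow attacker relies on, so a real deployment would keep a second, longer window (hours or days) alongside the five-minute one. The notification text is where the escalation contact list from the procedure above plugs in.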

Risk Management

“Risk is a concept that auditors and managers use to express their concerns about the probable
effects of an uncertain environment. Because the future cannot be predicted with certainty,
auditors and managers have to consider a range of possible events that could take place”5.

“Risk management is a discipline for dealing with uncertainty”6.

As mentioned by David McNamee in his article “Management Control
Concepts”, uncertainty and randomness exist in nature; risk is not
something to be worried or concerned about but something to be managed. In
fact, managing a range of risks is required for both survival and success in
today's environment.

Every organization can and should use risk management strategies and tools to
protect vital assets.

5 http://www.mc2consulting.com/riskart2.htm

6 http://www.nonprofitrisk.org/tutorials/rm_tutorial/2.htm

The discipline of risk management aims at helping an organization to identify,
assess and control risks that may be present in operations, service delivery,
staffing, and governance activities.

Good risk management can reduce legal costs and, in some cases, avoid lawsuits
altogether. Remember, legal costs are one of the worst nightmares an organization
can ever have.

Risk management defined

The risk management process provides a framework for identifying risks and
deciding what to do about them. Since not all risks are created equal, risk
management does not simply identify risks; it also weighs the various risks and
makes decisions about which risks deserve immediate attention.

The risk management steps

The steps involved in proper risk management shall include:

- Context establishment: begin a risk management program by setting
goals and identifying any potential barriers or impediments to the
implementation of the program.

- Risk identification: categorize risks according to the major categories of
assets of the organization in question.

- Risk evaluation and prioritization: establish a list of risk-related action
items in priority order.

- Strategy selection and implementation: use risk management
techniques to address virtually every risk your organization is facing.
Such techniques include:

  - Avoidance: do not offer programs that pose too great a risk.

  - Modification: modify an activity to make it safer for all involved.

  - Retention: make a conscious decision to retain the risk.

  - Sharing: share the risk with another organization through a contractual
  arrangement, such as an insurance contract or a risk management
  service contract.

- Program update: keep the risk management techniques and plans
periodically reviewed and updated to make certain that they remain the
most appropriate strategy.

Always remember, people are the heart and soul of your organization and are
irreplaceable. Risks to people's lives always deserve the most
attention.

IS Auditing and Risk Management

IS auditors may participate in assessing and controlling new systems and
technologies that are emerging in the business world. By applying a risk and
audit framework for assessment and control, new methods of systems planning,
development, deployment and operation can be introduced in a relatively “safe”
manner. Questions you may ask here:

- Has an overall risk assessment been performed on critical information
assets? If so, how recently was it performed or updated?

- Have risks previously identified been corrected? Are there remaining
vulnerabilities that have not been addressed?

Risk­based Auditing

When performing audit assignments, there are usually two different approaches:
the checklist approach versus the risk-based approach.

Auditing using checklists is basically auditing without an appreciation of why
the auditor is doing some particular task, and can be seen as auditing without an
understanding of the risks involved in the business process.

On the other hand, with risk-based auditing, the auditor must have a thorough
understanding of the business process as well as the risks and controls in the
system for achieving the organization's goals. The risk-based audit plan is
specifically tuned to spend more time on the areas of highest risk and greatest
importance to the goals. Less time is spent on areas of lower importance
and lower risk.

Risk Management Readings

Below is a list of HIGHLY RECOMMENDED REFERENCE READINGS.
I strongly recommend that you go through all of them:

The New Risk Management
http://www.intekworld.com/Newsletters/vol3/10oct04/riskmanagement.htm

Failure in Risk Management
http://www.findarticles.com/p/articles/mi_m3937/is_2000_Jan/ai_62197034

Assessing Internet Security Risk, Part One: What is Risk Assessment?
http://www.securityfocus.com/infocus/1591

Trends: Rethinking risks
http://www.cioinsight.com/article2/0,1397,1458270,00.asp?kc=CTNKT0209KTX1K0100481

Project Management

“Project Management is a decision-making and strategic risk. It is defined as the application of
knowledge, skills, tools, and techniques to project activities in order to meet or exceed
stakeholder needs and expectations from a project”7.

Project Management defined

Project management is not simply a technical subject. Instead, it is a business
one. It involves balancing the competing demands of:

- scope

- time

- cost

- quality

- different stakeholders

7 http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditPage!OpenDocument

To be precise, Project Management is the defining, planning, scheduling, and
controlling of the tasks that must be completed to reach your goal and the
FAIR allocation of the resources to perform those tasks. A
Project Performance audit, on the other hand, is an audit that helps you understand
the current capability of your project management processes or staff, benchmark your
business against best practice, and focus improvement to maximum
effect.

Project Management and Audit

Remember, controlling the project is important because things never work out
exactly as planned. To meet your goal, it's important that you stay on top of
changes. This is where the audit function fits in.

To truly appreciate the relationship between IS audit and Project Management,
I recommend that you read the following REAL LIFE Project Management
audit documents that have been used by real world government organizations /
NGOs:

The Canadian Passport Office IRIS Project
http://www.ppt.gc.ca/publications/iris_oct99.aspx

Template - PM Audit Checklist
http://www.auditnet.org/docs/PM-AuditQuestionnaire.pdf#search='PROJECT%20MANAGEMENT%20AUDIT'

Also, read the following document in depth. This is an excellent article that
describes the complex relationship between Project Management, Risk
Management and the Auditing function:

http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditE-businessrisksProjectMgmt!OpenDocument

By going through these documents, you will be able to tell exactly the role of
the audit function in a project management context.

Change Management

Change Management Defined

You can think of Change Management as

- The task of managing change

- An area of professional practice

- A body of knowledge

One meaning of managing change refers to the making of changes in a planned
and managed or systematic fashion, with the aim of more effectively
implementing new methods and systems in an ongoing organization. These
changes may be of the type over which the organization exercises little or no control,
or of the type that is well planned.

As an “Area of Professional Practice”, we see many independent consultants
who acknowledge that they are change agents that manage change for their
clients, and that their practices are change management practices. Stemming
from the view of change management as an area of professional practice, there
arises the third definition of change management: the subject matter of change
management as a body of knowledge.

In fact, at the heart of change management we have the change problem: some
future state to be realized, some current state to be left behind, and some
process for getting from the one to the other. At the conceptual level, the
change problem is a matter of moving from one state to another. At the
practical level, changes and the change problems they present are problems of
adaptation, in that they require the organization to adjust itself to an ever-changing
set of circumstances.

Change management auditing, with respect to the IT control environment
within an organization, is aimed at limiting unauthorized changes and the errors
and disruption caused by changes to essential IT assets, including computer
applications and system platforms. A change management control system is
therefore made available for setting out procedures to analyze, implement, and
review changes to the information technology infrastructure.

Change Management strategies

Generally speaking, there is no single strategy in regards to change management.
One may adopt a general or what is called a "grand strategy", but for any given
initiative some mix of strategies is the best option.

Four strategies have been outlined in Fred Nickols’s article “Change
Management 101”:

Strategy                Description

Rational-Empirical      People are rational and will follow their self-interest
                        once it is revealed to them. Change is based on the
                        communication of information and the proffering of
                        incentives.

Normative-Reeducative   People are social beings and will adhere to cultural
                        norms and values. Change is based on redefining and
                        reinterpreting existing norms and values, and
                        developing commitments to new ones.

Power-Coercive          People are basically compliant and will generally do
                        what they are told or can be made to do. Change is
                        based on the exercise of authority and the imposition
                        of sanctions.

Environmental-Adaptive  People oppose loss and disruption but they adapt
                        readily to new circumstances. Change is based on
                        building a new organization and gradually transferring
                        people from the old one to the new one.

The proper mix of strategies to be used can be determined by the following
factors:

- Degree of Resistance

- The Stakes

- The Time Frame

- Expertise

- Dependency

Along the journey of making changes, there is a need to control the change
process and the elements within it. Change control is often perceived as a part
of the Change Management process where the audit function may fit in.

Change Management VS Change Control VS Configuration Management

If we play with the textual definitions, one may argue that Change Management
and Change Control are two totally different disciplines. In fact, in the field of
Project Management, there tend to be differing understandings of these terms
or expressions. The problems are compounded where participants are
unfamiliar with project work and do not recognize the implicit context.

The term Change Management is normally used to mean the achievement of
change in human behavior as part of an overall business solution. The term
Change Control, which is often also referred to as "Change Management",
refers to the management process for requesting, reviewing, approving, carrying
out and controlling changes to the project's deliverables.

Change Control is usually applied once the first version of a deliverable has
been completed and agreed.

Sometimes people associate Change Control with Configuration Management,
which is the technical and administrative control of the multiple versions or
editions of a specific deliverable (particularly where the component has been
changed after it was initially completed):

“Configuration Management is the identification and maintenance of the configuration of a
software product, throughout the product's life, and including both successive and parallel
product versions, for the purpose of systematically controlling changes and thereby maintaining
the product's integrity and traceability”8.

Change Control

“Change Control is a technique for the management of modifications to existing application
software. Compared with the reactive-ness of Incident Reporting, Change Control recognizes the
need for adaptation to externally imposed change, and looks for opportunities for internally
instigated change. It is concerned not only with adaptation of an application's existing functions,
but also with its extension to include new functions”9.

To know what change control exactly is, take a look at the following fragment
of an audit report extracted from a real world case:

8 http://www.anu.edu.au/people/Roger.Clarke/SOS/ChgeCtl90.html

9 Ibid.

Does the Department Adequately Manage the Maintenance and Updating of Its Critical
Software?

Because of the dynamic nature of computer software, it's important to have a
well organized system to manage the process of making changes. Large and
complex computer programs are constantly in flux. As a result, computer
programs remain works in progress long after they are put into daily use.
However, if changes to the software aren't well organized and closely
managed, the software can quickly become unreliable.

The Department places the responsibility for managing changes on the users,
where it belongs. System changes are approved and monitored by several
steering groups made up of users of the system from across the state, as well
as representatives from the Department's programming staff. While
programmers make the actual changes, users decide which changes need to be
made and set priorities for the programmers.

Overall, the change control process needs to be better organized and
documented. The system of user groups the Department uses to control the
process is well designed. However, change control as a whole could be
improved by adding more organization and better documentation.
Specifically, the Department could improve its system by:

- developing written change control policies

- developing a policy requiring the system supervisor to approve in
writing incorporation of software changes into the production software

- in the case of significant changes, requiring formal user acceptance
tests before the final changes are allowed to be incorporated into the
production software

- requiring staff to update user operation manuals when changes are
made to the software

Change control is often perceived merely as a means of prolonging the life of an
application; increasingly, it must be a proactive measure driven by business
needs and initiated by functional managers. The IS auditors help to check and
find out whether the proper IS control mechanisms needed by the change
control process are in place and are properly followed.

Refer to the summary below for several more related terms:

In the context of IT, the term configuration management (configuration
control) often refers to:

(i) the management of security features and assurances through control of
changes made to hardware, software, firmware, documentation, test, test
fixtures and test documentation of an automated information system,
throughout the development and operational life of a system; and

(ii) the control of changes, including the recording thereof, that are made to the
hardware, software, firmware, and documentation throughout the system
lifecycle.

Revision control (also known as version control) refers to the management of
multiple revisions of the same unit of information. It is most commonly used in
systems engineering and software development to manage ongoing development
of digital documents like application source code. Changes are identified by
incrementing an associated number or letter code, termed the "revision
number", "revision level", or simply "revision", and associated historically with
the person making the change.

Release Management is the discipline within software engineering of
managing software releases. A release manager serves as a liaison between
varying business units to guarantee smooth and timely delivery of software
products or updates. The release manager also holds the keys to production
systems and takes responsibility for their quality and availability.

Key points to follow:

- Prior to changes being applied to the live environment, change requests
should be documented through a change request form and accepted
only from authorized individuals. All changes have to be approved by
the application ‘owner’, and the possible impact of changes should
be assessed in terms of overall risk and of effects on other components of the
application. Additionally, all changes should be tested and should be
reviewed to ensure that they do not compromise security controls. Back-out
positions should be established so that the changes can be backed
out if they fail.

- Application changes should be performed by individuals who are
capable of making changes correctly and securely and be supervised by a
specialist. Each change must also be signed off by the application owner.

- Arrangements should be made to ensure that once changes have been
applied, version control is maintained and that details of changes are
communicated to relevant individuals. Additionally, checks must be
performed on a regular basis to confirm that only intended changes have
been made, such as using code comparison programs or checking
‘before and after’ contents of key records such as within customer
master files.

From a pure software development point of view, Release Management is
closely related to Change Control.
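The last of the key points above, checking the ‘before and after’ contents of key records to confirm that only the intended changes were made, looks like this in practice. The following Python script is an added example and not code from the original guide: it compares two snapshots of a constructed customer master file against the changes authorised on a change request and reports every difference the request did not cover, as well as approved changes that never landed. The file layout, the change request format and the rows are assumptions made for the demonstration.

```python
"""Added example (not from the original guide): confirming that only the
intended changes were made to key records.

Compares a "before" and an "after" snapshot of a key file (a constructed
customer master file keyed by customer_id) and checks every difference against
the changes authorised on a change request. The file layout, ticket format and
rows are assumptions made for the demonstration.
"""
import csv
import io

# Constructed snapshots taken before and after change request CR-1234 was applied.
BEFORE = """\
customer_id,name,credit_limit,status
1001,Acme Ltd,5000,active
1002,Bolt plc,12000,active
1003,Cider Co,800,suspended
"""

AFTER = """\
customer_id,name,credit_limit,status
1001,Acme Ltd,5000,active
1002,Bolt plc,20000,active
1003,Cider Co,800,active
1004,Delta GmbH,1500,active
"""

# What CR-1234 (constructed) authorised: (record key, field) -> expected new value.
# The field "*" with "insert"/"delete" covers whole-record additions and removals.
APPROVED = {
    ("1002", "credit_limit"): "20000",
    ("1004", "*"): "insert",
}


def load(text: str, key: str = "customer_id") -> dict:
    """Parse a CSV snapshot into {key value: row dict}."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}


def diff_records(before: dict, after: dict):
    """Yield (key, field, old, new) for every changed field or record."""
    for key in sorted(set(before) | set(after)):
        if key not in before:
            yield key, "*", None, "insert"
        elif key not in after:
            yield key, "*", "present", "delete"
        else:
            for field, old in before[key].items():
                new = after[key].get(field)
                if old != new:
                    yield key, field, old, new


def reconcile(before_text: str, after_text: str, approved: dict) -> dict:
    """Split observed changes into those the change request covers and those it does not."""
    before, after = load(before_text), load(after_text)
    approved_seen, unapproved = [], []
    for key, field, old, new in diff_records(before, after):
        change = {"record": key, "field": field, "before": old, "after": new}
        if approved.get((key, field)) == new:
            approved_seen.append(change)
        else:
            unapproved.append(change)
    # Approved changes that never landed are also worth a question to the implementer.
    applied = {(c["record"], c["field"]) for c in approved_seen}
    not_applied = sorted(k for k in approved if k not in applied)
    return {"approved": approved_seen, "unapproved": unapproved, "not_applied": not_applied}


if __name__ == "__main__":
    result = reconcile(BEFORE, AFTER, APPROVED)
    for change in result["unapproved"]:
        print("UNAPPROVED:", change)
    for key in result["not_applied"]:
        print("APPROVED BUT NOT APPLIED:", key)
```

Here the reactivation of customer 1003 is flagged because CR-1234 never authorised it. The check is only as good as its inputs: the snapshots must be taken by someone other than the person applying the change (the separation of duties stressed elsewhere in this guide), and the same approach works for configuration files or database exports keyed on any stable identifier.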

Questions you may ask concerning configuration management:

- Does your organization have a configuration control plan?

- Does your organization have a configuration control function or the
equivalent to direct activities in this area? If so, does the configuration
control function approve and record all changes to hardware, software, and
firmware?

- Does your organization have network and system diagrams and a list of all
system resources?

- Are only authorized individuals allowed to move and install computer
equipment?

Application Program Development

Basic knowledge of database systems, data modeling, procedural
programming and object oriented programming is required under this
knowledge domain.

Security is an issue that must be addressed in each phase of the development
effort, not just at the end of development. Therefore, separation of duties has
to be practiced all the time, and a programmer should never have direct access
to code that is in production. Remember, separation of duties is
always the correct answer!

General guidelines

Program development security is particularly important when there is proprietary
software under development. The general guidelines are:

- Allow only the applications programmers to have access to application
programs under development, and nothing else.

- Allow only systems programmers to have access to system programs under
development, and nothing else.

- Allow only librarians to have write access to system and application
libraries, and nothing else.

- Allow access to live data only through programs that are in the application
libraries, and nothing else.

- Proper change controls must be in place if changes to program code are
regularly required.

System change control

Changes must be authorized, tested and recorded. Changes can be approved
only if they do not affect the security level of the system.

The change control sub-phases include:

- Request control

- Change control

- Release control

The change control process includes the following steps:

- Make a formal request for change

- Analyze the request

- Record the change request

- Submit the change request for approval

- Develop the change

Software development processes and models

System development life cycle (SDLC) refers to the process of developing
information systems through investigation, analysis, design, implementation and
maintenance. It is a systems approach to problem solving and is made up of
several phases, including:

- Software concept

- Requirements analysis

- Architectural design

- Coding and debugging

- System testing

The Waterfall Model, a popular version of the systems development life cycle
model for software engineering, includes the following phases:

- System requirements

- Software requirements

- Analysis

- Program design

- Coding

- Testing

- Operations & Maintenance

The waterfall model describes a development method that is linear and


sequential. It offers distinct goals for each phase of development. The
advantage is that it allows for departmentalization and managerial control. For
example, a schedule can be set with deadlines for each stage of development
and a product can proceed through the development process step by step
without much complexity. The disadvantage is that it does not allow for much
reflection or revision. That means, once an application is in the testing stage, it
is very difficult to go back and change something that was not well-thought out
in the concept stage.

The spiral model is a development model that combines elements of both


design and prototyping-in-stages in an effort to combine advantages of both
the top-down approach and the bottom-up methodology. Under this model,
each phase starts with a design goal and ends with the client reviewing the
progress thus far. Analysis and engineering efforts are applied at each phase of
the project, with an eye toward the overall end goal of the project.
The Chaos model is a structure of software development that extends the spiral model and the waterfall model. It notes that the phases of the life cycle apply to all levels of projects, from the whole project to individual lines of code. In fact, this model has several tie-ins with chaos theory:

- It helps explain why software is so unpredictable.

- It explains why high-level concepts like architecture cannot be treated independently of low-level lines of code.

- It provides a hook for explaining what to do next in terms of the chaos strategy.

Buy vs Make: Acquisition Management Methods

It is very common for an organization to purchase off-the-shelf or tailor-made software from an outside supplier. Because of this, it is important to investigate the acquisition process used by the organization so as to comply with the defined security guidelines and procedures. In fact, part of that contract/outsourcing process should include making sure that the security vendor's service levels are spelled out satisfactorily. A recommended way is to devise an evaluation matrix that lists the requirements of the organization and rates each service provider on how well they achieve each requirement.
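The evaluation matrix just described, as an added example (mine, not the guide's): each requirement carries a weight and a mandatory flag, each provider is rated per requirement, and the matrix computes a weighted percentage while disqualifying any provider that fails a mandatory requirement. The requirements, weights, vendor names and ratings are constructed samples.

```python
# Constructed requirements: name -> (weight, mandatory). The weight expresses how
# important the requirement is to the organisation; a mandatory requirement rated
# zero disqualifies the provider regardless of its total score.
REQUIREMENTS = {
    "encryption of data at rest": (5, True),
    "incident notification SLA": (4, True),
    "audit log retention": (3, False),
    "right-to-audit clause": (4, False),
    "price": (2, False),
}

# Constructed provider ratings on a 0-3 scale (0 = requirement not met).
VENDORS = {
    "Vendor A": {"encryption of data at rest": 3, "incident notification SLA": 2,
                 "audit log retention": 3, "right-to-audit clause": 1, "price": 3},
    "Vendor B": {"encryption of data at rest": 3, "incident notification SLA": 3,
                 "audit log retention": 2, "right-to-audit clause": 3, "price": 1},
    "Vendor C": {"encryption of data at rest": 0, "incident notification SLA": 3,
                 "audit log retention": 3, "right-to-audit clause": 3, "price": 3},
}

MAX_RATING = 3


def score_vendor(ratings, requirements=REQUIREMENTS):
    """Return (weighted score as a percentage, list of failed mandatory requirements)."""
    failed = []
    total = 0
    max_total = 0
    for name, (weight, mandatory) in requirements.items():
        rating = ratings.get(name, 0)  # a requirement with no rating counts as unmet
        if mandatory and rating == 0:
            failed.append(name)
        total += weight * rating
        max_total += weight * MAX_RATING
    return round(100 * total / max_total, 1), failed


def rank_vendors(vendors=VENDORS, requirements=REQUIREMENTS):
    """Rank qualifying providers by score; disqualified ones are returned separately
    with the mandatory requirements they failed, so the reason is on record."""
    qualified = []
    disqualified = {}
    for vendor, ratings in vendors.items():
        pct, failed = score_vendor(ratings, requirements)
        if failed:
            disqualified[vendor] = failed
        else:
            qualified.append((vendor, pct))
    qualified.sort(key=lambda item: item[1], reverse=True)
    return qualified, disqualified


if __name__ == "__main__":
    ranking, out = rank_vendors()
    for vendor, pct in ranking:
        print(f"{vendor}: {pct}%")
    for vendor, reasons in out.items():
        print(f"{vendor}: disqualified ({', '.join(reasons)})")
```

Note how the cheapest and otherwise strong Vendor C is excluded: a weighted sum alone would have ranked it, which is why mandatory security requirements are gated separately rather than merely weighted.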

If acquisition is conducted through bidding, certain controls of the bidding process should be in place. Here are the general guidelines:

- A formal bidding process should be open and fair, encourage competition, and provide the purchasing entity with the best product at the lowest possible price.

- Develop a checklist for the review of various requirements for formal bids, including insurance, bonding, specifications, and evaluation and award.

- Establish a system to monitor compliance with the bid tabulation procedure, including the rules and controls for accepting bid changes after the bids are opened.

- Develop and implement an effective filing system for bid files.

- Require that all purchase specifications clearly state the bid evaluation criteria, and ascertain that the staff use only the evaluation criteria included in the purchase specifications.

- Criteria for bids should be laid out in the request for proposal.

- A formal bidders list should be maintained.

- Bids should be opened and recorded by someone not involved in the bid evaluation process. Retain the bid envelope that shows the dates and times of bid receipt and opening, and file it with the other bid documents.

Technical Readings

There are 5 sections included in this part of the study guide. They cover the majority of technical topics that will be tested in the CISA/CISM exams. By going through all of them your readiness for the real exams can be reasonably assured.

- Section 1: Topics on security theory.

- Section 2: Topics on hacking, attacking, defending and auditing.

- Section 3: Topics on encryption and VPN.

- Section 4: Topics on responding to attacks.

- Section 5: Topics on viruses.

As a reminder: Biometrics is an important topic. Check out the various forms of biometrics technology described in this web page: http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm . Know their drawbacks and their impacts.

Slide 1

Technical Readings

for CISA/CISM candidates 

Covering the technical elements of the 2005/06 objectives

Copyright 2005/06. All rights reserved. 1

Slide 2

What is included in this study guide?

- There are 5 sections included in this part of the study guide. They cover the majority of technical topics that will be tested in the CISA/CISM exams. By going through all of them your readiness for the real exams can be reasonably assured.
  - Section 1: Topics on security theory.
  - Section 2: Topics on hacking, attacking, defending and auditing.
  - Section 3: Topics on encryption and VPN.
  - Section 4: Topics on responding to attacks.
  - Section 5: Topics on viruses.

Slide 3

What is included? cont’d

- Basically, we did all the homework for you! We:
  - reviewed the major preparation products available in the market and identified the missing critical information
  - collected and summarized these missing pieces and present them to you in an easy-to-follow style

Slide 4

Before you begin… 

- Make sure you have enough time: based on past experience, it takes an average student 3 full days at the least to go through all the sections.

Slide 5

Before you begin… 

- Copyright Information
  - Some contents of this product are extracted and recompiled from the various Linux Security HOWTO documents, which are copyrighted by Kevin Fenzi and Dave Wreski and distributed under the following terms:
    - Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium, physical or electronic, as long as this copyright notice is retained on all copies. All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents are covered under this copyright notice.
  - Information presented in this product is platform independent. Content has been modified to fulfill the purpose of this product.

Slide 6

Section 1

Security Theory

Slide 7

Section 1 – Issue 1

- Why Do We Need Security?
  - In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure. As your data goes from point A to point B on the Internet, for example, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, it. Even other users on your system may maliciously transform your data into something you did not intend.
  - Unauthorized access to your system may be obtained by intruders, also known as "crackers", who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources.

Slide 8

Section 1 – Issue 2

- How Secure Is Secure?
  - First, keep in mind that no computer system can ever be completely secure. All you can do is make it increasingly difficult for someone to compromise your system. For the average home user, not much is required to keep the casual cracker at bay. However, for high-profile users (banks, telecommunications companies, etc.), much more work is required.

Slide 9

Section 1 – Issue 2 cont’d

- How Secure Is Secure?
  - Another factor to take into account is that the more secure your system is, the more intrusive your security becomes. You need to decide where in this balancing act your system will still be usable, and yet secure for your purposes. For instance, you could require everyone dialing into your system to use a call-back modem to call them back at their home number. This is more secure, but if someone is not at home, it makes it difficult for them to log in. You could also set up your system with no network or connection to the Internet, but this limits its usefulness.

Slide 10

Section 1 – Issue 2 cont’d

  - If you are a medium to large-sized site, you should establish a security policy stating how much security is required by your site and what auditing is in place to check it.

Slide 11

Section 1 – Issue 3

- What Are You Trying to Protect?
  - Before you attempt to secure your system, you should determine what level of threat you have to protect against, what risks you should or should not take, and how vulnerable your system is as a result. You should analyze your system to know what you're protecting, why you're protecting it, what value it has, and who has responsibility for your data and other assets.

Slide 12

Section 1 – Issue 3 cont’d


  - Risk is the possibility that an intruder may be successful in attempting to access your computer. Can an intruder read or write files, or execute programs that could cause damage? Can they delete critical data? Can they prevent you or your company from getting important work done? Don't forget: someone gaining access to your account, or your system, can also impersonate you. Additionally, having one insecure account on your system can result in your entire network being compromised. If you allow a single user to log in using a .rhosts file, or to use an insecure service such as tftp, you risk an intruder getting 'his foot in the door'. Once the intruder has a user account on your system, or someone else's system, it can be used to gain access to another system, or another account.
  - Threat is typically from someone with motivation to gain unauthorized access to your network or computer. You must decide whom you trust to have access to your system, and what threat they could pose.

Slide 13

Section 1 – Issue 4

- Types of intruders:
  - The Curious - This type of intruder is basically interested in finding out what type of system and data you have.
  - The Malicious - This type of intruder is out to either bring down your systems, or deface your web page, or otherwise force you to spend time and money recovering from the damage he has caused.
  - The High-Profile Intruder - This type of intruder is trying to use your system to gain popularity and infamy. He might use your high-profile system to advertise his abilities.

Slide 14

Section 1 – Issue 4 cont’d

  - The Competition - This type of intruder is interested in what data you have on your system. It might be someone who thinks you have something that could benefit him, financially or otherwise.
  - The Borrowers - This type of intruder is interested in setting up shop on your system and using its resources for their own purposes. He typically will run chat or IRC servers, porn archive sites, or even DNS servers.
  - The Leapfrogger - This type of intruder is only interested in your system to use it to get into other systems. If your system is well-connected or a gateway to a number of internal hosts, you may well see this type trying to compromise your system.

Slide 15

Section 1 – Issue 5

- Vulnerability
  - It describes how well-protected your computer is from another network, and the potential for someone to gain unauthorized access. What's at stake if someone breaks into your system? Of course the concerns of a dynamic PPP home user will be different from those of a company connecting their machine to the Internet, or another large network.
  - How much time would it take to retrieve/recreate any data that was lost? An initial time investment now can save ten times more time later if you have to recreate data that was lost. Have you checked your backup strategy, and verified your data lately?

Slide 16

Section 1 – Issue 6

- Developing A Security Policy
  - Create a simple, generic policy for your system that your users can readily understand and follow. It should protect the data you're safeguarding as well as the privacy of the users. Some things to consider adding are: who has access to the system (Can my friend use my account?), who's allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system.

Slide 17

Section 1 – Issue 6 cont’d

  - A generally-accepted security policy starts with the phrase "That which is not permitted is prohibited".
    - This means that unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access. Make sure the policies work on your regular user account. Saying, "Ah, I can't figure out this permissions problem, I'll just do it as root" can lead to security holes that are very obvious, and even ones that haven't been exploited yet.
    - rfc1244 is a document that describes how to create your own network security policy.
    - rfc1281 is a document that shows an example security policy with detailed descriptions of each step.
    - Finally, you might want to look at the COAST policy archive at ftp://coast.cs.purdue.edu/pub/doc/policy to see what a real-life security policy looks like. There are policy files for public download.

Slide 18

Section 1 – Issue 7
- Means of Securing Your Site
  - What would happen to your reputation if an intruder deleted some of your users' data? Or defaced your web site? Or published your company's corporate project plan for next quarter? If you are planning a network installation, there are many factors you must take into account before adding a single machine to your network.
  - Even if you have a single dialup PPP account, or just a small site, this does not mean intruders won't be interested in your systems. Large, high-profile sites are not the only targets -- many intruders simply want to exploit as many sites as possible, regardless of their size. Additionally, they may use a security hole in your site to gain access to other sites you're connected to.
  - Intruders have a lot of time on their hands, and can avoid guessing how you've obscured your system just by trying all the possibilities. There are also a number of reasons an intruder may be interested in your systems, which we will discuss later.

Slide 19

Section 1 – Issue 8

- Host Security
  - Perhaps the area of security on which administrators concentrate most is host-based security. This typically involves making sure your own system is secure, and hoping everyone else on your network does the same. Choosing good passwords, securing your host's local network services, keeping good accounting records, and upgrading programs with known security exploits are among the things the local security administrator is responsible for doing. Although this is absolutely necessary, it can become a daunting task once your network becomes larger than a few machines.

Slide 20

Section 1 – Issue 9

- Local Network Security
  - Network security is as necessary as local host security. With hundreds, thousands, or more computers on the same network, you can't rely on each one of those systems being secure. Ensuring that only authorized users can use your network, building firewalls, using strong encryption, and ensuring there are no "rogue" (that is, unsecured) machines on your network are all part of the network security administrator's duties.

Slide 21

Section 1 – Issue 10

- Security Through Obscurity
  - One type of security that must be discussed is "security through obscurity". This means, for example, moving a service that has known security vulnerabilities to a non-standard port in hopes that attackers won't notice it's there and thus won't exploit it. Rest assured that they can determine that it's there and will exploit it. Security through obscurity is no security at all. Simply because you may have a small site, or a relatively low profile, does not mean an intruder won't be interested in what you have.

Slide 22

Section 1 – Issue 11

- Physical Security
  - The first layer of security you need to take into account is the physical security of your computer systems. Who has direct physical access to your machine? Should they? Can you protect your machine from their tampering? Should you?
  - How much physical security you need on your system is very dependent on your situation, and/or budget.

Slide 23

Section 1 – Issue 11 cont’d


  - If you are a home user, you probably don't need a lot (although you might need to protect your machine from tampering by children or annoying relatives). If you are in a lab, you need considerably more, but users will still need to be able to get work done on the machines. Many of the following sections will help out. If you are in an office, you may or may not need to secure your machine off-hours or while you are away. At some companies, leaving your console unsecured is a termination offense.
  - Obvious physical security methods such as locks on doors, cables, locked cabinets, and video surveillance are all good ideas, but beyond the scope of this document. :)

Slide 24

Section 1 – Issue 12

- Computer locks
  - Many modern PC cases include a "locking" feature. Usually this will be a socket on the front of the case that allows you to turn an included key to a locked or unlocked position. Case locks can help prevent someone from stealing your PC, or opening up the case and directly manipulating/stealing your hardware. They can also sometimes prevent someone from rebooting your computer from their own floppy or other hardware.

Slide 25

Section 1 – Issue 12 cont’d

  - These case locks do different things according to the support in the motherboard and how the case is constructed. On many PCs they make it so you have to break the case to get the case open. On some others, they will not let you plug in new keyboards or mice. Check your motherboard or case instructions for more information. This can sometimes be a very useful feature, even though the locks are usually very low-quality and can easily be defeated by attackers with locksmithing.
  - Some machines (most notably SPARCs and Macs) have a dongle on the back that, if you put a cable through, attackers would have to cut the cable or break the case to get into it. Just putting a padlock or combo lock through these can be a good deterrent to someone stealing your machine.

Slide 26

Section 2

Hacking, attacking, defending and auditing

Slide 27

Section 2 – Issue 1

- To be able to defend and audit, you should know how to hack (think like a hacker).

Slide 28

Section 2 – Issue 2
- Packet Sniffers
  - One of the most common ways intruders gain access to more systems on your network is by employing a packet sniffer on an already compromised host. This "sniffer" just listens on the Ethernet port for things like passwd and login and su in the packet stream and then logs the traffic after that. This way, attackers gain passwords for systems they are not even attempting to break into. Clear-text passwords are very vulnerable to this attack.
  - Example: Host A has been compromised. Attacker installs a sniffer. Sniffer picks up admin logging into Host B from Host C. It gets the admin's personal password as they log in to B. Then, the admin does a su to fix a problem. They now have the root password for Host B. Later the admin lets someone telnet from his account to Host Z on another site. Now the attacker has a password/login on Host Z.

Slide 29

Section 2 – Issue 2 cont’d

  - In this day and age, the attacker doesn't even need to compromise a system to do this: they could also bring a laptop or PC into a building and tap into your net.
  - Using ssh or other encrypted password methods thwarts this attack. Things like APOP for POP accounts also prevent this attack. (Normal POP logins are very vulnerable to this, as is anything that sends clear-text passwords over the network.)

Slide 30

Section 2 – Issue 3
- SATAN, ISS, and Other Network Scanners
  - There are a number of different software packages out there that do port and service-based scanning of machines or networks. SATAN, ISS, SAINT, and Nessus are some of the more well-known ones. This software connects to the target machine (or all the target machines on a network) on all the ports it can, and tries to determine what service is running there. Based on this information, you can tell if the machine is vulnerable to a specific exploit on that server.
- SATAN (Security Administrator's Tool for Analyzing Networks) is a port scanner with a web interface. It can be configured to do light, medium, or strong checks on a machine or a network of machines. It's a good idea to get SATAN and scan your machine or network, and fix the problems it finds. Make sure you get the copy of SATAN from metalab or a reputable FTP or web site. There was a Trojan copy of SATAN that was distributed out on the net. Note that SATAN has not been updated in quite a while, and some of the other tools below might do a better job.

Slide 31

Section 2 – Issue 3 cont’d

- ISS (Internet Security Scanner) is another port-based scanner. It is faster than SATAN, and thus might be better for large networks. However, SATAN tends to provide more information.
- Abacus is a suite of tools developed by Psionic to provide host-based security and intrusion detection.

Slide 32

Section 2 – Issue 3 cont’d

- SAINT is an updated version of SATAN. It is web-based and has many more up-to-date tests than SATAN.
- Nessus is a free security scanner. It has a graphical interface for ease of use. It is also designed with a very nice plugin setup for newly updated port-scanning tests.

Slide 33

Section 2 – Issue 3 cont’d

- Security scanners are often used in the process of security auditing as well as footprinting.
  - Footprinting is the first step in information gathering by hackers: to perform a successful attack, one needs to gather information on all aspects of the prospective target organization's security posture, the profile of its Intranet, its remote access capabilities, its intranet/extranet presence, etc.

Slide 34

Section 2 – Issue 3 cont’d

- Footprinting relies on info gathering. These are popular sources of such info:
  - American Registry for Internet Numbers
  - CERT®/CC Finding Site Contacts
  - InterNIC
  - Network Operations Centers List
  - Network Solutions
  - US Securities and Exchange Commission
  - Enumeration is also an information gathering technique, but is an intrusive one!
    - It is the process of extracting valid user accounts, poorly protected file shares or other resources from a target system.
  - This process is usually logged.

Slide 35

Section 2 – Issue 3 cont’d

  - Security auditing performed before anything has happened typically involves the use of security scanners and other tools to test the security level of the network.

Slide 36

Section 2 – Issue 3 cont’d

  - Security auditing performed after things have gone wrong typically involves the examination of the audit trail.
    - However, the presence of rootkits and track-covering tools may hinder this process.
      - Rootkits are tools used by hackers to hide their presence on compromised systems. They are mostly collections of trojaned binaries that replace the common commands.
      - Track-covering tools can wipe out the audit logs. Examples include Wipe and Zap.

Slide 37

Section 2 – Issue 4

- Detecting Port Scans
  - There are some tools designed to alert you to probes by SATAN and ISS and other scanning software. However, if you liberally use tcp_wrappers, and look over your log files regularly, you should be able to notice such probes. Even on the lowest setting, SATAN still leaves traces in the logs on a stock Red Hat system.
  - There are also "stealth" port scanners. A packet with the TCP ACK bit set (as is done with established connections) will likely get through a packet-filtering firewall. The returned RST packet from a port that _had no established session_ can be taken as proof of life on that port. I don't think TCP wrappers will detect this.
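The log-review approach described on this slide, as an added example (mine, not from the guide or the Linux Security HOWTO it draws on): the script parses constructed firewall log lines, flags a source that touches many distinct ports on one host within a short window (the ordinary probe pattern), and separately flags ACK-only packets from a source that never sent a SYN to that host (the "stealth" ACK probe pattern, which a stateless filter lets through but a log review can still surface). The log format, thresholds and addresses are assumptions; a real firewall's log fields differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from any real system). Assumed format:
# <ISO timestamp> <action> <proto> <src ip>:<port> -> <dst ip>:<port> <TCP flag>
SAMPLE_LOG = """\
2009-03-01T10:00:00 ACCEPT TCP 192.0.2.50:51000 -> 192.0.2.10:80 SYN
2009-03-01T10:00:00 ACCEPT TCP 192.0.2.50:51000 -> 192.0.2.10:80 ACK
2009-03-01T10:00:01 DROP TCP 203.0.113.5:40000 -> 192.0.2.10:21 SYN
2009-03-01T10:00:01 DROP TCP 203.0.113.5:40001 -> 192.0.2.10:22 SYN
2009-03-01T10:00:01 DROP TCP 203.0.113.5:40002 -> 192.0.2.10:23 SYN
2009-03-01T10:00:02 DROP TCP 203.0.113.5:40003 -> 192.0.2.10:25 SYN
2009-03-01T10:00:02 ACCEPT TCP 203.0.113.5:40004 -> 192.0.2.10:80 SYN
2009-03-01T10:00:02 DROP TCP 203.0.113.5:40005 -> 192.0.2.10:110 SYN
2009-03-01T10:00:03 DROP TCP 203.0.113.5:40006 -> 192.0.2.10:143 SYN
2009-03-01T10:00:03 DROP TCP 203.0.113.5:40007 -> 192.0.2.10:443 SYN
2009-03-01T10:00:05 DROP TCP 198.51.100.7:33000 -> 192.0.2.10:22 ACK
2009-03-01T10:00:05 DROP TCP 198.51.100.7:33001 -> 192.0.2.10:80 ACK
2009-03-01T10:00:06 DROP TCP 198.51.100.7:33002 -> 192.0.2.10:443 ACK
2009-03-01T10:05:00 ACCEPT TCP 192.0.2.51:52000 -> 192.0.2.10:443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$")


def parse_log(text):
    """Parse log text into a list of dicts, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_port_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Sources that touch at least `min_ports` distinct ports on one host within `window`.

    Returns {(src, dst): max distinct ports seen in any window}. Both accepted and
    dropped packets count: a probe of an open port is still part of the scan."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))
    alerts = {}
    for (src, dst), hits in by_pair.items():
        hits.sort()
        start = 0  # sliding window over the time-ordered hits for this pair
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(ports))
    return alerts


def find_ack_probes(events):
    """ACK-only packets from a source that never sent a SYN to that host.

    A legitimate session starts with a SYN, so an ACK with no earlier SYN from the
    same source is the 'stealth' probe pattern described above. The log is assumed
    to be in time order."""
    seen_syn = set()
    probes = defaultdict(int)
    for ev in events:
        key = (ev["src"], ev["dst"])
        if ev["flags"] == "SYN":
            seen_syn.add(key)
        elif ev["flags"] == "ACK" and key not in seen_syn:
            probes[key] += 1
    return dict(probes)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port scans:", find_port_scans(evs))
    print("ACK probes:", find_ack_probes(evs))
```

A stateful firewall would normally drop and log the ACK-only packets as out-of-state; the second check exists for the stateless packet filter the slide describes, where only a review of the accept/drop log reveals them.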

Slide 38

Section 2 – Issue 5

- Denial of Service Attacks
  - A "Denial of Service" (DoS) attack is one where the attacker tries to make some resource too busy to answer legitimate requests, or to deny legitimate users access to your machine.
  - Denial of service attacks have increased greatly in recent years.

Slide 39

Section 2 – Issue 5 cont’d

  - There is no fixed format of DoS. In fact, there are many types of DoS attacks that are based on tons of different methods. A Denial of Service attack can be based on crashing routers, which makes a network inaccessible; crashing DNS servers, which prevents the use of domain names; congesting hosts with requests, etc. It can be anything that stops things from working.
  - A DoS attack is ALWAYS used in conjunction with another attack.

Slide 40

Section 2 – Issue 5 cont’d

  - SYN Flooding - SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are created.
    - Sometimes known as Synk4
    - Systems which fall prey to the SYN flooding attack will have difficulty accepting any new incoming network connections. Therefore, legitimate users attempting to connect to the server will not be able to do so.

Slide 41

Section 2 – Issue 5 cont’d

  - Pentium "F00F" Bug - It was recently discovered that a series of assembly codes sent to a genuine Intel Pentium processor would reboot the machine. This affects every machine with a Pentium processor (not clones, not Pentium Pro or PII), no matter what operating system it's running.

Slide 42

Section 2 – Issue 5 cont’d

  - Ping Flooding / Smurf / Fraggle - Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network.
    - A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably.
    - Smurf attacks are network amplification attacks.
    - A Fraggle attack is similar to a Smurf attack except that it uses UDP echo packets, not ICMP echoes.

Slide 43

Section 2 – Issue 5 cont’d


  - Ping o' Death - The Ping o' Death attack sends ICMP ECHO REQUEST packets that are too large to fit in the kernel data structures intended to store them. Because sending a single, large (65,510 bytes) "ping" packet to many systems will cause them to hang or even crash, this problem was quickly dubbed the "Ping o' Death." This one has long been fixed, and is no longer anything to worry about.
  - Teardrop / New Tear - One of the most recent exploits involves a bug present in the IP fragmentation code on Linux and Windows platforms.
    - Teardrop is an attack that exploits the vulnerability found in some implementations of packet reassembly.
    - New Tear is a new teardrop-type exploit which mainly affects NT4 and Win95.

Slide 44

Section 2 – Issue 5 cont’d

  - Land / LaTierra - The Land attack uses IP spoofing in combination with the opening of a TCP connection. Both the source and destination IP addresses are modified to be the same - the address of the destination host. It misleads the machine into continuing to send ACK packets and thus remaining in the loop. The LaTierra attack is similar except that LaTierra sends the TCP packet to more than one port and more than once.

Slide 45

Section 2 – Issue 5 cont’d

  - Blast - a small and quick TCP service stress test tool that can spot potential weaknesses in your network servers.
    - It can be used as a tool for generating a DoS attack!
  - Bonk - an attack that modifies the fragment offset.
    - Also known as "teardrop reversed"

Slide 46

Section 2 – Issue 5 cont’d

- There are many ways to protect oneself against DoS attacks. The most popular ways are:
  - patching the networking code of the OS kernel
  - configuring the network with protective devices such as firewalls.

Slide 47

Section 2 – Issue 6

- Firewalls
  - Firewalls are a means of controlling what information is allowed into and out of your local network. Typically the firewall host is connected to the Internet and your local LAN, and the only access from your LAN to the Internet is through the firewall. This way the firewall can control what passes back and forth between the Internet and your LAN.

Slide 48

Section 2 – Issue 6 cont’d

  - There are a number of types of firewalls and methods of setting them up.
    - Linux machines make pretty good firewalls. Firewall code can be built right into 2.0 and higher kernels. The user-space tools ipfwadm for 2.0 kernels and ipchains for 2.2 kernels allow you to change, on the fly, the types of network traffic you allow. You can also log particular types of network traffic.
    - Windows 2000 provides simple packet filtering functions.
    - Windows XP provides Internet Connection Firewall.

Slide 49

Section 2 – Issue 6 cont’d


- Webopedia classifies firewall techniques as below:
  - "Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
  - Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
  - Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
  - Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses."
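To make the "susceptible to IP spoofing" point concrete, an added example (mine, not from Webopedia or the guide): a toy first-match packet filter with default deny, evaluated against a weak rule set that trusts the internal address range wherever the packet arrived, and a hardened rule set whose first rule is an ingress anti-spoofing rule. The address ranges, interface names and rule fields are assumptions, not any product's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed internal LAN range


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "drop"
    iface: Optional[str] = None    # None matches any value for that field
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src_net is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet matching no rule is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Weak rule set: trusts any packet whose source address is internal, wherever it came from.
WEAK_RULES = [
    Rule("accept", src_net=str(INTERNAL_NET), comment="trust anything claiming an internal source"),
    Rule("accept", iface="ext", proto="tcp", dport=80, comment="public web server"),
]

# Hardened rule set: an ingress anti-spoofing rule (assumed mitigation, not from the slide)
# drops external packets that claim an internal source before any trust rule can match.
HARDENED_RULES = [
    Rule("drop", iface="ext", src_net=str(INTERNAL_NET), comment="anti-spoofing: internal src on external iface"),
    Rule("accept", iface="int", src_net=str(INTERNAL_NET), comment="trust internal only on the internal iface"),
    Rule("accept", iface="ext", proto="tcp", dport=80, comment="public web server"),
]

# Constructed packets: one arriving from the Internet with a forged internal source address,
# one genuinely internal, one ordinary web request.
SPOOFED = Packet("ext", "192.0.2.7", "192.0.2.10", "tcp", 22)
LEGIT_INTERNAL = Packet("int", "192.0.2.7", "192.0.2.10", "tcp", 22)
WEB = Packet("ext", "203.0.113.9", "192.0.2.10", "tcp", 80)


def compare():
    """Decision of (weak, hardened) rule set for each constructed packet."""
    return {name: (evaluate(WEAK_RULES, pkt), evaluate(HARDENED_RULES, pkt))
            for name, pkt in [("spoofed", SPOOFED), ("internal", LEGIT_INTERNAL), ("web", WEB)]}


if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name:9s} weak={weak:6s} hardened={hard}")
```

The weak set is exactly the configuration the slide warns about: the filter has no way to know the source address is forged, so the forged packet reaches a port the public is not supposed to see. The hardened set fixes it by tying the trusted address range to the interface it can legitimately arrive on, and rule order matters because the first match wins.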

Slide 50

Section 2 – Issue 6 cont’d

  - The National Institute of Standards and Technology has put together an excellent document on firewalls. Although dated 1995, it is still quite good (http://csrc.nist.gov/).

Slide 51

Section 2 – Issue 7

n  BIOS Security 
q  The BIOS is the lowest level of software that configures or 
manipulates your x86-based hardware. All boot methods 
access the BIOS to determine how to boot up your 
machine. Other hardware has similar software 
(OpenFirmware on Macs and new Suns, Sun boot PROM, 
etc...). You can use your BIOS to prevent attackers from 
rebooting your machine and manipulating your system. 
q  Many PC BIOSs let you set a boot password. This doesn't 
provide all that much security (the BIOS can be reset, or 
removed if someone can get into the case), but might be a 
good deterrent (i.e. it will take time and leave traces of 
tampering). This might slow attackers down.

Slide 52

Section 2 – Issue 7 cont’d

q  Many x86 BIOSs also allow you to specify various other 
good security settings. Check your BIOS manual or look at 
it the next time you boot up. For example, some BIOSs 
disallow booting from floppy drives and some require 
passwords to access some BIOS features. 
q  Note: If you have a server machine, and you set up a boot 
password, your machine will not boot up unattended. Keep 
in mind that you will need to come in and supply the 
password in the event of a power failure.

Slide 53

Section 2 – Issue 8

n  DLL Injection 
q  a method of inserting malicious code into another 
running process so that access to some 
otherwise restricted piece of information is 
possible.

Slide 54

Section 2 – Issue 9

n  Back Door 
q  an easy route back into an already compromised 
system that was put in place by the current 
attacker or a previous attacker. It may be a 
program that binds itself to a specific port and 
listens for the attacker to connect to it, or a pre-tested 
exploit that is configured by the attacker for 
future reuse.

Slide 55

Section 2 – Issue 10

n  Privilege escalation 
q  the stage of penetration that occurs AFTER an 
attacker has already gained access to a system. 
q  It aims at gaining administrator level privileges on 
the system.

Slide 56

Section 2 – Issue 11

n  War dialing 
q  attack through the phone system. 
q  War dialers were originally developed by and for 
phone phreaks seeking free long-distance service. 
n  They are well suited to the task of scanning and finding 
modems for possible network entry. 
n  Examples include: 
q  Telesweep Secure 
q  PhoneSweep 
q  THC­Scan

Slide 57

Section 2 – Issue 12

n  Purloining and Pilfering 
q  Often referred to as image and bandwidth theft. 
q  Digital watermarking is one way to protect against 
image theft.

Slide 58

Section 3

Encryption and VPN

Slide 59

Section 3 – Issue 1

n  VPNs - Virtual Private Networks 
q  VPNs are a way to establish a "virtual" network on top of some 
already-existing network. This virtual network often is encrypted 
and passes traffic only to and from some known entities that 
have joined the network. VPNs are often used to connect 
someone working at home over the public Internet to an internal 
company network. 
q  VPNs use authenticated links to ensure that only authorized 
users can connect to your network, and they use encryption to 
ensure that data that travels over the Internet can't be intercepted 
and used by others. VPN technology also allows a corporation to 
connect to its branch offices or to other companies over a public 
network while maintaining secure communications. 
q  In Windows 2000, VPNs are built using PPTP or L2TP.

Slide 60

Section 3 – Issue 1 cont’d

n  Point-to-Point Tunneling Protocol (PPTP) provides 
data encryption using Microsoft Point-to-Point 
Encryption. 
n  Layer Two Tunneling Protocol (L2TP) provides data 
encryption, authentication, and integrity using IPSec. 
q  PPTP is suitable for non-Windows 2000 computers. 
q  L2TP is suitable for Windows 2000 or Windows XP clients. 
n  If you want to try out configuring a VPN with Windows 
2000, read the MS KB article 308208.

Slide 61

Section 3 – Issue 2

n  According to Webopedia, "As the Internet and other 
forms of electronic communication become more 
prevalent, electronic security is becoming increasingly 
important. Cryptography is used to protect e-mail 
messages, credit card information, and corporate data. 
One of the most popular cryptography systems used 
on the Internet is Pretty Good Privacy because it's 
effective and free. Cryptography systems can be 
broadly classified into symmetric-key systems that use 
a single key that both the sender and recipient have, 
and public-key systems that use two keys, a public key 
known to everyone and a private key that only the 
recipient of messages uses."

Slide 62

Section 3 – Issue 3

n  CA 
q  Certification authorities are responsible for 
managing certificate requests and issuing 
certificates to participating IPSec network peers. 
These services provide centralized key 
management for the participating peers and 
simplify administration.

Slide 63

Section 3 – Issue 4

n  Digital signatures 
q  Digital signatures are enabled by public key cryptography and 
provide a means to digitally authenticate devices and 
individual users. 
q  In public key cryptography, each user has a key-pair containing 
both a public and a private key. Anything encrypted with one of 
the keys can be decrypted with the other. 
q  In simple terms, a signature is formed when data is encrypted 
with a user's private key. The receiver verifies the signature by 
decrypting the message with the sender's public key. 
q  The fact that the message could be decrypted using the sender's 
public key shows that the holder of the private key must have 
created the message.

Slide 64

Section 3 – Issue 4 cont’d

q  How can you know with a high degree of certainty 
that a public key really does belong to the sender, and 
not to someone pretending to be the sender? 
n  Use digital certificates. A digital certificate contains 
information to identify a user or device, such as the 
name, serial number, company, department or IP 
address. It also contains a copy of the entity's public key.

Slide 65

Section 3 – Issue 4 cont’d

n  Since the certificate is itself signed by a certification 
authority, it is trustworthy. 
n  To be able to validate the CA's signature, the receiver 
must know the CA's public key. This is usually handled 
out-of-band or through an operation done at installation. 
q  Without digital signatures, one must manually 
exchange public keys between each pair of 
peers that use IPSec to protect communications 
between them.
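The three slides on digital signatures above fit together in one short piece of code: a signature is the hash of the data "encrypted" with the private key, the receiver "decrypts" it with the public key and compares, and the public key itself is trusted because a certificate binding it to a name carries the CA's signature, verified with a CA key the receiver already holds. The following is an added example written for this guide, not code from the study guide or from any vendor. It uses textbook RSA with tiny constructed primes and no padding so that everything fits in the standard library; the actor names (CA, alice, mallory) and the message are constructed. Production systems use a vetted library and a standard scheme such as RSA-PSS or ECDSA, never keys of this size.

```python
"""Textbook RSA signatures and a minimal CA-signed certificate, illustrating
the digital signature slides (sign with the private key, verify with the public
key, trust the key through a CA-signed certificate). Added example, not from
the study guide. Toy key sizes and no padding: teaching code only."""
import hashlib
import json
from math import gcd
from typing import Dict, Tuple

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)


def next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine for the toy sizes used here)."""
    n = max(n, 2)
    while any(n % i == 0 for i in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def make_keypair(p: int, q: int) -> Tuple[PublicKey, PrivateKey]:
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:                  # e must be invertible modulo phi
        e += 2
    return (n, e), (n, pow(e, -1, phi))      # pow(e, -1, m) needs Python 3.8+


def digest(data: bytes, n: int) -> int:
    """Hash the data and reduce it into the RSA group so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: PrivateKey, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)        # "encrypt" the hash with the private key


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n) # "decrypt" with the public key and compare


def canonical(body: Dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def make_certificate(ca_priv: PrivateKey, subject: str, subject_pub: PublicKey) -> Dict:
    """A certificate binds an identity to a public key under the CA's signature."""
    body = {"subject": subject, "n": subject_pub[0], "e": subject_pub[1]}
    return {"body": body, "ca_sig": sign(ca_priv, canonical(body))}


def verify_signed_message(ca_pub: PublicKey, cert: Dict, expected_subject: str,
                          data: bytes, sig: int) -> bool:
    """The receiver trusts only ca_pub; the sender's key comes from the certificate."""
    if not verify(ca_pub, canonical(cert["body"]), cert["ca_sig"]):
        return False                         # certificate was not issued by our CA
    if cert["body"]["subject"] != expected_subject:
        return False                         # valid certificate, but for someone else
    return verify((cert["body"]["n"], cert["body"]["e"]), data, sig)


# Constructed actors: a CA, a legitimate sender and an impostor.
CA_PUB, CA_PRIV = make_keypair(next_prime(1_000_000), next_prime(1_000_100))
ALICE_PUB, ALICE_PRIV = make_keypair(next_prime(1_000_200), next_prime(1_000_300))
MALLORY_PUB, MALLORY_PRIV = make_keypair(next_prime(1_000_400), next_prime(1_000_500))
ALICE_CERT = make_certificate(CA_PRIV, "alice", ALICE_PUB)


def demo() -> Dict[str, bool]:
    msg = b"approve purchase order 4711"
    sig = sign(ALICE_PRIV, msg)
    impostor_cert = make_certificate(MALLORY_PRIV, "alice", MALLORY_PUB)  # self-issued
    return {
        "genuine": verify_signed_message(CA_PUB, ALICE_CERT, "alice", msg, sig),
        "tampered": verify_signed_message(CA_PUB, ALICE_CERT, "alice", msg + b"!", sig),
        "wrong_key": verify(MALLORY_PUB, msg, sig),
        "impostor_cert": verify_signed_message(CA_PUB, impostor_cert, "alice", msg,
                                               sign(MALLORY_PRIV, msg)),
    }
```

The "impostor_cert" case is the point of slide 65: Mallory can produce a perfectly good signature and a certificate that says "alice", but the receiver checks the certificate against the CA key it obtained out-of-band, and a self-issued certificate fails that check before the message signature is even looked at.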

Slide 66

Section 3 – Issue 5

n  Legal issues 
q  Be careful when deploying cryptography technology 
overseas. According to Webopedia, "PGP is such an 
effective encryption tool that the U.S. government actually 
brought a lawsuit against Zimmerman for putting it in the 
public domain and hence making it available to enemies of 
the U.S. After a public outcry, the U.S. lawsuit was dropped, 
but it is still illegal to use PGP in many other countries." 
q  By the way, if you want to learn more about PGP, refer to 
its official home page at PGPI.ORG.

Slide 67

Section 4

Responding to attacks

Slide 68

Section 4 – Issue 1

n  Security Compromise Underway. 
q  Spotting a security compromise under way can be a tense 
undertaking. How you react can have large consequences. 
q  If the compromise you are seeing is a physical one, odds 
are you have spotted someone who has broken into your 
home, office or lab. You should notify your local authorities. 
In a lab, you might have spotted someone trying to open a 
case or reboot a machine. Depending on your authority 
and procedures, you might ask them to stop, or contact 
your local security people.

Slide 69

Section 4 – Issue 1 cont’d


n  Detecting Physical Security Compromises 
q  The first thing to always note is when your machine was rebooted. 
The only times your machine should reboot is when you take it 
down for OS upgrades, hardware swapping, or the like. If your 
machine has rebooted without you doing it, that may be a sign 
that an intruder has compromised it. Many of the ways that your 
machine can be compromised require the intruder to reboot or 
power off your machine. 
q  Check for signs of tampering on the case and computer area. 
Although many intruders clean traces of their presence out of 
logs, it's a good idea to check through them all and note any 
discrepancy. 
q  It is also a good idea to store log data at a secure location, such 
as a dedicated log server within your well­protected network. 
Once a machine has been compromised, log data becomes of 
little use as it most likely has also been modified by the intruder.

Slide 70

Section 4 – Issue 1 cont’d

q  The syslog daemon can be configured to automatically 
send log data to a central syslog server, but this is typically 
sent unencrypted, allowing an intruder to view data as it is 
being transferred. This may reveal information about your 
network that is not intended to be public. There are syslog 
daemons available that encrypt the data as it is being sent. 
q  Also be aware that faking syslog messages is easy; an 
exploit program for doing so has been published. Syslog even 
accepts network log entries claiming to come from the local host 
without indicating their true origin.

Slide 71

Section 4 – Issue 1 cont’d

q  Some things to check for in your logs: 
n  Short or incomplete logs. 
n  Logs containing strange timestamps. 
n  Logs with incorrect permissions or ownership. 
n  Records of reboots or restarting of services. 
n  Missing logs. 
n  su entries or logins from strange places.
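Most of the items in this checklist can be mechanised as a pass over the log entries themselves. The following is an added example written for this guide, not code from the study guide: it parses classic syslog lines and reports timestamps that run backwards, reboots, service restarts, and logins or su-to-root sessions whose source address is outside the networks administrators normally work from. The log lines, host names and addresses are constructed, and the 10.0.0.0/8 "admin networks" list stands in for a site's own policy. Short, missing or wrongly-owned log files are file-level checks that sit outside this entry-level scan.

```python
"""Scan syslog-style entries for the warning signs in the checklist above.
Added example, not from the study guide; the log lines and addresses are
constructed and ADMIN_NETS is an assumed site policy."""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (no year field).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"Accepted \w+ for (?P<user>\w+) from (?P<src>\S+)")
SU_RE = re.compile(r"\(to (?P<target>\w+)\) (?P<user>\w+) on")

ADMIN_NETS = [ip_network("10.0.0.0/8")]   # assumed: where admins normally log in from

# Constructed sample: two admins log in, one of them from outside the LAN,
# then the clock jumps backwards and the box reboots.
SAMPLE_LOG = """\
Mar  3 01:02:11 srv1 sshd[412]: Accepted password for alice from 10.0.0.21 port 51000 ssh2
Mar  3 01:05:40 srv1 su: (to root) alice on pts/1
Mar  3 01:06:02 srv1 sshd[530]: Accepted password for bob from 198.51.100.77 port 4120 ssh2
Mar  3 01:07:13 srv1 su: (to root) bob on pts/2
Mar  3 00:58:00 srv1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 01:09:15 srv1 kernel: Linux version 2.4.20 (root@srv1) #1 SMP
Mar  3 01:10:01 srv1 syslogd: restart
"""


def _is_strange(src: str) -> bool:
    """True when the source is not inside any admin network."""
    try:
        return not any(ip_address(src) in net for net in ADMIN_NETS)
    except ValueError:          # a hostname rather than an address: cannot vouch for it
        return True


def check_logs(text: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    last_ts = None
    last_src: Dict[str, str] = {}        # user -> address of their most recent login
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append({"kind": "unparsed", "line": line})
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        prog, msg = m["prog"], m["msg"]
        # Timestamps should only move forward within one file.
        if last_ts is not None and ts < last_ts:
            findings.append({"kind": "timestamp", "line": line})
        last_ts = ts if last_ts is None else max(last_ts, ts)
        if prog == "sshd" and (s := SSH_RE.search(msg)):
            last_src[s["user"]] = s["src"]
            if _is_strange(s["src"]):
                findings.append({"kind": "login", "line": line})
        elif prog == "su" and (s := SU_RE.search(msg)):
            src = last_src.get(s["user"])
            # A console su has no remote source; only remote sessions are judged here.
            if src is not None and _is_strange(src):
                findings.append({"kind": "su", "line": line})
        elif prog == "kernel" and msg.startswith("Linux version"):
            findings.append({"kind": "reboot", "line": line})
        elif prog in ("syslogd", "init") and "restart" in msg:
            findings.append({"kind": "restart", "line": line})
    return findings
```

Because the su line itself carries no network address, the scan remembers each user's most recent login source and judges the su against that; this is the kind of correlation an intruder defeats by editing logs on the host, which is why the previous slide recommends shipping them to a separate log server.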

Slide 72

Section 4 – Issue 1 cont’d


q  If you have detected a local user trying to compromise your 
security, the first thing to do is confirm they are in fact who you 
think they are. Check the site they are logging in from. Is it the 
site they normally log in from? No? Then use a non­electronic 
means of getting in touch. For instance, call them on the phone 
or walk over to their office/house and talk to them. If they agree 
that they are on, you can ask them to explain what they were 
doing or tell them to cease doing it. If they are not on, and have 
no idea what you are talking about, odds are this incident 
requires further investigation. Look into such incidents, and have 
lots of information before making any accusations. 
q  If you have detected a network compromise, the first thing to do 
(if you are able) is to disconnect your network. If they are 
connected via modem, unplug the modem cable; if they are 
connected via Ethernet, unplug the Ethernet cable. This will 
prevent them from doing any further damage, and they will 
probably see it as a network problem rather than detection.

Slide 73

Section 4 – Issue 1 cont’d

q  If you are unable to disconnect the network (if you have a busy 
site, or you do not have physical control of your machines), the 
next best step is to use something like tcp_wrappers or ipfwadm 
to deny access from the intruder's site. 
q  If you can't deny all people from the same site as the intruder, 
locking the user's account will have to do. Note that locking an 
account is not an easy thing. You have to keep in mind .rhosts 
files, FTP access, and a host of possible backdoors. 
q  After you have done one of the above (disconnected the network, 
denied access from their site, and/or disabled their account), you 
need to kill all their user processes and log them off. 
q  You should monitor your site well for the next few minutes, as the 
attacker will try to get back in. Perhaps using a different account, 
and/or from a different network address.

Slide 74

Section 4 – Issue 2

n  Security Compromise has already happened 
q  So you have either detected a compromise that has 
already happened or you have detected it and locked 
(hopefully) the offending attacker out of your system. Now 
what? 
n  Closing the Hole 
q  If you are able to determine what means the attacker used to get 
into your system, you should try to close that hole. For instance, 
perhaps you see several FTP entries just before the user logged in. 
Disable the FTP service and check and see if there is an updated 
version, or if any of the lists know of a fix. 
q  Check all your log files, and make a visit to your security lists and 
pages and see if there are any new common exploits you can fix.

Slide 75

Section 4 – Issue 2 cont’d

n  Assessing the Damage 
q  The first thing is to assess the damage. What has been 
compromised? If you are running an integrity checker like 
Tripwire, you can use it to perform an integrity check; it 
should help to tell you what has been compromised. If not, 
you will have to look around at all your important data. 
q  Since systems are getting easier and easier to install, you 
might consider saving your config files, wiping your disk(s), 
reinstalling, then restoring your user files and your config 
files from backups. This will ensure that you have a new, 
clean system. If you have to restore files from the 
compromised system, be especially cautious of any binaries 
that you restore, as they may be Trojan horses placed there 
by the intruder.

Slide 76

Section 4 – Issue 2 cont’d

q  Re-installation should be considered mandatory upon an 
intruder obtaining root access. Additionally, you'd like to 
keep any evidence there is, so having a spare disk in the 
safe may make sense. 
q  Then you have to worry about how long ago the 
compromise happened, and whether the backups hold any 
damaged work. More on backups later.

Slide 77

Section 4 – Issue 2 cont’d

n  Backups, Backups, Backups! 
q  Having regular backups is a godsend for security matters. If 
your system is compromised, you can restore the data you 
need from backups. Of course, some data is valuable to the 
attacker too, and they will not only destroy it, they will steal 
it and have their own copies; but at least you will still have 
the data.

Slide 78

Section 4 – Issue 2 cont’d

q  You should check several backups back into the past before 
restoring a file that has been tampered with. The intruder 
could have compromised your files long ago, and you could 
have made many successful backups of the compromised 
file! 
q  Of course, there are also a raft of security concerns with 
backups. Make sure you are storing them in a secure place. 
Know who has access to them. (If an attacker can get your 
backups, they can have access to all your data without you 
ever knowing it.)
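The "Assessing the Damage" slide relies on an integrity checker such as Tripwire to tell you what changed, and the slide above warns that the newest backup may already contain the tampered file. Both are the same operation: compare file hashes against a baseline taken when the system was known to be clean. The following is an added example written for this guide, not code from the study guide or from Tripwire; it builds a constructed set of files in a temporary directory, simulates an intruder replacing a binary, adding a file and deleting another, and then searches back through constructed backup generations for the newest one whose copy still matches the baseline.

```python
"""Tripwire-style integrity check plus a search back through backup
generations for a copy that still matches the trusted baseline. Added example
for the 'Assessing the Damage' and 'Backups' slides; not code from the study
guide. All files, the simulated intrusion and the backup generations are
constructed inside a temporary directory."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

Snapshot = Dict[str, str]   # relative path -> SHA-256 hex digest


def snapshot(root: str) -> Snapshot:
    """Hash every regular file under root (the integrity checker's database)."""
    snap: Snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                snap[rel] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Report what changed since the trusted baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def latest_clean_backup(baseline: Snapshot, backups: List[Snapshot], path: str) -> Optional[int]:
    """Index of the newest backup whose copy of `path` matches the trusted
    baseline, or None if every generation already holds the tampered file.
    `backups` is ordered oldest to newest."""
    for i in range(len(backups) - 1, -1, -1):
        if backups[i].get(path) == baseline.get(path):
            return i
    return None


def demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Clean install: the baseline is taken right after setup (and in practice
        # kept off the host, where an intruder cannot edit it).
        write("bin/login", b"login v1.0 (genuine)")
        write("bin/ls", b"ls v1.0")
        write("etc/hosts.deny", b"ALL: ALL")
        baseline = snapshot(root)
        # Two clean nightly backups, then a simulated intrusion.
        backups = [baseline, snapshot(root)]
        write("bin/login", b"login v1.0 (trojaned)")    # replaced binary
        write("bin/.rootkit", b"hidden payload")         # new file
        os.remove(os.path.join(root, "etc/hosts.deny"))  # removed file
        # Two more backups are taken before anyone notices.
        backups += [snapshot(root), snapshot(root)]
        return {
            "report": compare(baseline, snapshot(root)),
            "clean_generation": latest_clean_backup(baseline, backups, "bin/login"),
        }
```

In the constructed run the two most recent backups both carry the trojaned login binary, so `latest_clean_backup` points at generation 1; restoring from the newest backup, which is the natural reflex, would simply reinstall the intruder's file.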

Slide 79

Section 4 – Issue 2 cont’d

n  Tracking Down the Intruder. 
q  Ok, you have locked the intruder out, and recovered your 
system, but you're not quite done yet. While it is unlikely 
that most intruders will ever be caught, you should report 
the attack. 
q  You should report the attack to the admin contact at the site 
from which the attacker attacked your system. You can look 
up this contact with whois or the Internic database. You 
might send them an email with all applicable log entries and 
dates and times. If you spotted anything else distinctive 
about your intruder, you might mention that too. After 
sending the email, you should (if you are so inclined) follow 
up with a phone call. If that admin in turn spots your attacker, 
they might be able to talk to the admin of the site where they 
are coming from and so on.

Slide 80

Section 4 – Issue 2 cont’d

q  Good crackers often use many intermediate systems, some 
(or many) of which may not even know they have been 
compromised. Trying to track a cracker back to their home 
system can be difficult. Being polite to the admins you talk 
to can go a long way to getting help from them. 
q  You should also notify any security organizations you are a 
part of (CERT or similar), as well as your system vendor.

Slide 81

Section 5

Virus

Slide 82

Section 5 – Issue 1

n  Computer virus - a computer program which 
reproduces itself through legitimate 
processes in computer programs and 
operating systems. It can alter the behavior of 
a program or operating system without the 
knowledge of computer users. 
q  It is itself written with malicious purposes in 
mind.

Slide 83

Section 5 – Issue 2

n  To keep up with the latest information on the 
various viruses, visit the following web sites: 
q  WildList Organization International, the world's 
premier source of information on which viruses 
are spreading In the Wild (http://www.wildlist.org/). 
q  The Virus Bulletin, an international anti-virus 
publication that keeps track of the occurrence of 
computer viruses (http://www.virusbtn.com/).

Slide 84

Section 5 – Issue 3

n  Virus experts in general prefer to categorize 
viruses by: 
q  their behaviors 
q  the affected operating system platforms 
q  the type of programming languages used to 
develop them

Slide 85

Section 5 – Issue 4

n  A majority of early viruses were program 
viruses, which infected programs ending 
in the .com and .exe file extensions. 
q  They infect executable files by placing their 
programming instructions inside the other 
programs. 
q  They do NOT infect .BAT files, since .BAT files 
are simply text based scripts. They can be 
embedded into .BAT files for execution though. 
q  They cannot bypass anti-virus software.

Slide 86

Section 5 – Issue 5

n  Script viruses mostly affect scripting languages like 
Microsoft Visual Basic and JavaScript, which have 
become commonplace. 
n  Macro viruses mostly affect business software, such 
as MS Office. Macros let users automate a series of 
commands inside documents or spreadsheets. 
Macro instructions can easily be modified by viruses 
to perform erratic behaviors. 
n  All these viruses can be detected by today's anti-virus 
software packages.

Slide 87

Section 5 – Issue 6

n  Boot sector viruses infect the hidden startup 
programs built into diskette media and hard 
drives. 
q  Since they start before the operating system is 
loaded, they can easily bypass the anti-virus 
software.

Slide 88

Section 5 – Issue 7

n  To further spread viruses, virus writers 
developed Trojan horses – programs that 
trick users into starting them and then install 
malicious software. 
n  Hybrid viruses are another of the “latest 
inventions”. They can act in more than one 
way – as an example, an Internet worm may 
be able to infect program files.

Slide 89

Section 5 – Issue 8

n  Melissa 
q  A very famous virus. 
q  Appearing in March 1999, it spread quickly and 
caused massive troubles worldwide. In fact, 
Microsoft had to shut down four out of six 
incoming mail servers under the strain produced 
by Melissa.

Slide 90

Congratulations!

n  You have completed all the sections. 
n  For the latest product information, please visit 
our web sites: 
q  www.ExamREVIEW.NET

Excellent public resources

Some of these web resources may have expired by the time you read this
document. If so, please do a web search through Yahoo or Google using the
resource title as the search subject. Good luck.

Know biometrics. Biometrics is an important topic. Check out the various
forms of biometrics technology described in this web page:
http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm . Know their
drawbacks and their impacts.

Other recommended readings (primarily from NIST) include:

April 21, 2006: Draft Special Publication 800-92, Guide to Computer
Security Log Management
Adobe PDF (1,939 KB)
http://csrc.nist.gov/publications/drafts/DRAFT-SP800-92.pdf

This document provides detailed information on developing, implementing,
and maintaining effective log management practices throughout an enterprise.
It includes guidance on establishing a centralized log management infrastructure,
which includes hardware, software, networks, and media. It also discusses the
log management processes that should be put in place at an organization-wide
level, including the definition of roles and responsibilities, the creation of
feasible logging policies, and the division of responsibilities between system-
level and organization-level administrators. Guidance is also provided on log
management at the individual system level, such as configuring log generating
sources, supporting logging operations, performing log data analysis, and
managing long-term data storage.

August 15, 2005: Draft NIST Special Publication 800-26 Revision 1,
Guide for Information Security Program Assessments and System
Reporting Form
Adobe PDF (1,153 KB)
http://csrc.nist.gov/publications/drafts/Draft-sp800-26Rev1.pdf

This draft document brings the assessment process up to date with key
standards and guidelines developed by NIST.

May 4, 2006: Draft Special Publication 800-80, Guide for Developing
Performance Metrics for Information Security
Adobe PDF (762 KB)
http://csrc.nist.gov/publications/drafts/draft-sp800-80-ipd.pdf

This guide is intended to assist organizations in developing metrics for an
information security program. The methodology links information security
program performance to agency performance. It leverages agency-level strategic
planning processes and uses security controls from NIST SP 800-53,
Recommended Security Controls for Federal Information Systems, to
characterize security performance.

April 21, 2006: Draft Special Publication 800-53A, Guide for Assessing the
Security Controls in Federal Information Systems
Adobe PDF (5,487 KB)
http://csrc.nist.gov/publications/drafts/SP800-53A-spd.pdf

The document provides a comprehensive listing of methods and procedures to
assess the effectiveness of security controls in federal information systems.
Assessment procedures have been developed for each security control and
control enhancement in NIST Special Publication 800-53 with the rigor and
intensity of assessments aligned with the impact levels in FIPS 199.

March 13, 2006: Draft Federal Information Processing Standard (FIPS)
186-3 - Digital Signature Standard (DSS)
Adobe PDF (474 KB)
http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3%20_March2006.pdf

The draft defines methods for digital signature generation that can be used for
the protection of messages, and for the verification and validation of those
digital signatures. Three techniques are allowed: DSA, RSA and ECDSA. This
draft includes requirements for obtaining the assurances necessary for valid
digital signatures.

February 3, 2006: Draft Special Publication 800-88, Guidelines for Media
Sanitization
Adobe PDF (526 KB)
http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf

This guide is intended to assist organizations and system owners in making
practical sanitization decisions based on the level of sensitivity of their
information.

Sample IS Audit Questionnaire

You may download the latest sample questionnaire via the
web link below:

http://www.examreview.net/IT_Questionnaire.pdf

End of Study Guide