
EXERCISES OF

Information System Audit


Hello!
WE ARE:

Sandra Trianadewi (120110160089), Kanti Andariguna (120110160027), Ahmad Syah (120110160108)

2
Security is freedom from, or
resilience against, potential harm
(or other unwanted coercive
change) caused by others.

3
Problem One

Security testing can be applied to any number or subset of controls. What controls are being tested
during each of the following tests?
(Be as specific as possible)

4
VULNERABILITY SCANS

▹ Vulnerability scans search for known system vulnerabilities and can be run
automatically
▹ Because they are necessary for maintaining a company's information security,
vulnerability scans should be run at least quarterly. Some analysts have
observed clients performing vulnerability scans even weekly
▹ Vulnerability scans provide a comprehensive baseline of what vulnerabilities
exist and what has changed since the last report
▹ The focus is to list the known software vulnerabilities that could be exploited
▹ Typically, they are conducted by in-house staff using authenticated credentials.
▹ Through these scans, we are able to detect when equipment could be
compromised

5
PENETRATION TESTING

▹ Penetration tests attempt to actively exploit weaknesses in an
environment, and they require various levels of expertise
▹ They also attempt to identify insecure business processes, lax security
settings, or other weaknesses that a threat actor could exploit
▹ These tests do not need to be conducted as often as vulnerability scans
but should be repeated on a regular basis
▹ These tests are conducted by a third-party vendor rather than internal
staff to provide an objective view of the network environment and avoid
conflicts of interest
▹ A penetration test report identifies what was compromised. It can have
appendices listing specific details, but the main body of the report
should focus on what data was compromised and how.
▹ The report should also describe the actual method of attack and
exploit, the value of the exploited data and recommendations for
improving the organization's security posture.

6
SOCIAL ENGINEERING

▹ Social engineering penetration testing is the practice of attempting typical social engineering
scams on a company's employees to ascertain the organization's level of vulnerability to that
type of exploit
▹ This test is designed to check employees' adherence to the security policies and practices
defined by management
▹ It provides a company with information about how easily an intruder could convince
employees to break security rules or provide access to sensitive information
▹ Social engineering testing can be performed in two modes: off-site and on-site
▹ Active off-site methods (phishing) are designed to make employees divulge information
intended for internal use only (examples: phone phishing, email phishing, SMS phishing)
▹ On-site engagement means that testers apply various techniques to gain physical access to
the target company's office.
▹ Social engineering testing is valuable because it uncovers security weaknesses in physical security,
in corporate security policies connected to proper usage and disposal of sensitive data, and in
employees' security awareness and implementation

7
PHYSICAL PENETRATION TESTING

▹ Physical penetration tests find and exploit the vulnerabilities within
a company's physical controls and barriers
▹ This is a non-invasive, comprehensive assessment of all the
physical security controls in place at a facility or location.
▹ Physical security penetration tests should be conducted on high-value
facilities and locations annually
▹ Examples of physical security:
▸ Forms of physical security (barriers, door locks, patrols, mechanical,
electronic)
▸ Surveillance/monitoring techniques (cameras/CCTV, motion sensors)
▸ Visual and audio deterrents (alarms, security lighting)
▸ Office/desktop security
▸ Logging/auditing

8
WAR DIALING

▹ War dialing is a technique used to perform "port scanning", but for
telephones. A war dialing assessment looks for answering resources,
and the attacker can then attempt to attack the service in order
to gain access.
▹ It produces a comprehensive report covering the approach, the
techniques utilized, and the vulnerabilities identified. The detailed report
gives recommendations to ensure that your systems are secured against
attack
▹ The test follows documented security testing methodologies which
include:
▸ Footprinting of the organization's phone ranges
▸ Connection testing of discovered ranges
▸ Attempting access to discovered services

9
News
Find an article on a recent computer security incident or breach.

10
FACEBOOK

Facebook, Inc. is an American online social media and social
networking service company based in Menlo Park, California.
It was founded by Mark Zuckerberg, along with fellow
Harvard College students and roommates Eduardo Saverin,
Andrew McCollum, Dustin Moskovitz and Chris Hughes.
It is considered one of the Big Four technology companies
along with Amazon, Apple, and Google.

11
28 SEPTEMBER 2018

Facebook says 50 million user accounts were exposed to hackers

On Friday, Facebook announced that at least 50 million and potentially up to
90 million Facebook users had their data exposed to hackers in a breach
involving the social media platform's "View As" feature, which lets you view
your own account as if you were someone else.
Unlike the Cambridge Analytica scandal, in which a third-party company
erroneously accessed data that a legitimate quiz app had siphoned up,
this vulnerability allowed attackers to directly take over user accounts.

https://www.vox.com/2018/9/28/17914598/facebook-new-hack-data-breach-50-million
https://www.wired.com/story/facebook-security-breach-50-million-accounts/

12
Identify as many of the following elements as possible:
1. Threat Agent
2. Vulnerability
3. Assets Affected
4. Countermeasures Applied

13
Threat Agent

The term Threat Agent is used to indicate an individual or group that can
manifest a threat. It is fundamental to identify who would want to exploit the
assets of a company, and how they might use them against the company.

In this case, we can conclude that the Threat Agent comes from outside the
company: attackers exploited a vulnerability that allowed them access to
personal data. Those attackers are the threat agents.

https://en.wikipedia.org/wiki/Threat_(computer)
https://techcrunch.com/2018/09/28/everything-you-need-to-know-about-facebooks-data-breach-affecting-50m-users/
14
Vulnerability

Vulnerability means the quality or state of being exposed to the possibility
of being attacked or harmed, either physically or emotionally.

In this case, the company stated in an official blog post that earlier that
week, on Tuesday, September 25, it identified a vulnerability in its code that
had been present and unnoticed for over a year. That vulnerability gave
hackers the ability to "take over people's accounts" by stealing their access
tokens — basically, the "digital keys" that allow people to stay logged in for
days, weeks, or months at a time.

https://www.vox.com/2018/9/28/17914598/facebook-new-hack-data-breach-50-million

15
Assets Affected

An asset is a resource with economic value that an individual,
corporation or country owns or controls with the expectation that it
will provide a future benefit.

In this case, the affected assets include everything in a victim's
profile, although it's still unclear if that includes private messages or
if any of that data was misused. Zuckerberg said that the attackers
were using Facebook developer APIs to obtain some information,
like "name, gender, and hometowns", that's linked to a user's profile
page.

https://techcrunch.com/2018/09/28/everything-you-need-to-know-about-facebooks-data-breach-affecting-50m-users/
https://www.wired.com/story/facebook-security-breach-50-million-accounts/
https://www.investopedia.com (Investing › Financial Analysis)

16
Countermeasure Applied

A countermeasure is a measure or action taken to counter or offset
another one. As a general concept it implies precision, and is any
technological or tactical solution or system (often for a military application)
designed to prevent an undesirable outcome in the process.

In this case, not one but three bugs led to the data exposure:
1. A bug prompted Facebook's video upload tool to mistakenly show
up on the View As page.
2. The uploader generated an access token (which allows you to remain
logged into your account without having to sign in every time you
visit) that had the same sign-in permissions as the Facebook mobile
app.
3. When the video uploader appeared in "View As" mode, it generated
an access token for whoever the hacker was searching for, not for the
hacker's own account.

17
Countermeasure Applied

"This is a complex interaction of multiple bugs," Rosen said, adding that
the hackers likely required some level of sophistication.

Therefore, Facebook took the following actions:

On Friday morning, millions of accounts were logged out to reset the access
tokens of both those directly affected and any additional accounts "that
have been subject to a View As look-up" in the last year, Rosen said.
Facebook has temporarily turned off "View As" while it continues to
investigate the issue.

In other words, Facebook says it fixed the vulnerability, and then began
resetting people's access tokens to protect the security of their
accounts.
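The bug chain and remediation described above come down to two properties of an access-token service: a token minted during a "View As" preview must stay bound to the real logged-in viewer with only the scopes the feature needs, and tokens must be revocable in bulk for every account that was affected or looked up. The following is an added example, not Facebook's code or the page's own; the store, scope names, accounts and timestamps are all constructed for illustration, and the hypothetical `demo()` walks through the preview and the reset.

```python
"""Added example (not Facebook's code): a small access-token service that
binds tokens to the authenticated viewer and supports bulk revocation.
All names, scopes, accounts and timestamps are constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed server-side signing key; a real service keeps this in a KMS/HSM.
SERVER_KEY = secrets.token_bytes(32)

# Least-privilege scope sets per feature. The uploader only ever receives
# upload rights, never the broad scope set a full mobile-app login carries.
FEATURE_SCOPES = {
    "mobile_app": frozenset({"read_profile", "read_messages", "post", "upload_video"}),
    "video_upload": frozenset({"upload_video"}),
}


class TokenStore:
    def __init__(self):
        self._tokens = {}        # token_id -> {"subject", "scopes", "issued_at"}
        self._view_as_log = {}   # viewed account -> [(timestamp, viewer), ...]

    def _sign(self, token_id, subject):
        # Signature covers the subject so a token cannot be re-pointed at another account.
        msg = f"{token_id}:{subject}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, session_user, feature, view_as=None, now=None):
        """Mint a token for the authenticated session user.
        The subject is always session_user: inside a View As preview the
        account being viewed is logged but never becomes the token subject,
        and scopes come from the feature allow-list, not from the caller."""
        now = time.time() if now is None else now
        if view_as is not None and view_as != session_user:
            self._view_as_log.setdefault(view_as, []).append((now, session_user))
        scopes = FEATURE_SCOPES[feature]
        token_id = secrets.token_urlsafe(16)
        self._tokens[token_id] = {"subject": session_user, "scopes": scopes, "issued_at": now}
        return f"{token_id}.{session_user}.{self._sign(token_id, session_user)}"

    def validate(self, token):
        """Return (subject, scopes) for a live, correctly signed token, else None."""
        try:
            token_id, subject, sig = token.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(token_id, subject)):
            return None
        rec = self._tokens.get(token_id)
        if rec is None or rec["subject"] != subject:
            return None
        return rec["subject"], rec["scopes"]

    def revoke_accounts(self, accounts):
        """Force-logout: drop every live token whose subject is in accounts."""
        doomed = [tid for tid, r in self._tokens.items() if r["subject"] in accounts]
        for tid in doomed:
            del self._tokens[tid]
        return len(doomed)

    def accounts_viewed_as_since(self, since):
        """Accounts that were the target of a View As lookup since `since`:
        the wider population the remediation also resets."""
        return {acct for acct, hits in self._view_as_log.items()
                if any(t >= since for t, _ in hits)}


def demo():
    """Constructed walk-through: a preview of 'victim' by 'attacker', then the reset."""
    store = TokenStore()
    t0 = 1_000_000.0
    victim_tok = store.issue("victim", "mobile_app", now=t0)
    # The uploader token minted during the preview stays bound to the viewer.
    attacker_tok = store.issue("attacker", "video_upload", view_as="victim", now=t0 + 60)
    subj, scopes = store.validate(attacker_tok)
    bound_to_viewer = subj == "attacker" and scopes == {"upload_video"}
    # Incident response: reset tokens for directly affected accounts plus
    # every account looked up via View As in the window.
    affected = {"victim"} | store.accounts_viewed_as_since(t0)
    revoked = store.revoke_accounts(affected)
    return (bound_to_viewer, revoked,
            store.validate(victim_tok) is None,      # victim forced to log in again
            store.validate(attacker_tok) is not None)  # unaffected tokens survive


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the lesson: `issue()` never lets the caller choose the subject or the scope set, so the "View As" path cannot produce a token for the viewed account, and the lookup log makes the "subject to a View As look-up" population reconstructible when a bulk reset is needed.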

https://techcrunch.com/2018/09/28/everything-you-need-to-know-about-facebooks-data-breach-affecting-50m-users/

18
Recommended Safeguards
Ways to improve

19
Safeguards

Safeguarding is protecting a subject from harm or damage with an appropriate
measure.

In this case, we can suggest a few safeguards Facebook can implement:

1. Encryption
Encryption is a critical tool for protecting sensitive data, including personally
identifiable information that can be used for identity theft, financial data
exploited for fraud and other financial crimes, proprietary business
information and intellectual property, and even government secrets.
Although strong encryption cannot prevent a data breach, it can block cyber
attackers from accessing the sensitive data once it is stolen, thus mitigating
the risk.

20
Safeguards

2. Manage file access permissions
Although data breaches from external attacks often get the biggest
headlines, data loss is often a result of employee error. Define
who needs to have access to specific client data, how to remove
permissions should an employee leave the business, and the rights
your staff should have to print, email, export or save documents
outside of your designated cloud or on-premises software.
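The permission-management safeguard above has three concrete parts: per-client grants for named users, a single offboarding step that removes every grant when someone leaves, and separate rights for viewing versus the actions that move a document outside the system (print, email, export). The following is an added example, not code from the page or from Facebook; the policy class, users, clients and actions are constructed for illustration.

```python
"""Added example: a deny-by-default document access policy covering per-client
grants, offboarding and exfiltration-capable rights. All users, clients and
action names are constructed."""
from collections import defaultdict

ACTIONS = {"view", "print", "email", "export"}
# Rights that move data outside the designated system; reviewed separately.
EXFIL_ACTIONS = {"print", "email", "export"}


class DocumentAccessPolicy:
    def __init__(self):
        self._grants = defaultdict(dict)   # user -> {client: set(actions)}
        self._active = set()               # users still employed
        self.audit = []                    # (user, client, action, decision)

    def onboard(self, user):
        self._active.add(user)

    def grant(self, user, client, actions):
        """Grant explicit actions on one client's documents; nothing is implied."""
        unknown = set(actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        if user not in self._active:
            raise ValueError(f"cannot grant to inactive user {user!r}")
        self._grants[user].setdefault(client, set()).update(actions)

    def offboard(self, user):
        """Employee leaves: deactivate and drop every grant in one step.
        Returns how many action rights were removed."""
        self._active.discard(user)
        removed = sum(len(acts) for acts in self._grants.pop(user, {}).values())
        return removed

    def is_allowed(self, user, client, action):
        """Deny by default; every decision is recorded for later audit."""
        allowed = (user in self._active
                   and action in self._grants.get(user, {}).get(client, set()))
        self.audit.append((user, client, action, "allow" if allowed else "deny"))
        return allowed

    def exfil_capable_users(self, client):
        """Who can print/email/export this client's documents: the review list."""
        return sorted(u for u, g in self._grants.items()
                      if g.get(client, set()) & EXFIL_ACTIONS)


def demo():
    """Constructed scenario: two staff, two clients, one departure."""
    policy = DocumentAccessPolicy()
    for user in ("alice", "bob"):
        policy.onboard(user)
    policy.grant("alice", "client_a", {"view", "export"})
    policy.grant("alice", "client_b", {"view"})
    policy.grant("bob", "client_a", {"view", "email"})
    before = policy.exfil_capable_users("client_a")          # ['alice', 'bob']
    removed = policy.offboard("bob")                          # 2 rights dropped
    return (
        policy.is_allowed("alice", "client_a", "export"),     # True
        policy.is_allowed("alice", "client_b", "export"),     # False: view only
        policy.is_allowed("bob", "client_a", "view"),         # False: offboarded
        before,
        removed,
        policy.exfil_capable_users("client_a"),               # ['alice']
        sum(1 for *_, d in policy.audit if d == "deny"),      # 2 denials logged
    )


if __name__ == "__main__":
    print(demo())
```

The audit list is what an auditor would sample to confirm that denied attempts are actually being recorded, and `exfil_capable_users()` gives the periodic review the passage calls for: the list of staff who can move a client's data outside the designated software.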

21
Thank you :)
