CISA Certified Information Systems Auditor Module Study Guide

2009
CISA
ExamESSENTIALS Ed.
Study Guide
The Number One Source of Exam and OntheJob Information

ST UD Y IN F ORMAT ION FO R EX AM CAND ID ATES
CISA ExamESSENTIALS Guide
Covering the 2009 Syllabus
ã
ExamREVIEW PRO & ExamREVIEW PRESS
2009
All rights reserved. No part of the contents of this book may be reproduced or
transmitted in any form or by any means without the written permission of the
publisher.
Important – Please Read
Due to the variety of fonts installed on the users'
systems, Acrobat may prompt you to download an
additional language component (which is FREE from
Adobe anyway).
If you receive a message saying that a Traditional
Chinese language pack has to be downloaded in order
to load this eBook, please click YES to have Acrobat
download the update. The size of the update is about
7M. Don’t worry, this download is safe.
Table of Contents
END USER LICENSE AGREEMENT 7
EXAM FORMAT 13
ABOUT THIS BOOK 14
EXAM TOPICS 15
EXAM REGISTRATION CONTACTS 19
STUDY PSYCHOLOGY & EXAM TACTICS 20
KEY EXAM STRATEGIES 21
STRATEGY ONE : KEYWORD OR KEY PHRASE MATCHING. 21

STRATEGY TWO : CHOICES GROUPING. 22
STRATEGY THREE: THINK TRICKY. 23
SECURITY THEORIES 25
THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM 27
DEFENSE IN DEPTH 27
VULNERABILITIES 28
SECURITY MEASURES 45
STANDARDS AND GUIDELINES 49
IS ORGANIZATION AND INFORMATION ASSETS PROTECTION 55
THE STAKEHOLDERS 56
THE BOARD 57
THE AUDIT MANAGER 58
AUDIT PERSONNEL 59
IS CONTROLS 61
THE IMPORTANCE OF THE USE OF CONTROLS 61
CLASSIFICATION OF CONTROLS 62
GENERAL CONTROLS VS APPLICATION CONTROLS 63
ACCESS CONTROL AND THE AUDITING PROCESS 66
ACCESS CONTROL MODELS 66

ACLS VERSUS CAPABILITIES 68
WHAT IS O RANGE BOOK, BY THE WAY? 69
TYPES OF ACCESS CONTROL 70
THE AAA CONCEPT 71
ESTABLISHING ACCOUNTABILITY THROUGH EVENT LOGGING 74
THE AUDIT PROCESS 75
THE SARBANES–OXLEY ACT AND THE COSO FRAMEWORK 76
WHAT IS AUDITING, BY THE WAY ? 79
THE ROLE OF AN AUDITOR 82
THE AUDIT PROCESS FLOW 83
OVERALL STRATEGIES 88
AUDIT PLANNING 90
RECOMMENDED TYPES OF AUDIT 100
EXAMPLE AUDIT OBJECTIVES AND PROCEDURES 103
AUDIT F IELDWORKS 111
AUDIT PROGRAM 115
AUDIT REPORT 116
AUDIT FOLLOWUP 118
AUDIT ASSESSMENT 120
IT STRATEGIC PLANNING 121
IT STRATEGIC PLANNING DEFINED 121
THE ROLE OF IS AUDITING IN THE PLANNING PROCESS 122
INHOUSE OR OUT SOURCE? 123
AVOIDING CONFLICTS OF INTERESTS 124
PROTECTION OF INFORMATION ASSETS THROUGH SECURITY POLICY 126
INFORMATION ASSETS DEFINED 126
DATA CLASSIFICATIONS AND LAYER OF RESPONSIBILITIES 129
SECURITY POLICY 131
SECURITY MODELS AND MODES OF OPERATIONS 138
EXAMPLE POLICY 141
CONSEQUENCES OF VIOLATIONS 143
EVALUATION 144
ORGANIZATION SPECIFIC CLASSIFICATION SCHEME 145
CHANGE CONTROL 146
BUSINESS CONTINUITY PLANNING 148
DEFINITION 148
BCP VS BPCP VS DRP 149
BCP PHASES 150
STAKEHOLDERS AND CRISIS COMMUNICATIONS 151
THE RISK ASSESSMENT FLOW 153
RISK VS THREAT AND VULNERABILITY 158
IDENTIFYING RISKS 159
LOSS CALCULATIONS 161
BUSINESS IMPACT ANALYSIS DEFINED 164
BIA GOALS AND STEPS 165
BIA CHECKLIST 166
PREPARING FOR EMERGENCY 168
MANAGING RECOVERY 170
TESTING THE PLAN 172
USER ACCEPTANCE 174
PLAN MAINTENANCE 174
INCIDENT HANDLING 177
RISK MANAGEMENT 180
RISK MANAGEMENT DEFINED 181
THE RISK MANAGEMENT STEPS 181
IS AUDITING AND RISK MANAGEMENT 183
RISKBASED AUDITING 184
RISK MANAGEMENT READINGS 185
PROJECT MANAGEMENT 187
PROJECT MANAGEMENT DEFINED 187
PROJECT MANAGEMENT AND AUDIT 188
CHANGE MANAGEMENT 190
CHANGE MANAGEMENT DEFINED 190
CHANGE MANAGEMENT STRATEGIES 192
CHANGE MANAGEMENT VS CHANGE CONTROL VS CONFIGURATION MANAGEMENT 194
CHANGE CONTROL 196
APPLICATION PROGRAM DEVELOPMENT 203
GENERAL GUIDELINES 203
SYSTEM CHANGE CONTROL 204
SOFTWARE DEVELOPMENT PROCESSES AND MODELS 205
BUY VS MAKE: ACQUISITION MANAGEMENT METHODS 208
TECHNICAL READINGS 211
　 SECTION 1: TOPICS ON SECURITY THEORY 211

　 SECTION 2: TOPICS ON HACKING, ATTACKING, DEFENDING AND AUDITING. 211
　 SECTION 3: TOPICS ON ENCRYPTION AND VPN. 211
　 SECTION 4: TOPICS ON RESPONDING TO ATTACKS 211
　 SECTION 5: TOPICS ON VIRUSES . 211
EXCELLENT PUBLIC RESOURCES 302
SAMPLE IS AUDIT QUESTIONNAIRE 307
END OF STUDY GUIDE 308
End User License Agreement
The CISA ExamESSENTIALS Guide (the "Book") is a certification study product provided by
ExamREVIEW Press (including ExamREVIEW.NET and SystemREVIEW.NET, being referred to as
“ExamREVIEW.NET” in this document), subject to your compliance with the terms and conditions set
forth below.
PLEASE READ THIS DOCUMENT CAREFULLY BEFORE ACCESSING OR USING THE BOOK.
BY ACCESSING OR USING THE BOOK, YOU AGREE TO BE BOUND BY THE TERMS AND
CONDITIONS SET FORTH BELOW. IF YOU DO NOT WISH TO BE BOUND BY THESE
TERMS AND CONDITIONS, YOU MAY NOT ACCESS OR USE THE BOOK.
EXAMREVIEW.NET MAY MODIFY THIS AGREEMENT AT ANY TIME, AND SUCH
MODIFICATIONS SHALL BE EFFECTIVE IMMEDIATELY UPON POSTING OF THE
MODIFIED AGREEMENT ON THE CORPORATE SITE OF EXAMREVIEW.NET. YOU AGREE
TO REVIEW THE AGREEMENT PERIODICALLY TO BE AWARE OF SUCH MODIFICATIONS
AND YOUR CONTINUED ACCESS OR USE OF THE BOOK SHALL BE DEEMED YOUR
CONCLUSIVE ACCEPTANCE OF THE MODIFIED AGREEMENT.
1. Copyright and Licenses.
License Grant
This Agreement entitles you to install and use one copy of the Book. In addition, you
may make one archival copy of the Book. The archival copy must be on a storage
medium other than a hard drive, and may only be used for the reinstallation of the Book.
This Agreement does not permit the installation or use of multiple copies of the Book,
or the installation of the Book on more than one computer at any given time, on a
system that allows shared used of applications, on a multi-user network, or on any
configuration or system of computers that allows multiple users. Multiple copy use or
7
Notes:
installation is only allowed if you obtain an appropriate licensing agreement for each user
and each copy of the Book. For further information regarding multiple-copy licensing
of the Book, please contact: michael@ExamREVIEW.NET
Restrictions on Transfer
Without first obtaining the express written consent of ExamREVIEW.NET, you may
not assign your rights and obligations under this Agreement, or redistribute, encumber,
sell, rent, lease, sublicense, or otherwise transfer your rights to the Book.
Restrictions on Use
You may not use, copy, or install the Book on any system with more than one computer,
or permit the use, copying, or installation of the Book by more than one user or on more
than one computer. If you hold multiple, validly licensed copies, you may not use, copy,
or install the Book on any system with more than the number of computers permitted
by license, or permit the use, copying, or installation by more users, or on more
computers than the number permitted by license.
You may not decompile, "reverse-engineer", disassemble, or otherwise attempt to derive

the source code for the Book.
Restrictions on Alteration
You may not modify the Book or create any derivative work of the Book or its
accompanying documentation. Derivative works include but are not limited to
translations. You may not alter any files or libraries in any portion of the Book. You
may not reproduce the database portion or create any tables or reports relating to the
database portion.
Notes:
Restrictions on Copying
You may not copy any part of the Book except to the extent that licensed use inherently
demands the creation of a temporary copy stored in computer memory and not
permanently affixed on storage medium. You may make one archival copy which must
be stored on a medium other than a computer hard drive.
TRADEMARKS.
CISA ExamESSENTIALS Guide /or any other names of ExamREVIEW.NET or its publications,
products, content or services referenced herein or on the Book are the exclusive trademarks or
servicemarks of ExamREVIEW.NET. Other product and company names mentioned in the Book may
be the trademarks of their respective owners.
2. Use of the Book.
You understand that, except for information, products or services clearly identified as being supplied
by ExamREVIEW.NET, ExamREVIEW.NET does not operate, control or endorse any information,
products or services on the Internet in any way. Except for ExamREVIEW.NET explicitly identified
information, products or services, all information, products and services offered through the Book or
on the Internet generally are offered by third parties, that are not affiliated with ExamREVIEW.NET.
YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE BOOK AND
THE INTERNET. EXAMREVIEW.NET PROVIDES THE BOOK AND RELATED
INFORMATION "AS IS" AND DOES NOT MAKE ANY EXPRESS OR IMPLIED WARRANTIES,
REPRESENTATIONS OR ENDORSEMENTS WHATSOEVER (INCLUDING WITHOUT
LIMITATION WARRANTIES OF TITLE OR NONINFRINGEMENT, OR THE IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE) WITH
REGARD TO THE BOOK, ANY INFORMATION OR SERVICE PROVIDED THROUGH THE
BOOK, AND EXAMREVIEW.NET SHALL NOT BE LIABLE FOR ANY COST OR DAMAGE
ARISING EITHER DIRECTLY OR INDIRECTLY FROM ANY SUCH. IT IS SOLELY YOUR
9
Notes:
RESPONSIBILITY TO EVALUATE THE ACCURACY, COMPLETENESS AND USEFULNESS
OF ALL OPINIONS, ADVICE, AND OTHER INFORMATION PROVIDED THROUGH THE
BOOK.
LIMITATION OF LIABILITY
IN NO EVENT WILL EXAMREVIEW.NET BE LIABLE FOR (I) ANY INCIDENTAL,
CONSEQUENTIAL, OR INDIRECT DAMAGES (INCLUDING, BUT NOT LIMITED TO,
DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR
INFORMATION, AND THE LIKE) ARISING OUT OF THE USE OF OR INABILITY TO USE
THE BOOK. EVEN IF EXAMREVIEW.NET OR ITS AUTHORIZED REPRESENTATIVES HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR (II) ANY CLAIM
ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN THE BOOK.
BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION
MAY NOT APPLY TO YOU. IN SUCH STATES, EXAMREVIEW.NET LIABILITY IS LIMITED
TO THE GREATEST EXTENT PERMITTED BY LAW.
ExamREVIEW.NET makes no representations whatsoever about any other web site which are
referenced in the book. When you access a nonExamREVIEW.NET web site, please understand that it
is independent from ExamREVIEW.NET, and that ExamREVIEW.NET has no control over the
content on that web site. In addition, a link to a ExamREVIEW.NET web site does not mean that
ExamREVIEW.NET endorses or accepts any responsibility for the content, or the use, of such web site.
3. Indemnification.
You agree to indemnify, defend and hold harmless ExamREVIEW.NET, its officers, directors,
employees, agents, licensors, suppliers and any third party information providers to the Book from and
against all losses, expenses, damages and costs, including reasonable attorneys' fees, resulting from
any violation of this Agreement (including negligent or wrongful conduct) by you or any other person
using the Book.
4. Third Party Rights.
10
Notes:
The provisions of paragraphs 2 (Use of the Book), and 3 (Indemnification) are for the benefit of
ExamREVIEW.NET and its officers, directors, employees, agents, licensors, suppliers, and any third
party information providers to the Book. Each of these individuals or entities shall have the right to
assert and enforce those provisions directly against you on its own behalf.
5. Termination.
This Agreement may be terminated by either party without notice at any time for any reason. The
provisions of paragraphs 1 (Copyright, Licenses and Idea Submissions), 2 (Use of the Book), 3
(Indemnification), 4 (Third Party Rights) and 6 (Miscellaneous) shall survive any termination of this
Agreement.
6. Miscellaneous.
This Agreement shall all be governed and construed in accordance with the laws of Hong Kong
applicable to agreements made and to be performed in Hong Kong. You agree that any legal action or
proceeding between ExamREVIEW.NET and you for any purpose concerning this Agreement or the
parties' obligations hereunder shall be brought exclusively in a court of competent jurisdiction sitting
in Hong Kong. Any cause of action or claim you may have with respect to the Book must be
commenced within one (1) year after the claim or cause of action arises or such claim or cause of
action is barred. ExamREVIEW.NET's failure to insist upon or enforce strict performance of any
provision of this Agreement shall not be construed as a waiver of any provision or right. Neither the
course of conduct between the parties nor trade practice shall act to modify any provision of this
Agreement. ExamREVIEW.NET may assign its rights and duties under this Agreement to any party at
any time without notice to you.
Any rights not expressly granted herein are reserved.
11
Notes:
Every effort has been made to ensure the accuracy of this book. If you have
comments, questions, or ideas regarding this book, please let us know by
emailing to this address: michael@ExamREVIEW.NET
This electronic book was originally created as a print book. For simplicity, the
electronic version of this book has been modified as little as possible from its
original form.
12
Notes:
Exam Format
The following question formats are used in the CISA exams:
Text Based Multiple-choice: The examinee selects one option that best
answers the question or completes a statement.
Multiple-response: The examinee selects multiple options that best answers

the question or completes a statement.
Sample Directions (Scenario): Read the statement or question and from the
response options, select only the option(s) that represent the BEST possible
answer(s).
There are no fill in the blank questions. There are no graphical questions.
You will mostly be asked to pick one choice as the answer. However, some
questions will require you to pick multiple items – something like “i and ii”, “i,
iii & v” …etc.
q For international candidates, it takes about two months to receive

the results.
q As of 2004 all CISA exams are paper and pencil based.
13
Notes:
About this book
The CISA exam has a lot of questions that ask for your "best decisions" - of the
hundreds of questions you will encounter in the exam, a significant portion of
them requires that you pick the best possible options. These best options are
often based on expert advices and best practices not found in the standard
exam text books.
Our CISA ExamESSENTIALS Guide goes the expert-advice way. Instead of

giving you the hard facts, we give you information that covers the best practices.
With this information, you will always be able to make the most appropriate
expert judgment in the exam.
If you are looking for the hard facts, visit the following ISACA link:
http://www.isaca.org/TemplateRedirect.cfm?Template=/ContentManagemen
t/ContentDisplay.cfm&ContentID=15262
* In case this link no longer works, refer to the Standards section of ISACA’s
web site.
This is the place where most “official” IS auditing standards and guidelines are
listed. In the exam you will encounter certain questions that test your
memorization skills – you will have to get these hard facts “fully loaded” into
your memory. We believe that the official published material is the best source
of information in this regard.
14
Notes:
Our guide focuses on the best business practice and expert advice side
of the exam.
Exam Topics
The official exam objectives can be found from the CISA exam page:
http://www.isaca.org/cisaexam
I personally do not recommend that you spend too much time on these
objectives. The reasons are:
l many of them simply require nothing but basic common sense – you will
be able to answer the corresponding questions easily anyway
l the list is way too detailed – if you go through them one by one, it will take
you a year or so to finish
l many of the objectives are heavily overlapped
l to me, they look confusing
15
Notes:
Instead, I prefer to focus on the following areas (because they often involve
topics that do not have fixed answers but instead require the “best possible”
options):
l Access control models.
l The auditing process.
l IT strategic planning.
l Protection Policy for Information Assets
l Business Continuity Planning.
l Risk management.
l Project Management.
l Change Management.
Why do we choose these topics? Firstly, according to many recent CISA

“graduates”, these are the topics that frequently give them surprises. Secondly,
if you watch closely what ISACA at present offers together with the Big 5
accounting firms, you should notice that these topics are always emphasized.
16
Notes:
Most candidates fail the exam because they focused too much on the IT side of
the exam, with little or no preparation on the auditing related disciplines.
Remember, a large number of the CISA exam candidates are from the
accounting profession where business auditing is a major daily duty.
The exam is about 40% TECHNOLOGY and 60% BUSINESS
PRACTICE.
Tech gurus do not really have an edge because no in-depth nor advanced
technologies are tested here. Instead, the “practical business people” with
sufficient technology knowledge rule.
The tech questions are easy because they are (and are bound to be)
straight forward. The business practice related questions are difficult
because business rationales are never straight forward – too many factors
come into play and therefore making every scenario highly complicated.
And remember, technology does not mean IT technology alone. It also means
Physical Security Technology as well as Biometrics, and many more. As of the
time of this writing the state of biometrics technology is very sophisticated and
accurate, but is highly expensive. Other potential barriers include user
acceptance, enrollment time and throughput. Still, it is gaining ground,
especially in environment where security is CRITICAL.
Take a look at the security measures your company has implemented and
critically assess their features and effectiveness. This will help.
17
Notes:
!!! Biometrics is an important topic. Check out the various forms of biometrics
technology described in this web page:
http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm
18
Notes:
Exam Registration Contacts
The CISA exam is offered throughout the world twice a year (in June and in
December). The best way to register for the exam is to request for the exam
bulletin from the ISACA Certification Department via email at
certification@isaca.org or by phone at +1.847.253.1545.
I do recommend that you register early. As I remember, there is an early bird

discount available …
19
Notes:
Study Psychology & Exam Tactics
ü Always plan ahead!
ü Always maintain a positive attitude.
ü Prepare systematically using ExamReview materials.
ü Ensure you have enough sleep! Health is essential for maintaining a

fighting spirit.
ü Arrive at the test center in time to have a margin of safety.
ü Dress yourself in a manner with emphasis on comfort. Always have a coat

ready just in case the A/C is way too powerful.
ü Read the exam instructions carefully before answering the first question.
20
Notes:
Key exam strategies
To be successful in the CISA exam, you must know how the questions are
structured. The official saying is that the CISA examination will require the
candidates to answer questions and to make judgments based on the
information learned in courses and on their own professional experiences.
Based on our experiences, however, tackling CISA questions involve several
major strategies:
Strategy One: Keyword or key phrase matching.
Example: Which of the following would be included in an information security

strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for information security projects
D. Annual budgetary targets for the security department

21
Notes:
The key phrase here is "strategic plan". As we all know, a strategic plan is a very
high level thing. Look at the choices, only choice B has a high level element,
which is "business objective". Therefore, B is the correct answer.
Strategy Two: Choices grouping.
Example: The MOST important responsibility of an information security

manager in an organization is:
A. recommending and monitoring security policies.
B. promoting security awareness within the organization.

C. establishing procedures for security policies.
D. administering physical and logical access controls.
When you try to classify or group the choices, you will find that choice B, C and
D can be classified into one group – a group of implementation activities.
Choice A, on the other hand, takes place way before the implementation phase.
Therefore, choice A is the answer.
22
Notes:
Strategy Three: Think tricky.
You need to know how to pick the BEST answer out of several technically
possible answers. To do this you need to think tricky – the questions are always
written with trickiness in mind (believe me, this is exactly the case with most
ISACA exam questions).
As an example, you are asked to evaluate the following statements:
· In the context of information security, the term Granularity refers to the

level of detail to which a trusted system can authenticate users.

level of detail to which imperfections of a trusted system can be
measured.

level of detail to which packets can be filtered.

level of detail to which an access control system can be adjusted.
Which statement is the BEST one?
23
Notes:
To pick the BEST choice, you must keep in mind that Granularity is a term
which could be applied to a multitude of usage within the context of IT security.
It can be for packet filtering, and it can also be for user access. The last
statement said "access control system" without specifying its exact type. It is
therefore representative of almost all possible types of access control system.
You know what, this is exactly the type of answer expected. Kinda tricky, isn't it?
24
Notes:
Security Theories
A security stance is a default position on security matters. The 2 primary

security stances are:
i, "Everything not explicitly permitted is forbidden" (default deny). This

improves security at the cost of functionality. A good approach to use if you
have lots of security threats. You may find this approach helpful basing on the
principle of least privilege (sometimes also known as the principle of least
authority - POLA), that every module of a computing environment should be
able to access only such resources that are necessary to its legitimate purpose.
Do keep in mind, an over restrictive system can sacrifice usability. The lack of
flexibility can also hinder usability.
ii, "Everything not explicitly forbidden is permitted" (default permit). This

allows greater functionality by sacrificing security. This is only a good approach
in an environment where security threats are non-existent or negligible. Many
earlier Windows systems give Everyone full control, which is no good security-
wise.
25
Notes:
Proper balance of security risks is needed for implementing practical
computing systems.
There are two different approaches to security in computing. One focuses

mainly on external threats, and generally treats the computer system itself as a
trusted system. The other regards the computer system itself as largely an
untrusted system, and redesigns it to make it more secure in a number of ways.
Most current real-world computer security efforts focus on external threats, and
generally treat the computer system itself as a trusted system. Some observers
consider this to be a disastrous mistake, and point out that this distinction is the
cause of much of the insecurity of current computer systems - once an attacker
has subverted one part of a system without fine-grained security, he or she
usually has access to most or all of the features of that system. In other words,
this security stance tends to produce insecure systems.
The 'trusted systems' approach has been predominant in the design of many
earlier software products, due to the long-standing emphasizes on functionality
and 'ease of use' over security.
26
Notes:
The computer system itself as largely an untrusted system
The “untrusted system” approach seeks to enforce the principle of least

privilege to great extent, where an entity has only the privileges that are needed
for its function. That way, even if an attacker has subverted one part of the
system, fine-grained security ensures that it is just as difficult for them to
subvert the rest. Furthermore, by breaking the system up into smaller
components, the complexity of individual components is reduced, opening up
the possibility of using techniques such as automated theorem proving to prove
the correctness of crucial software subsystems. Where formal correctness
proofs are not possible, rigorous use of code review and unit testing measures
can be used to try to make modules as secure as possible.
Defense in depth
From a technical perspective, design with the above mentioned technique

often make use of the concept of "defense in depth", where more than one
subsystem needs to be compromised to compromise the security of the
system and the information it holds.
27
Notes:
A typical defense in depth approach divides the key security elements into
layers for creating a cohesive defense strategy. To ensure effective IT
security, you must design, implement, and manage IT security controls for
each layer of this layered model. As an example: you may divide your
controls into the layers of network, hardware, software, and data.
From a broader perspective, an important principle of the Defense in Depth strategy is

that in order to achieve Information Assurance you need to maintain a balanced focus on
the critical elements of People, Technology and Operations.
In any case, security should not be view as an all or nothing issue. The
designers and operators of systems should assume that security breaches are
inevitable in the long term, that full audit trails should be kept of system
activity so that when a security breach occurs, the mechanism and extent of
the breach can be determined. In fact, storing audit trails remotely, where
they can only be appended to, can keep intruders from covering their tracks.
Vulnerabilities
To understand the techniques for securing a computer system, it is

important to first understand the various types of attacks that can be made
against it. These threats can typically be classified into the following
categories:
28
Notes:
l You may think of salami attack as a concept that can be applied to
scenarios with and without relation to computing. In general, a salami
attack is said to have taken place when tiny amounts of assets are
systematically acquired from a very large number of sources. Since the
process takes place below the threshold of perception and detection, an
ongoing accumulation of assets bit by bit is made possible. An example:
the digits representing currency on a financial institution’s computer
could be modified in such a way that values to the right of the pennies
field are automatically rounded down. The salami concept can apply in
information gathering - aggregating small amounts of information from
many sources with an attempt to derive an overall picture of an
organization.
l Bribes and extortion can occur! With promises or threats that cause
your staff to violate their trust, information security can be at risk big
time! This is more a HR issue but still you need to think of ways to
safeguard security assuming bribery is not entirely impossible.
l Software flaws such as buffer overflows, are often exploited to gain

control of a computer, or to cause it to operate in an unexpected
manner.
29
Notes:
NOTE: Buffer overflow (buffer overrun) is supposed to be a programming
error which may result in memory access exception - that is, a
process make attempt to store data beyond the fixed boundaries of a
buffer area. With careless programming, this kind of access attempt
can be triggered by ill-intented codes. Stack-based buffer overflows
and heap-based buffer overflows are the 2 popular types of attack of
this nature. Techniques such as Static code analysis can help
preventing such attack. You should also always opt for the use of
safe libraries.
l Many development methodologies rely on testing to ensure the quality

of any code released; this process often fails to discover extremely
unusual potential exploits. The term "exploit" generally refers to small
programs designed to take advantage of a software flaw that has been
discovered, either remote or local.
NOTE: As a pre-attack activity, footprinting refers to the technique of

collecting information about systems thru techniques such as Ping
Sweeps, TCP Scans, OS Identification, Domain Queries and DNS
Interrogation. Tools involved may include samspade, nslookup,
traceroute, neotrace and the like. Passive fingerprinting, on the other
hand, is based primarily on sniffer traces from your remote system.
Rather than proactively querying a remote system, you capture
30
Notes:
packets that pass-by instead.
l Any data that is transmitted over an IP network is at some risk of being

eavesdropped or even modified. Voice over IP has the same security
issues as running regular applications which rely on IP for transmission.
NOTE: The OSI model is a layered model which gives abstract description
for network protocol design. It is a seven layer model, and IP runs at
layer 3, even though the TCP/IP suite itself has its own 4 layer
structure. TCP runs at OSI layer 4, which is on top of IP, for
providing connection oriented service in between the sender and the
recipient.
TCP is supposed to provide guaranteed delivery. Every single TCP

segment contains a TCP header with the source and destination port,
a sequence number that identifies the first byte of data, and an
acknowledgment number that indicates an acknowledgment by the
recipient. There are also 6 flag bits, which are URG, ACK, PSH,
RST, SYN and FIN. Keep in mind, TCP does not make any
assumptions about the underlying IP network.
31
Notes:
You can perceive ports as the actual endpoints of every TCP
connection. Examples of well known ports include http port 80, SSL
port 443 and others.
ICMP is quite special. It runs at the IP layer mostly for sending one-
way informational messages to a networked host. "ping" is an utility
which uses ICMP.
The 4 TCP areas that hackers usually look at for determining the
operating system may include TTL (the Time To Live on the
outbound packet), Window Size, DF (the Don't Fragment bit) and
the TOS (the Type of Service). Thru analyzing these and compare
with the database of signatures there is a chance you can tell what the
remote operating system is.
l Non-IP based networks are also highly hack-able. Sniffing was pretty
common on the Ethernet (and also on IP networks).
Packet sniffer (another name for protocol analyzer) can be deployed

to intercept and log netowrk traffic that passes through the network.
It can capture unicast, multicast and broadcast traffic provided that
you put your network adapter into promiscuous mode. You may
sniff to analyze network problems, or to gain information for
32
Notes:
launching a network attack.
Wireshark (formerly Ethereal) is a free protocol analyzer you may use

for network troubleshooting and sniffing. The functionality it offers
is similar to tcpdump but it provides a GUI for ease of use.
l Even machines that operate as a closed system can be eavesdropped

upon via monitoring the faint electro-magnetic transmissions generated
by the hardware such as TEMPEST.
l Wireless networks are highly hack-able.
NOTE: In the world of WLAN, a BSS refers to a set of wireless stations

which communicate with each others. The 2 types of BSS are
independent BSS and infrastructure BSS. The former is an ad-hoc
network that has no access points. The latter requires the use of
access points. Both of them are not too secure by default.
WEP is the original encryption standard for WLAN. It uses key

lengths in the range of 128-and 256-bit, but is still considered way
less secure than WPA. WPA deploys a pre-shared Shared Key for
establishing a 8-63 character passphrase.
Accidental association could be a form of attack that takes place

when one's computer latches on to an access point that belongs to a
33
Notes:
neighboring and overlapping network. Sometimes this can happen
accidentally - that is, the user has no intent to crack into the
overlapping network at all.
Access points exposed to non-filtered traffic can be vulnerable.

Broadcast traffic like OSPF, RIP and HSRP ... etc can be corrupted
through the injection of bogus reconfiguration commands.
You should always have your access points arranged in such a way
that radio coverage is available only to your desired area. Wireless
signal that "spills" outside of your desired area could be sniffed.
To further secure your WLAN you should always change the default
SSID as most hackers know most default names of most equipments.
Avoid using dictionary word to form your SSID. Use something hard
to guess.
l A computer system is no more secure than the human systems

responsible for its operation. Malicious individuals have regularly
penetrated well-designed, secure computer systems by taking advantage
of the carelessness of trusted individuals, or by deliberately deceiving
them. The availability of the internet makes penetration even easier as
everything is now connected. Attacking web servers had become an exciting yet
enjoyable challenge by hackers.
34
Notes:
NOTE: In a web infrastructure you have router, firewall and a web server.
Web server serves requests through port 80 and 443 (SSL). Different
servers work slightly differently, thus having different vulnerabilities.
Scanning tools may, through the active ports and obtaining response,
to identify the target servers and carry out possible attacks. This is
especially true for web server software that has too many ports other
than the required ports opened.
IIS can be extremely vulnerable if you simply follow the default

installation options. Windows and IIS always install and configure
superfluous services that are unpatched, which are the easy targets.
Another problem is that IIS uses a few built-in default accounts that
are weakly protected. You should change the defaults - change the
account names and the passwords whenever possible. Close all
unnecessary ports too.
Part of the reason why IIS is so vulnerable is that it runs on

Windows, which is not a very secure platform by design.
Null sessions are no good - they allow attacker to extract system

critical information such as user account names. NT, 2000 and
Windows Server 2003 domain controllers are believed to be
susceptible to enumeration via null sessions. One way to prevent this
is to block UDP port 137 and 138, TCP port 139 and 445. You want
to do this via a firewall at the edge of the network.
35
Notes:
Another vulnerability on Windows is the inter-process
communications (IPC) mechanism. It is a mechanism that allows a
process to communicate with another. This can take place on
different computers that are connected through a network, that is
why it can be bad - real bad.
l Social engineering is a collection of techniques used to manipulate

people into performing actions or divulging confidential information.
While similar to a confidence trick or simple fraud, the term typically
applies to trickery for information gathering or computer system access.
l Denial of service (DoS) attacks are not primarily a means to gain

unauthorized access or control of a system. They are instead designed
to render it unusable. Attackers can deny service to individual victims,
such as by deliberately guessing a wrong password 3 consecutive time
and thus causing the victim account to be locked, or they may overload
the capabilities of a machine or network and block all users altogether.
These types of attack are, in practice, very hard to prevent, because the
behavior of whole networks needs to be analyzed, not only of small
pieces of code. Distributed denial of service (DDoS) is even worse - a
large number of compromised hosts are used to flood a target system
with network requests, thus attempting to render it unusable through
resource exhaustion.
36
Notes:
l Many computer manufacturers used to preinstall backdoors on their
systems to provide technical support for customers. With the existences
of backdoors, it is possible to bypass normal authentication while
intended to remain hidden to casual inspection. The backdoor may take
the form of an installed program or could be in the form of an existing
"legitimate" program, or executable file.
NOTE: A backdoor refers to a generally undocumented means of getting

into a system, mostly for programming and
maintenance/troubleshooting needs. Most real world programs have
backdoors.
On Windows some backdoor programs may get themselves installed

to start when the system boots. You want to know if there are
services that are somewhat configured to automatically start - they
may be Trojan horse or backdoor program.
l A specific form of backdoors is rootkit, which replaces system binaries

of the operating system to hide the presence of other programs, users,
services and open ports.
37
Notes:
NOTE: rootkit originally describes those recompiled Unix tools that would
hide any trace of the intruder. You can say that the only purpose of
rootkit is to hide evidence from system administrators so there is no
way to detect malicious special privilege access attempts.
l To some, secrecy means security so closed source software solutions

are preferable. In the modern days this may not always be true. With
the open source model, people may freely revise and inspect codes so
back doors and other hidden tricks / defects can hardly go undetected.
l Malware is software designed to infiltrate or damage a computer system

without the owner's informed consent. It is a blend of the words
"malicious" and "software". The expression is a general term used by
computer professionals to mean a variety of forms of hostile, intrusive,
or annoying software or program code. Software is considered malware
based on the intent of the creator rather than any particular features. It
includes computer viruses, worms, trojan horses, spyware, adware, and
other unwanted software.
38
Notes:
NOTE: As a common type of Trojan horses, a legitimate software might
have been corrupted with malicious code which runs when the
program is used. The key is that the user has to invoke the program
in order to trigger the malicious code. In other words, a trojan horse
simply cannot operate autonomously. You would also want to know
that most but not all trojan horse payloads are harmful - a few of
them are harmless. Most trojan horse programs are spread through e-
mails. Some earlier trojan horse programs were bundled in "Root
Kits". For example, the Linux Root Kit version 3 (lrk3) which was
released in December 96 had tcp wrapper trojans included and
enhanced in the kit.
Keystroke logging (in the form of spyware) was originally a function

of diagnostic tool deployed by software developers for capturing
user's keystrokes. This is done for determining the sources of error
or for measuring staff productivity. Imagine if someone uses it to
capture user input of critical business data such as CC info ... You
may want to use anti spyware applications to detect and clean them
up. Web-based on-screen keyboards may be a viable option for web
applications.
39
Notes:
NOTE: The majority of malware and viruses exploit known vulnerabilities in
popular OS. They typically come out within days after a vulnerability
is announced. One way to protect your computers against these
threats is to keep your OS and software security updates as current as
possible through applying service packs, patches and hot fixes.
l The best-known types of malware are viruses and worms, which are
known for the manner in which they spread, rather than any other
particular behavior. Originally, the term computer virus was used for a
program which infected other executable software, while a worm
transmitted itself over a network to infect computers. More recently,
the words are often used interchangeably.
NOTE: Nonresident viruses proactively and immediately search for victims

to infect and then transfer control to the infected application
program. Resident viruses don't do that. Instead, they wait in
memory on execution and infect new victims that are invoked on the
system. Modern anti virus software can fight against both. Examples
of modern AV software includes Norton AV, PC Tools AV, AVG
Pro, F-Prot, and NOD32.
Note that viruses that are capable of rewriting themselves

dynamically to avoid getting detected are metamorphic. The core of
40
Notes:
the payload of these viruses is a metamorphic engine.
l Direct access attacks may be conducted through the use of common

consumer devices. For example, someone gaining physical access to a
computer can install all manner of devices to compromise security,
including operating system modifications, software worms, keyboard
loggers, and covert listening devices. The attacker can also easily
download large quantities of data onto backup media or portable
devices.
To secure a system, one should aim at reducing vulnerabilities. For example,

in order to harden a Linux system you would first disable any unnecessary
services/ports, and then have the rlogin service disabled. Unnecessary
TCP/UDP ports should be closely monitored. Similar things could be done
on Windows.
Computer code is regarded by some as just a form of mathematics. It is

theoretically possible to prove the correctness of computer programs
41
Notes:
though the likelihood of actually achieving this in large-scale practical
systems is regarded as unlikely in the extreme by most with practical
experience in the industry. In practice, only a small fraction of computer
program code is mathematically proven, or even goes through
comprehensive information technology audits or inexpensive but extremely
valuable computer security audits.
On the other hand, it is technically possible to protect messages in transit by

means of cryptography. You may also work at preventing information
leakage. Information Leakage Detection and Prevention (ILD&P or ILDP)
is a computer security term referring to systems designed to detect and
prevent the unauthorized transmission of information from the computer
systems of an organization to outsiders.
Audit questions related to cryptography may include:
l Does your organization use cryptographic technology to protect

sensitive information during transmission? Does the technology you
use provide a digital signature capability for messages containing
sensitive information?
l Does your organization use cryptographic technology to protect
sensitive information stored in the system and in archives?
42
Notes:
l Does your organization have a policy that clearly states when
information is to be encrypted?
In some systems, non-administrator users are over-privileged by design, in

the sense that they are allowed to modify internal structures of the system.
In some environments, users are over-privileged because they have been
inappropriately granted administrator or equivalent status. In some worst
case scenarios, administrators are like cow boys who often go wild. Relevant
questions to ask in this regard may include:
l How many system administrators does your organization have?

l Do your system administrators work full-time as system administrators?
What if they also work for someone else...
l Are your system administrators contractor employees? How much
control you want them to be able to exercise?
l Is there segregation of duties among system administrators?
l Does each system administrator have a delegate and/or backup person?
What can they perform on the systems?
l Are program modifications approved by the configuration control
function required to be installed by system administrators?
l Is there consistency in the implementation of security procedures by
system administrators in the organization?
43
Notes:
Technically speaking, all Social Engineering techniques are based on flaws
in human logic known as cognitive biases. These bias flaws are used in
various combinations to create attack techniques. For example, pretexting is
the act of creating and using an invented scenario (the pretext) to persuade a
target to release information or perform an action and is usually done over
the telephone. It's more than a simple lie as it most often involves some
prior research or set up and the use of pieces of known information to
establish legitimacy in the mind of the target. Phishing, on the other hand,
applies to email appearing to come from a legitimate business requesting
"verification" of information and warning of some dire consequence if it is
not done. Sadly, social engineering and direct computer access attacks can
only be effectively prevented by non-computer means, which can be
difficult to enforce, relative to the sensitivity of the information. Social
engineering attacks in particular are very difficult to foresee and prevent.
Remember, in the real world the most security comes from operating
systems where security is not an add-on but a built-in (such as the IBM
OS/400).
44
Notes:
Security measures
A state of computer "security" is the conceptual ideal, attained by the use of

the processes of Prevention, Detection, and Response.
Prevention:
User account access controls and cryptography can protect systems files and
data, respectively. Firewalls are by far the most common prevention systems
from a network security perspective as they can shield access to internal
network services, and block certain kinds of attacks through packet filtering.
NOTE: Stateful firewall can determine whether an IP packet belongs to a

new connection or is actually part of an existing connection. Packet
filter does not care about this at all.
To prevent messages from being intercepted during transmission over the

network, technologies like IPSec and SSL should be considered.
45
Notes:
NOTE: IPsec is different from SSL in that it runs at layer 3, so it can protect
both TCP and UDP traffic. SSL operates from the transport layer up
so less flexibility can be offered. The goal of SSL is to provide
endpoint authentication as well as communications privacy via
cryptography.
Symmetric key algorithms use trivially related (or even identical)

cryptographic keys for decryption and also encryption. They use
much less computational power, but would require the use of a
shared secret key on each end. The storage and exchange of such
shared secret can be a source of security risk. Asymmetric key
algorithms use different keys so they don't have to worry about the
shared secret but they consume way more CPU power.
RSA is an example of asymmetric algorithm. With both a public key

and a private key, it is used primarily for public key encryption. It is,
in fact, suitable for both signing and encryption. However, adaptive
chosen ciphertext attack can be used against RSA encrypted
messages. Also, timing attacks can be used against RSA's signature
scheme.
In addition to message encryption, you may want to enforce non-

repudiation. You may use a public key certificate (one that
incorporates a digital signature) to bind a public key with an identity.
In a PKI, the signature is typically of a Certificate Authority.
In a typical PKI a hash function is often used to turn data into a

smaller number which serves as a digital sort of fingerprint. In
46
Notes:
cryptography, a good hash function allows for "one-way" operation,
meaning there is almost no way to calculate the data input value.
SHA is one example. It has several variants, which are SHA-1, SHA-
224, SHA-256, SHA-384, and SHA-512. They are designed by the
NSA and published thru the NIST. MD5 is another example. It uses
a 128-bit hash value to create a hash that is typically a 32 character
hex number.
Detection:
Intrusion Detection Systems are designed to detect network attacks in
progress and assist in post-attack forensics, while audit trails and logs serve
a similar function for individual systems.
NOTE: A typical IDS has a few components, such as sensors which detect
and generate security events, a console interface for you to monitor
events and alerts plus managing the setup, and an engine which
records and analyzes the logged events. These components work
together such that a suspected intrusion may be evaluated and
signaled (through an alert or an alarm). One may, however, flood an
IDS with way too many traffic such that the IDS is too busy keeping
up with the pace.
47
Notes:
Response:
"Response" is necessarily defined by the assessed security requirements of
an individual system and may cover the range from simple upgrade of
protections to notification of legal authorities, counter-attacks, and the like.
Example audit questions:
l Does your organization have an Internet access policy?
l How are network services accessed by members of your organization?
l Is back door access by unapproved means possible?
l Does your organization have a firewall? If so, how is it configured? What

services are accessible by external users inside and outside of this firewall?
l Does your organization have an IDS? If so, who defines the IDS
knowledge base?
l Who has external remote access to your organization’s systems?
l Is your network’s internal architecture hidden from untrusted external

users?
48
Notes:
l Do you have any established session control practices in place?
Standards and guidelines
ISACA has become a pace-setting global organization for information

governance, control, security and audit professionals. Their IS auditing and
control standards are followed by many.
Apart from guidelines published by ISACA, you may also refer to the SoGP.
The Standard of Good Practice (SoGP) is a detailed documentation of best
practices for information security. It is published and revised biannually by the
Information Security Forum (ISF), an international best-practices organization.
The Standard is developed from research based on the actual practices of and
incidents experienced by major organizations. Its relatively frequent update
cycle of two years also allows it to keep up with technological developments
and emerging threats. In fact, the Standard is used as the default governing
document for information security behavior by many major organizations, by
itself or in conjunction with other standards such as ISO 17799 or COBIT.
49
Notes:
One of the most widely used security standards today is ISO 17799 which
started in 1995. This standard consists of two basic parts. BS 7799 part 1 and
BS 7799 part 2 both of which were created by (British Standards Institute) BSI.
Recently this standard has become ISO 27001. The National Institute of
Standards and Technology (NIST) has released several special papers
addressing cyber security. Three of these special papers are very relevant to
cyber security: the 800-12 titled “Computer Security Handbook”; 800-14 titled
“Generally Accepted Principals and Practices for Securing Information
Technology;” and the 800-26 titled “Security Self-Assessment Guide for
Information Technology Systems”.
ISO 17799 states that information security is characterized by integrity,

confidentiality, and availability. The ISO 17799 standard is arranged into eleven
control areas; security policy, organizing information security, asset
management, human resources security, physical and environmental security,
communication and operations, access controls, information systems
acquisition/development/maintenance, incident handling, business continuity
management, compliance.
The Sarbanes–Oxley Act of 2002 (commonly called SOX or SarBox) is a

United States federal law passed in response to a number of major corporate
50
Notes:
and accounting scandals. One major provision of the act is the creation of the
Public Company Accounting Oversight Board (PCAOB). The PCAOB
suggests considering the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) framework (which will be addressed later) in
management/auditor assessment of controls. Auditors have also looked to the
IT Governance Institute's "COBIT: Control Objectives of Information and
Related Technology" for more appropriate standards of measure. Since the
financial reporting processes of most organizations are driven by IT systems, it
is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing
Standard 2" states:
"The nature and characteristics of a company's use of information technology

in its information system affect the company's internal control over financial
reporting."
Chief information officers are responsible for the security, accuracy and the
reliability of the systems that manage and report the financial data. IT systems
are deeply integrated in the initiating, authorizing, processing, and reporting of
financial data. As such, they are inextricably linked to the overall financial
reporting process and would therefore have to be assessed, along with other
important process for compliance with Sarbanes-Oxley Act.
51
Notes:
The SEC identifies the COSO framework by name as a methodology for
achieving compliance. The COSO framework defines five areas, which when
implemented, can help support the requirements as set forth in the Sarbanes-
Oxley legislation. These five areas and their impacts for the IT Department are
Risk Assessment, Control Environment, Control Activities, Monitoring, and
Information & Communication.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)

is a U.S. private-sector initiative. Formed in 1985, its major objective is to
identify the factors that cause fraudulent financial reporting and to make
recommendations to reduce its incidence. COSO has established a common
definition of internal controls, standards, and criteria against which companies
and organizations can assess their control systems.
The Federal Information Security Management Act (FISMA) is a US federal

law enacted way back in 2002. It imposes a mandatory set of processes that
have to be followed for information systems operated by a government agency
or by a contractor which works on behalf of the agency. The Federal
Information Processing Standards (FIPS), on the other hand, are a set of
publicly announced standards developed by the US government for use by
52
Notes:
non-military government agencies and their contractors. FIPS 46 in particular
covers some major Data Encryption Standards, while FIPS 140 covers security
requirements for cryptography modules.
ISO 27001 sets out the requirements for information security management
systems. On the other hand, ISO 27002 offers a code of practice for
information security management.
British Standard 7799 Part 3 provides guidelines for information security risk
management. COBIT links IT initiatives to business requirements, organises IT
activities into a generally accepted process model, identifies the major IT
resources to be leveraged and defines the management control objectives to be
considered. ITIL (or ISO/IEC 20000 series) focuses on the service processes
of IT and considers the central role of the user.
Trusted Computer System Evaluation Criteria (TCSEC) has classification on

the various security requirements based on the evaluation of functionality,
effectiveness and assurance of operating systems for the government and
military sectors. TCSEC was introduced in 1985 and retired in 2000.
53
Notes:
Information Technology Security Evaluation Criteria (ITSEC) is the first single
standard for evaluating security attributes of computer systems by the countries
in Europe.
Common Criteria (also known as ISO/IEC 15408) combines and aligns

existing and emerging evaluation criteria with a collaborative effort among
national security standards organisations of Canada, France, Germany, Japan,
Netherlands, Spain, UK and US. Common Criteria Evaluation and Validation
Scheme (CCEVS) establishes a national program for the evaluation of
information technology products for conformance to the International
Common Criteria for Information Technology Security Evaluation.
ISO/IEC 13335 (IT Security Management) offers a series of guidelines for

technical security control measures. On the other hand, the Payment Card
Industry Data Security Standard offers 12 core security requirements, which
include security management, policies, procedures, network architecture,
software design and other critical measures.
54
Notes:
IS Organization and Information Assets
Protection
There must be a proper Information Management Policy in place and

integrated with the Information Security Policy. This policy should clearly
define information as an asset of the business unit that needs protection, and
that local business managers are the owners of information who are ultimately
held responsible. In fact, to get the staff really serious about information
security, it is necessary to define roles and responsibilities of those involved in
the ownership and classification of information.
No organization on earth has unlimited resources. You just cannot protect

everything to the fullest extent. Therefore it is important for you to classify the
information assets and then allocate resources accordingly. You also need to
know whether it is cost effective to protect a certain information asset – what if
the protection measure itself costs even more to implement? However, you
must assess the cost element accurately and comprehensively. Some costs may
not be easily quantified even though they could hurt big time when things go
wrong (legal cost as an example).
55
Notes:
The stakeholders
A critical factor in protecting information assets is laying the foundation for

effective information security management. In fact, commercial, competitive
and legislative pressures from around the business environment often require
the implementation of proper security policies and related logical access
controls. Security failures are often costly to business. Losses may be suffered as
a result of the failures or costs may be incurred when recovering from the
security incident, followed by more costs to secure the systems and prevent
repeated failures. Job positions within an organization that have information
security responsibilities may include and not limited to the following:
l Executive management (Senior management, Directors …etc)
l Security committee
l Data owners
l Process owners
l IT developers
l Security specialists
l Auditors
56
Notes:
l Users
The board
The board of directors and senior management are responsible for ensuring
that the organization's system of internal controls is operating effectively. An
“audit committee” should be appointed to oversee audit functions and to
report on audit matters periodically to the board. FYI, in order to comply with
the Sarbanes-Oxley Act of 2002, public stock-issuing institutions are required to
appoint outside directors as audit committee members. On the other hand, all
members of a stock-issuing institution’s audit committee must be members of
the board of directors and be independent.
The ability of the audit function to achieve desired objectives depends largely
on the independence of audit personnel. This is especially true if the auditors
are internal auditors rather than outside auditors.
The board of directors should ensure that written guidelines for conducting IT
audits have been adopted, and should assign responsibility for the internal audit
57
Notes:
function (IT audit is commonly conducted in-house by the internal audit
function) to a member of management who has sufficient audit expertise and is
independent of the other business operations of the organization. In general,
the position of the auditor within the organizational structure, the reporting
authority for audit results, and the auditor’s responsibilities should indicate the
degree of auditor independence within the organization. The board should do
its best to ensure that the audit department does not participate in activities that
may compromise, or appear to compromise, its independence. These activities
may include preparing reports or records, developing procedures, or
performing other operational duties normally reviewed by auditors. Keep in
mind, the auditor’s independence may also be determined by analyzing the
reporting process and verifying that management does not interfere with the
candor of the findings and recommendations.
The audit manager
The audit manager is responsible for implementing board-approved audit

directives. This manager should oversee the audit function and provides
leadership and direction in communicating and monitoring audit policies,
practices, programs, and processes conducted by the internal audit staff. The
extent of external audit work (if any) should be clearly defined in a separate and
formal engagement letter. This letter should discuss the scope of the audit, the
58
Notes:
objectives, resource requirements, audit timeframe, and resulting reports. Expect
a bunch of meetings, coordination, collaboration, and conflicts between the outside guys and the
insiders.
Audit personnel
The auditors, whether internal or external, should in any case be granted the
authority to access records and staff necessary to perform auditing and
reporting. In fact, for any audit effort to be successful, a reporting line MUST
be identified to the highest level of the organization. The auditor's right of
access to information must be clearly identified early in the process.
Management should be required to respond formally, and in a timely manner,
to significant adverse audit findings by taking appropriate corrective action. The
auditors in turn should discuss their findings and recommendations periodically
with the audit committee.
Personnel performing IT audits should have information systems knowledge

commensurate with the scope and sophistication of the organization’s IT
environment and possess sufficient analytical skills to determine and report the
59
Notes:
root cause of deficiencies (they don't have to be CISA certified - although
certification is a "plus").
Sometimes the audit function will be requested to take a role in the

development, acquisition, conversion, and testing of major applications. It is
necessary that such participation be independent and objective. Auditors can
determine and should recommend appropriate controls to project management.
However, such recommendations should not pre-approve the controls. At the
most they should only guide the developers in considering appropriate control
standards and structures throughout their project.
60
Notes:
IS Controls
The importance of the use of controls
According to the internal control principle (GASSP), information security

forms the core of an organization's information internal control system, that
"the internal control standards define the minimum level of quality acceptable
for internal control systems in operation and constitute the criteria against
which systems are to be evaluated. These internal control standards apply to all
operations and administrative functions but are not intended to limit or
interfere with duly granted authority related to development of legislation, rule-
making, or other discretionary policymaking in an organization or agency."
There are many ways to classify controls. From an IS perspective, some said
they may be generally classified as physical, technical, or administrative in nature.
Some said that they can be further classified as either preventive or detective.
Three other types of controls, namely deterrent, corrective, and recovery, may
further supplement such classification.
61
Notes:
Classification of controls
l Examples of physical controls include locks, security guards, badges,

alarms, and similar measures to control access to computers, related
equipment, and the processing facility itself.
l Technical controls refer to safeguards incorporated in computer hardware,

operations or applications software, communications hardware and
software, and related devices. They are sometimes referred to as logical
controls.
l Administrative controls refer to management constraints, operational

procedures, accountability procedures, and supplemental administrative
controls established for providing an acceptable level of protection for
computing resources.
l Preventive controls attempt to avoid the occurrence of unwanted events.

Detective controls, on the other hand, attempt to identify unwanted events
after they have occurred. Deterrent controls attempt to discourage
individuals from intentionally violating information security policies or
procedures by making it difficult or even undesirable to perform
unauthorized activities. Corrective controls, on the other hand, attempt to
62
Notes:
remedy the circumstances that allowed the unauthorized activity and return
conditions to what they were before the violation.
l Recovery controls attempt to restore lost resources or capabilities and help

the organization recover losses caused by a security violation.
General Controls VS Application Controls
From a broader perspective, you can view controls as either General Controls
or Application Controls. General controls are about the overall information-
processing environment. They include:
l Organizational Controls (in particular the segregation of duties controls).
l Data Center and Network Operations Controls
l Hardware & Software Acquisition and Maintenance Controls
l Access Security Controls
l Application System Acquisition, Development, and Maintenance Controls
63
Notes:
Application controls, on the other hand, cover the processing of individual
applications and help ensure the completeness and accuracy of transaction
processing, authorization, and validity. They typically include:
l Data Capture Controls to ensure that all transactions are properly recorded
in the application system
l Data Validation Controls to ensure that all transactions are properly valued.
l Processing Controls to ensure the proper processing of transactions.
l Output Controls to ensure that computer output is not distributed to

unauthorized users.
l Error Controls to ensure that errors are corrected and properly

resubmitted at the correct point in processing.
Keep in mind that different types of network model often require the use of
different combinations of control. You must have basic foundation knowledge
on networking in order to pick the correct answers. Know LAN networking
and WAN networking. Know distributed computing and client server
64
Notes:
computing. Know server computing and thin client computing. Don’t attempt
to take the exam until you are completely familiar with these basic concepts.
Tests of controls refer to audit procedures that are performed to evaluate

the effectiveness of either the design or the operation of the internal
controls in question. A CISM plans and implements the needed controls.
A CISA, on the other hand, tests these controls.
65
Notes:
Access Control and the Auditing Process
Access control protects your systems and resources from unauthorized access.
An access control model is a framework that dictates how subjects access
objects. The most popular models are: mandatory access control, discretionary
access control and role-based access control. Even though these models are
often associated with IT technology, try to think of them as security
management principles – they can be applied to disciplines other than IT.
Access Control Models
The decision of what access control models to implement is based on

organizational policy and on two generally accepted standards of practice,
which are separation of duties and least privilege. Controls (in the context of
Access Control) may be characterized as either mandatory or discretionary.
With mandatory controls, only administrators may make decisions that bear on
or derive from the predefined policy. Access controls that are not based on
66
Notes:
established policy may be characterized as discretionary controls (or need-to-
know controls).
With the Discretionary model, the creator of a file is the ‘owner’ and can grant
ownership to others. Access control is at the discretion of the owner. Most
common implementation is through access control lists. Discretionary access
control is required for the Orange Book “C” Level.
Mandatory controls are prohibitive and permissive. With the Mandatory model,
control is based on security labels and categories. Access decisions are based on
clearance level of the data and clearance level of the user, and, classification of
the object. Rules are made by management, configured by the administrators
and enforced by the operating system. Mandatory access control is required for
the Orange Book “B” Level.
With the Role-Based model, access rights are assigned to roles – not directly to
users. Roles are usually tighter controlled than groups - a user can only have
one role.
67
Notes:
ACLs VERSUS Capabilities
The two fundamental means of enforcing privilege separation and

controlling access are access control lists (ACLs) and capabilities. The
semantics of ACLs have been proven to be insecure in many situations. It
has also been shown that ACL's promise of giving access to an object to
only one person can never be guaranteed in practice. Both of these
problems are resolved by capabilities. This does not mean practical flaws
exist in all ACL-based systems, but only that the designers of certain utilities
must take responsibility to ensure that they do not introduce flaws.
For various historical reasons, capabilities have been mostly restricted to

research operating systems and commercial OSes still use ACLs.
Capabilities can, however, also be implemented at the language level, leading
to a style of programming that is essentially a refinement of standard object-
oriented design. A reason for the lack of adoption of capabilities may be
that ACLs appeared to offer a quick fix for security without pervasive
redesign of the operating system and hardware.
68
Notes:
What is Orange Book, by the way?
Orange Book refers to the US Department of Defense Trusted Computer

System Evaluation Criteria. Although originally written for military systems, the
security classifications are now broadly used within the computer industry.
The Orange Book security categories range from D (Minimal Protection) to A

(Verified Protection):
D - Minimal Protection - Any system that does not comply to any other
category, or has failed to receive a higher classification.
C - Discretionary Protection - applies to Trusted Computer Bases (TCBs) with

optional object (i.e. file, directory, devices etc.) protection.
B - Mandatory Protection - specifies that the TCB protection systems should be
mandatory, not discretionary.
A - Verified Protection - the highest security division.

Further information on the Orange Book categories can be found here:
http://www.dynamoo.com/orange/summary.htm
69
Notes:
Types of Access Control
To ensure that access controls adequately protect all of an organization’s

resources, it is recommended that you first categorize the resources that need
protection.
In an access control model, there are subject and object:
l Subject: Entity requiring access to an object – user, process. (Active).
l Object: Entity to which access is requested – file, process. (Passive).

Access control information can be viewed as a matrix with rows representing
the subjects, and columns representing the objects.
Access control consists of the following primary areas:
l Identification
l Authentication
l Authorization
70
Notes:
l Accountability
The AAA concept
The three “As” are often being referred to as the AAA concept. The general
types of authentication are:
l Something a person knows (eg. password)
l Something a person has (eg. ID card)
l Something a person is (eg. role and title)
Strong authentication requires two of the above and is known as two-factor

authentication.
Authentication is the first line of defense. Questions you may ask here:
l What password rules are enforced, in particular in terms of length and

alphanumeric combinations?
l How often are users required to change their passwords?

71
Notes:
l Does your system use a password cracker to identify nonsecure passwords?
l Does your organization keep a password history file?
l Do users have unique authentication for different types of access?
l Does your organization use authentication other than reusable passwords?

Any policy for use of such authentication?
Authorization determines if you can carry out the requested actions. Access
criteria types include and not limited to:
l Roles
l Groups
l Physical or logical location
l Time of day
l Transaction type
l … etc
72
Notes:
A common practice is to have all access criteria default to “no access” at the
very beginning, although this may not be always true in modern days OS for
usability sake (for example, in earlier Windows everyone has full control by
default).
Authentication deals with how one’s user account is established. There are also
issues dealing with how such account should be handled and protected (i.e. user
account management) . Some questions you may ask include:
l Is logoff at the end of the day required?
l Are there automatic session timeouts?
l Can a user use a password to lock the screen?
l Does an unsuccessful logon indicate the cause of failure?
l Under what circumstances are accounts locked?
l Is the user informed about the last successful/unsuccessful logon attempt?
73
Notes:
Establishing Accountability through event logging
Accountability determines who is responsible for a particular action taken. To

properly establish accountability, audit trail and logging facility must be available.
As an example, here is a list of what should be logged in a networked
environment:
· System startup
· System shutdown
· File system full
· Hardware failures
· Logins: failed and successful / local or remote
· Account creation: failed and successful;
· Account modification: failed and successful; assigning, changing or

removing rights and privileges
· Account removal: failed and successful

74
Notes:
· Account disabled
· Password/security information copied: failed and successful
· System configuration change: failed and successful
· Operating system patch applied
· Network connections: failed and successful
· Audit logs modification: failed and successful
· Object access: failed and successful
The audit process
You need to know the fundamentals of auditing – not just IS auditing, but
auditing in general.
Most CISA study text books in the market fail to give a complete and clear
picture of the auditing process as a whole. We will fill this gap here.
75
Notes:
At the end of this e-book there is a sample IS Audit Questionnaire. Go
through that Questionnaire and you will understand exactly what are
expected to be accomplished by an IS audit.
Note that several information technology audit related laws and regulations
have been introduced since 1977. These include the Gramm Leach Bliley Act,
the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability
Act, the London Stock Exchange Combined Code, King II, and the Foreign
Corrupt Practices Act. You are expected to understand what they are for.
* Health Insurance Portability and Accountability Act (HIPAA)
* Gramm-Leach-Bliley Act (GLBA)
* Sarbanes-Oxley Act (SOX)
* Foreign Corrupt Practices Act (FCPA)
The Sarbanes–Oxley Act and the COSO framework
76
Notes:
The Sarbanes–Oxley Act of 2002 (commonly called SOX or SarBox) is a
United States federal law passed in response to a number of major corporate
and accounting scandals. One major provision of the act is the creation of the
Public Company Accounting Oversight Board (PCAOB). The PCAOB
suggests considering the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) framework in management/auditor
assessment of controls. Auditors have also looked to the IT Governance
Institute's "COBIT: Control Objectives of Information and Related
Technology" for more appropriate standards of measure.
Since the financial reporting processes of most organizations are driven by IT

systems, it is apparent that IT plays a vital role in internal control. As PCAOB's
"Auditing Standard 2" states:
"The nature and characteristics of a company's use of information technology

in its information system affect the company's internal control over financial
reporting."
Chief information officers are responsible for the security, accuracy and the
reliability of the systems that manage and report the financial data. IT systems
77
Notes:
are deeply integrated in the initiating, authorizing, processing, and reporting of
financial data. As such, they are inextricably linked to the overall financial
reporting process and would therefore have to be assessed, along with other
important process for compliance with Sarbanes-Oxley Act.
The SEC identifies the COSO framework by name as a methodology for

achieving compliance. The COSO framework defines five areas, which when
implemented, can help support the requirements as set forth in the Sarbanes-
Oxley legislation. These five areas and their impacts for the IT Department are
Risk Assessment, Control Environment, Control Activities, Monitoring, and
Information & Communication.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)

is a U.S. private-sector initiative. Formed in 1985, its major objective is to
identify the factors that cause fraudulent financial reporting and to make
recommendations to reduce its incidence. COSO has established a common
definition of internal controls, standards, and criteria against which companies
and organizations can assess their control systems.
78
Notes:
What is auditing, by the way?
“An audit is a management instrument which can identify the improvement potential of
business processes (process audit) or of the management system as a whole (system audit). At
the same time, audits allow the supervision of already started measures. Audits therefore help
to improve the effectiveness of management systems and consequently the whole company
organization”1.
An audit:
o compares your actual process against your documented process
o reports to what extent you are following your document process.
o acts as a verification exercise - if you think you are following your

documented process but you do not verify this with an audit, there is a
very good chance that you are not actually following your own processes.
o the audit process is not a process of criticizing anyone or anything in any

way
1 http://www.experteam.de/starte/leistungen/Themen/SWQualitaetsmanagement/Auditierung.html
79
Notes:
“Every successful audit is based on sound planning and an atmosphere of constructive
involvement and communication between the client and the auditor”2.
A Security Audit refers to the process or event with the security policy or
standards as a basis to determine the overall state of the existing protection and
to verify whether existing protection has been performed properly. It needs to
target at and focus on finding out whether the current environment is securely
protected in accordance with the defined security policy. A security audit would
therefore require a complete inventory list and audit checklists, which may
cover different areas of IT such as web application, network architecture,
wireless network, etc. It would practically involve the use of security audit tools
and different review techniques for revealing the security loopholes.
In the context of IT security, an audit is not the same as an assessment. Security

Risk Assessment is a process of evaluating security risks related to the use of
information technology. It is conducted at the very beginning for identifying
what security measures are required and when there is a change to the
information asset or its environment. On the other hand, a Security Audit is a
2 http://www.auditnet.org/process.htm
80
Notes:
repetitive checking process to ensure that these security measures are properly
implemented from time to time. You may safely conclude that Security Audit is
performed more frequently than Security Risk Assessment.
The success of every audit is based on careful planning and preparation. It is

directly dependent on the knowledge and degree of experience of the auditors.
Consistent reprocessing of the audit results and the supervised implementation
of defined correction and improvement measures ensure the benefits for the
audited organization and its processes.
In the context of IT:
Formerly called an Electronic data processing (EDP) audit, an IT audit refers to

the process of collecting and evaluating evidence of an organization's
information systems, practices, and operations. Obtained evidence evaluation
can be used to ensure whether the organization's information systems safeguard
assets, maintains data integrity, and is operating effectively and efficiently to
achieve the organization's objectives.
81
Notes:
NOTE: Auditing allows one to define the sequence of steps which occurred
prior to a security incident. Traceability is the key. In practice, good
IS security procedures often specify the use of software and/or other
mechanisms which comes with some sort of automatic auditing
facility for providing traceability.
Gathering reliable information to perform an IT audit requires a review of all of

the available written documents on each area of control as well as each critical
asset element, in addition to interviews.
The role of an auditor
The role of an auditor is to review the integrity of the subject in question. The
auditor does not participate in the creation or implementation of the subject.
He is merely an observer, an examiner and a reviewer.
One major duty of an IS Auditor is to audit the access control

mechanisms currently in place.
82
Notes:
Keep in mind, auditor's active participation in the procedure being audited
would be a potential conflict of interest. That is why a former programmer of
the developer team shouldn’t be assigned to audit the work of the developer
team at present.
An auditor acts for the best interest of the client. He/she must place the
responsibilities to be extremely fair and honest ahead of his/her own
interest. This is what FIDUCIARY RESPONSIBILITY is all about.
The Audit process flow
Information Security Auditing covers topics from auditing the physical security
of data centers to the auditing logical security of databases and highlights key
components to look for and different methods for auditing these areas. To be
effective and efficient, one should be adequately educated about the
organization and its critical business operations through the following activities:
l Meet with IT management to determine possible areas of concern
l Review the current IT organization chart

83
Notes:
l Review job descriptions of involved employees
l Research all operating systems, software applications and equipment

operating within the organization
l Review the overall IT policies and procedures
l Evaluate the organization's IT budget and systems planning

documentation
l Review the organization's disaster recovery plan
Following is a list of objectives one as an IS auditor should review for

identifying audit risks in the operating environment and assessing the controls
in place that may mitigate those risks.
l Personnel procedures and responsibilities
l Change management processes are in place and properly followed
l Appropriate back up procedures are in place to minimize downtime and

prevent loss of important data
l The workplace has adequate physical security controls to prevent

unauthorized access Information Assets
84
Notes:
l Adequate environmental controls are in place to ensure equipments are
protected from natural disasters
Below is the audit flow chart developed by UNISA of Australia. Different types
of audit conducted in different industries may have variations to this “model
flow”, and this chart is shown here to give you an idea of how the pros conduct
a planned audit in the real world.
85
Notes:
86
Notes:
87
Notes:
Overall Strategies
General Principles for Developing an Audit Strategy include:

In order to have an appropriate auditing strategy and to avoid unnecessary
auditing, you must have a clear understanding of the reasons for auditing.
Additionally, in order to prevent unnecessary audit information from cluttering
the meaningful information, it is important to audit the minimum number of
statements, users, or objects required to get the targeted information.
General Principles for Auditing Suspicious IS Activity:
Audit generally, then specifically. In other words, enable general audit options at
first, then use more specific audit options. This will help the auditor gather the
evidence required to make concrete conclusions regarding the origins of
suspicious activity. Remember to protect the audit trail so that audit
information cannot be added, changed, or deleted without being audited.
General Principles for Auditing Normal IS Activity:
88
Notes:
This refers to the process of gathering historical information about particular IS
activities. In order to avoid cluttering the meaningful information with useless
audit information, you should audit only the targeted activities. After you have
collected the required information, archive audit records that are of interest and
purge the audit trail of this information.
NOTE: Effective audit trails in the practical world should at the least
document each action requested, detect any changes made or
attempted, and create a log of all the missed attempts. The log should
be consistent and patterned by items such as user session and
date/time, plus showing the command issued and the files affected.
The log should be stored in a hidden location, using some sort of
separately identifiable encrypted formats.
You should log the activities of both the regular users and the power users
(administrators …etc). Regular users tend to make careless mistakes, while
power users are capable of making intentional errors.
89
Notes:
NOTE: An Administrator's Log provides a history of the actions taken by the
administrator, who has been charged with responsibility to authorize the
access and use of corporate data and application. Through this log,
actions of the administrator can be thoroughly audited to assure that
corporate policy and procedure have not been unintentionally tampered
with.
Audit Planning
An important part of the process for managing an audit function involves

planning, an activity that covers both audit administration and assignment. One
of the first tasks you must do at this planning stage is to develop a working
budget. You as the IT audit manager must know the capabilities of the audit
staff assigned to the project. In addition to budgeted time needed to perform
the audit, you should also budget time needed to train the audit staff and allow
time for any error correction purposes.
While planning the audit, you should decide what level of the risk of reaching
an incorrect conclusion based on the audit findings that is acceptable.
90
Notes:
There are 2 types of possible risk here:
l The Risk of Incorrect Acceptance – the risk that a material misstatement is

assessed as unlikely, when in fact the population is materially misstated.
l The Risk of Incorrect Rejection – the risk that a material misstatement is

assessed as likely, when in fact the population is not materially misstated.
The more effective and extensive the audit work is, the less the risk that a
weakness will go undetected and you will issue an inappropriate report. Such
audit risk is dependent on the assessed levels of inherent risk, control risk, and
detection risk (Control risk is determined by evaluating an organization’s
internal control structure. You can implement compliance testing procedures
when the effectiveness of an organization’s internal controls is evaluated. The
level of detection risk is further determined by the assessment of inherent risk
and the assessment of control risk following compliance testing). In fact, these
risks can be quite accurately determined when performing a risk assessment of
the organization.
There should also be a risk assessment process that describes and analyzes the
risks inherent in the existing IT operation. You should update the risk
assessment as necessary to reflect changes to internal control or work processes,
91
Notes:
and to incorporate new operations (if any). In fact, the level of risk should be
one of the most significant factors considered when determining the frequency
and depth of audit activities.
When assessing materiality, you should consider the aggregate level of error
acceptable to management, the IT audit committee, and the appropriate
regulatory agencies. You need to consider the potential for the cumulative
effect of small errors or weaknesses to become material. While establishing
materiality, you may audit non-financial items such as physical access controls,
logical access controls, and systems for personnel management, manufacturing
control, design, quality control, and password generation...etc etc.
The audit plan should detail the audit function’s budgeting and planning
processes. The plan should describe audit goals, schedules, staffing needs, and
reporting. The audit plan should ideally be defined by combining the results of
the risk assessment and the resources required to yield the timing and frequency
of planned audits. The audit committee should formally approve this audit plan.
The auditors should in turn report the status of planned versus actual audits
regularly.
92
Notes:
For successful audits, you need to know:
o the audit objectives
o the audit methodology
o the resource allocation
At the planning portion of the audit, an auditor should perform the following:
1. notify the client of the audit
2. discuss the scope and objectives of the examination with organization

management in a formal meeting
3. gather information on important processes
4. evaluate existing controls
5. plan the remaining audit steps
Controls that deserve your attention may include:
93
Notes:
l Interception Controls: Interception can be deterred by physical access
controls at data centers and offices. Note that encryption also helps to
secure wireless networks. You should continually evaluate your client’s
encryption policies and procedures. In particular, you should verify that
management has controls in place over the data encryption management
process. Access to keys should require dual control, keys should be
composed of two separate components and should be maintained on a
computer that is not accessible to programmers or outsiders.
l Availability Controls: The network should have redundant paths between

resources. Automatic fallback / Hot standby / Fault Tolerance
mechanisms should also be put in place.
l Access/entry point Controls: Controls at the point where the network

connects with external network for limiting the traffic that pass through
the network, such as firewalls, intrusion prevention systems, and antivirus
software.
A firewall acts as a choke point in the network where all passing-by traffics are inspected. A
proxy firewall acts as a middleman between the two parties so there is no direct connection
between them. It works by making a copy of each incoming packet, changing the source address
and then transmitting it to the final destination.
94
Notes:
Application level proxies inspect the entire packet and make filtering decisions based on both
the header information and the actual packet content. They allow for the greatest level of control
at the expense of resource consumption. Circuit level proxies make filtering decisions based on
basic information such as packet header information, IP addresses, ports, and protocol type.
They are less secure. Routers can achieve basic protection by filtering IP address through the use
of access control lists. They are never intended for providing serious firewalling service.
l Logical Security Controls: The key points in auditing logical security

include Passwords, Account Termination Procedures, Special Privileged
User Accounts, and Remote Access.
l Application Security Controls: Application Security centers around the

main functions of Programming, Processing and Access. When it comes to
programming it is important to ensure proper physical and password
protection exists around servers and mainframes for the development and
update of key systems. With processing it is important that procedures and
monitoring of a few different aspects such as the input of falsified or
erroneous data, incomplete processing, duplicate transactions and untimely
processing are in place. With access it is important to realize that
maintaining network security against unauthorized access is one of the
major focuses nowadays as threats can come from both internal and
external sources.
95
Notes:
Talking about application security, you would also need to know the different methods of
software system testing.
l With Black box testing, the tester has no previous knowledge on the test object's internal
structure and would not examine the codes involved. The test is therefore unbiased.
However, since the tester is independent of the designer, it is almost impossible to ensure
that all existent "paths" of the system are fully tested. On the contrary, White box testing
(also known as clear box testing/glass box testing/structural testing) uses an internal
perspective of the system to design test cases. Test cases are therefore designed and
implemented based on full knowledge of the test object's internal structure. The tester has
to know the codes inside and out in order to test accurately. Bias is therefore possible to
exist.
l Stress testing is a common way to test and determine the stability of a given system. It
involves testing beyond normal operational capacity in order to observe system performance
under stress. Emphasis is on robustness, availability, and error handling during heavy
workload.
l A use case is a technique commonly used for capturing functional requirements of systems.
It allows you to describe the sequences of events that, when taken together, can lead to the
completion of a particular set of system activities for achieving a particular purpose.
l Boundary value analysis is a special software testing design technique for determining test
cases that cover specifically those off-by-one errors (logical errors which involve the discrete
96
Notes:
equivalent of a boundary condition). This type of analysis is valuable as the boundaries of
input ranges to a software program are often liable to defects.
<< For an in-depth list of controls from a technical perspective, refer to

the earlier section on IS Control >>
Audit sampling, which is often desirable due to practical needs, refers to the
application of an audit procedure to usually less than 100% of the population so
you may evaluate audit evidence within a class of transactions for the purpose
of forming a conclusion concerning the population. Sampling may be done
statistically through Random Sampling or Systematic Sampling, or non-
statistically through Haphazard Sampling or Judgmental Sampling. Do note that
sample size is a factor that may affect the level of sampling risk - the smaller the
sample size the more likely you will end up with more errors.
You should also make decisions about the nature, extent, and timing of
evidence to be gathered. The types of evidence may include:
l Observed processes, such as a physical entrance security system in

operation.
97
Notes:
l Documentary audit evidence, such as activity and control logs.
l Representations, such as written policies and procedures.
l Analysis, such as comparison of error rates between applications and

transactions.
The outcomes of the audit planning stage should include:
o Announcement Letter – have the client informed of the audit through

an announcement or engagement letter. Such a letter communicates the
scope and objectives of the audit, the auditors assigned to the project
and other relevant information.
o Initial Meeting - at this meeting the client describes the unit or system
to be reviewed, the organization, available resources and other relevant
information. The client also identifies issues or areas of special concern
that should be addressed.
o Preliminary Survey - the auditor gathers relevant information about the

target unit in order to obtain a general overview of operations.
o Control Review - the auditor reviews the target unit's existing control
structure. To save time, the auditor uses a variety of tools and
98
Notes:
techniques to gather and analyze information about the operation. One
primary objective here is to determine the areas of highest risk and
design tests to be performed in the fieldwork section.
o Audit Program – the preparation of the audit program which outlines

the fieldwork necessary to achieve the audit objectives.
Keep in mind:
“The IS auditor should consider whether his or her organizational status is appropriate for the
nature of the planned audit. Where this is not considered to be the case, the hiring of an
independent third party to manage or perform this audit should be considered by the
appropriate level of management”3.
In fact, you may audit your audit program and policy through asking questions
like:
l Is there a mandatory auditing policy in place?
3 http://www.isaca.org/standard/guide1.htm
99
Notes:
l What information is audited?
l Is the audited information analyzed and reported on promptly and

regularly?
l Are IT security personnel trained in audit analysis?
l Are the contents of audit logs protected from unauthorized access,

modification, and/or deletion?
l Is there a policy stating how long the captured audit logs are to be retained?
Recommended types of audit
INFOSEC recommends a number of types of audit which deserve your serious

attention.
You want to have a FIREWALL AUDIT to ensure that the firewall and the
associated systems have all been properly configured to enforce the security
policy with the minimal and optimal security protection. The firewall should be
audited for its configuration and also for its physical access control.
100
Notes:
You want to conduct an INTERNAL NETWORK AUDIT to discover any
vulnerability that could be exploited by authorized internal users, and to
identify any weaknesses and strengths in the controls of the internal systems
and networks. The topology of internal network infrastructure should also be
reviewed. The audit test should include an internal network scan to check for
any security holes on specified times or pre-agreed periods. The scanning on
critical hosts or workstations should be included as part of the test effort.
You want to have an EXTERNAL NETWORK AUDIT for identifying

security weaknesses of the systems and networks from outside such as the
Internet. This can help to anticipate external attacks that might cause security
breaches by scanning and launching attacks from the outside Internet to the
internal network at specified and pre-agreed time and locations.
You want to have a PHONE LINE AUDIT for identifying undocumented or

uncontrolled modems connecting internal computers directly to the telephone
network. This aims at eliminating any unauthorized or inappropriate modem
connection and configuration to your internal network and systems.
101
Notes:
You want to perform SECURITY POLICY, GUIDELINES &
PROCEDURES REVIEW to review or develop the existing security policy,
guidelines and procedures. You want to focus on the high-level overall
organization-wide security policy, or on specific systems, networks or areas that
are under concerns.
You want to perform HOST SECURITY AUDIT for assessing the operating
system level security of different the computer server platforms.
Misconfiguration of the operating systems may open up security holes that may
not be known by your system administrators and the goal of this audit is to sort
them all out.
You want to perform an INTERNET SECURITY AUDIT to identify those

security weaknesses of the systems and networks that are in connection with
the Internet. It is sort of a combination of the internal network and external
network security audit with major focus on the Internet gateway.
You want to perform a REMOTE ACCESS SECURITY AUDIT. The goal is

to deal with those vulnerabilities that are associated with remote access services
102
Notes:
via communication links such as dial-up connections and/or broadband
connections.
You want to perform a WIRELESS NETWORK SECURITY AUDIT to deal

with vulnerabilities that are associated with wireless network. You also want to
perform a WEB APPLICATION SECURITY AUDIT which deals with
vulnerabilities relevant to your web applications.
Example Audit Objectives and Procedures
FYI, below is an example document detailing the objectives and procedures of

a proposed network audit:
Objective:
To assess whether access from the internal network to the
Internet and from the Internet to the internal network
are controlled.
103
Notes:
Criteria:
The Internet policy should convey to all staff the intent
of the controls to be implemented by the firewall.
Procedures:
a) Obtain a copy of the Internet Policy.
b) Identify the process that was used to develop the
policy. Ascertain whether the process considered the
value of and degree of reliance on the firewall and the
severity, probability, and extent of the potential for
direct and indirect harm.
c) Assess whether the policy:
* identifies the specific assets that the firewall is
intended to protect and the objectives of that protection
(integrity, availability, and confidentiality);
* describes the organizational structure and associated
responsibilities and accountability of personnel who will
be charged with implementing the policy, monitoring
compliance with the policy and adhering to the policy;
* supports the legitimate use and flow of data and
104
Notes:
information; and
* documents what information passing through the firewall
will be monitored (limit organizational liability, reduce
abuse, support prosecution for abuse); and
* is consistent both in tone and in principle with other
organizational policies and accepted practice (e.g
availability of Internet access for nonbusiness use)
d) Ascertain whether legal counsel has reviewed the
policy to ensure consistency with requirements and
limitations imposed externally (laws, regulations etc.).
e) Determine whether management approval of the policy
has been sought and granted and the date of the most
recent review of the policy by management.
f) Identify how the Internet policy was/is communicated
to users and how awareness is maintained. Select a sample
of users and discuss their understanding of their
responsibilities related to Internet use and how to
report problems.
g) Determine whether standards and procedures have been
defined to specify the means by which the policy is
implemented.
105
Notes:
h) Assess whether the standards and procedures specify
who is responsible and empowered to do each function
required for the proper operation of the firewall.
i) Assess whether the security policy:
* is easy to read and locate relevant sections;
* is versioned and dated;
* is carefully worded with all ambiguous terms precisely
defined;
* sets out acceptable conditions of use as well as
unacceptable conditions of use;
* is widely communicated to affected persons; and
* is reviewed at regular intervals.
j) Consider whether the following issues are addressed in
the policy document:
* Scope of the policy in relation to other internal and
external networks with which it may be connected.
* Basic philosophy that may be used for making non
deterministic decisions.
106
Notes:
* Governing policies, such as Federal and Provincial Law,
contractual terms and conditions, or other policies
internal to the Company.
* Identification of the person who has ultimate authority
to interpret and apply the policy to a particular
situation.
* Allowance for the policy to be temporarily waived by a
person of authority under certain conditions or
guidelines.
* Formal definition of how the people affected by the
policy will be informed of its contents.
* Frequency and necessity for reviews of the policy.
* Outline of the assets that must be protected, and from
what threats.
* Security incident handling principles.
* Guidelines for liability of personnel with regard to
security breaches to discourage people from hiding
details of a breach that they may have (somewhat
innocently) been involved in.
107
Notes:
* Guidelines regarding investigation of incidents and
courses of action that could be taken by decisionmakers
based upon details of the security breach, including
referral to law enforcement agencies, as well as internal
investigation and disciplinary principles.
k) Consider whether the rights and responsibilities of
users are addressed in the policy document, including:
* Account use, by both the account holder and the
resource provider. Special conditions may apply to the
use of normal user accounts, and public access accounts
(like anonymous ftp), and these conditions could be
expressed here.
* Software and data access and use, including sources of
data and software.
* Disclosure of information which is potentially harmful,
such as password information or configuration
information.
* Etiquette, including acceptable forms of expression
(e.g. nonoffensive expression expected for unsolicited
electronic mail), and unacceptable practices (such as the
forging of electronic mail and news articles).
* Password use and format.
108
Notes:
* Rights to privacy, and the circumstances under which
the resource provider may intrude on the files held under
or activities practiced by an account.
* Other miscellaneous guidelines regarding reasonable
practices, such as the use of CPU cycles and temporary
general access storage areas. Copyright issues may also
be discussed here.
l) Consider whether the rights and responsibilities of
resource providers are addressed in the policy document,
including:
* physical security guidelines;
* privacy guidelines; and
* configuration guidelines, including:
allocation of responsibility;
network connection guidelines;
authentication guidelines;
authority to hold and grant account guidelines;
109
Notes:
auditing and monitoring guidelines;
password format, enforcement and lifetime guidelines;
and
login banners.
You may also perform audit using a wide range of computer tools. For example,
you may perform vulnerability scans using an automated vulnerability scanning
tool to quickly identify known vulnerabilities on the target hosts or devices.
However, since a large amount of system requests will be generated from the
automated vulnerability scanning tool, the system and network performance of
the target groups will likely be impacted during the vulnerability scanning
process. You must therefore devise a plan to minimize possible service
interruption during the scanning process. Also noted that some of the potential
vulnerabilities identified by the automated scanning tool may not represent real
vulnerabilities in the practical real world context. therefore, you should realize
that false positives is not impossible and professional judgment must be
exercised from time to time.
110
Notes:
While network vulnerability scanning is a good method to collect vulnerability
information within a short period of time, it is non-intrusive and would not
attempt to exploit the identified vulnerability. A penetration testing may need to
be adopted if more in-depth findings are desired.
Penetration testing may be performed internally or externally. It involves using

automated tools to scan the network or system to create a complete map of
connected workstations and servers, as well as to identify vulnerabilities from
either inside or outside the network and system under study by attempting to
penetrate them. Sometimes penetration testing may also involve user interviews
and the use of different hacking techniques to test the system or network. The
level of details and types of hacking would have to be thoroughly planned and
agreed upon on prior to proceeding.
In any case, PLAN THEIR USE EARLY PRIOR TO MOVING ON

TO THE FIELDWORKS.
Audit Fieldworks
111
Notes:
During the audit process, the fieldwork concentrates on transaction testing and
informal communications. At this stage the auditor determines whether the
controls identified during the preliminary review are operating properly and in
the manner described.
Remember, you do NOT audit every piece of items. With the help of statistical
sampling techniques, you determine (mostly in a random manner) which piece
of item to work on.
One major purpose of fieldwork is to accumulate sufficient, competent,

relevant, and useful evidence to support the audit comments and
recommendations:
o Audit evidence is sufficient when it is factual and is convincing enough
for an informed person to reach the same conclusion.
o Evidence is competent if it consistently produces the same outcomes.
The activities at this stage often include:
112
Notes:
o Transaction Testing - procedures usually include testing the major
controls and the accuracy and propriety of the transactions. Various
techniques including sampling are used to enhance productivity.
o Advice & Informal Communications - the auditor may discuss any

significant findings with the client. The client may, in return, offer
insights and work with the auditor to determine the best method of
resolving the finding. Most of the time these communications are oral.
Written forms of communication usually indicate the existence of
serious problems.
o Audit Summary - the auditor summarizes the audit findings, conclusions,
and recommendations necessary for preparing the audit report
discussion draft.
o Working Papers – sort of “scratch paper” that are kept for supporting
the audit opinion. They are comprehensive in nature.
In field work IT auditors may use computer-assisted audit techniques (CAATs)

to improve audit coverage by reducing the cost of testing and sampling
procedures that otherwise would be performed manually. CAATs typically
include tools and techniques such as generalized audit software, utility software,
test data, application software tracing and mapping, and audit expert systems.
113
Notes:
Whatever the source, audit software programs should remain under the strict
control of the audit department.
You use CAATs to test application controls as well as perform substantive tests
on sample items. Types of CAATs include Generalized Audit Software (GAS),
Custom Audit Software (CAS), Test Data, Parallel Simulation and Integrated
Test Facility. Through the use of CAATs, you will be able to obtain evidence to
support their final conclusions developed on the audit.
Audit evidence needs to be sufficient, reliable, relevant, and useful in order for
you to form an opinion and to support their findings and conclusions. You
need to devise procedures to gather and organize audit evidence. You should
select the most appropriate procedure for the audit objective. Possible options
include:
l Inquiry and/or Observation
l Inspection
l Confirmation
l Reperformance
114
Notes:
l Monitoring
Working papers is the formal collection of auditors notes, documents,

flowcharts, correspondence, results of observations, plans and results of tests,
the audit plan, minutes of meetings, computerized records, data files or
application results, and evaluations that document the auditor activity for the
entire audit period. They are essential to support the auditor’s findings and
recommendations in the audit report.
To conclude the fieldwork stage, a list of significant findings from which the
auditor will prepare a draft of the audit report is produced.
Audit Program
An audit program acts as the link between the preliminary survey and the field
work. In the preliminary survey the auditors identify operating objectives, risks,
operating conditions and control procedures. In field work they gather evidence
about the effectiveness of control systems based on observations,
documentation, verification and other audit procedures.
115
Notes:
For a list of popular audit programs you may refer to this hyperlink:
http://www.auditnet.org/asapind.htm
Audit Report
This is the principal product of the audit process - you express your opinions,
present the audit findings, and discuss recommendations for improvements.
According to IS Auditing Standard 070 (Reporting), The IT auditor should provide a report
in an appropriate form, upon the completion of the audit. The report should state the scope,
objectives, period of coverage, and the nature, timing, and extent of the audit work performed.
The report should state the findings, conclusions, and recommendations and any reservations,
qualifications or limitations of scope that IT auditor has with respect to the audit.”
It is always advisable for you to first discuss the rough draft with your client
prior to issuing the final report:
1. When the fieldwork is completed, the auditor drafts the report and gives
it to the audit management for a thorough review. A discussion draft is
prepared for the unit's operating management and is submitted for the
client's review before the exit conference.
116
Notes:
2. When audit management has approved the discussion draft, the auditor
meets with the unit's management team to discuss the findings,
recommendations, and text of the draft. At this meeting (which is
known as the Exit Conference), the client is given the chance to
comment on the draft. The ultimate goal is for the group to reach an
agreement on the audit findings (and to maintain a friendly relationship
with the client).
3. After an agreement is made, the auditor prepares a formal draft which

takes into account any revisions resulting from the exit conference and
other discussions. When the changes have been reviewed by audit
management and the client, the final report is produced and rendered to
the audit management as well as the client. The approval of the client
and the Audit Director is required for release of the report to any third
party.
4. The client should be given the opportunity to respond to the audit

findings prior to issuance of the final report which can be included or
attached to our final report. However, if the client decides to respond
after the report has been issued, the first page of the final report should
include a letter requesting the client's written response to the report
recommendations.
117
Notes:
You should discuss the draft of the audit report with management
to give management the chance to correct any weaknesses or
deficiencies before they are reported and/or even released to the
public. You may do this in the form of a Management Comment
Letter.
5. In the response, the client should explain how report findings will be
resolved. An implementation timetable should also be included. It is
technically acceptable for the client to respond with a decision not to
implement an audit recommendation and to bear the risks associated
with an audit finding.
6. Finally, the client may comment on the performance of the audit. This
feedback can be very beneficial to the audit team.
Audit FollowUp
Within a period defined by the client, the auditor will perform a follow-up
review to verify the resolution of the report findings:
118
Notes:
1. Follow-up Review - the client response letter is reviewed and the actions
taken to resolve the audit report findings may be tested. Unresolved
findings will be discussed in the follow-up report.
2. Follow-up Report - lists the actions taken by the client to resolve the
original report findings. Any unresolved findings will be mentioned as
well. It is a recommended practice to have a discussion draft of each
report with unresolved findings circulated to the client before the follow-
up report is issued (again, this is for reaching agreement and maintaining
friendly relationship).
To keep things going properly, you should use a process that enables yourself
to track the status of client management's actions on significant findings and
recommendations.
Note:
If after issuing the audit report it is found that some procedures had been
omitted, you may need to review the available audit alternatives in order to
compensate for the omission. If unfortunately the omitted procedures actually
present material bearing on the audit outcome, the worst case scenario is that
you will have to issue a new report and have the old one cancelled.
119
Notes:
Audit Assessment
Upon completion, your audit work should be evaluated by a partner or senior

manager based on a number of criteria, including:
l Audit Completeness and Pertinence
l Accuracy
l Appropriate Conclusions, Findings and Recommendations
l Follow-up to Findings and Recommendations
120
Notes:
IT Strategic Planning
IT Strategic Planning defined
Strategic planning is an important activity for information technology

organizations. IT Strategic Planning is closely related to IT governance, which
comprises the body of issues addressed in considering how IT is applied within
the enterprise.
The key goal of the IT strategic planning process is to translate your

organization’s vision into detailed short and long-term IT plans and processes
that match the company’s business plan and ensure that employees, clients,
suppliers, and partners can easily and securely interact and collaborate:
o IT strategic plans must be aligned with institutional mission, plans, and

priorities. An IT plan must also be flexible to adapt to changes. Most
importantly, IT strategic planning must occur as part of a process that
ensures that the best ideas are put forward and a process that creates
investment on the part of stakeholders.
o Strategic IT planning must include setting long-term goals, identifying

performance goals, selecting the portfolio of IT investments to support
121
Notes:
those goals and continuously measuring the performance of IT
investments. It must be tightly coupled with the organization’s strategic
planning and it must be an intrinsic and integrated part of the budget
process.
Remember, IT is a serious (and expensive) investment. Management often

measures investment from a monetary standpoint. Investment MUST produces
returns (in the form of savings or profit increases).
The role of IS Auditing in the planning process
The IS auditor should consider the following options in establishing the overall
objectives of any audit associated with IT governance and the IT strategic
planning process. These options, as mentioned by ISACA4, should include:
o Reporting on the system of governance and/or its effectiveness
o Inclusion or exclusion of financial information systems
4 http://www.isaca.org/standard/guide1.htm
122
Notes:
o Inclusion or exclusion of non-financial information systems
ISACA (above) further defines the following points that should be considered
by the auditor when reviewing the IT strategic planning process:
o There is a clear definition of IT mission and vision
o There is a strategic information technology planning methodology in

place
o The methodology correlates business goals and objectives to IT business

goals and objectives
o This planning process is periodically updated (at least once per year)
o This plan identifies major IT initiatives and resources needed
o The level of the individuals involved in this process is appropriate
Inhouse or Outsource?
123
Notes:
Note that one major duty of the IS auditors is to validate the acquisition or
development of the business application systems. From a security standpoint,
you need to tell if doing it in house is more secure (and is easier to control) than
buying it off the shelf. A tradeoff is involved in the decision, and different
answers are expected in different circumstances. The general guideline is that
doing it in house allows for more control over the development process and
can allow you to build in more security features. However, this can be costly as
you need to recruit, train and manage your IT team to do the job.
Also, when your own development team is involved you must clearly define the
roles and responsibilities of each team member. Certain roles must not be
overlapped, and certain duties must be clearly separated.
Avoiding conflicts of interests
“The principle of separation of duties is that an organization should carefully

separate duties, so that people involved with checking for inappropriate use are
not also capable of making such inappropriate use. No person should be
responsible for completing a task involving sensitive, valuable or critical
information from beginning to end. Likewise, a single person must not be
responsible for approving their own work”.
124
Notes:
The general guidelines here are:
l you don’t test nor QC your own work.
l creation and daily administration must NOT be performed by the same

individual
Other examples include:
l development VS production
l security VS audit
l account payable VS accounts receivable
l encryption key management VS changing of keys
125
Notes:
Protection of Information Assets through
Security Policy
Information Assets defined
Information Assets which are mostly of an intellectual nature are the vital
business resources that require protection commensurate with their value.
Mechanisms shall be in place to protect these assets from intentional (or
unintentional) modification, destruction, unauthorized disclosure, or other
malfeasance. The end goal is to make sure that confidentiality, integrity, and
availability of these assets are adequately maintained.
Confidentiality - Protecting sensitive information from unauthorized

modification or disclosure.
Integrity - Safeguarding the accuracy and completeness of information and

computer software.
Availability - Ensuring that all systems, networks, applications and information

are available and accessible by authorized users when they are required.
126
Notes:
Assets - Protection from damage, loss or misuse of all computer and
communications equipment, including computing and communications
premises, data storage media, application/system computer programs and
documentation.
According to INFOSEC, values of information assets may be expressed in

terms of tangible values such as replacement costs of IT facilities, hardware,
media, supplies, documentation, and IT staff supporting the systems; intangible
values such as goodwill and replacement costs of data; Information values; and
Data classification of the information stored, processed, or transmitted by the
asset.
When we talk about the protection of information assets, we are dealing with
two issues here:
1. The policy for offering protection
2. The technology that is in use for offering protection
127
Notes:
NOTE: Practically speaking, copy protection is also a significant issue. If the
software you use (which is part of your information assets) has a
serial number you may be held liable for the illegal copies spawned
from the original copy running on your computer system.
You need to have an idea of what it takes to shape a proper set of Information
Assets Protection policy. Then you know how to go head with an audit.
Questions you may ask here:
l Does your organization have a written security policy?
l Does the policy identify all individuals responsible for implementing that
policy and what their duties are?
l Does the policy identify the steps to be taken if there is a security breach?
l Does the policy identify what information it is most important to protect?
l Does the policy identify enforcement procedures that identify the penalties
associated with a security breach?
128
Notes:
l Is the policy known by all individuals who have the responsibility for
implementing that policy?
l Has a security plan been developed based on the security policy?
Data classifications and Layer of responsibilities
The purpose of data classification is to indicate the level of confidentiality,

integrity and availability that is required for each type of information.
The US Classifications are:

Commercial Military
Confidential Top Secret
Private Secret
Sensitive Confidential
Public Sensitive but unclassified
Public
The Data Owners are the senior managers who are ultimately responsible for
protection and use of data. They often determine the data classification. The
Data Custodians, on the other hand, are responsible for maintenance and
129
Notes:
protection of data, such as making backups and performing restores. The IT
guys in the IT department are usually of this role.
NOTE: Before you give classified information to anyone, you as the holder of the
information MUST do whatever you can to ensure that the person to
whom you are giving the information possess the proper level of security
clearance has the “need-to-know”.
130
Notes:
Security Policy
Policy is issued top down. It is signed by the top person in the organization,
and that compliance is mandatory. On the other hand, procedures tell the steps
needed for attaining compliance.
The overall objective of a security policy is to control human behavior in an

attempt to reduce the risk to information assets by accidental or deliberate
actions. Top management should set a clear policy direction and demonstrate
support for the maintenance of information security through the commitment
to developing an information security policy across the organization. Such
policy should apply to ALL business units and entities with access to
information assets owned by or entrusted to the organization.
A Baseline IT Security Policy is a top-level directive statement that sets the

minimum standards of a security specification for all departments of the
organization. It states clearly what aspects are of paramount importance to a
department. In other words, it provides the basic rules which must be observed
as mandatory. On the other hand, security guidelines serve to introduce general
concepts relating to Information Technology Security as well as elaborate
131
Notes:
interpretations on the Baseline IT Security Policy. It also provides some
guidelines and considerations for defining detailed security requirements.
Support from the top management is a MUST! Therefore, the policy

document MUST be approved by management and be communicated
to all employees. It should EMPHASIS management commitment and
set out the organization.　
Once defined and implemented, the policy owner should be held responsible
for its maintenance and review according to a de fined periodic review process
(update & maintenance of the policy is kind of a hands-on job). Such process
should ensure that a review takes place in response to any changes affecting the
basis of the original risk assessment.
Ownership of critical information and systems should be assigned to capable

individuals, with responsibilities clearly defined and accepted. Responsibilities of
these owners should include:
a) determining business (and the relevant information security) requirements.
b) ensuring information and systems are protected in line with their importance
to the organization.
132
Notes:
c) determining which users are authorized to access particular information and
systems.
d) ‘signing-off’ access privileges for each user or set of users.
e) defining information interchange agreements.

f) developing service level agreements.
g) ‘signing-off’ specifications for business requirements.
h) authorizing new or significantly changed systems.
i) ensuring users are aware of their security responsibilities and are able to fulfill
them.
j) being involved with security audits/reviews.
These responsibilities should be clearly documented. Responsibilities for

protecting information and systems should be communicated to ‘owners’ and
accepted by them.
133
Notes:
Do keep in mind, ALL USERS, NOT just the owners, have a
responsibility to ensure the protection of information and computing
assets!
And for the purpose of the exam, remember that the necessary components
that fit together for effective security management practices are:
l Data classification
l Operational activities
l Safeguard selection
l Separation of duties
l Management security responsibilities
l Guidelines and procedures
l Risk assessment
l Policies and standards
l Security awareness.
134
Notes:
The above are concerns at a broader level. On the other hand, at the actual
admin level questions you may ask concerning the hand-son management,
enforcement and implementation of security procedures may include:
l How many system administrators does your organization have?
l Do your system administrators work full-time as system administrators?
l Are your system administrators contractor employees?
l Is there segregation of duties among system administrators?
l Does each system administrator have a backup person?
l Are program modifications approved by the configuration control

function required to be installed by system administrators?
l Is there consistency in the implementation of security procedures by

system administrators in the organization?
135
Notes:
To ensure successful implementation of security policies and procedures,
security awareness training, the factors of Awareness, Training and Education
must be considered. Note that:
· Systems development staff needs skills to design systems in a disciplined

manner and develop security controls.
· IT staff needs skills to run computer installations and networks correctly

and apply security controls. Beware of potential segregation of duties
issue though*.
· Business users needs skills to use systems correctly and apply security
controls
· Information security specialists needs skills to understand the business,

run security projects, communicate effectively, and perform specialist
security activities.
General questions you may ask concerning user training may include:
l Is there a formal information security training program within your

organization?
136
Notes:
l Are new employees required to receive security awareness training within a
specified number of days after hiring?
l Are employees required to get updated security training at regular intervals?
* The risk of IT staff disrupting the running of the network either in error or by malicious
intent should be reduced by the following measures:
a) segregating the duties of staff running the network from those developing/designing the
network.
b) ensuring all network and external staff sign non-disclosure/confidentiality agreements.
c) minimizing reliance on key individuals by automating tasks as well as ensuring complete

and accurate documentation.
d) organizing duties in such a way as to minimize the risk of theft, fraud, error and
unauthorized changes to information.
e) screening applicants for positions that involve running the network through taking up
references and checking career history.
137
Notes:
Security Models and Modes of Operations
A model is a symbolic representation of a policy. It maps the desires of the

policy into a set of rules to be followed by a computer system. It defines the
dos and donts to achieve the goals of the security policies. Even though these
are mostly theoretical information of not much practical value, the exam will
have quite a few questions on them.
The Bell-LaPadula Model was developed by the military in the 1970s to address
leakage of classified information. Main goal is confidentiality. A system using
the Bell-LaPadula model would be classified as a multi-level security system.
The Bell-LaPadula is a state machine model, and could also be categorized as an
information flow model.
The Biba Model is also a state machine model. It is similar to Bell-LaPadula

except that it addresses data integrity rather than data confidentiality. The data
integrity focus is characterized by three goals:
l Protection from modification by unauthorized users.
l Protection from unauthorized modification by authorized users.

138
Notes:
l Internally and externally consistent.
The Clark-Wilson model takes a different approach to protecting integrity.

Users cannot access objects directly, but must go through programs that
control their access.
The various information flow models have one thing in common: they have
each object assigned a security class or value. Information is constrained to flow
only in the directions permitted by the security policy.
Based on the above mentioned models, several modes of operations can be

developed for defining the security conditions under which the system actually
functions.
l With the Dedicated Security Mode, all users have the clearance and the
“need to know” to all the data within the system.
139
Notes:
l With the System-High Security Mode, all users have clearance and
authorization to access the information in the system, but not necessarily a
need to know.
l With the Compartmented Security Mode, all users have the clearance to all
information on the system but might not have need to know and formal
access approval. Users can access a compartment of data only.
l The Multilevel Security Mode permits two or more classification levels of

information to be processed at the same time. Users, however, do not have
clearance for all of the information being processed.
Under Limited Access, the minimum user clearance is “not cleared” and the
maximum data classification is “sensitive but unclassified”. Under Controlled
Access, there is a limited amount of trust placed on system hardware and
software.
Some questions you may ask when auditing user account related issues:
l What is the procedure for establishing accounts? What level of supervisor

approval is required?
140
Notes:
l Who has root/admin access to your systems?
l Can accounts be accessed remotely? If so, by whom? What kind of

justification is required before remote access is permitted?
l What is the procedure for forgotten passwords?
l What is the procedure for closing accounts when an employee is

terminated?
l What is the procedure for monitoring inactive accounts?
l What is the technical process by which accounts are established?
Example Policy
The role of the CIO and his/her peers involves developing and publishing
policy in consultation with Business Units and Service Providers as well as
promoting the development of the various supporting standards and
Guidelines.
Below is an example of the terms included in a real life security policy:
141
Notes:
1. Sample company information technology assets must not be used for private
commercial purposes.
2. Users must not breach copyright, nor use facilities for illegal purposes.
3. Users must protect Sample company and vendor intellectual property.

4. Users, external suppliers and clients must, on request, sign a confidentiality
agreement in respect of the use of IT facilities, documentation and data,
including non-disclosure of Sample company information to third parties.
5. All users must abide by Sample company acceptable use policies for e-mail
and Internet and not download, transmit, distribute or store any harassing or
obscene messages and files, or any objectionable material via a Sample
company PC or network. This includes the use of insulting, sexist, racist,
obscene, suggestive or any other inappropriate language.
6. All users are personally accountable for their own logon-id and password.
Passwords must not be disclosed nor shared.
7. The Standards and Guidelines supporting this policy form part of the Policy.
8. Users are responsible for meeting published information technology
standards, guidelines and acceptable use policies.
142
Notes:
9. Appropriate levels of security and encryption will be used when
communicating electronically with external parties. All items for encryption
must be authorized and copies of encryption keys must be lodged with the IT
Security Officer.
10. Any variations or departures from the IT Security Policy must be endorsed
by the Chief Information Officer and must be available for audit.
11. Sample company reserves the right to monitor usage and electronically
record security breaches to ensure compliance is maintained.
12. All Sample company PC's will be loaded with Virus Checking software.
Users must not disable or change the configuration settings of this software
unless directed to do so by an appropriate Technology Group staff member.
13. Authorization must be obtained from the appropriate Technology Group

before any form of communications equipment, including modems, are
attached to the Sample company IT Network.
Consequences of violations
In order for a security policy to be effective, the CONSEQUENCES OF

SECURITY POLICY VIOLATIONS must be clearly defined upfront. In
143
Notes:
fact, any security exposures, misuse or non-compliance must be reported as
soon as an occurrence is identified. Failure to comply with the Information
Technology Security Policy and supporting sub-policies, for internal staff may
lead to disciplinary procedures, for external suppliers and consultants may lead
to the suspension of contracts and withdrawal of access to the organization’s
information systems …etc.
Evaluation
Broadly known as the “Orange” Book, the US Dept of Defense has developed
TCSEC (Trusted Computer Systems Evaluation Criteria) to provide a graded
classification for computer system security. The graded classification hierarchy
has four levels:
A – Verified Protection
B – Mandatory Protection
C – Discretionary Protection
D – Minimal Security
144
Notes:
The evaluation criteria involve four main areas: Security, Policy, Accountability
and Assurance and Testing. Note that the red book is an interpretation of the
Orange book for networks and network components. The Red Book TNI
ratings are:
l None
l C1 – Minimum
l C2 – Fair
l B2 – Good
Organization specific classification scheme
There may be a need for an organization specific security classification scheme

that applies across your organization, which should be used to determine
varying levels of the importance of information or systems and the sensitivity of
information or systems. Such security classification scheme should take account
of the possible business impact of a loss of confidentiality, integrity or
availability of information, and be used to classify information held in
electronic or paper form, software and hardware. It should be applied to
business applications, computer installations, networks and systems under
145
Notes:
development, with the purpose of explaining how to resolve conflicting
classifications.
A comprehensive security classification scheme should require critical

information and systems to be distinguished from other information and
systems, that information and systems are protected in line with their
classification. It has to be sign-off’ by the relevant business owners, and that its
security classifications have to be reviewed whenever changes are made.
Change control
Change control is an important element – it describes the procedures for

making and controlling changes to information. Put it this way, change control
procedures restrict the way people make changes to information assets.
The five general procedures for implementing change control are:
‧ Applying to introduce a change

146
Notes:
‧ Cataloging the intended change
‧ Scheduling the change
‧ Implementing the change
‧ Reporting the change to appropriate parties
Change Control is critical to software development as well. Refer to the section

on Change Management for more information.
147
Notes:
Business Continuity Planning
“According to a recent Gartner Group document, a business continuance plan should include:
a disaster recovery plan, which specifies an organization's planned strategies for post-failure
procedures; a business resumption plan, which specifies a means of maintaining essential
services at the crisis location; a business recovery plan, which specifies a means of recovering
business functions at an alternate location; and a contingency plan, which specifies a means of
dealing with external events that can seriously impact the organization”.
Definition
Business continuity is a term that describes the processes and procedures an

organization puts in place to ensure that essential functions can continue during
and after a disaster. Business continuity planning seeks to prevent interruption
of mission-critical services, and to reestablish full functioning as swiftly and
smoothly as possible.
From a practical standpoint, you must understand that it may not be practical
for any but the largest business functions to maintain full functioning
throughout a disaster crisis. You cannot afford to keep everything running non-
stop due to the high cost involved. In fact, the very first step in business
148
Notes:
continuity planning is deciding which of the organization's functions are
essential, and apportioning the available budget accordingly.
BCP vs BPCP vs DRP
Should it be called Business Continuity Planning (BCP)? Business Process

Contingency Planning (BPCP)? Or Disaster Recovery Planning (DRP)?
Traditionally, planning for the restoration and continuation of IT infrastructure
services to support mission-critical business processes was referred to simply as
DRP. Still, at the end of the day their objectives are very similar. Contingency
planning is a popular term to use. So is disaster recovery planning.
One DRP related term is Fault Tolerance. Fault-tolerance (also known as

graceful degradation) is the property that enables a system to continue
operating properly in the event of the failure of some of its components. Fault -
tolerance is particularly sought-after in high-availability or life-critical systems.
With fault tolerance mechanism in place you subject to way less disruption
when things go wrong.
149
Notes:
BCP Phases
The phases of development for any BCP (Business Continuity Planning)

program should include:
l Initiation
l Business impact analysis
l Strategy development
l Plan development
l Implementation
l Testing
l Maintenance
The four most important elements of a BCP are:
l Scope plan initiation
l Business impact Analysis – includes vulnerability assessment

150
Notes:
l Business continuity plan development
l Plan approval and implementation
The key phrase in business continuity is "reduce risk", which means to prepare
for any event that could jeopardize your business ability to operate. If disaster
strikes, companies have everything to lose - critical data, profits, and
information…etc, all of which are critical to the running of any company.
BCP should not be a pure IT call. In fact, it should be considered as a business

call. It should be developed by a team representing ALL functional areas of the
organization.
BCP is in fact a project. Managing a BCP is like managing a project. A formal

project needs to be established, and activities should commence only when the
project has been approved by the Board of Directors of the organization.
Stakeholders and crisis communications
You will need to take into account the various stakeholders in the equation.
Below are the stakeholders that will most likely be involved:
151
Notes:
l Internal (corporate and business unit level) groups
l External groups (customers, vendors, suppliers, public, INSURANCE

COMPANIES)
l External agencies (local, state, national governments, emergency

responders, regulators, etc.)
l Media (print, radio, television, Internet)
Important points to remember regarding the arrangement with these

stakeholders for handling emergencies shall include:
l A list of important contacts must be maintained all the time by several key
people in the organization. One of these key people must be available off-
site (imagine what can happen if all the key people get buried in the
destructed building).
l Determine the chain of command structure – who should be in charge if,

let’s say, the president may never be available again?
l Each business unit should have at least one person assigned to keep a list
of contacts of all the staff within the unit – during a tragedy there is a need
152
Notes:
to find out who is still missing. There is also a need to keep the family
members of the staff fully informed on what is happening.
l A crisis communication plan must always be in place. Communications

must be properly maintained with the outside world during the tragedy.
You will need help from various external agencies. In fact, get in touch
with these agencies regularly to determine how you all can work together in
the case of emergency. You will also want to let your customers know that
everything is under control and there is no need for them to worry too
much.
l It will be very ugly if the person in charge of the organization is the last one
who is informed of the tragedy. When something goes wrong, the CEO is
often the target of the media. Do NOT upset the media. Do NOT upset
the reporters.
The Risk Assessment Flow
As said previously, Security Risk Assessment can be defined as a process of

evaluating security risks related to the use of information technology. It is
conducted at the very beginning for identifying what security measures are
required and when there is a change to the information asset or its environment.
Assessing security risk should therefore be treated as the initial step to evaluate
153
Notes:
and identify risks and consequences associated with vulnerabilities. It provides a
basis for company management to establish an effective security program.
Based on the assessment results, you develop security policies and guidelines,
assign security responsibilities and implement technical security protections.
You then perform cyclic compliance reviews and re-assessment to assure that
security controls are properly put into place to meet users' security requirements,
and to cope with the rapid environmental changes of all kinds. You would need
to rely on continuous feedback and monitoring to achieve this.
Security risk assessment has to be treated as an on-going activity. It should be

conducted at least once every two years to explore the risks in your information
systems. Do understand that a security risk assessment can only give a snapshot
of the risks at a particular time. Therefore, for mission-critical information
system, you should conduct security risk assessment more frequently.
High-level Assessment emphasizes on the analysis of overall infrastructure or

design of a system in a more strategic and systematic approach. Comprehensive
Assessment is typically conducted periodically for the security assurance of all
information systems or selected information systems of a particular department.
Pre-production Assessment is commonly conducted on new information
systems before they are rolled out.
154
Notes:
Prior to conducting risk assessment you should get yourself started with
building up a solid knowledge base. You need to the current and historical
internal environment, the current and historical external environment, internal
and external dependencies and vulnerabilities, threat profiles, as well as
countermeasure choices and related costs.
Throughout the different stages of security risk assessment a large amount of

data and system configurations will have to be collected where some of them
may contain sensitive Therefore, you must ensure all the collected data are
stored securely. The use of file encryption tools and lockable cabinet/room
should be planned early.
The kinds of information that are often desired for performing an assessment
as per recommended by INFOSEC include:
l Security requirements and objectives
l Information available to the public or found in the web pages
l Physical assets such as hardware equipment

155
Notes:
l Systems such as operating systems, network management systems
l Contents such as databases and files
l Applications and servers information
l Network such as supported protocols and network services offered
l Access controls process, application operation process, etc.
l Identification and authentication mechanisms requirements
l Documented or informal policies and guidelines
According to INFOSEC, the assessment process of a system should include

the identification and analysis of a number of elements, including:
l all assets of and processes related to the system
l threats that could affect the confidentiality, integrity or availability of the

system
l system vulnerabilities to the threats
l potential impacts and risks from the threat activity

156
Notes:
l protection requirements to control the risks
l selection of appropriate security measures and analysis of the risk

relationships
You may collect these information through using General control review,
System review, and Vulnerability identification. With General Control Review
you identify threats arisen from the existing general security processes by
examining the systems through interviews, site visits, documentation review,
and observation etc. System Review focuses on system elements such as System
files or logs, Running processes, Access control files, User listing, Configuration
Settings, Security Patch level ...etc. Vulnerability Identification would often
involve using automated tools such as Vulnerability Scanning and Penetration
Testing over the network.
One important element to consider when preparing your risk assessment is to

estimate the potential losses to which a business is exposed. The objective of
the loss potential estimate is to identify critical aspects of the business operation
and to place a monetary value on the loss estimate. The second step of the risk
analysis is to evaluate the threats to the business. The third step in the risk
analysis is to combine the estimates of the value of potential loss and
probability of loss to develop an estimate of annual loss expectancy (ALE). The
157
Notes:
purpose is to pinpoint the significant threats as a guide to the selection of
security measures and to develop a yardstick for determining the amount of
money that is reasonable to spend on each of them.
Risk VS Threat and Vulnerability
The traditional definition of risk:

Risk is the product of threat and vulnerability. This model of risk is appropriate
for assets where applicable threat data can be well predicted from historical
events.
One way to represent this is:
Risk = Threat x Vulnerability
Note that this model of risk assumes that we have knowledge of our
vulnerabilities and our threats.
158
Notes:
Threat is typically defined as an event (such as a flood, tornado, computer virus
outbreak …etc.) of low probability yet highly damaging that really catches your
attention. The chance of the event occurring is a probability that the event has
happened. There is no time constraint. The event will likely happen over some
defined period of time. There exists a probability that describes the frequency
of such an event. Vulnerability, on the other hand, is usually defined as a
weakness that is exploited in some very negative way by the threat.
You perform Threat Analysis to identify the threats and to determine the
likelihood of their occurrence and their potential to harm systems or assets.
System error or control logs are usually good sources of data for this.
Social threats are directly related to human factors, which can be intentional or
unintentional. Technical threats are usually caused by technical problems.
Environmental threats are usually caused by environmental disasters.
Identifying Risks
The key part of the BCP Process is the assessment of the potential risks to the
business which could result from disasters or emergency situations. You MUST
consider ALL the possible incidents and the impact that follows. Examples of
159
Notes:
the risks that are possible for any organization on earth include (and not limited
to):
o Environmental Disasters
o Deliberate Disruption (e.g. terrorist attack)

o Loss of Utilities and Services
o Equipment or System Failure
o Serious Information Security Incidents
Risk results may be analyzed using Qualitative & Quantitative Methods and/or
Matrix Approach. With Qualitative method you use descriptive, word scales or
rankings of significance/severity based on experience and judgment. It is more
subjective in nature. On the contrary, Quantitative method uses numerical
information to arrive at percentages or numerical values. Generally speaking, a
qualitative method is better for initial screening while a quantitative method is
more ideal for detailed and specific analysis on some critical elements and for
further analysis on high-risk areas. A matrix approach would involve
documenting and estimating the three major needs of security protection,
which are confidentiality, integrity and availability, in three different levels
160
Notes:
of severity (high, medium, low). The risk level would be ranked based on the
criticality of each risk elements. The idea is that risk interpretation should be
limited to the most significant risks so as to reduce the overall effort and
complexity.
Loss Calculations
The 3 major models are:
l Single Loss Expectancy (SLE)
l Annualized Loss Expectancy (ALE)
l Cumulative Loss Expectancy (CLE)
The Single Loss Expectancy model is the model upon which the Annualized
Loss Expectancy and Cumulative Loss Expectancy models are based. This
simple (and less accurate) model has its roots in accounting, with the purpose
of determining how much value in terms of dollars will be lost, and is often
used to express the results in a financial impact analysis.
161
Notes:
The Annualized Loss Expectancy Model of risk comes closer (relatively) to
painting an accurate picture of risk by adding the probability of an event
happening over a single year’s time. To reach an answer, you need to first
calculate the Single Loss Expectancy to determine this value. Then you obtain
the product of the Single Loss Expectancy and the value of the asset to
produce the Annualized Loss Expectancy. The formula looks like this:
Single Loss Annualized Rate Annualized Loss

Expectancy x of Occurrence = Expectancy
The Cumulative Loss Model approaches risks by taking into account all of the
bad things that are likely to happen to your business over the next year. You
will need to look at each threat, the probability of each threat against your
business, and then derive an expected loss. You can take all of the threats, and
compute the annual rate of each threat occurring. This is a relatively
complicated model and is less emphasized in the exam.
162
Notes:
From a CISA point of view, of particular importance when considering
business risks and the impact of potential emergencies is the disruption to, and
availability of, IT services and communications that are supposed to run 24 x7.
As an IS auditor, some of the more important issues that should be considered

when assessing the level of risk associated with IT services and
communications include:
o Specification of IT and Communications Systems and Business

Dependencies
o Key IT, Communications and Information Processing Systems
o Key IT Personnel and Emergency Contact Information

o Key IT and Communications Suppliers and Maintenance Engineers
o Existing IT Recovery Procedures
163
Notes:
At the end of the day you want to know how one may continue IT function
should something goes seriously wrong. Contingency planning is therefore a
critical factor to consider. Questions you should ask may include:
l Does your organization have a contingency plan for dealing with

natural and manmade disasters? If so, who maintains the contingency
plan and who is responsible for its implementation?
l Does your organization have an uninterrupted power source (UPS) to

increase the possibility of an orderly shutdown without loss of data?
l Does the contingency plan identify and prioritize the resources that
are most important to protect in an emergency?
l Is the contingency plan tested periodically?
Business Impact Analysis defined
The BIA is an evaluation of the strengths and weaknesses of your company’s

disaster preparedness and the impact an interruption would have on your
business.
164
Notes:
Every BIA should include an exploratory component to reveal any
vulnerabilities, and a planning component to develop strategies for minimizing
risk. A well done BIA should be capable of identifying costs linked to failures,
such as loss of cash flow, replacement of equipment, salaries paid to catch up
with a backlog of work, and loss of profits …etc.
The result of analysis is a business impact analysis report, which describes the
potential risks specific to the organization studied. It should quantify the
importance of business components and suggest appropriate fund allocation
for measures to protect them. The possibilities of failures are likely to be
assessed in terms of their impacts on safety, finances, marketing, legal
compliance, and quality assurance.
BIA goals and steps
As part of the risk assessment effort, business impact analysis has 3 primary
goals:
l Criticality Prioritization: Critical business units must be identified and

prioritized.
l Downtime Escalation: Estimate the maximum tolerable downtime.
165
Notes:
l Resource Requirements: Identify resource requirements for the critical
processes.
Business impact analysis generally involves 4 steps:

1. Gathering the needed assessment materials
2. The vulnerability assessment
3. Analyzing the information compiled
4. Documenting the results and presenting recommendations to

management.
BIA checklist
You will need inputs from both the top management and the line managers.
- Determine the business areas
- For each business area, determine the business processes and identify
the essential processes.
166
Notes:
- For the business processes, estimate the costs of failure
What are the costs of non-performance?
What are the costs of late performance?
What is the max tolerable delay in performance?
- Determine attributes for the business processes
Description of process
Frequency of process
Manpower requirements (numbers, skills, who do what)
- Establish communication facilities required
- Establish IT facilities required
- Establish non-IT facilities required
- Establish clerical requirements

- For the business processes, establish the minimum resources required
to operate.
167
Notes:
Priorities essential business processes – this is VERY IMPORTANT. One key
assumption behind every BIA is that every component of the organization is
reliant upon the continued functioning of every other component, but that
some are more crucial than others and require a greater allocation of funds in
the wake of a disaster.
- Summarize the requirements for the business processes
Determine the minimum acceptable backup plan
Determine the minimum acceptable recovery configuration
Determine the time scales
- Consider alternative backup/recovery solutions (cost/benefit analysis,

Hot site VS Cold site)
- Determine the Backup and Business Recovery Strategy
Preparing for emergency
168
Notes:
To minimize the effects of potential emergencies, focus must be placed on
those business activities that are keys to the continued viability of the business,
such as:
o Back-up and Recovery Strategies
o Key BCP Personnel and Supplies
o Key Documents and Procedures
Backup is critical. Key questions here include:
l Does your organization have backup policies and procedures?
l How often are system and user backups performed?
l Who is authorized to perform backups?
l Are backup media stored in a secure location offsite?
169
Notes:
l Are backup media tested regularly for restorability/recoverability of
files?
l Can an operational capability be restored within acceptable time

constraints?
l What are the policies and procedures regarding archived data?
The key personnel and the IT staff should be well trained to tackle through
emergency situation and incidents. Ask these questions:
l Have users and system administrators received training on how to carry

out their respective responsibilities when an incident occurs? Do they
receive awareness reminders and periodic refresher training?
l Does your organization maintain a knowledge base of past incidents and

“lessons learned” for future use?
Managing recovery
170
Notes:
One critical part of handling any serious emergency situation is in the
management of the Disaster Recovery Phase. Remember, the priority during
recovery is ALWAYS the safety and well being of the employees and other
involved persons. LIFE is the most important asset. Other priorities include
the minimization of the emergency itself, the removal or minimization of the
threat of further injury or damage and the re-establishment of external services
(power, telecom …etc).
The Business Recovery Phase will then follow directly on from the Disaster
Recovery Phase. This Phase involves the restoration of normal business
operations. From a business perspective, this is the most critical phase of the
whole BCP exercise as the efficiency and effectiveness of the procedures here
could have a direct bearing on the organization’s ability to survive the
emergency.
For a business to truly recover, from an IS standpoint these are items that are
critical:
o Power and Other Utilities
o Premises, Fixtures and Furniture
171
Notes:
o Communications Systems
o IT Systems
o Production and Other Equipments
o Information and Documentation
Testing the plan
The effectiveness of the BCP in emergency situations can only be assessed if

rigorous testing is carried out in realistic conditions. Therefore, the BCP should
be tested within a realistic environment with simulating conditions applicable in
an actual emergency. All persons who will be involved with recovering a
particular business process during emergency should be REQUIRED to
participate in the testing process.
The BCP test itself should be carefully planned as well. The objectives and
scope of the tests are outlined below:
o Develop Objectives and Scope of Tests
172
Notes:
o Setting the Test Environment
o Prepare Test Data
o Identify Who is to Conduct the Tests
o Identify Who is to Control and Monitor the Tests
o Prepare Feedback Questionnaires
o Prepare Budget for Testing Phase
o Training Core Testing Team for each Business Unit
The following activities must be emphasized during the test:
1. Test each part of the Business Recovery Process
2. Test Accuracy of Employee and Vendor Emergency Contact Numbers
3. Assess Test Results
The test process gives IS auditors a good chance to see if the IS controls
relevant to BCP actually work as planned.
173
Notes:
User Acceptance
About user acceptance testing - each user should create a test script designed
to validate the accuracy and performance of its application in a contingency
environment. The test scripts should be defined in such a way that a clear
indication of whether or not they can do business as usual as stated in their
recovery requirements must be made available.
Users should be asked to provide their views on the testing process and on the
results of the test. The users should also provide comments regarding
improvements and modifications that they would like to see as a result of the
test. Upon completion a user sign-off sheet should be provided for this
purpose and must be signed off by a manager of the business.
Plan maintenance
In today’s world, the pace of change will never slow down but will continue to
increase. It is necessary for the BCP to keep pace with these changes in order
for it to be useful in the event of a disruptive emergency.
174
Notes:
To ensure that the BCP is regularly updated, the following must be established:
o Change Control Procedures for Updating the Plan
o Responsibilities for Maintenance of Each Part of the Plan
o Test All Changes to Plan
o Advise Person Responsible for BCP Training
The IS auditor, when appropriate, should assist in the process by checking

whether the controls and procedures for the update process are properly
implemented and followed.
For your interest, take a look at the following fragment of a real world audit
report with BCP involved:
Has the Department Adequately Planned For the Actions It Must Take In the Event Of
A Disaster To Minimize the Loss of Computer Operations?
175
Notes:
An organization needs good business continuity planning in order to quickly
recover critical operations after a disaster. Business continuity planning
addresses an organization's ability to continue functioning when normal
operations are disrupted. By necessity, it includes planning for contingencies
and disaster recovery, and is focused on the computer functions that are most
necessary to continued agency operations. Continuity planning enables an
organization to minimize the loss of communications and important
computer operations during an emergency.
The Department has done little business continuity planning for its critical
computer programs. Department management have implemented some
sound practices, such as a system for backing up critical data. However, the
Department doesn't meet many other planning standards. We found
problems such as the following:
Ø The Department hasn't conducted a risk analysis to assess possible

disaster scenarios or threats
Ø The existing continuity plan doesn't assign roles and responsibilities to
176
Notes:
specific staff, and is limited in the recovery instructions it gives
Ø The Department hasn't made any arrangements for off-site processing

for its critical computer programs.
Incident Handling
The major activities involved in the planning and preparation of an incident

handling mechanism should as a minimum include:
l Security Incident Handling Plan
l Reporting Procedure
l Escalation Procedure
l Security Incident Response Procedure
l Training and Education
l Incident Monitoring Measure
177
Notes:
There has to be a proper reporting procedure in place so that in case an
incident occurs, all parties involved would know whom they should report to,
and in what way, and what should be noted and reported. Such reporting
procedure should have a clearly identified point of contact, and comprises
simple but well-defined steps to follow. It should be widely published to all
concerned staff for their information and reference. You should ensure that all
related staff are familiar with the reporting procedure and are capable of
reporting security incident instantly.
There must also be a comprehensive Escalation Procedure established. Such

procedure would define the way to escalate the incident to management and
relevant parties for ensuring that important decisions are promptly taken. You
need to put in place an important contact list for addressing legal, technical, and
managerial issues that should be prepared to facilitate different stages of
security incident handling. You should set out the points of contact with the
corresponding contact information as well as the various levels for notification
basing on the type and severity of the impact caused by the incident.
The system or functional area's manager must establish a security incident

response procedure for guiding the security incident response team through the
178
Notes:
incident handling process. Moreover, a sufficient level of security measures for
incident monitoring must be implemented to protect the system during normal
operation as well as to monitor potential security incidents. For example, you
want to install firewall device and apply authentication and access control
measures to protect important system and data resources. You also want to
install intrusion detection tool to proactively monitor, detect and respond to
system intrusions or hacking. It may be a good idea to also install anti-virus tool
and malicious code detection and repair software to detect and remove
computer virus and malicious codes, and prevent them from affecting the
system operation.
179
Notes:
Risk Management
“Risk is a concept that auditors and managers use to express their concerns about the probable
effects of an uncertain environment. Because the future cannot be predicted with certainty,
auditors and managers have to consider a range of possible events that could take place”5.
“Risk management is a discipline for dealing with uncertainty”6.
As mentioned by David McNamee in his article “Management Control

Concepts”, uncertainty and randomness exist in nature, that risk is not
something to be worried or concerned about but something to be managed. In
fact, managing a range of risks is required for both survival and success in
nowadays environment.
Every organization can and should use risk management strategies and tools to
protect vital assets.
5 http://www.mc2consulting.com/riskart2.htm
6 http://www.nonprofitrisk.org/tutorials/rm_tutorial/2.htm
180
Notes:
The discipline of risk management aims at helping an organization to identify,
assess and control risks that may be present in operations, service delivery,
staffing, and governance activities.
Good risk management can reduce legal costs and lawsuit altogether.
Remember, legal cost is one of the worst nightmares an organization can ever
have.
Risk management defined
The risk management process provides a framework for identifying risks and
deciding what to do about them. Since not all risks are created equal, risk
management does not simply identify risks but also to weigh various risks and
make decisions about which risks deserve immediate attention.
The risk management steps
The steps involved in proper risk management shall include:
181
Notes:
o Context establishment - begin a risk management program by setting
goals and identifying any potential barriers or impediments to the
implementation of the program.
o Risks identification - categorize risks according to the major categories of

assets of the organization in question.
o Risks evaluation and prioritization - establish a list of risk related action

items in priority order.
o Strategies selection and implementation – use risk management

techniques to address virtually every risk your organization is facing.
Such techniques should include:
v Avoidance - do not offer programs that pose too great a risk.
v Modification – modify an activity to make it safer for all involved.
v Retention - make conscious decisions to retain risk.
v Sharing - share risk with another organization through contractual

arrangement, such as insurance contracts and risk management
service contracts.
182
Notes:
o Program update – keep the risk management techniques and plans
periodically reviewed and updated to make certain that they remain the
most appropriate strategy.
Always remember, people are the heart and soul of your organization that are
irreplaceable. Risks associated with people’s life always deserve the most
attention.
IS Auditing and Risk Management
IS auditors may participate in assessing and controlling new systems and

technologies that are emerging in the business world. By applying a risk and
audit framework for assessment and control, new methods of systems planning,
development, deployment and operation can be introduced in a relatively “safe”
manner. Questions you may ask here:
l Has an overall risk assessment been performed on critical information

assets? If so, how recently was it performed or updated?
l Have risks previously identified been corrected? Are there remaining

vulnerabilities that have not been addressed?
183
Notes:
Riskbased Auditing
When performing audit assignments, there are usually two different approaches:
the checklist approach VS the risk-based approach.
Auditing using checklists is basically auditing without an appreciation of why

the auditor is doing some particular task, and can be seen as auditing without an
understanding of the risks involved in the business process.
On the other hand, with risk-based auditing, the auditor must have a thorough
understanding of the business process as well as the risks and controls in the
system for achieving the organization's goals. The risk-based audit plan is
specifically tuned to spend more time on the areas of highest risk and greatest
importance to the goals. Less time will be spent on areas of lower importance
and lower risk.
184
Notes:
Risk Management Readings
Below is a list of HIGHLY RECOMMENDED REFERENCE READINGS.

I strongly recommend that you go through all of them:
The New Risk Management
http://www.intekworld.com/Newsletters/vol3/10oct04/riskmanagement
.htm
Failure in Risk Management
http://www.findarticles.com/p/articles/mi_m3937/is_2000_Jan/ai_6219
7034
Assessing Internet Security Risk, Part One: What is Risk Assessment?

http://www.securityfocus.com/infocus/1591
185
Notes:
Trends: Rethinking risks
http://www.cioinsight.com/article2/0,1397,1458270,00.asp?kc=CTNKT0
209KTX1K0100481
186
Notes:
Project Management
“Project Management is a decision-making and strategic risk. It is defined as the application of

knowledge, skills, tools, and techniques to project activities in order to meet or exceed
stakeholder needs and expectations from a project”7.
Project Management defined
Project management is not simply a technical subject. Instead, it is a business

one. It involves balancing the competing demands of:
v scope
v time
v cost
v quality
v different stakeholders
7 http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditPage!OpenDocument
187
Notes:
To be precise, Project Management is the defining, planning, scheduling, and
controlling of the tasks that must be completed to reach your goal and the
FAIR allocation of the resources to perform those tasks. On the other hand, a
Project Performance audit is an audit for helping you to understand the current
capability of your project management processes or staff, benchmark your
business against best practice, and help you focus improvement to maximum
effect.
Project Management and Audit
Remember, controlling the project is important because things never work out
exactly as planned. To meet your goal, it's important that you be on top of
changes. This is where the audit function fits in.
To truly appreciate the relationship between IS audit and Project Management,
I recommend that you read the following REAL LIFE Project Management
audit documents that have been used by real world government organizations /
NGOs:
188
Notes:
The Canadian Passport Office IRIS Project
http://www.ppt.gc.ca/publications/iris_oct99.aspx
Template - PM Audit Checklist
http://www.auditnet.org/docs/PM-
AuditQuestionnaire.pdf#search='PROJECT%20MANAGEMENT%20AUD
IT'
Also, read the following document in-depth. This is an excellent article that
describes the complex relationship between Project Management, Risk
Management and the Auditing function:
http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAudi
tE-businessrisksProjectMgmt!OpenDocument
By going through these documents, you will be able to tell exactly the role of
the audit function in a project management context.
189
Notes:
Change Management
Change Management Defined
You can think of Change Management as
v The task of managing change
v An area of professional practice
v A body of knowledge
One meaning of managing change refers to the making of changes in a planned

and managed or systematic fashion, with the aim of more effectively
implementing new methods and systems in an ongoing organization. These
changes may be of the type which the organization exercises little or no control,
or of the type that is well-planned.
190
Notes:
As an “Area of Professional Practice”, we see many independent consultants
who acknowledge that they are change agents that manage change for their
clients, that their practices are change management practices. And stemming
from the view of change management as an area of professional practice, there
arises the third definition of change management: the subject matter of change
management as a body of knowledge.
In fact, at the heart of change management we have the change problem - some
future state to be realized, some current state to be left behind, and some
process for getting from the one to the other. At the conceptual level, the
change problem is a matter of moving from one state to another. At the
practical level, changes and the change problems they present are problems of
adaptation, that they require the organization to adjust itself to an ever-changing
set of circumstances.
Change management auditing, with respect to the IT control environment

within an organization, is aimed at limiting unauthorized changes and errors
and disruption from changes to essential IT assets, including computer
applications and system platforms. A change management control system is
therefore made available for setting out procedures to analyze, implement, and
review changes to information technology infrastructure.
191
Notes:
Change Management strategies
Generally speaking, there is no single strategy in regards to change management.

One may adopt a general or what is called a "grand strategy", but for any given
initiative some mix of strategies is the best option.
Four strategies have been outlined in Fred Nickols’s article “Change

Management 101”:
192
Notes:
Strategy Description
People are rational and will follow their self-
interest — once it is revealed to them. Change
Rational-Empirical
is based on the communication of information
and the proffering of incentives.
People are social beings and will adhere to
cultural norms and values. Change is based on
Normative-Reeducative redefining and reinterpreting existing norms and
values, and developing commitments to new
ones.
People are basically compliant and will
generally do what they are told or can be made
Power-Coercive
to do. Change is based on the exercise of
authority and the imposition of sanctions.
People oppose loss and disruption but they
adapt readily to new circumstances. Change is
Environmental-Adaptive based on building a new organization and
gradually transferring people from the old one
to the new one.
193
Notes:
The proper mix of strategies to be used can be determined by the following
factors:
v Degree of Resistance
v The Stakes
v The Time Frame
v Expertise
v Dependency
Along the journey of making changes, there is a need to control the change
process and the elements within it. Change control is often perceived as a part
of the Change Management process where the audit function may fit in.
Change Management VS Change Control VS

Configuration Management
194
Notes:
If we play with the textual definitions, one may argue that Change Management
and Change Control are two totally different disciplines. In fact, in the field of
Project Management, there tend to be differing understandings of these terms
or expressions. The problems are compounded where participants are
unfamiliar with project work and do not recognize the implicit context.
The term Change Management is normally used to mean the achievement of

change in human behavior as part of an overall business solution. The term
Change Control, which is often being referred to as "Change Management",
refers to the management process for requesting reviewing, approving, carrying
out and controlling changes to the project's deliverables.
Change Control is usually applied once the first version of a deliverable has
been completed and agreed.
Sometimes people associate Change Control with Configuration Management,

which is the technical and administrative control of the multiple versions or
editions of a specific deliverable (particularly where the component has been
changed after it was initially completed):
195
Notes:
“Configuration Management is the identification and maintenance of the configuration of a
software product, throughout the product's life, and including both successive and parallel
product versions, for the purpose of systematically controlling changes and thereby maintaining
the product's integrity and traceability”8.
Change Control
“Change Control is a technique for the management of modifications to existing application

software. Compared with the reactive-ness of Incident Reporting, Change Control recognizes the
need for adaptation to externally imposed change, and looks for opportunities for internally
instigated change. It is concerned not only with adaptation of an application's existing functions,
but also with its extension to include new functions”9.
To know what change control exactly is, take a look at the following fragment
of an audit report extracted from a real world case:
8 http://www.anu.edu.au/people/Roger.Clarke/SOS/ChgeCtl90.html
9 Ibid.
196
Notes:
Does the Department Adequately Manage the Maintenance and Updating of Its Critical
Software?
Because of the dynamic nature of computer software, it's important to have a

well organized system to manage the process of making changes. Large and
complex computer programs are constantly in flux. As a result, computers
programs remain works in progress long after they are put into daily use.
However, if changes to the software aren't well organized and closely
managed, the software can quickly become unreliable.
The Department places the responsibility for managing changes on the users,
where it belongs. System changes are approved and monitored by several
steering groups made up of users of the system from across the state, as well
as representatives from the Department's programming staff. While
programmers make the actual changes, users decide which changes need to be
made and set priorities for the programmers.
Overall, the change control process needs to be better organized and

197
Notes:
documented. The system of user groups the Department uses to control the
process is well designed. However, change control as a whole could be
improved by adding more organization and better documentation.
Specifically, the Department could improve its system by:
Ø developing written change control policies
Ø developing a policy requiring the system supervisor to approve in

writing incorporation of software changes into the production software
Ø in the case of significant changes, requiring formal user acceptance

tests before the final changes are allowed to be incorporated into the
production software
Ø requiring staff to update user operation manuals when changes are

made to the software
Change control is often being perceived as a means of prolonging the life of an

application that must be increasingly a proactive measure driven by business
needs and initiated by functional managers. The IS auditors help to check and
198
Notes:
find out whether the proper IS control mechanisms needed by the change
control process are in place and are properly followed.
Refer to the summary below for several more related terms:
In the context of IT, the term configuration management (configuration

control) often refers to:
i, the management of security features and assurances through control of

changes made to hardware, software, firmware, documentation, test, test
fixtures and test documentation of an automated information system,
throughout the development and operational life of a system; and
ii, the control of changes, including the recording thereof, that are made to the
hardware, software, firmware, and documentation throughout the system
lifecycle.
Revision control (also known as version control) refers to the management of

multiple revisions of the same unit of information. It is most commonly used in
system engineering and software development to manage ongoing development
199
Notes:
of digital documents like application source code. Changes are identified by
incrementing an associated number or letter code, termed the "revision
number", "revision level", or simply "revision" and associated historically with
the person making the change.
Release Management is the discipline within software engineering of

managing software releases. A release manager serves as a liaison between
varying business units to guarantee smooth and timely delivery of software
products or updates. He also holds the keys to production systems and takes
responsibility for their quality and availability.
Key points to follow:
· Prior to changes being applied to the live environment, change requests

should be documented through a change request form and accepted
only from authorized individuals. All changes have to be approved by
the application ‘owner’, and that the possible impact of changes should
be assessed in terms of overall risk and on other components of the
application. Additionally, all changes should be tested and should be
reviewed to ensure that they do not compromise security controls. Back-
out positions should be established so that the changes can be backed-
out if they fail.
200
Notes:
· Application changes should be performed by individuals who are
capable of making changes correctly and securely and be supervised by a
specialist. It must also be signed-off by the application owner.
· Arrangements should be made to ensure that once changes have been

applied, version control is maintained and that details of changes are
communicated to relevant individuals. Additionally, checks must be
performed on a regular basis to confirm that only intended changes have
been made, such as using code comparison programs or checking
‘before and after’ contents of key records such as within customer
master files.
From a pure software development point of view, Release Management is

closely related to Change Control.
Questions you may ask concerning configuration management:
l Does your organization have a configuration control plan?
201
Notes:
l Does your organization have a configuration control function or the
equivalent to direct activities in this area? If so, does the configuration
control function approve and record all changes to hardware, software, and
firmware?
l Does your organization have network and system diagrams and a list of all
system resources?
l Are only authorized individuals allowed to move and install computer

equipment?
202
Notes:
Application Program Development
Basic knowledge on database system, data modeling, procedural

programming and object oriented programming is required under this
knowledge domain.
Security is an issue that must be addressed in each phase of the development

effort, not just at the end of development. Therefore, separation of duties has
to be practiced all the time, and a programmer should never have direct access
to codes that are in the production stage. Remember, separation of duties is
always the correct answer!
General guidelines
Program development security is particular important when there is proprietary

software under development. The general guidelines are:
203
Notes:
l Allow only the applications programmers to have access to application
programs under development, and nothing else.
l Allow only systems programmers to have access to system programs under

development, and nothing else.
l Allow only librarians to have write access to system and application

libraries, and nothing else.
l Allow access to live data only through programs that are in the application
libraries, and nothing else.
l Proper change controls must be in place if changes to program codes are

regularly required.
System change control
Changes must be authorized, tested and recorded. Changes can be approved

only if they do not affect the security level of the system.
The change control sub-phases include:

204
Notes:
- Request control
- Change control
- Release control
The change control process includes the following steps:
- Make a formal request of change
- Analyze the request
- Record the change request
- Submit the change request for approval
- Develop the change
Software development processes and models
System development life cycle (SDLC) refers to the process of developing

information systems through investigation, analysis, design, implementation and
205
Notes:
maintenance. It is a systems approach to problem solving and is made up of
several phases, including:
l Software concept
l Requirements analysis
l Architectural design
l Coding and debugging
l System testing
The Waterfall Model as a popular version of the systems development life cycle
model for software engineering includes the following phases:
- System requirements
- Software requirements
- Analysis
- Program design
206
Notes:
- Coding
- Testing
- Operations & Maintenance
The waterfall model describes a development method that is linear and

sequential. It offers distinct goals for each phase of development. The
advantage is that it allows for departmentalization and managerial control. For
example, a schedule can be set with deadlines for each stage of development
and a product can proceed through the development process step by step
without much complexity. The disadvantage is that it does not allow for much
reflection or revision. That means, once an application is in the testing stage, it
is very difficult to go back and change something that was not well-thought out
in the concept stage.
The spiral model is a development model that combines elements of both

design and prototyping-in-stages in an effort to combine advantages of both
the top-down approach and the bottom-up methodology. Under this model,
each phase starts with a design goal and ends with the client reviewing the
progress thus far. Analysis and engineering efforts are applied at each phase of
the project, with an eye toward the overall end goal of the project.
207
Notes:
The Chaos model is a structure of software development that extends the spiral
model and the waterfall model. It notes that the phases of the life cycle apply to
all levels of projects, from the whole project to individual lines of code. In fact,
this model has several tie-ins with the chaos theory:
l It helps explain why software is so unpredictable.
l It explains why high-level concepts like architecture cannot be treated

independently of low-level lines of code.
l It provides a hook for explaining what to do next in terms of the chaos

strategy.
Buy VS Make: Acquisition Management Methods
It is very common for an organization to purchase off-the-shelf or tailor made

software from the outside. Because of this, it is important to investigate the
acquisition process used by the organization so as to comply with the defined
security guidelines and procedures. In fact, part of that contract/outsourcing
process should include making sure that the security vendor’s service levels are
spelled out satisfactorily. A recommended way is to devise an evaluation matrix
208
Notes:
that lists the requirements of the organization and rates each service provider
on how well they achieve each requirement.
If acquisition is conducted through bidding, certain controls of the bidding

process should be in place. Here are the general guidelines:
· A formal bidding process should be open and fair, encourage

competition, and provide the purchasing entity with the best product at
the lowest possible price.
· Develop a checklist for the review of various requirements for formal

bids, including insurance, bonding, specifications, and evaluation and
award.
· Establish a system to monitor compliance with the bid tabulation

procedure, including the rules and controls for accepting bid changes
after the bids are opened.
· Develop and implement an effective filing system for bid files.
· Require that all purchase specifications clearly state the bid evaluation
criteria and ascertain that the staff use only the evaluation criteria
included in the purchase specifications.
· Criteria for bids should be laid out in the request for proposal.
209
Notes:
· Formal bidders list should be maintained.
· Bids should be opened and recorded by someone not involved in the

bid evaluation process. Retain the bid envelope that shows the dates
and times of bid receipt and opening, and file it with the other bid
documents.
210
Notes:
Technical Readings
There are 5 sections included in this part of the study guide. They cover the
majority of technical topics that will be tested in the CISA/CISM exams. By
going through all of them your readiness of the real exams can be reasonably
assured.
q Section 1: Topics on security theory.
q Section 2: Topics on Hacking, attacking, defending and

auditing.
q Section 3: Topics on encryption and VPN.
q Section 4: Topics on responding to attacks
q Section 5: Topics on viruses.
As a reminder: Biometrics is an important topic. Check out the various forms

of biometrics technology described in this web page:
http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm . Know their
drawbacks and their impacts.
211
Notes:
Slide 1
Technical Readings
for CISA/CISM candidates
Covering the technical elements of the 2005/06 objectives
Copyright 2005/06. All rights reserved. 1
212
Notes:
Slide 2
What is included in this study guide?
n There are 5 sections included in this part of the study
guide. They cover the majority of technical topics that will
be tested in the CISA/CISM exams. By going through all
of them your readiness of the real exams can be
reasonably assured.
q Section 1: Topics on security theory.
q Section 2: Topics on Hacking, attacking, defending and auditing.
q Section 3: Topics on encryption and VPN.
q Section 4: Topics on responding to attacks
q Section 5: Topics on viruses.
213
Notes:
Slide 3
What is included? cont’d
n Basically, we did all the homework for you! We:
q reviewed the major preparation products available in the
market and identified the missing critical information
q collected and summarized these missing pieces and presents
them to you in an easytofollow style
214
Notes:
Slide 4
Before you begin…
n Make sure you have enough time – based on
past experience, it takes an average student
3 full days at the least to go through all the
sections.
215
Notes:
Slide 5
Before you begin…
n Copyright Information
q Some contents of this product are extracted and recompiled
from the various Linux Security HOWTO document which is
copyrighted by Kevin Fenzi and Dave Wreski, and distributed
under the following terms:
n Linux HOWTO documents may be reproduced and distributed in
whole or in part, in any medium, physical or electronic, as long as
this copyright notice is retained on all copies. All translations,
derivative works, or aggregate works incorporating any Linux
HOWTO documents are covered under this copyright notice.
n Information presented in this product is
platform independent. Content has been
modified to fulfill the purpose of this product.
216
Notes:
Slide 6
Section 1
Security Theory
217
Notes:
Slide 7
Section 1 – Issue 1
n Why Do We Need Security?
q In the everchanging world of global data communications,
inexpensive Internet connections, and fastpaced software
development, security is becoming more and more of an
issue. Security is now a basic requirement because global
computing is inherently insecure. As your data goes from
point A to point B on the Internet, for example, it may pass
through several other points along the way, giving other
users the opportunity to intercept, and even alter, it. Even
other users on your system may maliciously transform your
data into something you did not intend.
q Unauthorized access to your system may be obtained by
intruders, also known as "crackers", who then use
advanced knowledge to impersonate you, steal information
from you, or even deny you access to your own resources.
218
Notes:
Slide 8
n How Secure Is Secure?
q First, keep in mind that no computer system can
ever be completely secure. All you can do is make
it increasingly difficult for someone to compromise
your system. For the average home user, not
much is required to keep the casual cracker at
bay. However, for highprofile users (banks,
telecommunications companies, etc), much more
work is required.
219
Notes:
Slide 9
Section 1 – Issue 2 cont’d
n How Secure Is Secure?
q Another factor to take into account is that the more secure
your system is, the more intrusive your security becomes.
You need to decide where in this balancing act your
system will still usable, and yet secure for your purposes.
For instance, you could require everyone dialing into your
system to use a callback modem to call them back at their
home number. This is more secure, but if someone is not
at home, it makes it difficult for them to login. You could
also setup your system with no network or connection to
the Internet, but this limits its usefulness.
220
Notes:
Slide 10
q If you are a medium to largesized site, you
should establish a security policy stating how
much security is required by your site and what
auditing is in place to check it.
221
Notes:
Slide 11
n What Are You Trying to Protect?
q Before you attempt to secure your system, you
should determine what level of threat you have to
protect against, what risks you should or should
not take, and how vulnerable your system is as a
result. You should analyze your system to know
what you're protecting, why you're protecting it,
what value it has, and who has responsibility for
your data and other assets.
222
Notes:
Slide 12

q Risk is the possibility that an intruder may be successful in attempting
to access your computer. Can an intruder read or write files, or execute
programs that could cause damage? Can they delete critical data? Can
they prevent you or your company from getting important work done?
Don't forget: someone gaining access to your account, or your system,
can also impersonate you. Additionally, having one insecure account
on your system can result in your entire network being compromised.
If you allow a single user to login using a .rhosts file, or to use an
insecure service such as tftp, you risk an intruder getting 'his foot in
the door'. Once the intruder has a user account on your system, or
someone else's system, it can be used to gain access to another
system, or another account.
q Threat is typically from someone with motivation to gain unauthorized
access to your network or computer. You must decide whom you trust
to have access to your system, and what threat they could pose.
223
Notes:
Slide 13
n Types of intruders:
q The Curious This type of intruder is basically interested
in finding out what type of system and data you have.
q The Malicious This type of intruder is out to either bring
down your systems, or deface your web page, or otherwise
force you to spend time and money recovering from the
damage he has caused.
q The HighProfile Intruder This type of intruder is trying
to use your system to gain popularity and infamy. He might
use your highprofile system to advertise his abilities.
224
Notes:
Slide 14
q The Competition This type of intruder is interested in
what data you have on your system. It might be someone
who thinks you have something that could benefit him,
financially or otherwise.
q The Borrowers This type of intruder is interested in
setting up shop on your system and using its resources for
their own purposes. He typically will run chat or irc servers,
porn archive sites, or even DNS servers.
q The Leapfrogger This type of intruder is only interested
in your system to use it to get into other systems. If your
system is wellconnected or a gateway to a number of
internal hosts, you may well see this type trying to
compromise your system.
225
Notes:
Slide 15
n Vulnerability
q It describes how wellprotected your computer is from
another network, and the potential for someone to gain
unauthorized access. What's at stake if someone breaks
into your system? Of course the concerns of a dynamic
PPP home user will be different from those of a company
connecting their machine to the Internet, or another large
network.
q How much time would it take to retrieve/recreate any data
that was lost? An initial time investment now can save ten
times more time later if you have to recreate data that was
lost. Have you checked your backup strategy, and verified
your data lately?
226
Notes:
Slide 16
n Developing A Security Policy
q Create a simple, generic policy for your system
that your users can readily understand and follow.
It should protect the data you're safeguarding as
well as the privacy of the users. Some things to
consider adding are: who has access to the
system (Can my friend use my account?), who's
allowed to install software on the system, who
owns what data, disaster recovery, and
appropriate use of the system.
227
Notes:
Slide 17
q A generallyaccepted security policy starts with the phrase
That w hich is not permitted is prohibited
n This means that unless you grant access to a service for a user, that user
shouldn't be using that service until you do grant access. Make sure the
policies work on your regular user account. Saying, "Ah, I can't figure out
this permissions problem, I'll just do it as root" can lead to security holes
that are very obvious, and even ones that haven't been exploited yet.
n rfc1244 is a document that describes how to create your own network
security policy.
n rfc1281 is a document that shows an example security policy with
detailed descriptions of each step.
n Finally, you might want to look at the COAST policy archive at
ftp://coast.cs.purdue.edu/pub/doc/policy to see how a reallife security
policy looks like. There are policy files for public download.
228
Notes:
Slide 18
n Means of Securing Your Site
q What would happen to your reputation if an intruder deleted some of your
users' data? Or defaced your web site? Or published your company's
corporate project plan for next quarter? If you are planning a network
installation, there are many factors you must take into account before adding
a single machine to your network.
q Even if you have a single dialup PPP account, or just a small site, this does
not mean intruders won't be interested in your systems. Large, highprofile
sites are not the only targets many intruders simply want to exploit as
many sites as possible, regardless of their size. Additionally, they may use a
security hole in your site to gain access to other sites you're connected to.
q Intruders have a lot of time on their hands, and can avoid guessing how
you've obscured your system just by trying all the possibilities. There are
also a number of reasons an intruder may be interested in your systems,
which we will discuss later.
229
Notes:
Slide 19
n Host Security
q Perhaps the area of security on which administrators
concentrate most is hostbased security. This typically
involves making sure your own system is secure, and
hoping everyone else on your network does the same.
Choosing good passwords, securing your host's local
network services, keeping good accounting records, and
upgrading programs with known security exploits are
among the things the local security administrator is
responsible for doing. Although this is absolutely necessary,
it can become a daunting task once your network becomes
larger than a few machines.
230
Notes:
Slide 20
n Local Network Security
q Network security is as necessary as local host
security. With hundreds, thousands, or more
computers on the same network, you can't rely on
each one of those systems being secure.
Ensuring that only authorized users can use your
network, building firewalls, using strong
encryption, and ensuring there are no "rogue"
(that is, unsecured) machines on your network are
all part of the network security administrator's
duties.
231
Notes:
Slide 21
n Security Through Obscurity
q One type of security that must be discussed is "security
through obscurity". This means, for example, moving a
service that has known security vulnerabilities to a non
standard port in hopes that attackers won't notice it's there
and thus won't exploit it. Rest assured that they can
determine that it's there and will exploit it. Security through
obscurity is no security at all. Simply because you may
have a small site, or a relatively low profile, does not mean
an intruder won't be interested in what you have.
232
Notes:
Slide 22
n Physical Security
q The first layer of security you need to take into
account is the physical security of your computer
systems. Who has direct physical access to your
machine? Should they? Can you protect your
machine from their tampering? Should you?
q How much physical security you need on your
system is very dependent on your situation,
and/or budget.
233
Notes:
Slide 23

q If you are a home user, you probably don't need a lot
(although you might need to protect your machine from
tampering by children or annoying relatives). If you are in a
lab, you need considerably more, but users will still need to
be able to get work done on the machines. Many of the
following sections will help out. If you are in an office, you
may or may not need to secure your machine offhours or
while you are away. At some companies, leaving your
console unsecured is a termination offense.
q Obvious physical security methods such as locks on doors,
cables, locked cabinets, and video surveillance are all good
ideas, but beyond the scope of this document. :)
234
Notes:
Slide 24
n Computer locks
q Many modern PC cases include a "locking"
feature. Usually this will be a socket on the front
of the case that allows you to turn an included key
to a locked or unlocked position. Case locks can
help prevent someone from stealing your PC, or
opening up the case and directly
manipulating/stealing your hardware. They can
also sometimes prevent someone from rebooting
your computer from their own floppy or other
hardware.
235
Notes:
Slide 25
q These case locks do different things according to the support in
the motherboard and how the case is constructed. On many PC's
they make it so you have to break the case to get the case open.
On some others, they will not let you plug in new keyboards or
mice. Check your motherboard or case instructions for more
information. This can sometimes be a very useful feature, even
though the locks are usually very lowquality and can easily be
defeated by attackers with locksmithing.
q Some machines (most notably SPARCs and macs) have a
dongle on the back that, if you put a cable through, attackers
would have to cut the cable or break the case to get into it. Just
putting a padlock or combo lock through these can be a good
deterrent to someone stealing your machine.
236
Notes:
Slide 26
Section 2
Hacking, attacking, defending and auditing
237
Notes:
Slide 27
n To be able to defend and audit, you should
know how to hack (think like a hacker)J
238
Notes:
Slide 28
n Packet Sniffers
q One of the most common ways intruders gain access to more
systems on your network is by employing a packet sniffer on a
already compromised host. This "sniffer" just listens on the
Ethernet port for things like passwd and login and su in the
packet stream and then logs the traffic after that. This way,
attackers gain passwords for systems they are not even
attempting to break into. Cleartext passwords are very
vulnerable to this attack.
q Example: Host A has been compromised. Attacker installs a
sniffer. Sniffer picks up admin logging into Host B from Host C. It
gets the admin's personal password as they login to B. Then, the
admin does a su to fix a problem. They now have the root
password for Host B. Later the admin lets someone telnet from
his account to Host Z on another site. Now the attacker has a
password/login on Host Z.
239
Notes:
Slide 29
q In this day and age, the attacker doesn't even
need to compromise a system to do this: they
could also bring a laptop or pc into a building and
tap into your net.
q Using ssh or other encrypted password methods
thwarts this attack. Things like APOP for POP
accounts also prevents this attack. (Normal POP
logins are very vulnerable to this, as is anything
that sends cleartext passwords over the network.)
240
Notes:
Slide 30
n SATAN, ISS, and Other Network Scanners
q There are a number of different software packages out there that do port
and servicebased scanning of machines or networks. SATAN, ISS, SAINT,
and Nessus are some of the more wellknown ones. This software connects
to the target machine (or all the target machines on a network) on all the
ports they can, and try to determine what service is running there. Based on
this information, you can tell if the machine is vulnerable to a specific exploit
on that server.
n SATAN (Security Administrator's Tool for Analyzing Networks) is a port scanner
with a web interface. It can be configured to do light, medium, or strong checks on a
machine or a network of machines. It's a good idea to get SATAN and scan your
machine or network, and fix the problems it finds. Make sure you get the copy of
SATAN from metalab or a reputable FTP or web site. There was a Trojan copy of
SATAN that was distributed out on the net. Note that SATAN has not been updated
in quite a while, and some of the other tools below might do a better job.
241
Notes:
Slide 31
n ISS (Internet Security Scanner) is another portbased
scanner. It is faster than Satan, and thus might be better
for large networks. However, SATAN tends to provide
more information.
n Abacus is a suite of tools developed by Psionic to
provide hostbased security and intrusion detection.
242
Notes:
Slide 32
n SAINT is a updated version of SATAN. It is webbased
and has many more uptodate tests than SATAN.
n Nessus is a free security scanner. It has a graphical
interface for ease of use. It is also designed with a very
nice plugin setup for newly updated portscanning tests.
243
Notes:
Slide 33
n Security scanners are often used in the
process of security auditing as well as
footprinting.
q Footprinting is the first step in information
gathering of hackers to perform a successful
attack, one needs to gather information –
information on all aspects of the perspective
organization’s security posture, profile of their
Intranet, remote access capabilities, and
intranet/extranet presence…etc.
244
Notes:
Slide 34
n Footprinting relies on info gathering. These are popular
sources of such info:
q American Registry for Internet Numbers
q CERT®/CC Finding Site Contacts
q InterNIC
q Network Operations Centers List
q Network Solutions
q US Security and Exchange
q Enumeration is also an information gathering technique,
but is an intrusive one!
n It is the process of extracting valid user accounts, poorly
protected File Shares or other resources from a target system.
q This process is usually logged.
245
Notes:
Slide 35
q Security auditing to be performed before anything
had happened typically involves the use of
Security Scanners and other tools to test the
security level of the network.
246
Notes:
Slide 36
q Security auditing to be performed after things had
gone wrong typically involves the examination of
the audit trail.
n However, the presence of Rootkits and Cover Tracks
may hinder this process.
q Rootkits are tools used by hackers to hide their presence on
compromised systems. They are mostly collections of
trojaned binaries that replace the common commands.
q Cover tracks can wipe out the audit logs. Examples include
Wipe and Zap.
247
Notes:
Slide 37
n Detecting Port Scans
q There are some tools designed to alert you to probes by SATAN
and ISS and other scanning software. However, if you liberally
use tcp_wrappers, and look over your log files regularly, you
should be able to notice such probes. Even on the lowest setting,
SATAN still leaves traces in the logs on a stock Red Hat system.
q There are also "stealth" port scanners. A packet with the TCP
ACK bit set (as is done with established connections) will likely
get through a packetfiltering firewall. The returned RST packet
from a port that _had no established session_ can be taken as
proof of life on that port. I don't think TCP wrappers will detect
this.
248
Notes:
Slide 38
n Denial of Service Attacks
q A "Denial of Service" (DoS) attack is one where the
attacker tries to make some resource too busy to answer
legitimate requests, or to deny legitimate users access to
your machine.
q Denial of service attacks have increased greatly in recent
years.
249
Notes:
Slide 39
q There is no fixed format of DoS. In fact, there are
many types of DoS attacks that are based on tons
of different methods. A Denial of Service Attack
can be based on crashing routers which makes a
network inaccessible, crashing DNS servers
which prevents the use of Domain Names,
congesting hosts with requests…etc etc – it can
be anything that stops things from working.
q A DoS Attack is ALWAYS used in conjunction
with an another attack.
250
Notes:
Slide 40
q SYN Flooding SYN flooding is a network denial
of service attack. It takes advantage of a
"loophole" in the way TCP connections are
created.
n Sometimes known as Synk4
n Systems which fall prey to the Syn Flooding attack will
have difficulty accepting any new incoming network
connections. Therefore, legitimate users attempting to
connect to the server will not be able to do so.
251
Notes:
Slide 41
q Pentium "F00F" Bug It was recently discovered
that a series of assembly codes sent to a genuine
Intel Pentium processor would reboot the machine.
This affects every machine with a Pentium
processor (not clones, not Pentium Pro or PII), no
matter what operating system it's running.
252
Notes:
Slide 42
q Ping Flooding / Smurf / Fraggle Ping flooding is a
simple bruteforce denial of service attack. The attacker
sends a "flood" of ICMP packets to your machine. If they
are doing this from a host with better bandwidth than yours,
your machine will be unable to send anything on the
network.
n A variation on this attack, called "smurfing", sends ICMP
packets to a host with your machine's return IP, allowing them
to flood you less detectably.
n Smurf attacks are network amplification attacks.
n Fraggle attack is similar to Smurf attack except that it
uses UDP echo packets, not ICMP echos.
253
Notes:
Slide 43

q Ping o' Death The Ping o' Death attack sends ICMP
ECHO REQUEST packets that are too large to fit in the
kernel data structures intended to store them. Because
sending a single, large (65,510 bytes) "ping" packet to
many systems will cause them to hang or even crash, this
problem was quickly dubbed the "Ping o' Death." This one
has long been fixed, and is no longer anything to worry
about.
q Teardrop / New Tear One of the most recent exploits
involves a bug present in the IP fragmentation code on
Linux and Windows platforms.
n Teardrop is an attack that exploits the vulnerability found in
some implementations of the packet reassembly.
n New Tear is a new teardrop type exploit which mainly affects
NT4 and Win95.
254
Notes:
Slide 44
q Land / LaTierra The Land attack uses IP
spoofing in combination with the opening of a
TCP connection. Both the source and destination
IP addresses are modified to be the same the
address of the destination host. It misleads the
machine to continue sending ACK packets and
thus remaining in the loop. The LaTierra attack is
similar except that LaTierra sends the TCP packet
to more than one port and more than once.
255
Notes:
Slide 45
q Blast – a small and quick TCP service stress test
tool that can spot potential weaknesses in your
network servers.
n It can be used as a tool for generating DoS attack!
q Bonk – an attack that modifies the frag offset.
n Also known as “teardrop reversed”
256
Notes:
Slide 46
n There are many ways to protect oneself
against DoS attacks. The most popular ways
are:
q patching the networking code of the OS kernel
q configuring the network with protective devices
such as firewalls.
257
Notes:
Slide 47
n Firewalls
q Firewalls are a means of controlling what
information is allowed into and out of your
local network. Typically the firewall host is
connected to the Internet and your local LAN,
and the only access from your LAN to the
Internet is through the firewall. This way the
firewall can control what passes back and
forth from the Internet and your LAN.
258
Notes:
Slide 48
q There are a number of types of firewalls and
methods of setting them up.
n Linux machines make pretty good firewalls. Firewall code
can be built right into 2.0 and higher kernels. The user
space tools ipfwadm for 2.0 kernels and ipchains for 2.2
kernels, allows you to change, on the fly, the types of
network traffic you allow. You can also log particular types
of network traffic.
n Windows 2000 provides simple packet filtering functions.
n Windows XP provides Internet Connection Firewall.
259
Notes:
Slide 49

n Webopedia classifies firewall techniques as
below:
“
q Packet filter: Looks at each packet entering or leaving the network and
accepts or rejects it based on userdefined rules. Packet filtering is fairly
effective and transparent to users, but it is difficult to configure. In addition,
it is susceptible to IP spoofing.
q Application gateway: Applies security mechanisms to specific applications,
such as FTP and Telnet servers. This is very effective, but can impose a
performance degradation.
q Circuitlevel gateway: Applies security mechanisms when a TCP or UDP
connection is established. Once the connection has been made, packets
can flow between the hosts without further checking.
q Proxy server: Intercepts all messages entering and leaving the network.
The proxy server effectively hides the true network addresses.
”
260
Notes:
Slide 50
q The National Institute of Standards and Technology
have put together an excellent document on firewalls.
Although dated 1995, it is still quite good
(http://csrc.nist.gov/).
261
Notes:
Slide 51
n BIOS Security
q The BIOS is the lowest level of software that configures or
manipulates your x86based hardware. All boot methods
access the BIOS to determine how to boot up your
machine. Other hardware has similar software
(OpenFirmware on Macs and new Suns, Sun boot PROM,
etc...). You can use your BIOS to prevent attackers from
rebooting your machine and manipulating your system.
q Many PC BIOSs let you set a boot password. This doesn't
provide all that much security (the BIOS can be reset, or
removed if someone can get into the case), but might be a
good deterrent (i.e. it will take time and leave traces of
tampering). This might slow attackers down.
262
Notes:
Slide 52
q Many x86 BIOSs also allow you to specify various other
good security settings. Check your BIOS manual or look at
it the next time you boot up. For example, some BIOSs
disallow booting from floppy drives and some require
passwords to access some BIOS features.
q Note: If you have a server machine, and you set up a boot
password, your machine will not boot up unattended. Keep
in mind that you will need to come in and supply the
password in the event of a power failure.
263
Notes:
Slide 53
n DLL Injection
q a method of inserting malicious code into another
running process's so that access to some
otherwise restricted piece of information is
possible.
264
Notes:
Slide 54
n Back Door
q an easy route back into an already compromised
system that was put in place by the current
attacker or a previous attacker. It may be a
program that binds itself to a specific port and
listens for the attacker to connect to it, or a pre
tested exploit that is configured by the attacker for
future reuse.
265
Notes:
Slide 55
n Privilege escalation
q the stage of penetration that occurs AFTER an
attacker has already gained access to a system.
q It aims at gaining administrator level privileges on
the system.
266
Notes:
Slide 56
n War dialing
q attack through the phone system.
q War dialers were originally developed by and for
phone phreaks seeking free longdistance service.
n They are well suited to the task of scanning and finding
modems for possible network entry.
n Examples include:
q Telesweep Secure
q PhoneSweep
q THCScan
267
Notes:
Slide 57
n Purloining and Pilfering
q Often being refer to as image and bandwidth theft.
q Digital watermarking is one way to protect against
image theft.
268
Notes:
Slide 58
Section 3
Encryption and VPN
269
Notes:
Slide 59
n VPNs Virtual Private Networks
q VPN's are a way to establish a "virtual" network on top of some
alreadyexisting network. This virtual network often is encrypted
and passes traffic only to and from some known entities that
have joined the network. VPNs are often used to connect
someone working at home over the public Internet to an internal
company network.
q VPNs use authenticated links to ensure that only authorized
users can connect to your network, and they use encryption to
ensure that data that travels over the Internet can't be intercepted
and used by others. VPN technology also allows a corporation to
connect to its branch offices or to other companies over a public
network while maintaining secure communications.
q In Windows 2000, VPNs are built using PPTP or L2TP.
270
Notes:
Slide 60
n PointtoPoint Tunneling Protocol (PPTP) provides
data encryption using Microsoft PointtoPoint
Encryption.
n Layer Two Tunneling Protocol (L2TP) provides data
encryption, authentication, and integrity using IPSec.
q PPTP is suitable for NonWindows 2000 computers.
q L2TP is suitable for Windows 2000 or Windows XP clients.
n If you want to try out configuring a VPN with Windows
2000, read the MS KB article 308208.
271
Notes:
Slide 61
n According to W ebopedia, "As the Internet and other
forms of electronic communication become more
prevalent, electronic security is becoming increasingly
important. Cryptography is used to protect email
messages, credit card information, and corporate data.
One of the most popular cryptography systems used
on the Internet is Pretty Good Privacy because it's
effective and free. Cryptography systems can be
broadly classified into symmetrickey systems that use
a single key that both the sender and recipient have,
and publickey systems that use two keys, a public key
known to everyone and a private key that only the
recipient of messages uses."
272
Notes:
Slide 62
n CA
q Certification authorities are responsible for
managing certificate requests and issuing
certificates to participating IPSec network peers.
These services provide centralized key
management for the participating peers and
simplify administration.
273
Notes:
Slide 63
n Digital signatures
q Digital signatures are enabled by public key cryptography and
are providing a means to digitally authenticate devices and
individual users.
q In public key cryptography, each user has a keypair containing
both a public and a private key. Anything encrypted with one of
the keys can be decrypted with the other.
q In simple terms, a signature is formed when data is encrypted
with a user's private key. The receiver verifies the signature by
decrypting the message with the sender's public key.
q The fact that the message could be decrypted using the sender's
public key shows that the holder of the private key must have
created the message.
274
Notes:
Slide 64
q How can you know with a high degree of certainty
that it really does belong to the sender, and not to
someone pretending to be the sender?
n Use digital certificates. A digital certificate contains
information to identify a user or device, such as the
name, serial number, company, department or IP
address. It also contains a copy of the entity's public key.
275
Notes:
Slide 65
n Since the certificate is itself signed by a certification
authority, it is trust worthy.
n To be able to validate the CA's signature, the receiver
must know the CA's public key. This is usually handled
outofband or through an operation done at installation.
q Without digital signatures, one must manually
exchange public secrets between each pair of
peers that use IPSec to protect communications
between them.
276
Notes:
Slide 66
n Legal issues
q Be careful when deploying cryptography technology
overseas. According to W ebopedia, "PGP is such an
effective encryption tool that the U.S. government actually
brought a lawsuit against Zimmerman for putting it in the
public domain and hence making it available to enemies of
the U.S. After a public outcry, the U.S. lawsuit was dropped,
but it is still illegal to use PGP in many other countries."
q By the way, if you want to learn more about PGP, refer to
its official home page at PGPI.ORG.
277
Notes:
Slide 67
Section 4
Responding to attacks
278
Notes:
Slide 68
n Security Compromise Underway.
q Spotting a security compromise under way can be a tense
undertaking. How you react can have large consequences.
q If the compromise you are seeing is a physical one, odds
are you have spotted someone who has broken into your
home, office or lab. You should notify your local authorities.
In a lab, you might have spotted someone trying to open a
case or reboot a machine. Depending on your authority
and procedures, you might ask them to stop, or contact
your local security people.
279
Notes:
Slide 69

n Detecting Physical Security Compromises
q The first thing to always note is when your machine was rebooted.
The only times your machine should reboot is when you take it
down for OS upgrades, hardware swapping, or the like. If your
machine has rebooted without you doing it, that may be a sign
that an intruder has compromised it. Many of the ways that your
machine can be compromised require the intruder to reboot or
power off your machine.
q Check for signs of tampering on the case and computer area.
Although many intruders clean traces of their presence out of
logs, it's a good idea to check through them all and note any
discrepancy.
q It is also a good idea to store log data at a secure location, such
as a dedicated log server within your wellprotected network.
Once a machine has been compromised, log data becomes of
little use as it most likely has also been modified by the intruder.
280
Notes:
Slide 70
q The syslog daemon can be configured to automatically
send log data to a central syslog server, but this is typically
sent unencrypted, allowing an intruder to view data as it is
being transferred. This may reveal information about your
network that is not intended to be public. There are syslog
daemons available that encrypt the data as it is being sent.
q Also be aware that faking syslog messages is easy with
an exploit program having been published. Syslog even
accepts net log entries claiming to come from the local host
without indicating their true origin.
281
Notes:
Slide 71
q Some things to check for in your logs:
n Short or incomplete logs.
n Logs containing strange timestamps.
n Logs with incorrect permissions or ownership.
n Records of reboots or restarting of services.
n missing logs.
n su entries or logins from strange places.
282
Notes:
Slide 72

q If you have detected a local user trying to compromise your
security, the first thing to do is confirm they are in fact who you
think they are. Check the site they are logging in from. Is it the
site they normally log in from? No? Then use a nonelectronic
means of getting in touch. For instance, call them on the phone
or walk over to their office/house and talk to them. If they agree
that they are on, you can ask them to explain what they were
doing or tell them to cease doing it. If they are not on, and have
no idea what you are talking about, odds are this incident
requires further investigation. Look into such incidents , and have
lots of information before making any accusations.
q If you have detected a network compromise, the first thing to do
(if you are able) is to disconnect your network. If they are
connected via modem, unplug the modem cable; if they are
connected via Ethernet, unplug the Ethernet cable. This will
prevent them from doing any further damage, and they will
probably see it as a network problem rather than detection.
283
Notes:
Slide 73
q If you are unable to disconnect the network (if you have a busy
site, or you do not have physical control of your machines), the
next best step is to use something like tcp_wrappers or ipfwadm
to deny access from the intruder's site.
q If you can't deny all people from the same site as the intruder,
locking the user's account will have to do. Note that locking an
account is not an easy thing. You have to keep in mind .rhosts
files, FTP access, and a host of possible backdoors.
q After you have done one of the above (disconnected the network,
denied access from their site, and/or disabled their account), you
need to kill all their user processes and log them off.
q You should monitor your site well for the next few minutes, as the
attacker will try to get back in. Perhaps using a different account,
and/or from a different network address.
284
Notes:
Slide 74
n Security Compromise has already happened
q So you have either detected a compromise that has
already happened or you have detected it and locked
(hopefully) the offending attacker out of your system. Now
what?
n Closing the Hole
q If you are able to determine what means the attacker used to get
into your system, you should try to close that hole. For instance,
perhaps you see several FTP entries just before the user logged in.
Disable the FTP service and check and see if there is an updated
version, or if any of the lists know of a fix.
q Check all your log files, and make a visit to your security lists and
pages and see if there are any new common exploits you can fix.
285
Notes:
Slide 75
n Assessing the Damage
q The first thing is to assess the damage. What has been
compromised? If you are running an integrity checker like
Tripwire, you can use it to perform an integrity check; it
should help to tell you what has been compromised. If not,
you will have to look around at all your important data.
q Since systems are getting easier and easier to install, you
might consider saving your config files, wiping your disk(s),
reinstalling, then restoring your user files and your config
files from backups. This will ensure that you have a new,
clean system. If you have to restore files from the
compromised system, be especially cautious of any binaries
that you restore, as they may be Trojan horses placed there
by the intruder.
286
Notes:
Slide 76
q Reinstallation should be considered mandatory upon an
intruder obtaining root access. Additionally, you'd like to
keep any evidence there is, so having a spare disk in the
safe may make sense.
q Then you have to worry about how long ago the
compromise happened, and whether the backups hold any
damaged work. More on backups later.
287
Notes:
Slide 77
n Backups, Backups, Backups!
q Having regular backups is a godsend for security matters. If
your system is compromised, you can restore the data you
need from backups. Of course, some data is valuable to the
attacker too, and they will not only destroy it, they will steal
it and have their own copies; but at least you will still have
the data.
288
Notes:
Slide 78
q You should check several backups back into the past before
restoring a file that has been tampered with. The intruder
could have compromised your files long ago, and you could
have made many successful backups of the compromised
file!
q Of course, there are also a raft of security concerns with
backups. Make sure you are storing them in a secure place.
Know who has access to them. (If an attacker can get your
backups, they can have access to all your data without you
ever knowing it.)
289
Notes:
Slide 79
n Tracking Down the Intruder.
q Ok, you have locked the intruder out, and recovered your
system, but you're not quite done yet. While it is unlikely
that most intruders will ever be caught, you should report
the attack.
q You should report the attack to the admin contact at the site
from which the attacker attacked your system. You can look
up this contact with whois or the Internic database. You
might send them an email with all applicable log entries and
dates and times. If you spotted anything else distinctive
about your intruder, you might mention that too. After
sending the email, you should (if you are so inclined) follow
up with a phone call. If that admin in turn spots your attacker,
they might be able to talk to the admin of the site where they
are coming from and so on.
290
Notes:
Slide 80
q Good crackers often use many intermediate systems, some
(or many) of which may not even know they have been
compromised. Trying to track a cracker back to their home
system can be difficult. Being polite to the admins you talk
to can go a long way to getting help from them.
q You should also notify any security organizations you are a
part of ( CERT or similar), as well as your system vendor.
291
Notes:
Slide 81
Section 5
Virus
292
Notes:
Slide 82
n Computer virus a computer program which
reproduces itself through legitimate
processes in computer programs and
operating systems. It can alter the behavior of
a program or operating system without the
knowledge of computer users.
q It itself is written with malicious purposes in
mind.
293
Notes:
Slide 83
n To know the CURRENT LATEST info on the
various viruses, visit the following web sites:
q WildList Organization International, the world's
premier source of information on which viruses
are spreading In the Wild (http://www.wildlist.org/ ).
q The Virus Bulletin, an international antivirus
publication that keeps track of the occurrence of
computer viruses (http://www.virusbtn.com/ ).
294
Notes:
Slide 84
n Virus experts in general prefer to categorize
viruses by:
q their behaviors
q the affected operating system platforms
q the type of programming languages used to
develop them
295
Notes:
Slide 85
n A majority of early viruses are Program
Viruses that infected programs which ended
in the .com and .exe file extensions.
q They infect executable files by placing their
programming instructions inside the other
programs.
q They do NOT infect .BAT files, since .BAT files
are simply text based scripts. They can be
embedded into .BAT files for execution though.
q They cannot bypass antivirus software.
296
Notes:
Slide 86
n Script viruses mostly affect scripting languages like
Microsoft Visual Basic and JavaScript became
commonplace.
n Macro viruses mostly affect business software, such
as MS Office. Macros let users automate a series of
commands inside documents or spreadsheets.
Macro instructions can easily be modified by viruses
to perform erratic behaviors.
n All these viruses can be detected by nowadays’ anti
virus software packages.
297
Notes:
Slide 87
n Boot sector viruses infected hidden startup
programs built into diskette media and hard
drives.
q Since they start before the operating system is
loaded, they can easily bypass the antivirus
software.
298
Notes:
Slide 88
n To further spread viruses, virus writers
developed Trojan horses – programs that
trick users into starting them and then install
malicious software.
n Hybrid viruses are another type of “latest
inventions”. They can act in more than one
way – as an example, an Internet worm may
be able to infect program files.
299
Notes:
Slide 89
n Melissa
q A very famous virus.
q Appearing in March 1999, it spread quickly and
caused massive troubles worldwide. In fact,
Microsoft had to shut down four out of six
incoming mail servers under the strain produced
by Melissa.
300
Notes:
Slide 90
Congratulations!
n You have completed all the sections.
n For the latest product information, please visit
our web sites:
q www.ExamREVIEW.NET
301
Notes:
Excellent public resources
Some of these web resources may have expired at the time you read this
document. If so please do a web search through Yahoo or Googles using the
resource title as the search subject. Good luck.
Know biometrics. Biometrics is an important topic. Check out the various

forms of biometrics technology described in this web page:
http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm . Know their
drawbacks and their impacts.
Other recommended readings (primarily from NIST) include:
April 21, 2006: Draft Special Publication 800-92 Guide to Computer

Security Log Management
Adobe PDF (1,939 KB)

302
Notes:
http://csrc.nist.gov/publications/drafts/DRAFT-SP800-92.pdf
This document provides detailed information on developing, implementing,

and maintaining effective log management practices throughout an enterprise.
It includes guidance on establishing a centralized log management infrastructure,
which includes hardware, software, networks, and media. It also discusses the
log management processes that should be put in place at an organization-wide
level, including the definition of roles and responsibilities, the creation of
feasible logging policies, and the division of responsibilities between system-
level and organization-level administrators. Guidance is also provided on log
management at the individual system level, such as configuring log generating
sources, supporting logging operations, performing log data analysis, and
managing long-term data storage.
August 15, 2005: Draft NIST Special Publication 800-26 Revision 1,

Guide for Information Security Program Assessments and System
Reporting Form
Adobe pdf (1,153 KB)
303
Notes:
http://csrc.nist.gov/publications/drafts/Draft-sp800-26Rev1.pdf
This draft document brings the assessment process up to date with key
standards and guidelines developed by NIST.
May 4, 2006: Draft Special Publication 800-80, Guide for Developing

Performance Metrics for Information Security
Adobe PDF (762 KB)

http://csrc.nist.gov/publications/drafts/draft-sp800-80-ipd.pdf
This guide is intended to assist organizations in developing metrics for an

information security program. The methodology links information security
program performance to agency performance. It leverages agency-level strategic
planning processes and uses security controls from NIST SP 800-53,
Recommended Security Controls for Federal Information Systems, to
characterize security performance.
304
Notes:
April 21, 2006: Draft Special Publication 800-53A, Guide for Assessing the
Security Controls in Federal Information Systems
Adobe PDF (5,487 KB)
http://csrc.nist.gov/publications/drafts/SP800-53A-spd.pdf
The document provides a comprehensive listing of methods and procedures to

assess the effectiveness of security controls in federal information systems.
Assessment procedures have been developed for each security control and
control enhancement in NIST Special Publication 800-53 with the rigor and
intensity of assessments aligned with the impact levels in FIPS 199.
March 13, 2006: Draft Federal Information Processing Standard (FIPS)

186-3 - Digital Signature Standard (DSS)
Adobe PDF (474 KB)

305
Notes:
http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-
3%20_March2006.pdf
The draft defines methods for digital signature generation that can be used for
the protection of messages, and for the verification and validation of those
digital signatures. Three techniques are allowed: DSA, RSA and ECDSA. This
draft includes requirements for obtaining the assurances necessary for valid
digital signatures.
February 3, 2006: Draft Special Publication 800-88: Guidelines for Media

Sanitization
Adobe PDF (526 KB)
http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf
This guide is intended to assist organizations and system owners in making

practical sanitization decisions based on the level of sensitivity of their
information.
306
Notes:
Sample IS Audit Questionnaire
307
Notes:
You may download the latest sample questionnaire via the
web link below:
http://www.examreview.net/IT_Questionnaire.pdf
End of Study Guide
308
Notes:

CISA Certified Information Systems Auditor Module Study Guide

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CISA Certified Information Systems Auditor Module Study Guide

Uploaded by

Copyright:

Available Formats

2009

The Number One Source of Exam and On­the­Job Information

CISA ExamESSENTIALS Guide

STRATEGY ONE : KEYWORD OR KEY PHRASE MATCHING. 21

ACCESS CONTROL MODELS 66

SECTION 1: TOPICS ON SECURITY THEORY 211

You may not decompile, "reverse-engineer", disassemble, or otherwise attempt to derive

Multiple-response: The examinee selects multiple options that best answers

q For international candidates, it takes about two months to receive

q As of 2004 all CISA exams are paper and pencil based.

Our CISA ExamESSENTIALS Guide goes the expert-advice way. Instead of

l many of the objectives are heavily overlapped

l to me, they look confusing

l Access control models.

l The auditing process.

l Protection Policy for Information Assets

l Business Continuity Planning.

Why do we choose these topics? Firstly, according to many recent CISA

I do recommend that you register early. As I remember, there is an early bird

ü Always plan ahead!

ü Always maintain a positive attitude.

ü Prepare systematically using ExamReview materials.

ü Ensure you have enough sleep! Health is essential for maintaining a

ü Arrive at the test center in time to have a margin of safety.

ü Dress yourself in a manner with emphasis on comfort. Always have a coat

Strategy One: Keyword or key phrase matching.

Example: Which of the following would be included in an information security

A. Specifications for planned hardware purchases

B. Analysis of future business objectives

C. Target dates for information security projects

D. Annual budgetary targets for the security department

Strategy Two: Choices grouping.

Example: The MOST important responsibility of an information security

B. promoting security awareness within the organization.

D. administering physical and logical access controls.

· In the context of information security, the term Granularity refers to the

· In the context of information security, the term Granularity refers to the

· In the context of information security, the term Granularity refers to the

· In the context of information security, the term Granularity refers to the

Which statement is the BEST one?

A security stance is a default position on security matters. The 2 primary

i, "Everything not explicitly permitted is forbidden" (default deny). This

ii, "Everything not explicitly forbidden is permitted" (default permit). This

There are two different approaches to security in computing. One focuses

The “untrusted system” approach seeks to enforce the principle of least

From a technical perspective, design with the above mentioned technique

From a broader perspective, an important principle of the Defense in Depth strategy is

To understand the techniques for securing a computer system, it is

l Software flaws such as buffer overflows, are often exploited to gain

l Many development methodologies rely on testing to ensure the quality

NOTE: As a pre-attack activity, footprinting refers to the technique of

l Any data that is transmitted over an IP network is at some risk of being

TCP is supposed to provide guaranteed delivery. Every single TCP

Packet sniffer (another name for protocol analyzer) can be deployed

Wireshark (formerly Ethereal) is a free protocol analyzer you may use

l Even machines that operate as a closed system can be eavesdropped

l Wireless networks are highly hack-able.

NOTE: In the world of WLAN, a BSS refers to a set of wireless stations

WEP is the original encryption standard for WLAN. It uses key

Accidental association could be a form of attack that takes place

Access points exposed to non-filtered traffic can be vulnerable.

l A computer system is no more secure than the human systems

The Number One Source of Exam and OntheJob Information

　 SECTION 1: TOPICS ON SECURITY THEORY 211