CISA
ExamESSENTIALS Ed.
Study Guide
Covering the 2009 Syllabus
©
ExamREVIEW PRO & ExamREVIEW PRESS
2009
All rights reserved. No part of the contents of this book may be reproduced or
transmitted in any form or by any means without the written permission of the
publisher.
Important – Please Read
Due to the variety of fonts installed on the users'
systems, Acrobat may prompt you to download an
additional language component (which is FREE from
Adobe anyway).
If you receive a message saying that a Traditional
Chinese language pack has to be downloaded in order
to load this eBook, please click YES to have Acrobat
download the update. The size of the update is about
7M. Don’t worry, this download is safe.
Table of Contents
END USER LICENSE AGREEMENT 7
EXAM FORMAT 13
ABOUT THIS BOOK 14
EXAM TOPICS 15
EXAM REGISTRATION CONTACTS 19
STUDY PSYCHOLOGY & EXAM TACTICS 20
KEY EXAM STRATEGIES 21
SECURITY THEORIES 25
THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM 27
DEFENSE IN DEPTH 27
VULNERABILITIES 28
SECURITY MEASURES 45
STANDARDS AND GUIDELINES 49
IS ORGANIZATION AND INFORMATION ASSETS PROTECTION 55
THE STAKEHOLDERS 56
THE BOARD 57
THE AUDIT MANAGER 58
AUDIT PERSONNEL 59
IS CONTROLS 61
THE IMPORTANCE OF THE USE OF CONTROLS 61
CLASSIFICATION OF CONTROLS 62
GENERAL CONTROLS VS APPLICATION CONTROLS 63
ACCESS CONTROL AND THE AUDITING PROCESS 66
IT STRATEGIC PLANNING 121
IT STRATEGIC PLANNING DEFINED 121
THE ROLE OF IS AUDITING IN THE PLANNING PROCESS 122
INHOUSE OR OUT SOURCE? 123
AVOIDING CONFLICTS OF INTERESTS 124
PROTECTION OF INFORMATION ASSETS THROUGH SECURITY POLICY 126
INFORMATION ASSETS DEFINED 126
DATA CLASSIFICATIONS AND LAYER OF RESPONSIBILITIES 129
SECURITY POLICY 131
SECURITY MODELS AND MODES OF OPERATIONS 138
EXAMPLE POLICY 141
CONSEQUENCES OF VIOLATIONS 143
EVALUATION 144
ORGANIZATION SPECIFIC CLASSIFICATION SCHEME 145
CHANGE CONTROL 146
BUSINESS CONTINUITY PLANNING 148
DEFINITION 148
BCP VS BPCP VS DRP 149
BCP PHASES 150
STAKEHOLDERS AND CRISIS COMMUNICATIONS 151
THE RISK ASSESSMENT FLOW 153
RISK VS THREAT AND VULNERABILITY 158
IDENTIFYING RISKS 159
LOSS CALCULATIONS 161
BUSINESS IMPACT ANALYSIS DEFINED 164
BIA GOALS AND STEPS 165
BIA CHECKLIST 166
PREPARING FOR EMERGENCY 168
MANAGING RECOVERY 170
TESTING THE PLAN 172
USER ACCEPTANCE 174
PLAN MAINTENANCE 174
INCIDENT HANDLING 177
RISK MANAGEMENT 180
RISK MANAGEMENT DEFINED 181
THE RISK MANAGEMENT STEPS 181
IS AUDITING AND RISK MANAGEMENT 183
RISKBASED AUDITING 184
RISK MANAGEMENT READINGS 185
PROJECT MANAGEMENT 187
PROJECT MANAGEMENT DEFINED 187
PROJECT MANAGEMENT AND AUDIT 188
CHANGE MANAGEMENT 190
CHANGE MANAGEMENT DEFINED 190
CHANGE MANAGEMENT STRATEGIES 192
CHANGE MANAGEMENT VS CHANGE CONTROL VS CONFIGURATION MANAGEMENT 194
CHANGE CONTROL 196
APPLICATION PROGRAM DEVELOPMENT 203
GENERAL GUIDELINES 203
SYSTEM CHANGE CONTROL 204
SOFTWARE DEVELOPMENT PROCESSES AND MODELS 205
BUY VS MAKE: ACQUISITION MANAGEMENT METHODS 208
TECHNICAL READINGS 211
EXCELLENT PUBLIC RESOURCES 302
SAMPLE IS AUDIT QUESTIONNAIRE 307
END OF STUDY GUIDE 308
End User License Agreement
The CISA ExamESSENTIALS Guide (the "Book") is a certification study product provided by
ExamREVIEW Press (including ExamREVIEW.NET and SystemREVIEW.NET, being referred to as
“ExamREVIEW.NET” in this document), subject to your compliance with the terms and conditions set
forth below.
PLEASE READ THIS DOCUMENT CAREFULLY BEFORE ACCESSING OR USING THE BOOK.
BY ACCESSING OR USING THE BOOK, YOU AGREE TO BE BOUND BY THE TERMS AND
CONDITIONS SET FORTH BELOW. IF YOU DO NOT WISH TO BE BOUND BY THESE
TERMS AND CONDITIONS, YOU MAY NOT ACCESS OR USE THE BOOK.
EXAMREVIEW.NET MAY MODIFY THIS AGREEMENT AT ANY TIME, AND SUCH
MODIFICATIONS SHALL BE EFFECTIVE IMMEDIATELY UPON POSTING OF THE
MODIFIED AGREEMENT ON THE CORPORATE SITE OF EXAMREVIEW.NET. YOU AGREE
TO REVIEW THE AGREEMENT PERIODICALLY TO BE AWARE OF SUCH MODIFICATIONS
AND YOUR CONTINUED ACCESS OR USE OF THE BOOK SHALL BE DEEMED YOUR
CONCLUSIVE ACCEPTANCE OF THE MODIFIED AGREEMENT.
1. Copyright and Licenses.
License Grant
This Agreement entitles you to install and use one copy of the Book. In addition, you
may make one archival copy of the Book. The archival copy must be on a storage
medium other than a hard drive, and may only be used for the reinstallation of the Book.
This Agreement does not permit the installation or use of multiple copies of the Book,
or the installation of the Book on more than one computer at any given time, on a
system that allows shared use of applications, on a multi-user network, or on any
configuration or system of computers that allows multiple users. Multiple copy use or
installation is only allowed if you obtain an appropriate licensing agreement for each user
and each copy of the Book. For further information regarding multiple-copy licensing
of the Book, please contact: michael@ExamREVIEW.NET
Restrictions on Transfer
Without first obtaining the express written consent of ExamREVIEW.NET, you may
not assign your rights and obligations under this Agreement, or redistribute, encumber,
sell, rent, lease, sublicense, or otherwise transfer your rights to the Book.
Restrictions on Use
You may not use, copy, or install the Book on any system with more than one computer,
or permit the use, copying, or installation of the Book by more than one user or on more
than one computer. If you hold multiple, validly licensed copies, you may not use, copy,
or install the Book on any system with more than the number of computers permitted
by license, or permit the use, copying, or installation by more users, or on more
computers than the number permitted by license.
Restrictions on Alteration
You may not modify the Book or create any derivative work of the Book or its
accompanying documentation. Derivative works include but are not limited to
translations. You may not alter any files or libraries in any portion of the Book. You
may not reproduce the database portion or create any tables or reports relating to the
database portion.
Restrictions on Copying
You may not copy any part of the Book except to the extent that licensed use inherently
demands the creation of a temporary copy stored in computer memory and not
permanently affixed on storage medium. You may make one archival copy which must
be stored on a medium other than a computer hard drive.
TRADEMARKS.
CISA ExamESSENTIALS Guide /or any other names of ExamREVIEW.NET or its publications,
products, content or services referenced herein or on the Book are the exclusive trademarks or
servicemarks of ExamREVIEW.NET. Other product and company names mentioned in the Book may
be the trademarks of their respective owners.
2. Use of the Book.
You understand that, except for information, products or services clearly identified as being supplied
by ExamREVIEW.NET, ExamREVIEW.NET does not operate, control or endorse any information,
products or services on the Internet in any way. Except for ExamREVIEW.NET explicitly identified
information, products or services, all information, products and services offered through the Book or
on the Internet generally are offered by third parties, that are not affiliated with ExamREVIEW.NET.
YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE BOOK AND
THE INTERNET. EXAMREVIEW.NET PROVIDES THE BOOK AND RELATED
INFORMATION "AS IS" AND DOES NOT MAKE ANY EXPRESS OR IMPLIED WARRANTIES,
REPRESENTATIONS OR ENDORSEMENTS WHATSOEVER (INCLUDING WITHOUT
LIMITATION WARRANTIES OF TITLE OR NONINFRINGEMENT, OR THE IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE) WITH
REGARD TO THE BOOK, ANY INFORMATION OR SERVICE PROVIDED THROUGH THE
BOOK, AND EXAMREVIEW.NET SHALL NOT BE LIABLE FOR ANY COST OR DAMAGE
ARISING EITHER DIRECTLY OR INDIRECTLY FROM ANY SUCH. IT IS SOLELY YOUR
RESPONSIBILITY TO EVALUATE THE ACCURACY, COMPLETENESS AND USEFULNESS
OF ALL OPINIONS, ADVICE, AND OTHER INFORMATION PROVIDED THROUGH THE
BOOK.
LIMITATION OF LIABILITY
IN NO EVENT WILL EXAMREVIEW.NET BE LIABLE FOR (I) ANY INCIDENTAL,
CONSEQUENTIAL, OR INDIRECT DAMAGES (INCLUDING, BUT NOT LIMITED TO,
DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR
INFORMATION, AND THE LIKE) ARISING OUT OF THE USE OF OR INABILITY TO USE
THE BOOK. EVEN IF EXAMREVIEW.NET OR ITS AUTHORIZED REPRESENTATIVES HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR (II) ANY CLAIM
ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN THE BOOK.
BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION
MAY NOT APPLY TO YOU. IN SUCH STATES, EXAMREVIEW.NET LIABILITY IS LIMITED
TO THE GREATEST EXTENT PERMITTED BY LAW.
ExamREVIEW.NET makes no representations whatsoever about any other web sites which are
referenced in the Book. When you access a non-ExamREVIEW.NET web site, please understand that it
is independent from ExamREVIEW.NET, and that ExamREVIEW.NET has no control over the
content on that web site. In addition, a link to a ExamREVIEW.NET web site does not mean that
ExamREVIEW.NET endorses or accepts any responsibility for the content, or the use, of such web site.
3. Indemnification.
You agree to indemnify, defend and hold harmless ExamREVIEW.NET, its officers, directors,
employees, agents, licensors, suppliers and any third party information providers to the Book from and
against all losses, expenses, damages and costs, including reasonable attorneys' fees, resulting from
any violation of this Agreement (including negligent or wrongful conduct) by you or any other person
using the Book.
4. Third Party Rights.
The provisions of paragraphs 2 (Use of the Book), and 3 (Indemnification) are for the benefit of
ExamREVIEW.NET and its officers, directors, employees, agents, licensors, suppliers, and any third
party information providers to the Book. Each of these individuals or entities shall have the right to
assert and enforce those provisions directly against you on its own behalf.
5. Termination.
This Agreement may be terminated by either party without notice at any time for any reason. The
provisions of paragraphs 1 (Copyright, Licenses and Idea Submissions), 2 (Use of the Book), 3
(Indemnification), 4 (Third Party Rights) and 6 (Miscellaneous) shall survive any termination of this
Agreement.
6. Miscellaneous.
This Agreement shall all be governed and construed in accordance with the laws of Hong Kong
applicable to agreements made and to be performed in Hong Kong. You agree that any legal action or
proceeding between ExamREVIEW.NET and you for any purpose concerning this Agreement or the
parties' obligations hereunder shall be brought exclusively in a court of competent jurisdiction sitting
in Hong Kong. Any cause of action or claim you may have with respect to the Book must be
commenced within one (1) year after the claim or cause of action arises or such claim or cause of
action is barred. ExamREVIEW.NET's failure to insist upon or enforce strict performance of any
provision of this Agreement shall not be construed as a waiver of any provision or right. Neither the
course of conduct between the parties nor trade practice shall act to modify any provision of this
Agreement. ExamREVIEW.NET may assign its rights and duties under this Agreement to any party at
any time without notice to you.
Any rights not expressly granted herein are reserved.
Every effort has been made to ensure the accuracy of this book. If you have
comments, questions, or ideas regarding this book, please let us know by
emailing to this address: michael@ExamREVIEW.NET
This electronic book was originally created as a print book. For simplicity, the
electronic version of this book has been modified as little as possible from its
original form.
Exam Format
The following question formats are used in the CISA exams:
Text Based Multiple-choice: The examinee selects one option that best
answers the question or completes a statement.
Sample Directions (Scenario): Read the statement or question and from the
response options, select only the option(s) that represent the BEST possible
answer(s).
There are no fill in the blank questions. There are no graphical questions.
You will mostly be asked to pick one choice as the answer. However, some
questions will require you to pick multiple items – something like “i and ii”, “i,
iii & v” …etc.
About this book
The CISA exam has a lot of questions that ask for your "best decisions" - of the
hundreds of questions you will encounter in the exam, a significant portion
requires that you pick the best possible options. These best options are
often based on expert advice and best practices not found in the standard
exam text books.
If you are looking for the hard facts, visit the following ISACA link:
http://www.isaca.org/TemplateRedirect.cfm?Template=/ContentManagement/ContentDisplay.cfm&ContentID=15262
* In case this link no longer works, refer to the Standards section of ISACA’s
web site.
This is the place where most “official” IS auditing standards and guidelines are
listed. In the exam you will encounter certain questions that test your
memorization skills – you will have to get these hard facts “fully loaded” into
your memory. We believe that the official published material is the best source
of information in this regard.
Our guide focuses on the best business practice and expert advice side
of the exam.
Exam Topics
The official exam objectives can be found from the CISA exam page:
http://www.isaca.org/cisaexam
I personally do not recommend that you spend too much time on these
objectives. The reasons are:
• many of them simply require nothing but basic common sense – you will
be able to answer the corresponding questions easily anyway
• the list is way too detailed – if you go through them one by one, it will take
you a year or so to finish
Instead, I prefer to focus on the following areas (because they often involve
topics that do not have fixed answers but instead require the “best possible”
options):
• IT strategic planning.
• Risk management.
• Project management.
• Change management.
Most candidates fail the exam because they focus too much on the IT side of
the exam, with little or no preparation in the auditing-related disciplines.
Remember, a large number of CISA exam candidates are from the
accounting profession, where business auditing is a major daily duty.
The exam is about 40% TECHNOLOGY and 60% BUSINESS
PRACTICE.
Tech gurus do not really have an edge because neither in-depth nor advanced
technologies are tested here. Instead, the "practical business people" with
sufficient technology knowledge rule.
The tech questions are easy because they are (and are bound to be)
straightforward. The business practice related questions are difficult
because business rationales are never straightforward – too many factors
come into play, making every scenario highly complicated.
And remember, technology does not mean IT technology alone. It also means
physical security technology as well as biometrics, and much more. As of the
time of this writing the state of biometrics technology is very sophisticated and
accurate, but highly expensive. Other potential barriers include user
acceptance, enrollment time and throughput. Still, it is gaining ground,
especially in environments where security is CRITICAL.
Take a look at the security measures your company has implemented and
critically assess their features and effectiveness. This will help.
!!! Biometrics is an important topic. Check out the various forms of biometrics
technology described in this web page:
http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm
Exam Registration Contacts
The CISA exam is offered throughout the world twice a year (in June and in
December). The best way to register for the exam is to request for the exam
bulletin from the ISACA Certification Department via email at
certification@isaca.org or by phone at +1.847.253.1545.
Study Psychology & Exam Tactics
✓ Read the exam instructions carefully before answering the first question.
Key exam strategies
To be successful in the CISA exam, you must know how the questions are
structured. The official line is that the CISA examination will require
candidates to answer questions and to make judgments based on the
information learned in courses and on their own professional experience.
Based on our experience, however, tackling CISA questions involves several
major strategies:
The key phrase here is "strategic plan". As we all know, a strategic plan is a very
high-level thing. Look at the choices: only choice B has a high-level element,
which is "business objective". Therefore, B is the correct answer.
When you try to classify or group the choices, you will find that choices B, C and
D can be classified into one group – a group of implementation activities.
Choice A, on the other hand, takes place way before the implementation phase.
Therefore, choice A is the answer.
Strategy Three: Think tricky.
You need to know how to pick the BEST answer out of several technically
possible answers. To do this you need to think tricky – the questions are always
written with trickiness in mind (believe me, this is exactly the case with most
ISACA exam questions).
As an example, you are asked to evaluate the following statements:
To pick the BEST choice, you must keep in mind that granularity is a term
which can be applied to a multitude of uses within the context of IT security.
It can be for packet filtering, and it can also be for user access. The last
statement says "access control system" without specifying its exact type. It is
therefore representative of almost all possible types of access control system.
You know what, this is exactly the type of answer expected. Kinda tricky, isn't it?
Security Theories
A proper balance of security risks is needed for implementing practical
computing systems.
The 'trusted systems' approach has been predominant in the design of many
earlier software products, due to the long-standing emphasis on functionality
and 'ease of use' over security.
The computer system itself as largely an untrusted system
Defense in depth
A typical defense in depth approach divides the key security elements into
layers for creating a cohesive defense strategy. To ensure effective IT
security, you must design, implement, and manage IT security controls for
each layer of this layered model. As an example: you may divide your
controls into the layers of network, hardware, software, and data.
In any case, security should not be viewed as an all-or-nothing issue. The
designers and operators of systems should assume that security breaches are
inevitable in the long term, and that full audit trails should be kept of system
activity so that when a security breach occurs, the mechanism and extent of
the breach can be determined. In fact, storing audit trails remotely, where
they can only be appended to, can keep intruders from covering their tracks.
Vulnerabilities
• You may think of a salami attack as a concept that can be applied to
scenarios with and without relation to computing. In general, a salami
attack is said to have taken place when tiny amounts of assets are
systematically acquired from a very large number of sources. Since the
process takes place below the threshold of perception and detection, an
ongoing accumulation of assets bit by bit is made possible. An example:
the digits representing currency on a financial institution’s computer
could be modified in such a way that values to the right of the pennies
field are automatically rounded down. The salami concept can also apply to
information gathering - aggregating small amounts of information from
many sources in an attempt to derive an overall picture of an
organization.
• Bribes and extortion can occur! With promises or threats that cause
your staff to violate their trust, information security can be at risk big
time! This is more of an HR issue, but still you need to think of ways to
safeguard security assuming bribery is not entirely impossible.
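The rounding-down example above is easiest to appreciate with a worked check. The Python below is an added example, not code from this guide: it models an interest-posting routine that always rounds down to the cent (the shaved fraction being the "salami"), and then runs the recomputation an auditor would perform against the institution's stated rounding rule. The account numbers, balances, the 3.5% rate, the 30-day period and the per-item alert threshold are all constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")
DAYS_IN_YEAR = Decimal(365)


def exact_interest(principal, annual_rate, days: int) -> Decimal:
    """Unrounded simple interest for the period (constructed formula for the example).
    Arguments may be Decimal, int or numeric strings."""
    return Decimal(str(principal)) * Decimal(str(annual_rate)) * Decimal(days) / DAYS_IN_YEAR


def expected_posting(principal, annual_rate, days: int) -> Decimal:
    """What the institution's stated rule should post: exact value rounded half-up to the cent."""
    return exact_interest(principal, annual_rate, days).quantize(CENT, rounding=ROUND_HALF_UP)


def salami_posting(principal, annual_rate, days: int) -> Decimal:
    """Model of a tampered routine: it always rounds DOWN, so the shaved fraction of a
    cent can be diverted elsewhere. Per account the shortfall is at most one cent."""
    return exact_interest(principal, annual_rate, days).quantize(CENT, rounding=ROUND_DOWN)


def build_postings(n: int = 10000, tampered: bool = True):
    """Constructed sample ledger: n accounts, 30 days of interest at 3.5%."""
    rate = Decimal("0.035")
    post = salami_posting if tampered else expected_posting
    ledger = []
    for i in range(n):
        principal = Decimal(1000 + (i * 37) % 9000)  # spreads balances over 1000..9999
        ledger.append((f"ACCT{i:05d}", principal, rate, 30, post(principal, rate, 30)))
    return ledger


def audit_postings(postings, per_item_alert: Decimal = Decimal("1.00")):
    """Recompute every posting against the stated rounding rule.

    Returns (items_over_threshold, total_shortfall). A per-item threshold is the
    control most shops already have; only the aggregate reveals a salami scheme."""
    flagged = 0
    total = Decimal("0.00")
    for _account, principal, rate, days, posted in postings:
        shortfall = expected_posting(principal, rate, days) - posted
        total += shortfall
        if abs(shortfall) >= per_item_alert:
            flagged += 1
    return flagged, total


if __name__ == "__main__":
    flagged, total = audit_postings(build_postings())
    print(f"items over per-item threshold: {flagged}, aggregate shortfall: {total}")
```

Run against the tampered ledger, no single posting ever crosses the one-dollar per-item alert, yet the aggregate shortfall across ten thousand accounts comes to tens of dollars per month; the honest ledger reconciles to zero. That is the audit lesson: a control on individual transactions cannot catch this, so recompute and reconcile totals.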
NOTE: Buffer overflow (buffer overrun) is, strictly speaking, a programming
error which may result in a memory access exception - that is, a
process attempts to store data beyond the fixed boundaries of a
buffer area. With careless programming, this kind of access attempt
can be triggered deliberately by ill-intentioned code. Stack-based buffer overflows
and heap-based buffer overflows are the two common types of attack of
this nature. Techniques such as static code analysis can help
prevent such attacks. You should also always opt for the use of
safe libraries.
packets that pass-by instead.
NOTE: The OSI model is a layered model which gives an abstract description
for network protocol design. It is a seven-layer model, and IP runs at
layer 3, even though the TCP/IP suite itself has its own four-layer
structure. TCP runs at OSI layer 4, on top of IP, to
provide a connection-oriented service between the sender and the
recipient.
You can perceive ports as the actual endpoints of every TCP
connection. Examples of well-known ports include HTTP port 80, SSL
port 443 and others.
ICMP is quite special. It runs at the IP layer, mostly for sending one-
way informational messages to a networked host. "ping" is a utility
which uses ICMP.
The four TCP areas that hackers usually look at to determine the
operating system are TTL (the Time To Live on the
outbound packet), window size, DF (the Don't Fragment bit) and
TOS (the Type of Service). By analyzing these and comparing them
with a database of signatures there is a chance you can tell what the
remote operating system is.
• Non-IP based networks are also highly hackable. Sniffing was pretty
common on Ethernet (and also on IP networks).
launching a network attack.
neighboring and overlapping network. Sometimes this can happen
accidentally - that is, the user has no intent to crack into the
overlapping network at all.
You should always have your access points arranged in such a way
that radio coverage is available only to your desired area. A wireless
signal that "spills" outside of your desired area could be sniffed.
To further secure your WLAN you should always change the default
SSID, as most hackers know the default names of most equipment.
Avoid using a dictionary word to form your SSID. Use something hard
to guess.
NOTE: In a web infrastructure you have a router, a firewall and a web server.
The web server serves requests through ports 80 and 443 (SSL). Different
servers work slightly differently, and thus have different vulnerabilities.
Scanning tools may probe the active ports and use the responses
to identify the target servers and carry out possible attacks. This is
especially true for web server software that has many ports open
beyond the required ones.
Another problem is that IIS uses a few built-in default accounts that
are weakly protected. You should change the defaults - change the
account names and the passwords whenever possible. Close all
unnecessary ports too.
Another vulnerability on Windows is the inter-process
communication (IPC) mechanism, which allows one
process to communicate with another. This can take place between
different computers connected through a network, which is
why it can be bad - real bad.
• Many computer manufacturers used to preinstall backdoors on their
systems to provide technical support for customers. With the existence
of backdoors, it is possible to bypass normal authentication while
remaining hidden from casual inspection. The backdoor may take
the form of an installed program, or of an existing
"legitimate" program or executable file.
NOTE: "rootkit" originally described recompiled Unix tools that would
hide any trace of the intruder. You can say that the only purpose of a
rootkit is to hide evidence from system administrators so that there is no
way to detect malicious privileged access attempts.
NOTE: In a common type of Trojan horse, a legitimate program has
been corrupted with malicious code which runs when the
program is used. The key is that the user has to invoke the program
in order to trigger the malicious code. In other words, a Trojan horse
simply cannot operate autonomously. You would also want to know
that most but not all Trojan horse payloads are harmful - a few of
them are harmless. Most Trojan horse programs are spread through e-
mails. Some earlier Trojan horse programs were bundled in "Root
Kits". For example, the Linux Root Kit version 3 (lrk3), which was
released in December 96, had tcp wrapper trojans included and
enhanced in the kit.
NOTE: The majority of malware and viruses exploit known vulnerabilities in
popular OSes. They typically come out within days after a vulnerability
is announced. One way to protect your computers against these
threats is to keep your OS and software security updates as current as
possible by applying service packs, patches and hot fixes.
• The best-known types of malware are viruses and worms, which are
known for the manner in which they spread, rather than any other
particular behavior. Originally, the term computer virus was used for a
program which infected other executable software, while a worm
transmitted itself over a network to infect computers. More recently,
the words are often used interchangeably.
the payload of these viruses is a metamorphic engine.
though the likelihood of actually achieving this in large-scale practical
systems is regarded as unlikely in the extreme by most with practical
experience in the industry. In practice, only a small fraction of computer
program code is mathematically proven, or even goes through
comprehensive information technology audits or inexpensive but extremely
valuable computer security audits.
• Does your organization have a policy that clearly states when
information is to be encrypted?
Technically speaking, all Social Engineering techniques are based on flaws
in human logic known as cognitive biases. These bias flaws are used in
various combinations to create attack techniques. For example, pretexting is
the act of creating and using an invented scenario (the pretext) to persuade a
target to release information or perform an action and is usually done over
the telephone. It's more than a simple lie as it most often involves some
prior research or set up and the use of pieces of known information to
establish legitimacy in the mind of the target. Phishing, on the other hand,
applies to email appearing to come from a legitimate business requesting
"verification" of information and warning of some dire consequence if it is
not done. Sadly, social engineering and direct computer access attacks can
only be effectively prevented by non-computer means, which can be
difficult to enforce, relative to the sensitivity of the information. Social
engineering attacks in particular are very difficult to foresee and prevent.
Remember, in the real world the most security comes from operating
systems where security is not an add-on but a built-in (such as the IBM
OS/400).
Security measures
Prevention:
User account access controls and cryptography can protect systems files and
data, respectively. Firewalls are by far the most common prevention systems
from a network security perspective as they can shield access to internal
network services, and block certain kinds of attacks through packet filtering.
NOTE: IPsec is different from SSL in that it runs at layer 3, so it can protect
both TCP and UDP traffic. SSL operates from the transport layer up
so less flexibility can be offered. The goal of SSL is to provide
endpoint authentication as well as communications privacy via
cryptography.
cryptography, a good hash function allows for "one-way" operation,
meaning there is practically no way to recover the input data from the hash value.
SHA is one example. It has several variants: SHA-1, SHA-
224, SHA-256, SHA-384 and SHA-512. They are designed by the
NSA and published through NIST. MD5 is another example. It produces
a 128-bit hash value, typically written as a 32-character
hex number.
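As an added example (not code from this guide), the Python below ties this hash note to the earlier Defense in depth point that audit trails should be stored remotely where they can only be appended to. Each log entry carries the SHA-256 of the previous entry, and the verifier keeps the latest digest off the host, so both an edit to an earlier line and the deletion of the newest lines are detected. The log lines, the hostnames and addresses in them, and the AppendOnlyLog class are constructed for the example; digest_hex_lengths() only confirms the sizes quoted above (MD5 as 32 hex characters).

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor: the "previous hash" of the very first entry

# Constructed sample audit records for the example; not from any real system.
SAMPLE_EVENTS = [
    "2009-03-01T10:00:01Z sshd: accepted password for alice from 10.0.0.5",
    "2009-03-01T10:02:13Z sudo: alice ran /usr/bin/vi /etc/passwd",
    "2009-03-01T10:02:40Z useradd: account 'svc-backup' created by alice",
]


def entry_hash(prev_hash: str, seq: int, record: str) -> str:
    """SHA-256 over a canonical encoding of (previous hash, sequence number, record)."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AppendOnlyLog:
    """Hypothetical remote collector: entries can be added, never rewritten in place."""

    def __init__(self):
        self.entries = []

    def append(self, record: str) -> str:
        prev = self.head()
        seq = len(self.entries)
        digest = entry_hash(prev, seq, record)
        self.entries.append({"seq": seq, "prev": prev, "record": record, "hash": digest})
        return digest

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Walk the chain. Returns (True, None) if intact, else (False, index of first bad
        entry). With expected_head (a digest the verifier kept elsewhere) a chopped-off
        tail is caught as well, reported at index len(entries)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["seq"] != i or entry_hash(prev, i, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def digest_hex_lengths():
    """Hex-digest sizes of the functions named in the note (MD5: 128 bits = 32 hex chars)."""
    names = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")
    return {n: len(getattr(hashlib, n)(b"").hexdigest()) for n in names}


def demo():
    """Three checks: a clean chain, an edited earlier entry, and a deleted newest entry."""
    log = AppendOnlyLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    head = log.head()                     # verifier's off-host copy of the latest digest
    clean = log.verify(head)
    # Someone rewrites the record that showed /etc/passwd being edited.
    log.entries[1]["record"] = "2009-03-01T10:02:13Z sudo: alice ran /usr/bin/vi /tmp/notes"
    edited = log.verify(head)
    log.entries[1]["record"] = SAMPLE_EVENTS[1]   # restore it, then drop the newest line
    log.entries.pop()
    truncated = log.verify(head)          # links still check out, but the head no longer matches
    return clean, edited, truncated


if __name__ == "__main__":
    print(demo())
    print(digest_hex_lengths())
```

Note the two properties at work: the one-way hash means a rewritten record cannot be made to match its stored digest without recomputing every later link, and keeping the head digest with the verifier rather than on the collector is what turns "append-only" from a policy into something checkable, since a truncated chain still verifies internally.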
Detection:
Intrusion Detection Systems are designed to detect network attacks in
progress and assist in post-attack forensics, while audit trails and logs serve
a similar function for individual systems.
NOTE: A typical IDS has a few components, such as sensors which detect
and generate security events, a console interface for you to monitor
events and alerts and manage the setup, and an engine which
records and analyzes the logged events. These components work
together so that a suspected intrusion may be evaluated and
signaled (through an alert or an alarm). One may, however, flood an
IDS with so much traffic that the IDS is too busy keeping
up with the pace.
Response:
"Response" is necessarily defined by the assessed security requirements of
an individual system and may cover the range from simple upgrade of
protections to notification of legal authorities, counter-attacks, and the like.
• Does your organization have an IDS? If so, who defines the IDS
knowledge base?
• Do you have any established session control practices in place?
Apart from guidelines published by ISACA, you may also refer to the SoGP.
The Standard of Good Practice (SoGP) is a detailed documentation of best
practices for information security. It is published and revised every two years by the
Information Security Forum (ISF), an international best-practices organization.
The Standard is developed from research based on the actual practices of and
incidents experienced by major organizations. Its relatively frequent update
cycle of two years also allows it to keep up with technological developments
and emerging threats. In fact, the Standard is used as the default governing
document for information security behavior by many major organizations, by
itself or in conjunction with other standards such as ISO 17799 or COBIT.
One of the most widely used security standards today is ISO 17799, which
started in 1995. This standard consists of two basic parts, BS 7799 Part 1 and
BS 7799 Part 2, both of which were created by the British Standards Institute (BSI).
Recently this standard has become ISO 27001. The National Institute of
Standards and Technology (NIST) has released several special papers
addressing cyber security. Three of these special papers are very relevant to
cyber security: 800-12, titled “Computer Security Handbook”; 800-14, titled
“Generally Accepted Principles and Practices for Securing Information
Technology”; and 800-26, titled “Security Self-Assessment Guide for
Information Technology Systems”.
The Sarbanes–Oxley Act of 2002 (commonly called SOX or SarBox) is a United
States federal law passed in response to a number of major corporate and
accounting scandals. One major provision of the act is the creation of the
Public Company Accounting Oversight Board (PCAOB). The PCAOB
suggests considering the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) framework (which will be addressed later) in
management/auditor assessment of controls. Auditors have also looked to the
IT Governance Institute's "COBIT: Control Objectives of Information and
Related Technology" for more appropriate standards of measure. Since the
financial reporting processes of most organizations are driven by IT systems, it
is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing
Standard 2" states:
Chief information officers are responsible for the security, accuracy and the
reliability of the systems that manage and report the financial data. IT systems
are deeply integrated in the initiating, authorizing, processing, and reporting of
financial data. As such, they are inextricably linked to the overall financial
reporting process and would therefore have to be assessed, along with other
important processes, for compliance with the Sarbanes-Oxley Act.
The SEC identifies the COSO framework by name as a methodology for
achieving compliance. The COSO framework defines five areas, which when
implemented, can help support the requirements as set forth in the Sarbanes-
Oxley legislation. These five areas and their impacts for the IT Department are
Risk Assessment, Control Environment, Control Activities, Monitoring, and
Information & Communication.
non-military government agencies and their contractors. FIPS 46 in particular
specifies the Data Encryption Standard (DES), while FIPS 140 covers security
requirements for cryptographic modules.
ISO 27001 sets out the requirements for information security management
systems. On the other hand, ISO 27002 offers a code of practice for
information security management.
British Standard 7799 Part 3 provides guidelines for information security risk
management. COBIT links IT initiatives to business requirements, organises IT
activities into a generally accepted process model, identifies the major IT
resources to be leveraged and defines the management control objectives to be
considered. ITIL (or ISO/IEC 20000 series) focuses on the service processes
of IT and considers the central role of the user.
Information Technology Security Evaluation Criteria (ITSEC) was the first single
standard for evaluating the security attributes of computer systems adopted by
the countries of Europe.
IS Organization and Information Assets Protection
The stakeholders
- Security committee
- Data owners
- Process owners
- IT developers
- Security specialists
- Auditors
- Users
The board
The board of directors and senior management are responsible for ensuring
that the organization's system of internal controls is operating effectively. An
“audit committee” should be appointed to oversee audit functions and to
report on audit matters periodically to the board. FYI, in order to comply with
the Sarbanes-Oxley Act of 2002, public stock-issuing institutions are required to
appoint outside directors as audit committee members. On the other hand, all
members of a stock-issuing institution’s audit committee must be members of
the board of directors and be independent.
The ability of the audit function to achieve desired objectives depends largely
on the independence of audit personnel. This is especially true if the auditors
are internal auditors rather than outside auditors.
The board of directors should ensure that written guidelines for conducting IT
audits have been adopted, and should assign responsibility for the internal audit
function (IT audit is commonly conducted in-house by the internal audit
function) to a member of management who has sufficient audit expertise and is
independent of the other business operations of the organization. In general,
the position of the auditor within the organizational structure, the reporting
authority for audit results, and the auditor’s responsibilities should indicate the
degree of auditor independence within the organization. The board should do
its best to ensure that the audit department does not participate in activities that
may compromise, or appear to compromise, its independence. These activities
may include preparing reports or records, developing procedures, or
performing other operational duties normally reviewed by auditors. Keep in
mind, the auditor’s independence may also be determined by analyzing the
reporting process and verifying that management does not interfere with the
candor of the findings and recommendations.
objectives, resource requirements, audit timeframe, and resulting reports. Expect
a bunch of meetings, coordination, collaboration, and conflicts between the outside guys and the
insiders.
Audit personnel
The auditors, whether internal or external, should in any case be granted the
authority to access records and staff necessary to perform auditing and
reporting. In fact, for any audit effort to be successful, a reporting line MUST
be identified to the highest level of the organization. The auditor's right of
access to information must be clearly identified early in the process.
Management should be required to respond formally, and in a timely manner,
to significant adverse audit findings by taking appropriate corrective action. The
auditors in turn should discuss their findings and recommendations periodically
with the audit committee.
root cause of deficiencies (they don't have to be CISA certified - although
certification is a "plus").
IS Controls
There are many ways to classify controls. From an IS perspective, some say
they may be generally classified as physical, technical, or administrative in nature.
Some say that they can be further classified as either preventive or detective.
Three other types of controls, namely deterrent, corrective, and recovery, may
further supplement such classification.
Classification of controls
remedy the circumstances that allowed the unauthorized activity and return
conditions to what they were before the violation.
From a broader perspective, you can view controls as either General Controls
or Application Controls. General controls are about the overall information-
processing environment. They include:
Application controls, on the other hand, cover the processing of individual
applications and help ensure the completeness and accuracy of transaction
processing, authorization, and validity. They typically include:
- Data Capture Controls to ensure that all transactions are properly recorded
in the application system
- Data Validation Controls to ensure that all transactions are properly valued.
Keep in mind that different types of network model often require the use of
different combinations of controls. You must have basic foundation knowledge
of networking in order to pick the correct answers. Know LAN networking
and WAN networking. Know distributed computing and client server
computing. Know server computing and thin client computing. Don’t attempt
to take the exam until you are completely familiar with these basic concepts.
Access Control and the Auditing Process
Access control protects your systems and resources from unauthorized access.
An access control model is a framework that dictates how subjects access
objects. The most popular models are: mandatory access control, discretionary
access control and role-based access control. Even though these models are
often associated with IT technology, try to think of them as security
management principles – they can be applied to disciplines other than IT.
established policy may be characterized as discretionary controls (or need-to-
know controls).
With the Discretionary model, the creator of a file is the ‘owner’ and can grant
ownership to others. Access control is at the discretion of the owner. The most
common implementation is through access control lists. Discretionary access
control is required for the Orange Book “C” Level.
Mandatory controls are prohibitive and permissive. With the Mandatory model,
control is based on security labels and categories. Access decisions are based on
the clearance level of the user and the classification of the object. Rules are made
by management, configured by the administrators and enforced by the operating
system. Mandatory access control is required for the Orange Book “B” Level.
With the Role-Based model, access rights are assigned to roles – not directly to
users. Roles are usually more tightly controlled than groups - a user can only have
one role.
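As an added illustration (not code from the study guide), the following Python models the three access decisions just described: an owner-controlled ACL for the Discretionary model, a label comparison for the Mandatory model, and single-role assignment for the Role-Based model. The level names, roles, permissions, subjects and objects are all constructed for the example.

```python
from dataclasses import dataclass, field


# --- Discretionary access control: the owner decides, via an ACL -----------
@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of permissions

    def grant(self, granter, subject, perms):
        # Only the current owner may change the ACL.
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own {self.name}")
        self.acl.setdefault(subject, set()).update(perms)

    def transfer_ownership(self, granter, new_owner):
        # The owner may also hand ownership to someone else.
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own {self.name}")
        self.owner = new_owner


def dac_allowed(obj, subject, perm):
    """Owner has full control; everyone else needs an ACL entry."""
    return subject == obj.owner or perm in obj.acl.get(subject, set())


# --- Mandatory access control: labels set by management, enforced centrally -
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_read_allowed(user_clearance, user_categories, obj_label, obj_categories):
    """Read is allowed only if the user's clearance dominates the object's
    classification and the user holds every category (compartment) on the
    object. Neither the user nor the object's owner can override the labels."""
    return (LEVELS[user_clearance] >= LEVELS[obj_label]
            and set(obj_categories) <= set(user_categories))


# --- Role-based access control: rights attach to roles, one role per user --
ROLE_PERMISSIONS = {                        # constructed roles and rights
    "teller":  {"read:account", "post:deposit"},
    "auditor": {"read:account", "read:audit_log"},
    "admin":   {"read:account", "post:deposit", "manage:users"},
}


class Rbac:
    def __init__(self):
        self.user_role = {}

    def assign(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        # The text's constraint: exactly one role per user, so a new
        # assignment replaces the old one instead of accumulating rights.
        self.user_role[user] = role

    def allowed(self, user, perm):
        role = self.user_role.get(user)
        return role is not None and perm in ROLE_PERMISSIONS[role]


def demo():
    """Exercise all three models on constructed subjects and objects."""
    r = {}
    payroll = DacObject("payroll.xls", owner="alice")
    payroll.grant("alice", "bob", {"read"})
    r["dac_bob_read"] = dac_allowed(payroll, "bob", "read")        # True
    r["dac_bob_write"] = dac_allowed(payroll, "bob", "write")      # False
    try:                                             # a non-owner cannot grant
        payroll.grant("bob", "bob", {"write"})
        r["dac_nonowner_grant_denied"] = False
    except PermissionError:
        r["dac_nonowner_grant_denied"] = True
    r["mac_secret_reads_confidential"] = mac_read_allowed(
        "SECRET", ["FIN"], "CONFIDENTIAL", ["FIN"])                # True
    r["mac_confidential_reads_secret"] = mac_read_allowed(
        "CONFIDENTIAL", ["FIN"], "SECRET", ["FIN"])                # False
    r["mac_missing_category"] = mac_read_allowed(
        "TOP SECRET", [], "SECRET", ["FIN"])                       # False
    rbac = Rbac()
    rbac.assign("carol", "teller")
    rbac.assign("carol", "auditor")          # replaces teller, is not added
    r["rbac_carol_deposit"] = rbac.allowed("carol", "post:deposit")      # False
    r["rbac_carol_audit_log"] = rbac.allowed("carol", "read:audit_log")  # True
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```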
ACLs VERSUS Capabilities
What is Orange Book, by the way?
D - Minimal Protection - Any system that does not comply with any other
category, or has failed to receive a higher classification.
Types of Access Control
- Identification
- Authentication
- Authorization
- Accountability
The three “As” are often referred to as the AAA concept. The general
types of authentication are:
Authentication is the first line of defense. Questions you may ask here:
- Does your system use a password cracker to identify nonsecure passwords?
Authorization determines if you can carry out the requested actions. Access
criteria types include, but are not limited to:
- Roles
- Groups
- Time of day
- Transaction type
- etc.
A common practice is to have all access criteria default to “no access” at the
very beginning, although this may not always be true in modern operating
systems, for usability’s sake (for example, in earlier Windows versions Everyone
had Full Control by default).
Authentication deals with how one’s user account is established. There are also
issues dealing with how such accounts should be handled and protected (i.e. user
account management). Some questions you may ask include:
Establishing Accountability through event logging
- System startup
- System shutdown
- Hardware failures
- Account disabled
You need to know the fundamentals of auditing – not just IS auditing, but
auditing in general.
Most CISA study text books in the market fail to give a complete and clear
picture of the auditing process as a whole. We will fill this gap here.
At the end of this e-book there is a sample IS Audit Questionnaire. Go
through that Questionnaire and you will understand exactly what an IS audit
is expected to accomplish.
Note that several information technology audit related laws and regulations
have been introduced since 1977. These include the Gramm Leach Bliley Act,
the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability
Act, the London Stock Exchange Combined Code, King II, and the Foreign
Corrupt Practices Act. You are expected to understand what they are for.
What is auditing, by the way?
“An audit is a management instrument which can identify the improvement potential of
business processes (process audit) or of the management system as a whole (system audit). At
the same time, audits allow the supervision of already started measures. Audits therefore help
to improve the effectiveness of management systems and consequently the whole company
organization” [1].
An audit:
[1] http://www.experteam.de/starte/leistungen/Themen/SWQualitaetsmanagement/Auditierung.html
“Every successful audit is based on sound planning and an atmosphere of constructive
involvement and communication between the client and the auditor” [2].
A security audit is a process or event that uses the security policy or standards
as the basis for determining the overall state of the existing protection and for
verifying whether that protection has been implemented properly. It must target
and focus on finding out whether the current environment is securely protected
in accordance with the defined security policy. A security audit therefore
requires a complete inventory list and audit checklists, which may cover
different areas of IT such as web applications, network architecture, wireless
networks, etc. In practice it involves the use of security audit tools and
different review techniques for revealing security loopholes.
[2] http://www.auditnet.org/process.htm
repetitive checking process to ensure that these security measures are properly
implemented from time to time. You may safely conclude that Security Audit is
performed more frequently than Security Risk Assessment.
NOTE: Auditing allows one to define the sequence of steps which occurred
prior to a security incident. Traceability is the key. In practice, good
IS security procedures often specify the use of software and/or other
mechanisms which come with some sort of automatic auditing
facility for providing traceability.
The role of an auditor is to review the integrity of the subject in question. The
auditor does not participate in the creation or implementation of the subject.
He is merely an observer, an examiner and a reviewer.
Keep in mind, an auditor's active participation in the procedure being audited
would be a potential conflict of interest. That is why a former programmer of
the development team shouldn’t be assigned to audit the work of the
development team at present.
An auditor acts in the best interest of the client. He/she must place the
responsibility to be extremely fair and honest ahead of his/her own
interest. This is what FIDUCIARY RESPONSIBILITY is all about.
Information Security Auditing covers topics from auditing the physical security
of data centers to auditing the logical security of databases, and highlights key
components to look for and different methods for auditing these areas. To be
effective and efficient, one should be adequately educated about the
organization and its critical business operations through the following activities:
- Review job descriptions of involved employees
- Adequate environmental controls are in place to ensure equipment is
protected from natural disasters
Below is the audit flow chart developed by UNISA of Australia. Different types
of audit conducted in different industries may have variations to this “model
flow”, and this chart is shown here to give you an idea of how the pros conduct
a planned audit in the real world.
Overall Strategies
Audit generally, then specifically. In other words, enable general audit options at
first, then use more specific audit options. This will help the auditor gather the
evidence required to make concrete conclusions regarding the origins of
suspicious activity. Remember to protect the audit trail so that audit
information cannot be added, changed, or deleted without being audited.
This refers to the process of gathering historical information about particular IS
activities. In order to avoid cluttering the meaningful information with useless
audit information, you should audit only the targeted activities. After you have
collected the required information, archive audit records that are of interest and
purge the audit trail of this information.
NOTE: Effective audit trails in the practical world should at the least
document each action requested, detect any changes made or
attempted, and create a log of all failed attempts. The log should
be consistent and organized by items such as user session and
date/time, and should show the command issued and the files affected.
The log should be stored in a hidden location, in some sort of
separately identifiable encrypted format.
You should log the activities of both the regular users and the power users
(administrators …etc). Regular users tend to make careless mistakes, while
power users are capable of making intentional errors.
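One way to give an audit trail the tamper-evidence called for above (information cannot be added, changed or deleted without it being noticed), as an added Python example rather than anything from the study guide: every record carries a keyed hash chained to the previous record, so an edited, deleted or inserted record breaks the chain when the trail is verified. The record fields, the audit key and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Key held by the audit function only, never by the users or administrators
# whose actions are logged (constructed demo value).
AUDIT_KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = "GENESIS"


def _chain_mac(prev_mac, record):
    """MAC over the previous record's MAC plus this record's canonical JSON."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append_event(trail, user, session, command, files, outcome, when=None):
    """Append one record (user session, date/time, command, files affected,
    outcome) whose MAC chains to the record before it. Returns the record."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    record = {"seq": len(trail), "time": when, "user": user, "session": session,
              "command": command, "files": list(files), "outcome": outcome}
    prev_mac = trail[-1]["mac"] if trail else GENESIS
    entry = {**record, "mac": _chain_mac(prev_mac, record)}
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return (True, None) if every record chains correctly, otherwise
    (False, seq) for the first record that fails. Editing, deleting or
    inserting a record invalidates every MAC from that point onward."""
    prev_mac = GENESIS
    for i, entry in enumerate(trail):
        record = {k: v for k, v in entry.items() if k != "mac"}
        expected = _chain_mac(prev_mac, record)
        if entry.get("seq") != i or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev_mac = entry["mac"]
    return True, None


def anchor(trail):
    """The latest MAC. Stored separately (off the audited host) so that
    silently truncating the tail of the trail is detected as well."""
    return trail[-1]["mac"] if trail else GENESIS


def build_sample_trail():
    """Constructed sample: three events, one of them a failed attempt."""
    t = []
    append_event(t, "alice", "s-101", "login", [], "success",
                 "2009-01-05T08:00:00+00:00")
    append_event(t, "alice", "s-101", "edit", ["payroll.xls"], "success",
                 "2009-01-05T08:02:00+00:00")
    append_event(t, "bob", "s-102", "delete", ["payroll.xls"], "denied",
                 "2009-01-05T08:05:00+00:00")
    return t


def tamper_and_check():
    """Four tampering scenarios and what verification reports for each."""
    results = {}
    t = build_sample_trail()
    t[2]["outcome"] = "success"                  # change a record
    results["edit"] = verify_trail(t)            # (False, 2)
    t = build_sample_trail()
    del t[1]                                     # delete a record
    results["delete"] = verify_trail(t)          # (False, 1)
    t = build_sample_trail()
    t.insert(1, dict(t[1], user="mallory"))      # insert a forged record
    results["insert"] = verify_trail(t)          # (False, 1)
    t = build_sample_trail()
    saved = anchor(t)
    t.pop()                                      # truncate the tail: chain
    results["truncate"] = (verify_trail(t),      # still verifies, but the
                           anchor(t) == saved)   # stored anchor no longer matches
    return results


if __name__ == "__main__":
    print(verify_trail(build_sample_trail()))
    for scenario, outcome in tamper_and_check().items():
        print(scenario, outcome)
```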
NOTE: An Administrator's Log provides a history of the actions taken by the
administrator, who has been charged with responsibility to authorize the
access and use of corporate data and application. Through this log,
actions of the administrator can be thoroughly audited to assure that
corporate policy and procedure have not been unintentionally tampered
with.
Audit Planning
While planning the audit, you should decide what level of risk of reaching an
incorrect conclusion based on the audit findings is acceptable.
There are 2 types of possible risk here:
The more effective and extensive the audit work is, the less the risk that a
weakness will go undetected and you will issue an inappropriate report. Such
audit risk is dependent on the assessed levels of inherent risk, control risk, and
detection risk (Control risk is determined by evaluating an organization’s
internal control structure. You can implement compliance testing procedures
when the effectiveness of an organization’s internal controls is evaluated. The
level of detection risk is further determined by the assessment of inherent risk
and the assessment of control risk following compliance testing). In fact, these
risks can be quite accurately determined when performing a risk assessment of
the organization.
There should also be a risk assessment process that describes and analyzes the
risks inherent in the existing IT operation. You should update the risk
assessment as necessary to reflect changes to internal control or work processes,
and to incorporate new operations (if any). In fact, the level of risk should be
one of the most significant factors considered when determining the frequency
and depth of audit activities.
When assessing materiality, you should consider the aggregate level of error
acceptable to management, the IT audit committee, and the appropriate
regulatory agencies. You need to consider the potential for the cumulative
effect of small errors or weaknesses to become material. While establishing
materiality, you may audit non-financial items such as physical access controls,
logical access controls, and systems for personnel management, manufacturing
control, design, quality control, password generation, etc.
The audit plan should detail the audit function’s budgeting and planning
processes. The plan should describe audit goals, schedules, staffing needs, and
reporting. The audit plan should ideally be defined by combining the results of
the risk assessment and the resources required to yield the timing and frequency
of planned audits. The audit committee should formally approve this audit plan.
The auditors should in turn report the status of planned versus actual audits
regularly.
For successful audits, you need to know:
- the audit objectives
At the planning portion of the audit, an auditor should perform the following:
- Interception Controls: Interception can be deterred by physical access
controls at data centers and offices. Note that encryption also helps to
secure wireless networks. You should continually evaluate your client’s
encryption policies and procedures. In particular, you should verify that
management has controls in place over the data encryption management
process. Access to keys should require dual control, keys should be
composed of two separate components and should be maintained on a
computer that is not accessible to programmers or outsiders.
A firewall acts as a choke point in the network where all traffic passing through it is inspected. A
proxy firewall acts as a middleman between the two parties so there is no direct connection
between them. It works by making a copy of each incoming packet, changing the source address
and then transmitting it to the final destination.
Application level proxies inspect the entire packet and make filtering decisions based on both
the header information and the actual packet content. They allow for the greatest level of control
at the expense of resource consumption. Circuit level proxies make filtering decisions based on
basic information such as packet header information, IP addresses, ports, and protocol type.
They are less secure. Routers can achieve basic protection by filtering IP addresses through the use
of access control lists. They are never intended to provide a serious firewalling service.
Talking about application security, you would also need to know the different methods of
software system testing.
- With Black box testing, the tester has no previous knowledge of the test object's internal
structure and does not examine the code involved. The test is therefore unbiased.
However, since the tester is independent of the designer, it is almost impossible to ensure
that all existing "paths" of the system are fully tested. On the contrary, White box testing
(also known as clear box testing/glass box testing/structural testing) uses an internal
perspective of the system to design test cases. Test cases are therefore designed and
implemented based on full knowledge of the test object's internal structure. The tester has
to know the code inside and out in order to test accurately. Bias is therefore possible.
- Stress testing is a common way to test and determine the stability of a given system. It
involves testing beyond normal operational capacity in order to observe system performance
under stress. Emphasis is on robustness, availability, and error handling during heavy
workload.
- A use case is a technique commonly used for capturing functional requirements of systems.
It allows you to describe the sequences of events that, when taken together, can lead to the
completion of a particular set of system activities for achieving a particular purpose.
- Boundary value analysis is a special software testing design technique for determining test
cases that cover specifically those off-by-one errors (logical errors which involve the discrete
equivalent of a boundary condition). This type of analysis is valuable as the boundaries of
input ranges to a software program are often liable to defects.
Audit sampling, which is often desirable for practical reasons, refers to the
application of an audit procedure to less than 100% of the population so that
you may evaluate audit evidence within a class of transactions for the purpose
of forming a conclusion concerning the population. Sampling may be done
statistically through Random Sampling or Systematic Sampling, or non-
statistically through Haphazard Sampling or Judgmental Sampling. Do note that
sample size is a factor that affects the level of sampling risk: the smaller the
sample size, the more likely that errors present in the population escape the
sample and lead you to an incorrect conclusion.
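An added Python example (not from the study guide) showing the sampling methods named above applied to a constructed population of transactions, and quantifying sampling risk as the probability that a sample of n items contains none of the k deviations present in the population. The population, the "posted without approval" compliance test and the sample sizes are constructed for the example.

```python
import random
from math import comb


def random_sample(population, n, seed=None):
    """Statistical: every item has the same chance of being selected."""
    return random.Random(seed).sample(population, n)


def systematic_sample(population, n, seed=None):
    """Statistical: a random starting point, then every k-th item (k = N // n)."""
    k = len(population) // n
    start = random.Random(seed).randrange(k)
    return population[start::k][:n]


def judgmental_sample(population, predicate):
    """Non-statistical: the auditor picks items by judgment (e.g. every large
    payment). Such results cannot be projected onto the whole population."""
    return [item for item in population if predicate(item)]


def p_sample_misses_all(N, k, n):
    """Sampling risk for a test of controls: the probability that a sample of
    n items drawn from N, of which k are deviations, contains none of them
    (hypergeometric). A smaller n gives a larger chance of wrongly concluding
    that the control operates without deviation."""
    if n > N or k > N:
        raise ValueError("sample or deviation count exceeds the population")
    return comb(N - k, n) / comb(N, n)       # comb() is 0 when n > N - k


def build_population(size=1000, deviations=20, seed=7):
    """Constructed: purchase transactions, a few posted without approval."""
    rng = random.Random(seed)
    unapproved = set(rng.sample(range(size), deviations))
    return [{"id": i, "amount": rng.randint(10, 50000), "approved": i not in unapproved}
            for i in range(size)]


def deviations_found(sample):
    """The compliance test applied to the sampled items."""
    return sum(1 for t in sample if not t["approved"])


def demo():
    """Deviations found by each method at several sample sizes, next to the
    probability that a sample of that size would have found none at all."""
    pop = build_population()
    report = {}
    for n in (30, 60, 120):
        report[n] = {
            "random": deviations_found(random_sample(pop, n, seed=1)),
            "systematic": deviations_found(systematic_sample(pop, n, seed=1)),
            "judgmental_large": deviations_found(
                judgmental_sample(pop, lambda t: t["amount"] > 45000)),
            "p_miss_all": round(p_sample_misses_all(len(pop), 20, n), 3),
        }
    return report


if __name__ == "__main__":
    for n, row in demo().items():
        print(n, row)
```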
You should also make decisions about the nature, extent, and timing of
evidence to be gathered. The types of evidence may include:
- Documentary audit evidence, such as activity and control logs.
- Initial Meeting - at this meeting the client describes the unit or system
to be reviewed, the organization, available resources and other relevant
information. The client also identifies issues or areas of special concern
that should be addressed.
- Control Review - the auditor reviews the target unit's existing control
structure. To save time, the auditor uses a variety of tools and
techniques to gather and analyze information about the operation. One
primary objective here is to determine the areas of highest risk and
design tests to be performed in the fieldwork section.
Keep in mind:
“The IS auditor should consider whether his or her organizational status is appropriate for the
nature of the planned audit. Where this is not considered to be the case, the hiring of an
independent third party to manage or perform this audit should be considered by the
appropriate level of management” [3].
In fact, you may audit your audit program and policy by asking questions
like:
[3] http://www.isaca.org/standard/guide1.htm
- What information is audited?
- Is there a policy stating how long the captured audit logs are to be retained?
You want to have a FIREWALL AUDIT to ensure that the firewall and the
associated systems have all been properly configured to enforce the security
policy with optimal protection. The firewall should be audited for its
configuration and also for its physical access control.
You want to conduct an INTERNAL NETWORK AUDIT to discover any
vulnerability that could be exploited by authorized internal users, and to
identify any weaknesses and strengths in the controls of the internal systems
and networks. The topology of internal network infrastructure should also be
reviewed. The audit test should include an internal network scan to check for
any security holes on specified times or pre-agreed periods. The scanning on
critical hosts or workstations should be included as part of the test effort.
You want to perform SECURITY POLICY, GUIDELINES &
PROCEDURES REVIEW to review or develop the existing security policy,
guidelines and procedures. You want to focus on the high-level overall
organization-wide security policy, or on specific systems, networks or areas that
are of concern.
You want to perform HOST SECURITY AUDIT to assess the operating
system level security of the different server platforms.
Misconfiguration of the operating systems may open up security holes that may
not be known to your system administrators, and the goal of this audit is to sort
them all out.
via communication links such as dial-up connections and/or broadband
connections.
Objective:
To assess whether access from the internal network to the
Internet and from the Internet to the internal network
is controlled.
Criteria:
The Internet policy should convey to all staff the intent
of the controls to be implemented by the firewall.
Procedures:
a) Obtain a copy of the Internet Policy.
b) Identify the process that was used to develop the
policy. Ascertain whether the process considered the
value of and degree of reliance on the firewall and the
severity, probability, and extent of the potential for
direct and indirect harm.
c) Assess whether the policy:
* identifies the specific assets that the firewall is
intended to protect and the objectives of that protection
(integrity, availability, and confidentiality);
* describes the organizational structure and associated
responsibilities and accountability of personnel who will
be charged with implementing the policy, monitoring
compliance with the policy and adhering to the policy;
* supports the legitimate use and flow of data and
information;
* documents what information passing through the firewall
will be monitored (limit organizational liability, reduce
abuse, support prosecution for abuse); and
* is consistent both in tone and in principle with other
organizational policies and accepted practice (e.g.
availability of Internet access for nonbusiness use)
d) Ascertain whether legal counsel has reviewed the
policy to ensure consistency with requirements and
limitations imposed externally (laws, regulations etc.).
e) Determine whether management approval of the policy
has been sought and granted and the date of the most
recent review of the policy by management.
f) Identify how the Internet policy was/is communicated
to users and how awareness is maintained. Select a sample
of users and discuss their understanding of their
responsibilities related to Internet use and how to
report problems.
g) Determine whether standards and procedures have been
defined to specify the means by which the policy is
implemented.
h) Assess whether the standards and procedures specify
who is responsible and empowered to do each function
required for the proper operation of the firewall.
i) Assess whether the security policy:
* is easy to read and locate relevant sections;
* is versioned and dated;
* is carefully worded with all ambiguous terms precisely
defined;
* sets out acceptable conditions of use as well as
unacceptable conditions of use;
* is widely communicated to affected persons; and
* is reviewed at regular intervals.
j) Consider whether the following issues are addressed in
the policy document:
* Scope of the policy in relation to other internal and
external networks with which it may be connected.
* Basic philosophy that may be used for making non
deterministic decisions.
* Governing policies, such as Federal and Provincial Law,
contractual terms and conditions, or other policies
internal to the Company.
* Identification of the person who has ultimate authority
to interpret and apply the policy to a particular
situation.
* Allowance for the policy to be temporarily waived by a
person of authority under certain conditions or
guidelines.
* Formal definition of how the people affected by the
policy will be informed of its contents.
* Frequency and necessity for reviews of the policy.
* Outline of the assets that must be protected, and from
what threats.
* Security incident handling principles.
* Guidelines for liability of personnel with regard to
security breaches to discourage people from hiding
details of a breach that they may have (somewhat
innocently) been involved in.
* Guidelines regarding investigation of incidents and
courses of action that could be taken by decisionmakers
based upon details of the security breach, including
referral to law enforcement agencies, as well as internal
investigation and disciplinary principles.
k) Consider whether the rights and responsibilities of
users are addressed in the policy document, including:
* Account use, by both the account holder and the
resource provider. Special conditions may apply to the
use of normal user accounts, and public access accounts
(like anonymous ftp), and these conditions could be
expressed here.
* Software and data access and use, including sources of
data and software.
* Disclosure of information which is potentially harmful,
such as password information or configuration
information.
* Etiquette, including acceptable forms of expression
(e.g. nonoffensive expression expected for unsolicited
electronic mail), and unacceptable practices (such as the
forging of electronic mail and news articles).
* Password use and format.
* Rights to privacy, and the circumstances under which
the resource provider may intrude on the files held under
or activities practiced by an account.
* Other miscellaneous guidelines regarding reasonable
practices, such as the use of CPU cycles and temporary
general access storage areas. Copyright issues may also
be discussed here.
l) Consider whether the rights and responsibilities of
resource providers are addressed in the policy document,
including:
* physical security guidelines;
* privacy guidelines; and
* configuration guidelines, including:
  - allocation of responsibility;
  - network connection guidelines;
  - authentication guidelines;
  - authority to hold and grant account guidelines;
  - auditing and monitoring guidelines;
  - password format, enforcement and lifetime guidelines; and
  - login banners.
You may also perform audits using a wide range of computer tools. For example,
you may perform vulnerability scans using an automated vulnerability scanning
tool to quickly identify known vulnerabilities on the target hosts or devices.
However, since a large number of system requests will be generated by the
automated vulnerability scanning tool, the system and network performance of
the target groups will likely be impacted during the vulnerability scanning
process. You must therefore devise a plan to minimize possible service
interruption during the scanning process. Also note that some of the potential
vulnerabilities identified by the automated scanning tool may not represent real
vulnerabilities in the practical, real-world context; therefore, be aware that
false positives are possible and that professional judgment must be exercised
from time to time.
While network vulnerability scanning is a good method to collect vulnerability
information within a short period of time, it is non-intrusive and does not
attempt to exploit the identified vulnerabilities. A penetration test may need to
be adopted if more in-depth findings are desired.
Audit Fieldwork
During the audit process, the fieldwork concentrates on transaction testing and
informal communications. At this stage the auditor determines whether the
controls identified during the preliminary review are operating properly and in
the manner described.
Remember, you do NOT audit every single item. With the help of statistical
sampling techniques, you determine (mostly in a random manner) which items
to work on.
o Transaction Testing - procedures usually include testing the major
controls and the accuracy and propriety of the transactions. Various
techniques including sampling are used to enhance productivity.
o Working Papers – sort of “scratch paper” that are kept for supporting
the audit opinion. They are comprehensive in nature.
Whatever the source, audit software programs should remain under the strict
control of the audit department.
You use CAATs to test application controls as well as to perform substantive tests
on sample items. Types of CAATs include Generalized Audit Software (GAS),
Custom Audit Software (CAS), Test Data, Parallel Simulation and Integrated
Test Facility. Through the use of CAATs, you will be able to obtain evidence to
support the final conclusions developed on the audit.
Audit evidence needs to be sufficient, reliable, relevant, and useful in order for
you to form an opinion and to support your findings and conclusions. You
need to devise procedures to gather and organize audit evidence. You should
select the most appropriate procedure for the audit objective. Possible options
include:
l Inspection
l Confirmation
l Reperformance
l Monitoring
To conclude the fieldwork stage, a list of significant findings from which the
auditor will prepare a draft of the audit report is produced.
Audit Program
An audit program acts as the link between the preliminary survey and the field
work. In the preliminary survey the auditors identify operating objectives, risks,
operating conditions and control procedures. In field work they gather evidence
about the effectiveness of control systems based on observations,
documentation, verification and other audit procedures.
For a list of popular audit programs you may refer to this hyperlink:
http://www.auditnet.org/asapind.htm
Audit Report
This is the principal product of the audit process - you express your opinions,
present the audit findings, and discuss recommendations for improvements.
According to IS Auditing Standard 070 (Reporting), “The IT auditor should provide a report
in an appropriate form, upon the completion of the audit. The report should state the scope,
objectives, period of coverage, and the nature, timing, and extent of the audit work performed.
The report should state the findings, conclusions, and recommendations and any reservations,
qualifications or limitations of scope that the IT auditor has with respect to the audit.”
It is always advisable for you to first discuss the rough draft with your client
prior to issuing the final report:
1. When the fieldwork is completed, the auditor drafts the report and gives
it to the audit management for a thorough review. A discussion draft is
prepared for the unit's operating management and is submitted for the
client's review before the exit conference.
2. When audit management has approved the discussion draft, the auditor
meets with the unit's management team to discuss the findings,
recommendations, and text of the draft. At this meeting (which is
known as the Exit Conference), the client is given the chance to
comment on the draft. The ultimate goal is for the group to reach an
agreement on the audit findings (and to maintain a friendly relationship
with the client).
You should discuss the draft of the audit report with management
to give management the chance to correct any weaknesses or
deficiencies before they are reported and/or even released to the
public. You may do this in the form of a Management Comment
Letter.
5. In the response, the client should explain how report findings will be
resolved. An implementation timetable should also be included. It is
technically acceptable for the client to respond with a decision not to
implement an audit recommendation and to bear the risks associated
with an audit finding.
6. Finally, the client may comment on the performance of the audit. This
feedback can be very beneficial to the audit team.
Audit Follow-Up
Within a period defined by the client, the auditor will perform a follow-up
review to verify the resolution of the report findings:
1. Follow-up Review - the client response letter is reviewed and the actions
taken to resolve the audit report findings may be tested. Unresolved
findings will be discussed in the follow-up report.
2. Follow-up Report - lists the actions taken by the client to resolve the
original report findings. Any unresolved findings will be mentioned as
well. It is a recommended practice to have a discussion draft of each
report with unresolved findings circulated to the client before the follow-
up report is issued (again, this is for reaching agreement and maintaining a
friendly relationship).
To keep things going properly, you should use a process that enables you
to track the status of client management's actions on significant findings and
recommendations.
Note:
If, after issuing the audit report, it is found that some procedures had been
omitted, you may need to review the available audit alternatives in order to
compensate for the omission. If, unfortunately, the omitted procedures have a
material bearing on the audit outcome, the worst case scenario is that
you will have to issue a new report and withdraw the old one.
Audit Assessment
l Accuracy
IT Strategic Planning
those goals and continuously measuring the performance of IT
investments. It must be tightly coupled with the organization’s strategic
planning and it must be an intrinsic and integrated part of the budget
process.
The IS auditor should consider the following options in establishing the overall
objectives of any audit associated with IT governance and the IT strategic
planning process. These options, as mentioned by ISACA (see footnote 4), should include:
o Reporting on the system of governance and/or its effectiveness
4 http://www.isaca.org/standard/guide1.htm
o Inclusion or exclusion of non-financial information systems
ISACA (above) further defines the following points that should be considered
by the auditor when reviewing the IT strategic planning process:
o There is a clear definition of IT mission and vision
o This planning process is periodically updated (at least once per year)
In-house or Outsource?
Note that one major duty of IS auditors is to validate the acquisition or
development of business application systems. From a security standpoint,
you need to judge whether building in-house is more secure (and easier to control)
than buying off the shelf. A trade-off is involved in the decision, and different
answers are expected in different circumstances. The general guideline is that
building in-house allows more control over the development process and
lets you build in more security features. However, this can be costly, as
you need to recruit, train and manage your own IT team to do the job.
Also, when your own development team is involved you must clearly define the
roles and responsibilities of each team member. Certain roles must not be
overlapped, and certain duties must be clearly separated.
The general guidelines here are:
l development VS production
l security VS audit
Protection of Information Assets through
Security Policy
Information assets, which are mostly of an intellectual nature, are vital
business resources that require protection commensurate with their value.
Mechanisms shall be in place to protect these assets from intentional (or
unintentional) modification, destruction, unauthorized disclosure, or other
malfeasance. The end goal is to make sure that the confidentiality, integrity and
availability of these assets are adequately maintained.
Assets - Protection from damage, loss or misuse of all computer and
communications equipment, including computing and communications
premises, data storage media, application/system computer programs and
documentation.
When we talk about the protection of information assets, we are dealing with
two issues here:
NOTE: Practically speaking, copy protection is also a significant issue. If the
software you use (which is part of your information assets) has a
serial number you may be held liable for the illegal copies spawned
from the original copy running on your computer system.
You need to have an idea of what it takes to shape a proper set of Information
Assets Protection policies. Then you know how to go ahead with an audit.
Questions you may ask here:
l Does the policy identify all individuals responsible for implementing that
policy and what their duties are?
l Does the policy identify the steps to be taken if there is a security breach?
l Does the policy identify enforcement procedures that identify the penalties
associated with a security breach?
l Is the policy known by all individuals who have the responsibility for
implementing that policy?
The Data Owners are the senior managers who are ultimately responsible for
protection and use of data. They often determine the data classification. The
Data Custodians, on the other hand, are responsible for maintenance and
protection of data, such as making backups and performing restores. Staff in
the IT department usually fill this role.
NOTE: Before you give classified information to anyone, you as the holder of the
information MUST do whatever you can to ensure that the person to
whom you are giving the information possesses the proper level of security
clearance and has the “need-to-know”.
Security Policy
Policy is issued top down. It is signed by the top person in the organization,
and compliance is mandatory. Procedures, on the other hand, spell out the steps
needed to attain compliance.
interpretations on the Baseline IT Security Policy. It also provides some
guidelines and considerations for defining detailed security requirements.
Once the policy is defined and implemented, the policy owner should be held responsible
for its maintenance and review according to a defined periodic review process
(update and maintenance of the policy is something of a hands-on job). Such a process
should ensure that a review takes place in response to any changes affecting the
basis of the original risk assessment.
b) ensuring information and systems are protected in line with their importance
to the organization.
c) determining which users are authorized to access particular information and
systems.
i) ensuring users are aware of their security responsibilities and are able to fulfill
them.
j) being involved with security audits/reviews.
Do keep in mind, ALL USERS, NOT just the owners, have a
responsibility to ensure the protection of information and computing
assets!
And for the purpose of the exam, remember that the necessary components
that fit together for effective security management practices are:
l Data classification
l Operational activities
l Safeguard selection
l Separation of duties
l Risk assessment
l Security awareness.
The above are concerns at a broader level. At the actual admin level, on the
other hand, questions you may ask concerning the hands-on management,
enforcement and implementation of security procedures may include:
To ensure successful implementation of security policies and procedures, the
security awareness training factors of Awareness, Training and Education
must be considered. Note that:
· Business users need skills to use systems correctly and apply security
controls
General questions you may ask concerning user training may include:
l Are new employees required to receive security awareness training within a
specified number of days after hiring?
* The risk of IT staff disrupting the running of the network either in error or by malicious
intent should be reduced by the following measures:
a) segregating the duties of staff running the network from those developing/designing the
network.
d) organizing duties in such a way as to minimize the risk of theft, fraud, error and
unauthorized changes to information.
e) screening applicants for positions that involve running the network through taking up
references and checking career history.
Security Models and Modes of Operations
The Bell-LaPadula Model was developed by the military in the 1970s to address
leakage of classified information. Its main goal is confidentiality. A system using
the Bell-LaPadula model would be classified as a multi-level security system.
Bell-LaPadula is a state machine model, and could also be categorized as an
information flow model.
l Internally and externally consistent.
The various information flow models have one thing in common: they have
each object assigned a security class or value. Information is constrained to flow
only in the directions permitted by the security policy.
l With the Dedicated Security Mode, all users have the clearance and the
“need to know” to all the data within the system.
l With the System-High Security Mode, all users have clearance and
authorization to access the information in the system, but not necessarily a
need to know.
l With the Compartmented Security Mode, all users have the clearance to all
information on the system but might not have need to know and formal
access approval. Users can access a compartment of data only.
Under Limited Access, the minimum user clearance is “not cleared” and the
maximum data classification is “sensitive but unclassified”. Under Controlled
Access, there is a limited amount of trust placed on system hardware and
software.
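As an added example, not code from the study guide: the Bell-LaPadula read and write rules checked over labels made of a level plus compartments, run across a constructed access log so the violations can be flagged, with a helper that names the mode of operation (dedicated, system-high or multilevel) a given set of users and data would require. The level ladder, compartment names, users, files and log entries are all constructed.

```python
"""Bell-LaPadula access checks and modes of operation over labelled data.

Added example for the Bell-LaPadula / modes-of-operation passage; it is not
code from the study guide. The level ladder, compartment names, users, files
and the access log below are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Hierarchical classification ladder, lowest to highest (constructed).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order of the model: level at least as high AND compartments a
        # superset of the other's (the "need to know" part of the label).
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): object must dominate subject, so nothing
    the subject has read can flow to a lower or differently compartmented label."""
    return obj.dominates(subject)


def mode_of_operation(users: Iterable[Label], data: Iterable[Label]) -> str:
    """Name the mode of operation a system needs for these users and data.

    dedicated:   every user dominates every object, i.e. has clearance AND
                 need to know for everything on the system.
    system-high: every user is cleared to the level of every object, but some
                 user lacks a compartment, so need to know is not universal.
    multilevel:  some user is not even cleared for some of the data; the system
                 itself must enforce the separation.
    The guide's compartmented mode also has every user cleared for every
    level; it differs from system-high by formal access approval, which a
    label does not capture, so it is not distinguished here.
    """
    users, data = list(users), list(data)
    if all(u.dominates(d) for u in users for d in data):
        return "dedicated"
    if all(RANK[u.level] >= RANK[d.level] for u in users for d in data):
        return "system-high"
    return "multilevel"


def audit_access_log(labels: Dict[str, Label],
                     log: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the entries ("user op object") that violate the model.

    Each entry is (user, op, object) with op "read" or "write"; labels maps
    every user and object name to its Label.
    """
    checks = {"read": can_read, "write": can_write}
    return [f"{user} {op} {obj}" for user, op, obj in log
            if not checks[op](labels[user], labels[obj])]


# Constructed sample: three users, four files, five logged accesses.
SAMPLE_LABELS = {
    "alice": Label("TOP_SECRET", frozenset({"CRYPTO", "NUCLEAR"})),
    "bob": Label("SECRET", frozenset({"NUCLEAR"})),
    "carol": Label("SECRET", frozenset({"CRYPTO"})),
    "design.doc": Label("SECRET", frozenset({"NUCLEAR"})),
    "keys.txt": Label("TOP_SECRET", frozenset({"CRYPTO"})),
    "report.txt": Label("TOP_SECRET", frozenset({"CRYPTO", "NUCLEAR"})),
    "memo.txt": Label("UNCLASSIFIED"),
}
SAMPLE_LOG = [
    ("alice", "read", "keys.txt"),     # allowed: alice dominates the file
    ("alice", "write", "memo.txt"),    # violation: write down to UNCLASSIFIED
    ("bob", "read", "keys.txt"),       # violation: read up (SECRET < TOP_SECRET)
    ("bob", "write", "report.txt"),    # allowed: writing up is permitted
    ("carol", "read", "design.doc"),   # violation: same level, no NUCLEAR need to know
]

if __name__ == "__main__":
    for entry in audit_access_log(SAMPLE_LABELS, SAMPLE_LOG):
        print("VIOLATION:", entry)
    users = [SAMPLE_LABELS[u] for u in ("alice", "bob", "carol")]
    files = [SAMPLE_LABELS[f] for f in ("design.doc", "keys.txt", "report.txt", "memo.txt")]
    print("required mode:", mode_of_operation(users, files))
```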
Some questions you may ask when auditing user account related issues:
l Who has root/admin access to your systems?
Example Policy
The role of the CIO and his/her peers involves developing and publishing
policy in consultation with Business Units and Service Providers as well as
promoting the development of the various supporting standards and
Guidelines.
1. Sample company information technology assets must not be used for private
commercial purposes.
2. Users must not breach copyright, nor use facilities for illegal purposes.
5. All users must abide by Sample company acceptable use policies for e-mail
and Internet and not download, transmit, distribute or store any harassing or
obscene messages and files, or any objectionable material via a Sample
company PC or network. This includes the use of insulting, sexist, racist,
obscene, suggestive or any other inappropriate language.
6. All users are personally accountable for their own logon-id and password.
Passwords must not be disclosed nor shared.
7. The Standards and Guidelines supporting this policy form part of the Policy.
8. Users are responsible for meeting published information technology
standards, guidelines and acceptable use policies.
9. Appropriate levels of security and encryption will be used when
communicating electronically with external parties. All items for encryption
must be authorized and copies of encryption keys must be lodged with the IT
Security Officer.
10. Any variations or departures from the IT Security Policy must be endorsed
by the Chief Information Officer and must be available for audit.
11. Sample company reserves the right to monitor usage and electronically
record security breaches to ensure compliance is maintained.
12. All Sample company PCs will be loaded with virus checking software.
Users must not disable or change the configuration settings of this software
unless directed to do so by an appropriate Technology Group staff member.
Consequences of violations
fact, any security exposures, misuse or non-compliance must be reported as
soon as an occurrence is identified. Failure to comply with the Information
Technology Security Policy and supporting sub-policies may, for internal staff,
lead to disciplinary procedures and, for external suppliers and consultants, to
the suspension of contracts and withdrawal of access to the organization’s
information systems, etc.
Evaluation
The US Department of Defense developed TCSEC (Trusted Computer System
Evaluation Criteria), broadly known as the “Orange Book”, to provide a graded
classification for computer system security. The graded classification hierarchy
has four levels:
A – Verified Protection
B – Mandatory Protection
C – Discretionary Protection
D – Minimal Security
The evaluation criteria involve four main areas: Security, Policy, Accountability
and Assurance and Testing. Note that the Red Book is an interpretation of the
Orange Book for networks and network components. The Red Book TNI
ratings are:
l None
l C1 – Minimum
l C2 – Fair
l B2 – Good
development, with the purpose of explaining how to resolve conflicting
classifications.
Change control
‧ Cataloging the intended change
Business Continuity Planning
“According to a recent Gartner Group document, a business continuance plan should include:
a disaster recovery plan, which specifies an organization's planned strategies for post-failure
procedures; a business resumption plan, which specifies a means of maintaining essential
services at the crisis location; a business recovery plan, which specifies a means of recovering
business functions at an alternate location; and a contingency plan, which specifies a means of
dealing with external events that can seriously impact the organization”.
Definition
From a practical standpoint, you must understand that it may not be practical
for any but the largest business functions to maintain full functioning
throughout a disaster crisis. You cannot afford to keep everything running non-
stop due to the high cost involved. In fact, the very first step in business
continuity planning is deciding which of the organization's functions are
essential, and apportioning the available budget accordingly.
BCP Phases
l Initiation
l Strategy development
l Plan development
l Implementation
l Testing
l Maintenance
l Business continuity plan development
The key phrase in business continuity is "reduce risk", which means to prepare
for any event that could jeopardize your business's ability to operate. If disaster
strikes, companies have everything to lose: critical data, profits, information,
etc., all of which are critical to the running of any company.
You will need to take into account the various stakeholders in the equation.
Below are the stakeholders that will most likely be involved:
l Internal (corporate and business unit level) groups
l A list of important contacts must be maintained at all times by several key
people in the organization. One of these key people must be available off-
site (imagine what can happen if all the key people get buried in the
destroyed building).
l Each business unit should have at least one person assigned to keep a list
of contacts of all the staff within the unit – during a tragedy there is a need
to find out who is still missing. There is also a need to keep the family
members of the staff fully informed on what is happening.
l It will be very ugly if the person in charge of the organization is the last one
who is informed of the tragedy. When something goes wrong, the CEO is
often the target of the media. Do NOT upset the media. Do NOT upset
the reporters.
and identify risks and consequences associated with vulnerabilities. It provides a
basis for company management to establish an effective security program.
Based on the assessment results, you develop security policies and guidelines,
assign security responsibilities and implement technical security protections.
You then perform cyclic compliance reviews and re-assessment to assure that
security controls are properly put into place to meet users' security requirements,
and to cope with the rapid environmental changes of all kinds. You would need
to rely on continuous feedback and monitoring to achieve this.
Prior to conducting a risk assessment you should get yourself started by
building up a solid knowledge base. You need to know the current and historical
internal environment, the current and historical external environment, internal
and external dependencies and vulnerabilities, threat profiles, as well as
countermeasure choices and related costs.
The kinds of information that are often desired for performing an assessment,
as recommended by INFOSEC, include:
l Systems such as operating systems, network management systems
l protection requirements to control the risks
You may collect this information through General Control Review,
System Review, and Vulnerability Identification. With General Control Review
you identify threats arising from the existing general security processes by
examining the systems through interviews, site visits, documentation review,
observation, etc. System Review focuses on system elements such as system
files or logs, running processes, access control files, user listings, configuration
settings, security patch level, etc. Vulnerability Identification would often
involve using automated tools such as vulnerability scanning and penetration
testing over the network.
purpose is to pinpoint the significant threats as a guide to the selection of
security measures and to develop a yardstick for determining the amount of
money that is reasonable to spend on each of them.
Note that this model of risk assumes that we have knowledge of our
vulnerabilities and our threats.
A threat is typically defined as an event (such as a flood, tornado or computer virus
outbreak) of low probability yet highly damaging, one that really catches your
attention. The chance of the event occurring is a probability that the event has
happened. There is no time constraint. The event will likely happen over some
defined period of time. There exists a probability that describes the frequency
of such an event. A vulnerability, on the other hand, is usually defined as a
weakness that is exploited in some very negative way by the threat.
You perform Threat Analysis to identify the threats and to determine the
likelihood of their occurrence and their potential to harm systems or assets.
System error or control logs are usually good sources of data for this.
Social threats are directly related to human factors, which can be intentional or
unintentional. Technical threats are usually caused by technical problems.
Environmental threats are usually caused by environmental disasters.
Identifying Risks
The key part of the BCP Process is the assessment of the potential risks to the
business which could result from disasters or emergency situations. You MUST
consider ALL the possible incidents and the impact that follows. Examples of
the risks that are possible for any organization on earth include (but are not limited
to):
o Environmental Disasters
Risk results may be analyzed using qualitative and quantitative methods and/or
a matrix approach. With the qualitative method you use descriptive word scales or
rankings of significance/severity based on experience and judgment. It is more
subjective in nature. On the contrary, the quantitative method uses numerical
information to arrive at percentages or numerical values. Generally speaking, a
qualitative method is better for initial screening while a quantitative method is
more ideal for detailed and specific analysis of some critical elements and for
further analysis of high-risk areas. A matrix approach would involve
documenting and estimating the three major needs of security protection,
which are confidentiality, integrity and availability, in three different levels
of severity (high, medium, low). The risk level would be ranked based on the
criticality of each risk element. The idea is that risk interpretation should be
limited to the most significant risks so as to reduce the overall effort and
complexity.
Loss Calculations
The Single Loss Expectancy model is the model upon which the Annualized
Loss Expectancy and Cumulative Loss Expectancy models are based. This
simple (and less accurate) model has its roots in accounting, with the purpose
of determining how much value in terms of dollars will be lost, and is often
used to express the results in a financial impact analysis.
The Annualized Loss Expectancy Model of risk comes closer (relatively) to
painting an accurate picture of risk by adding the probability of an event
happening over a single year’s time. To reach an answer, you need to first
calculate the Single Loss Expectancy to determine this value. Then you obtain
the product of the Single Loss Expectancy and the value of the asset to
produce the Annualized Loss Expectancy. The formula looks like this:
The Cumulative Loss Model approaches risks by taking into account all of the
bad things that are likely to happen to your business over the next year. You
will need to look at each threat, the probability of each threat against your
business, and then derive an expected loss. You can take all of the threats, and
compute the annual rate of each threat occurring. This is a relatively
complicated model and is less emphasized in the exam.
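As an added example (not the book's own material), the three models above carried through in the standard textbook forms SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence, with the cumulative model as the sum of ALEs over all threats and a spending yardstick of the kind the risk assessment passage describes. The threats, dollar figures, rates and control cost are all constructed.

```python
"""Single, annualized and cumulative loss expectancy on constructed figures.

Added example for the Loss Calculations section; it is not code from the
study guide. It uses the standard textbook forms SLE = AV x EF and
ALE = SLE x ARO, and the cumulative model as the sum of the ALEs of all
threats. Every asset value, exposure factor, rate and cost below is constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: dollar value of the asset exposed to this threat
    exposure_factor: float  # EF: fraction of AV lost in one occurrence, 0.0 to 1.0
    annual_rate: float      # ARO: expected occurrences per year (0.1 = once a decade)

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in a single occurrence (AV x EF)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must lie in [0, 1]")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE weighted by yearly frequency (SLE x ARO)."""
        if self.annual_rate < 0.0:
            raise ValueError(f"{self.name}: annual rate cannot be negative")
        return self.sle() * self.annual_rate


def cumulative_ale(threats: List[Threat]) -> float:
    """Cumulative Loss model: expected total loss from all threats over one year."""
    return sum(t.ale() for t in threats)


def rank_by_ale(threats: List[Threat]) -> List[str]:
    """Threat names ordered from largest to smallest expected annual loss."""
    return [t.name for t in sorted(threats, key=lambda t: t.ale(), reverse=True)]


def control_benefit(before: Threat, after: Threat, annual_control_cost: float) -> float:
    """Yardstick for how much is reasonable to spend on a countermeasure:
    the ALE reduction it buys minus its own annual cost. A negative result
    means the control costs more per year than the expected loss it removes."""
    return (before.ale() - after.ale()) - annual_control_cost


# Constructed sample: three threats against a small data centre.
SAMPLE_THREATS = [
    Threat("fire", asset_value=500_000, exposure_factor=0.6, annual_rate=0.05),
    Threat("ransomware", asset_value=200_000, exposure_factor=0.5, annual_rate=0.5),
    Threat("disk failure", asset_value=40_000, exposure_factor=1.0, annual_rate=2.0),
]
# The same ransomware threat after adding offline backups (constructed):
# far less of the asset is lost per incident; incidents are no less frequent.
BACKUP_RESIDUAL = Threat("ransomware", asset_value=200_000,
                         exposure_factor=0.1, annual_rate=0.5)
BACKUP_ANNUAL_COST = 20_000

if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        print(f"{t.name:<13} SLE={t.sle():>10,.0f}  ALE={t.ale():>10,.0f}")
    print("cumulative ALE:", f"{cumulative_ale(SAMPLE_THREATS):,.0f}")
    print("ranked:", rank_by_ale(SAMPLE_THREATS))
    print("net benefit of offline backups:",
          f"{control_benefit(SAMPLE_THREATS[1], BACKUP_RESIDUAL, BACKUP_ANNUAL_COST):,.0f}")
```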
From a CISA point of view, of particular importance when considering
business risks and the impact of potential emergencies is the disruption to, and
availability of, IT services and communications that are supposed to run 24x7.
At the end of the day you want to know how one may continue the IT function
should something go seriously wrong. Contingency planning is therefore a
critical factor to consider. Questions you should ask may include:
l Does the contingency plan identify and prioritize the resources that
are most important to protect in an emergency?
Every BIA should include an exploratory component to reveal any
vulnerabilities, and a planning component to develop strategies for minimizing
risk. A well-done BIA should be capable of identifying costs linked to failures,
such as loss of cash flow, replacement of equipment, salaries paid to catch up
with a backlog of work, loss of profits, etc.
The result of analysis is a business impact analysis report, which describes the
potential risks specific to the organization studied. It should quantify the
importance of business components and suggest appropriate fund allocation
for measures to protect them. The possibilities of failures are likely to be
assessed in terms of their impacts on safety, finances, marketing, legal
compliance, and quality assurance.
As part of the risk assessment effort, business impact analysis has 3 primary
goals:
l Resource Requirements: Identify resource requirements for the critical
processes.
BIA checklist
You will need inputs from both the top management and the line managers.
- For each business area, determine the business processes and identify
the essential processes.
- For the business processes, estimate the costs of failure
What are the costs of non-performance?
Description of process
Frequency of process
Prioritize essential business processes – this is VERY IMPORTANT. One key
assumption behind every BIA is that every component of the organization is
reliant upon the continued functioning of every other component, but that
some are more crucial than others and require a greater allocation of funds in
the wake of a disaster.
To minimize the effects of potential emergencies, focus must be placed on
those business activities that are keys to the continued viability of the business,
such as:
l Are backup media tested regularly for restorability/recoverability of
files?
The key personnel and the IT staff should be well trained to handle
emergency situations and incidents. Ask these questions:
Managing recovery
One critical part of handling any serious emergency situation is the
management of the Disaster Recovery Phase. Remember, the priority during
recovery is ALWAYS the safety and well-being of the employees and other
involved persons. LIFE is the most important asset. Other priorities include
the minimization of the emergency itself, the removal or minimization of the
threat of further injury or damage and the re-establishment of external services
(power, telecom, etc.).
The Business Recovery Phase will then follow directly on from the Disaster
Recovery Phase. This Phase involves the restoration of normal business
operations. From a business perspective, this is the most critical phase of the
whole BCP exercise as the efficiency and effectiveness of the procedures here
could have a direct bearing on the organization’s ability to survive the
emergency.
For a business to truly recover, from an IS standpoint these are items that are
critical:
o Power and Other Utilities
o Communications Systems
o IT Systems
The BCP test itself should be carefully planned as well. The objectives and
scope of the tests are outlined below:
o Develop Objectives and Scope of Tests
o Set Up the Test Environment
o Prepare Test Data
The test process gives IS auditors a good chance to see if the IS controls
relevant to BCP actually work as planned.
User Acceptance
About user acceptance testing: each user should create a test script designed
to validate the accuracy and performance of their application in a contingency
environment. The test scripts should be defined in such a way that they give a
clear indication of whether or not the users can do business as usual, as stated
in their recovery requirements.
Users should be asked to provide their views on the testing process and on the
results of the test. The users should also provide comments regarding
improvements and modifications that they would like to see as a result of the
test. Upon completion a user sign-off sheet should be provided for this
purpose and must be signed off by a manager of the business.
Plan maintenance
In today’s world, the pace of change will never slow down but will continue to
increase. It is necessary for the BCP to keep pace with these changes in order
for it to be useful in the event of a disruptive emergency.
To ensure that the BCP is regularly updated, the following must be established:
For your interest, take a look at the following fragment of a real world audit
report with BCP involved:
Has the Department Adequately Planned For the Actions It Must Take In the Event Of
A Disaster To Minimize the Loss of Computer Operations?
An organization needs good business continuity planning in order to quickly
recover critical operations after a disaster. Business continuity planning
addresses an organization's ability to continue functioning when normal
operations are disrupted. By necessity, it includes planning for contingencies
and disaster recovery, and is focused on the computer functions that are most
necessary to continued agency operations. Continuity planning enables an
organization to minimize the loss of communications and important
computer operations during an emergency.
The Department has done little business continuity planning for its critical
computer programs. Department management have implemented some
sound practices, such as a system for backing up critical data. However, the
Department doesn't meet many other planning standards. We found
problems such as the following:
specific staff, and is limited in the recovery instructions it gives
Incident Handling
- Reporting Procedure
- Escalation Procedure
There has to be a proper reporting procedure in place so that when an incident occurs, all parties involved know whom they should report to, in what way, and what should be noted and reported. Such a reporting procedure should have a clearly identified point of contact and comprise simple but well-defined steps to follow. It should be widely published to all concerned staff for their information and reference. You should ensure that all related staff are familiar with the reporting procedure and are capable of reporting a security incident immediately.
incident handling process. Moreover, a sufficient level of security measures for incident monitoring must be implemented to protect the system during normal operation as well as to monitor for potential security incidents. For example, you want to install a firewall device and apply authentication and access control measures to protect important system and data resources. You also want to install an intrusion detection tool to proactively monitor, detect and respond to system intrusions or hacking. It may be a good idea to also install an anti-virus tool and malicious code detection and repair software to detect and remove computer viruses and malicious code, and prevent them from affecting the system operation.
Risk Management
“Risk is a concept that auditors and managers use to express their concerns about the probable
effects of an uncertain environment. Because the future cannot be predicted with certainty,
auditors and managers have to consider a range of possible events that could take place”5.
Every organization can and should use risk management strategies and tools to
protect vital assets.
5 http://www.mc2consulting.com/riskart2.htm
6 http://www.nonprofitrisk.org/tutorials/rm_tutorial/2.htm
The discipline of risk management aims at helping an organization to identify, assess and control risks that may be present in operations, service delivery, staffing, and governance activities.
Good risk management can reduce legal costs and may avoid lawsuits altogether. Remember, legal cost is one of the worst nightmares an organization can ever have.
The risk management process provides a framework for identifying risks and deciding what to do about them. Since not all risks are created equal, risk management does not simply identify risks but also weighs the various risks and makes decisions about which risks deserve immediate attention.
- Context establishment: begin a risk management program by setting goals and identifying any potential barriers or impediments to the implementation of the program.
- Program update: keep the risk management techniques and plans periodically reviewed and updated to make certain that they remain the most appropriate strategy.
Always remember, people are the heart and soul of your organization and are irreplaceable. Risks to people's lives always deserve the most attention.
Risk-based Auditing
When performing audit assignments, there are usually two different approaches: the checklist approach versus the risk-based approach.
On the other hand, with risk-based auditing, the auditor must have a thorough understanding of the business process as well as the risks and controls in the system for achieving the organization's goals. The risk-based audit plan is specifically tuned to spend more time on the areas of highest risk and greatest importance to the goals. Less time will be spent on areas of lower importance and lower risk.
Risk Management Readings
http://www.intekworld.com/Newsletters/vol3/10oct04/riskmanagement.htm
http://www.findarticles.com/p/articles/mi_m3937/is_2000_Jan/ai_62197034
Trends: Rethinking risks
http://www.cioinsight.com/article2/0,1397,1458270,00.asp?kc=CTNKT0209KTX1K0100481
Project Management
- scope
- time
- cost
- quality
- different stakeholders
7 http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditPage!OpenDocument
To be precise, Project Management is the defining, planning, scheduling, and controlling of the tasks that must be completed to reach your goal and the FAIR allocation of the resources to perform those tasks. On the other hand, a Project Performance audit is an audit that helps you understand the current capability of your project management processes or staff, benchmark your business against best practice, and focus improvement to maximum effect.
Remember, controlling the project is important because things never work out exactly as planned. To meet your goal, it's important that you be on top of changes. This is where the audit function fits in.
To truly appreciate the relationship between IS audit and Project Management, I recommend that you read the following REAL LIFE Project Management audit documents that have been used by real-world government organizations / NGOs:
The Canadian Passport Office IRIS Project
http://www.ppt.gc.ca/publications/iris_oct99.aspx
http://www.auditnet.org/docs/PM-AuditQuestionnaire.pdf#search='PROJECT%20MANAGEMENT%20AUDIT'
Also, read the following document in-depth. This is an excellent article that describes the complex relationship between Project Management, Risk Management and the Auditing function:
http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditE-businessrisksProjectMgmt!OpenDocument
By going through these documents, you will be able to tell exactly the role of the audit function in a project management context.
Change Management
- A body of knowledge
As an "Area of Professional Practice", we see many independent consultants who acknowledge that they are change agents who manage change for their clients, and that their practices are change management practices. And stemming from the view of change management as an area of professional practice, there arises the third definition of change management: the subject matter of change management as a body of knowledge.
In fact, at the heart of change management we have the change problem: some future state to be realized, some current state to be left behind, and some process for getting from the one to the other. At the conceptual level, the change problem is a matter of moving from one state to another. At the practical level, changes and the change problems they present are problems of adaptation, in that they require the organization to adjust itself to an ever-changing set of circumstances.
Change Management strategies
Rational-Empirical: People are rational and will follow their self-interest, once it is revealed to them. Change is based on the communication of information and the proffering of incentives.
Normative-Reeducative: People are social beings and will adhere to cultural norms and values. Change is based on redefining and reinterpreting existing norms and values, and developing commitments to new ones.
Power-Coercive: People are basically compliant and will generally do what they are told or can be made to do. Change is based on the exercise of authority and the imposition of sanctions.
Environmental-Adaptive: People oppose loss and disruption but they adapt readily to new circumstances. Change is based on building a new organization and gradually transferring people from the old one to the new one.
The proper mix of strategies to be used can be determined by the following factors:
- Degree of Resistance
- The Stakes
- Expertise
- Dependency
Along the journey of making changes, there is a need to control the change process and the elements within it. Change control is often perceived as a part of the Change Management process where the audit function may fit in.
If we play with the textual definitions, one may argue that Change Management
and Change Control are two totally different disciplines. In fact, in the field of
Project Management, there tend to be differing understandings of these terms
or expressions. The problems are compounded where participants are
unfamiliar with project work and do not recognize the implicit context.
Change Control is usually applied once the first version of a deliverable has
been completed and agreed.
“Configuration Management is the identification and maintenance of the configuration of a
software product, throughout the product's life, and including both successive and parallel
product versions, for the purpose of systematically controlling changes and thereby maintaining
the product's integrity and traceability”8.
Change Control
To know what change control exactly is, take a look at the following fragment of an audit report extracted from a real-world case:
8 http://www.anu.edu.au/people/Roger.Clarke/SOS/ChgeCtl90.html
9 Ibid.
Does the Department Adequately Manage the Maintenance and Updating of Its Critical
Software?
The Department places the responsibility for managing changes on the users,
where it belongs. System changes are approved and monitored by several
steering groups made up of users of the system from across the state, as well
as representatives from the Department's programming staff. While
programmers make the actual changes, users decide which changes need to be
made and set priorities for the programmers.
documented. The system of user groups the Department uses to control the
process is well designed. However, change control as a whole could be
improved by adding more organization and better documentation.
Specifically, the Department could improve its system by:
find out whether the proper IS control mechanisms needed by the change
control process are in place and are properly followed.
ii. the control of changes, including the recording thereof, that are made to the hardware, software, firmware, and documentation throughout the system lifecycle.
of digital documents like application source code. Changes are identified by
incrementing an associated number or letter code, termed the "revision
number", "revision level", or simply "revision" and associated historically with
the person making the change.
- Application changes should be performed by individuals who are capable of making changes correctly and securely, and should be supervised by a specialist. They must also be signed off by the application owner.
- Does your organization have a configuration control function or the equivalent to direct activities in this area? If so, does the configuration control function approve and record all changes to hardware, software, and firmware?
- Does your organization have network and system diagrams and a list of all system resources?
Application Program Development
General guidelines
- Allow only the applications programmers to have access to application programs under development, and nothing else.
- Allow access to live data only through programs that are in the application libraries, and nothing else.
- Request control
- Change control
- Release control
maintenance. It is a systems approach to problem solving and is made up of several phases, including:
- Software concept
- Requirements analysis
- Architectural design
- System testing
The Waterfall Model, as a popular version of the systems development life cycle model for software engineering, includes the following phases:
- System requirements
- Software requirements
- Analysis
- Program design
- Coding
- Testing
The Chaos model is a structure of software development that extends the spiral
model and the waterfall model. It notes that the phases of the life cycle apply to
all levels of projects, from the whole project to individual lines of code. In fact,
this model has several tie-ins with the chaos theory:
that lists the requirements of the organization and rates each service provider on how well they achieve each requirement.
- Require that all purchase specifications clearly state the bid evaluation criteria, and ascertain that the staff use only the evaluation criteria included in the purchase specifications.
- Criteria for bids should be laid out in the request for proposal.
- A formal bidders list should be maintained.
Technical Readings
There are 5 sections included in this part of the study guide. They cover the majority of technical topics that will be tested in the CISA/CISM exams. By going through all of them, your readiness for the real exams can be reasonably assured.
Slide 1
Technical Readings
for CISA/CISM candidates
Covering the technical elements of the 2005/06 objectives
Slide 2
- There are 5 sections included in this part of the study guide. They cover the majority of technical topics that will be tested in the CISA/CISM exams. By going through all of them, your readiness for the real exams can be reasonably assured.
  - Section 1: Topics on security theory.
  - Section 2: Topics on hacking, attacking, defending and auditing.
  - Section 3: Topics on encryption and VPN.
  - Section 4: Topics on responding to attacks.
  - Section 5: Topics on viruses.
Slide 3
- Basically, we did all the homework for you! We:
  - reviewed the major preparation products available in the market and identified the missing critical information;
  - collected and summarized these missing pieces and present them to you in an easy-to-follow style.
Slide 4
- Make sure you have enough time: based on past experience, it takes an average student at least 3 full days to go through all the sections.
Slide 5
- Copyright Information
  - Some contents of this product are extracted and recompiled from the various Linux Security HOWTO documents, which are copyrighted by Kevin Fenzi and Dave Wreski and distributed under the following terms:
    - Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium, physical or electronic, as long as this copyright notice is retained on all copies. All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents are covered under this copyright notice.
- Information presented in this product is platform independent. Content has been modified to fulfill the purpose of this product.
Slide 6
Section 1
Security Theory
Slide 7
Section 1 – Issue 1
- Why Do We Need Security?
  - In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure. As your data goes from point A to point B on the Internet, for example, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, it. Even other users on your system may maliciously transform your data into something you did not intend.
  - Unauthorized access to your system may be obtained by intruders, also known as "crackers", who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources.
Slide 8
Section 1 – Issue 2
- How Secure Is Secure?
  - First, keep in mind that no computer system can ever be completely secure. All you can do is make it increasingly difficult for someone to compromise your system. For the average home user, not much is required to keep the casual cracker at bay. However, for high-profile users (banks, telecommunications companies, etc.), much more work is required.
Slide 9
- How Secure Is Secure?
  - Another factor to take into account is that the more secure your system is, the more intrusive your security becomes. You need to decide where in this balancing act your system will still be usable, and yet secure for your purposes. For instance, you could require everyone dialing into your system to use a callback modem to call them back at their home number. This is more secure, but if someone is not at home, it makes it difficult for them to log in. You could also set up your system with no network or connection to the Internet, but this limits its usefulness.
Slide 10
  - If you are a medium to large-sized site, you should establish a security policy stating how much security is required by your site and what auditing is in place to check it.
Slide 11
Section 1 – Issue 3
- What Are You Trying to Protect?
  - Before you attempt to secure your system, you should determine what level of threat you have to protect against, what risks you should or should not take, and how vulnerable your system is as a result. You should analyze your system to know what you're protecting, why you're protecting it, what value it has, and who has responsibility for your data and other assets.
Slide 12
  - Threat is typically from someone with motivation to gain unauthorized access to your network or computer. You must decide whom you trust to have access to your system, and what threat they could pose.
Slide 13
Section 1 – Issue 4
- Types of intruders:
  - The Curious: this type of intruder is basically interested in finding out what type of system and data you have.
  - The Malicious: this type of intruder is out to either bring down your systems, or deface your web page, or otherwise force you to spend time and money recovering from the damage he has caused.
  - The High-Profile Intruder: this type of intruder is trying to use your system to gain popularity and infamy. He might use your high-profile system to advertise his abilities.
Slide 14
  - The Competition: this type of intruder is interested in what data you have on your system. It might be someone who thinks you have something that could benefit him, financially or otherwise.
  - The Borrowers: this type of intruder is interested in setting up shop on your system and using its resources for their own purposes. He typically will run chat or IRC servers, porn archive sites, or even DNS servers.
  - The Leapfrogger: this type of intruder is only interested in your system to use it to get into other systems. If your system is well-connected or a gateway to a number of internal hosts, you may well see this type trying to compromise your system.
Slide 15
Section 1 – Issue 5
- Vulnerability
  - It describes how well-protected your computer is from another network, and the potential for someone to gain unauthorized access. What's at stake if someone breaks into your system? Of course the concerns of a dynamic PPP home user will be different from those of a company connecting their machine to the Internet, or another large network.
  - How much time would it take to retrieve/recreate any data that was lost? An initial time investment now can save ten times more time later if you have to recreate data that was lost. Have you checked your backup strategy, and verified your data lately?
Slide 16
Section 1 – Issue 6
- Developing A Security Policy
  - Create a simple, generic policy for your system that your users can readily understand and follow. It should protect the data you're safeguarding as well as the privacy of the users. Some things to consider adding are: who has access to the system (Can my friend use my account?), who's allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system.
Slide 17
  - A generally-accepted security policy starts with the phrase "That which is not permitted is prohibited".
    - This means that unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access. Make sure the policies work on your regular user account. Saying, "Ah, I can't figure out this permissions problem, I'll just do it as root" can lead to security holes that are very obvious, and even ones that haven't been exploited yet.
    - RFC 1244 is a document that describes how to create your own network security policy.
    - RFC 1281 is a document that shows an example security policy with detailed descriptions of each step.
    - Finally, you might want to look at the COAST policy archive at ftp://coast.cs.purdue.edu/pub/doc/policy to see what a real-life security policy looks like. There are policy files for public download.
Slide 18
Section 1 – Issue 7
- Means of Securing Your Site
  - What would happen to your reputation if an intruder deleted some of your users' data? Or defaced your web site? Or published your company's corporate project plan for next quarter? If you are planning a network installation, there are many factors you must take into account before adding a single machine to your network.
  - Even if you have a single dial-up PPP account, or just a small site, this does not mean intruders won't be interested in your systems. Large, high-profile sites are not the only targets; many intruders simply want to exploit as many sites as possible, regardless of their size. Additionally, they may use a security hole in your site to gain access to other sites you're connected to.
  - Intruders have a lot of time on their hands, and can avoid guessing how you've obscured your system just by trying all the possibilities. There are also a number of reasons an intruder may be interested in your systems, which we will discuss later.
Slide 19
Section 1 – Issue 8
- Host Security
  - Perhaps the area of security on which administrators concentrate most is host-based security. This typically involves making sure your own system is secure, and hoping everyone else on your network does the same. Choosing good passwords, securing your host's local network services, keeping good accounting records, and upgrading programs with known security exploits are among the things the local security administrator is responsible for doing. Although this is absolutely necessary, it can become a daunting task once your network becomes larger than a few machines.
Slide 20
Section 1 – Issue 9
- Local Network Security
  - Network security is as necessary as local host security. With hundreds, thousands, or more computers on the same network, you can't rely on each one of those systems being secure. Ensuring that only authorized users can use your network, building firewalls, using strong encryption, and ensuring there are no "rogue" (that is, unsecured) machines on your network are all part of the network security administrator's duties.
Slide 21
Section 1 – Issue 10
- Security Through Obscurity
  - One type of security that must be discussed is "security through obscurity". This means, for example, moving a service that has known security vulnerabilities to a non-standard port in hopes that attackers won't notice it's there and thus won't exploit it. Rest assured that they can determine that it's there and will exploit it. Security through obscurity is no security at all. Simply because you may have a small site, or a relatively low profile, does not mean an intruder won't be interested in what you have.
Slide 22
Section 1 – Issue 11
- Physical Security
  - The first layer of security you need to take into account is the physical security of your computer systems. Who has direct physical access to your machine? Should they? Can you protect your machine from their tampering? Should you?
  - How much physical security you need on your system is very dependent on your situation, and/or budget.
Slide 24
Section 1 – Issue 12
- Computer locks
  - Many modern PC cases include a "locking" feature. Usually this will be a socket on the front of the case that allows you to turn an included key to a locked or unlocked position. Case locks can help prevent someone from stealing your PC, or opening up the case and directly manipulating/stealing your hardware. They can also sometimes prevent someone from rebooting your computer from their own floppy or other hardware.
Slide 25
  - These case locks do different things according to the support in the motherboard and how the case is constructed. On many PCs they make it so you have to break the case to get the case open. On some others, they will not let you plug in new keyboards or mice. Check your motherboard or case instructions for more information. This can sometimes be a very useful feature, even though the locks are usually very low-quality and can easily be defeated by attackers with locksmithing.
  - Some machines (most notably SPARCs and Macs) have a dongle on the back that, if you put a cable through, attackers would have to cut the cable or break the case to get into it. Just putting a padlock or combo lock through these can be a good deterrent to someone stealing your machine.
Slide 26
Section 2
Hacking, attacking, defending and auditing
Slide 27
Section 2 – Issue 1
- To be able to defend and audit, you should know how to hack (think like a hacker).
Slide 28
Section 2 – Issue 2
- Packet Sniffers
  - One of the most common ways intruders gain access to more systems on your network is by employing a packet sniffer on an already compromised host. This "sniffer" just listens on the Ethernet port for things like passwd and login and su in the packet stream and then logs the traffic after that. This way, attackers gain passwords for systems they are not even attempting to break into. Cleartext passwords are very vulnerable to this attack.
  - Example: Host A has been compromised. The attacker installs a sniffer. The sniffer picks up the admin logging into Host B from Host C. It gets the admin's personal password as they log in to B. Then, the admin does a su to fix a problem. They now have the root password for Host B. Later the admin lets someone telnet from his account to Host Z on another site. Now the attacker has a password/login on Host Z.
Slide 29
  - In this day and age, the attacker doesn't even need to compromise a system to do this: they could also bring a laptop or PC into a building and tap into your net.
  - Using ssh or other encrypted password methods thwarts this attack. Things like APOP for POP accounts also prevent this attack. (Normal POP logins are very vulnerable to this, as is anything that sends cleartext passwords over the network.)
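The sniffer scenario above works because telnet, rlogin, FTP and plain POP send the password in the clear, so the defender's first step is to find out which hosts still accept such logins. The Python script below is an added example, not code from the study guide or the Linux Security HOWTO: it reads constructed lines in the shape `tcpdump -nn` prints TCP packets, keeps only the packets that open a connection (a bare SYN), and reports each destination host that is accepting cleartext-login services. POP3 on port 110 is the edge case the slide mentions: the same port is safe with APOP and exposed with USER/PASS, and the header alone cannot tell which, so it is reported for manual checking rather than guessed. The port table and the sample addresses are my assumptions.

```python
"""Inventory hosts still accepting cleartext-login services from tcpdump output.

Added example, not from the study guide or the Linux Security HOWTO.
Input lines are constructed in the shape `tcpdump -nn` prints TCP packets.
"""
import re
from collections import defaultdict

# "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Well-known ports whose standard login sends the password unencrypted
# (assumed inventory; extend it to match the site's services).
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 23: "telnet", 143: "imap", 513: "rlogin"}
# Encrypted replacement the slide recommends (ssh) plus TLS-wrapped mail ports.
PROTECTED_PORTS = {22: "ssh", 993: "imaps", 995: "pop3s"}
# POP3: cleartext with USER/PASS, safe with APOP; the header cannot tell which.
POP3_PORT = 110


def parse_connection(line):
    """Return (src, dst, dport) for a line that opens a connection, else None.

    Only a bare SYN (flags exactly "S") counts, so each TCP connection is
    counted once and the server's SYN-ACK ("S.") or later data is skipped.
    """
    m = TCPDUMP_RE.match(line)
    if m is None or m.group("flags") != "S":
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def classify_port(dport):
    """Verdict for a destination port: cleartext, protected, check-apop or other."""
    if dport in PROTECTED_PORTS:
        return "protected"
    if dport in CLEARTEXT_LOGIN_PORTS:
        return "cleartext"
    if dport == POP3_PORT:
        return "check-apop"
    return "other"


def exposure_report(lines):
    """Map each destination host to the (service, verdict) pairs needing attention.

    Protected and non-login ports are dropped: the report lists only where a
    sniffer on the segment could harvest a password, or where APOP use must
    be confirmed by hand.
    """
    report = defaultdict(set)
    for line in lines:
        conn = parse_connection(line)
        if conn is None:
            continue
        _src, dst, dport = conn
        verdict = classify_port(dport)
        if verdict == "cleartext":
            report[dst].add((CLEARTEXT_LOGIN_PORTS[dport], verdict))
        elif verdict == "check-apop":
            report[dst].add(("pop3", verdict))
    return {host: sorted(pairs) for host, pairs in report.items()}


# Constructed capture (RFC 5737 documentation addresses).
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 192.0.2.10.51000 > 192.0.2.20.23: Flags [S], seq 100, win 64240, length 0",
    "12:00:01.000500 IP 192.0.2.20.23 > 192.0.2.10.51000: Flags [S.], seq 200, ack 101, win 65535, length 0",
    "12:00:02.000000 IP 192.0.2.10.51001 > 192.0.2.20.22: Flags [S], seq 300, win 64240, length 0",
    "12:00:03.000000 IP 192.0.2.11.40000 > 192.0.2.30.110: Flags [S], seq 400, win 64240, length 0",
    "12:00:04.000000 IP 192.0.2.12.40001 > 192.0.2.40.21: Flags [S], seq 500, win 64240, length 0",
    "12:00:05.000000 IP 192.0.2.12.40002 > 192.0.2.40.80: Flags [S], seq 600, win 64240, length 0",
    "12:00:06.000000 IP 192.0.2.12.40001 > 192.0.2.40.21: Flags [P.], seq 501:520, ack 1, win 64240, length 19",
]

if __name__ == "__main__":
    for host, pairs in sorted(exposure_report(SAMPLE_CAPTURE).items()):
        print(host, ", ".join(f"{svc} ({verdict})" for svc, verdict in pairs))
```

Run against a real capture with `tcpdump -nn tcp | python3 this_script.py` adapted to read stdin; the hosts it lists are the ones where the slide's Host B scenario can still happen, and the fix is the one the slide gives: ssh in place of telnet/rlogin, APOP or POP over TLS in place of plain POP.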
Slide 30
Section 2 – Issue 3
- SATAN, ISS, and Other Network Scanners
  - There are a number of different software packages out there that do port- and service-based scanning of machines or networks. SATAN, ISS, SAINT, and Nessus are some of the more well-known ones. This software connects to the target machine (or all the target machines on a network) on all the ports it can, and tries to determine what service is running there. Based on this information, you can tell if the machine is vulnerable to a specific exploit on that server.
- SATAN (Security Administrator's Tool for Analyzing Networks) is a port scanner with a web interface. It can be configured to do light, medium, or strong checks on a machine or a network of machines. It's a good idea to get SATAN and scan your machine or network, and fix the problems it finds. Make sure you get the copy of SATAN from metalab or a reputable FTP or web site. There was a Trojan copy of SATAN that was distributed out on the net. Note that SATAN has not been updated in quite a while, and some of the other tools below might do a better job.
Slide 31
- ISS (Internet Security Scanner) is another port-based scanner. It is faster than SATAN, and thus might be better for large networks. However, SATAN tends to provide more information.
- Abacus is a suite of tools developed by Psionic to provide host-based security and intrusion detection.
Slide 32
- SAINT is an updated version of SATAN. It is web-based and has many more up-to-date tests than SATAN.
- Nessus is a free security scanner. It has a graphical interface for ease of use. It is also designed with a very nice plugin setup for newly updated port-scanning tests.
Slide 33
- Security scanners are often used in the process of security auditing as well as footprinting.
  - Footprinting is the first step in hackers' information gathering. To perform a successful attack, one needs to gather information on all aspects of the prospective organization's security posture: the profile of their Intranet, remote access capabilities, and intranet/extranet presence, etc.
Slide 34
- Footprinting relies on information gathering. These are popular sources of such information:
  - American Registry for Internet Numbers
  - CERT®/CC Finding Site Contacts
  - InterNIC
  - Network Operations Centers List
  - Network Solutions
  - US Securities and Exchange Commission
  - Enumeration is also an information gathering technique, but an intrusive one!
    - It is the process of extracting valid user accounts, poorly protected file shares or other resources from a target system.
    - This process is usually logged.
Slide 35
  - Security auditing performed before anything has happened typically involves the use of security scanners and other tools to test the security level of the network.
Slide 36
  - Security auditing performed after things have gone wrong typically involves the examination of the audit trail.
    - However, the presence of rootkits and track-covering tools may hinder this process.
  - Rootkits are tools used by hackers to hide their presence on compromised systems. They are mostly collections of trojaned binaries that replace the common commands.
  - Track-covering tools can wipe out the audit logs. Examples include Wipe and Zap.
Slide 37
Section 2 – Issue 4
- Detecting Port Scans
  - There are some tools designed to alert you to probes by SATAN and ISS and other scanning software. However, if you liberally use tcp_wrappers, and look over your log files regularly, you should be able to notice such probes. Even on the lowest setting, SATAN still leaves traces in the logs on a stock Red Hat system.
  - There are also "stealth" port scanners. A packet with the TCP ACK bit set (as is done with established connections) will likely get through a packet-filtering firewall. The returned RST packet from a port that had no established session can be taken as proof of life on that port. I don't think TCP wrappers will detect this.
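The slide's advice is to "look over your log files regularly" for the traces tcp_wrappers leaves. The Python below is an added example, not the study guide's or the HOWTO's code: it parses constructed syslog lines in the style tcpd writes ("connect from" / "refused connect from"), groups them by remote address, and flags any source that touched several different wrapped services within a short window, which is what a SATAN-style probe looks like from the inside. The log format, the thresholds and the addresses are assumptions. The caveat from the second bullet applies: an ACK scan never reaches the wrapper, so nothing here sees it; that is a job for the packet-filter's own logging.

```python
"""Spot multi-service probes in tcp_wrappers style syslog lines.

Added example, not from the study guide or the Linux Security HOWTO.
The log lines below are constructed in the shape tcpd logs through syslog:
  <Mon dd HH:MM:SS> <host> <daemon>[pid]: connect from <remote>
  <Mon dd HH:MM:SS> <host> <daemon>[pid]: refused connect from <remote>
"""
import re
from collections import defaultdict
from datetime import datetime

WRAPPER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.-]+)\[\d+\]: (?P<verdict>refused connect|connect) from (?P<remote>\S+)$"
)


def parse_wrapper_line(line, year=2009):
    """Return (timestamp, remote, daemon, verdict) or None for non-wrapper lines.

    syslog omits the year, so the caller supplies it (assumed 2009 here).
    """
    m = WRAPPER_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("remote"), m.group("daemon"), m.group("verdict")


def detect_probes(lines, window_seconds=60, min_services=3):
    """Return {remote: services_touched} for sources that hit at least
    min_services distinct wrapped daemons within any window of window_seconds.

    A legitimate user talks to one or two services; a scanner walks the
    service list quickly. Slow scans need a wider window (see the usage note).
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_wrapper_line(line)
        if parsed is not None:
            ts, remote, daemon, _verdict = parsed
            events[remote].append((ts, daemon))

    alerts = {}
    for remote, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            services = {daemon for _, daemon in evs[start:end + 1]}
            if len(services) >= min_services:
                alerts[remote] = max(alerts.get(remote, 0), len(services))
    return alerts


# Constructed log: one fast probe, one slow probe, one ordinary user, one unrelated line.
SAMPLE_LOG = [
    "Jan 10 03:14:01 gateway in.telnetd[2312]: refused connect from 198.51.100.7",
    "Jan 10 03:14:03 gateway in.ftpd[2313]: refused connect from 198.51.100.7",
    "Jan 10 03:14:04 gateway in.fingerd[2314]: refused connect from 198.51.100.7",
    "Jan 10 03:14:05 gateway CRON[2316]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 10 03:14:09 gateway in.rshd[2315]: refused connect from 198.51.100.7",
    "Jan 10 03:15:30 gateway in.telnetd[2320]: connect from 192.0.2.5",
    "Jan 10 03:20:12 gateway in.ftpd[2330]: connect from 192.0.2.5",
    "Jan 10 03:00:00 gateway in.telnetd[2200]: refused connect from 203.0.113.9",
    "Jan 10 03:05:00 gateway in.ftpd[2201]: refused connect from 203.0.113.9",
    "Jan 10 03:10:00 gateway in.fingerd[2202]: refused connect from 203.0.113.9",
]

if __name__ == "__main__":
    print("60-second window:", detect_probes(SAMPLE_LOG))
    print("15-minute window:", detect_probes(SAMPLE_LOG, window_seconds=900))
```

With the default one-minute window only the fast probe from 198.51.100.7 is reported; widening the window to fifteen minutes also catches the slow walk from 203.0.113.9, while the user at 192.0.2.5, who used two services, is never flagged. Tune the two thresholds to the site: a smaller window with a lower service count trades missed slow scans for fewer false alarms.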
Slide 38
Section 2 – Issue 5
n Denial of Service Attacks
q A "Denial of Service" (DoS) attack is one where the
attacker tries to make some resource too busy to answer
legitimate requests, or to deny legitimate users access to
your machine.
q Denial of service attacks have increased greatly in recent
years.
249
Notes:
Slide 39
q There is no fixed format of DoS. In fact, there are
many types of DoS attacks that are based on tons
of different methods. A Denial of Service Attack
can be based on crashing routers which makes a
network inaccessible, crashing DNS servers
which prevents the use of Domain Names,
congesting hosts with requests…etc etc – it can
be anything that stops things from working.
q A DoS Attack is ALWAYS used in conjunction
with an another attack.
250
Notes:
Slide 40
q SYN Flooding SYN flooding is a network denial
of service attack. It takes advantage of a
"loophole" in the way TCP connections are
created.
n Sometimes known as Synk4
n Systems which fall prey to the Syn Flooding attack will
have difficulty accepting any new incoming network
connections. Therefore, legitimate users attempting to
connect to the server will not be able to do so.
251
Notes:
Slide 41
  - Pentium "F00F" Bug: It was recently discovered that a sequence of assembly instructions sent to a genuine Intel Pentium processor would reboot the machine. This affects every machine with a Pentium processor (not clones, not Pentium Pro or PII), no matter what operating system it's running.
Slide 42
  - Ping Flooding / Smurf / Fraggle: Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network.
    - A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably.
    - Smurf attacks are network amplification attacks.
    - The Fraggle attack is similar to the Smurf attack except that it uses UDP echo packets, not ICMP echoes.
Slide 44
  - Land / LaTierra: The Land attack uses IP spoofing in combination with the opening of a TCP connection. Both the source and destination IP addresses are modified to be the same: the address of the destination host. It misleads the machine into continuing to send ACK packets and thus remaining in the loop. The LaTierra attack is similar, except that LaTierra sends the TCP packet to more than one port and more than once.
Slide 45
  - Blast: a small and quick TCP service stress test tool that can spot potential weaknesses in your network servers.
    - It can be used as a tool for generating a DoS attack!
  - Bonk: an attack that modifies the fragment offset.
    - Also known as "teardrop reversed".
Slide 46
- There are many ways to protect oneself against DoS attacks. The most popular ways are:
  - patching the networking code of the OS kernel
  - configuring the network with protective devices such as firewalls.
Slide 47
Section 2 – Issue 6
- Firewalls
  - Firewalls are a means of controlling what information is allowed into and out of your local network. Typically the firewall host is connected to the Internet and your local LAN, and the only access from your LAN to the Internet is through the firewall. This way the firewall can control what passes back and forth between the Internet and your LAN.
Slide 48
  - There are a number of types of firewalls and methods of setting them up.
    - Linux machines make pretty good firewalls. Firewall code can be built right into 2.0 and higher kernels. The user-space tools, ipfwadm for 2.0 kernels and ipchains for 2.2 kernels, allow you to change, on the fly, the types of network traffic you allow. You can also log particular types of network traffic.
    - Windows 2000 provides simple packet filtering functions.
    - Windows XP provides Internet Connection Firewall.
Slide 50
  - The National Institute of Standards and Technology has put together an excellent document on firewalls. Although dated 1995, it is still quite good (http://csrc.nist.gov/).
Slide 51
Section 2 – Issue 7
- BIOS Security
  - The BIOS is the lowest level of software that configures or manipulates your x86-based hardware. All boot methods access the BIOS to determine how to boot up your machine. Other hardware has similar software (OpenFirmware on Macs and new Suns, Sun boot PROM, etc.). You can use your BIOS to prevent attackers from rebooting your machine and manipulating your system.
  - Many PC BIOSes let you set a boot password. This doesn't provide all that much security (the BIOS can be reset, or removed if someone can get into the case), but it might be a good deterrent (i.e. it will take time and leave traces of tampering). This might slow attackers down.
Slide 52
  - Many x86 BIOSes also allow you to specify various other good security settings. Check your BIOS manual or look at it the next time you boot up. For example, some BIOSes disallow booting from floppy drives and some require passwords to access some BIOS features.
  - Note: If you have a server machine and you set up a boot password, your machine will not boot up unattended. Keep in mind that you will need to come in and supply the password in the event of a power failure.
Slide 53
Section 2 – Issue 8
- DLL Injection
  - A method of inserting malicious code into another running process so that access to some otherwise restricted piece of information is possible.
Slide 54
Section 2 – Issue 9
- Back Door
  - An easy route back into an already compromised system that was put in place by the current attacker or a previous attacker. It may be a program that binds itself to a specific port and listens for the attacker to connect to it, or a pre-tested exploit that is configured by the attacker for future reuse.
Slide 55
Section 2 – Issue 10
- Privilege escalation
  - The stage of penetration that occurs AFTER an attacker has already gained access to a system.
  - It aims at gaining administrator-level privileges on the system.
Slide 56
Section 2 – Issue 11
- War dialing
  - Attack through the phone system.
  - War dialers were originally developed by and for phone phreaks seeking free long-distance service.
    - They are well suited to the task of scanning and finding modems for possible network entry.
    - Examples include:
      - Telesweep Secure
      - PhoneSweep
      - THC-Scan
Slide 57
Section 2 – Issue 12
- Purloining and Pilfering
  - Often referred to as image and bandwidth theft.
  - Digital watermarking is one way to protect against image theft.
Slide 58
Section 3
Encryption and VPN
Slide 59
Section 3 – Issue 1
- VPNs: Virtual Private Networks
  - VPNs are a way to establish a "virtual" network on top of some already-existing network. This virtual network is often encrypted and passes traffic only to and from some known entities that have joined the network. VPNs are often used to connect someone working at home over the public Internet to an internal company network.
  - VPNs use authenticated links to ensure that only authorized users can connect to your network, and they use encryption to ensure that data that travels over the Internet can't be intercepted and used by others. VPN technology also allows a corporation to connect to its branch offices or to other companies over a public network while maintaining secure communications.
  - In Windows 2000, VPNs are built using PPTP or L2TP.
Slide 60
- Point-to-Point Tunneling Protocol (PPTP) provides data encryption using Microsoft Point-to-Point Encryption.
- Layer Two Tunneling Protocol (L2TP) provides data encryption, authentication, and integrity using IPSec.
  - PPTP is suitable for non-Windows 2000 computers.
  - L2TP is suitable for Windows 2000 or Windows XP clients.
- If you want to try out configuring a VPN with Windows 2000, read the MS KB article 308208.
Slide 61
Section 3 – Issue 2
- According to Webopedia, "As the Internet and other forms of electronic communication become more prevalent, electronic security is becoming increasingly important. Cryptography is used to protect email messages, credit card information, and corporate data. One of the most popular cryptography systems used on the Internet is Pretty Good Privacy because it's effective and free. Cryptography systems can be broadly classified into symmetric-key systems that use a single key that both the sender and recipient have, and public-key systems that use two keys, a public key known to everyone and a private key that only the recipient of messages uses."
Slide 62
Section 3 – Issue 3
- CA
  - Certification authorities are responsible for managing certificate requests and issuing certificates to participating IPSec network peers. These services provide centralized key management for the participating peers and simplify administration.
Slide 63
Section 3 – Issue 4
- Digital signatures
  - Digital signatures are enabled by public key cryptography and provide a means to digitally authenticate devices and individual users.
  - In public key cryptography, each user has a key pair containing both a public and a private key. Anything encrypted with one of the keys can be decrypted with the other.
  - In simple terms, a signature is formed when data is encrypted with a user's private key. The receiver verifies the signature by decrypting the message with the sender's public key.
  - The fact that the message could be decrypted using the sender's public key shows that the holder of the private key must have created the message.
Slide 64
  - How can you know with a high degree of certainty that a public key really does belong to the sender, and not to someone pretending to be the sender?
    - Use digital certificates. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department or IP address. It also contains a copy of the entity's public key.
Slide 65
- Since the certificate is itself signed by a certification authority, it is trustworthy.
- To be able to validate the CA's signature, the receiver must know the CA's public key. This is usually handled out-of-band or through an operation done at installation.
  - Without digital signatures, one must manually exchange public keys or secrets between each pair of peers that use IPSec to protect communications between them.
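The signature and certificate checks the last three slides describe, worked through as an added example that is not part of the study guide: textbook RSA on constructed toy primes (far too small for real use, and without the padding real signature schemes need), a CA that signs a certificate binding a name to a public key, and a receiver that trusts the certified key only after checking the CA's signature with a CA public key it obtained out-of-band. The party names, key sizes and function names are all assumptions made for the example.

```python
import hashlib
from math import gcd

# Textbook RSA on constructed toy primes: enough to see how the pieces fit,
# useless as real protection (tiny modulus, no padding).
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)                 # private exponent (Python 3.8+)
    return (e, n), (d, n)               # (public key, private key)

def digest(data: bytes, n: int) -> int:
    # What actually gets signed: the hash of the data, reduced into range.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data: bytes) -> int:
    d, n = private_key
    return pow(digest(data, n), d, n)   # "encrypt" the digest with the private key

def verify(public_key, data: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)  # "decrypt" with the public key

def cert_body(subject: str, public_key) -> bytes:
    # The part of the certificate the CA signs: identity plus public key.
    e, n = public_key
    return f"{subject}|{e}|{n}".encode()

def issue_cert(ca_private, subject: str, subject_public) -> dict:
    body = cert_body(subject, subject_public)
    return {"subject": subject, "public_key": subject_public,
            "ca_signature": sign(ca_private, body)}

def verify_signed_message(cert: dict, ca_public, expected_subject: str,
                          message: bytes, signature: int) -> bool:
    # Step 1: is this certificate for the sender we expect, and did the CA
    # (whose public key was installed out-of-band) sign it?
    if cert["subject"] != expected_subject:
        return False
    body = cert_body(cert["subject"], cert["public_key"])
    if not verify(ca_public, body, cert["ca_signature"]):
        return False
    # Step 2: only now is the certified key trusted to check the message.
    return verify(cert["public_key"], message, signature)

# Constructed parties: the CA, a legitimate sender and an impostor.
CA_PUB, CA_PRIV = make_keypair(10007, 10009)
ALICE_PUB, ALICE_PRIV = make_keypair(10037, 10039)
MALLORY_PUB, MALLORY_PRIV = make_keypair(10007, 10037)

def demo() -> dict:
    message = b"transfer approved"
    alice_cert = issue_cert(CA_PRIV, "alice", ALICE_PUB)
    # A look-alike certificate for "alice" signed with the impostor's own
    # key: the receiver must reject it because the CA never signed it.
    forged_cert = issue_cert(MALLORY_PRIV, "alice", MALLORY_PUB)
    sig = sign(ALICE_PRIV, message)
    return {
        "genuine": verify_signed_message(alice_cert, CA_PUB, "alice", message, sig),
        "tampered": verify_signed_message(alice_cert, CA_PUB, "alice",
                                          b"transfer denied", sig),
        "forged_cert": verify_signed_message(forged_cert, CA_PUB, "alice",
                                             message, sign(MALLORY_PRIV, message)),
    }
```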
Slide 66
Section 3 – Issue 5
- Legal issues
  - Be careful when deploying cryptography technology overseas. According to Webopedia, "PGP is such an effective encryption tool that the U.S. government actually brought a lawsuit against Zimmerman for putting it in the public domain and hence making it available to enemies of the U.S. After a public outcry, the U.S. lawsuit was dropped, but it is still illegal to use PGP in many other countries."
  - By the way, if you want to learn more about PGP, refer to its official home page at PGPI.ORG.
Slide 67
Section 4
Responding to attacks
Slide 68
Section 4 – Issue 1
- Security Compromise Underway
  - Spotting a security compromise under way can be a tense undertaking. How you react can have large consequences.
  - If the compromise you are seeing is a physical one, odds are you have spotted someone who has broken into your home, office or lab. You should notify your local authorities. In a lab, you might have spotted someone trying to open a case or reboot a machine. Depending on your authority and procedures, you might ask them to stop, or contact your local security people.
Slide 70
  - The syslog daemon can be configured to automatically send log data to a central syslog server, but this is typically sent unencrypted, allowing an intruder to view data as it is being transferred. This may reveal information about your network that is not intended to be public. There are syslog daemons available that encrypt the data as it is being sent.
  - Also be aware that faking syslog messages is easy, an exploit program having been published. Syslog even accepts network log entries claiming to come from the local host without indicating their true origin.
Slide 71
  - Some things to check for in your logs:
    - Short or incomplete logs.
    - Logs containing strange timestamps.
    - Logs with incorrect permissions or ownership.
    - Records of reboots or restarting of services.
    - Missing logs.
    - su entries or logins from strange places.
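The checklist above turned into a script, as an added example that is not from the study guide: it runs over constructed syslog lines and flags timestamps that go backwards, reboot and service-restart records, su entries, and logins from outside an assumed trusted network (10.0.0.0/8 stands in for your own site's addresses); the sample lines, the trusted range and the function names are all assumptions for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in classic syslog format (not real log data). It
# deliberately contains an out-of-order timestamp, a su to root, a login
# from outside the trusted network and reboot/restart records.
SAMPLE_LOG = """\
Mar 14 02:10:33 gw sshd[812]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 14 02:11:05 gw su: bob to root on /dev/pts/1
Mar 14 01:58:40 gw sshd[901]: Accepted password for bob from 203.0.113.7 port 40222 ssh2
Mar 14 02:40:12 gw syslogd 1.4.1: restart.
Mar 14 02:40:15 gw kernel: Linux version 2.2.19 (root@gw)
"""

# Assumed "known places": networks from which logins are expected.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
SU_RE = re.compile(r"\bsu(\[\d+\])?: ")
RESTART_RE = re.compile(r"kernel: Linux version|syslogd .*restart|shutting down", re.I)

def parse_ts(text: str, year: int) -> datetime:
    # Classic syslog omits the year, so one is supplied to make lines comparable.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def audit_log(text: str, trusted=TRUSTED_NETS, year: int = 2009) -> list:
    """Return (line number, finding) pairs for the checks on the slide."""
    findings = []
    latest = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable line"))   # possibly truncated
            continue
        ts = parse_ts(m["ts"], year)
        # Strange timestamps: syslog appends in order, so a step backwards
        # suggests clock tampering or an edited file.
        if latest is not None and ts < latest:
            findings.append((lineno, "timestamp goes backwards"))
        latest = ts if latest is None else max(latest, ts)
        msg = m["msg"]
        if RESTART_RE.search(msg):
            findings.append((lineno, "reboot or service restart"))
        if SU_RE.search(msg):
            findings.append((lineno, "su entry"))
        login = LOGIN_RE.search(msg)
        if login and not any(ip_address(login["ip"]) in net for net in trusted):
            findings.append((lineno, f"login from untrusted address {login['ip']}"))
    if not text.strip():
        findings.append((0, "empty log"))   # short or missing log
    return findings
```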
Slide 73
  - If you are unable to disconnect the network (if you have a busy site, or you do not have physical control of your machines), the next best step is to use something like tcp_wrappers or ipfwadm to deny access from the intruder's site.
  - If you can't deny all people from the same site as the intruder, locking the user's account will have to do. Note that locking an account is not an easy thing. You have to keep in mind .rhosts files, FTP access, and a host of possible backdoors.
  - After you have done one of the above (disconnected the network, denied access from their site, and/or disabled their account), you need to kill all their user processes and log them off.
  - You should monitor your site well for the next few minutes, as the attacker will try to get back in, perhaps using a different account and/or from a different network address.
Slide 74
Section 4 – Issue 2
- Security Compromise has already happened
  - So you have either detected a compromise that has already happened, or you have detected it and locked (hopefully) the offending attacker out of your system. Now what?
- Closing the Hole
  - If you are able to determine what means the attacker used to get into your system, you should try to close that hole. For instance, perhaps you see several FTP entries just before the user logged in. Disable the FTP service and check to see if there is an updated version, or if any of the lists know of a fix.
  - Check all your log files, and make a visit to your security lists and pages and see if there are any new common exploits you can fix.
Slide 75
- Assessing the Damage
  - The first thing is to assess the damage. What has been compromised? If you are running an integrity checker like Tripwire, you can use it to perform an integrity check; it should help to tell you what has been compromised. If not, you will have to look around at all your important data.
  - Since systems are getting easier and easier to install, you might consider saving your config files, wiping your disk(s), reinstalling, then restoring your user files and your config files from backups. This will ensure that you have a new, clean system. If you have to restore files from the compromised system, be especially cautious of any binaries that you restore, as they may be Trojan horses placed there by the intruder.
Slide 76
  - Reinstallation should be considered mandatory once an intruder has obtained root access. Additionally, you'd like to keep any evidence there is, so having a spare disk in the safe may make sense.
  - Then you have to worry about how long ago the compromise happened, and whether the backups hold any damaged work. More on backups later.
Slide 77
- Backups, Backups, Backups!
  - Having regular backups is a godsend for security matters. If your system is compromised, you can restore the data you need from backups. Of course, some data is valuable to the attacker too, and they will not only destroy it, they will steal it and have their own copies; but at least you will still have the data.
Slide 78
  - You should check several backups back into the past before restoring a file that has been tampered with. The intruder could have compromised your files long ago, and you could have made many successful backups of the compromised file!
  - Of course, there are also a raft of security concerns with backups. Make sure you are storing them in a secure place. Know who has access to them. (If an attacker can get your backups, they can have access to all your data without you ever knowing it.)
Slide 79
- Tracking Down the Intruder
  - OK, you have locked the intruder out and recovered your system, but you're not quite done yet. While it is unlikely that most intruders will ever be caught, you should report the attack.
  - You should report the attack to the admin contact at the site from which the attacker attacked your system. You can look up this contact with whois or the InterNIC database. You might send them an email with all applicable log entries and dates and times. If you spotted anything else distinctive about your intruder, you might mention that too. After sending the email, you should (if you are so inclined) follow up with a phone call. If that admin in turn spots your attacker, they might be able to talk to the admin of the site where they are coming from, and so on.
Slide 80
  - Good crackers often use many intermediate systems, some (or many) of which may not even know they have been compromised. Trying to track a cracker back to their home system can be difficult. Being polite to the admins you talk to can go a long way toward getting help from them.
  - You should also notify any security organizations you are a part of (CERT or similar), as well as your system vendor.
Slide 81
Section 5
Virus
Slide 82
Section 5 – Issue 1
- Computer virus: a computer program which reproduces itself through legitimate processes in computer programs and operating systems. It can alter the behavior of a program or operating system without the knowledge of computer users.
  - It is itself written with malicious purposes in mind.
Slide 83
Section 5 – Issue 2
- To know the CURRENT LATEST info on the various viruses, visit the following web sites:
  - WildList Organization International, the world's premier source of information on which viruses are spreading In the Wild (http://www.wildlist.org/).
  - The Virus Bulletin, an international antivirus publication that keeps track of the occurrence of computer viruses (http://www.virusbtn.com/).
Slide 84
Section 5 – Issue 3
- Virus experts in general prefer to categorize viruses by:
  - their behaviors
  - the affected operating system platforms
  - the type of programming languages used to develop them
Slide 85
Section 5 – Issue 4
- A majority of early viruses were Program Viruses that infected programs which ended in the .com and .exe file extensions.
  - They infect executable files by placing their programming instructions inside the other programs.
  - They do NOT infect .BAT files, since .BAT files are simply text-based scripts. They can be embedded into .BAT files for execution, though.
  - They cannot bypass antivirus software.
Slide 86
Section 5 – Issue 5
- Script viruses mostly affect scripting languages like Microsoft Visual Basic and JavaScript, which have become commonplace.
- Macro viruses mostly affect business software, such as MS Office. Macros let users automate a series of commands inside documents or spreadsheets. Macro instructions can easily be modified by viruses to perform erratic behaviors.
- All these viruses can be detected by today's antivirus software packages.
Slide 87
Section 5 – Issue 6
- Boot sector viruses infect the hidden startup programs built into diskette media and hard drives.
  - Since they start before the operating system is loaded, they can easily bypass the antivirus software.
Slide 88
Section 5 – Issue 7
- To further spread viruses, virus writers developed Trojan horses: programs that trick users into starting them and then install malicious software.
- Hybrid viruses are another type of "latest invention". They can act in more than one way; as an example, an Internet worm may be able to infect program files.
Slide 89
Section 5 – Issue 8
- Melissa
  - A very famous virus.
  - Appearing in March 1999, it spread quickly and caused massive trouble worldwide. In fact, Microsoft had to shut down four out of six incoming mail servers under the strain produced by Melissa.
Slide 90
Congratulations!
- You have completed all the sections.
- For the latest product information, please visit our web sites:
  - www.ExamREVIEW.NET
Excellent public resources
Some of these web resources may have expired at the time you read this document. If so, please do a web search through Yahoo or Google using the resource title as the search subject. Good luck.
http://csrc.nist.gov/publications/drafts/DRAFT-SP800-92.pdf
http://csrc.nist.gov/publications/drafts/Draft-sp800-26Rev1.pdf
This draft document brings the assessment process up to date with key standards and guidelines developed by NIST.
April 21, 2006: Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
http://csrc.nist.gov/publications/drafts/SP800-53A-spd.pdf
http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3%20_March2006.pdf
The draft defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures. Three techniques are allowed: DSA, RSA and ECDSA. This draft includes requirements for obtaining the assurances necessary for valid digital signatures.
http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf
Sample IS Audit Questionnaire
You may download the latest sample questionnaire via the web link below:
http://www.examreview.net/IT_Questionnaire.pdf