
CISA Certified Information Systems Auditor module Study Guide


Page 1: CISA Certified Information Systems Auditor module Study Guide

The Number One Source of Exam and On-the-Job Information, 2009 Ed.: CISA ExamESSENTIALS Study Guide

Study Information for Exam Candidates

CISA ExamESSENTIALS Guide

ExamREVIEW PRO & ExamREVIEW PRESS 2009

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Covering the 2009 Syllabus


Important – Please Read

Due to the variety of fonts installed on the users' systems, Acrobat may prompt you to download an additional language component (which is FREE from Adobe anyway).

If you receive a message saying that a Traditional Chinese language pack has to be downloaded in order to load this eBook, please click YES to have Acrobat download the update. The size of the update is about 7M. Don’t worry, this download is safe.

Table of Contents

END USER LICENSE AGREEMENT 7
EXAM FORMAT 13
ABOUT THIS BOOK 14
EXAM TOPICS 15
EXAM REGISTRATION CONTACTS 19
STUDY PSYCHOLOGY & EXAM TACTICS 20
KEY EXAM STRATEGIES 21
  STRATEGY ONE: KEYWORD OR KEY PHRASE MATCHING 21
  STRATEGY TWO: CHOICES GROUPING 22
  STRATEGY THREE: THINK TRICKY 23
SECURITY THEORIES 25
  THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM 27
  DEFENSE IN DEPTH 27
  VULNERABILITIES 28
  SECURITY MEASURES 45
  STANDARDS AND GUIDELINES 49
IS ORGANIZATION AND INFORMATION ASSETS PROTECTION 55
  THE STAKEHOLDERS 56
  THE BOARD 57
  THE AUDIT MANAGER 58
  AUDIT PERSONNEL 59
IS CONTROLS 61
  THE IMPORTANCE OF THE USE OF CONTROLS 61
  CLASSIFICATION OF CONTROLS 62
  GENERAL CONTROLS VS APPLICATION CONTROLS 63
ACCESS CONTROL AND THE AUDITING PROCESS 66
  ACCESS CONTROL MODELS 66
  ACLS VERSUS CAPABILITIES 68
  WHAT IS ORANGE BOOK, BY THE WAY? 69
  TYPES OF ACCESS CONTROL 70
  THE AAA CONCEPT 71
  ESTABLISHING ACCOUNTABILITY THROUGH EVENT LOGGING 74
  THE AUDIT PROCESS 75
  THE SARBANES–OXLEY ACT AND THE COSO FRAMEWORK 76
  WHAT IS AUDITING, BY THE WAY? 79
  THE ROLE OF AN AUDITOR 82
  THE AUDIT PROCESS FLOW 83
  OVERALL STRATEGIES 88
  AUDIT PLANNING 90
  RECOMMENDED TYPES OF AUDIT 100
  EXAMPLE AUDIT OBJECTIVES AND PROCEDURES 103
  AUDIT FIELDWORKS 111
  AUDIT PROGRAM 115
  AUDIT REPORT 116
  AUDIT FOLLOW-UP 118
  AUDIT ASSESSMENT 120
IT STRATEGIC PLANNING 121
  IT STRATEGIC PLANNING DEFINED 121
  THE ROLE OF IS AUDITING IN THE PLANNING PROCESS 122
  IN-HOUSE OR OUT-SOURCE? 123
  AVOIDING CONFLICTS OF INTERESTS 124
PROTECTION OF INFORMATION ASSETS THROUGH SECURITY POLICY 126
  INFORMATION ASSETS DEFINED 126
  DATA CLASSIFICATIONS AND LAYER OF RESPONSIBILITIES 129
  SECURITY POLICY 131
  SECURITY MODELS AND MODES OF OPERATIONS 138
  EXAMPLE POLICY 141
  CONSEQUENCES OF VIOLATIONS 143
  EVALUATION 144
  ORGANIZATION SPECIFIC CLASSIFICATION SCHEME 145
  CHANGE CONTROL 146
BUSINESS CONTINUITY PLANNING 148
  DEFINITION 148
  BCP VS BPCP VS DRP 149
  BCP PHASES 150
  STAKEHOLDERS AND CRISIS COMMUNICATIONS 151
  THE RISK ASSESSMENT FLOW 153
  RISK VS THREAT AND VULNERABILITY 158
  IDENTIFYING RISKS 159
  LOSS CALCULATIONS 161
  BUSINESS IMPACT ANALYSIS DEFINED 164
  BIA GOALS AND STEPS 165
  BIA CHECKLIST 166
  PREPARING FOR EMERGENCY 168
  MANAGING RECOVERY 170
  TESTING THE PLAN 172
  USER ACCEPTANCE 174
  PLAN MAINTENANCE 174
  INCIDENT HANDLING 177
RISK MANAGEMENT 180
  RISK MANAGEMENT DEFINED 181
  THE RISK MANAGEMENT STEPS 181
  IS AUDITING AND RISK MANAGEMENT 183
  RISK-BASED AUDITING 184
  RISK MANAGEMENT READINGS 185
PROJECT MANAGEMENT 187
  PROJECT MANAGEMENT DEFINED 187
  PROJECT MANAGEMENT AND AUDIT 188
CHANGE MANAGEMENT 190
  CHANGE MANAGEMENT DEFINED 190
  CHANGE MANAGEMENT STRATEGIES 192
  CHANGE MANAGEMENT VS CHANGE CONTROL VS CONFIGURATION MANAGEMENT 194
  CHANGE CONTROL 196
APPLICATION PROGRAM DEVELOPMENT 203
  GENERAL GUIDELINES 203
  SYSTEM CHANGE CONTROL 204
  SOFTWARE DEVELOPMENT PROCESSES AND MODELS 205
  BUY VS MAKE: ACQUISITION MANAGEMENT METHODS 208
TECHNICAL READINGS 211
  SECTION 1: TOPICS ON SECURITY THEORY 211
  SECTION 2: TOPICS ON HACKING, ATTACKING, DEFENDING AND AUDITING 211
  SECTION 3: TOPICS ON ENCRYPTION AND VPN 211
  SECTION 4: TOPICS ON RESPONDING TO ATTACKS 211
  SECTION 5: TOPICS ON VIRUSES 211
EXCELLENT PUBLIC RESOURCES 302
SAMPLE IS AUDIT QUESTIONNAIRE 307
END OF STUDY GUIDE 308


End User License Agreement

The CISA ExamESSENTIALS Guide (the "Book") is a certification study product provided by ExamREVIEW Press (including ExamREVIEW.NET and SystemREVIEW.NET, being referred to as “ExamREVIEW.NET” in this document), subject to your compliance with the terms and conditions set forth below.

PLEASE READ THIS DOCUMENT CAREFULLY BEFORE ACCESSING OR USING THE BOOK. BY ACCESSING OR USING THE BOOK, YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS SET FORTH BELOW. IF YOU DO NOT WISH TO BE BOUND BY THESE TERMS AND CONDITIONS, YOU MAY NOT ACCESS OR USE THE BOOK. EXAMREVIEW.NET MAY MODIFY THIS AGREEMENT AT ANY TIME, AND SUCH MODIFICATIONS SHALL BE EFFECTIVE IMMEDIATELY UPON POSTING OF THE MODIFIED AGREEMENT ON THE CORPORATE SITE OF EXAMREVIEW.NET. YOU AGREE TO REVIEW THE AGREEMENT PERIODICALLY TO BE AWARE OF SUCH MODIFICATIONS AND YOUR CONTINUED ACCESS OR USE OF THE BOOK SHALL BE DEEMED YOUR CONCLUSIVE ACCEPTANCE OF THE MODIFIED AGREEMENT.

1. Copyright and Licenses.

License Grant This Agreement entitles you to install and use one copy of the Book. In addition, you may make one archival copy of the Book. The archival copy must be on a storage medium other than a hard drive, and may only be used for the reinstallation of the Book. This Agreement does not permit the installation or use of multiple copies of the Book, or the installation of the Book on more than one computer at any given time, on a system that allows shared use of applications, on a multi-user network, or on any configuration or system of computers that allows multiple users. Multiple copy use or installation is only allowed if you obtain an appropriate licensing agreement for each user and each copy of the Book. For further information regarding multiple-copy licensing of the Book, please contact: [email protected]

Restrictions on Transfer Without first obtaining the express written consent of ExamREVIEW.NET, you may not assign your rights and obligations under this Agreement, or redistribute, encumber, sell, rent, lease, sublicense, or otherwise transfer your rights to the Book.

Restrictions on Use You may not use, copy, or install the Book on any system with more than one computer, or permit the use, copying, or installation of the Book by more than one user or on more than one computer. If you hold multiple, validly licensed copies, you may not use, copy, or install the Book on any system with more than the number of computers permitted by license, or permit the use, copying, or installation by more users, or on more computers than the number permitted by license.

You may not decompile, "reverse-engineer", disassemble, or otherwise attempt to derive the source code for the Book.

Restrictions on Alteration You may not modify the Book or create any derivative work of the Book or its accompanying documentation. Derivative works include but are not limited to translations. You may not alter any files or libraries in any portion of the Book. You may not reproduce the database portion or create any tables or reports relating to the database portion.


Restrictions on Copying You may not copy any part of the Book except to the extent that licensed use inherently demands the creation of a temporary copy stored in computer memory and not permanently affixed on storage medium. You may make one archival copy which must be stored on a medium other than a computer hard drive.

TRADEMARKS.

CISA ExamESSENTIALS Guide /or any other names of ExamREVIEW.NET or its publications, products, content or services referenced herein or on the Book are the exclusive trademarks or servicemarks of ExamREVIEW.NET. Other product and company names mentioned in the Book may be the trademarks of their respective owners.

2. Use of the Book.

You understand that, except for information, products or services clearly identified as being supplied by ExamREVIEW.NET, ExamREVIEW.NET does not operate, control or endorse any information, products or services on the Internet in any way. Except for information, products or services explicitly identified as ExamREVIEW.NET's, all information, products and services offered through the Book or on the Internet generally are offered by third parties that are not affiliated with ExamREVIEW.NET.

YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE BOOK AND THE INTERNET. EXAMREVIEW.NET PROVIDES THE BOOK AND RELATED INFORMATION "AS IS" AND DOES NOT MAKE ANY EXPRESS OR IMPLIED WARRANTIES, REPRESENTATIONS OR ENDORSEMENTS WHATSOEVER (INCLUDING WITHOUT LIMITATION WARRANTIES OF TITLE OR NONINFRINGEMENT, OR THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE) WITH REGARD TO THE BOOK, ANY INFORMATION OR SERVICE PROVIDED THROUGH THE BOOK, AND EXAMREVIEW.NET SHALL NOT BE LIABLE FOR ANY COST OR DAMAGE ARISING EITHER DIRECTLY OR INDIRECTLY FROM ANY SUCH. IT IS SOLELY YOUR RESPONSIBILITY TO EVALUATE THE ACCURACY, COMPLETENESS AND USEFULNESS OF ALL OPINIONS, ADVICE, AND OTHER INFORMATION PROVIDED THROUGH THE BOOK.

LIMITATION OF LIABILITY

IN NO EVENT WILL EXAMREVIEW.NET BE LIABLE FOR (I) ANY INCIDENTAL, CONSEQUENTIAL, OR INDIRECT DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR INFORMATION, AND THE LIKE) ARISING OUT OF THE USE OF OR INABILITY TO USE THE BOOK. EVEN IF EXAMREVIEW.NET OR ITS AUTHORIZED REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR (II) ANY CLAIM ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN THE BOOK. BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. IN SUCH STATES, EXAMREVIEW.NET LIABILITY IS LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW.

ExamREVIEW.NET makes no representations whatsoever about any other web site that is referenced in the Book. When you access a non-ExamREVIEW.NET web site, please understand that it is independent from ExamREVIEW.NET, and that ExamREVIEW.NET has no control over the content on that web site. In addition, a link to a non-ExamREVIEW.NET web site does not mean that ExamREVIEW.NET endorses or accepts any responsibility for the content, or the use, of such web site.

3. Indemnification.

You agree to indemnify, defend and hold harmless ExamREVIEW.NET, its officers, directors, employees, agents, licensors, suppliers and any third party information providers to the Book from and against all losses, expenses, damages and costs, including reasonable attorneys' fees, resulting from any violation of this Agreement (including negligent or wrongful conduct) by you or any other person using the Book.

4. Third Party Rights.


The provisions of paragraphs 2 (Use of the Book), and 3 (Indemnification) are for the benefit of ExamREVIEW.NET and its officers, directors, employees, agents, licensors, suppliers, and any third party information providers to the Book. Each of these individuals or entities shall have the right to assert and enforce those provisions directly against you on its own behalf.

5. Termination.

This Agreement may be terminated by either party without notice at any time for any reason. The provisions of paragraphs 1 (Copyright, Licenses and Idea Submissions), 2 (Use of the Book), 3 (Indemnification), 4 (Third Party Rights) and 6 (Miscellaneous) shall survive any termination of this Agreement.

6. Miscellaneous.

This Agreement shall be governed and construed in accordance with the laws of Hong Kong applicable to agreements made and to be performed in Hong Kong. You agree that any legal action or proceeding between ExamREVIEW.NET and you for any purpose concerning this Agreement or the parties' obligations hereunder shall be brought exclusively in a court of competent jurisdiction sitting in Hong Kong. Any cause of action or claim you may have with respect to the Book must be commenced within one (1) year after the claim or cause of action arises, or such claim or cause of action is barred. ExamREVIEW.NET's failure to insist upon or enforce strict performance of any provision of this Agreement shall not be construed as a waiver of any provision or right. Neither the course of conduct between the parties nor trade practice shall act to modify any provision of this Agreement. ExamREVIEW.NET may assign its rights and duties under this Agreement to any party at any time without notice to you.

Any rights not expressly granted herein are reserved.


Every effort has been made to ensure the accuracy of this book. If you have comments, questions, or ideas regarding this book, please let us know by emailing to this address: [email protected]

This electronic book was originally created as a print book. For simplicity, the electronic version of this book has been modified as little as possible from its original form.

Exam Format

The following question formats are used in the CISA exams:

Text Based Multiple-choice: The examinee selects one option that best answers the question or completes a statement.

Multiple-response: The examinee selects multiple options that best answer the question or complete a statement.

Sample Directions (Scenario): Read the statement or question and from the response options, select only the option(s) that represent the BEST possible answer(s).

There are no fill in the blank questions. There are no graphical questions.

You will mostly be asked to pick one choice as the answer. However, some questions will require you to pick multiple items – something like “i and ii”, “i, iii & v” …etc.

• For international candidates, it takes about two months to receive the results.

• As of 2004 all CISA exams are paper and pencil based.

About this book

The CISA exam has a lot of questions that ask for your "best decisions" - of the hundreds of questions you will encounter in the exam, a significant portion of them require that you pick the best possible options. These best options are often based on expert advice and best practices not found in the standard exam text books.

Our CISA ExamESSENTIALS Guide goes the expert-advice way. Instead of giving you the hard facts, we give you information that covers the best practices. With this information, you will always be able to make the most appropriate expert judgment in the exam.

If you are looking for the hard facts, visit the following ISACA link:

http://www.isaca.org/TemplateRedirect.cfm?Template=/ContentManagement/ContentDisplay.cfm&ContentID=15262

* In case this link no longer works, refer to the Standards section of ISACA’s web site.

This is the place where most “official” IS auditing standards and guidelines are listed. In the exam you will encounter certain questions that test your memorization skills – you will have to get these hard facts “fully loaded” into your memory. We believe that the official published material is the best source of information in this regard.


Our guide focuses on the best business practice and expert advice side of the exam.

Exam Topics

The official exam objectives can be found from the CISA exam page:

http://www.isaca.org/cisaexam

I personally do not recommend that you spend too much time on these objectives. The reasons are:

• many of them simply require nothing but basic common sense – you will be able to answer the corresponding questions easily anyway

• the list is way too detailed – if you go through them one by one, it will take you a year or so to finish

• many of the objectives are heavily overlapped

• to me, they look confusing

Instead, I prefer to focus on the following areas (because they often involve topics that do not have fixed answers but instead require the “best possible” options):

• Access control models.

• The auditing process.

• IT strategic planning.

• Protection policy for information assets.

• Business continuity planning.

• Risk management.

• Project management.

• Change management.

Why do we choose these topics? Firstly, according to many recent CISA “graduates”, these are the topics that frequently give them surprises. Secondly, if you watch closely what ISACA at present offers together with the Big 5 accounting firms, you should notice that these topics are always emphasized.

Most candidates fail the exam because they focus too much on the IT side of the exam, with little or no preparation on the auditing-related disciplines. Remember, a large number of the CISA exam candidates are from the accounting profession, where business auditing is a major daily duty.

The exam is about 40% TECHNOLOGY and 60% BUSINESS PRACTICE.

Tech gurus do not really have an edge, because no in-depth or advanced technologies are tested here. Instead, the "practical business people" with sufficient technology knowledge rule.

The tech questions are easy because they are (and are bound to be) straightforward. The business practice related questions are difficult because business rationales are never straightforward – too many factors come into play, which makes every scenario highly complicated.

And remember, technology does not mean IT technology alone. It also means physical security technology as well as biometrics, and many more. As of the time of this writing the state of biometrics technology is very sophisticated and accurate, but it is highly expensive. Other potential barriers include user acceptance, enrollment time and throughput. Still, it is gaining ground, especially in environments where security is CRITICAL.

Take a look at the security measures your company has implemented and critically assess their features and effectiveness. This will help.


!!! Biometrics is an important topic. Check out the various forms of biometrics technology described in this web page: http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm

Exam Registration Contacts

The CISA exam is offered throughout the world twice a year (in June and in December). The best way to register for the exam is to request the exam bulletin from the ISACA Certification Department via email at [email protected] or by phone at +1.847.253.1545.

I do recommend that you register early. As I remember, there is an early bird discount available …

Study Psychology & Exam Tactics

• Always plan ahead!

• Always maintain a positive attitude.

• Prepare systematically using ExamReview materials.

• Ensure you have enough sleep! Health is essential for maintaining a fighting spirit.

• Arrive at the test center in time to have a margin of safety.

• Dress yourself in a manner with emphasis on comfort. Always have a coat ready just in case the A/C is way too powerful.

• Read the exam instructions carefully before answering the first question.

Key exam strategies

To be successful in the CISA exam, you must know how the questions are structured. The official saying is that the CISA examination will require the candidates to answer questions and to make judgments based on the information learned in courses and on their own professional experiences. Based on our experiences, however, tackling CISA questions involves several major strategies:

Strategy One: Keyword or key phrase matching.

Example: Which of the following would be included in an information security strategic plan?

A. Specifications for planned hardware purchases

B. Analysis of future business objectives

C. Target dates for information security projects

D. Annual budgetary targets for the security department

The key phrase here is "strategic plan". As we all know, a strategic plan is a very high level thing. Looking at the choices, only choice B has a high-level element, which is "business objectives". Therefore, B is the correct answer.

Strategy Two: Choices grouping.

Example: The MOST important responsibility of an information security manager in an organization is:

A. recommending and monitoring security policies.

B. promoting security awareness within the organization.

C. establishing procedures for security policies.

D. administering physical and logical access controls.

When you try to classify or group the choices, you will find that choices B, C and D can be classified into one group – a group of implementation activities. Choice A, on the other hand, takes place way before the implementation phase. Therefore, choice A is the answer.

Strategy Three: Think tricky.

You need to know how to pick the BEST answer out of several technically possible answers. To do this you need to think tricky – the questions are always written with trickiness in mind (believe me, this is exactly the case with most ISACA exam questions).

As an example, you are asked to evaluate the following statements:

• In the context of information security, the term Granularity refers to the level of detail to which a trusted system can authenticate users.

• In the context of information security, the term Granularity refers to the level of detail to which imperfections of a trusted system can be measured.

• In the context of information security, the term Granularity refers to the level of detail to which packets can be filtered.

• In the context of information security, the term Granularity refers to the level of detail to which an access control system can be adjusted.

Which statement is the BEST one?

To pick the BEST choice, you must keep in mind that Granularity is a term which could be applied to a multitude of usages within the context of IT security. It can be for packet filtering, and it can also be for user access. The last statement says "access control system" without specifying its exact type. It is therefore representative of almost all possible types of access control system. You know what, this is exactly the type of answer expected. Kinda tricky, isn't it?


Security Theories

A security stance is a default position on security matters. The 2 primary security stances are:

(i) "Everything not explicitly permitted is forbidden" (default deny). This improves security at the cost of functionality. It is a good approach to use if you have lots of security threats. This stance follows the principle of least privilege (sometimes also known as the principle of least authority, POLA): every module of a computing environment should be able to access only those resources that are necessary to its legitimate purpose. Do keep in mind that an over-restrictive system can sacrifice usability; the lack of flexibility can also hinder usability.

(ii) "Everything not explicitly forbidden is permitted" (default permit). This allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible. Many earlier Windows systems gave Everyone full control, which is no good security-wise.
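To make the two stances concrete, here is a small policy evaluator, added as an example and not code from the study guide. The rule format, the principals (backup-svc, web-svc), the paths and the "Everyone: full control" rule are all constructed for illustration. The same rule set is evaluated under default deny and under default permit, and the privileges() helper enumerates what a principal ends up being able to do, which is the question least privilege asks.

```python
"""Added example (not from the study guide): one rule set under two stances."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    principal: str   # "*" matches any principal
    resource: str    # "*" matches any resource
    action: str      # "*" matches any action
    effect: str      # "allow" or "deny"

    def matches(self, principal, resource, action):
        pairs = ((self.principal, principal), (self.resource, resource), (self.action, action))
        return all(pattern in ("*", value) for pattern, value in pairs)


class Policy:
    def __init__(self, rules, default_deny):
        self.rules = tuple(rules)
        self.default_deny = default_deny

    def decide(self, principal, resource, action):
        matched = [r for r in self.rules if r.matches(principal, resource, action)]
        if any(r.effect == "deny" for r in matched):
            return False                  # an explicit deny always wins
        if any(r.effect == "allow" for r in matched):
            return True
        return not self.default_deny      # nothing matched: the stance decides

    def privileges(self, principal, resources, actions):
        """Everything the principal may do: the least-privilege review question."""
        return sorted((res, act) for res in resources for act in actions
                      if self.decide(principal, res, act))


# Constructed rule set: each service is granted only what its job needs,
# and a sensitive file is denied to everyone regardless of stance.
RULES = (
    Rule("backup-svc", "/data/db", "read", "allow"),
    Rule("web-svc", "/var/www", "read", "allow"),
    Rule("web-svc", "/var/www", "write", "allow"),
    Rule("*", "/etc/shadow", "*", "deny"),
)
RESOURCES = ("/data/db", "/var/www", "/etc/shadow")
ACTIONS = ("read", "write")

DEFAULT_DENY = Policy(RULES, default_deny=True)
DEFAULT_PERMIT = Policy(RULES, default_deny=False)
# A blanket allow (the "Everyone: full control" pattern) turns a default-deny
# system into default permit in practice: only explicit denies still bite.
EVERYONE_FULL_CONTROL = Policy(RULES + (Rule("*", "*", "*", "allow"),), default_deny=True)


def compare_stances(principal, resource, action):
    """Decision for one request under each of the three policies."""
    return {
        "default_deny": DEFAULT_DENY.decide(principal, resource, action),
        "default_permit": DEFAULT_PERMIT.decide(principal, resource, action),
        "everyone_full_control": EVERYONE_FULL_CONTROL.decide(principal, resource, action),
    }


if __name__ == "__main__":
    print(compare_stances("backup-svc", "/data/db", "write"))
    print(DEFAULT_DENY.privileges("backup-svc", RESOURCES, ACTIONS))
    print(DEFAULT_PERMIT.privileges("backup-svc", RESOURCES, ACTIONS))
```

The write request from backup-svc to /data/db is refused under default deny, granted under default permit, and granted again once the blanket allow is present; only the explicit deny on /etc/shadow survives all three. Listing privileges() per principal is the check an auditor runs when asking whether a system actually implements least privilege rather than merely claiming a default-deny stance.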


Proper balance of security risks is needed for implementing practical computing systems.

There are two different approaches to security in computing. One focuses mainly on external threats, and generally treats the computer system itself as a trusted system. The other regards the computer system itself as largely an untrusted system, and redesigns it to make it more secure in a number of ways. Most current real-world computer security efforts take the first approach. Some observers consider this to be a disastrous mistake, and point out that this distinction is the cause of much of the insecurity of current computer systems - once an attacker has subverted one part of a system without fine-grained security, he or she usually has access to most or all of the features of that system. In other words, this security stance tends to produce insecure systems.

The 'trusted systems' approach has been predominant in the design of many earlier software products, due to the long-standing emphasis on functionality and 'ease of use' over security.


The computer system itself as largely an untrusted system

The "untrusted system" approach seeks to enforce the principle of least privilege to a great extent, where an entity has only the privileges that are needed for its function. That way, even if an attacker has subverted one part of the system, fine-grained security ensures that it is just as difficult for them to subvert the rest. Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. Where formal correctness proofs are not possible, rigorous use of code review and unit testing can be used to make modules as secure as possible.

Defense in depth

From a technical perspective, designs that use the above-mentioned technique often make use of the concept of "defense in depth", where more than one subsystem needs to be compromised to compromise the security of the system and the information it holds.

A typical defense in depth approach divides the key security elements into layers for creating a cohesive defense strategy. To ensure effective IT security, you must design, implement, and manage IT security controls for each layer of this layered model. As an example: you may divide your controls into the layers of network, hardware, software, and data.

From a broader perspective, an important principle of the Defense in Depth strategy is that in order to achieve Information Assurance you need to maintain a balanced focus on the critical elements of People, Technology and Operations.

In any case, security should not be viewed as an all-or-nothing issue. The designers and operators of systems should assume that security breaches are inevitable in the long term, and that full audit trails should be kept of system activity so that when a security breach occurs, the mechanism and extent of the breach can be determined. In fact, storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks.
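The append-only audit trail just described can be made tamper-evident even on the host itself. The following is an added example, not code from the study guide, and it goes one step beyond the text: each entry commits to the hash of the entry before it (a hash chain), so an intruder who edits or deletes an earlier record breaks every link after it. The event records are constructed; the anchor parameter stands for the head hash that would be stored on the remote, append-only collector.

```python
"""Added example (not from the study guide): a hash-chained, append-only audit log."""
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # fixed anchor for the very first entry (constructed constant)


def entry_hash(prev_hash, seq, record):
    """Hash of this entry; it covers the previous hash, so the chain is linked."""
    payload = json.dumps({"seq": seq, "record": record}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AppendOnlyLog:
    def __init__(self):
        self._entries = []

    def append(self, record):
        seq = len(self._entries)
        prev = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        self._entries.append({"seq": seq, "record": copy.deepcopy(record),
                              "hash": entry_hash(prev, seq, record)})
        return self._entries[-1]["hash"]

    def entries(self):
        return copy.deepcopy(self._entries)

    def head(self):
        """Current head hash: this is what you ship to the remote collector."""
        return self._entries[-1]["hash"] if self._entries else GENESIS_HASH


def verify_chain(entries, anchor=None):
    """Return (ok, first_bad_seq). Detects modification, insertion and deletion
    inside the chain; deletion of the tail is only caught when `anchor`, the
    head hash kept off-host, is supplied."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e["seq"] != i or entry_hash(prev, i, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return False, len(entries)
    return True, None


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "host": "db01"},
    {"user": "alice", "action": "config_change", "host": "db01"},
    {"user": "alice", "action": "logout", "host": "db01"},
    {"user": "bob", "action": "login", "host": "db01"},
]


def build_sample_log():
    log = AppendOnlyLog()
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log


def modified_copy(entries, seq, field, value):
    """What an intruder editing one record in place leaves behind."""
    out = copy.deepcopy(entries)
    out[seq]["record"][field] = value
    return out


def deleted_copy(entries, seq):
    """What an intruder removing one record leaves behind."""
    return [copy.deepcopy(e) for e in entries if e["seq"] != seq]


if __name__ == "__main__":
    log = build_sample_log()
    entries = log.entries()
    print(verify_chain(entries))                                   # (True, None)
    print(verify_chain(modified_copy(entries, 1, "action", "login")))  # (False, 1)
    print(verify_chain(deleted_copy(entries, 2)))                  # (False, 2)
    print(verify_chain(entries[:-1]))                              # (True, None): tail loss unseen
    print(verify_chain(entries[:-1], anchor=log.head()))           # (False, 3): caught by anchor
```

The chain alone does not stop an intruder with write access from recomputing every hash after the edit; what it does is force them to also change the head hash, and that value lives on the remote collector they cannot append to retroactively. That is why the text's "remote, append-only" requirement and this local chain complement each other rather than substitute for one another.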

Vulnerabilities

To understand the techniques for securing a computer system, it is important to first understand the various types of attacks that can be made against it. These threats can typically be classified into the following categories:

• You may think of a salami attack as a concept that can be applied to scenarios with and without relation to computing. In general, a salami attack is said to have taken place when tiny amounts of assets are systematically acquired from a very large number of sources. Since the process takes place below the threshold of perception and detection, an ongoing accumulation of assets bit by bit is made possible. An example: the digits representing currency on a financial institution's computer could be modified in such a way that values to the right of the pennies field are automatically rounded down. The salami concept can also apply to information gathering - aggregating small amounts of information from many sources in an attempt to derive an overall picture of an organization.

• Bribes and extortion can occur! With promises or threats that cause your staff to violate their trust, information security can be at risk big time! This is more of an HR issue, but still you need to think of ways to safeguard security assuming bribery is not entirely impossible.

• Software flaws such as buffer overflows are often exploited to gain control of a computer, or to cause it to operate in an unexpected manner.
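A reconciliation control is how an auditor catches the rounding variant of the salami attack described above. This is an added example, not from the study guide; the amounts are constructed. Honest rounding to the nearest cent produces errors that are equally likely to be up or down, so their sum stays near zero, while always rounding down produces a bias of about half a cent per item that grows linearly with volume. The control compares the exact computed amounts with the amounts actually posted and flags a residual that is statistically too large.

```python
"""Added example (not from the study guide): detecting systematic round-down on posted amounts."""
import math
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")


def sample_exact_amounts(n=1000):
    """Constructed 'computed' amounts (think interest before posting) with five
    decimal places, so every item carries fractional cents."""
    return [Decimal((i * 1234567) % 10_000_000) / Decimal(100_000) for i in range(1, n + 1)]


def post_honest(exact):
    """Correct posting: round to the nearest cent (banker's rounding)."""
    return [a.quantize(CENT, rounding=ROUND_HALF_EVEN) for a in exact]


def post_salami(exact):
    """Tampered posting: always round down; the shaved fractions are diverted."""
    return [a.quantize(CENT, rounding=ROUND_DOWN) for a in exact]


def rounding_residual(exact, posted):
    """Total (posted - exact) in cents, and its z-score under honest rounding.
    Each honest item's error is roughly uniform on [-0.5, 0.5) cents, variance
    1/12, so the sum of n errors has standard deviation sqrt(n/12)."""
    total = sum(((p - e) / CENT for p, e in zip(posted, exact)), Decimal(0))
    sd = math.sqrt(len(exact) / 12)
    return float(total), float(total) / sd


def is_suspicious(exact, posted, z_threshold=4.0):
    """Reconciliation check: a residual beyond a few standard deviations is
    not rounding noise and warrants a look at the posting code."""
    _, z = rounding_residual(exact, posted)
    return abs(z) > z_threshold


if __name__ == "__main__":
    exact = sample_exact_amounts()
    print(rounding_residual(exact, post_honest(exact)))   # about (+/-0.5, +/-0.05)
    print(rounding_residual(exact, post_salami(exact)))   # about (-499.5, -54.7)
```

On 1,000 items the honest run leaves a residual of half a cent at most, while the round-down run is short by nearly five dollars with a z-score around -55: invisible per transaction, unmistakable in aggregate. The same reconciliation generalises to any process where a computed value is rounded before being posted.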

NOTE: A buffer overflow (buffer overrun) is a programming error which may result in a memory access exception - that is, a process attempts to store data beyond the fixed boundaries of a buffer area. With careless programming, this kind of access attempt can be triggered by malicious input. Stack-based buffer overflows and heap-based buffer overflows are the 2 popular types of attack of this nature. Techniques such as static code analysis can help prevent such attacks. You should also always opt for the use of safe libraries.
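The note above names static code analysis as a preventive control. The following is an added example, not from the study guide, of the simplest form of that control: a scanner that flags calls to C library functions which copy or format into a buffer without taking its size, and suggests the bounded replacement. The C source it scans is constructed for the example; the function list and the replacements are standard C library facts.

```python
"""Added example (not from the study guide): flag unbounded C string calls."""
import re
from typing import NamedTuple

# Function -> bounded alternative. These calls take no destination size, which is
# what makes an overflow possible when the input is longer than the buffer.
UNSAFE_CALLS = {
    "gets": "fgets() with the buffer size",
    "strcpy": "strncpy()/strlcpy() with the destination size, or snprintf()",
    "strcat": "strncat()/strlcat() with the remaining space",
    "sprintf": "snprintf() with the destination size",
    "vsprintf": "vsnprintf() with the destination size",
}

# \b keeps fgets() and strcpy_s() from matching gets() and strcpy().
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, UNSAFE_CALLS)) + r")\s*\(")


class Finding(NamedTuple):
    line: int
    call: str
    advice: str


def scan_c_source(source):
    """Return one Finding per unsafe call, in source order. Line comments are
    ignored; block comments and string literals are not (a known limitation
    of this toy scanner, acceptable for a first pass)."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        code = text.split("//", 1)[0]
        for match in CALL_RE.finditer(code):
            name = match.group(1)
            findings.append(Finding(lineno, name, UNSAFE_CALLS[name]))
    return findings


# Constructed C source for the demonstration (not from any real project).
SAMPLE_C = "\n".join([
    "#include <string.h>",
    "#include <stdio.h>",
    "void greet(const char *name) {",
    "    char buf[16];",
    "    strcpy(buf, name);               // unbounded copy into a 16-byte buffer",
    "    // strcpy(buf, name) inside a comment must not be reported",
    "    char line[64];",
    "    fgets(line, sizeof line, stdin);  // bounded read: not flagged",
    "    sprintf(buf, \"%s!\", line);       // no limit on the formatted length",
    "}",
])


def report(source):
    """Human-readable report lines for the findings."""
    return [f"line {f.line}: {f.call}() has no bound; use {f.advice}" for f in scan_c_source(source)]


if __name__ == "__main__":
    for line in report(SAMPLE_C):
        print(line)
```

Two of the three library calls in the sample are reported (strcpy on line 5, sprintf on line 9); the bounded fgets() and the call mentioned only in a comment are not. Real analyzers go much further (data-flow, taint tracking), but the exam point stands: the unbounded calls are a defect you can find before the code ships.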

• Many development methodologies rely on testing to ensure the quality of any code released; this process often fails to discover extremely unusual potential exploits. The term "exploit" generally refers to small programs designed to take advantage of a software flaw that has been discovered, either remote or local.

NOTE: As a pre-attack activity, footprinting refers to the technique of collecting information about systems through techniques such as ping sweeps, TCP scans, OS identification, domain queries and DNS interrogation. Tools involved may include samspade, nslookup, traceroute, neotrace and the like. Passive fingerprinting, on the other hand, is based primarily on sniffer traces from the remote system. Rather than proactively querying a remote system, you capture packets that pass by instead.

l Any data that is transmitted over an IP network is at some risk of being eavesdropped or even modified. Voice over IP has the same security issues as running regular applications which rely on IP for transmission.

NOTE: The OSI model is a layered model which gives abstract description for network protocol design. It is a seven layer model, and IP runs at layer 3, even though the TCP/IP suite itself has its own 4 layer structure. TCP runs at OSI layer 4, which is on top of IP, for providing connection oriented service in between the sender and the recipient.

TCP provides reliable, ordered delivery on top of IP's best-effort service. Every TCP segment carries a TCP header with the source and destination ports, a sequence number identifying the first data byte in the segment, and an acknowledgment number indicating the next byte the recipient expects. The original header defines six flag bits, URG, ACK, PSH, RST, SYN and FIN (two more, ECE and CWR, were added later for explicit congestion notification). Keep in mind that TCP makes no assumptions about the underlying IP network; loss, reordering and duplication are all handled by TCP itself.


You can think of ports as the endpoints of every TCP connection. Examples of well-known ports include HTTP on port 80 and HTTPS (HTTP over SSL/TLS) on port 443.

ICMP is a special case. It runs alongside IP at the network layer and is used mostly for one-way informational and error messages to a networked host. "ping" is a utility that uses ICMP echo request and echo reply messages.

The four header fields attackers usually examine to determine the remote operating system are TTL (the Time To Live on the outbound packet), the TCP window size, DF (the Don't Fragment bit) and the TOS (Type of Service) field. Note that three of these (TTL, DF, TOS) live in the IP header; only the window size is a TCP field. By analyzing these values and comparing them with a database of signatures, there is a fair chance you can tell what the remote operating system is, since each TCP/IP stack initializes them differently.
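The following is an added worked example, not code from this study guide: it builds a raw IPv4/TCP SYN, pulls out exactly the four fields just discussed (plus the TCP flag bits described earlier), estimates the sender's initial TTL and hop distance, and matches against a signature table. The packet bytes and the signature table are constructed for illustration; the initial TTL values of 64 (Linux/BSD), 128 (Windows) and 255 (Cisco/Solaris) are well known, but the window sizes are illustrative only, and real tools such as p0f use far larger databases keyed on many more fields.

```python
"""Passive fingerprinting from an IPv4/TCP header: extract TTL, DF, TOS and
window size and compare them with a small (constructed) signature table.
Added example; not code from the study guide."""
import struct

# TCP flag bit positions, low bit first. The six classic flags are the low
# six bits; ECE and CWR were added later for ECN.
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")

# Constructed signatures: initial TTL, DF bit, TOS and window size -> label.
SIGNATURES = [
    {"os": "Linux 2.x (constructed signature)", "ttl": 64, "df": True, "tos": 0, "window": 5840},
    {"os": "Windows XP (constructed signature)", "ttl": 128, "df": True, "tos": 0, "window": 65535},
    {"os": "Cisco IOS (constructed signature)", "ttl": 255, "df": False, "tos": 0, "window": 4128},
]


def build_syn(ttl, df, tos, window, sport=40000, dport=80):
    """Construct a minimal IPv4 + TCP SYN. Checksums are left at zero because
    only the fields we parse matter for this demonstration."""
    flags_frag = 0x4000 if df else 0           # DF is bit 14 of the flags/fragment word
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            (4 << 4) | 5,       # version 4, IHL 5 (20-byte header)
                            tos, 40, 0x1234, flags_frag, ttl,
                            6,                  # protocol 6 = TCP
                            0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_header = struct.pack("!HHIIHHHH",
                             sport, dport, 1000, 0,
                             (5 << 12) | 0x02,  # data offset 5 words, SYN flag only
                             window, 0, 0)
    return ip_header + tcp_header


def parse_ip_tcp(packet):
    """Return the fingerprint-relevant fields of a raw IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    tos = packet[1]
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    ttl = packet[8]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:ihl + 20]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << bit)]
    return {"tos": tos, "ttl": ttl, "df": bool(flags_frag & 0x4000),
            "window": window, "sport": sport, "dport": dport, "flags": flags}


def guess_initial_ttl(observed_ttl):
    """Stacks start at 32, 64, 128 or 255; each router decrements by one, so
    the initial value is the smallest of these not below what we observed."""
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial
    raise ValueError("impossible TTL")


def fingerprint(packet):
    """Return (matching OS labels, estimated hop count) for a captured SYN."""
    f = parse_ip_tcp(packet)
    initial = guess_initial_ttl(f["ttl"])
    matches = [s["os"] for s in SIGNATURES
               if s["ttl"] == initial and s["df"] == f["df"]
               and s["tos"] == f["tos"] and s["window"] == f["window"]]
    return matches, initial - f["ttl"]


if __name__ == "__main__":
    # A SYN that has crossed 12 routers from a Linux-like stack (constructed).
    captured = build_syn(ttl=52, df=True, tos=0, window=5840)
    print(parse_ip_tcp(captured))
    print(fingerprint(captured))
```

Note that the hop estimate only works because initial TTLs cluster at a few well-known values; a stack configured with a non-standard initial TTL, or a host behind a NAT that rewrites TTL, will defeat both the hop count and the OS guess.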

l Non-IP networks are also highly hackable. Sniffing was very common on shared-medium Ethernet (a hub delivers every frame to every station) and remains a concern on IP networks generally.

A packet sniffer (another name for a protocol analyzer) can be deployed to intercept and log network traffic that passes through the network. It can capture unicast, multicast and broadcast traffic, provided that you put your network adapter into promiscuous mode (on a switched network you will only see your own traffic plus broadcasts unless you also use a mirror port or an ARP-spoofing attack). You may sniff to analyze network problems, or to gain information for launching a network attack.

Wireshark (formerly Ethereal) is a free protocol analyzer you may use for network troubleshooting and sniffing. The functionality it offers is similar to tcpdump, but it provides a GUI for ease of use.

l Even machines that operate as a closed system can be eavesdropped upon by monitoring the faint electromagnetic emanations generated by the hardware; TEMPEST is the name of the (originally US government) standard and countermeasures program that addresses such emanations.

l Wireless networks are highly hackable.

NOTE: In the world of WLAN, a BSS (basic service set) refers to a set of wireless stations that communicate with each other. The two types of BSS are the independent BSS and the infrastructure BSS. The former is an ad-hoc network with no access point; the latter requires an access point. Neither is secure by default.

WEP is the original encryption standard for WLAN. It uses RC4 with 40-bit or 104-bit keys (marketed as 64-bit and 128-bit once the 24-bit initialization vector is counted), and the short, reused IV makes it breakable in minutes; it is far less secure than WPA and should not be used at all. WPA and WPA2 in "personal" mode use a pre-shared key derived from an 8-63 character passphrase and the SSID, so the passphrase is the only thing standing between a captured handshake and an offline dictionary attack.

Accidental association is a form of exposure that takes place when a computer latches on to an access point that belongs to a neighboring, overlapping network. Often this happens by accident, that is, the user has no intent to break into the overlapping network at all, yet the machine is now on a network you do not control.

Access points, and the routers behind them, that are exposed to unfiltered traffic can be vulnerable. Routing and redundancy protocols that rely on broadcast or multicast, such as OSPF, RIP and HSRP, can be corrupted by the injection of bogus updates (a forged RIP route or HSRP hello, for instance) if they are not authenticated and filtered at the wireless boundary.

You should always arrange your access points so that radio coverage is available only in your desired area. Wireless signal that "spills" outside that area can be sniffed from a parking lot or a neighboring office.

To further secure your WLAN you should always change the default SSID, as most attackers know the default names of most equipment, and avoid using a dictionary word as the SSID. Note that hiding the SSID is not a security control (it is trivially recovered from probe traffic); the real reason to change it is that the WPA pre-shared key is derived from the passphrase and the SSID, so a default SSID lets an attacker reuse precomputed tables of keys for common passphrases.
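The following is an added example, not code from this study guide, covering both the WEP/WPA note above and the SSID advice just given. It derives the WPA/WPA2-Personal pre-shared key the way the standard specifies (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes), runs an offline dictionary attack against it, and shows that the same passphrase yields a different key under a different SSID. The wordlist and the "Acme-Eng-5G" SSID are constructed; the "password"/"IEEE" vector is the one published in IEEE 802.11i Annex H. In a real attack the attacker checks each candidate against the MIC of a captured 4-way handshake rather than against the PSK itself, but the cost per guess is the same PBKDF2 call shown here.

```python
"""WPA/WPA2-Personal PSK derivation, dictionary attack and the effect of the
SSID salt. Added example; not code from the study guide."""
import hashlib


def wpa_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes),
    as specified for WPA/WPA2-Personal."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def crack_psk(target_psk, ssid, wordlist):
    """Offline dictionary attack: only the SSID and candidate passphrases are
    needed, with no further contact with the access point."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue  # cannot be a valid WPA passphrase, skip it
        if wpa_psk(candidate, ssid) == target_psk:
            return candidate
    return None


def ssid_changes_psk(passphrase, default_ssid, custom_ssid):
    """True when the same passphrase yields different PSKs under different
    SSIDs, i.e. a table precomputed for a default SSID is useless against a
    network that uses a custom one."""
    return wpa_psk(passphrase, default_ssid) != wpa_psk(passphrase, custom_ssid)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    wordlist = ["letmein", "qwertyui", "password", "dragon123"]  # constructed
    print(crack_psk(wpa_psk("password", "linksys"), "linksys", wordlist))
    print(ssid_changes_psk("password", "linksys", "Acme-Eng-5G"))
```

The 4096 iterations are what make each guess expensive, but at roughly tens of thousands of guesses per second on commodity GPUs a dictionary passphrase still falls quickly; a long random passphrase is the only defense in personal mode, and WPA2-Enterprise (802.1X) removes the shared secret altogether.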

l A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them. The internet makes penetration even easier, as everything is now connected, and internet-facing web servers have become a favorite target.


NOTE: In a typical web infrastructure you have a router, a firewall and a web server. The web server serves requests on port 80 (HTTP) and 443 (HTTPS). Different server products behave slightly differently and therefore have different vulnerabilities. Scanning tools identify the target server software from its open ports and its responses (banners, header ordering, error pages) and then select the applicable attacks. This is especially a problem for web server hosts that have many ports open beyond the ones actually required.

IIS can be very vulnerable if you simply accept the default installation options. Older Windows and IIS versions installed and enabled superfluous services and sample applications that were often unpatched, and these are easy targets.

Another problem is that Windows and IIS come with a few built-in default accounts that are weakly protected. Change the defaults: rename the accounts and set strong passwords wherever possible, and close all unnecessary ports as well.

Part of the reason IIS has been so exposed is that it runs on Windows, and older default Windows installations enabled many services and components that a web server does not need.

Null sessions are bad news: they allow an attacker to connect to the IPC$ share anonymously and extract system-critical information such as user account names and share lists. NT, 2000 and Windows Server 2003 domain controllers are susceptible to enumeration via null sessions unless anonymous access is restricted (the RestrictAnonymous settings). One way to prevent this from the outside is to block UDP ports 137 and 138 and TCP ports 139 and 445 at a firewall at the edge of the network; that does nothing against an attacker who is already inside, so harden the hosts too.


Another frequently abused Windows feature is its inter-process communication (IPC) mechanism, exposed over the network as the IPC$ share. It allows one process to communicate with another, including across computers connected through a network, which is exactly why it is dangerous when reachable from untrusted networks.

l Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access.

l Denial of service (DoS) attacks are not primarily a means to gain unauthorized access to or control of a system; they are designed to render it unusable. Attackers can deny service to individual victims, for example by deliberately entering a wrong password three times in a row so that the victim's account is locked out, or they may overload the capacity of a machine or network and block all users altogether. These attacks are, in practice, very hard to prevent, because the behavior of whole networks has to be analyzed, not just small pieces of code. Distributed denial of service (DDoS) is worse: a large number of compromised hosts flood a target with requests, exhausting its resources.


l Some computer manufacturers and software vendors have shipped backdoors in their systems to provide technical support for customers. A backdoor makes it possible to bypass normal authentication while remaining hidden from casual inspection. It may take the form of a separately installed program, or it may be built into an existing "legitimate" program or executable file.

NOTE: A backdoor refers to a generally undocumented means of getting into a system, originally for programming and maintenance or troubleshooting needs. Undocumented maintenance accounts and hard-coded credentials have turned up in shipped products more than once, so treat any system as if it may have one until it has been reviewed.

On Windows, backdoor programs often install themselves to start when the system boots. Review the services and Run keys that are configured to start automatically; an unfamiliar entry may be a Trojan horse or backdoor program.

l A specific form of backdoor is the rootkit, which replaces system binaries of the operating system (or hooks the kernel) to hide the presence of other programs, users, services and open ports.


NOTE: "rootkit" originally described recompiled Unix tools (ls, ps, netstat and the like) that would hide any trace of the intruder. The purpose of a rootkit is to hide evidence from system administrators so that malicious privileged access goes undetected. Because it subverts the very tools you would use to look, detection has to come from outside the compromised system: offline disk inspection, known-good binaries on read-only media, or file integrity checkers with baselines taken before the compromise.

l To some, secrecy means security, so closed-source software is preferable. This is not necessarily true. With the open source model, anyone may freely inspect and revise the code, so backdoors and other hidden tricks or defects are more likely to be found, although only if someone actually reviews the code.

l Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a blend of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered malware based on the intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, spyware, adware, and other unwanted software.


NOTE: In a common type of Trojan horse, a legitimate program has been modified with malicious code that runs when the program is used. The key point is that the user has to invoke the program to trigger the malicious code; a Trojan horse cannot operate autonomously. Most but not all Trojan horse payloads are harmful; a few are merely nuisances. Most Trojan horse programs are spread through e-mail. Some earlier Trojan horse programs were bundled in "root kits"; for example, the Linux Root Kit version 3 (lrk3), released in December 1996, included trojaned tcp wrapper binaries.

Keystroke logging (in the form of spyware) was originally a function of diagnostic tools used by software developers to capture a user's keystrokes, in order to determine the source of an error or to measure staff productivity. Imagine someone using it to capture critical business data such as credit card numbers... You may want to use anti-spyware applications to detect and remove keyloggers. Web-based on-screen keyboards may be a viable option for web applications, though they only defeat the simplest keyloggers (screen capture and form grabbing bypass them).


NOTE: The majority of malware and viruses exploit known vulnerabilities in popular operating systems and applications. Exploits typically appear within days of a vulnerability being announced. One way to protect your computers against these threats is to keep OS and application security updates as current as possible by applying service packs, patches and hotfixes.

l The best-known types of malware are viruses and worms, which are known for the manner in which they spread, rather than any other particular behavior. Originally, the term computer virus was used for a program which infected other executable software, while a worm transmitted itself over a network to infect computers. More recently, the words are often used interchangeably.

NOTE: Nonresident viruses immediately search for victims to infect and then transfer control to the infected application program. Resident viruses do not; instead, they stay in memory after execution and infect new victims as programs are invoked on the system. Modern antivirus software can detect both. Examples of antivirus products of the time include Norton AV, PC Tools AV, AVG Pro, F-Prot and NOD32.

Note that viruses capable of rewriting their own code each time they spread, in order to evade signature detection, are called metamorphic. The core of the payload of these viruses is a metamorphic engine (polymorphic viruses, by contrast, keep the body constant and only vary the encryption stub around it).

l Direct access attacks may be conducted through the use of common consumer devices. For example, someone gaining physical access to a computer can install all manner of devices to compromise security, including operating system modifications, software worms, keyboard loggers, and covert listening devices. The attacker can also easily download large quantities of data onto backup media or portable devices.

To secure a system, one should aim to reduce its vulnerabilities. For example, to harden a Linux system you would first disable any unnecessary services and close their ports, and in particular disable the legacy r-services (rlogin, rsh, rexec) and telnet, which send credentials in cleartext. The remaining listening TCP/UDP ports should be inventoried and monitored. Similar things can be done on Windows.
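The following is an added example, not code from this study guide, of the port inventory just described turned into a repeatable check: it parses listening-socket lines in the style of `ss -tlnp` output on Linux and reports legacy cleartext services and anything not on an allow-list, distinguishing sockets bound to all interfaces from loopback-only ones. The sample output is constructed; on a live host you would feed it the real command's output. The port numbers for the legacy services are the IANA-assigned ones.

```python
"""Audit listening sockets against a policy: flag legacy cleartext services
and anything outside the allow-list. Added example; not code from the study
guide. SAMPLE_SS_OUTPUT is constructed in the style of `ss -tlnp`."""

LEGACY_CLEARTEXT = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:513         0.0.0.0:*         users:(("xinetd",pid=900,fd=5))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("xinetd",pid=900,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1200,fd=7))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1305,fd=21))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("java",pid=1501,fd=44))
"""


def parse_listeners(text):
    """Yield (local_address, port, process_name) for each LISTEN line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or something other than a listener
        addr, port = parts[3].rsplit(":", 1)
        proc = parts[5].split('"')[1] if len(parts) > 5 and '"' in parts[5] else "?"
        yield addr, int(port), proc


def audit_listeners(text, allowed_ports):
    """Return findings as (port, process, reason). Loopback-only sockets are
    not reachable from the network, so they are reported at lower priority."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        exposed = addr not in ("127.0.0.1", "::1")
        if port in LEGACY_CLEARTEXT:
            findings.append((port, proc,
                             f"legacy cleartext service {LEGACY_CLEARTEXT[port]}: disable"))
        elif port not in allowed_ports and exposed:
            findings.append((port, proc,
                             "not in allow-list and bound to all interfaces: justify or close"))
        elif port not in allowed_ports:
            findings.append((port, proc,
                             "not in allow-list but loopback-only: low priority"))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT, allowed_ports={22, 443}):
        print(finding)
```

Run this from a cron job or configuration-management check and diff the output against the last approved baseline; a new finding is exactly the "service you did not know was there" that an auditor wants to see caught before an attacker does.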

Computer code is regarded by some as just a form of mathematics. It is theoretically possible to prove the correctness of computer programs, though most people with practical industry experience regard the likelihood of actually achieving this for large-scale practical systems as very low. In practice, only a small fraction of program code is mathematically proven, or even goes through comprehensive information technology audits or inexpensive but extremely valuable computer security audits.

On the other hand, it is technically possible to protect messages in transit by means of cryptography. You may also work at preventing information leakage. Information Leakage Detection and Prevention (ILD&P or ILDP, today more often called data loss prevention, DLP) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders.

Audit questions related to cryptography may include:

l Does your organization use cryptographic technology to protect sensitive information during transmission? Does the technology you use provide a digital signature capability for messages containing sensitive information?

l Does your organization use cryptographic technology to protect sensitive information stored in the system and in archives?


l Does your organization have a policy that clearly states when information is to be encrypted?

In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In other environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. In the worst cases, administrators themselves operate without any oversight. Relevant questions to ask in this regard may include:

l How many system administrators does your organization have?

l Do your system administrators work full-time as system administrators? What if they also work for someone else...

l Are your system administrators contractor employees? How much control do you want them to be able to exercise?

l Is there segregation of duties among system administrators?

l Does each system administrator have a delegate and/or backup person? What can they perform on the systems?

l Are program modifications approved by the configuration control function required to be installed by system administrators?

l Is there consistency in the implementation of security procedures by system administrators in the organization?


Technically speaking, all social engineering techniques exploit flaws in human judgment known as cognitive biases. These biases are used in various combinations to create attack techniques. For example, pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action, and is usually done over the telephone. It is more than a simple lie: it most often involves prior research or setup and the use of pieces of known information to establish legitimacy in the mind of the target. Phishing, on the other hand, refers to e-mail appearing to come from a legitimate business requesting "verification" of information and warning of some dire consequence if it is not done. Sadly, social engineering and direct physical access attacks can only be prevented effectively by non-computer means (awareness training, call-back verification procedures, physical controls), which can be difficult to enforce in proportion to the sensitivity of the information. Social engineering attacks in particular are very difficult to foresee and prevent.

Remember, in the real world the most robust security comes from operating systems where security is built in rather than added on (IBM's OS/400, with its object-based security model, is the example usually cited).


Security measures

A state of computer "security" is the conceptual ideal, attained by the use of the processes of Prevention, Detection, and Response.

Prevention: User account access controls and cryptography can protect systems files and data, respectively. Firewalls are by far the most common prevention systems from a network security perspective as they can shield access to internal network services, and block certain kinds of attacks through packet filtering.

NOTE: A stateful firewall can determine whether an IP packet belongs to a new connection or is part of an existing one, because it keeps a table of the connections it has seen. A plain packet filter does not track this at all; it judges each packet on its own header fields, which is why a crafted packet with the ACK bit set can slip through an "allow established" rule.
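The following is an added example, not code from this study guide, that makes the difference concrete: a stateless filter implementing the classic "allow inbound TCP if ACK is set" rule beside a stateful filter that keeps a connection table, both run over the same constructed traffic (addresses from the RFC 5737 documentation ranges). The ACK-only probe to port 139 is the kind of packet an ACK scan sends to map filter rules; the stateless filter lets it through, the stateful one does not.

```python
"""Stateless packet filter versus stateful firewall on the same traffic.
Added example; not code from the study guide. Addresses and packets are
constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = leaving the protected network, "in" = entering it
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST"}


class PacketFilter:
    """Stateless: judges every packet on its own header. The common
    'established' rule admits anything carrying ACK, which an attacker can
    set on a probe at will."""
    def allow(self, pkt):
        if pkt.direction == "out":
            return True
        return "ACK" in pkt.flags


class StatefulFilter:
    """Records outbound connection attempts and admits only replies to them."""
    def __init__(self):
        # (internal ip, internal port, remote ip, remote port)
        self.connections = set()

    def allow(self, pkt):
        key_out = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.connections.add(key_out)          # new outbound connection
            elif "RST" in pkt.flags or "FIN" in pkt.flags:
                self.connections.discard(key_out)      # simplified teardown
            return True
        # A reply flows back to the initiator, so the tuple is reversed.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def run_scenario(fw):
    """Feed one outbound connection plus two unsolicited probes through a
    filter and report what it allowed."""
    inside, web, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    traffic = [
        ("client SYN out", Packet("out", inside, 40000, web, 443, frozenset({"SYN"}))),
        ("server SYN/ACK in", Packet("in", web, 443, inside, 40000, frozenset({"SYN", "ACK"}))),
        ("ACK-scan probe in", Packet("in", attacker, 4444, inside, 139, frozenset({"ACK"}))),
        ("unsolicited SYN in", Packet("in", attacker, 4445, inside, 22, frozenset({"SYN"}))),
    ]
    return {label: fw.allow(p) for label, p in traffic}


if __name__ == "__main__":
    print("stateless:", run_scenario(PacketFilter()))
    print("stateful: ", run_scenario(StatefulFilter()))
```

The stateful table is only as good as its keying: it still admits a packet whose source address and port are spoofed to match a live connection, which is why the connection table is combined with sequence-number checking in real implementations.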

To prevent messages from being intercepted during transmission over the network, technologies like IPsec and SSL/TLS should be considered.


NOTE: IPsec differs from SSL in that it runs at layer 3, so it can protect both TCP and UDP traffic transparently to applications. SSL/TLS operates above the transport layer and protects individual TCP application streams (DTLS later extended it to UDP), so it offers less flexibility but needs no OS-level configuration. The goal of SSL is to provide endpoint authentication as well as communications privacy and integrity via cryptography.

Symmetric key algorithms use trivially related (or identical) keys for encryption and decryption. They need much less computational power, but require a shared secret key at each end, and the storage and exchange of that shared secret is a source of risk. Asymmetric key algorithms use different keys for the two operations, so there is no shared secret to distribute, but they consume far more CPU, which is why in practice they are used to exchange a symmetric key that then protects the bulk data.

RSA is an example of an asymmetric algorithm. With a public key and a private key, it is used primarily for public key encryption and is, in fact, suitable for both signing and encryption. However, "textbook" or poorly padded RSA is vulnerable: adaptive chosen ciphertext attacks (Bleichenbacher's attack on PKCS#1 v1.5 padding) can recover RSA-encrypted messages, and timing attacks can recover the private key from RSA signature or decryption operations unless the implementation is constant-time and uses blinding. Modern padding schemes (OAEP for encryption, PSS for signatures) address the first problem.

In addition to message encryption, you may want to enforce non-repudiation. You may use a public key certificate (one that incorporates a digital signature) to bind a public key to an identity. In a PKI, the signature is typically that of a Certificate Authority.

In a typical PKI a hash function is used to reduce data to a smaller, fixed-size number which serves as a digital fingerprint; it is this fingerprint, not the whole document, that is signed. In cryptography, a good hash function is "one-way", meaning there is no practical way to recover the input from the hash value, and collision-resistant, meaning two different inputs with the same hash cannot be found. SHA is one example. It has several variants, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512, designed by the NSA and published through NIST. MD5 is another example. It produces a 128-bit hash value, typically written as a 32-character hex number. Note that MD5 (since 2004) and SHA-1 (since 2017) have practical collision attacks and should not be used for signatures; use the SHA-2 family.

Detection: Intrusion Detection Systems are designed to detect network attacks in progress and assist in post-attack forensics, while audit trails and logs serve a similar function for individual systems.

NOTE: A typical IDS has a few components: sensors which detect and generate security events, a console interface for monitoring events and alerts and managing the setup, and an engine which records and analyzes the logged events. These components work together so that a suspected intrusion can be evaluated and signaled (through an alert or an alarm). An attacker may, however, flood an IDS with so much traffic that it cannot keep up, or with decoy events that bury the real attack in noise.


Response: "Response" is necessarily defined by the assessed security requirements of an individual system and may cover the range from simple upgrade of protections to notification of legal authorities, counter-attacks, and the like.

Example audit questions:

l Does your organization have an Internet access policy?

l How are network services accessed by members of your organization?

l Is back door access by unapproved means possible?

l Does your organization have a firewall? If so, how is it configured? What services are accessible by external users inside and outside of this firewall?

l Does your organization have an IDS? If so, who defines the IDS knowledge base?

l Who has external remote access to your organization’s systems?

l Is your network’s internal architecture hidden from untrusted external users?


l Do you have any established session control practices in place?

Standards and guidelines

ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and control standards are widely followed.

Apart from the guidelines published by ISACA, you may also refer to the SoGP. The Standard of Good Practice (SoGP) is a detailed documentation of best practices for information security. It is published and revised every two years by the Information Security Forum (ISF), an international best-practices organization. The Standard is developed from research based on the actual practices of, and incidents experienced by, major organizations. Its relatively frequent two-year update cycle also allows it to keep up with technological developments and emerging threats. In fact, the Standard is used as the default governing document for information security behavior by many major organizations, by itself or in conjunction with other standards such as ISO 17799 or COBIT.


One of the most widely used security standards today is ISO 17799, whose lineage started in 1995 with BS 7799, created by the British Standards Institute (BSI). BS 7799 Part 1 (the code of practice) became ISO/IEC 17799 in 2000 and was renumbered ISO/IEC 27002 in 2007; BS 7799 Part 2 (the management system requirements) became ISO/IEC 27001 in 2005. The National Institute of Standards and Technology (NIST) has released several special publications addressing cyber security. Three of these are especially relevant: SP 800-12, "An Introduction to Computer Security: The NIST Handbook"; SP 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems"; and SP 800-26, "Security Self-Assessment Guide for Information Technology Systems".

ISO 17799 states that information security is characterized by integrity, confidentiality and availability. The ISO 17799 standard is arranged into eleven control areas: security policy; organizing information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance.

The Sarbanes-Oxley Act of 2002 (commonly called SOX or SarBox) is a United States federal law passed in response to a number of major corporate and accounting scandals. One major provision of the act is the creation of the Public Company Accounting Oversight Board (PCAOB). The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (which will be addressed later) in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives for Information and Related Technology" for more appropriate standards of measure. Since the financial reporting processes of most organizations are driven by IT systems, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" (since superseded by Auditing Standard 5, which carries the same point forward) states:

"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."

Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report financial data. IT systems are deeply integrated in the initiating, authorizing, processing and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and therefore have to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act.


The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five areas, which when implemented, can help support the requirements as set forth in the Sarbanes- Oxley legislation. These five areas and their impacts for the IT Department are Risk Assessment, Control Environment, Control Activities, Monitoring, and Information & Communication.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative. Formed in 1985, its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

The Federal Information Security Management Act (FISMA) is a US federal law enacted in 2002. It imposes a mandatory set of processes that have to be followed for information systems operated by a government agency or by a contractor working on behalf of an agency. The Federal Information Processing Standards (FIPS), on the other hand, are a set of publicly announced standards developed by the US government for use by non-military government agencies and their contractors. FIPS 46 in particular specified the Data Encryption Standard (DES; withdrawn in 2005 in favor of AES, FIPS 197), while FIPS 140 covers security requirements for cryptographic modules.

ISO 27001 sets out the requirements for information security management systems. On the other hand, ISO 27002 offers a code of practice for information security management.

British Standard 7799 Part 3 provides guidelines for information security risk management. COBIT links IT initiatives to business requirements, organises IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered. ITIL (with which the ISO/IEC 20000 series is aligned) focuses on the service processes of IT and considers the central role of the user.

The Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book") classifies systems by security requirements based on the evaluation of the functionality, effectiveness and assurance of operating systems for the government and military sectors. TCSEC was introduced in 1985 and retired in 2000 in favor of the Common Criteria.


The Information Technology Security Evaluation Criteria (ITSEC) was the first single standard for evaluating the security attributes of computer systems adopted jointly by several European countries.

The Common Criteria (also known as ISO/IEC 15408) combines and aligns existing and emerging evaluation criteria through a collaborative effort among the national security standards organisations of Canada, France, Germany, Japan, the Netherlands, Spain, the UK and the US. The Common Criteria Evaluation and Validation Scheme (CCEVS) is the US national program for evaluating information technology products for conformance to the Common Criteria for Information Technology Security Evaluation.

ISO/IEC 13335 (IT Security Management) offers a series of guidelines for technical security control measures. The Payment Card Industry Data Security Standard (PCI DSS), on the other hand, specifies 12 core security requirements covering security management, policies, procedures, network architecture, software design and other critical measures for anyone who stores, processes or transmits cardholder data.


IS Organization and Information Assets Protection

There must be a proper information management policy in place, integrated with the information security policy. This policy should clearly define information as an asset of the business unit that needs protection, and local business managers as the owners of that information who are ultimately held responsible for it. To get staff to take information security seriously, it is necessary to define the roles and responsibilities of those involved in the ownership and classification of information.

No organization on earth has unlimited resources. You just cannot protect everything to the fullest extent. Therefore it is important to classify the information assets and then allocate resources accordingly. You also need to know whether it is cost effective to protect a certain information asset: what if the protection measure itself costs more than the asset is worth? You must assess the cost element accurately and comprehensively, however. Some costs are not easily quantified even though they can hurt badly when things go wrong (legal costs, for example).


The stakeholders

A critical factor in protecting information assets is laying the foundation for effective information security management. In fact, commercial, competitive and legislative pressures from around the business environment often require the implementation of proper security policies and related logical access controls. Security failures are often costly to the business. Losses may be suffered as a direct result of a failure, costs may be incurred recovering from the security incident, and more costs follow to secure the systems and prevent repeated failures. Job positions within an organization that carry information security responsibilities may include, but are not limited to, the following:

l Executive management (Senior management, Directors …etc)

l Security committee

l Data owners

l Process owners

l IT developers

l Security specialists

l Auditors


l Users

The board

The board of directors and senior management are responsible for ensuring that the organization's system of internal controls is operating effectively. An “audit committee” should be appointed to oversee audit functions and to report on audit matters periodically to the board. FYI, in order to comply with the Sarbanes-Oxley Act of 2002, public stock-issuing institutions are required to appoint outside directors as audit committee members. On the other hand, all members of a stock-issuing institution’s audit committee must be members of the board of directors and be independent.

The ability of the audit function to achieve desired objectives depends largely on the independence of audit personnel. This is especially true if the auditors are internal auditors rather than outside auditors.

The board of directors should ensure that written guidelines for conducting IT audits have been adopted, and should assign responsibility for the internal audit function (IT audit is commonly conducted in-house by the internal audit function) to a member of management who has sufficient audit expertise and is independent of the other business operations of the organization. In general, the position of the auditor within the organizational structure, the reporting authority for audit results, and the auditor's responsibilities indicate the degree of auditor independence within the organization. The board should do its best to ensure that the audit department does not participate in activities that may compromise, or appear to compromise, its independence. These activities include preparing reports or records, developing procedures, or performing other operational duties normally reviewed by auditors. Keep in mind that the auditor's independence may also be assessed by analyzing the reporting process and verifying that management does not interfere with the candor of the findings and recommendations.

The audit manager

The audit manager is responsible for implementing board-approved audit directives. This manager oversees the audit function and provides leadership and direction in communicating and monitoring the audit policies, practices, programs, and processes carried out by the internal audit staff. The extent of any external audit work should be clearly defined in a separate, formal engagement letter covering the scope of the audit, its objectives, resource requirements, timeframe, and the reports to be produced. Expect plenty of meetings, coordination and collaboration, and some conflict, between the external auditors and the in-house staff.

Audit personnel

The auditors, whether internal or external, must be granted the authority to access the records and staff necessary to perform the audit and report on it. For any audit effort to succeed, a reporting line MUST be established to the highest level of the organization, and the auditor's right of access to information must be clearly defined early in the process. Management should be required to respond formally, and in a timely manner, to significant adverse audit findings by taking appropriate corrective action. The auditors in turn should discuss their findings and recommendations periodically with the audit committee.

Personnel performing IT audits should have information systems knowledge commensurate with the scope and sophistication of the organization's IT environment and sufficient analytical skill to determine and report the root cause of deficiencies (they do not have to be CISA certified, although certification is a plus).

Sometimes the audit function is asked to take a role in the development, acquisition, conversion, and testing of major applications. Such participation must remain independent and objective. Auditors can identify and recommend appropriate controls to project management, but they should not design, approve or implement those controls, because they would then be auditing their own work. At most they should guide the developers in considering appropriate control standards and structures throughout the project.


IS Controls

The importance of the use of controls

Information security forms the core of an organization's internal control system. In the words of the internal control standards this guide cites under GASSP: "the internal control standards define the minimum level of quality acceptable for internal control systems in operation and constitute the criteria against which systems are to be evaluated. These internal control standards apply to all operations and administrative functions but are not intended to limit or interfere with duly granted authority related to development of legislation, rule-making, or other discretionary policymaking in an organization or agency."

There are many ways to classify controls. From an IS perspective they are commonly classified by nature, as physical, technical, or administrative, and by function, as preventive or detective. Three further functional types, deterrent, corrective, and recovery, supplement that classification.


Classification of controls

• Examples of physical controls include locks, security guards, badges, alarms, and similar measures that control access to computers, related equipment, and the processing facility itself.

• Technical controls are safeguards incorporated in computer hardware, operating system or application software, communications hardware and software, and related devices. They are also referred to as logical controls.

• Administrative controls are management constraints, operational procedures, accountability procedures, and supplemental administrative measures established to provide an acceptable level of protection for computing resources.

• Preventive controls attempt to avoid the occurrence of unwanted events. Detective controls attempt to identify unwanted events after they have occurred. Deterrent controls attempt to discourage individuals from intentionally violating information security policies or procedures by making unauthorized activity difficult or unattractive. Corrective controls attempt to remedy the circumstances that allowed the unauthorized activity and return conditions to what they were before the violation.

• Recovery controls attempt to restore lost resources or capabilities and help the organization recover from losses caused by a security violation.

General Controls VS Application Controls

From a broader perspective, controls can be viewed as either general controls or application controls. General controls concern the overall information-processing environment. They include:

• Organizational controls (in particular segregation of duties)

• Data center and network operations controls

• Hardware and software acquisition and maintenance controls

• Access security controls

• Application system acquisition, development, and maintenance controls


Application controls, on the other hand, cover the processing of individual applications and help ensure the completeness, accuracy, authorization and validity of transaction processing. They typically include:

• Data capture controls, to ensure that all transactions are properly recorded in the application system

• Data validation controls, to ensure that all transactions are valid and correctly valued

• Processing controls, to ensure the proper processing of transactions

• Output controls, to ensure that computer output is not distributed to unauthorized users

• Error controls, to ensure that errors are corrected and properly resubmitted at the correct point in processing
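The five kinds of application control listed above can be seen working together in a small batch-processing routine. The following is an added example, not code from this guide or from any real system; the batch layout, the control totals carried in the header, the reference data and the validation rules are all constructed for illustration.

```python
"""Application controls over a constructed batch of payment transactions:
data capture (record count), data validation (field checks), processing (hash
total recomputed and compared), output (restricted distribution) and error
handling (rejects kept for correction and resubmission).  The layout below is
an assumption made for this example, not a real file format."""
from decimal import Decimal, InvalidOperation

# Constructed batch.  The header carries the control totals recorded at data
# capture time: the number of records and a hash total (the arithmetic sum of
# the account numbers, a meaningless figure whose only purpose is to detect
# dropped, duplicated or altered records).  1001+2002+3003+4004 = 10010.
BATCH = """\
H,batchid=4711,count=4,hash=10010
T,1001,500,CR,250.00
T,2002,500,DR,abc
T,3003,999,CR,75.50
T,4004,500,DR,-10.00
"""

VALID_COST_CENTRES = {"500", "999"}       # assumption: reference data from the ledger
VALID_TYPES = {"CR", "DR"}
AUTHORIZED_RECIPIENTS = {"ap-manager"}     # assumption: output distribution list


def parse_header(line):
    _, *fields = line.split(",")
    kv = dict(f.split("=", 1) for f in fields)
    return {"batchid": kv["batchid"], "count": int(kv["count"]), "hash": int(kv["hash"])}


def validate_txn(fields):
    """Data validation control: return the reasons a record is rejected (empty if valid)."""
    if len(fields) != 5:
        return ["wrong field count"]
    _, account, cost_centre, ttype, amount = fields
    errors = []
    if not (account.isdigit() and len(account) == 4):
        errors.append("bad account number")
    if cost_centre not in VALID_COST_CENTRES:
        errors.append("unknown cost centre")
    if ttype not in VALID_TYPES:
        errors.append("bad transaction type")
    try:
        value = Decimal(amount)
    except InvalidOperation:
        errors.append("amount not numeric")
    else:
        if value <= 0 or value.as_tuple().exponent < -2:
            errors.append("amount must be positive with at most two decimals")
    return errors


def process_batch(text):
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = parse_header(lines[0])
    records = [ln.split(",") for ln in lines[1:]]

    accepted, error_file = [], []
    for rec in records:
        errs = validate_txn(rec)
        (error_file if errs else accepted).append((rec, errs))

    # Data capture control: every record counted at capture must have arrived.
    count_ok = len(records) == header["count"]
    # Processing control: recompute the hash total over what actually arrived.
    hash_ok = sum(int(r[1]) for r in records if r[1].isdigit()) == header["hash"]

    return {
        "batchid": header["batchid"],
        "count_ok": count_ok,
        "hash_ok": hash_ok,
        "accepted": [r for r, _ in accepted],
        # Error control: rejects are kept with their reasons so they can be
        # corrected and resubmitted at this validation step, not re-keyed.
        "error_file": [(r, e) for r, e in error_file],
    }


def release_output(result, recipient):
    """Output control: the processed batch only goes to authorized recipients."""
    if recipient not in AUTHORIZED_RECIPIENTS:
        raise PermissionError(f"{recipient} is not on the distribution list for batch {result['batchid']}")
    return {"batchid": result["batchid"],
            "posted": len(result["accepted"]),
            "rejected": len(result["error_file"])}
```

An auditor testing these controls would feed the routine a batch with a deliberately wrong count or hash total and a few malformed records, and confirm that the batch is flagged, the bad records land in the error file rather than silently disappearing, and the output cannot be released to someone outside the distribution list.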

Keep in mind that different network models often require different combinations of controls. You must have a basic foundation in networking in order to pick the correct answers: LAN and WAN networking, distributed and client-server computing, server-based and thin-client computing. Don't attempt the exam until you are completely familiar with these basic concepts.

Tests of controls are audit procedures performed to evaluate the effectiveness of either the design or the operation of the internal controls in question. The division of labour is worth remembering: the information security manager (the CISM role) plans and implements the needed controls, while the IS auditor (the CISA role) tests them.


Access Control and the Auditing Process

Access control protects your systems and resources from unauthorized access. An access control model is a framework that dictates how subjects access objects. The most widely used models are mandatory access control (MAC), discretionary access control (DAC) and role-based access control (RBAC). Even though these models are usually associated with IT, think of them as security management principles: they apply to disciplines other than IT as well.

Access Control Models

The decision of which access control model to implement is based on organizational policy and on two generally accepted standards of practice, separation of duties and least privilege. Controls (in the context of access control) may be characterized as either mandatory or discretionary. With mandatory controls, only administrators may make decisions that bear on or derive from the predefined policy. Access controls that are not based on an established policy but on the owner's judgement are characterized as discretionary controls (or need-to-know controls).

With the discretionary model, the creator of a file is its "owner" and decides who else may access it (and may transfer ownership to others). Access control is at the discretion of the owner. The most common implementation is the access control list. Discretionary access control is required for the Orange Book "C" level.

Mandatory controls are prohibitive: whatever the policy does not expressly permit is forbidden. With the mandatory model, control is based on security labels and categories. Access decisions compare the clearance of the user with the classification of the object (and, where categories are used, the user's need-to-know categories with the object's). Rules are made by management, configured by the administrators and enforced by the operating system; neither the owner nor the user can override them. Mandatory access control is required for the Orange Book "B" level.

With the role-based model, access rights are assigned to roles, not directly to users, and users are then assigned to roles. Roles are usually more tightly controlled than ad hoc groups, and some implementations allow a user to activate only one role per session, which makes separation of duties easier to enforce.


ACLs VERSUS Capabilities

The two fundamental means of enforcing privilege separation and controlling access are access control lists (ACLs) and capabilities. ACL semantics have been shown to be insecure in a number of situations: because an ACL is checked against the identity of whoever is running, a privileged program acting on behalf of a less privileged caller can be tricked into misusing its own authority (the confused deputy problem). It has also been shown that an ACL's promise of giving access to an object to only one principal cannot be guaranteed in practice. Capabilities, which bind the authority to the reference itself, resolve both problems. This does not mean that every ACL-based system has a practical flaw, only that the designers of particular utilities must take responsibility for not introducing one.

For various historical reasons, capabilities have mostly been restricted to research operating systems, and commercial OSes still use ACLs. Capabilities can, however, also be implemented at the language level, leading to a style of programming that is essentially a refinement of standard object-oriented design. One reason for the lack of adoption may be that ACLs appeared to offer a quick fix for security without a pervasive redesign of the operating system and hardware.


What is Orange Book, by the way?

Orange Book refers to the US Department of Defense Trusted Computer System Evaluation Criteria. Although originally written for military systems, the security classifications are now broadly used within the computer industry.

The Orange Book security categories range from D (Minimal Protection) to A (Verified Protection):

D - Minimal Protection - any system that does not comply with any other category, or has failed to receive a higher classification.

C - Discretionary Protection - applies to Trusted Computing Bases (TCBs) with discretionary, owner-controlled object (file, directory, device, etc.) protection; subdivided into C1 and C2 (C2 adds individual accountability through login procedures and audit trails).

B - Mandatory Protection - specifies that the TCB must enforce mandatory, label-based protection, not merely discretionary protection; subdivided into B1, B2 and B3.

A - Verified Protection - the highest security division (A1), which requires formal design verification of the same functionality as B3.

Further information on the Orange Book categories can be found here: http://www.dynamoo.com/orange/summary.htm


Types of Access Control

To ensure that access controls adequately protect all of an organization’s resources, it is recommended that you first categorize the resources that need protection.

In an access control model, there are subject and object:

• Subject: the entity requiring access to an object, e.g. a user or a process (active).

• Object: the entity to which access is requested, e.g. a file or a process (passive).

Access control information can be viewed as a matrix with rows representing the subjects, and columns representing the objects.
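The matrix view ties together the discretionary, mandatory and role-based models described earlier and the ACL-versus-capability distinction: an ACL is one column of the matrix, a capability list is one row. The following is an added example, not code from this guide; the subjects, objects, owners, labels, roles and the constructed MAC read rule (the subject's clearance must be at least the object's level and include all of its categories) are assumptions made for illustration.

```python
"""Access control models from the text, as an added example (not code from
this guide).  Subjects, objects, labels and roles are constructed.  Only the
MAC read check is shown; the write rule is not modelled."""

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Access control matrix: rows are subjects, columns are objects, cells are rights.
MATRIX = {
    "alice": {"payroll.xls": {"read", "write"}, "plan.doc": {"read"}},
    "bob":   {"plan.doc": {"read", "write"}},
}


def acl(obj):
    """One column of the matrix: who may do what to this object (the ACL view)."""
    return {subj: rights[obj] for subj, rights in MATRIX.items() if obj in rights}


def capabilities(subject):
    """One row of the matrix: everything this subject holds (the capability-list view)."""
    return MATRIX.get(subject, {})


# DAC: the owner of the object decides who else gets access.
OWNERS = {"payroll.xls": "alice", "plan.doc": "bob"}


def dac_grant(granter, obj, grantee, right):
    if OWNERS.get(obj) != granter:
        raise PermissionError(f"{granter} does not own {obj}")
    MATRIX.setdefault(grantee, {}).setdefault(obj, set()).add(right)


def dac_check(subject, obj, right):
    return right in MATRIX.get(subject, {}).get(obj, set())


# MAC: labels are set by policy; neither owners nor users can change them.
CLEARANCE = {"alice": ("secret", {"hr"}), "bob": ("confidential", {"ops"})}
CLASSIFICATION = {"payroll.xls": ("secret", {"hr"}), "plan.doc": ("confidential", set())}


def dominates(clearance, classification):
    lvl_c, cats_c = clearance
    lvl_o, cats_o = classification
    return LEVELS[lvl_c] >= LEVELS[lvl_o] and cats_c >= cats_o


def mac_read_check(subject, obj):
    return dominates(CLEARANCE[subject], CLASSIFICATION[obj])


# RBAC: rights attach to roles; users are assigned roles, never rights directly.
ROLE_PERMS = {
    "payroll_clerk": {("payroll.xls", "read")},
    "planner": {("plan.doc", "read"), ("plan.doc", "write")},
}
USER_ROLES = {"carol": {"payroll_clerk"}}


def rbac_check(user, obj, right):
    return any((obj, right) in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))


def authorize(subject, obj, right):
    """Reference-monitor entry point for a system running DAC and MAC together:
    the owner's grant is necessary but not sufficient, the label check must
    also pass, and anything not explicitly allowed is denied."""
    if not dac_check(subject, obj, right):
        return False
    if right == "read" and not mac_read_check(subject, obj):
        return False
    return True
```

The point to take from `authorize` is the one the text makes about mandatory controls: even after `alice`, the owner, grants `bob` read access to `payroll.xls` through DAC, the label check still refuses him because his clearance does not dominate the file's classification.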

Access control consists of the following primary areas:

• Identification

• Authentication

• Authorization

• Accountability

The AAA concept

Authentication, authorization and accountability (accounting) are often referred to together as the AAA concept. The general types of authentication factor are:

• Something a person knows (e.g. a password or PIN)

• Something a person has (e.g. an ID card or token)

• Something a person is (e.g. a fingerprint or other biometric)

Strong authentication requires two different factors from the list above and is known as two-factor authentication; two items of the same factor, such as a password plus a PIN, are still single-factor.

Authentication is the first line of defense. Questions you may ask here:

• What password rules are enforced, in particular in terms of length and alphanumeric combinations?

• How often are users required to change their passwords?

• Does your system use a password cracker to identify insecure passwords?

• Does your organization keep a password history file?

• Do users have unique authentication for different types of access?

• Does your organization use authentication other than reusable passwords? Is there a policy for the use of such authentication?

Authorization determines whether you can carry out the requested action. Access criteria include, but are not limited to:

• Roles

• Groups

• Physical or logical location

• Time of day

• Transaction type


A common practice is to have all access criteria default to "no access" (deny by default), although for usability's sake modern operating systems do not always follow this; older Windows versions, for instance, gave the Everyone group Full Control on new NTFS volumes by default.

Identification and authentication establish who the user is; a separate set of issues concerns how the user account itself is created, handled and protected (user account management). Some questions you may ask include:

• Is logoff at the end of the day required?

• Are there automatic session timeouts?

• Can a user use a password to lock the screen?

• Does an unsuccessful logon indicate the cause of failure?

• Under what circumstances are accounts locked?

• Is the user informed about the last successful/unsuccessful logon attempt?


Establishing Accountability through event logging

Accountability determines who is responsible for a particular action. To establish accountability, an audit trail and logging facilities must be in place. As an example, here is a list of what should be logged in a networked environment:

• System startup

• System shutdown

• File system full

• Hardware failures

• Logins: failed and successful / local or remote

• Account creation: failed and successful

• Account modification: failed and successful; assigning, changing or removing rights and privileges

• Account removal: failed and successful


• Account disabled

• Password/security information copied: failed and successful

• System configuration change: failed and successful

• Operating system patch applied

• Network connections: failed and successful

• Audit logs modification: failed and successful

• Object access: failed and successful
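Logging the events in this list is only half of accountability; someone, or something, has to read the trail. The following is an added example, not from this guide or any product: a few constructed syslog-style lines (a failed-login burst, a new account, a privilege change and an audit log truncation) and a small rule set that flags the event types listed above. The line format, the program names and the three-failure threshold are assumptions.

```python
"""Detection over an audit trail, as an added example.  SAMPLE_LOG is
constructed (not taken from any real system); RULES maps message patterns to
the event types the text says should be logged.  Format and thresholds are
assumptions for the example."""
import re
from collections import Counter

SAMPLE_LOG = """\
2009-03-02T08:00:01 host1 sshd: Failed password for admin from 10.0.0.5
2009-03-02T08:00:03 host1 sshd: Failed password for admin from 10.0.0.5
2009-03-02T08:00:05 host1 sshd: Failed password for admin from 10.0.0.5
2009-03-02T08:00:07 host1 sshd: Accepted password for admin from 10.0.0.5
2009-03-02T08:01:10 host1 useradd: new user: name=svc_backup, uid=1010
2009-03-02T08:01:15 host1 usermod: add 'svc_backup' to group 'wheel'
2009-03-02T08:02:00 host1 auditd: audit log /var/log/audit/audit.log truncated by uid=0
2009-03-02T08:03:00 host1 sshd: Failed password for bob from 10.0.0.9
"""

# "<timestamp> <host> <program>: <message>"; an assumed layout for the example.
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")

# Event types from the logging list above, in the order they are tried.
RULES = [
    ("account_created", re.compile(r"new user: name=(?P<user>\w+)")),
    ("privilege_change", re.compile(r"add '(?P<user>\w+)' to group '(?P<group>wheel|sudo|admin)'")),
    ("audit_log_modified", re.compile(r"audit log \S+ (truncated|deleted|modified)")),
    ("login_failed", re.compile(r"Failed password for (?P<user>\w+) from (?P<src>[\d.]+)")),
    ("login_success", re.compile(r"Accepted password for (?P<user>\w+) from (?P<src>[\d.]+)")),
]


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def analyse(text, failure_threshold=3):
    """Return findings as (finding_type, timestamp, details) tuples.

    Single failed logins are counted but not reported; a burst against one
    (user, source) pair reaching the threshold is, and so is a success that
    follows such a burst.  Account, privilege and audit-trail events are
    always reported."""
    findings = []
    failures = Counter()
    for ev in parse(text):
        for name, rx in RULES:
            m = rx.search(ev["msg"])
            if not m:
                continue
            fields = m.groupdict()
            if name == "login_failed":
                key = (fields["user"], fields["src"])
                failures[key] += 1
                if failures[key] == failure_threshold:
                    findings.append(("brute_force_suspected", ev["ts"], key))
            elif name == "login_success":
                key = (fields["user"], fields["src"])
                if failures[key] >= failure_threshold:
                    findings.append(("success_after_failures", ev["ts"], key))
            else:
                findings.append((name, ev["ts"], tuple(sorted(fields.items()))))
            break   # first matching rule wins
    return findings
```

Note what the single failed login for `bob` does: it is counted but produces no finding, so the output stays readable, which is the same "audit only what you need" principle the guide applies later to audit strategy.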

The audit process

You need to know the fundamentals of auditing – not just IS auditing, but auditing in general.

Most CISA study text books in the market fail to give a complete and clear picture of the auditing process as a whole. We will fill this gap here.


At the end of this e-book there is a sample IS audit questionnaire. Go through it and you will understand exactly what an IS audit is expected to accomplish.

Note that several laws and regulations relevant to IT audit have been introduced since 1977 (the year of the Foreign Corrupt Practices Act). These include the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, the London Stock Exchange Combined Code, King II (South Africa), and the Foreign Corrupt Practices Act. You are expected to understand what each is for.

* Health Insurance Portability and Accountability Act (HIPAA)

* Gramm-Leach-Bliley Act (GLBA)

* Sarbanes-Oxley Act (SOX)

* Foreign Corrupt Practices Act (FCPA)

The Sarbanes–Oxley Act and the COSO framework


The Sarbanes–Oxley Act of 2002 (commonly called SOX or SarBox) is a United States federal law passed in response to a number of major corporate and accounting scandals. One major provision of the act is the creation of the Public Company Accounting Oversight Board (PCAOB). The PCAOB points to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework as a suitable basis for management's and the auditor's assessment of controls. For the IT side, auditors have also looked to the IT Governance Institute's COBIT (Control Objectives for Information and related Technology) for more specific measures.

Since the financial reporting processes of most organizations are driven by IT systems, IT plays a vital role in internal control. As PCAOB Auditing Standard No. 2 put it (AS 2 was replaced by Auditing Standard No. 5 in 2007, which keeps the same point):

"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."

Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. IT systems are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and therefore have to be assessed, along with the other important processes, for compliance with the Sarbanes-Oxley Act.

The SEC names the COSO framework as a suitable framework for management's assessment of internal control over financial reporting. The COSO framework defines five components which, when implemented, support the requirements set out in the Sarbanes-Oxley legislation: control environment, risk assessment, control activities, information and communication, and monitoring. Each of them has consequences for the IT department.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative. Formed in 1985, its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.


What is auditing, by the way?

“An audit is a management instrument which can identify the improvement potential of business processes (process audit) or of the management system as a whole (system audit). At the same time, audits allow the supervision of already started measures. Audits therefore help to improve the effectiveness of management systems and consequently the whole company organization” 1 .

An audit:

o compares your actual process against your documented process

o reports to what extent you are following your documented process

o acts as a verification exercise: if you think you are following your documented process but never verify it with an audit, there is a very good chance that you are not actually following your own processes

o is not an exercise in criticizing anyone or anything

1 http://www.experteam.de/starte/leistungen/Themen/SWQualitaetsmanagement/Auditierung.html


“Every successful audit is based on sound planning and an atmosphere of constructive involvement and communication between the client and the auditor” 2 .

A security audit is a process or event that takes the security policy or standards as its basis, determines the overall state of the existing protection, and verifies whether that protection has been implemented properly. It focuses on finding out whether the current environment is protected in accordance with the defined security policy. A security audit therefore requires a complete inventory and audit checklists, which may cover different areas of IT such as web applications, network architecture and wireless networks, and in practice involves security audit tools and various review techniques for revealing security weaknesses.

In the context of IT security, an audit is not the same as an assessment. A security risk assessment is the process of evaluating the security risks related to the use of information technology. It is conducted at the very beginning, to identify what security measures are required, and again whenever the information asset or its environment changes. A security audit, on the other hand, is a repeated checking process that confirms, from time to time, that those measures are properly implemented. You may safely conclude that security audits are performed more frequently than security risk assessments.

2 http://www.auditnet.org/process.htm

The success of every audit is based on careful planning and preparation. It is directly dependent on the knowledge and degree of experience of the auditors. Consistent reprocessing of the audit results and the supervised implementation of defined correction and improvement measures ensure the benefits for the audited organization and its processes.

In the context of IT:

Formerly called an electronic data processing (EDP) audit, an IT audit is the process of collecting and evaluating evidence about an organization's information systems, practices, and operations. The evidence is evaluated to determine whether the organization's information systems safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's objectives.


NOTE: Auditing allows one to define the sequence of steps which occurred prior to a security incident. Traceability is the key. In practice, good IS security procedures often specify the use of software and/or other mechanisms which comes with some sort of automatic auditing facility for providing traceability.

Gathering reliable information to perform an IT audit requires a review of all of the available written documents on each area of control as well as each critical asset element, in addition to interviews.

The role of an auditor

The role of an auditor is to review the integrity of the subject in question. The auditor does not participate in the creation or implementation of the subject; he or she is an observer, an examiner and a reviewer.

One major duty of an IS Auditor is to audit the access control mechanisms currently in place.


Keep in mind that an auditor's active participation in the procedure being audited would be a potential conflict of interest. That is why a former programmer of the development team should not be assigned to audit that team's current work.

An auditor acts in the best interest of the client and must place the duty to be scrupulously fair and honest ahead of his or her own interest. This is what FIDUCIARY RESPONSIBILITY is all about.

The Audit process flow

Information security auditing covers topics from the physical security of data centers to the logical security of databases, and highlights the key components to look for and the different methods for auditing these areas. To be effective and efficient, the auditor should first become adequately educated about the organization and its critical business operations through the following activities:

• Meet with IT management to determine possible areas of concern

• Review the current IT organization chart

• Review job descriptions of involved employees

• Research all operating systems, software applications and equipment operating within the organization

• Review the overall IT policies and procedures

• Evaluate the organization's IT budget and systems planning documentation

• Review the organization's disaster recovery plan

Following is a list of objectives an IS auditor should review to identify audit risks in the operating environment and assess the controls in place that may mitigate those risks:

• Personnel procedures and responsibilities are defined

• Change management processes are in place and properly followed

• Appropriate backup procedures are in place to minimize downtime and prevent loss of important data

• The workplace has adequate physical security controls to prevent unauthorized access to information assets

• Adequate environmental controls are in place to ensure equipment is protected from natural disasters

Below is the audit flow chart developed by UNISA of Australia. Different types of audit conducted in different industries may vary from this "model flow"; the chart is shown here to give you an idea of how the pros conduct a planned audit in the real world.


Overall Strategies

General principles for developing an audit strategy:

In order to have an appropriate auditing strategy and to avoid unnecessary auditing, you must have a clear understanding of the reasons for auditing. Additionally, to prevent unnecessary audit information from cluttering the meaningful information, audit the minimum number of statements, users, or objects required to obtain the targeted information.

General principles for auditing suspicious IS activity:

Audit generally, then specifically: enable general audit options first, then narrow down with more specific options. This helps the auditor gather the evidence required to reach concrete conclusions about the origin of suspicious activity. Protect the audit trail so that audit information cannot be added, changed, or deleted without that act itself being audited.

General Principles for Auditing Normal IS Activity:


This refers to gathering historical information about particular IS activities. To avoid cluttering the meaningful information with useless audit records, audit only the targeted activities. After you have collected the required information, archive the audit records of interest and purge them from the live audit trail.

NOTE: An effective audit trail should, at the least, record each action requested, detect any change made or attempted, and log every failed attempt. The log should be consistent and structured by items such as user, session and date/time, and should show the command issued and the files affected. It should be written to a separate, access-controlled store that the audited users cannot modify (forwarded to a central log server, or kept on write-once or append-only media), protected for integrity (signed or hash-chained) and, where it contains sensitive data, encrypted. Hiding the log's location is not a control; restricting and auditing access to it is.

You should log the activities of both regular users and power users (administrators and the like). Regular users tend to make careless mistakes, while power users have the privileges to cause intentional, and far larger, damage.
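The requirement stated twice above, that audit information cannot be added, changed or deleted without that being detectable, is usually met by chaining the records together under a key the audited host does not hold. The following is an added example, not code from this guide: each record carries an HMAC over its own content, its sequence number and the previous record's tag, so a verifier with the key can tell which entry was altered, removed or inserted. The key, the record contents and the storage layout are constructed for the example.

```python
"""Tamper-evident audit trail, as an added example (not from this guide).
Each entry's tag is an HMAC over the previous tag, the sequence number and
the record, forming a chain; verification recomputes the chain from the start.
Key, records and layout are constructed for illustration."""
import hashlib
import hmac
import json

# Assumption for the example: a symmetric key held by the log collector, not
# by the host that writes the records.  A real deployment would use per-host
# keys issued by the collector, or signatures with a key the host cannot read.
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "genesis"


def _tag(prev_tag, seq, record):
    """HMAC-SHA256 over the previous tag, the sequence number and the record body."""
    body = json.dumps({"seq": seq, "record": record}, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append(trail, record):
    """Append a record, chaining it to the previous entry's tag."""
    prev = trail[-1]["tag"] if trail else GENESIS
    seq = len(trail)
    trail.append({"seq": seq, "record": record, "tag": _tag(prev, seq, record)})
    return trail


def verify(trail, expected_head=None):
    """Return (ok, bad_index).  Recomputes every tag from the start of the chain.

    expected_head is the latest tag as recorded somewhere the host cannot
    reach (e.g. by the collector).  Without it, silent truncation of the
    tail is the one tampering the chain alone cannot reveal."""
    prev = GENESIS
    for index, entry in enumerate(trail):
        if entry["seq"] != index:
            return False, index           # an entry was deleted or inserted
        if not hmac.compare_digest(entry["tag"], _tag(prev, entry["seq"], entry["record"])):
            return False, index           # record or tag altered
        prev = entry["tag"]
    if expected_head is not None and prev != expected_head:
        return False, len(trail)          # tail entries missing
    return True, None


def build_demo():
    """Constructed three-entry trail used to exercise the checks."""
    trail = []
    for rec in ({"user": "alice", "action": "login", "result": "ok"},
                {"user": "root", "action": "chmod 600", "file": "/etc/shadow"},
                {"user": "root", "action": "rm", "file": "/var/log/auth.log"}):
        append(trail, rec)
    return trail
```

The `expected_head` parameter is the part practitioners forget: a chain proves that nothing inside it was changed, but an attacker who deletes the last few entries leaves a perfectly valid shorter chain. The collector therefore has to record the latest tag (or a count) out of band and compare against it.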


NOTE: An administrator's log provides a history of the actions taken by the administrator, who is charged with authorizing access to and use of corporate data and applications. Through this log the administrator's actions can be thoroughly audited, to assure that corporate policy and procedure have not been circumvented, intentionally or otherwise.

Audit Planning

An important part of the process for managing an audit function involves planning, an activity that covers both audit administration and assignment. One of the first tasks you must do at this planning stage is to develop a working budget. You as the IT audit manager must know the capabilities of the audit staff assigned to the project. In addition to budgeted time needed to perform the audit, you should also budget time needed to train the audit staff and allow time for any error correction purposes.

While planning the audit, you should decide what level of risk of reaching an incorrect conclusion from the audit findings is acceptable.


There are two types of risk here:

• The risk of incorrect acceptance: the risk that a material misstatement is assessed as unlikely when in fact the population is materially misstated. This is the more serious of the two, because it affects the effectiveness of the audit (a real weakness goes unreported).

• The risk of incorrect rejection: the risk that a material misstatement is assessed as likely when in fact the population is not materially misstated. This affects efficiency rather than effectiveness, since the additional work it triggers usually uncovers the error.

The more effective and extensive the audit work, the lower the risk that a weakness will go undetected and that you will issue an inappropriate report. Audit risk depends on the assessed levels of inherent risk, control risk, and detection risk. Control risk is determined by evaluating the organization's internal control structure; compliance testing is used to evaluate whether those internal controls operate effectively. Detection risk, the risk that the auditor's own procedures miss a material weakness, is then set in light of the assessed inherent and control risks: the higher those two are, the lower the detection risk the auditor can accept and the more substantive work is needed. These risks are estimated, not measured precisely, when performing the risk assessment of the organization.
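As an added worked illustration of that relationship (it is the standard audit risk model, not a formula from this guide), the three components combine multiplicatively:

$$AR = IR \times CR \times DR$$

so the detection risk the auditor can tolerate is

$$DR = \frac{AR}{IR \times CR}.$$

With overall audit risk set at $AR = 0.05$, inherent risk assessed at $IR = 0.8$ and control risk at $CR = 0.5$ after compliance testing, $DR = 0.05 / (0.8 \times 0.5) = 0.125$: the substantive procedures may miss a material weakness no more than 12.5% of the time. If compliance testing instead showed weak controls ($CR = 1.0$), $DR$ falls to $0.0625$ and the substantive testing must be correspondingly more extensive.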

There should also be a risk assessment process that describes and analyzes the risks inherent in the existing IT operation. You should update the risk assessment as necessary to reflect changes to internal control or work processes, and to incorporate new operations. The level of risk should be one of the most significant factors considered when determining the frequency and depth of audit activities.

When assessing materiality, you should consider the aggregate level of error acceptable to management, the IT audit committee, and the appropriate regulatory agencies, and the potential for the cumulative effect of small errors or weaknesses to become material. Materiality is not only a financial notion: you may be auditing non-financial items such as physical access controls, logical access controls, and systems for personnel management, manufacturing control, design, quality control, password generation and so on, where materiality is judged by the impact of a control failure rather than by a monetary amount.

The audit plan should detail the audit function’s budgeting and planning processes. The plan should describe audit goals, schedules, staffing needs, and reporting. The audit plan should ideally be defined by combining the results of the risk assessment and the resources required to yield the timing and frequency of planned audits. The audit committee should formally approve this audit plan. The auditors should in turn report the status of planned versus actual audits regularly.


For successful audits, you need to know:

o the audit objectives

o the audit methodology

o the resource allocation

At the planning portion of the audit, an auditor should perform the following:

1. notify the client of the audit

2. discuss the scope and objectives of the examination with organization management in a formal meeting

3. gather information on important processes

4. evaluate existing controls

5. plan the remaining audit steps

Controls that deserve your attention may include:


l Interception Controls: interception can be deterred by physical access controls at data centers and offices, and encryption protects data in transit, including on wireless networks. Continually evaluate your client's encryption policies and procedures and verify that management has controls over the key management process: access to keys should require dual control, keys should be split into two separately held components (split knowledge), and key material should be kept on a system that programmers and outsiders cannot access.

l Availability Controls: The network should have redundant paths between resources. Automatic fallback / Hot standby / Fault Tolerance mechanisms should also be put in place.

l Access/entry point Controls: controls at the point where the network connects to external networks, limiting the traffic that passes through, such as firewalls, intrusion prevention systems, and antivirus gateways.

A firewall acts as a choke point in the network where all passing traffic is inspected. A proxy firewall acts as a middleman between the two parties so that there is no direct connection between them: it terminates the client's connection, opens its own connection to the destination on the client's behalf, and relays the data, so the destination only ever sees the proxy's address.


Application level proxies understand the application protocol and make filtering decisions on both the header information and the actual packet content (for example, whether what is sent to TCP port 80 really is HTTP). They allow the greatest level of control at the expense of resource consumption. Circuit level proxies (SOCKS is the common example) relay TCP sessions and make decisions on session information such as IP addresses, ports, and protocol type without inspecting application content; they are faster but less discriminating. Routers can achieve basic protection by filtering on IP addresses, ports and protocols through access control lists, but a router ACL is stateless and blind to payload and is not a substitute for a firewall.
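The difference between a header-only router ACL and a payload-aware application proxy is easy to see in code. The following is an added example, not code from the study guide or from any firewall product: a toy first-match ACL evaluator and an application-level check that additionally requires traffic admitted to port 80 to actually be HTTP. The rules, addresses and sample packets (including an SSH banner tunnelled over port 80) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"           # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"       # CIDR prefix
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        # A router ACL sees only these header fields.
        return (
            (self.proto == "any" or self.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


def acl_decision(rules: List[Rule], pkt: Packet) -> str:
    """Router-style ACL: first matching rule wins, implicit deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(payload: bytes) -> bool:
    """Minimal HTTP/1.x request-line check (constructed for the example)."""
    request_line = payload.split(b"\r\n", 1)[0]
    return payload.startswith(HTTP_METHODS) and b" HTTP/1." in request_line


def proxy_decision(rules: List[Rule], pkt: Packet) -> str:
    """Application-level gateway: same header rules, then insist that
    traffic admitted to port 80 really is HTTP."""
    verdict = acl_decision(rules, pkt)
    if verdict != "permit":
        return verdict
    if pkt.dport == 80 and not looks_like_http(pkt.payload):
        return "deny"  # header said web traffic, payload says otherwise
    return "permit"


# Constructed policy: Internet may reach the web server on 80, only the
# internal 10/8 range may reach anything on 22; everything else is denied.
RULES = [
    Rule("permit", proto="tcp", dst="192.0.2.10/32", dport=80),
    Rule("permit", proto="tcp", src="10.0.0.0/8", dport=22),
]

SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
SAMPLE_PACKETS: Dict[str, Packet] = {
    "web": Packet("203.0.113.5", "192.0.2.10", "tcp", 80,
                  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "ssh_on_80": Packet("203.0.113.5", "192.0.2.10", "tcp", 80, SSH_BANNER),
    "ssh_external": Packet("203.0.113.5", "192.0.2.20", "tcp", 22, SSH_BANNER),
    "ssh_internal": Packet("10.1.2.3", "192.0.2.20", "tcp", 22, SSH_BANNER),
}


def compare(rules: List[Rule] = RULES,
            packets: Dict[str, Packet] = SAMPLE_PACKETS) -> Dict[str, Tuple[str, str]]:
    """Return (router ACL verdict, application proxy verdict) per packet."""
    return {name: (acl_decision(rules, p), proxy_decision(rules, p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (acl, proxy) in compare().items():
        print(f"{name:14s} router ACL: {acl:7s} application proxy: {proxy}")
```

The "ssh_on_80" packet is the point of the example: the ACL permits it because the header fields are exactly those of legitimate web traffic, while the proxy rejects it because the payload is an SSH banner. An auditor reviewing a firewall should therefore ask not only what the rule set allows but at which layer the allowed traffic is actually inspected.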

l Logical Security Controls: The key points in auditing logical security include Passwords, Account Termination Procedures, Special Privileged User Accounts, and Remote Access.

l Application Security Controls: application security centers on the main functions of Programming, Processing and Access. For programming, ensure that proper physical and password protection exists around the servers and mainframes used to develop and update key systems. For processing, ensure that procedures and monitoring are in place for the input of falsified or erroneous data, incomplete processing, duplicate transactions and untimely processing. For access, recognize that protecting the network against unauthorized access is one of the major focuses today, as threats come from both internal and external sources.

Talking about application security, you would also need to know the different methods of software system testing.

l With Black box testing, the tester has no prior knowledge of the test object's internal structure and does not examine the code. The test is therefore unbiased, but because the tester is independent of the designer it is almost impossible to ensure that every path through the system is exercised. By contrast, White box testing (also known as clear box, glass box or structural testing) uses an internal perspective of the system to design test cases: they are designed and implemented with full knowledge of the test object's internal structure, so the tester has to know the code inside and out, and bias is possible.

l Stress testing is a common way to test and determine the stability of a given system. It involves testing beyond normal operational capacity in order to observe system performance under stress. Emphasis is on robustness, availability, and error handling during heavy workload.

l A use case is a technique commonly used for capturing functional requirements of systems. It allows you to describe the sequences of events that, when taken together, can lead to the completion of a particular set of system activities for achieving a particular purpose.

l Boundary value analysis is a test design technique that derives test cases at the edges of input ranges, where off-by-one errors (logical errors that involve the discrete equivalent of a boundary condition) tend to occur. It is valuable because the boundaries of a program's input ranges are where defects are most often found.

<< For an in-depth list of controls from a technical perspective, refer to the earlier section on IS Control >>

Audit sampling, which is often necessary for practical reasons, is the application of an audit procedure to less than 100% of the population so that you can evaluate audit evidence within a class of transactions and form a conclusion about the whole population. Sampling may be statistical (Random Sampling or Systematic Sampling) or non-statistical (Haphazard Sampling or Judgmental Sampling). Note that sample size drives sampling risk: the smaller the sample, the greater the chance that the conclusion you draw from it differs from the one you would reach by examining the entire population.
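The two statistical selection methods, and the way sampling risk shrinks as the sample grows, can be made concrete. The following is an added example and not part of the study guide: it draws a random and a systematic sample from a constructed population of 1,000 transaction IDs, and computes the exact (hypergeometric) probability that a sample contains none of the population's deviations. Under the common attribute-sampling rule "accept the control if the sample shows no deviation", that probability is the auditor's risk of incorrect acceptance. The population, the 5% deviation rate and the seed are assumptions for illustration.

```python
import random
from typing import List


def random_sample(population: List[str], n: int, seed: int = 20090101) -> List[str]:
    """Statistical sampling: every item has an equal chance of selection.
    A fixed seed makes the selection reproducible in the working papers."""
    rng = random.Random(seed)
    return sorted(rng.sample(population, n))


def systematic_sample(population: List[str], n: int, seed: int = 20090101) -> List[str]:
    """Statistical sampling: random start, then every k-th item."""
    k = len(population) // n                      # sampling interval
    start = random.Random(seed).randrange(k)      # random start within the first interval
    return [population[start + i * k] for i in range(n)]


def prob_zero_deviations(pop_size: int, deviations: int, sample_size: int) -> float:
    """Exact probability that a sample of sample_size items, drawn without
    replacement, contains none of the `deviations` defective items.
    With the decision rule 'accept if no deviation is found', this is the
    risk of incorrect acceptance for that sample size."""
    if deviations > pop_size or sample_size > pop_size:
        raise ValueError("deviations and sample size cannot exceed the population")
    p = 1.0
    for i in range(sample_size):
        p *= (pop_size - deviations - i) / (pop_size - i)
        if p == 0.0:
            break
    return p


def sample_size_for_risk(pop_size: int, deviations: int, max_risk: float) -> int:
    """Smallest sample size whose risk of incorrect acceptance is at most max_risk."""
    n = 1
    while prob_zero_deviations(pop_size, deviations, n) > max_risk:
        n += 1
    return n


# Constructed population: 1,000 purchase transactions, of which 50 (5%)
# lack the required approval, a rate well above a typical tolerable rate.
POPULATION = [f"TXN-{i:05d}" for i in range(1, 1001)]
DEVIATIONS = 50

if __name__ == "__main__":
    print("random sample (first 5):    ", random_sample(POPULATION, 60)[:5])
    print("systematic sample (first 5):", systematic_sample(POPULATION, 50)[:5])
    for n in (25, 60, 100):
        risk = prob_zero_deviations(len(POPULATION), DEVIATIONS, n)
        print(f"sample of {n:3d}: risk of incorrect acceptance = {risk:.3f}")
    needed = sample_size_for_risk(len(POPULATION), DEVIATIONS, 0.05)
    print(f"sample size needed for 5% risk of incorrect acceptance: {needed}")
```

Running it shows the risk falling from roughly a quarter with 25 items to a few percent with 60, which is why an auditor who wants a 5% sampling risk against a 5% deviation rate needs a sample in the high fifties rather than a handful of items. Systematic selection gives the same coverage with less bookkeeping, but is only safe if the population is not ordered in a pattern that coincides with the interval.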

You should also make decisions about the nature, extent, and timing of evidence to be gathered. The types of evidence may include:

l Observed processes, such as a physical entrance security system in operation.


l Documentary audit evidence, such as activity and control logs.

l Representations, such as written policies and procedures.

l Analysis, such as comparison of error rates between applications and transactions.

The outcomes of the audit planning stage should include:

o Announcement Letter – have the client informed of the audit through an announcement or engagement letter. Such a letter communicates the scope and objectives of the audit, the auditors assigned to the project and other relevant information.

o Initial Meeting - at this meeting the client describes the unit or system to be reviewed, the organization, available resources and other relevant information. The client also identifies issues or areas of special concern that should be addressed.

o Preliminary Survey - the auditor gathers relevant information about the target unit in order to obtain a general overview of operations.

o Control Review - the auditor reviews the target unit's existing control structure, using a variety of tools and techniques to gather and analyze information about the operation efficiently. One primary objective here is to determine the areas of highest risk and to design the tests to be performed during fieldwork.

o Audit Program – the preparation of the audit program which outlines the fieldwork necessary to achieve the audit objectives.

Keep in mind:

“The IS auditor should consider whether his or her organizational status is appropriate for the nature of the planned audit. Where this is not considered to be the case, the hiring of an independent third party to manage or perform this audit should be considered by the appropriate level of management” 3 .

In fact, you may audit your own audit program and policy by asking questions like:

l Is there a mandatory auditing policy in place?

l What information is audited?

l Is the audited information analyzed and reported on promptly and regularly?

l Are IT security personnel trained in audit analysis?

l Are the contents of audit logs protected from unauthorized access, modification, and/or deletion?

l Is there a policy stating how long the captured audit logs are to be retained?

3 http://www.isaca.org/standard/guide1.htm

Recommended types of audit

INFOSEC recommends a number of types of audit which deserve your serious attention.

You want to have a FIREWALL AUDIT to ensure that the firewall and the associated systems are configured to enforce the security policy with the minimum necessary rule set and the appropriate level of protection. The firewall should be audited both for its configuration and for its physical access control.


You want to conduct an INTERNAL NETWORK AUDIT to discover any vulnerability that could be exploited by authorized internal users, and to identify the weaknesses and strengths of the controls over internal systems and networks. The topology of the internal network infrastructure should also be reviewed. The audit test should include an internal network scan for security holes, run at specified times or pre-agreed periods, and scanning of critical hosts and workstations should be part of the test effort.

You want to have an EXTERNAL NETWORK AUDIT to identify security weaknesses of the systems and networks as seen from outside, such as from the Internet. Scanning and launching attacks from the Internet toward the internal network, at specified and pre-agreed times and from pre-agreed locations, helps anticipate the external attacks that could cause security breaches.

You want to have a PHONE LINE AUDIT for identifying undocumented or uncontrolled modems connecting internal computers directly to the telephone network. This aims at eliminating any unauthorized or inappropriate modem connection and configuration to your internal network and systems.


You want to perform a SECURITY POLICY, GUIDELINES & PROCEDURES REVIEW to review or develop the existing security policy, guidelines and procedures. You may focus on the high-level, organization-wide security policy, or on specific systems, networks or areas of concern.

You want to perform a HOST SECURITY AUDIT to assess the operating system level security of the different server platforms. Misconfiguration of the operating system may open security holes that your system administrators are not aware of; the goal of this audit is to find them.

You want to perform an INTERNET SECURITY AUDIT to identify those security weaknesses of the systems and networks that are in connection with the Internet. It is sort of a combination of the internal network and external network security audit with major focus on the Internet gateway.

You want to perform a REMOTE ACCESS SECURITY AUDIT to deal with the vulnerabilities associated with remote access services reached over communication links such as dial-up and/or broadband connections.

You want to perform a WIRELESS NETWORK SECURITY AUDIT to deal with vulnerabilities that are associated with wireless network. You also want to perform a WEB APPLICATION SECURITY AUDIT which deals with vulnerabilities relevant to your web applications.

Example Audit Objectives and Procedures

FYI, below is an example document detailing the objectives and procedures of a proposed network audit:

Objective:

To assess whether access from the internal network to the Internet and from the Internet to the internal network are controlled.


Criteria:

The Internet policy should convey to all staff the intent of the controls to be implemented by the firewall.

Procedures:

a) Obtain a copy of the Internet Policy.

b) Identify the process that was used to develop the policy. Ascertain whether the process considered the value of and degree of reliance on the firewall and the severity, probability, and extent of the potential for direct and indirect harm.

c) Assess whether the policy:

* identifies the specific assets that the firewall is intended to protect and the objectives of that protection (integrity, availability, and confidentiality);

* describes the organizational structure and associated responsibilities and accountability of personnel who will be charged with implementing the policy, monitoring compliance with the policy and adhering to the policy;

* supports the legitimate use and flow of data and information;

* documents what information passing through the firewall will be monitored (limit organizational liability, reduce abuse, support prosecution for abuse); and

* is consistent both in tone and in principle with other organizational policies and accepted practice (e.g. availability of Internet access for non-business use)

d) Ascertain whether legal counsel has reviewed the policy to ensure consistency with requirements and limitations imposed externally (laws, regulations etc.).

e) Determine whether management approval of the policy has been sought and granted and the date of the most recent review of the policy by management.

f) Identify how the Internet policy was/is communicated to users and how awareness is maintained. Select a sample of users and discuss their understanding of their responsibilities related to Internet use and how to report problems.

g) Determine whether standards and procedures have been defined to specify the means by which the policy is implemented.


h) Assess whether the standards and procedures specify who is responsible and empowered to do each function required for the proper operation of the firewall.

i) Assess whether the security policy:

* is easy to read and locate relevant sections;

* is versioned and dated;

* is carefully worded with all ambiguous terms precisely defined;

* sets out acceptable conditions of use as well as unacceptable conditions of use;

* is widely communicated to affected persons; and

* is reviewed at regular intervals.

j) Consider whether the following issues are addressed in the policy document:

* Scope of the policy in relation to other internal and external networks with which it may be connected.

* Basic philosophy that may be used for making non-deterministic decisions.

* Governing policies, such as Federal and Provincial Law, contractual terms and conditions, or other policies internal to the Company.

* Identification of the person who has ultimate authority to interpret and apply the policy to a particular situation.

* Allowance for the policy to be temporarily waived by a person of authority under certain conditions or guidelines.

* Formal definition of how the people affected by the policy will be informed of its contents.

* Frequency and necessity for reviews of the policy.

* Outline of the assets that must be protected, and from what threats.

* Security incident handling principles.

* Guidelines for liability of personnel with regard to security breaches to discourage people from hiding details of a breach that they may have (somewhat innocently) been involved in.


* Guidelines regarding investigation of incidents and courses of action that could be taken by decision-makers based upon details of the security breach, including referral to law enforcement agencies, as well as internal investigation and disciplinary principles.

k) Consider whether the rights and responsibilities of users are addressed in the policy document, including:

* Account use, by both the account holder and the resource provider. Special conditions may apply to the use of normal user accounts, and public access accounts (like anonymous ftp), and these conditions could be expressed here.

* Software and data access and use, including sources of data and software.

* Disclosure of information which is potentially harmful, such as password information or configuration information.

* Etiquette, including acceptable forms of expression (e.g. non-offensive expression expected for unsolicited electronic mail), and unacceptable practices (such as the forging of electronic mail and news articles).

* Password use and format.


* Rights to privacy, and the circumstances under which the resource provider may intrude on the files held under or activities practiced by an account.

* Other miscellaneous guidelines regarding reasonable practices, such as the use of CPU cycles and temporary general access storage areas. Copyright issues may also be discussed here.

l) Consider whether the rights and responsibilities of resource providers are addressed in the policy document, including:

* physical security guidelines;

* privacy guidelines; and

* configuration guidelines, including:

- allocation of responsibility;

- network connection guidelines;

- authentication guidelines;

- authority to hold and grant account guidelines;

- auditing and monitoring guidelines;

- password format, enforcement and lifetime guidelines; and

- login banners.

You may also perform the audit using a wide range of computer tools. For example, an automated vulnerability scanner quickly identifies known vulnerabilities on the target hosts or devices. However, because such a tool generates a large volume of requests, the performance of the target systems and network will likely be affected during the scan, so you must plan how to minimize possible service interruption. Note also that some of the potential vulnerabilities reported by an automated scanner do not represent real vulnerabilities in the practical context of the target; false positives are common, and professional judgment must be exercised in interpreting the results.

Network vulnerability scanning is a good way to collect vulnerability information within a short period of time. It is non-intrusive in the sense that it does not attempt to exploit the vulnerabilities it identifies; penetration testing may be adopted if more in-depth findings are desired.

Penetration testing may be performed internally or externally. It uses automated tools to scan the network or system and build a complete map of connected workstations and servers, and then identifies vulnerabilities from inside or outside the network or system under study by attempting to penetrate them. It may also involve user interviews and the use of different hacking techniques against the system or network. The level of detail and the types of attack must be thoroughly planned and agreed upon before proceeding.

In any case, PLAN THEIR USE EARLY, BEFORE MOVING ON TO THE FIELDWORK.

Audit Fieldwork

During the audit process, the fieldwork concentrates on transaction testing and informal communications. At this stage the auditor determines whether the controls identified during the preliminary review operate properly and in the manner described.

Remember, you do NOT audit every item. With the help of statistical sampling techniques, you determine (mostly in a random manner) which items to examine.

One major purpose of fieldwork is to accumulate sufficient, competent, relevant, and useful evidence to support the audit comments and recommendations:

o Audit evidence is sufficient when it is factual, adequate and convincing enough that an informed person would reach the same conclusion.

o Evidence is competent (reliable) when it is obtained by the best attainable means, so that the same test, repeated, would produce the same result.

The activities at this stage often include:


o Transaction Testing - procedures usually include testing the major controls and the accuracy and propriety of the transactions. Various techniques including sampling are used to enhance productivity.

o Advice & Informal Communications - the auditor may discuss any significant findings with the client. The client may, in return, offer insights and work with the auditor to determine the best method of resolving the finding. Most of the time these communications are oral. Written forms of communication usually indicate the existence of serious problems.

o Audit Summary - the auditor summarizes the audit findings, conclusions, and recommendations necessary for preparing the audit report discussion draft.

o Working Papers – the documented record kept to support the audit opinion. They are comprehensive in nature, not scratch notes.

In field work IT auditors may use computer-assisted audit techniques (CAATs) to improve audit coverage by reducing the cost of testing and sampling procedures that otherwise would be performed manually. CAATs typically include tools and techniques such as generalized audit software, utility software, test data, application software tracing and mapping, and audit expert systems.


Whatever the source, audit software programs should remain under the strict control of the audit department.

You use CAATs to test application controls as well as to perform substantive tests on sample items. Types of CAATs include Generalized Audit Software (GAS), Custom Audit Software (CAS), Test Data, Parallel Simulation and Integrated Test Facility. Through the use of CAATs, you will be able to obtain evidence to support the final conclusions developed during the audit.

Audit evidence needs to be sufficient, reliable, relevant, and useful in order for you to form an opinion and to support your findings and conclusions. You need to devise procedures to gather and organize audit evidence, selecting the most appropriate procedure for the audit objective. Possible options include:

l Inquiry and/or Observation

l Inspection

l Confirmation

l Reperformance


l Monitoring

Working papers are the formal collection of the auditor's notes, documents, flowcharts, correspondence, results of observations, plans and results of tests, the audit plan, minutes of meetings, computerized records, data files or application results, and evaluations that document the auditor's activity for the entire audit period. They are essential to support the auditor's findings and recommendations in the audit report.

To conclude the fieldwork stage, a list of significant findings from which the auditor will prepare a draft of the audit report is produced.

Audit Program

An audit program acts as the link between the preliminary survey and the field work. In the preliminary survey the auditors identify operating objectives, risks, operating conditions and control procedures. In field work they gather evidence about the effectiveness of control systems based on observations, documentation, verification and other audit procedures.


For a list of popular audit programs you may refer to this hyperlink:

http://www.auditnet.org/asapind.htm

Audit Report

This is the principal product of the audit process - you express your opinions, present the audit findings, and discuss recommendations for improvements.

According to IS Auditing Standard 070 (Reporting), "The IT auditor should provide a report in an appropriate form, upon the completion of the audit. The report should state the scope, objectives, period of coverage, and the nature, timing, and extent of the audit work performed. The report should state the findings, conclusions, and recommendations and any reservations, qualifications or limitations of scope that the IT auditor has with respect to the audit."

It is always advisable for you to first discuss the rough draft with your client prior to issuing the final report:

1. When the fieldwork is completed, the auditor drafts the report and gives it to the audit management for a thorough review. A discussion draft is prepared for the unit's operating management and is submitted for the client's review before the exit conference.


2. When audit management has approved the discussion draft, the auditor meets with the unit's management team to discuss the findings, recommendations, and text of the draft. At this meeting (which is known as the Exit Conference), the client is given the chance to comment on the draft. The ultimate goal is for the group to reach an agreement on the audit findings (and to maintain a friendly relationship with the client).

3. After an agreement is made, the auditor prepares a formal draft which takes into account any revisions resulting from the exit conference and other discussions. When the changes have been reviewed by audit management and the client, the final report is produced and rendered to the audit management as well as the client. The approval of the client and the Audit Director is required for release of the report to any third party.

4. The client should be given the opportunity to respond to the audit findings prior to issuance of the final report; the response can be included in or attached to the final report. If the client decides to respond only after the report has been issued, the first page of the final report should include a letter requesting the client's written response to the report recommendations.


You should discuss the draft of the audit report with management to give management the chance to correct any weaknesses or deficiencies before they are reported and/or even released to the public. You may do this in the form of a Management Comment Letter.

5. In the response, the client should explain how report findings will be resolved. An implementation timetable should also be included. It is technically acceptable for the client to respond with a decision not to implement an audit recommendation and to bear the risks associated with an audit finding.

6. Finally, the client may comment on the performance of the audit. This feedback can be very beneficial to the audit team.

Audit Follow-Up

Within a period defined by the client, the auditor will perform a follow-up review to verify the resolution of the report findings:


1. Follow-up Review - the client response letter is reviewed and the actions taken to resolve the audit report findings may be tested. Unresolved findings will be discussed in the follow-up report.

2. Follow-up Report - lists the actions taken by the client to resolve the original report findings. Any unresolved findings will be mentioned as well. It is a recommended practice to have a discussion draft of each report with unresolved findings circulated to the client before the follow- up report is issued (again, this is for reaching agreement and maintaining friendly relationship).

To keep things moving, use a process that enables you to track the status of client management's actions on significant findings and recommendations.

Note:

If, after the audit report has been issued, it is found that some procedures were omitted, review the available alternative procedures that could compensate for the omission. If the omitted procedures have a material bearing on the audit outcome, the worst case is that you must withdraw the old report and issue a new one.


Audit Assessment

Upon completion, your audit work should be evaluated by a partner or senior manager based on a number of criteria, including:

l Audit Completeness and Pertinence

l Accuracy

l Appropriate Conclusions, Findings and Recommendations

l Follow-up to Findings and Recommendations


IT Strategic Planning

IT Strategic Planning defined

Strategic planning is an important activity for information technology organizations. IT Strategic Planning is closely related to IT governance, which comprises the body of issues addressed in considering how IT is applied within the enterprise.

The key goal of the IT strategic planning process is to translate your organization’s vision into detailed short and long-term IT plans and processes that match the company’s business plan and ensure that employees, clients, suppliers, and partners can easily and securely interact and collaborate:

o IT strategic plans must be aligned with institutional mission, plans, and priorities. An IT plan must also be flexible to adapt to changes. Most importantly, IT strategic planning must occur as part of a process that ensures that the best ideas are put forward and a process that creates investment on the part of stakeholders.

o Strategic IT planning must include setting long-term goals, identifying performance goals, selecting the portfolio of IT investments to support those goals, and continuously measuring the performance of those investments. It must be tightly coupled with the organization's strategic planning and be an intrinsic, integrated part of the budget process.

Remember, IT is a serious (and expensive) investment. Management often measures investment from a monetary standpoint: an investment MUST produce returns (in the form of savings or profit increases).

The role of IS Auditing in the planning process

The IS auditor should consider the following options when establishing the overall objectives of any audit associated with IT governance and the IT strategic planning process. These options, as listed by ISACA 4 , include:

o Reporting on the system of governance and/or its effectiveness

o Inclusion or exclusion of financial information systems

o Inclusion or exclusion of non-financial information systems

4 http://www.isaca.org/standard/guide1.htm

ISACA (above) further defines the following points that should be considered by the auditor when reviewing the IT strategic planning process:

o There is a clear definition of IT mission and vision

o There is a strategic information technology planning methodology in place

o The methodology correlates business goals and objectives to IT business goals and objectives

o This planning process is periodically updated (at least once per year)

o This plan identifies major IT initiatives and resources needed

o The level of the individuals involved in this process is appropriate

In-house or Outsource?

Note that one major duty of the IS auditor is to validate the acquisition or development of the business application systems. From a security standpoint, you need to tell whether doing it in-house is more secure (and easier to control) than buying it off the shelf. A tradeoff is involved in the decision, and different answers are expected in different circumstances. The general guideline is that doing it in-house allows for more control over the development process and can allow you to build in more security features. However, this can be costly, as you need to recruit, train and manage your IT team to do the job.

Also, when your own development team is involved you must clearly define the roles and responsibilities of each team member. Certain roles must not be overlapped, and certain duties must be clearly separated.

Avoiding conflicts of interests

“The principle of separation of duties is that an organization should carefully separate duties, so that people involved with checking for inappropriate use are not also capable of making such inappropriate use. No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work”.

The general guidelines here are:

l You do not test or QC your own work.

l Creation and daily administration must NOT be performed by the same individual.

Other examples include:

l development VS production

l security VS audit

l accounts payable VS accounts receivable

l encryption key management VS changing of keys
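To make the separation-of-duties guidelines above concrete, here is an added Python example (it is not code from the study guide). It encodes the conflicting duty pairs listed above as a conflict matrix and checks a constructed set of role assignments against it, both as a detective review of what people already hold and as a preventive check before a new duty is granted. All user names, duty labels and assignments are constructed sample data.

```python
"""Separation-of-duties (SoD) conflict check over role assignments.

Added example, not from the study guide. The conflicting pairs encode the
guidelines above; the user-to-duty assignments are constructed sample data.
"""
from itertools import combinations

# Duty pairs that must not be held by one individual (from the guidelines above).
CONFLICTING_DUTIES = [
    ("development", "qc"),                          # you do not test/QC your own work
    ("account_creation", "account_administration"),  # creation vs daily administration
    ("development", "production"),
    ("security", "audit"),
    ("accounts_payable", "accounts_receivable"),
    ("key_management", "key_change"),
]
CONFLICT_SET = {frozenset(pair) for pair in CONFLICTING_DUTIES}

# Constructed sample: the duties each person currently holds.
SAMPLE_ASSIGNMENTS = {
    "alice": {"development", "qc"},
    "bob": {"production"},
    "carol": {"security", "audit"},
    "dave": {"accounts_payable"},
    "erin": {"key_management", "key_change", "production"},
}


def find_sod_conflicts(assignments, conflict_set=CONFLICT_SET):
    """Detective control: return {user: [(duty_a, duty_b), ...]} for every user
    who holds both halves of a conflicting pair. Users without conflicts are
    omitted, so an empty dict means the assignments are clean."""
    findings = {}
    for user, duties in assignments.items():
        hits = [pair for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in conflict_set]
        if hits:
            findings[user] = hits
    return findings


def would_conflict(assignments, user, new_duty, conflict_set=CONFLICT_SET):
    """Preventive control: the duties the user already holds that conflict with
    new_duty. An empty list means the grant can proceed."""
    return sorted(d for d in assignments.get(user, set())
                  if frozenset((d, new_duty)) in conflict_set)


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: holds conflicting duties {pairs}")
    print("bob + development blocked by:", would_conflict(SAMPLE_ASSIGNMENTS, "bob", "development"))
    print("dave + security blocked by:", would_conflict(SAMPLE_ASSIGNMENTS, "dave", "security"))
```

The detective check is what an auditor runs over the current user listing; the preventive check is what the provisioning process should run before approving a request, which is where the "one person must not approve their own work" rule is actually enforced.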

Protection of Information Assets through Security Policy

Information Assets defined

Information assets, which are mostly of an intellectual nature, are the vital business resources that require protection commensurate with their value. Mechanisms shall be in place to protect these assets from intentional (or unintentional) modification, destruction, unauthorized disclosure, or other malfeasance. The end goal is to make sure that the confidentiality, integrity, and availability of these assets are adequately maintained.

Confidentiality - Protecting sensitive information from unauthorized modification or disclosure.

Integrity - Safeguarding the accuracy and completeness of information and computer software.

Availability - Ensuring that all systems, networks, applications and information are available and accessible by authorized users when they are required.

Assets - Protection from damage, loss or misuse of all computer and communications equipment, including computing and communications premises, data storage media, application/system computer programs and documentation.

According to INFOSEC, the value of an information asset may be expressed in terms of tangible values, such as the replacement costs of IT facilities, hardware, media, supplies, documentation, and the IT staff supporting the systems; intangible values, such as goodwill and the replacement costs of data; information values; and the data classification of the information stored, processed, or transmitted by the asset.

When we talk about the protection of information assets, we are dealing with two issues here:

1. The policy for offering protection

2. The technology that is in use for offering protection

NOTE: Practically speaking, copy protection is also a significant issue. If the software you use (which is part of your information assets) has a serial number you may be held liable for the illegal copies spawned from the original copy running on your computer system.

You need to have an idea of what it takes to shape a proper information assets protection policy. Then you know how to go ahead with an audit. Questions you may ask here:

l Does your organization have a written security policy?

l Does the policy identify all individuals responsible for implementing that policy and what their duties are?

l Does the policy identify the steps to be taken if there is a security breach?

l Does the policy identify what information it is most important to protect?

l Does the policy identify enforcement procedures that identify the penalties associated with a security breach?

l Is the policy known by all individuals who have the responsibility for implementing that policy?

l Has a security plan been developed based on the security policy?

Data classifications and layers of responsibility

The purpose of data classification is to indicate the level of confidentiality, integrity and availability that is required for each type of information.

The US classifications are (commercial scheme on the left, military scheme on the right, highest level first):

Commercial        Military
Confidential      Top Secret
Private           Secret
Sensitive         Confidential
Public            Sensitive but unclassified
                  Public

The Data Owners are the senior managers who are ultimately responsible for the protection and use of data. They often determine the data classification. The Data Custodians, on the other hand, are responsible for the maintenance and protection of data, such as making backups and performing restores. The staff of the IT department usually fill this role.

NOTE: Before you give classified information to anyone, you as the holder of the information MUST do whatever you can to ensure that the person to whom you are giving the information possesses the proper level of security clearance and has the “need-to-know”.

Security Policy

Policy is issued top down. It is signed by the top person in the organization, and compliance with it is mandatory. Procedures, on the other hand, tell the steps needed for attaining compliance.

The overall objective of a security policy is to control human behavior in an attempt to reduce the risk to information assets by accidental or deliberate actions. Top management should set a clear policy direction and demonstrate support for the maintenance of information security through the commitment to developing an information security policy across the organization. Such policy should apply to ALL business units and entities with access to information assets owned by or entrusted to the organization.

A Baseline IT Security Policy is a top-level directive statement that sets the minimum standards of a security specification for all departments of the organization. It states clearly what aspects are of paramount importance to a department. In other words, it provides the basic rules which must be observed as mandatory. On the other hand, security guidelines serve to introduce general concepts relating to Information Technology Security as well as elaborate interpretations on the Baseline IT Security Policy. They also provide some guidelines and considerations for defining detailed security requirements.

Support from the top management is a MUST! Therefore, the policy document MUST be approved by management and be communicated to all employees. It should EMPHASIZE management commitment and set out the organization.

Once the policy is defined and implemented, the policy owner should be held responsible for its maintenance and review according to a defined periodic review process (update and maintenance of the policy is very much a hands-on job). Such a process should ensure that a review takes place in response to any changes affecting the basis of the original risk assessment.

Ownership of critical information and systems should be assigned to capable individuals, with responsibilities clearly defined and accepted. Responsibilities of these owners should include:

a) determining business (and the relevant information security) requirements.

b) ensuring information and systems are protected in line with their importance to the organization.

c) determining which users are authorized to access particular information and systems.

d) ‘signing-off’ access privileges for each user or set of users.

e) defining information interchange agreements.

f) developing service level agreements.

g) ‘signing-off’ specifications for business requirements.

h) authorizing new or significantly changed systems.

i) ensuring users are aware of their security responsibilities and are able to fulfill them.

j) being involved with security audits/reviews.

These responsibilities should be clearly documented. Responsibilities for protecting information and systems should be communicated to ‘owners’ and accepted by them.

Do keep in mind, ALL USERS, NOT just the owners, have a responsibility to ensure the protection of information and computing assets!

And for the purpose of the exam, remember that the necessary components that fit together for effective security management practices are:

l Data classification

l Operational activities

l Safeguard selection

l Separation of duties

l Management security responsibilities

l Guidelines and procedures

l Risk assessment

l Policies and standards

l Security awareness.

The above are concerns at a broader level. At the actual admin level, on the other hand, questions you may ask concerning the hands-on management, enforcement and implementation of security procedures may include:

l How many system administrators does your organization have?

l Do your system administrators work full-time as system administrators?

l Are your system administrators contractor employees?

l Is there segregation of duties among system administrators?

l Does each system administrator have a backup person?

l Are program modifications approved by the configuration control function required to be installed by system administrators?

l Is there consistency in the implementation of security procedures by system administrators in the organization?

To ensure successful implementation of security policies and procedures, the three factors of security awareness training, namely Awareness, Training and Education, must be considered. Note that:

• Systems development staff need skills to design systems in a disciplined manner and develop security controls.

• IT staff need skills to run computer installations and networks correctly and apply security controls. Beware of the potential segregation of duties issue, though*.

• Business users need skills to use systems correctly and apply security controls.

• Information security specialists need skills to understand the business, run security projects, communicate effectively, and perform specialist security activities.

General questions you may ask concerning user training may include:

l Is there a formal information security training program within your organization?

l Are new employees required to receive security awareness training within a specified number of days after hiring?

l Are employees required to get updated security training at regular intervals?

* The risk of IT staff disrupting the running of the network either in error or by malicious intent should be reduced by the following measures:

a) segregating the duties of staff running the network from those developing/designing the network.

b) ensuring all network and external staff sign non-disclosure/confidentiality agreements.

c) minimizing reliance on key individuals by automating tasks as well as ensuring complete and accurate documentation.

d) organizing duties in such a way as to minimize the risk of theft, fraud, error and unauthorized changes to information.

e) screening applicants for positions that involve running the network through taking up references and checking career history.

Security Models and Modes of Operations

A model is a symbolic representation of a policy. It maps the desires of the policy into a set of rules to be followed by a computer system. It defines the dos and don’ts for achieving the goals of the security policies. Even though this is mostly theoretical material of little practical value, the exam will have quite a few questions on it.

The Bell-LaPadula Model was developed by the military in the 1970s to address leakage of classified information. Its main goal is confidentiality. A system using the Bell-LaPadula model would be classified as a multi-level security system. Bell-LaPadula is a state machine model, and could also be categorized as an information flow model.

The Biba Model is also a state machine model. It is similar to Bell-LaPadula except that it addresses data integrity rather than data confidentiality. The data integrity focus is characterized by three goals:

l Protection from modification by unauthorized users.

l Protection from unauthorized modification by authorized users.

l Internally and externally consistent.

The Clark-Wilson model takes a different approach to protecting integrity. Users cannot access objects directly, but must go through programs that control their access.

The various information flow models have one thing in common: they have each object assigned a security class or value. Information is constrained to flow only in the directions permitted by the security policy.

Based on the above mentioned models, several modes of operations can be developed for defining the security conditions under which the system actually functions.

l With the Dedicated Security Mode, all users have the clearance and the “need to know” to all the data within the system.

l With the System-High Security Mode, all users have clearance and authorization to access the information in the system, but not necessarily a need to know.

l With the Compartmented Security Mode, all users have the clearance to all information on the system but might not have need to know and formal access approval. Users can access a compartment of data only.

l The Multilevel Security Mode permits two or more classification levels of information to be processed at the same time. Users, however, do not have clearance for all of the information being processed.

Under Limited Access, the minimum user clearance is “not cleared” and the maximum data classification is “sensitive but unclassified”. Under Controlled Access, there is a limited amount of trust placed on system hardware and software.

Some questions you may ask when auditing user account related issues:

l What is the procedure for establishing accounts? What level of supervisor approval is required?

l Who has root/admin access to your systems?

l Can accounts be accessed remotely? If so, by whom? What kind of justification is required before remote access is permitted?

l What is the procedure for forgotten passwords?

l What is the procedure for closing accounts when an employee is terminated?

l What is the procedure for monitoring inactive accounts?

l What is the technical process by which accounts are established?
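Three of the questions above (who has root/admin access, what happens to accounts of terminated employees, and how inactive accounts are monitored) can be answered by a review script over the system's account listing. The following Python is an added example, not code from the study guide: the account records, the HR feed of current staff, the approved service-account list, the review date and the 90-day dormancy threshold are all constructed assumptions.

```python
"""User-account review: dormant, orphaned and privileged accounts.

Added example, not from the study guide. Runs three of the audit checks
listed above over a constructed account listing. The records, the HR feed,
the review date and the 90-day threshold are constructed assumptions.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2009, 6, 30)   # assumed date of the review
DORMANT_AFTER_DAYS = 90           # assumed policy threshold for inactivity

# Constructed account listing; last_login None means the account never logged in.
ACCOUNTS = [
    {"user": "alice",      "admin": True,  "enabled": True,  "last_login": date(2009, 6, 28)},
    {"user": "bob",        "admin": False, "enabled": True,  "last_login": date(2009, 1, 15)},
    {"user": "carol",      "admin": True,  "enabled": True,  "last_login": None},
    {"user": "dave",       "admin": False, "enabled": True,  "last_login": date(2009, 6, 1)},
    {"user": "erin",       "admin": True,  "enabled": True,  "last_login": date(2009, 5, 30)},
    {"user": "frank",      "admin": True,  "enabled": False, "last_login": date(2008, 12, 1)},
    {"user": "svc_backup", "admin": True,  "enabled": True,  "last_login": date(2009, 6, 29)},
]

# Constructed HR feed of current employees, and the approved service accounts.
CURRENT_STAFF = {"alice", "bob", "dave"}
APPROVED_SERVICE_ACCOUNTS = {"svc_backup"}


def dormant_accounts(accounts, as_of=REVIEW_DATE, threshold_days=DORMANT_AFTER_DAYS):
    """Enabled accounts with no login within threshold_days of as_of (or ever).
    Disabled accounts are skipped: they are already closed."""
    cutoff = as_of - timedelta(days=threshold_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff))


def orphaned_accounts(accounts, staff=CURRENT_STAFF, service=APPROVED_SERVICE_ACCOUNTS):
    """Enabled accounts whose holder is neither current staff nor an approved
    service account: the 'terminated employee still has an account' check."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] not in staff and a["user"] not in service)


def privileged_accounts(accounts):
    """Who currently has root/admin access (disabled accounts excluded)."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["admin"])


def review(accounts):
    """Bundle the three findings into one report dict."""
    return {"dormant": dormant_accounts(accounts),
            "orphaned": orphaned_accounts(accounts),
            "privileged": privileged_accounts(accounts)}


if __name__ == "__main__":
    for finding, users in review(ACCOUNTS).items():
        print(f"{finding:10s}: {', '.join(users) or '(none)'}")
```

The interesting finding is an account that shows up in more than one list: carol is privileged, dormant and orphaned at once, which is exactly the combination the auditor should escalate first.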

Example Policy

The role of the CIO and his/her peers involves developing and publishing policy in consultation with Business Units and Service Providers as well as promoting the development of the various supporting standards and Guidelines.

Below is an example of the terms included in a real-life security policy:

1. Sample company information technology assets must not be used for private commercial purposes.

2. Users must not breach copyright, nor use facilities for illegal purposes.

3. Users must protect Sample company and vendor intellectual property.

4. Users, external suppliers and clients must, on request, sign a confidentiality agreement in respect of the use of IT facilities, documentation and data, including non-disclosure of Sample company information to third parties.

5. All users must abide by Sample company acceptable use policies for e-mail and Internet and not download, transmit, distribute or store any harassing or obscene messages and files, or any objectionable material via a Sample company PC or network. This includes the use of insulting, sexist, racist, obscene, suggestive or any other inappropriate language.

6. All users are personally accountable for their own logon-id and password. Passwords must not be disclosed nor shared.

7. The Standards and Guidelines supporting this policy form part of the Policy.

8. Users are responsible for meeting published information technology standards, guidelines and acceptable use policies.

9. Appropriate levels of security and encryption will be used when communicating electronically with external parties. All items for encryption must be authorized and copies of encryption keys must be lodged with the IT Security Officer.

10. Any variations or departures from the IT Security Policy must be endorsed by the Chief Information Officer and must be available for audit.

11. Sample company reserves the right to monitor usage and electronically record security breaches to ensure compliance is maintained.

12. All Sample company PCs will be loaded with virus checking software. Users must not disable or change the configuration settings of this software unless directed to do so by an appropriate Technology Group staff member.

13. Authorization must be obtained from the appropriate Technology Group before any form of communications equipment, including modems, is attached to the Sample company IT Network.

Consequences of violations

In order for a security policy to be effective, the CONSEQUENCES OF SECURITY POLICY VIOLATIONS must be clearly defined upfront. In fact, any security exposures, misuse or non-compliance must be reported as soon as an occurrence is identified. Failure to comply with the Information Technology Security Policy and supporting sub-policies may lead, for internal staff, to disciplinary procedures and, for external suppliers and consultants, to the suspension of contracts and withdrawal of access to the organization’s information systems, etc.

Evaluation

The US Dept of Defense has developed TCSEC (Trusted Computer Systems Evaluation Criteria), broadly known as the “Orange Book”, to provide a graded classification for computer system security. The graded classification hierarchy has four levels:

A – Verified Protection

B – Mandatory Protection

C – Discretionary Protection

D – Minimal Security

The evaluation criteria involve four main areas: Security Policy, Accountability, Assurance and Testing. Note that the Red Book is an interpretation of the Orange Book for networks and network components. The Red Book TNI ratings are:

l None

l C1 – Minimum

l C2 – Fair

l B2 – Good

Organization specific classification scheme

There may be a need for an organization-specific security classification scheme that applies across your organization, which should be used to determine varying levels of the importance of information or systems and the sensitivity of information or systems. Such a security classification scheme should take account of the possible business impact of a loss of confidentiality, integrity or availability of information, and be used to classify information held in electronic or paper form, software and hardware. It should be applied to business applications, computer installations, networks and systems under development, with the purpose of explaining how to resolve conflicting classifications.

A comprehensive security classification scheme should require that critical information and systems be distinguished from other information and systems, and that information and systems be protected in line with their classification. It has to be signed off by the relevant business owners, and its security classifications have to be reviewed whenever changes are made.

Change control

Change control is an important element – it describes the procedures for making and controlling changes to information. Put it this way, change control procedures restrict the way people make changes to information assets.

The five general procedures for implementing change control are:

‧ Applying to introduce a change

‧ Cataloging the intended change

‧ Scheduling the change

‧ Implementing the change

‧ Reporting the change to appropriate parties

Change Control is critical to software development as well. Refer to the section on Change Management for more information.

Business Continuity Planning

“According to a recent Gartner Group document, a business continuance plan should include: a disaster recovery plan, which specifies an organization's planned strategies for post-failure procedures; a business resumption plan, which specifies a means of maintaining essential services at the crisis location; a business recovery plan, which specifies a means of recovering business functions at an alternate location; and a contingency plan, which specifies a means of dealing with external events that can seriously impact the organization”.

Definition

Business continuity is a term that describes the processes and procedures an organization puts in place to ensure that essential functions can continue during and after a disaster. Business continuity planning seeks to prevent interruption of mission-critical services, and to reestablish full functioning as swiftly and smoothly as possible.

From a practical standpoint, you must understand that it may not be practical for any but the largest business functions to maintain full functioning throughout a disaster crisis. You cannot afford to keep everything running non-stop due to the high cost involved. In fact, the very first step in business continuity planning is deciding which of the organization's functions are essential, and apportioning the available budget accordingly.

BCP vs BPCP vs DRP

Should it be called Business Continuity Planning (BCP)? Business Process Contingency Planning (BPCP)? Or Disaster Recovery Planning (DRP)? Traditionally, planning for the restoration and continuation of IT infrastructure services to support mission-critical business processes was referred to simply as DRP. Still, at the end of the day their objectives are very similar. Contingency planning is a popular term to use. So is disaster recovery planning.

One DRP-related term is Fault Tolerance. Fault-tolerance (also known as graceful degradation) is the property that enables a system to continue operating properly in the event of the failure of some of its components. Fault-tolerance is particularly sought after in high-availability or life-critical systems. With a fault-tolerance mechanism in place you are subject to far less disruption when things go wrong.

BCP Phases

The phases of development for any BCP (Business Continuity Planning) program should include:

l Initiation

l Business impact analysis

l Strategy development

l Plan development

l Implementation

l Testing

l Maintenance

The four most important elements of a BCP are:

l Scope plan initiation

l Business impact Analysis – includes vulnerability assessment

l Business continuity plan development

l Plan approval and implementation

The key phrase in business continuity is "reduce risk", which means to prepare for any event that could jeopardize your business’s ability to operate. If disaster strikes, companies have everything to lose: critical data, profits, information, etc., all of which are critical to the running of any company.

BCP should not be a pure IT call. In fact, it should be considered as a business call. It should be developed by a team representing ALL functional areas of the organization.

BCP is in fact a project. Managing a BCP is like managing a project. A formal project needs to be established, and activities should commence only when the project has been approved by the Board of Directors of the organization.

Stakeholders and crisis communications

You will need to take into account the various stakeholders in the equation. Below are the stakeholders that will most likely be involved:

l Internal (corporate and business unit level) groups

l External groups (customers, vendors, suppliers, public, INSURANCE COMPANIES)

l External agencies (local, state, national governments, emergency responders, regulators, etc.)

l Media (print, radio, television, Internet)

Important points to remember regarding the arrangement with these stakeholders for handling emergencies shall include:

l A list of important contacts must be maintained at all times by several key people in the organization. One of these key people must be available off-site (imagine what can happen if all the key people get buried in the destroyed building).

l Determine the chain of command structure – who should be in charge if, let’s say, the president may never be available again?

l Each business unit should have at least one person assigned to keep a list of contacts of all the staff within the unit – during a tragedy there is a need to find out who is still missing. There is also a need to keep the family members of the staff fully informed on what is happening.

l A crisis communication plan must always be in place. Communications must be properly maintained with the outside world during the tragedy. You will need help from various external agencies. In fact, get in touch with these agencies regularly to determine how you all can work together in the case of emergency. You will also want to let your customers know that everything is under control and there is no need for them to worry too much.

l It will be very ugly if the person in charge of the organization is the last one who is informed of the tragedy. When something goes wrong, the CEO is often the target of the media. Do NOT upset the media. Do NOT upset the reporters.

The Risk Assessment Flow

As said previously, Security Risk Assessment can be defined as a process of evaluating security risks related to the use of information technology. It is conducted at the very beginning for identifying what security measures are required, and again when there is a change to the information asset or its environment. Assessing security risk should therefore be treated as the initial step to evaluate and identify risks and consequences associated with vulnerabilities. It provides a basis for company management to establish an effective security program. Based on the assessment results, you develop security policies and guidelines, assign security responsibilities and implement technical security protections. You then perform cyclic compliance reviews and re-assessment to assure that security controls are properly put into place to meet users' security requirements, and to cope with the rapid environmental changes of all kinds. You would need to rely on continuous feedback and monitoring to achieve this.

Security risk assessment has to be treated as an on-going activity. It should be conducted at least once every two years to explore the risks in your information systems. Do understand that a security risk assessment can only give a snapshot of the risks at a particular time. Therefore, for mission-critical information system, you should conduct security risk assessment more frequently.

High-level Assessment emphasizes the analysis of the overall infrastructure or design of a system in a more strategic and systematic approach. Comprehensive Assessment is typically conducted periodically for the security assurance of all information systems or selected information systems of a particular department. Pre-production Assessment is commonly conducted on new information systems before they are rolled out.

Prior to conducting a risk assessment you should get yourself started by building up a solid knowledge base. You need to know the current and historical internal environment, the current and historical external environment, internal and external dependencies and vulnerabilities, threat profiles, as well as countermeasure choices and related costs.

Throughout the different stages of a security risk assessment a large amount of data and system configurations will have to be collected, some of which may contain sensitive information. Therefore, you must ensure all the collected data are stored securely. The use of file encryption tools and a lockable cabinet/room should be planned early.

The kinds of information that are often desired for performing an assessment, as recommended by INFOSEC, include:

l Security requirements and objectives

l Information available to the public or found in the web pages

l Physical assets such as hardware equipment

l Systems such as operating systems, network management systems

l Contents such as databases and files

l Applications and servers information

l Network such as supported protocols and network services offered

l Access controls process, application operation process, etc.

l Identification and authentication mechanisms requirements

l Documented or informal policies and guidelines

According to INFOSEC, the assessment process of a system should include the identification and analysis of a number of elements, including:

- all assets of and processes related to the system

- threats that could affect the confidentiality, integrity or availability of the system

- system vulnerabilities to the threats

- potential impacts and risks from the threat activity

- protection requirements to control the risks

- selection of appropriate security measures and analysis of the risk relationships

You may collect this information using General Control Review, System Review and Vulnerability Identification. With General Control Review you identify threats arising from the existing general security processes by examining the systems through interviews, site visits, documentation review, observation, etc. System Review focuses on system elements such as system files or logs, running processes, access control files, user listings, configuration settings, security patch level, etc. Vulnerability Identification would often involve using automated tools such as vulnerability scanning and penetration testing over the network.

One important element to consider when preparing your risk assessment is to estimate the potential losses to which a business is exposed. The objective of the loss potential estimate is to identify critical aspects of the business operation and to place a monetary value on the loss estimate. The second step of the risk analysis is to evaluate the threats to the business. The third step is to combine the estimates of the value of potential loss and the probability of loss to develop an estimate of annual loss expectancy (ALE). The purpose is to pinpoint the significant threats as a guide to the selection of security measures, and to develop a yardstick for determining the amount of money that is reasonable to spend on each of them.

Risk VS Threat and Vulnerability

The traditional definition of risk:

Risk is the product of threat and vulnerability. This model of risk is appropriate for assets where applicable threat data can be well predicted from historical events.

One way to represent this is:

Risk = Threat x Vulnerability

Note that this model of risk assumes that we have knowledge of our vulnerabilities and our threats.


A threat is typically defined as an event (such as a flood, tornado or computer virus outbreak) of low probability yet high damage, which is why it catches your attention. The chance of the event occurring is expressed as a probability. There is no fixed time constraint, but the event will likely happen over some defined period of time, and there exists a probability that describes the frequency of such an event. A vulnerability, on the other hand, is usually defined as a weakness that can be exploited in some very negative way by the threat.

You perform Threat Analysis to identify the threats and to determine the likelihood of their occurrence and their potential to harm systems or assets. System error or control logs are usually good sources of data for this.

Social threats are directly related to human factors, which can be intentional or unintentional. Technical threats are usually caused by technical problems. Environmental threats are usually caused by environmental disasters.

Identifying Risks

The key part of the BCP process is the assessment of the potential risks to the business which could result from disasters or emergency situations. You MUST consider ALL the possible incidents and the impact that follows. Examples of the risks that are possible for any organization include (but are not limited to):

- Environmental Disasters

- Deliberate Disruption (e.g. terrorist attack)

- Loss of Utilities and Services

- Equipment or System Failure

- Serious Information Security Incidents

Risk results may be analyzed using qualitative and quantitative methods and/or a matrix approach. With the qualitative method you use descriptive word scales or rankings of significance/severity based on experience and judgment; it is more subjective in nature. The quantitative method, on the contrary, uses numerical information to arrive at percentages or numerical values. Generally speaking, a qualitative method is better for initial screening, while a quantitative method is better suited to detailed and specific analysis of critical elements and to further analysis of high-risk areas. A matrix approach involves documenting and estimating the three major security protection needs, confidentiality, integrity and availability, at three different levels of severity (high, medium, low). The risk level is then ranked based on the criticality of each risk element. The idea is that risk interpretation should be limited to the most significant risks, so as to reduce the overall effort and complexity.
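The matrix approach just described and the earlier Risk = Threat x Vulnerability model can be combined into a simple qualitative ranking. The Python below is an added example, not code from the guide or from ISACA: it rates each risk's threat, vulnerability and C/I/A protection needs on the high/medium/low scale, takes the highest C/I/A rating as the asset's criticality, multiplies the three ordinal values, and then keeps only the significant risks. The ordinal scale, the level thresholds and the sample register are constructed assumptions.

```python
"""Added example: qualitative risk ranking with the matrix approach.

Combines Risk = Threat x Vulnerability with the C/I/A severity matrix
(high/medium/low). Scales, thresholds and the register are constructed
assumptions, not values from the study guide.
"""
from dataclasses import dataclass

# Ordinal scale for the high/medium/low ratings used by the matrix approach.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskItem:
    name: str
    threat: str           # likelihood of the threat: low / medium / high
    vulnerability: str    # how exploitable the weakness is: low / medium / high
    confidentiality: str  # protection need for each security objective
    integrity: str
    availability: str


def criticality(item: RiskItem) -> int:
    """Matrix approach: the protection need is set by the highest C/I/A rating."""
    return max(LEVEL[item.confidentiality], LEVEL[item.integrity],
               LEVEL[item.availability])


def risk_score(item: RiskItem) -> int:
    """Risk = Threat x Vulnerability, weighted by the asset's criticality (1..27)."""
    return LEVEL[item.threat] * LEVEL[item.vulnerability] * criticality(item)


def risk_level(score: int) -> str:
    """Map the numeric score back onto the word scale (thresholds are an assumption)."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank_risks(items, significant_only=True):
    """Return [(name, score, level)] in descending order of score.

    With significant_only=True the 'low' entries are dropped, so that
    interpretation effort is limited to the most significant risks.
    """
    ranked = sorted(((i.name, risk_score(i), risk_level(risk_score(i))) for i in items),
                    key=lambda row: row[1], reverse=True)
    if significant_only:
        ranked = [row for row in ranked if row[2] != "low"]
    return ranked


# Constructed risk register for illustration only.
SAMPLE_REGISTER = [
    RiskItem("payroll database: unpatched DBMS", "medium", "high", "high", "high", "medium"),
    RiskItem("public website: defacement", "high", "medium", "low", "medium", "medium"),
    RiskItem("training lab PC: malware", "medium", "medium", "low", "low", "low"),
    RiskItem("server room: flooding", "low", "high", "low", "low", "high"),
]

if __name__ == "__main__":
    for name, score, level in rank_risks(SAMPLE_REGISTER, significant_only=False):
        print(f"{level:6} {score:2}  {name}")
```

Because the scale is ordinal, the product only orders risks; it says nothing about monetary loss, which is what the quantitative models in the next section add.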

Loss Calculations

The 3 major models are:

- Single Loss Expectancy (SLE)

- Annualized Loss Expectancy (ALE)

- Cumulative Loss Expectancy (CLE)

The Single Loss Expectancy model is the model upon which the Annualized Loss Expectancy and Cumulative Loss Expectancy models are based. This simple (and less accurate) model has its roots in accounting, with the purpose of determining how much value in terms of dollars will be lost, and is often used to express the results in a financial impact analysis.


The Annualized Loss Expectancy model comes (relatively) closer to painting an accurate picture of risk by adding the probability of an event happening over a single year. To reach an answer, you first calculate the Single Loss Expectancy. You then multiply the Single Loss Expectancy by the annualized rate of occurrence to produce the Annualized Loss Expectancy. The formula looks like this:

Single Loss Expectancy x Annualized Rate of Occurrence = Annualized Loss Expectancy

The Cumulative Loss Model approaches risks by taking into account all of the bad things that are likely to happen to your business over the next year. You will need to look at each threat, the probability of each threat against your business, and then derive an expected loss. You can take all of the threats, and compute the annual rate of each threat occurring. This is a relatively complicated model and is less emphasized in the exam.
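The three models above, worked through in code. This Python is an added example and not part of the guide: SLE is taken as asset value times exposure factor, ALE as SLE times the annualized rate of occurrence, and CLE as the sum of the ALEs of every threat considered for the year. It also applies the "yardstick" from the loss calculation discussion by comparing the ALE reduction a control buys against the control's annual cost. The asset values, exposure factors, rates and control cost are constructed figures.

```python
"""Added example: SLE, ALE and CLE as the guide defines them.

SLE = asset value x exposure factor; ALE = SLE x annualized rate of
occurrence; CLE = sum of the ALEs of every threat considered for the year.
All threat figures below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: monetary value of the exposed asset
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    annual_rate: float      # ARO: expected occurrences per year (0.1 = once in ten years)


def single_loss_expectancy(t: Threat) -> float:
    """SLE: value lost in a single occurrence of the threat."""
    return t.asset_value * t.exposure_factor


def annualized_loss_expectancy(t: Threat) -> float:
    """ALE: SLE x ARO, the loss expected over a single year."""
    return single_loss_expectancy(t) * t.annual_rate


def cumulative_loss_expectancy(threats) -> float:
    """CLE: the ALEs of all threats to the business added up for the coming year."""
    return sum(annualized_loss_expectancy(t) for t in threats)


def control_net_benefit(t: Threat, annual_control_cost: float, residual_rate: float) -> float:
    """Yardstick for spending on a security measure.

    Returns (ALE before) - (ALE after the control lowers ARO to residual_rate)
    - annual cost of the control. A positive value means the spend is justified.
    """
    after = replace(t, annual_rate=residual_rate)
    saved = annualized_loss_expectancy(t) - annualized_loss_expectancy(after)
    return saved - annual_control_cost


# Constructed threat list (not taken from any real assessment).
SAMPLE_THREATS = [
    Threat("ransomware on file server", 200_000.0, 0.5, 0.2),  # SLE 100,000; ALE 20,000
    Threat("server room flooding", 1_000_000.0, 0.3, 0.05),    # SLE 300,000; ALE 15,000
    Threat("laptop theft", 4_000.0, 1.0, 3.0),                  # SLE 4,000; ALE 12,000
]

if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        print(f"{t.name:28} SLE={single_loss_expectancy(t):>10,.0f} "
              f"ALE={annualized_loss_expectancy(t):>10,.0f}")
    print(f"CLE={cumulative_loss_expectancy(SAMPLE_THREATS):,.0f}")
    # Offline backups assumed to cut the ransomware ARO from 0.2 to 0.05 at 8,000 per year.
    print(f"net benefit of backup control: "
          f"{control_net_benefit(SAMPLE_THREATS[0], 8_000.0, 0.05):,.0f}")
```

Note that the laptop threat has the smallest SLE but, because it recurs several times a year, contributes almost as much to the CLE as the flood; ALE is what makes frequent small losses comparable with rare large ones.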


From a CISA point of view, of particular importance when considering business risks and the impact of potential emergencies is the disruption to, and availability of, IT services and communications that are supposed to run 24x7.

As an IS auditor, some of the more important issues that should be considered when assessing the level of risk associated with IT services and communications include:

- Specification of IT and Communications Systems and Business Dependencies

- Key IT, Communications and Information Processing Systems

- Key IT Personnel and Emergency Contact Information

- Key IT and Communications Suppliers and Maintenance Engineers

- Existing IT Recovery Procedures


At the end of the day you want to know how the IT function can continue should something go seriously wrong. Contingency planning is therefore a critical factor to consider. Questions you should ask may include:

- Does your organization have a contingency plan for dealing with natural and man-made disasters? If so, who maintains the contingency plan and who is responsible for its implementation?

- Does your organization have an uninterruptible power supply (UPS) to increase the possibility of an orderly shutdown without loss of data?

- Does the contingency plan identify and prioritize the resources that are most important to protect in an emergency?

- Is the contingency plan tested periodically?

Business Impact Analysis defined

The BIA is an evaluation of the strengths and weaknesses of your company’s disaster preparedness and the impact an interruption would have on your business.


Every BIA should include an exploratory component to reveal any vulnerabilities, and a planning component to develop strategies for minimizing risk. A well-done BIA should be capable of identifying the costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits, etc.

The result of analysis is a business impact analysis report, which describes the potential risks specific to the organization studied. It should quantify the importance of business components and suggest appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance.

BIA goals and steps

As part of the risk assessment effort, business impact analysis has 3 primary goals:

- Criticality Prioritization: Critical business units must be identified and prioritized.

- Downtime Escalation: Estimate the maximum tolerable downtime.

- Resource Requirements: Identify resource requirements for the critical processes.

Business impact analysis generally involves 4 steps:

1. Gathering the needed assessment materials

2. The vulnerability assessment

3. Analyzing the information compiled

4. Documenting the results and presenting recommendations to management.

BIA checklist

You will need inputs from both the top management and the line managers.

- Determine the business areas

- For each business area, determine the business processes and identify the essential processes.


- For the business processes, estimate the costs of failure:

  What are the costs of non-performance?

  What are the costs of late performance?

  What is the maximum tolerable delay in performance?

- Determine attributes for the business processes:

  Description of process

  Frequency of process

  Manpower requirements (numbers, skills, who does what)

- Establish communication facilities required

- Establish IT facilities required

- Establish non-IT facilities required

- Establish clerical requirements

- For the business processes, establish the minimum resources required to operate.

- Prioritize essential business processes. This is VERY IMPORTANT. One key assumption behind every BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster.

- Summarize the requirements for the business processes:

  Determine the minimum acceptable backup plan

  Determine the minimum acceptable recovery configuration

  Determine the time scales

- Consider alternative backup/recovery solutions (cost/benefit analysis, hot site vs. cold site)

- Determine the Backup and Business Recovery Strategy

Preparing for emergency


To minimize the effects of potential emergencies, focus must be placed on those business activities that are key to the continued viability of the business, such as:

- Back-up and Recovery Strategies

- Key BCP Personnel and Supplies

- Key Documents and Procedures

Backup is critical. Key questions here include:

- Does your organization have backup policies and procedures?

- How often are system and user backups performed?

- Who is authorized to perform backups?

- Are backup media stored in a secure location offsite?

- Are backup media tested regularly for restorability/recoverability of files?

- Can an operational capability be restored within acceptable time constraints?

- What are the policies and procedures regarding archived data?
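The restorability and time-constraint questions above are the ones most often answered by assertion rather than evidence. The Python script below is an added example, not part of the guide, of what a small restore test looks like: it copies constructed sample files to a "backup" location, records a SHA-256 manifest, restores into a fresh directory, verifies every restored file against the manifest and compares the elapsed time with an assumed recovery time objective. It also shows what a failed test looks like when the backup copy has been damaged. File names, contents and the time limit are all constructed.

```python
"""Added example: a restore test with integrity verification and an RTO check.

Everything here (files, directory layout, time limit) is constructed for
illustration; real tests run against the organisation's own backup media.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup: Path) -> dict:
    """Copy every file under source into backup; return {relative path: sha256}.

    The manifest is the evidence the auditor later checks restores against.
    """
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source)
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[str(rel)] = sha256_of(path)
    return manifest


def restore_and_verify(backup: Path, target: Path, manifest: dict) -> list:
    """Restore into target and list the files whose contents do not match the manifest."""
    shutil.copytree(backup, target)
    return [rel for rel, digest in manifest.items()
            if not (target / rel).is_file() or sha256_of(target / rel) != digest]


def restore_test(rto_seconds: float, corrupt_media: bool = False) -> dict:
    """Run one end-to-end restore test and report the result.

    corrupt_media=True overwrites one backup file to simulate unreadable or
    damaged media, which a test that only checks 'the files exist' would miss.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, target = root / "live", root / "offsite", root / "restored"
        source.mkdir()
        # Constructed sample data standing in for production files.
        (source / "ledger.csv").write_text("2009-01-05,INV-001,1250.00\n")
        (source / "config").mkdir()
        (source / "config" / "app.ini").write_text("[db]\nhost=db01\n")

        manifest = make_backup(source, backup)
        if corrupt_media:
            (backup / "ledger.csv").write_bytes(b"\x00" * 8)

        start = time.monotonic()
        mismatches = restore_and_verify(backup, target, manifest)
        elapsed = time.monotonic() - start
        return {
            "files": len(manifest),
            "mismatches": mismatches,
            "elapsed_seconds": elapsed,
            "within_rto": elapsed <= rto_seconds,
            "passed": not mismatches and elapsed <= rto_seconds,
        }


if __name__ == "__main__":
    print("good media:", restore_test(rto_seconds=5.0))
    print("damaged media:", restore_test(rto_seconds=5.0, corrupt_media=True))
```

The point for the auditor is the manifest: without a content hash taken at backup time, a restore that completes "successfully" with silently corrupted data is indistinguishable from a good one.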

The key personnel and the IT staff should be well trained to handle emergency situations and incidents. Ask these questions:

- Have users and system administrators received training on how to carry out their respective responsibilities when an incident occurs? Do they receive awareness reminders and periodic refresher training?

- Does your organization maintain a knowledge base of past incidents and “lessons learned” for future use?

Managing recovery


One critical part of handling any serious emergency situation is the management of the Disaster Recovery Phase. Remember, the priority during recovery is ALWAYS the safety and well-being of the employees and other involved persons. LIFE is the most important asset. Other priorities include the minimization of the emergency itself, the removal or minimization of the threat of further injury or damage, and the re-establishment of external services (power, telecom, etc.).

The Business Recovery Phase will then follow directly on from the Disaster Recovery Phase. This Phase involves the restoration of normal business operations. From a business perspective, this is the most critical phase of the whole BCP exercise as the efficiency and effectiveness of the procedures here could have a direct bearing on the organization’s ability to survive the emergency.

From an IS standpoint, the following items are critical for a business to truly recover:

- Power and Other Utilities

- Premises, Fixtures and Furniture

- Communications Systems

- IT Systems

- Production and Other Equipment

- Information and Documentation

Testing the plan

The effectiveness of the BCP in emergency situations can only be assessed if rigorous testing is carried out under realistic conditions. Therefore, the BCP should be tested within a realistic environment, simulating the conditions applicable in an actual emergency. All persons who will be involved in recovering a particular business process during an emergency should be REQUIRED to participate in the testing process.

The BCP test itself should be carefully planned as well. The planning activities are outlined below:

- Develop Objectives and Scope of Tests

- Set Up the Test Environment

- Prepare Test Data

- Identify Who is to Conduct the Tests

- Identify Who is to Control and Monitor the Tests

- Prepare Feedback Questionnaires

- Prepare Budget for Testing Phase

- Train a Core Testing Team for each Business Unit

The following activities must be emphasized during the test:

1. Test each part of the Business Recovery Process

2. Test Accuracy of Employee and Vendor Emergency Contact Numbers

3. Assess Test Results

The test process gives IS auditors a good chance to see if the IS controls relevant to BCP actually work as planned.


User Acceptance

For user acceptance testing, each user should create a test script designed to validate the accuracy and performance of their application in a contingency environment. The test scripts should be defined so that they give a clear indication of whether or not the users can do business as usual, as stated in their recovery requirements.

Users should be asked to provide their views on the testing process and on the results of the test. The users should also provide comments regarding improvements and modifications that they would like to see as a result of the test. Upon completion a user sign-off sheet should be provided for this purpose and must be signed off by a manager of the business.

Plan maintenance

In today’s world, the pace of change will never slow down but will continue to increase. It is necessary for the BCP to keep pace with these changes in order for it to be useful in the event of a disruptive emergency.


To ensure that the BCP is regularly updated, the following must be established:

- Change Control Procedures for Updating the Plan

- Responsibilities for Maintenance of Each Part of the Plan

- Test All Changes to the Plan

- Advise the Person Responsible for BCP Training

The IS auditor, when appropriate, should assist in the process by checking whether the controls and procedures for the update process are properly implemented and followed.

For your interest, take a look at the following fragment of a real world audit report with BCP involved:

Has the Department Adequately Planned For the Actions It Must Take In the Event Of A Disaster To Minimize the Loss of Computer Operations?


An organization needs good business continuity planning in order to quickly recover critical operations after a disaster. Business continuity planning addresses an organization's ability to continue functioning when normal operations are disrupted. By necessity, it includes planning for contingencies and disaster recovery, and is focused on the computer functions that are most necessary to continued agency operations. Continuity planning enables an organization to minimize the loss of communications and important computer operations during an emergency.

The Department has done little business continuity planning for its critical computer programs. Department management have implemented some sound practices, such as a system for backing up critical data. However, the Department doesn't meet many other planning standards. We found problems such as the following:

- The Department hasn't conducted a risk analysis to assess possible disaster scenarios or threats

- The existing continuity plan doesn't assign roles and responsibilities to specific staff, and is limited in the recovery instructions it gives

- The Department hasn't made any arrangements for off-site processing for its critical computer programs.

Incident Handling

The major activities involved in the planning and preparation of an incident handling mechanism should, as a minimum, include:

- Security Incident Handling Plan

- Reporting Procedure

- Escalation Procedure

- Security Incident Response Procedure

- Training and Education

- Incident Monitoring Measures


There has to be a proper reporting procedure in place so that, in case an incident occurs, all parties involved know whom they should report to, in what way, and what should be noted and reported. Such a reporting procedure should have a clearly identified point of contact and comprise simple but well-defined steps to follow. It should be widely published to all concerned staff for their information and reference. You should ensure that all related staff are familiar with the reporting procedure and are capable of reporting a security incident immediately.

There must also be a comprehensive escalation procedure. Such a procedure defines the way to escalate the incident to management and relevant parties, ensuring that important decisions are promptly taken. You need to put in place a contact list for addressing the legal, technical and managerial issues that arise at the different stages of security incident handling. You should set out the points of contact with their contact information, as well as the various levels of notification, based on the type and severity of the impact caused by the incident.
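The reporting and escalation procedures above can be written down as data rather than left to memory. The Python below is an added example, not part of the guide: it checks that an incident report carries the fields the procedure says must be noted, then walks a time-based escalation ladder in which each level is allowed a fixed period to acknowledge before the next level is notified, with extra parties added by incident type. The roles, time limits, severity mapping and required fields are constructed placeholders standing in for an organization's own contact list.

```python
"""Added example: reporting checklist plus a time-based escalation ladder.

Roles, time limits, severity mapping and required report fields are all
constructed placeholders, not values from the study guide.
"""

# What a reporter must note before the report is accepted (constructed list).
REQUIRED_FIELDS = ("reporter", "contact", "time_observed", "systems_affected", "description")

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Escalation ladder: (role to notify, minutes it may remain unacknowledged at
# this level before the next level is notified; None = top of the ladder).
LADDER = [
    ("service desk (single point of contact)", 30),
    ("system owner and IT security manager", 60),
    ("head of IT and legal counsel", 120),
    ("senior management", None),
]

# Additional parties that must be informed regardless of severity, by incident type.
TYPE_CONTACTS = {
    "personal data disclosure": ["legal counsel", "data protection officer"],
    "malicious code outbreak": ["anti-virus vendor support"],
    "intrusion": ["network operations"],
}


def missing_report_fields(report: dict) -> list:
    """Return the required fields that are absent or empty in a report."""
    return [f for f in REQUIRED_FIELDS if not report.get(f)]


def initial_level(severity: str) -> int:
    """Higher severities enter the ladder higher up (mapping is an assumption)."""
    return {1: 0, 2: 0, 3: 1, 4: 2}[SEVERITY[severity]]


def parties_to_notify(incident_type: str, severity: str, minutes_since_report: int,
                      acknowledged: bool = False) -> list:
    """Roles that must have been notified by now.

    Each unacknowledged level gets its time limit; once it is exceeded the
    clock restarts at the next level. Acknowledgement stops the climb.
    """
    level = initial_level(severity)
    notified = [LADDER[level][0]]
    remaining = minutes_since_report
    while not acknowledged:
        limit = LADDER[level][1]
        if limit is None or remaining <= limit:
            break
        remaining -= limit
        level += 1
        notified.append(LADDER[level][0])
    return notified + TYPE_CONTACTS.get(incident_type, [])


if __name__ == "__main__":
    # Constructed report from a user.
    report = {"reporter": "j.doe", "contact": "ext. 4120", "time_observed": "2009-03-02 09:15",
              "systems_affected": "web01", "description": "defaced home page"}
    print("missing fields:", missing_report_fields(report))
    for minutes in (0, 45, 100):
        print(minutes, "min, unacknowledged:",
              parties_to_notify("intrusion", "low", minutes))
```

Recording the ladder this way makes the escalation procedure itself auditable: the auditor can compare the notifications actually sent during an incident with what the procedure required at that elapsed time.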

The system or functional area's manager must establish a security incident response procedure to guide the security incident response team through the incident handling process. Moreover, a sufficient level of security measures for incident monitoring must be implemented to protect the system during normal operation as well as to monitor for potential security incidents. For example, you want to install firewalls and apply authentication and access control measures to protect important system and data resources. You also want to install intrusion detection tools to proactively monitor, detect and respond to system intrusions or hacking. It may also be a good idea to install anti-virus and malicious code detection and repair software to detect and remove computer viruses and malicious code, and to prevent them from affecting system operation.


Risk Management

“Risk is a concept that auditors and managers use to express their concerns about the probable effects of an uncertain environment. Because the future cannot be predicted with certainty, auditors and managers have to consider a range of possible events that could take place” [5].

“Risk management is a discipline for dealing with uncertainty” [6].

As David McNamee explains in his article “Management Control Concepts”, uncertainty and randomness exist in nature, so risk is not something to be worried or concerned about but something to be managed. In fact, managing a range of risks is required for both survival and success in today's environment.

Every organization can and should use risk management strategies and tools to protect vital assets.

[5] http://www.mc2consulting.com/riskart2.htm

[6] http://www.nonprofitrisk.org/tutorials/rm_tutorial/2.htm


The discipline of risk management aims at helping an organization to identify, assess and control risks that may be present in operations, service delivery, staffing, and governance activities.

Good risk management can reduce legal costs and may avoid lawsuits altogether. Remember, legal cost is one of the worst nightmares an organization can ever have.

Risk management defined

The risk management process provides a framework for identifying risks and deciding what to do about them. Since not all risks are created equal, risk management does not simply identify risks but also weighs the various risks and decides which of them deserve immediate attention.

The risk management steps

The steps involved in proper risk management shall include:


- Context establishment: begin a risk management program by setting goals and identifying any potential barriers or impediments to the implementation of the program.

- Risk identification: categorize risks according to the major categories of assets of the organization in question.

- Risk evaluation and prioritization: establish a list of risk-related action items in priority order.

- Strategy selection and implementation: use risk management techniques to address virtually every risk your organization is facing. Such techniques should include:

  - Avoidance: do not offer programs that pose too great a risk.

  - Modification: modify an activity to make it safer for all involved.

  - Retention: make conscious decisions to retain risk.

  - Sharing: share risk with another organization through contractual arrangements, such as insurance contracts and risk management service contracts.

- Program update: keep the risk management techniques and plans periodically reviewed and updated to make certain that they remain the most appropriate strategy.

Always remember, people are the irreplaceable heart and soul of your organization. Risks to people's lives always deserve the most attention.

IS Auditing and Risk Management

IS auditors may participate in assessing and controlling new systems and technologies that are emerging in the business world. By applying a risk and audit framework for assessment and control, new methods of systems planning, development, deployment and operation can be introduced in a relatively “safe” manner. Questions you may ask here:

- Has an overall risk assessment been performed on critical information assets? If so, how recently was it performed or updated?

- Have risks previously identified been corrected? Are there remaining vulnerabilities that have not been addressed?


Risk-based Auditing

When performing audit assignments, there are usually two different approaches: the checklist approach VS the risk-based approach.

Auditing using checklists is basically auditing without an appreciation of why the auditor is doing some particular task, and can be seen as auditing without an understanding of the risks involved in the business process.

On the other hand, with risk-based auditing, the auditor must have a thorough understanding of the business process as well as the risks and controls in the system for achieving the organization's goals. The risk-based audit plan is specifically tuned to spend more time on the areas of highest risk and greatest importance to the goals. Less time will be spent on areas of lower importance and lower risk.


Risk Management Readings

Below is a list of HIGHLY RECOMMENDED REFERENCE READINGS. I strongly recommend that you go through all of them:

The New Risk Management

http://www.intekworld.com/Newsletters/vol3/10oct04/riskmanagement.htm

Failure in Risk Management

http://www.findarticles.com/p/articles/mi_m3937/is_2000_Jan/ai_62197034

Assessing Internet Security Risk, Part One: What is Risk Assessment?

http://www.securityfocus.com/infocus/1591


Trends: Rethinking risks

http://www.cioinsight.com/article2/0,1397,1458270,00.asp?kc=CTNKT0209KTX1K0100481


Project Management

“Project Management is a decision-making and strategic risk. It is defined as the application of knowledge, skills, tools, and techniques to project activities in order to meet or exceed stakeholder needs and expectations from a project” [7].

Project Management defined

Project management is not simply a technical subject. Instead, it is a business one. It involves balancing the competing demands of:

- scope

- time

- cost

- quality

- different stakeholders

[7] http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditPage!OpenDocument


To be precise, Project Management is the defining, planning, scheduling, and controlling of the tasks that must be completed to reach your goal and the FAIR allocation of the resources to perform those tasks. On the other hand, a Project Performance audit is an audit for helping you to understand the current capability of your project management processes or staff, benchmark your business against best practice, and help you focus improvement to maximum effect.

Project Management and Audit

Remember, controlling the project is important because things never work out exactly as planned. To meet your goal, it's important that you be on top of changes. This is where the audit function fits in.

To truly appreciate the relationship between IS audit and Project Management, I recommend that you read the following REAL LIFE Project Management audit documents that have been used by real world government organizations / NGOs:


The Canadian Passport Office IRIS Project

http://www.ppt.gc.ca/publications/iris_oct99.aspx

Template - PM Audit Checklist

http://www.auditnet.org/docs/PM-AuditQuestionnaire.pdf#search='PROJECT%20MANAGEMENT%20AUDIT'

Also, read the following document in-depth. This is an excellent article that describes the complex relationship between Project Management, Risk Management and the Auditing function:

http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditE-businessrisksProjectMgmt!OpenDocument

By going through these documents, you will be able to tell exactly the role of the audit function in a project management context.


Change Management

Change Management Defined

You can think of Change Management as

- The task of managing change

- An area of professional practice

- A body of knowledge

One meaning of managing change refers to the making of changes in a planned, managed or systematic fashion, with the aim of more effectively implementing new methods and systems in an ongoing organization. These changes may be of the type over which the organization exercises little or no control, or of the type that is well planned.


As an “area of professional practice”, we see many independent consultants who acknowledge that they are change agents managing change for their clients, and that their practices are change management practices. Stemming from the view of change management as an area of professional practice, there arises the third definition: the subject matter of change management as a body of knowledge.

In fact, at the heart of change management is the change problem: some future state to be realized, some current state to be left behind, and some process for getting from the one to the other. At the conceptual level, the change problem is a matter of moving from one state to another. At the practical level, changes and the change problems they present are problems of adaptation, in that they require the organization to adjust itself to an ever-changing set of circumstances.

Change management auditing, with respect to the IT control environment within an organization, is aimed at limiting unauthorized changes and errors and disruption from changes to essential IT assets, including computer applications and system platforms. A change management control system is therefore made available for setting out procedures to analyze, implement, and review changes to information technology infrastructure.
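A change management control system of the kind described above is easiest to audit when the analyze, approve, test, implement and review steps are enforced by the record itself. The Python below is an added example, not the guide's or any product's code: a change request that only permits the allowed sequence of states, refuses approval by the requester (segregation of duties), requires test evidence before implementation, keeps an audit trail of every transition, and an auditor's check that replays a recorded trail looking for bypasses. The state names, roles and sample change are constructed.

```python
"""Added example: a minimal change control record with an auditor's replay check.

States, roles and the sample change are constructed for illustration.
"""
from dataclasses import dataclass, field


class ChangeControlError(Exception):
    """Raised when a transition would bypass a control."""


# Allowed state transitions; any other path is unauthorized.
TRANSITIONS = {
    "requested": {"analyzed"},
    "analyzed": {"approved", "rejected"},
    "approved": {"tested"},
    "tested": {"implemented"},
    "implemented": {"reviewed"},
}


@dataclass
class ChangeRequest:
    ident: str
    requester: str
    description: str
    state: str = "requested"
    history: list = field(default_factory=list)  # audit trail: (from, to, actor, note)

    def _move(self, new_state: str, actor: str, note: str = "") -> None:
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ChangeControlError(
                f"{self.ident}: {self.state} -> {new_state} is not a permitted transition")
        self.history.append((self.state, new_state, actor, note))
        self.state = new_state

    def analyze(self, analyst: str, impact: str) -> None:
        self._move("analyzed", analyst, impact)

    def approve(self, approver: str) -> None:
        # Segregation of duties: the requester may not approve their own change.
        if approver == self.requester:
            raise ChangeControlError(f"{self.ident}: requester cannot approve own change")
        self._move("approved", approver)

    def reject(self, approver: str, reason: str) -> None:
        self._move("rejected", approver, reason)

    def record_test(self, tester: str, evidence: str) -> None:
        if not evidence:
            raise ChangeControlError(f"{self.ident}: test evidence is required")
        self._move("tested", tester, evidence)

    def implement(self, implementer: str) -> None:
        self._move("implemented", implementer)

    def review(self, reviewer: str, outcome: str) -> None:
        self._move("reviewed", reviewer, outcome)


def audit_history(requester: str, history: list) -> list:
    """Auditor's replay of a recorded trail (e.g. exported from a ticketing tool).

    Returns findings; an empty list means the trail shows the controls were followed.
    """
    findings = []
    states = ["requested"] + [to for _, to, _, _ in history]
    approvers = [actor for _, to, actor, _ in history if to == "approved"]
    if "implemented" in states and "approved" not in states:
        findings.append("implemented without approval")
    if "implemented" in states and "tested" not in states:
        findings.append("implemented without test evidence")
    if requester in approvers:
        findings.append("requester approved own change")
    for frm, to, _, _ in history:
        if to not in TRANSITIONS.get(frm, set()):
            findings.append(f"out-of-sequence transition {frm} -> {to}")
    return findings


def sample_change() -> ChangeRequest:
    """Constructed change run through the full sequence."""
    cr = ChangeRequest("CR-0001", "a.user", "apply DBMS security patch to payroll server")
    cr.analyze("dba.lead", "impact: 30 min outage, rollback by snapshot")
    cr.approve("it.manager")
    cr.record_test("qa.tester", "patched in test environment, regression suite passed")
    cr.implement("dba.lead")
    cr.review("it.manager", "no incidents after 7 days")
    return cr


if __name__ == "__main__":
    cr = sample_change()
    print(cr.state, audit_history(cr.requester, cr.history))
    # A trail showing an emergency change pushed straight to production.
    print(audit_history("a.user", [("requested", "implemented", "a.user", "hotfix")]))
```

The replay check matters because the enforcing class only protects changes that went through it; changes made outside the system show up as trails that skip states, which is exactly what the auditor is looking for.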


Change Management strategies

Generally speaking, there is no single strategy with regard to change management. One may adopt a general or what is called a "grand strategy", but for any given initiative some mix of strategies is the best option.

Four strategies have been outlined in Fred Nickols’s article “Change Management 101”:


Strategy and description:

Rational-Empirical: People are rational and will follow their self-interest once it is revealed to them. Change is based on the communication of information and the proffering of incentives.

Normative-Reeducative: People are social beings and will adhere to cultural norms and values. Change is based on redefining and reinterpreting existing norms and values, and developing commitments to new ones.

Power-Coercive: People are basically compliant and will generally do what they are told or can be made to do. Change is based on the exercise of authority and the imposition of sanctions.

Environmental-Adaptive: People oppose loss and disruption but they adapt readily to new circumstances. Change is based on building a new organization and gradually transferring people from the old one to the new one.

The proper mix of strategies to be used can be determined by the following factors:

• Degree of resistance

• The stakes

• The time frame

• Expertise

• Dependency

Along the journey of making changes, there is a need to control the change process and the elements within it. Change control is often perceived as the part of the change management process where the audit function fits in.

Change Management VS Change Control VS Configuration Management

If we play with the textual definitions, one may argue that change management and change control are two totally different disciplines. In the field of project management there are differing understandings of these terms, and the problems are compounded where participants are unfamiliar with project work and do not recognize the implicit context.

The term Change Management is normally used to mean the achievement of change in human behavior as part of an overall business solution. The term Change Control, which is often itself referred to as "change management", refers to the management process for requesting, reviewing, approving, carrying out and controlling changes to the project's deliverables.

Change Control is usually applied once the first version of a deliverable has been completed and agreed.

Sometimes people associate Change Control with Configuration Management, which is the technical and administrative control of the multiple versions or editions of a specific deliverable (particularly where the component has been changed after it was initially completed):

“Configuration Management is the identification and maintenance of the configuration of a software product, throughout the product's life, and including both successive and parallel product versions, for the purpose of systematically controlling changes and thereby maintaining the product's integrity and traceability” [8].

Change Control

“Change Control is a technique for the management of modifications to existing application software. Compared with the reactive-ness of Incident Reporting, Change Control recognizes the need for adaptation to externally imposed change, and looks for opportunities for internally instigated change. It is concerned not only with adaptation of an application's existing functions, but also with its extension to include new functions” [9].

To see what change control looks like in practice, consider the following fragment of an audit report extracted from a real-world case:

[8] http://www.anu.edu.au/people/Roger.Clarke/SOS/ChgeCtl90.html

[9] Ibid.

Does the Department Adequately Manage the Maintenance and Updating of Its Critical Software?

Because of the dynamic nature of computer software, it's important to have a well organized system to manage the process of making changes. Large and complex computer programs are constantly in flux. As a result, computer programs remain works in progress long after they are put into daily use. However, if changes to the software aren't well organized and closely managed, the software can quickly become unreliable.

The Department places the responsibility for managing changes on the users, where it belongs. System changes are approved and monitored by several steering groups made up of users of the system from across the state, as well as representatives from the Department's programming staff. While programmers make the actual changes, users decide which changes need to be made and set priorities for the programmers.

Overall, the change control process needs to be better organized and documented. The system of user groups the Department uses to control the process is well designed. However, change control as a whole could be improved by adding more organization and better documentation. Specifically, the Department could improve its system by:

• developing written change control policies

• developing a policy requiring the system supervisor to approve in writing incorporation of software changes into the production software

• in the case of significant changes, requiring formal user acceptance tests before the final changes are allowed to be incorporated into the production software

• requiring staff to update user operation manuals when changes are made to the software

Change control is often perceived merely as a means of prolonging the life of an application. Increasingly, it must be a proactive measure driven by business needs and initiated by functional managers. The IS auditor helps to check whether the IS control mechanisms needed by the change control process are in place and are properly followed.

Refer to the summary below for several more related terms:

In the context of IT, the term configuration management (or configuration control) often refers to:

(i) the management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures and test documentation of an automated information system, throughout the development and operational life of the system; and

(ii) the control of changes, including the recording thereof, that are made to the hardware, software, firmware, and documentation throughout the system lifecycle.

Revision control (also known as version control) refers to the management of multiple revisions of the same unit of information. It is most commonly used in systems engineering and software development to manage ongoing development of digital documents such as application source code. Changes are identified by incrementing an associated number or letter code, termed the "revision number", "revision level", or simply "revision", and are associated historically with the person making the change.

Release Management is the discipline within software engineering of managing software releases. A release manager serves as a liaison between business units to guarantee smooth and timely delivery of software products or updates. The release manager also holds the keys to production systems and takes responsibility for their quality and availability.

Key points to follow:

• Prior to changes being applied to the live environment, change requests should be documented on a change request form and accepted only from authorized individuals. All changes must be approved by the application 'owner', and the possible impact of each change should be assessed in terms of overall risk and of its effect on other components of the application. Additionally, all changes should be tested and reviewed to ensure that they do not compromise security controls. Back-out positions should be established so that changes can be backed out if they fail.

• Application changes should be performed by individuals who are capable of making changes correctly and securely, and should be supervised by a specialist. Each change must also be signed off by the application owner.

• Arrangements should be made to ensure that once changes have been applied, version control is maintained and details of the changes are communicated to the relevant individuals. Additionally, checks must be performed on a regular basis to confirm that only intended changes have been made, for example by using code comparison programs or by checking the 'before and after' contents of key records such as those in customer master files.
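One concrete form of the "code comparison" check above is to record a hash manifest of the production code tree when a release is signed off and compare the tree against that manifest on a schedule. The following Python is an added example, not code from the guide or from any product; the directory layout, file contents and the "unintended" edit are constructed inline so the script runs offline.

```python
"""Detect unintended changes to a production code tree by comparing a
SHA-256 manifest taken at release sign-off against the tree as it is now.
Added example: the sample tree below is constructed for the demonstration."""
import hashlib
import os
import tempfile
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(approved: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference from the approved baseline.

    'modified' files exist in both but differ; 'added' files were never approved;
    'removed' files were approved but are gone.  Any non-empty list is a finding
    for the auditor unless a recorded, approved change request explains it."""
    modified = sorted(p for p in approved if p in current and approved[p] != current[p])
    added = sorted(p for p in current if p not in approved)
    removed = sorted(p for p in approved if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def write_tree(root: str, files: Dict[str, bytes]) -> None:
    """Helper to lay down constructed sample files under root."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Approved release, then an unapproved edit plus a stray file dropped into production."""
    release = {
        "app/billing.py": b"def rate(x):\n    return x * 1.05\n",
        "app/__init__.py": b"",
        "config/settings.ini": b"[db]\nhost=db01\n",
    }
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, release)
        approved = build_manifest(root)  # taken at release sign-off and stored securely
        # Later: someone changes the billing logic directly in production and
        # leaves a debug script behind.  Neither went through change control.
        write_tree(root, {
            "app/billing.py": b"def rate(x):\n    return x * 1.50\n",
            "app/debug_dump.py": b"print(open('config/settings.ini').read())\n",
        })
        current = build_manifest(root)
    return compare_manifests(approved, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest must itself be protected from the people who can change production code (store it under the change control function's ownership, or sign it); otherwise an unauthorized change can be hidden by regenerating the baseline.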

From a pure software development point of view, Release Management is closely related to Change Control.

Questions you may ask concerning configuration management:

• Does your organization have a configuration control plan?

• Does your organization have a configuration control function or the equivalent to direct activities in this area? If so, does the configuration control function approve and record all changes to hardware, software, and firmware?

• Does your organization have network and system diagrams and a list of all system resources?

• Are only authorized individuals allowed to move and install computer equipment?

Application Program Development

Basic knowledge of database systems, data modeling, procedural programming and object-oriented programming is required under this knowledge domain.

Security is an issue that must be addressed in each phase of the development effort, not just at the end of development. Separation of duties therefore has to be practiced at all times, and a programmer should never have direct access to code that is in production. Remember, for exam purposes separation of duties is always the correct answer!

General guidelines

Program development security is particularly important when proprietary software is under development. The general guidelines are:

• Allow only the applications programmers to have access to application programs under development, and nothing else.

• Allow only systems programmers to have access to system programs under development, and nothing else.

• Allow only librarians to have write access to system and application libraries, and nothing else.

• Allow access to live data only through programs that are in the application libraries, and nothing else.

• Proper change controls must be in place if changes to program code are regularly required.

System change control

Changes must be authorized, tested and recorded. Changes can be approved only if they do not reduce the security level of the system.

The change control sub-phases include:

- Request control

- Change control

- Release control

The change control process includes the following steps:

- Make a formal request of change

- Analyze the request

- Record the change request

- Submit the change request for approval

- Develop the change
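The steps above, together with the earlier requirements that changes be authorized, tested and recorded and that programmers never move their own code into production, can be enforced as a state machine rather than left to procedure. The following Python is an added example, not the guide's own procedure or any product's API: it follows the request, analyze, record, approve, develop sequence listed above and adds explicit test and release steps, and the role and user names are hypothetical.

```python
"""Change-control workflow with separation-of-duties checks enforced at each
transition.  Added example; states follow the guide's steps plus test and
release, and all user/role names are hypothetical."""
from dataclasses import dataclass, field
from typing import List, Optional

# Ordered states; a change may only move to the next one, never skip ahead.
STATES = ["requested", "analyzed", "recorded", "approved", "developed", "tested", "released"]


class ChangeControlError(Exception):
    """Raised when a transition would violate the control procedure."""


@dataclass
class ChangeRequest:
    change_id: str
    requester: str
    description: str
    state: str = "requested"
    approver: Optional[str] = None
    developer: Optional[str] = None
    backout_plan: Optional[str] = None
    log: List[str] = field(default_factory=list)  # the recorded audit trail

    def _advance(self, expected: str, actor: str, action: str) -> None:
        """Move to the next state only from the expected one, and record who did it."""
        if self.state != expected:
            raise ChangeControlError(
                f"{self.change_id}: cannot {action} while in state '{self.state}'")
        self.state = STATES[STATES.index(expected) + 1]
        self.log.append(f"{action} by {actor}")

    def analyze(self, analyst: str, impact: str) -> None:
        self._advance("requested", analyst, f"analyze (impact: {impact})")

    def record(self, clerk: str) -> None:
        self._advance("analyzed", clerk, "record")

    def approve(self, owner: str, backout_plan: str) -> None:
        """Approval by the application owner; the requester may not approve their own change,
        and no change is approved without a back-out position."""
        if owner == self.requester:
            raise ChangeControlError("requester may not approve their own change")
        if not backout_plan:
            raise ChangeControlError("no back-out position established")
        self.approver, self.backout_plan = owner, backout_plan
        self._advance("recorded", owner, "approve")

    def develop(self, developer: str) -> None:
        self.developer = developer
        self._advance("approved", developer, "develop")

    def test(self, tester: str, passed: bool) -> None:
        if not passed:
            raise ChangeControlError("test failed: execute the back-out plan, do not release")
        self._advance("developed", tester, "test")

    def release(self, releaser: str) -> None:
        """Only the librarian/release function moves code into production, never its developer."""
        if releaser == self.developer:
            raise ChangeControlError("developer may not move their own code into production")
        self._advance("tested", releaser, "release")


def run_happy_path() -> ChangeRequest:
    """Constructed walk-through of a compliant change."""
    cr = ChangeRequest("CR-1", requester="finance_user", description="fix VAT rounding")
    cr.analyze("analyst", impact="low")
    cr.record("change_clerk")
    cr.approve("app_owner", backout_plan="redeploy release 4.2.1")
    cr.develop("dev_bob")
    cr.test("uat_team", passed=True)
    cr.release("librarian")
    return cr


if __name__ == "__main__":
    done = run_happy_path()
    print(done.state, done.log)
```

An attempt to develop before approval, to approve one's own request, or to release one's own code raises ChangeControlError and leaves the state unchanged, so the log only ever records transitions that satisfied the procedure.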

Software development processes and models

System development life cycle (SDLC) refers to the process of developing information systems through investigation, analysis, design, implementation and maintenance. It is a systems approach to problem solving and is made up of several phases, including:

• Software concept

• Requirements analysis

• Architectural design

• Coding and debugging

• System testing

The Waterfall Model as a popular version of the systems development life cycle model for software engineering includes the following phases:

- System requirements

- Software requirements

- Analysis

- Program design

- Coding

- Testing

- Operations & Maintenance

The waterfall model describes a development method that is linear and sequential. It offers distinct goals for each phase of development. The advantage is that it allows for departmentalization and managerial control. For example, a schedule can be set with deadlines for each stage of development and a product can proceed through the development process step by step without much complexity. The disadvantage is that it does not allow for much reflection or revision. This means that once an application is in the testing stage, it is very difficult to go back and change something that was not well thought out in the concept stage.

The spiral model is a development model that combines elements of both design and prototyping-in-stages in an effort to combine advantages of both the top-down approach and the bottom-up methodology. Under this model, each phase starts with a design goal and ends with the client reviewing the progress thus far. Analysis and engineering efforts are applied at each phase of the project, with an eye toward the overall end goal of the project.

The Chaos model is a structure of software development that extends the spiral model and the waterfall model. It notes that the phases of the life cycle apply to all levels of projects, from the whole project to individual lines of code. In fact, this model has several tie-ins with the chaos theory:

• It helps explain why software is so unpredictable.

• It explains why high-level concepts like architecture cannot be treated independently of low-level lines of code.

• It provides a hook for explaining what to do next in terms of the chaos strategy.

Buy VS Make: Acquisition Management Methods

It is very common for an organization to purchase off-the-shelf or tailor-made software from outside. Because of this, it is important to investigate the acquisition process used by the organization to confirm that it complies with the defined security guidelines and procedures. Part of the contract/outsourcing process should include making sure that the vendor's service levels, including those for security, are spelled out satisfactorily. A recommended approach is to devise an evaluation matrix that lists the requirements of the organization and rates each service provider on how well it achieves each requirement.

If acquisition is conducted through bidding, certain controls of the bidding process should be in place. Here are the general guidelines:

• A formal bidding process should be open and fair, encourage competition, and provide the purchasing entity with the best product at the lowest possible price.

• Develop a checklist for the review of various requirements for formal bids, including insurance, bonding, specifications, and evaluation and award.

• Establish a system to monitor compliance with the bid tabulation procedure, including the rules and controls for accepting bid changes after the bids are opened.

• Develop and implement an effective filing system for bid files.

• Require that all purchase specifications clearly state the bid evaluation criteria and ascertain that the staff use only the evaluation criteria included in the purchase specifications.

• Criteria for bids should be laid out in the request for proposal.

• A formal bidders list should be maintained.

• Bids should be opened and recorded by someone not involved in the bid evaluation process. Retain the bid envelope that shows the dates and times of bid receipt and opening, and file it with the other bid documents.

Technical Readings

There are 5 sections included in this part of the study guide. They cover the majority of technical topics that will be tested in the CISA/CISM exams. By going through all of them you can be reasonably assured of your readiness for the real exam.

• Section 1: Topics on security theory.

• Section 2: Topics on hacking, attacking, defending and auditing.

• Section 3: Topics on encryption and VPN.

• Section 4: Topics on responding to attacks.

• Section 5: Topics on viruses.

As a reminder: Biometrics is an important topic. Check out the various forms of biometrics technology described in this web page: http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm . Know their drawbacks and their impacts.

Copyright 2005/06. All rights reserved. 1

Technical Readings

for CISA/CISM candidates

Covering the technical elements of the 2005/06 objectives


What is included? cont’d

Basically, we did all the homework for you! We:

• reviewed the major preparation products available in the market and identified the missing critical information

• collected and summarized these missing pieces and present them to you in an easy-to-follow style

Before you begin…

• Make sure you have enough time: based on past experience, it takes an average student at least 3 full days to go through all the sections.

Before you begin…

Copyright Information

• Some contents of this product are extracted and recompiled from the Linux Security HOWTO documents, which are copyrighted by Kevin Fenzi and Dave Wreski and distributed under the following terms: Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium, physical or electronic, as long as this copyright notice is retained on all copies. All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents are covered under this copyright notice.

• Information presented in this product is platform independent. Content has been modified to fulfill the purpose of this product.

Section 1

Security Theory

Section 1 – Issue 1

Why Do We Need Security?

• In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure. As your data goes from point A to point B on the Internet, for example, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, it. Even other users on your system may maliciously transform your data into something you did not intend.

• Unauthorized access to your system may be obtained by intruders, also known as "crackers", who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources.

Section 1 – Issue 2

How Secure Is Secure?

• First, keep in mind that no computer system can ever be completely secure. All you can do is make it increasingly difficult for someone to compromise your system. For the average home user, not much is required to keep the casual cracker at bay. However, for high-profile users (banks, telecommunications companies, etc.), much more work is required.

Section 1 – Issue 2 cont’d

How Secure Is Secure?

• Another factor to take into account is that the more secure your system is, the more intrusive your security becomes. You need to decide where in this balancing act your system will still be usable, and yet secure for your purposes. For instance, you could require everyone dialing into your system to use a call-back modem to call them back at their home number. This is more secure, but if someone is not at home, it makes it difficult for them to log in. You could also set up your system with no network or connection to the Internet, but this limits its usefulness.

Section 1 – Issue 2 cont’d

• If you are a medium to large-sized site, you should establish a security policy stating how much security is required by your site and what auditing is in place to check it.

Section 1 – Issue 3

What Are You Trying to Protect?

• Before you attempt to secure your system, you should determine what level of threat you have to protect against, what risks you should or should not take, and how vulnerable your system is as a result. You should analyze your system to know what you're protecting, why you're protecting it, what value it has, and who has responsibility for your data and other assets.

Section 1 – Issue 3 cont’d

• Risk is the possibility that an intruder may be successful in attempting to access your computer. Can an intruder read or write files, or execute programs that could cause damage? Can they delete critical data? Can they prevent you or your company from getting important work done? Don't forget: someone gaining access to your account, or your system, can also impersonate you. Additionally, having one insecure account on your system can result in your entire network being compromised. If you allow a single user to log in using a .rhosts file, or to use an insecure service such as tftp, you risk an intruder getting 'his foot in the door'. Once the intruder has a user account on your system, or someone else's system, it can be used to gain access to another system, or another account.

• Threat typically comes from someone with motivation to gain unauthorized access to your network or computer. You must decide whom you trust to have access to your system, and what threat they could pose.

Section 1 – Issue 4

Types of intruders:

• The Curious: this type of intruder is basically interested in finding out what type of system and data you have.

• The Malicious: this type of intruder is out to either bring down your systems, deface your web page, or otherwise force you to spend time and money recovering from the damage he has caused.

• The High-Profile Intruder: this type of intruder is trying to use your system to gain popularity and infamy. He might use your high-profile system to advertise his abilities.

Section 1 – Issue 4 cont’d

• The Competition: this type of intruder is interested in what data you have on your system. It might be someone who thinks you have something that could benefit him, financially or otherwise.

• The Borrowers: this type of intruder is interested in setting up shop on your system and using its resources for their own purposes. He typically will run chat or IRC servers, porn archive sites, or even DNS servers.

• The Leapfrogger: this type of intruder is only interested in your system to use it to get into other systems. If your system is well-connected or a gateway to a number of internal hosts, you may well see this type trying to compromise your system.

Section 1 – Issue 5

Vulnerability

• Vulnerability describes how well protected your computer is from another network, and the potential for someone to gain unauthorized access. What's at stake if someone breaks into your system? Of course the concerns of a dynamic PPP home user will be different from those of a company connecting their machine to the Internet, or another large network.

• How much time would it take to retrieve or recreate any data that was lost? An initial time investment now can save ten times more time later if you have to recreate data that was lost. Have you checked your backup strategy, and verified your data lately?

Section 1 – Issue 6

Developing A Security Policy

• Create a simple, generic policy for your system that your users can readily understand and follow. It should protect the data you're safeguarding as well as the privacy of the users. Some things to consider adding are: who has access to the system (Can my friend use my account?), who's allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system.

Section 1 – Issue 6 cont’d

• A generally accepted security policy starts with the phrase "That which is not permitted is prohibited". This means that unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access. Make sure the policies work on your regular user account. Saying, "Ah, I can't figure out this permissions problem, I'll just do it as root" can lead to security holes that are very obvious, and even ones that haven't been exploited yet.

• rfc1244 is a document that describes how to create your own network security policy.

• rfc1281 is a document that shows an example security policy with detailed descriptions of each step.

• Finally, you might want to look at the COAST policy archive at ftp://coast.cs.purdue.edu/pub/doc/policy to see what a real-life security policy looks like. There are policy files for public download.
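The difference between "that which is not permitted is prohibited" and its opposite shows up most clearly when a request arrives that nobody wrote a rule for. The following Python is an added example (not from the HOWTO text or the guide) that evaluates the same constructed requests against a default-deny allowlist and against a default-allow blocklist; the users, groups, hosts and services are hypothetical.

```python
"""Default-deny access policy contrasted with a default-allow blocklist.
Added example; users, groups, hosts and requests are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    principal: str          # a user name, or "group:<name>"
    service: str            # e.g. "ssh", "smtp", "tftp"
    hosts: FrozenSet[str]   # hosts on which the service is covered by this rule


# Constructed directory: which users belong to which groups.
GROUPS: Dict[str, FrozenSet[str]] = {
    "admins": frozenset({"alice"}),
    "devs": frozenset({"bob", "carol"}),
}


def principals_for(user: str) -> FrozenSet[str]:
    """The user's own name plus every group membership, in rule syntax."""
    names = {user}
    names.update(f"group:{g}" for g, members in GROUPS.items() if user in members)
    return frozenset(names)


def matches(rule: Rule, user: str, service: str, host: str) -> bool:
    return (rule.principal in principals_for(user)
            and rule.service == service
            and host in rule.hosts)


# Policy A: explicit grants only.  Anything not listed here is prohibited.
ALLOW_RULES: List[Rule] = [
    Rule("group:admins", "ssh", frozenset({"web01", "db01"})),
    Rule("group:devs", "ssh", frozenset({"web01"})),
    Rule("carol", "smtp", frozenset({"mail01"})),
]


def permitted_default_deny(user: str, service: str, host: str) -> bool:
    """Permit only on an explicit allow match; the fall-through is deny."""
    return any(matches(r, user, service, host) for r in ALLOW_RULES)


# Policy B (the weaker alternative): explicit denials only.  Anything the
# administrator did not foresee, such as a new user or an insecure service
# nobody asked about, is permitted.
DENY_RULES: List[Rule] = [
    Rule("group:devs", "ssh", frozenset({"db01"})),
    Rule("bob", "tftp", frozenset({"web01", "db01"})),
]


def permitted_default_allow(user: str, service: str, host: str) -> bool:
    """Deny only on an explicit deny match; the fall-through is allow."""
    return not any(matches(r, user, service, host) for r in DENY_RULES)


# Constructed access requests: (user, service, host).
REQUESTS: List[Tuple[str, str, str]] = [
    ("alice", "ssh", "db01"),    # admin reaching the database host
    ("bob", "ssh", "db01"),      # developer reaching the database host
    ("carol", "tftp", "web01"),  # insecure service nobody wrote a rule for
    ("dave", "ssh", "web01"),    # user who appears in no rule at all
]


def compare_policies() -> List[Tuple[str, str, str, bool, bool]]:
    """Per request: (user, service, host, default-deny decision, default-allow decision)."""
    return [(u, s, h, permitted_default_deny(u, s, h), permitted_default_allow(u, s, h))
            for u, s, h in REQUESTS]


if __name__ == "__main__":
    print("user    service host   default-deny default-allow")
    for u, s, h, deny_pol, allow_pol in compare_policies():
        print(f"{u:7} {s:7} {h:6} {deny_pol!s:12} {allow_pol!s}")
```

Both policies agree on the cases the administrator thought about (alice on db01, bob on db01). They diverge on carol using tftp and on the unknown user dave: the allowlist refuses both until someone deliberately grants access, the blocklist lets both through, which is exactly the gap the HOWTO's phrase is meant to close.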

Section 1 – Issue 7

Means of Securing Your Site

• What would happen to your reputation if an intruder deleted some of your users' data? Or defaced your web site? Or published your company's corporate project plan for next quarter? If you are planning a network installation, there are many factors you must take into account before adding a single machine to your network.

• Even if you have a single dialup PPP account, or just a small site, this does not mean intruders won't be interested in your systems. Large, high-profile sites are not the only targets; many intruders simply want to exploit as many sites as possible, regardless of their size. Additionally, they may use a security hole in your site to gain access to other sites you're connected to.

• Intruders have a lot of time on their hands, and can avoid guessing how you've obscured your system just by trying all the possibilities. There are also a number of reasons an intruder may be interested in your systems, which we will discuss later.

Section 1 – Issue 8

Host Security

• Perhaps the area of security on which administrators concentrate most is host-based security. This typically involves making sure your own system is secure, and hoping everyone else on your network does the same. Choosing good passwords, securing your host's local network services, keeping good accounting records, and upgrading programs with known security exploits are among the things the local security administrator is responsible for doing. Although this is absolutely necessary, it can become a daunting task once your network becomes larger than a few machines.

Section 1 – Issue 9

Local Network Security

• Network security is as necessary as local host security. With hundreds, thousands, or more computers on the same network, you can't rely on each one of those systems being secure. Ensuring that only authorized users can use your network, building firewalls, using strong encryption, and ensuring there are no "rogue" (that is, unsecured) machines on your network are all part of the network security administrator's duties.

Section 1 – Issue 10

Security Through Obscurity

• One type of security that must be discussed is "security through obscurity". This means, for example, moving a service that has known security vulnerabilities to a non-standard port in hopes that attackers won't notice it's there and thus won't exploit it. Rest assured that they can determine that it's there and will exploit it. Security through obscurity is no security at all. Simply because you may have a small site, or a relatively low profile, does not mean an intruder won't be interested in what you have.

Section 1 – Issue 11

Physical Security

• The first layer of security you need to take into account is the physical security of your computer systems. Who has direct physical access to your machine? Should they? Can you protect your machine from their tampering? Should you?

• How much physical security you need on your system is very dependent on your situation, and/or budget.

Section 1 – Issue 11 cont’d

• If you are a home user, you probably don't need a lot (although you might need to protect your machine from tampering by children or annoying relatives). If you are in a lab, you need considerably more, but users will still need to be able to get work done on the machines. Many of the following sections will help out. If you are in an office, you may or may not need to secure your machine off-hours or while you are away. At some companies, leaving your console unsecured is a termination offense.

• Obvious physical security methods such as locks on doors, cables, locked cabinets, and video surveillance are all good ideas, but beyond the scope of this document.

Section 1 – Issue 12

- Computer locks
  - Many modern PC cases include a "locking" feature. Usually this will be a socket on the front of the case that allows you to turn an included key to a locked or unlocked position. Case locks can help prevent someone from stealing your PC, or opening up the case and directly manipulating/stealing your hardware. They can also sometimes prevent someone from rebooting your computer from their own floppy or other hardware.

Section 1 – Issue 12 cont’d

  - These case locks do different things according to the support in the motherboard and how the case is constructed. On many PCs they make it so you have to break the case to get the case open. On some others, they will not let you plug in new keyboards or mice. Check your motherboard or case instructions for more information. This can sometimes be a very useful feature, even though the locks are usually very low-quality and can easily be defeated by attackers with locksmithing skills.
  - Some machines (most notably SPARCs and Macs) have a dongle on the back that, if you put a cable through it, forces attackers to cut the cable or break the case to get into the machine. Just putting a padlock or combination lock through these can be a good deterrent to someone stealing your machine.

Section 2

Hacking, attacking, defending and auditing

Section 2 – Issue 1

- To be able to defend and audit, you should know how to hack (think like a hacker).

Section 2 – Issue 2

- Packet Sniffers
  - One of the most common ways intruders gain access to more systems on your network is by employing a packet sniffer on an already compromised host. This "sniffer" just listens on the Ethernet port for things like passwd, login and su in the packet stream and then logs the traffic after that. This way, attackers gain passwords for systems they are not even attempting to break into. Clear-text passwords are very vulnerable to this attack.
  - Example: Host A has been compromised. The attacker installs a sniffer. The sniffer picks up the admin logging into Host B from Host C. It gets the admin's personal password as they log in to B. Then the admin does a su to fix a problem. The attacker now has the root password for Host B. Later the admin lets someone telnet from his account to Host Z on another site. Now the attacker has a password/login on Host Z.

Section 2 – Issue 2 cont’d

  - In this day and age, the attacker doesn't even need to compromise a system to do this: they could also bring a laptop or PC into a building and tap into your net.
  - Using ssh or other encrypted password methods thwarts this attack. Things like APOP for POP accounts also prevent this attack. (Normal POP logins are very vulnerable to this, as is anything that sends clear-text passwords over the network.)

Section 2 – Issue 3

- SATAN, ISS, and Other Network Scanners
  - There are a number of different software packages out there that do port- and service-based scanning of machines or networks. SATAN, ISS, SAINT, and Nessus are some of the more well-known ones. This software connects to the target machine (or all the target machines on a network) on all the ports it can, and tries to determine what service is running there. Based on this information, you can tell if the machine is vulnerable to a specific exploit on that server.
- SATAN (Security Administrator's Tool for Analyzing Networks) is a port scanner with a web interface. It can be configured to do light, medium, or strong checks on a machine or a network of machines. It's a good idea to get SATAN and scan your machine or network, and fix the problems it finds. Make sure you get the copy of SATAN from metalab or a reputable FTP or web site. There was a Trojan copy of SATAN that was distributed out on the net. Note that SATAN has not been updated in quite a while, and some of the other tools below might do a better job.

Section 2 – Issue 3 cont’d

- ISS (Internet Security Scanner) is another port-based scanner. It is faster than SATAN, and thus might be better for large networks. However, SATAN tends to provide more information.
- Abacus is a suite of tools developed by Psionic to provide host-based security and intrusion detection.

Section 2 – Issue 3 cont’d

- SAINT is an updated version of SATAN. It is web-based and has many more up-to-date tests than SATAN.
- Nessus is a free security scanner. It has a graphical interface for ease of use. It is also designed with a very nice plugin setup for newly updated port-scanning tests.

Section 2 – Issue 3 cont’d

- Security scanners are often used in the process of security auditing as well as footprinting.
  - Footprinting is the first step in a hacker's information gathering: to perform a successful attack, one needs to gather information on all aspects of the prospective target organization's security posture, the profile of its intranet, its remote access capabilities, and its intranet/extranet presence, etc.

Section 2 – Issue 3 cont’d

- Footprinting relies on information gathering. These are popular sources of such information:
  - American Registry for Internet Numbers
  - CERT®/CC Finding Site Contacts
  - InterNIC
  - Network Operations Centers List
  - Network Solutions
  - US Securities and Exchange Commission
  - Enumeration is also an information gathering technique, but an intrusive one!
    - It is the process of extracting valid user accounts, poorly protected file shares or other resources from a target system.
    - This process is usually logged.

Section 2 – Issue 3 cont’d

  - Security auditing performed before anything has happened typically involves the use of security scanners and other tools to test the security level of the network.

Section 2 – Issue 3 cont’d

  - Security auditing performed after things have gone wrong typically involves the examination of the audit trail.
    - However, the presence of rootkits and track-covering tools may hinder this process.
  - Rootkits are tools used by hackers to hide their presence on compromised systems. They are mostly collections of trojaned binaries that replace the common commands.
  - Track-covering tools can wipe out the audit logs. Examples include Wipe and Zap.

Section 2 – Issue 4

- Detecting Port Scans
  - There are some tools designed to alert you to probes by SATAN and ISS and other scanning software. However, if you liberally use tcp_wrappers, and look over your log files regularly, you should be able to notice such probes. Even on the lowest setting, SATAN still leaves traces in the logs on a stock Red Hat system.
  - There are also "stealth" port scanners. A packet with the TCP ACK bit set (as is done with established connections) will likely get through a packet-filtering firewall. The returned RST packet from a port that _had no established session_ can be taken as proof of life on that port. I don't think TCP wrappers will detect this.

Section 2 – Issue 5

- Denial of Service Attacks
  - A "Denial of Service" (DoS) attack is one where the attacker tries to make some resource too busy to answer legitimate requests, or to deny legitimate users access to your machine.
  - Denial of service attacks have increased greatly in recent years.

Section 2 – Issue 5 cont’d

  - There is no fixed format of DoS. In fact, there are many types of DoS attacks based on many different methods. A denial of service attack can be based on crashing routers, which makes a network inaccessible; crashing DNS servers, which prevents the use of domain names; congesting hosts with requests; etc. It can be anything that stops things from working.
  - A DoS attack is ALWAYS used in conjunction with another attack.

Section 2 – Issue 5 cont’d

  - SYN Flooding - SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are created.
    - Sometimes known as Synk4.
    - Systems which fall prey to the SYN flooding attack will have difficulty accepting any new incoming network connections. Therefore, legitimate users attempting to connect to the server will not be able to do so.

Section 2 – Issue 5 cont’d

  - Pentium "F00F" Bug - It was recently discovered that a particular sequence of machine instructions sent to a genuine Intel Pentium processor would reboot the machine. This affects every machine with a Pentium processor (not clones, not Pentium Pro or PII), no matter what operating system it's running.

Section 2 – Issue 5 cont’d

  - Ping Flooding / Smurf / Fraggle - Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network.
    - A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably.
    - Smurf attacks are network amplification attacks.
    - The Fraggle attack is similar to the Smurf attack except that it uses UDP echo packets, not ICMP echoes.

Section 2 – Issue 5 cont’d

  - Ping o' Death - The Ping o' Death attack sends ICMP ECHO REQUEST packets that are too large to fit in the kernel data structures intended to store them. Because sending a single, large (65,510 bytes) "ping" packet to many systems will cause them to hang or even crash, this problem was quickly dubbed the "Ping o' Death." This one has long been fixed, and is no longer anything to worry about.
  - Teardrop / New Tear - One of the most recent exploits involves a bug present in the IP fragmentation code on Linux and Windows platforms.
    - Teardrop is an attack that exploits the vulnerability found in some implementations of packet reassembly.
    - New Tear is a new teardrop-type exploit which mainly affects NT4 and Win95.

Section 2 – Issue 5 cont’d

  - Land / LaTierra - The Land attack uses IP spoofing in combination with the opening of a TCP connection. Both the source and destination IP addresses are modified to be the same: the address of the destination host. This misleads the machine into continuing to send ACK packets and thus remaining in a loop. The LaTierra attack is similar except that LaTierra sends the TCP packet to more than one port and more than once.

Section 2 – Issue 5 cont’d

  - Blast - a small and quick TCP service stress test tool that can spot potential weaknesses in your network servers.
    - It can also be used as a tool for generating a DoS attack!
  - Bonk - an attack that modifies the fragment offset.
    - Also known as "teardrop reversed".

Section 2 – Issue 5 cont’d

- There are many ways to protect oneself against DoS attacks. The most popular ways are:
  - patching the networking code of the OS kernel
  - configuring the network with protective devices such as firewalls.

Section 2 – Issue 6

- Firewalls
  - Firewalls are a means of controlling what information is allowed into and out of your local network. Typically the firewall host is connected to the Internet and your local LAN, and the only access from your LAN to the Internet is through the firewall. This way the firewall can control what passes back and forth between the Internet and your LAN.

Section 2 – Issue 6 cont’d

  - There are a number of types of firewalls and methods of setting them up.
    - Linux machines make pretty good firewalls. Firewall code can be built right into 2.0 and higher kernels. The user-space tools ipfwadm for 2.0 kernels and ipchains for 2.2 kernels allow you to change, on the fly, the types of network traffic you allow. You can also log particular types of network traffic.
    - Windows 2000 provides simple packet filtering functions.
    - Windows XP provides Internet Connection Firewall.

Section 2 – Issue 6 cont’d

- Webopedia classifies firewall techniques as below: "
  - Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
  - Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
  - Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
  - Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses."

Section 2 – Issue 6 cont’d

  - The National Institute of Standards and Technology has put together an excellent document on firewalls. Although dated 1995, it is still quite good (http://csrc.nist.gov/).

Section 2 – Issue 7

- BIOS Security
  - The BIOS is the lowest level of software that configures or manipulates your x86-based hardware. All boot methods access the BIOS to determine how to boot up your machine. Other hardware has similar software (OpenFirmware on Macs and new Suns, Sun boot PROM, etc.). You can use your BIOS to prevent attackers from rebooting your machine and manipulating your system.
  - Many PC BIOSes let you set a boot password. This doesn't provide all that much security (the BIOS can be reset, or removed if someone can get into the case), but might be a good deterrent (i.e. it will take time and leave traces of tampering). This might slow attackers down.

Section 2 – Issue 7 cont’d

  - Many x86 BIOSes also allow you to specify various other good security settings. Check your BIOS manual or look at it the next time you boot up. For example, some BIOSes disallow booting from floppy drives and some require passwords to access some BIOS features.
  - Note: If you have a server machine, and you set up a boot password, your machine will not boot up unattended. Keep in mind that you will need to come in and supply the password in the event of a power failure.

Section 2 – Issue 8

- DLL Injection
  - A method of inserting malicious code into another running process so that access to some otherwise restricted piece of information is possible.

Section 2 – Issue 9

- Back Door
  - An easy route back into an already compromised system that was put in place by the current attacker or a previous attacker. It may be a program that binds itself to a specific port and listens for the attacker to connect to it, or a pre-tested exploit that is configured by the attacker for future reuse.

Section 2 – Issue 10

- Privilege escalation
  - The stage of penetration that occurs AFTER an attacker has already gained access to a system.
  - It aims at gaining administrator-level privileges on the system.

Section 2 – Issue 11

- War dialing
  - An attack through the phone system.
  - War dialers were originally developed by and for phone phreaks seeking free long-distance service.
    - They are well suited to the task of scanning for and finding modems for possible network entry.
    - Examples include:
      - Telesweep Secure
      - PhoneSweep
      - THC-Scan

Section 2 – Issue 12

- Purloining and Pilfering
  - Often referred to as image and bandwidth theft.
  - Digital watermarking is one way to protect against image theft.

Section 3

Encryption and VPN

Section 3 – Issue 1

- VPNs - Virtual Private Networks
  - VPNs are a way to establish a "virtual" network on top of some already-existing network. This virtual network is often encrypted and passes traffic only to and from some known entities that have joined the network. VPNs are often used to connect someone working at home over the public Internet to an internal company network.
  - VPNs use authenticated links to ensure that only authorized users can connect to your network, and they use encryption to ensure that data that travels over the Internet can't be intercepted and used by others. VPN technology also allows a corporation to connect to its branch offices or to other companies over a public network while maintaining secure communications.
  - In Windows 2000, VPNs are built using PPTP or L2TP.

Section 3 – Issue 1 cont’d

- Point-to-Point Tunneling Protocol (PPTP) provides data encryption using Microsoft Point-to-Point Encryption.
- Layer Two Tunneling Protocol (L2TP) provides data encryption, authentication, and integrity using IPSec.
  - PPTP is suitable for non-Windows 2000 computers.
  - L2TP is suitable for Windows 2000 or Windows XP clients.
- If you want to try out configuring a VPN with Windows 2000, read the MS KB article 308208.

Section 3 – Issue 2

- According to Webopedia, "As the Internet and other forms of electronic communication become more prevalent, electronic security is becoming increasingly important. Cryptography is used to protect e-mail messages, credit card information, and corporate data. One of the most popular cryptography systems used on the Internet is Pretty Good Privacy because it's effective and free. Cryptography systems can be broadly classified into symmetric-key systems that use a single key that both the sender and recipient have, and public-key systems that use two keys, a public key known to everyone and a private key that only the recipient of messages uses."

Section 3 – Issue 3

- CA
  - Certification authorities are responsible for managing certificate requests and issuing certificates to participating IPSec network peers. These services provide centralized key management for the participating peers and simplify administration.

Section 3 – Issue 4

- Digital signatures
  - Digital signatures are enabled by public key cryptography and provide a means to digitally authenticate devices and individual users.
  - In public key cryptography, each user has a key pair containing both a public and a private key. Anything encrypted with one of the keys can be decrypted with the other.
  - In simple terms, a signature is formed when data is encrypted with a user's private key. The receiver verifies the signature by decrypting the message with the sender's public key.
  - The fact that the message could be decrypted using the sender's public key shows that the holder of the private key must have created the message.

Section 3 – Issue 4 cont’d

  - How can you know with a high degree of certainty that a public key really does belong to the sender, and not to someone pretending to be the sender?
    - Use digital certificates. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department or IP address. It also contains a copy of the entity's public key.

Section 3 – Issue 4 cont’d

- Since the certificate is itself signed by a certification authority, it is trustworthy.
- To be able to validate the CA's signature, the receiver must know the CA's public key. This is usually handled out-of-band or through an operation done at installation.
  - Without digital signatures, one must manually exchange public keys or secrets between each pair of peers that use IPSec to protect communications between them.
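The sign/verify and CA-signed certificate flow described on the two slides above, as an added example that is not part of the study guide or of any vendor's code. It uses textbook RSA over small Mersenne-prime moduli so it runs without a crypto library; the party names, moduli and the certificate body format are constructed for illustration and the CA's public key is assumed to be known out-of-band, as the slide says.

```python
"""Toy RSA digital signatures plus a CA-signed certificate (added example)."""
import hashlib
from dataclasses import dataclass

E = 65537  # conventional public exponent


@dataclass(frozen=True)
class PublicKey:
    e: int
    n: int


@dataclass(frozen=True)
class KeyPair:
    public: PublicKey
    d: int  # private exponent; only the owner ever holds it


def make_keypair(p: int, q: int) -> KeyPair:
    """Textbook RSA key generation from two primes (assumed prime, not checked)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # d * E == 1 (mod phi); needs Python 3.8+
    return KeyPair(PublicKey(E, n), d)


def digest(data: bytes, n: int) -> int:
    """Sign the hash, not the raw data; reduce mod n so it fits the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: KeyPair, data: bytes) -> int:
    # "Encrypt" the hash with the private key, as the slide puts it.
    return pow(digest(data, key.public.n), key.d, key.public.n)


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    # "Decrypt" with the public key; a match proves the private-key holder signed it.
    return pow(sig, pub.e, pub.n) == digest(data, pub.n)


@dataclass(frozen=True)
class Certificate:
    subject: str      # who the CA says this key belongs to
    key: PublicKey    # the subject's public key
    ca_sig: int       # the CA's signature over subject + key

    def body(self) -> bytes:
        # Constructed wire format for the signed part (real certificates use X.509).
        return f"{self.subject}|{self.key.e}|{self.key.n}".encode()


def issue_certificate(ca: KeyPair, subject: str, key: PublicKey) -> Certificate:
    unsigned = Certificate(subject, key, 0)
    return Certificate(subject, key, sign(ca, unsigned.body()))


def verify_certificate(ca_pub: PublicKey, cert: Certificate) -> bool:
    """The receiver knows ca_pub out-of-band (e.g. installed with the software)."""
    return verify(ca_pub, cert.body(), cert.ca_sig)


def verify_signed_message(ca_pub: PublicKey, cert: Certificate, sender: str,
                          data: bytes, sig: int) -> bool:
    """Full receiver check: the cert is CA-signed, names the claimed sender,
    and the message signature verifies under the key the cert carries."""
    return (cert.subject == sender
            and verify_certificate(ca_pub, cert)
            and verify(cert.key, data, sig))


def mersenne(k: int) -> int:
    return (1 << k) - 1  # 2^k - 1 is prime for k in {19, 31, 61, 89, 107, 127}


# Constructed parties. Mallory is an impostor whose key the CA never signed.
CA = make_keypair(mersenne(107), mersenne(127))
ALICE = make_keypair(mersenne(61), mersenne(89))
MALLORY = make_keypair(mersenne(19), mersenne(31))
SENDER = "alice@example.test"

ALICE_CERT = issue_certificate(CA, SENDER, ALICE.public)
# The best Mallory can do is self-sign a certificate that claims Alice's name.
MALLORY_CERT = issue_certificate(MALLORY, SENDER, MALLORY.public)


def demo() -> dict:
    msg = b"Approve transfer 0042"
    sig = sign(ALICE, msg)
    return {
        "genuine": verify_signed_message(CA.public, ALICE_CERT, SENDER, msg, sig),
        "tampered": verify_signed_message(CA.public, ALICE_CERT, SENDER,
                                          b"Approve transfer 9999", sig),
        "impostor": verify_signed_message(CA.public, MALLORY_CERT, SENDER,
                                          msg, sign(MALLORY, msg)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:9s} -> {'accepted' if ok else 'rejected'}")
```

The impostor case fails at the certificate step, not the message step: Mallory's signature over the message is valid under Mallory's own key, but no CA the receiver trusts vouches that this key belongs to Alice.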

Section 3 – Issue 5

- Legal issues
  - Be careful when deploying cryptography technology overseas. According to Webopedia, "PGP is such an effective encryption tool that the U.S. government actually brought a lawsuit against Zimmermann for putting it in the public domain and hence making it available to enemies of the U.S. After a public outcry, the U.S. lawsuit was dropped, but it is still illegal to use PGP in many other countries."
  - By the way, if you want to learn more about PGP, refer to its official home page at PGPI.ORG.

Section 4

Responding to attacks

Section 4 – Issue 1

- Security Compromise Underway
  - Spotting a security compromise under way can be a tense undertaking. How you react can have large consequences.
  - If the compromise you are seeing is a physical one, odds are you have spotted someone who has broken into your home, office or lab. You should notify your local authorities. In a lab, you might have spotted someone trying to open a case or reboot a machine. Depending on your authority and procedures, you might ask them to stop, or contact your local security people.

Section 4 – Issue 1 cont’d

- Detecting Physical Security Compromises
  - The first thing to always note is when your machine was rebooted. The only times your machine should reboot is when you take it down for OS upgrades, hardware swapping, or the like. If your machine has rebooted without you doing it, that may be a sign that an intruder has compromised it. Many of the ways that your machine can be compromised require the intruder to reboot or power off your machine.
  - Check for signs of tampering on the case and computer area. Although many intruders clean traces of their presence out of logs, it's a good idea to check through them all and note any discrepancy.
  - It is also a good idea to store log data at a secure location, such as a dedicated log server within your well-protected network. Once a machine has been compromised, log data becomes of little use as it most likely has also been modified by the intruder.

Section 4 – Issue 1 cont’d

  - The syslog daemon can be configured to automatically send log data to a central syslog server, but this is typically sent unencrypted, allowing an intruder to view data as it is being transferred. This may reveal information about your network that is not intended to be public. There are syslog daemons available that encrypt the data as it is being sent.
  - Also be aware that faking syslog messages is easy (an exploit program has been published). Syslog even accepts network log entries claiming to come from the local host without indicating their true origin.

Section 4 – Issue 1 cont’d

  - Some things to check for in your logs:
    - Short or incomplete logs.
    - Logs containing strange timestamps.
    - Logs with incorrect permissions or ownership.
    - Records of reboots or restarting of services.
    - Missing logs.
    - su entries or logins from strange places.
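The log checklist above turned into a small review script, as an added example that is not from the study guide. The sample lines, the trusted network range and the six-hour silence threshold are all constructed assumptions; the checks cover the items a script can see in the log text itself (timestamps, reboots, su, login origins), while file permissions, ownership and missing files are filesystem checks outside this block.

```python
"""Review constructed auth-log lines for the anomalies the slide lists (added example)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log in an ISO-timestamp syslog layout; not from a real host.
SAMPLE_LOG = """\
2024-03-03T01:58:10 web1 sshd[801]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
2024-03-03T02:14:01 web1 sshd[812]: Accepted password for bob from 203.0.113.7 port 51122 ssh2
2024-03-03T02:14:40 web1 su: (to root) bob on pts/1
2024-03-03T02:15:02 web1 shutdown[830]: shutting down for system reboot
2024-03-03T01:20:00 web1 sshd[845]: Accepted publickey for alice from 10.0.0.5 port 50400 ssh2
2024-03-03T09:31:17 web1 sshd[902]: Accepted publickey for carol from 10.0.2.9 port 50931 ssh2
"""

# Assumed site policy: interactive logins are expected only from these networks,
# and a silent stretch longer than MAX_GAP in a normally busy log is worth a look.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_GAP = timedelta(hours=6)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
SU_RE = re.compile(r"\(to (?P<target>\w+)\) (?P<user>\S+)")


def audit_log(text: str, trusted_nets=TRUSTED_NETS, max_gap=MAX_GAP) -> list:
    """Return one finding per suspicious line: (line number, kind, detail)."""
    findings = []
    last_ts = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable", line))
            continue
        ts = datetime.fromisoformat(m["ts"])
        proc, msg = m["proc"], m["msg"]

        # Strange timestamps: time going backwards suggests edited or injected
        # entries; a long silence may mean entries were deleted (incomplete logs).
        if last_ts is not None:
            if ts < last_ts:
                findings.append((lineno, "timestamp-out-of-order", f"{ts} after {last_ts}"))
            elif ts - last_ts > max_gap:
                findings.append((lineno, "gap", f"{ts - last_ts} of silence before {ts}"))
        last_ts = ts if last_ts is None else max(last_ts, ts)

        # Logins from strange places: source address outside every trusted network.
        login = LOGIN_RE.search(msg)
        if login:
            ip = ipaddress.ip_address(login["ip"])
            if not any(ip in net for net in trusted_nets):
                findings.append((lineno, "login-from-unknown-network",
                                 f"{login['user']} via {login['method']} from {ip}"))

        # su entries, especially to root.
        if proc == "su":
            su = SU_RE.search(msg)
            if su:
                findings.append((lineno, "su", f"{su['user']} -> {su['target']}"))

        # Records of reboots you did not schedule.
        if "reboot" in msg.lower() or proc in ("shutdown", "reboot"):
            findings.append((lineno, "reboot", msg))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {detail}")
```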

Section 4 – Issue 1 cont’d

  - If you have detected a local user trying to compromise your security, the first thing to do is confirm they are in fact who you think they are. Check the site they are logging in from. Is it the site they normally log in from? No? Then use a non-electronic means of getting in touch. For instance, call them on the phone or walk over to their office/house and talk to them. If they agree that they are on, you can ask them to explain what they were doing or tell them to cease doing it. If they are not on, and have no idea what you are talking about, odds are this incident requires further investigation. Look into such incidents, and have lots of information before making any accusations.
  - If you have detected a network compromise, the first thing to do (if you are able) is to disconnect your network. If they are connected via modem, unplug the modem cable; if they are connected via Ethernet, unplug the Ethernet cable. This will prevent them from doing any further damage, and they will probably see it as a network problem rather than detection.

Section 4 – Issue 1 cont’d

  - If you are unable to disconnect the network (if you have a busy site, or you do not have physical control of your machines), the next best step is to use something like tcp_wrappers or ipfwadm to deny access from the intruder's site.
  - If you can't deny all people from the same site as the intruder, locking the user's account will have to do. Note that locking an account is not an easy thing. You have to keep in mind .rhosts files, FTP access, and a host of possible backdoors.
  - After you have done one of the above (disconnected the network, denied access from their site, and/or disabled their account), you need to kill all their user processes and log them off.
  - You should monitor your site well for the next few minutes, as the attacker will try to get back in, perhaps using a different account and/or a different network address.

Section 4 – Issue 2

- Security Compromise has already happened
  - So you have either detected a compromise that has already happened or you have detected it and locked (hopefully) the offending attacker out of your system. Now what?
- Closing the Hole
  - If you are able to determine what means the attacker used to get into your system, you should try to close that hole. For instance, perhaps you see several FTP entries just before the user logged in. Disable the FTP service and check and see if there is an updated version, or if any of the lists know of a fix.
  - Check all your log files, and make a visit to your security lists and pages and see if there are any new common exploits you can fix.

Section 4 – Issue 2 cont’d

- Assessing the Damage
  - The first thing is to assess the damage. What has been compromised? If you are running an integrity checker like Tripwire, you can use it to perform an integrity check; it should help to tell you what has been compromised. If not, you will have to look around at all your important data.
  - Since systems are getting easier and easier to install, you might consider saving your config files, wiping your disk(s), reinstalling, then restoring your user files and your config files from backups. This will ensure that you have a new, clean system. If you have to restore files from the compromised system, be especially cautious of any binaries that you restore, as they may be Trojan horses placed there by the intruder.


Section 4 – Issue 2 cont’d

- Re-installation should be considered mandatory once an intruder has obtained root access. Additionally, you'd like to keep any evidence there is, so having a spare disk in the safe may make sense.

- Then you have to worry about how long ago the compromise happened, and whether the backups hold any damaged work. More on backups later.


Section 4 – Issue 2 cont’d

Backups, Backups, Backups!
- Having regular backups is a godsend for security matters. If your system is compromised, you can restore the data you need from backups. Of course, some data is valuable to the attacker too, and they will not only destroy it, they will steal it and have their own copies; but at least you will still have the data.


Section 4 – Issue 2 cont’d

- You should check several backups back into the past before restoring a file that has been tampered with. The intruder could have compromised your files long ago, and you could have made many successful backups of the compromised file!

- Of course, there are also a raft of security concerns with backups. Make sure you are storing them in a secure place. Know who has access to them. (If an attacker can get your backups, they can have access to all your data without you ever knowing it.)
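The two steps above, assessing the damage with a Tripwire-style integrity check and then checking several backups back before restoring a tampered file, as one added example that is not the study guide's own code. The file contents, paths and backup generations are constructed for the illustration; a real baseline would be built on a known-clean system and kept off the machine.

```python
# Added example, not the study guide's own code: a minimal Tripwire-style
# integrity check, plus the "check several backups back" step: walk backup
# generations from newest to oldest to find the last one whose copy of a file
# still matches the trusted baseline. All file contents here are constructed.
import hashlib
from typing import Dict, List, Optional

Manifest = Dict[str, str]  # path -> SHA-256 hex digest

def build_manifest(files: Dict[str, bytes]) -> Manifest:
    """Digest every file; a baseline is built on a known-clean system and kept offline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def integrity_check(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Report files whose digest changed, files that vanished, and files that appeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def last_clean_backup(baseline: Manifest, backups: List[Manifest], path: str) -> Optional[int]:
    """Index (0 = oldest) of the newest backup whose copy of `path` matches the
    baseline, or None when every generation already holds the tampered file."""
    for i in range(len(backups) - 1, -1, -1):
        if path in backups[i] and backups[i][path] == baseline.get(path):
            return i
    return None

# Constructed system snapshots: a clean baseline, then a compromised state
# where /bin/ps was replaced (a classic rootkit target) and a hidden file added.
CLEAN = {"/bin/ls": b"ls-v1", "/bin/ps": b"ps-v1", "/etc/passwd": b"root:x:0:0"}
COMPROMISED = {"/bin/ls": b"ls-v1", "/bin/ps": b"ps-trojan", "/etc/passwd": b"root:x:0:0",
               "/tmp/.x": b"backdoor"}
BASELINE = build_manifest(CLEAN)
# Four nightly backups, oldest first; the intruder replaced ps before backup 2.
BACKUPS = [build_manifest(CLEAN), build_manifest(CLEAN),
           build_manifest(COMPROMISED), build_manifest(COMPROMISED)]

def report() -> dict:
    """Run the check and work out which backup is still safe to restore /bin/ps from."""
    findings = integrity_check(BASELINE, build_manifest(COMPROMISED))
    return {"findings": findings,
            "restore_ps_from": last_clean_backup(BASELINE, BACKUPS, "/bin/ps")}

if __name__ == "__main__":
    print(report())
```

The report flags /bin/ps as modified and /tmp/.x as added, and points at backup 1 as the newest generation that still holds a clean /bin/ps; the two most recent backups would silently restore the trojaned binary.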


Section 4 – Issue 2 cont’d

Tracking Down the Intruder
- Ok, you have locked the intruder out and recovered your system, but you're not quite done yet. While it is unlikely that most intruders will ever be caught, you should report the attack.

- You should report the attack to the admin contact at the site from which the attacker attacked your system. You can look up this contact with whois or the Internic database. You might send them an email with all applicable log entries and dates and times. If you spotted anything else distinctive about your intruder, you might mention that too. After sending the email, you should (if you are so inclined) follow up with a phone call. If that admin in turn spots your attacker, they might be able to talk to the admin of the site where they are coming from, and so on.


Section 4 – Issue 2 cont’d

- Good crackers often use many intermediate systems, some (or many) of which may not even know they have been compromised. Trying to track a cracker back to their home system can be difficult. Being polite to the admins you talk to can go a long way to getting help from them.

- You should also notify any security organizations you are a part of (CERT or similar), as well as your system vendor.


Section 5

Virus


Section 5 – Issue 1

Computer virus: a computer program which reproduces itself through legitimate processes in computer programs and operating systems. It can alter the behavior of a program or operating system without the knowledge of computer users.
- It is itself written with malicious purposes in mind.


Section 5 – Issue 2

To keep up with the latest information on the various viruses, visit the following web sites:
- WildList Organization International, the world's premier source of information on which viruses are spreading In the Wild (http://www.wildlist.org/).

- The Virus Bulletin, an international anti-virus publication that keeps track of the occurrence of computer viruses (http://www.virusbtn.com/).


Section 5 – Issue 3

Virus experts in general prefer to categorize viruses by:
- their behaviors
- the affected operating system platforms
- the type of programming languages used to develop them


Section 5 – Issue 4

The majority of early viruses were program viruses, which infected programs with the .com and .exe file extensions.
- They infect executable files by placing their programming instructions inside the other programs.

- They do NOT infect .BAT files, since .BAT files are simply text-based scripts. They can be embedded into .BAT files for execution, though.

- They cannot bypass anti-virus software.


Section 5 – Issue 5

Script viruses target scripting languages such as Microsoft Visual Basic and JavaScript, which have become commonplace.

Macro viruses mostly affect business software, such as MS Office. Macros let users automate a series of commands inside documents or spreadsheets. Macro instructions can easily be modified by viruses to perform erratic behaviors.

All these viruses can be detected by today's anti-virus software packages.


Section 5 – Issue 6

Boot sector viruses infect the hidden startup programs built into diskette media and hard drives.
- Since they start before the operating system is loaded, they can easily bypass anti-virus software.


Section 5 – Issue 7

To further spread viruses, virus writers developed Trojan horses: programs that trick users into starting them and then install malicious software.

Hybrid viruses are another type of "latest invention". They can act in more than one way; as an example, an Internet worm may be able to infect program files.


Section 5 – Issue 8

Melissa
- A very famous virus.
- Appearing in March 1999, it spread quickly and caused massive troubles worldwide. In fact, Microsoft had to shut down four out of six incoming mail servers under the strain produced by Melissa.


Congratulations!

You have completed all the sections. For the latest product information, please visit our web site: www.ExamREVIEW.NET


Excellent public resources

Some of these web resources may have expired by the time you read this document. If so, please do a web search through Yahoo or Google using the resource title as the search subject. Good luck.

Know biometrics. Biometrics is an important topic. Check out the various forms of biometrics technology described in this web page: http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm . Know their drawbacks and their impacts.

Other recommended readings (primarily from NIST) include:

April 21, 2006: Draft Special Publication 800-92 Guide to Computer Security Log Management

Adobe PDF (1,939 KB)


http://csrc.nist.gov/publications/drafts/DRAFT-SP800-92.pdf

This document provides detailed information on developing, implementing, and maintaining effective log management practices throughout an enterprise. It includes guidance on establishing a centralized log management infrastructure, which includes hardware, software, networks, and media. It also discusses the log management processes that should be put in place at an organization-wide level, including the definition of roles and responsibilities, the creation of feasible logging policies, and the division of responsibilities between system- level and organization-level administrators. Guidance is also provided on log management at the individual system level, such as configuring log generating sources, supporting logging operations, performing log data analysis, and managing long-term data storage.

August 15, 2005: Draft NIST Special Publication 800-26 Revision 1, Guide for Information Security Program Assessments and System Reporting Form

Adobe pdf (1,153 KB)


http://csrc.nist.gov/publications/drafts/Draft-sp800-26Rev1.pdf

This draft document brings the assessment process up to date with key standards and guidelines developed by NIST.

May 4, 2006: Draft Special Publication 800-80, Guide for Developing Performance Metrics for Information Security

Adobe PDF (762 KB)

http://csrc.nist.gov/publications/drafts/draft-sp800-80-ipd.pdf

This guide is intended to assist organizations in developing metrics for an information security program. The methodology links information security program performance to agency performance. It leverages agency-level strategic planning processes and uses security controls from NIST SP 800-53, Recommended Security Controls for Federal Information Systems, to characterize security performance.


April 21, 2006: Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems

Adobe PDF (5,487 KB)

http://csrc.nist.gov/publications/drafts/SP800-53A-spd.pdf

The document provides a comprehensive listing of methods and procedures to assess the effectiveness of security controls in federal information systems. Assessment procedures have been developed for each security control and control enhancement in NIST Special Publication 800-53 with the rigor and intensity of assessments aligned with the impact levels in FIPS 199.

March 13, 2006: Draft Federal Information Processing Standard (FIPS) 186-3 - Digital Signature Standard (DSS)

Adobe PDF (474 KB)


http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3%20_March2006.pdf

The draft defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures. Three techniques are allowed: DSA, RSA and ECDSA. This draft includes requirements for obtaining the assurances necessary for valid digital signatures.

February 3, 2006: Draft Special Publication 800-88: Guidelines for Media Sanitization

Adobe PDF (526 KB)

http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf

This guide is intended to assist organizations and system owners in making practical sanitization decisions based on the level of sensitivity of their information.


Sample IS Audit Questionnaire


You may download the latest sample questionnaire via the web link below:

http://www.examreview.net/IT_Questionnaire.pdf

End of Study Guide