
CISA ExamESSENTIALS Study Guide

2009 Ed.

The Number One Source of Exam and On-the-Job Information

STUDY INFORMATION FOR EXAM CANDIDATES

CISA ExamESSENTIALS Guide

Covering the 2009 Syllabus

ExamREVIEW PRO & ExamREVIEW PRESS

2009
All rights reserved. No part of the contents of this book may be reproduced or
transmitted in any form or by any means without the written permission of the
publisher.

Important: Please Read
Due to the variety of fonts installed on the users' systems, Acrobat may prompt you to download an additional language component (which is FREE from Adobe anyway). If you receive a message saying that a Traditional Chinese language pack has to be downloaded in order to load this eBook, please click YES to have Acrobat download the update. The size of the update is about 7M. Don't worry, this download is safe.

Table of Contents

END USER LICENSE AGREEMENT
EXAM FORMAT  13
ABOUT THIS BOOK  14
EXAM TOPICS  15
EXAM REGISTRATION CONTACTS  19
STUDY PSYCHOLOGY & EXAM TACTICS  20
KEY EXAM STRATEGIES  21
    STRATEGY ONE: KEYWORD OR KEY PHRASE MATCHING  21
    STRATEGY TWO: CHOICES GROUPING  22
    STRATEGY THREE: THINK TRICKY  23
SECURITY THEORIES  25
    THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM  27
    DEFENSE IN DEPTH  27
    VULNERABILITIES  28
    SECURITY MEASURES  45
    STANDARDS AND GUIDELINES  49
IS ORGANIZATION AND INFORMATION ASSETS PROTECTION  55
    THE STAKEHOLDERS  56
    THE BOARD  57
    THE AUDIT MANAGER  58
    AUDIT PERSONNEL  59
IS CONTROLS  61
    THE IMPORTANCE OF THE USE OF CONTROLS  61
    CLASSIFICATION OF CONTROLS  62
    GENERAL CONTROLS VS APPLICATION CONTROLS  63
ACCESS CONTROL AND THE AUDITING PROCESS  66
    ACCESS CONTROL MODELS  66
    ACLS VERSUS CAPABILITIES  68
    WHAT IS ORANGE BOOK, BY THE WAY?  69
    TYPES OF ACCESS CONTROL  70
    THE AAA CONCEPT  71
    ESTABLISHING ACCOUNTABILITY THROUGH EVENT LOGGING  74
    THE AUDIT PROCESS  75
    THE SARBANES-OXLEY ACT AND THE COSO FRAMEWORK  76
    WHAT IS AUDITING, BY THE WAY?  79
    THE ROLE OF AN AUDITOR  82
    THE AUDIT PROCESS FLOW  83
    OVERALL STRATEGIES  88
    AUDIT PLANNING  90
    RECOMMENDED TYPES OF AUDIT  100
    EXAMPLE AUDIT OBJECTIVES AND PROCEDURES  103
    AUDIT FIELD WORKS  111
    AUDIT PROGRAM  115
    AUDIT REPORT  116
    AUDIT FOLLOW UP  118
    AUDIT ASSESSMENT  120
IT STRATEGIC PLANNING  121
    IT STRATEGIC PLANNING DEFINED  121
    THE ROLE OF IS AUDITING IN THE PLANNING PROCESS  122
    IN HOUSE OR OUTSOURCE?  123
    AVOIDING CONFLICTS OF INTERESTS  124
PROTECTION OF INFORMATION ASSETS THROUGH SECURITY POLICY  126
    INFORMATION ASSETS DEFINED  126
    DATA CLASSIFICATIONS AND LAYER OF RESPONSIBILITIES  129
    SECURITY POLICY  131
    SECURITY MODELS AND MODES OF OPERATIONS  138
    EXAMPLE POLICY  141
    CONSEQUENCES OF VIOLATIONS  143
    EVALUATION  144
    ORGANIZATION SPECIFIC CLASSIFICATION SCHEME  145
    CHANGE CONTROL  146
BUSINESS CONTINUITY PLANNING  148
    DEFINITION  148
    BCP VS BPCP VS DRP  149
    BCP PHASES  150
    STAKEHOLDERS AND CRISIS COMMUNICATIONS  151
    THE RISK ASSESSMENT FLOW  153
    RISK VS THREAT AND VULNERABILITY  158
    IDENTIFYING RISKS  159
    LOSS CALCULATIONS  161
    BUSINESS IMPACT ANALYSIS DEFINED  164
    BIA GOALS AND STEPS  165
    BIA CHECKLIST  166
    PREPARING FOR EMERGENCY  168
    MANAGING RECOVERY  170
    TESTING THE PLAN  172
    USER ACCEPTANCE  174
    PLAN MAINTENANCE  174
    INCIDENT HANDLING  177
RISK MANAGEMENT  180
    RISK MANAGEMENT DEFINED  181
    THE RISK MANAGEMENT STEPS  181
    IS AUDITING AND RISK MANAGEMENT  183
    RISK BASED AUDITING  184
    RISK MANAGEMENT READINGS  185
PROJECT MANAGEMENT  187
    PROJECT MANAGEMENT DEFINED  187
    PROJECT MANAGEMENT AND AUDIT  188
CHANGE MANAGEMENT  190
    CHANGE MANAGEMENT DEFINED  190
    CHANGE MANAGEMENT STRATEGIES  192
    CHANGE MANAGEMENT VS CHANGE CONTROL VS CONFIGURATION MANAGEMENT  194
    CHANGE CONTROL  196
APPLICATION PROGRAM DEVELOPMENT  203
    GENERAL GUIDELINES  203
    SYSTEM CHANGE CONTROL  204
    SOFTWARE DEVELOPMENT PROCESSES AND MODELS  205
    BUY VS MAKE: ACQUISITION MANAGEMENT METHODS  208
TECHNICAL READINGS  211
    SECTION 1: TOPICS ON SECURITY THEORY  211
    SECTION 2: TOPICS ON HACKING, ATTACKING, DEFENDING AND AUDITING  211
    SECTION 3: TOPICS ON ENCRYPTION AND VPN  211
    SECTION 4: TOPICS ON RESPONDING TO ATTACKS  211
    SECTION 5: TOPICS ON VIRUSES  211
EXCELLENT PUBLIC RESOURCES  302
SAMPLE IS AUDIT QUESTIONNAIRE  307
END OF STUDY GUIDE  308

End User License Agreement

The CISA ExamESSENTIALS Guide (the "Book") is a certification study product provided by ExamREVIEW Press (including ExamREVIEW.NET and SystemREVIEW.NET, being referred to as ExamREVIEW.NET in this document), subject to your compliance with the terms and conditions set forth below.
PLEASE READ THIS DOCUMENT CAREFULLY BEFORE ACCESSING OR USING THE BOOK. BY ACCESSING OR USING THE BOOK, YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS SET FORTH BELOW. IF YOU DO NOT WISH TO BE BOUND BY THESE TERMS AND CONDITIONS, YOU MAY NOT ACCESS OR USE THE BOOK. EXAMREVIEW.NET MAY MODIFY THIS AGREEMENT AT ANY TIME, AND SUCH MODIFICATIONS SHALL BE EFFECTIVE IMMEDIATELY UPON POSTING OF THE MODIFIED AGREEMENT ON THE CORPORATE SITE OF EXAMREVIEW.NET. YOU AGREE TO REVIEW THE AGREEMENT PERIODICALLY TO BE AWARE OF SUCH MODIFICATIONS, AND YOUR CONTINUED ACCESS OR USE OF THE BOOK SHALL BE DEEMED YOUR CONCLUSIVE ACCEPTANCE OF THE MODIFIED AGREEMENT.
1. Copyright and Licenses.

License Grant
This Agreement entitles you to install and use one copy of the Book. In addition, you may make one archival copy of the Book. The archival copy must be on a storage medium other than a hard drive, and may only be used for the reinstallation of the Book. This Agreement does not permit the installation or use of multiple copies of the Book, or the installation of the Book on more than one computer at any given time, on a system that allows shared use of applications, on a multi-user network, or on any configuration or system of computers that allows multiple users. Multiple copy use or installation is only allowed if you obtain an appropriate licensing agreement for each user and each copy of the Book. For further information regarding multiple-copy licensing of the Book, please contact: michael@ExamREVIEW.NET
Restrictions on Transfer
Without first obtaining the express written consent of ExamREVIEW.NET, you may
not assign your rights and obligations under this Agreement, or redistribute, encumber,
sell, rent, lease, sublicense, or otherwise transfer your rights to the Book.
Restrictions on Use
You may not use, copy, or install the Book on any system with more than one computer,
or permit the use, copying, or installation of the Book by more than one user or on more
than one computer. If you hold multiple, validly licensed copies, you may not use, copy,
or install the Book on any system with more than the number of computers permitted
by license, or permit the use, copying, or installation by more users, or on more
computers than the number permitted by license.
You may not decompile, "reverse-engineer", disassemble, or otherwise attempt to derive
the source code for the Book.
Restrictions on Alteration
You may not modify the Book or create any derivative work of the Book or its
accompanying documentation. Derivative works include but are not limited to
translations. You may not alter any files or libraries in any portion of the Book. You
may not reproduce the database portion or create any tables or reports relating to the
database portion.

Restrictions on Copying
You may not copy any part of the Book except to the extent that licensed use inherently demands the creation of a temporary copy stored in computer memory and not permanently affixed on storage medium. You may make one archival copy which must be stored on a medium other than a computer hard drive.
TRADEMARKS.
CISA ExamESSENTIALS Guide and/or any other names of ExamREVIEW.NET or its publications, products, content or services referenced herein or on the Book are the exclusive trademarks or service marks of ExamREVIEW.NET. Other product and company names mentioned in the Book may be the trademarks of their respective owners.

2. Use of the Book.
You understand that, except for information, products or services clearly identified as being supplied by ExamREVIEW.NET, ExamREVIEW.NET does not operate, control or endorse any information, products or services on the Internet in any way. Except for ExamREVIEW.NET explicitly identified information, products or services, all information, products and services offered through the Book or on the Internet generally are offered by third parties that are not affiliated with ExamREVIEW.NET.
YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE BOOK AND THE INTERNET. EXAMREVIEW.NET PROVIDES THE BOOK AND RELATED INFORMATION "AS IS" AND DOES NOT MAKE ANY EXPRESS OR IMPLIED WARRANTIES, REPRESENTATIONS OR ENDORSEMENTS WHATSOEVER (INCLUDING WITHOUT LIMITATION WARRANTIES OF TITLE OR NONINFRINGEMENT, OR THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE) WITH REGARD TO THE BOOK, ANY INFORMATION OR SERVICE PROVIDED THROUGH THE BOOK, AND EXAMREVIEW.NET SHALL NOT BE LIABLE FOR ANY COST OR DAMAGE ARISING EITHER DIRECTLY OR INDIRECTLY FROM ANY SUCH. IT IS SOLELY YOUR RESPONSIBILITY TO EVALUATE THE ACCURACY, COMPLETENESS AND USEFULNESS OF ALL OPINIONS, ADVICE, AND OTHER INFORMATION PROVIDED THROUGH THE BOOK.
LIMITATION OF LIABILITY
IN NO EVENT WILL EXAMREVIEW.NET BE LIABLE FOR (I) ANY INCIDENTAL, CONSEQUENTIAL, OR INDIRECT DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR INFORMATION, AND THE LIKE) ARISING OUT OF THE USE OF OR INABILITY TO USE THE BOOK, EVEN IF EXAMREVIEW.NET OR ITS AUTHORIZED REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR (II) ANY CLAIM ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN THE BOOK. BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. IN SUCH STATES, EXAMREVIEW.NET LIABILITY IS LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW.
ExamREVIEW.NET makes no representations whatsoever about any other web site which is referenced in the Book. When you access a non-ExamREVIEW.NET web site, please understand that it is independent from ExamREVIEW.NET, and that ExamREVIEW.NET has no control over the content on that web site. In addition, a link to a non-ExamREVIEW.NET web site does not mean that ExamREVIEW.NET endorses or accepts any responsibility for the content, or the use, of such web site.
3. Indemnification.
You agree to indemnify, defend and hold harmless ExamREVIEW.NET, its officers, directors, employees, agents, licensors, suppliers and any third party information providers to the Book from and against all losses, expenses, damages and costs, including reasonable attorneys' fees, resulting from any violation of this Agreement (including negligent or wrongful conduct) by you or any other person using the Book.
4. Third Party Rights.
The provisions of paragraphs 2 (Use of the Book) and 3 (Indemnification) are for the benefit of ExamREVIEW.NET and its officers, directors, employees, agents, licensors, suppliers, and any third party information providers to the Book. Each of these individuals or entities shall have the right to assert and enforce those provisions directly against you on its own behalf.
5. Termination.
This Agreement may be terminated by either party without notice at any time for any reason. The provisions of paragraphs 1 (Copyright, Licenses and Idea Submissions), 2 (Use of the Book), 3 (Indemnification), 4 (Third Party Rights) and 6 (Miscellaneous) shall survive any termination of this Agreement.
6. Miscellaneous.
This Agreement shall be governed and construed in accordance with the laws of Hong Kong applicable to agreements made and to be performed in Hong Kong. You agree that any legal action or proceeding between ExamREVIEW.NET and you for any purpose concerning this Agreement or the parties' obligations hereunder shall be brought exclusively in a court of competent jurisdiction sitting in Hong Kong. Any cause of action or claim you may have with respect to the Book must be commenced within one (1) year after the claim or cause of action arises or such claim or cause of action is barred. ExamREVIEW.NET's failure to insist upon or enforce strict performance of any provision of this Agreement shall not be construed as a waiver of any provision or right. Neither the course of conduct between the parties nor trade practice shall act to modify any provision of this Agreement. ExamREVIEW.NET may assign its rights and duties under this Agreement to any party at any time without notice to you.
Any rights not expressly granted herein are reserved.

Every effort has been made to ensure the accuracy of this book. If you have
comments, questions, or ideas regarding this book, please let us know by
emailing to this address: michael@ExamREVIEW.NET

This electronic book was originally created as a print book. For simplicity, the
electronic version of this book has been modified as little as possible from its
original form.


Exam Format
The following question formats are used in the CISA exams:
Text Based Multiple-choice: The examinee selects one option that best answers the question or completes a statement.
Multiple-response: The examinee selects multiple options that best answer the question or complete a statement.
Sample Directions (Scenario): Read the statement or question and, from the response options, select only the option(s) that represent the BEST possible answer(s).
There are no fill-in-the-blank questions. There are no graphical questions. You will mostly be asked to pick one choice as the answer. However, some questions will require you to pick multiple items, something like "i and ii", "i, iii & v", etc.
- For international candidates, it takes about two months to receive the results.
- As of 2004 all CISA exams are paper and pencil based.


About this book

The CISA exam has a lot of questions that ask for your "best decisions": of the hundreds of questions you will encounter in the exam, a significant portion of them require that you pick the best possible options. These best options are often based on expert advice and best practices not found in the standard exam text books.
Our CISA ExamESSENTIALS Guide goes the expert-advice way. Instead of giving you the hard facts, we give you information that covers the best practices. With this information, you will always be able to make the most appropriate expert judgment in the exam.
If you are looking for the hard facts, visit the following ISACA link:
http://www.isaca.org/TemplateRedirect.cfm?Template=/ContentManagement/ContentDisplay.cfm&ContentID=15262
* In case this link no longer works, refer to the Standards section of ISACA's web site.
This is the place where most official IS auditing standards and guidelines are listed. In the exam you will encounter certain questions that test your memorization skills; you will have to get these hard facts fully loaded into your memory. We believe that the official published material is the best source of information in this regard. Our guide focuses on the best business practice and expert advice side of the exam.

Exam Topics
The official exam objectives can be found from the CISA exam page:
http://www.isaca.org/cisaexam
I personally do not recommend that you spend too much time on these objectives. The reasons are:
- many of them simply require nothing but basic common sense; you will be able to answer the corresponding questions easily anyway
- the list is way too detailed; if you go through them one by one, it will take you a year or so to finish
- many of the objectives heavily overlap
- to me, they look confusing

Instead, I prefer to focus on the following areas (because they often involve topics that do not have fixed answers but instead require the best possible options):
- Access control models.
- The auditing process.
- IT strategic planning.
- Protection Policy for Information Assets.
- Business Continuity Planning.
- Risk management.
- Project Management.
- Change Management.

Why do we choose these topics? Firstly, according to many recent CISA graduates, these are the topics that frequently give them surprises. Secondly, if you watch closely what ISACA at present offers together with the Big 5 accounting firms, you should notice that these topics are always emphasized.

Most candidates fail the exam because they focused too much on the IT side of the exam, with little or no preparation on the auditing related disciplines. Remember, a large number of the CISA exam candidates are from the accounting profession, where business auditing is a major daily duty.
The exam is about 40% TECHNOLOGY and 60% BUSINESS PRACTICE.
Tech gurus do not really have an edge because no in-depth or advanced technologies are tested here. Instead, the practical business people with sufficient technology knowledge rule.
The tech questions are easy because they are (and are bound to be) straightforward. The business practice related questions are difficult because business rationales are never straightforward: too many factors come into play, making every scenario highly complicated.
And remember, technology does not mean IT technology alone. It also means Physical Security Technology as well as Biometrics, and many more. As of the time of this writing the state of biometrics technology is very sophisticated and accurate, but is highly expensive. Other potential barriers include user acceptance, enrollment time and throughput. Still, it is gaining ground, especially in environments where security is CRITICAL.
Take a look at the security measures your company has implemented and critically assess their features and effectiveness. This will help.

!!! Biometrics is an important topic. Check out the various forms of biometrics technology described in this web page:
http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm

Exam Registration Contacts

The CISA exam is offered throughout the world twice a year (in June and in December). The best way to register for the exam is to request the exam bulletin from the ISACA Certification Department via email at certification@isaca.org or by phone at +1.847.253.1545.
I do recommend that you register early. As I remember, there is an early bird discount available.

Study Psychology & Exam Tactics

- Always plan ahead!
- Always maintain a positive attitude.
- Prepare systematically using ExamReview materials.
- Ensure you have enough sleep! Health is essential for maintaining a fighting spirit.
- Arrive at the test center in time to have a margin of safety.
- Dress yourself in a manner with emphasis on comfort. Always have a coat ready just in case the A/C is way too powerful.
- Read the exam instructions carefully before answering the first question.

Key exam strategies

To be successful in the CISA exam, you must know how the questions are structured. The official saying is that the CISA examination will require the candidates to answer questions and to make judgments based on the information learned in courses and on their own professional experiences. Based on our experiences, however, tackling CISA questions involves several major strategies:

Strategy One: Keyword or key phrase matching.

Example: Which of the following would be included in an information security strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for information security projects
D. Annual budgetary targets for the security department

The key phrase here is "strategic plan". As we all know, a strategic plan is a very high level thing. Look at the choices: only choice B has a high level element, which is "business objective". Therefore, B is the correct answer.

Strategy Two: Choices grouping.

Example: The MOST important responsibility of an information security manager in an organization is:
A. recommending and monitoring security policies.
B. promoting security awareness within the organization.
C. establishing procedures for security policies.
D. administering physical and logical access controls.

When you try to classify or group the choices, you will find that choices B, C and D can be classified into one group: a group of implementation activities. Choice A, on the other hand, takes place way before the implementation phase. Therefore, choice A is the answer.

Strategy Three: Think tricky.

You need to know how to pick the BEST answer out of several technically possible answers. To do this you need to think tricky; the questions are always written with trickiness in mind (believe me, this is exactly the case with most ISACA exam questions).
As an example, you are asked to evaluate the following statements:
- In the context of information security, the term Granularity refers to the level of detail to which a trusted system can authenticate users.
- In the context of information security, the term Granularity refers to the level of detail to which imperfections of a trusted system can be measured.
- In the context of information security, the term Granularity refers to the level of detail to which packets can be filtered.
- In the context of information security, the term Granularity refers to the level of detail to which an access control system can be adjusted.
Which statement is the BEST one?

To pick the BEST choice, you must keep in mind that Granularity is a term which could be applied to a multitude of usages within the context of IT security. It can be for packet filtering, and it can also be for user access. The last statement says "access control system" without specifying its exact type. It is therefore representative of almost all possible types of access control system. You know what, this is exactly the type of answer expected. Kinda tricky, isn't it?

Security Theories
A security stance is a default position on security matters. The 2 primary security stances are:

i. "Everything not explicitly permitted is forbidden" (default deny). This improves security at the cost of functionality. A good approach to use if you have lots of security threats. You may find this approach helpful when it is based on the principle of least privilege (sometimes also known as the principle of least authority, POLA): that every module of a computing environment should be able to access only those resources that are necessary to its legitimate purpose. Do keep in mind, an over-restrictive system can sacrifice usability. The lack of flexibility can also hinder usability.

ii. "Everything not explicitly forbidden is permitted" (default permit). This allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible. Many earlier Windows systems give Everyone full control, which is no good security-wise.

Proper balance of security risks is needed for implementing practical computing systems.

There are two different approaches to security in computing. One focuses mainly on external threats, and generally treats the computer system itself as a trusted system. The other regards the computer system itself as largely an untrusted system, and redesigns it to make it more secure in a number of ways. Most current real-world computer security efforts focus on external threats, and generally treat the computer system itself as a trusted system. Some observers consider this to be a disastrous mistake, and point out that this distinction is the cause of much of the insecurity of current computer systems: once an attacker has subverted one part of a system without fine-grained security, he or she usually has access to most or all of the features of that system. In other words, this security stance tends to produce insecure systems.

The 'trusted systems' approach has been predominant in the design of many earlier software products, due to the long-standing emphasis on functionality and 'ease of use' over security.

The computer system itself as largely an untrusted system

The untrusted system approach seeks to enforce the principle of least privilege to a great extent, where an entity has only the privileges that are needed for its function. That way, even if an attacker has subverted one part of the system, fine-grained security ensures that it is just as difficult for them to subvert the rest. Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. Where formal correctness proofs are not possible, rigorous use of code review and unit testing measures can be used to try to make modules as secure as possible.

Defense in depth

From a technical perspective, designs that follow the above mentioned technique often make use of the concept of "defense in depth", where more than one subsystem needs to be compromised to compromise the security of the system and the information it holds.

A typical defense in depth approach divides the key security elements into layers for creating a cohesive defense strategy. To ensure effective IT security, you must design, implement, and manage IT security controls for each layer of this layered model. As an example: you may divide your controls into the layers of network, hardware, software, and data.
From a broader perspective, an important principle of the Defense in Depth strategy is that in order to achieve Information Assurance you need to maintain a balanced focus on the critical elements of People, Technology and Operations.
In any case, security should not be viewed as an all or nothing issue. The designers and operators of systems should assume that security breaches are inevitable in the long term, and that full audit trails should be kept of system activity so that when a security breach occurs, the mechanism and extent of the breach can be determined. In fact, storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks.
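As an added example (not code from this guide), the following Python models the remote, append-only audit trail just described: each entry is chained to the previous one by a SHA-256 hash, so a verifier can tell whether an entry was edited, whether one was removed, or whether the tail was rolled back. The event records, the chain layout and the head-hash check are assumptions of this example.

```python
"""Hash-chained, append-only audit trail (added example, not from the guide).

Each entry commits to the previous entry's hash, so editing or deleting an
earlier record breaks every later link, and the head hash kept by the remote
store exposes a truncated tail.  The SHA-256 chain and the record layout are
this example's own choices, not a format the guide describes."""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # constructed anchor for the first link in the chain


def _link_hash(prev_hash: str, seq: int, record: Dict[str, Any]) -> str:
    """Hash of (previous hash || canonical JSON of sequence number and record)."""
    canonical = json.dumps({"seq": seq, "record": record}, sort_keys=True,
                           separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class AppendOnlyAuditLog:
    """Log whose only mutator is append(); head() is what the remote side records."""

    def __init__(self) -> None:
        self._entries: List[Dict[str, Any]] = []

    def append(self, record: Dict[str, Any]) -> str:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        seq = len(self._entries)
        entry = {"seq": seq, "prev": prev, "record": dict(record),
                 "hash": _link_hash(prev, seq, record)}
        self._entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def entries(self) -> List[Dict[str, Any]]:
        return copy.deepcopy(self._entries)  # callers never touch the live list


def verify_chain(entries: List[Dict[str, Any]],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain from GENESIS.  Returns (True, None) when intact, otherwise
    (False, seq) where seq is the first entry that fails.  A seq equal to
    len(entries) means the tail was cut off: the chain is internally consistent
    but does not end at the head hash the remote store recorded."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i
        if _link_hash(prev, i, e["record"]) != e.get("hash"):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def sample_log() -> AppendOnlyAuditLog:
    """Constructed events (not a real log): a login, a privilege change, a file read."""
    log = AppendOnlyAuditLog()
    log.append({"ts": "2009-06-01T09:00:00Z", "user": "alice", "event": "login"})
    log.append({"ts": "2009-06-01T09:05:10Z", "user": "alice", "event": "group_add",
                "detail": "Administrators"})
    log.append({"ts": "2009-06-01T09:06:42Z", "user": "alice", "event": "read",
                "detail": "/finance/ledger.xls"})
    return log


def tamper_scenarios(log: AppendOnlyAuditLog) -> Dict[str, Tuple[bool, Optional[int]]]:
    """Three ways an intruder might try to cover tracks, and what the verifier reports."""
    head = log.head()
    edited = log.entries()
    edited[1]["record"]["detail"] = "Users"                 # rewrite the privilege change
    deleted = [e for e in log.entries() if e["seq"] != 1]   # drop it entirely
    truncated = log.entries()[:-1]                          # roll the tail back
    return {
        "intact": verify_chain(log.entries(), head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios(sample_log()).items():
        print(f"{name:10s} -> {result}")
```

The truncation case is only caught because the remote store keeps the head hash; without that out-of-band anchor a rolled-back chain verifies cleanly.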

Vulnerabilities

To understand the techniques for securing a computer system, it is important to first understand the various types of attacks that can be made against it. These threats can typically be classified into the following categories:

You may think of a salami attack as a concept that can be applied to scenarios with and without relation to computing. In general, a salami attack is said to have taken place when tiny amounts of assets are systematically acquired from a very large number of sources. Since the process takes place below the threshold of perception and detection, an ongoing accumulation of assets bit by bit is made possible. An example: the digits representing currency on a financial institution's computer could be modified in such a way that values to the right of the pennies field are automatically rounded down. The salami concept can apply in information gathering: aggregating small amounts of information from many sources with an attempt to derive an overall picture of an organization.
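As an added example of the rounding-down salami above (not code from this guide), the following Python shows the control an auditor would want: an independent recomputation of every interest credit with the approved rounding rule, which surfaces the per-account shortfall and the one-directional drift that distinguishes diversion from ordinary rounding error. The account batch, the rate and the rounding rules are constructed for illustration.

```python
"""Detecting a salami-style rounding fraud by independent recomputation
(added example, not from the guide).  The balances, the interest rate and
the approved rounding rule are constructed for illustration."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
from typing import Dict, List, NamedTuple, Tuple

CENT = Decimal("0.01")


class PostingException(NamedTuple):
    account: str
    expected: Decimal
    posted: Decimal


def compute_credits(balances: Dict[str, Decimal], rate: Decimal,
                    rounding: str) -> Dict[str, Decimal]:
    """Interest credit per account, quantised to whole cents with the given rule."""
    return {acct: (bal * rate).quantize(CENT, rounding=rounding)
            for acct, bal in balances.items()}


def reconcile(balances: Dict[str, Decimal], rate: Decimal,
              posted: Dict[str, Decimal],
              approved_rounding: str = ROUND_HALF_UP
              ) -> Tuple[List[PostingException], Decimal]:
    """Control: recompute every credit with the approved rule and compare it with
    what the posting program actually credited.  Returns the per-account
    exceptions and the total shortfall (expected minus posted).  Honest rounding
    bugs produce exceptions in both directions; a salami diversion is always
    expected > posted, so the sign pattern is itself a red flag."""
    expected = compute_credits(balances, rate, approved_rounding)
    exceptions = [PostingException(a, expected[a], posted[a])
                  for a in balances if expected[a] != posted[a]]
    shortfall = sum((e.expected - e.posted for e in exceptions), Decimal("0"))
    return exceptions, shortfall


# Constructed batch (not real accounts) and a 1.25% period rate, chosen so that
# half of the exact credits land on a fraction of a cent.
SAMPLE_BALANCES: Dict[str, Decimal] = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("2000.00"),
    "A-1003": Decimal("987.65"),
    "A-1004": Decimal("455.55"),
    "A-1005": Decimal("3333.33"),
    "A-1006": Decimal("760.40"),
}
RATE = Decimal("0.0125")


def run_demo() -> Tuple[List[PostingException], Decimal]:
    """The tampered posting program truncates (rounds down) every credit."""
    posted = compute_credits(SAMPLE_BALANCES, RATE, ROUND_DOWN)
    return reconcile(SAMPLE_BALANCES, RATE, posted)


if __name__ == "__main__":
    exceptions, shortfall = run_demo()
    for e in exceptions:
        print(f"{e.account}: expected {e.expected}, posted {e.posted}")
    print(f"total diverted this run: {shortfall}")
```

A single cent per account looks negligible; the control works because it is run over the whole batch, every period, and keys on the consistent sign rather than the size of the difference.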

Bribes and extortion can occur! With promises or threats that cause your staff to violate their trust, information security can be at risk big time! This is more an HR issue, but still you need to think of ways to safeguard security assuming bribery is not entirely impossible.

Software flaws, such as buffer overflows, are often exploited to gain control of a computer, or to cause it to operate in an unexpected manner.

NOTE:

A buffer overflow (buffer overrun) is a programming error which may result in a memory access exception; that is, a process attempts to store data beyond the fixed boundaries of a buffer area. With careless programming, this kind of access attempt can be triggered by ill-intended code. Stack-based buffer overflows and heap-based buffer overflows are the 2 popular types of attack of this nature. Techniques such as static code analysis can help prevent such attacks. You should also always opt for the use of safe libraries.

Many development methodologies rely on testing to ensure the quality of any code released; this process often fails to discover extremely unusual potential exploits. The term "exploit" generally refers to small programs designed to take advantage of a software flaw that has been discovered, either remote or local.

NOTE:

As a pre-attack activity, footprinting refers to the technique of collecting information about systems through techniques such as Ping Sweeps, TCP Scans, OS Identification, Domain Queries and DNS Interrogation. Tools involved may include samspade, nslookup, traceroute, neotrace and the like. Passive fingerprinting, on the other hand, is based primarily on sniffer traces from the remote system. Rather than proactively querying a remote system, you capture packets that pass by instead.

Any data that is transmitted over an IP network is at some risk of being eavesdropped or even modified. Voice over IP has the same security issues as running regular applications which rely on IP for transmission.

NOTE:

The OSI model is a layered model which gives an abstract description for network protocol design. It is a seven layer model, and IP runs at layer 3, even though the TCP/IP suite itself has its own 4 layer structure. TCP runs at OSI layer 4, on top of IP, providing connection oriented service between the sender and the recipient.
TCP is supposed to provide guaranteed delivery. Every single TCP segment contains a TCP header with the source and destination port, a sequence number that identifies the first byte of data, and an acknowledgment number that indicates an acknowledgment by the recipient. There are also 6 flag bits, which are URG, ACK, PSH, RST, SYN and FIN. Keep in mind, TCP does not make any assumptions about the underlying IP network.

You can perceive ports as the actual endpoints of every TCP connection. Examples of well known ports include http port 80, SSL port 443 and others.
ICMP is quite special. It runs at the IP layer mostly for sending one-way informational messages to a networked host. "ping" is a utility which uses ICMP.
The 4 TCP areas that hackers usually look at for determining the operating system may include TTL (the Time To Live on the outbound packet), Window Size, DF (the Don't Fragment bit) and the TOS (the Type of Service). By analyzing these and comparing them with a database of signatures there is a chance you can tell what the remote operating system is.
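As an added example (not code from this guide), the following Python parses a constructed packet and pulls out exactly the fields named in this note, from the sensor's side of the wire: TTL, TOS and DF, which live in the IPv4 header, and the ports, sequence and acknowledgment numbers, window size and the six flag bits from the TCP header, plus a check for flag combinations an intrusion detection sensor would log. Addresses and values are constructed, and checksums are not validated.

```python
"""Parser for the IPv4 and TCP header fields discussed above (added example, not
from the guide).  The packet is built in build_sample_syn(), not captured;
checksums are left at zero and are not validated here."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

# The six flag bits the guide lists, low bit first (bit 0 = FIN ... bit 5 = URG).
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
IP_PROTO_TCP = 6
DF_BIT = 0x4000  # Don't Fragment flag in the IPv4 flags/fragment-offset field


@dataclass(frozen=True)
class TcpSummary:
    src_ip: str
    dst_ip: str
    tos: int
    ttl: int
    df: bool
    src_port: int
    dst_port: int
    seq: int
    ack: int
    window: int
    flags: Tuple[str, ...]


def parse_ipv4_tcp(raw: bytes) -> TcpSummary:
    """Decode an IPv4 header followed by a TCP header from raw bytes."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, _total_len, _ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes, options included
    if ihl < 20 or len(raw) < ihl + 20:
        raise ValueError("bad IHL or truncated TCP header")
    if proto != IP_PROTO_TCP:
        raise ValueError(f"not TCP (protocol {proto})")
    (sport, dport, seq, ack, _off_res, flag_bits, window, _tcsum,
     _urg) = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    flags = tuple(n for i, n in enumerate(FLAG_NAMES) if flag_bits & (1 << i))
    return TcpSummary(str(IPv4Address(src)), str(IPv4Address(dst)), tos, ttl,
                      bool(frag & DF_BIT), sport, dport, seq, ack, window, flags)


def suspicious_flags(flags: Tuple[str, ...]) -> Optional[str]:
    """Flag combinations no conforming TCP stack sends; a sensor would log these."""
    s = set(flags)
    if not s:
        return "no flags set (null)"
    if {"SYN", "FIN"} <= s:
        return "SYN and FIN together"
    if {"FIN", "PSH", "URG"} <= s and "ACK" not in s:
        return "FIN/PSH/URG without ACK (xmas)"
    return None


def build_sample_syn() -> bytes:
    """Constructed SYN from 192.0.2.10:40000 to 198.51.100.5:443 (documentation
    address ranges), TTL 64, DF set, window 65535, TOS 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, DF_BIT, 64,
                     IP_PROTO_TCP, 0, IPv4Address("192.0.2.10").packed,
                     IPv4Address("198.51.100.5").packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    pkt = parse_ipv4_tcp(build_sample_syn())
    print(pkt)
    print("suspicious:", suspicious_flags(pkt.flags))
```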

Non-IP based networks are also highly hack-able. Sniffing was pretty common on the Ethernet (and also on IP networks). A packet sniffer (another name for protocol analyzer) can be deployed to intercept and log network traffic that passes through the network. It can capture unicast, multicast and broadcast traffic provided that you put your network adapter into promiscuous mode. You may sniff to analyze network problems, or to gain information for launching a network attack.

Wireshark (formerly Ethereal) is a free protocol analyzer you may use for network troubleshooting and sniffing. The functionality it offers is similar to tcpdump but it provides a GUI for ease of use.

Even machines that operate as a closed system can be eavesdropped upon by monitoring the faint electro-magnetic transmissions generated by the hardware (the concern addressed by TEMPEST).

Wireless networks are highly hack-able.


NOTE:

In the world of WLAN, a BSS refers to a set of wireless stations which communicate with each other. The 2 types of BSS are independent BSS and infrastructure BSS. The former is an ad-hoc network that has no access points. The latter requires the use of access points. Neither of them is very secure by default.
WEP is the original encryption standard for WLAN. It uses key lengths in the range of 128 and 256-bit, but is still considered way less secure than WPA. WPA deploys a pre-shared key established from an 8-63 character passphrase.
Accidental association could be a form of attack that takes place when one's computer latches on to an access point that belongs to a neighboring and overlapping network. Sometimes this can happen accidentally; that is, the user has no intent to crack into the overlapping network at all.
Access points exposed to non-filtered traffic can be vulnerable. Broadcast traffic like OSPF, RIP and HSRP etc. can be corrupted through the injection of bogus reconfiguration commands.
You should always have your access points arranged in such a way that radio coverage is available only to your desired area. Wireless signal that "spills" outside of your desired area could be sniffed.
To further secure your WLAN you should always change the default SSID, as most hackers know the default names of most equipment. Avoid using dictionary words to form your SSID. Use something hard to guess.

A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them. The availability of the internet makes penetration even easier as everything is now connected. Attacking web servers has become an exciting and enjoyable challenge for hackers.
NOTE:

In a web infrastructure you have a router, a firewall and a web server. The web server serves requests through ports 80 and 443 (SSL). Different servers work slightly differently, thus having different vulnerabilities. Scanning tools may probe the active ports and examine the responses to identify the target servers and carry out possible attacks. This is especially true for web server software that has too many ports open other than the required ones.
IIS can be extremely vulnerable if you simply follow the default installation options. Windows and IIS always install and configure superfluous services that are unpatched, which are the easy targets. Another problem is that IIS uses a few built-in default accounts that are weakly protected. You should change the defaults - change the account names and the passwords whenever possible. Close all unnecessary ports too.
Part of the reason why IIS is so vulnerable is that it runs on Windows, which is not a very secure platform by design.
Null sessions are no good - they allow an attacker to extract system-critical information such as user account names. NT, 2000 and Windows Server 2003 domain controllers are believed to be susceptible to enumeration via null sessions. One way to prevent this is to block UDP ports 137 and 138 and TCP ports 139 and 445. You want to do this via a firewall at the edge of the network.
Another vulnerability on Windows is the inter-process communications (IPC) mechanism, which allows one process to communicate with another. This can take place between different computers that are connected through a network, which is why it can be bad - real bad.

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access.

Denial of service (DoS) attacks are not primarily a means to gain unauthorized access or control of a system. They are instead designed to render it unusable. Attackers can deny service to individual victims, such as by deliberately guessing a wrong password 3 consecutive times and thus causing the victim's account to be locked, or they may overload the capabilities of a machine or network and block all users altogether. These types of attack are, in practice, very hard to prevent, because the behavior of whole networks needs to be analyzed, not only of small pieces of code. Distributed denial of service (DDoS) is even worse - a large number of compromised hosts are used to flood a target system with network requests, thus attempting to render it unusable through resource exhaustion.
Many computer manufacturers used to preinstall backdoors on their systems to provide technical support for customers. With a backdoor in place, it is possible to bypass normal authentication while remaining hidden from casual inspection. The backdoor may take the form of an installed program or could be embedded in an existing "legitimate" program or executable file.

NOTE:

A backdoor refers to a generally undocumented means of getting into a system, mostly for programming and maintenance/troubleshooting needs. Most real world programs have backdoors.
On Windows some backdoor programs may get themselves installed to start when the system boots. You want to know if there are services that are configured to start automatically - they may be Trojan horse or backdoor programs.

A specific form of backdoor is the rootkit, which replaces system binaries of the operating system to hide the presence of other programs, users, services and open ports.

NOTE:

The term rootkit originally described those recompiled Unix tools that would hide any trace of the intruder. You could say that the only purpose of a rootkit is to hide evidence from system administrators so that there is no way to detect malicious privileged access attempts.

To some, secrecy means security, so closed source software solutions are preferable. In the modern day this may not always be true. With the open source model, people may freely revise and inspect code, so back doors and other hidden tricks / defects can hardly go undetected.

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a blend of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered malware based on the intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, spyware, adware, and other unwanted software.

NOTE:

A common type of Trojan horse is a legitimate program that has been corrupted with malicious code which runs when the program is used. The key is that the user has to invoke the program in order to trigger the malicious code. In other words, a trojan horse simply cannot operate autonomously. You would also want to know that most but not all trojan horse payloads are harmful - a few of them are harmless. Most trojan horse programs are spread through emails. Some earlier trojan horse programs were bundled in "Root Kits". For example, the Linux Root Kit version 3 (lrk3), which was released in December 96, had tcp wrapper trojans included and enhanced in the kit.
Keystroke logging (in the form of spyware) was originally a function of diagnostic tools deployed by software developers for capturing users' keystrokes. This is done for determining the sources of error or for measuring staff productivity. Imagine if someone uses it to capture user input of critical business data such as credit card info ... You may want to use anti-spyware applications to detect and clean them up. Web-based on-screen keyboards may be a viable option for web applications.

NOTE:

The majority of malware and viruses exploit known vulnerabilities in popular OS. They typically come out within days after a vulnerability is announced. One way to protect your computers against these threats is to keep your OS and software security updates as current as possible by applying service packs, patches and hot fixes.

The best-known types of malware are viruses and worms, which are
known for the manner in which they spread, rather than any other
particular behavior. Originally, the term computer virus was used for a
program which infected other executable software, while a worm
transmitted itself over a network to infect computers. More recently,
the words are often used interchangeably.

NOTE:

Nonresident viruses proactively and immediately search for victims to infect and then transfer control to the infected application program. Resident viruses don't do that. Instead, they stay in memory after execution and infect new victims that are invoked on the system. Modern anti-virus software can fight against both. Examples of modern AV software include Norton AV, PC Tools AV, AVG Pro, F-Prot, and NOD32.
Note that viruses that are capable of rewriting themselves dynamically to avoid detection are metamorphic. The core of the payload of these viruses is a metamorphic engine.

Direct access attacks may be conducted through the use of common consumer devices. For example, someone gaining physical access to a computer can install all manner of devices to compromise security, including operating system modifications, software worms, keyboard loggers, and covert listening devices. The attacker can also easily download large quantities of data onto backup media or portable devices.

To secure a system, one should aim at reducing vulnerabilities. For example, in order to harden a Linux system you would first disable any unnecessary services/ports, and then have the rlogin service disabled. Unnecessary TCP/UDP ports should be closely monitored. Similar things could be done on Windows.
Computer code is regarded by some as just a form of mathematics. It is theoretically possible to prove the correctness of computer programs, though the likelihood of actually achieving this in large-scale practical systems is regarded as unlikely in the extreme by most with practical experience in the industry. In practice, only a small fraction of computer program code is mathematically proven, or even goes through comprehensive information technology audits or inexpensive but extremely valuable computer security audits.

On the other hand, it is technically possible to protect messages in transit by means of cryptography. You may also work at preventing information leakage. Information Leakage Detection and Prevention (ILD&P or ILDP) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders.

Audit questions related to cryptography may include:

- Does your organization use cryptographic technology to protect sensitive information during transmission? Does the technology you use provide a digital signature capability for messages containing sensitive information?
- Does your organization use cryptographic technology to protect sensitive information stored in the system and in archives?
- Does your organization have a policy that clearly states when information is to be encrypted?

In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. In some worst case scenarios, administrators are like cowboys who often go wild. Relevant questions to ask in this regard may include:

- How many system administrators does your organization have?
- Do your system administrators work full-time as system administrators? What if they also work for someone else...
- Are your system administrators contractor employees? How much control do you want them to be able to exercise?
- Is there segregation of duties among system administrators?
- Does each system administrator have a delegate and/or backup person? What can they perform on the systems?
- Are program modifications approved by the configuration control function required to be installed by system administrators?
- Is there consistency in the implementation of security procedures by system administrators in the organization?
Technically speaking, all Social Engineering techniques are based on flaws in human logic known as cognitive biases. These bias flaws are used in various combinations to create attack techniques. For example, pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action, and is usually done over the telephone. It's more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information to establish legitimacy in the mind of the target. Phishing, on the other hand, applies to email appearing to come from a legitimate business requesting "verification" of information and warning of some dire consequence if it is not done. Sadly, social engineering and direct computer access attacks can only be effectively prevented by non-computer means, which can be difficult to enforce, relative to the sensitivity of the information. Social engineering attacks in particular are very difficult to foresee and prevent.

Remember, in the real world the most security comes from operating systems where security is not an add-on but built in (such as the IBM OS/400).

Security measures

A state of computer "security" is the conceptual ideal, attained by the use of the processes of Prevention, Detection, and Response.
Prevention:
User account access controls and cryptography can protect system files and data, respectively. Firewalls are by far the most common prevention systems from a network security perspective as they can shield access to internal network services, and block certain kinds of attacks through packet filtering.
NOTE:

A stateful firewall can determine whether an IP packet belongs to a new connection or is actually part of an existing connection. A plain packet filter does not care about this at all.
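To make the distinction concrete, the following added example (not from the study guide) simulates a plain packet filter next to a stateful filter in Python over constructed traffic; both apply the edge rule recommended earlier in this chapter for null sessions (drop inbound UDP 137/138 and TCP 139/445), and the network prefix, addresses and remaining rules are assumptions chosen for the demonstration.

```python
"""Added example: a stateless packet filter next to a stateful one.

Both apply the same static edge rule from the text (drop inbound NetBIOS/SMB
on UDP 137/138 and TCP 139/445); they differ in how they treat inbound
packets that claim to be replies or parts of existing connections.
All addresses and traffic below are constructed for the demonstration.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."                      # assumed "inside" network
NULL_SESSION_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
PUBLIC_SERVICES = {("tcp", 80), ("tcp", 443)}    # the web server's ports


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S" = SYN, "A" = ACK


def is_inbound(pkt):
    """Inbound means an outside source addressing an internal host."""
    return pkt.dst.startswith(INTERNAL_PREFIX) and not pkt.src.startswith(INTERNAL_PREFIX)


def edge_rule(pkt):
    """Static rule shared by both filters; None means no decision yet."""
    if is_inbound(pkt) and (pkt.proto, pkt.dport) in NULL_SESSION_PORTS:
        return "DROP"   # stop null-session enumeration at the network edge
    return None


def stateless_filter(pkt):
    """A packet filter judges each packet purely on its own header fields."""
    decision = edge_rule(pkt)
    if decision:
        return decision
    if not is_inbound(pkt):
        return "ACCEPT"                          # everything leaving is trusted
    if (pkt.proto, pkt.dport) in PUBLIC_SERVICES:
        return "ACCEPT"
    # To let replies to outbound requests back in, a stateless filter must
    # accept inbound packets *from* common service ports. Any sender can
    # choose its source port, so this rule is the classic hole.
    if pkt.sport in (53, 80, 443):
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Remembers flows so inbound packets pass only when they belong to a
    connection that was legitimately opened (or are a new SYN to a public
    service)."""

    def __init__(self):
        self.connections = set()

    @staticmethod
    def key(pkt):
        # Direction-independent key so a reply maps onto the request's entry.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def decide(self, pkt):
        decision = edge_rule(pkt)
        if decision:
            return decision
        k = self.key(pkt)
        if k in self.connections:
            return "ACCEPT"                      # part of an existing connection
        if not is_inbound(pkt):
            self.connections.add(k)              # an internal host opened a flow
            return "ACCEPT"
        # A brand-new inbound flow is allowed only as a TCP SYN to a public
        # service; an unsolicited ACK or a forged-source-port probe is dropped.
        if (pkt.proto, pkt.dport) in PUBLIC_SERVICES and pkt.flags == "S":
            self.connections.add(k)
            return "ACCEPT"
        return "DROP"


# Constructed traffic: a DNS lookup and its reply, a legitimate web client,
# then three probes from an outside host.
SCENARIO = [
    ("outbound DNS query", Packet("udp", "10.0.0.5", 5353, "198.51.100.1", 53)),
    ("DNS reply", Packet("udp", "198.51.100.1", 53, "10.0.0.5", 5353)),
    ("client SYN to web server", Packet("tcp", "203.0.113.9", 40001, "10.0.0.10", 443, "S")),
    ("client ACK on that connection", Packet("tcp", "203.0.113.9", 40001, "10.0.0.10", 443, "A")),
    ("RDP probe sourced from port 80", Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 3389, "S")),
    ("SMB null-session attempt", Packet("tcp", "203.0.113.9", 40002, "10.0.0.10", 445, "S")),
    ("ACK scan of web port", Packet("tcp", "203.0.113.9", 40003, "10.0.0.10", 443, "A")),
]


def run_scenario(packets=SCENARIO):
    """Return {description: (stateless decision, stateful decision)}."""
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.decide(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:32} stateless={stateless:6} stateful={stateful}")
```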

To prevent messages from being intercepted during transmission over the network, technologies like IPSec and SSL should be considered.

NOTE:

IPsec is different from SSL in that it runs at layer 3, so it can protect both TCP and UDP traffic. SSL operates from the transport layer up, so less flexibility can be offered. The goal of SSL is to provide endpoint authentication as well as communications privacy via cryptography.
Symmetric key algorithms use trivially related (or even identical) cryptographic keys for decryption and also encryption. They use much less computational power, but require the use of a shared secret key on each end. The storage and exchange of such a shared secret can be a source of security risk. Asymmetric key algorithms use different keys, so they don't have to worry about the shared secret, but they consume far more CPU power.
RSA is an example of an asymmetric algorithm. With both a public key and a private key, it is used primarily for public key encryption. It is, in fact, suitable for both signing and encryption. However, an adaptive chosen ciphertext attack can be used against RSA encrypted messages. Also, timing attacks can be used against RSA's signature scheme.
In addition to message encryption, you may want to enforce non-repudiation. You may use a public key certificate (one that incorporates a digital signature) to bind a public key with an identity. In a PKI, the signature is typically that of a Certificate Authority.
In a typical PKI a hash function is often used to turn data into a smaller number which serves as a digital sort of fingerprint. In cryptography, a good hash function allows for "one-way" operation, meaning there is almost no way to calculate the data input value from the hash. SHA is one example. It has several variants, which are SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. They are designed by the NSA and published through NIST. MD5 is another example. It produces a 128-bit hash value, typically written as a 32-character hex number.
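The following added example (not part of the study guide) uses Python's hashlib to show the digest sizes of the SHA variants and MD5 named above, then signs the SHA-256 fingerprint of a message with a textbook RSA keypair and verifies it, which is the mechanism behind the non-repudiation the text describes; the primes, message and key size are assumptions chosen so the example runs offline, and real RSA uses random primes and padding.

```python
"""Added example: hash fingerprints and a textbook RSA signature.

hashlib provides the SHA variants and MD5 named in the text. The RSA keypair
is built from two fixed Mersenne primes purely so the example runs offline
without a library; real keys use random primes and padding (PKCS#1).
"""
import hashlib

HASH_VARIANTS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]

# Constructed message whose authenticity the signature protects.
SAMPLE = b"Approve payment of USD 10,000 to supplier 4711"


def digest_sizes(data):
    """Return {algorithm: (digest bits, hex characters)} for each variant."""
    sizes = {}
    for algo in HASH_VARIANTS:
        hexdigest = hashlib.new(algo, data).hexdigest()
        sizes[algo] = (len(hexdigest) * 4, len(hexdigest))
    return sizes


def fingerprint(data, algo="sha256"):
    """The hex 'fingerprint' a PKI signs instead of the whole document."""
    return hashlib.new(algo, data).hexdigest()


def hex_positions_changed(a, b, algo="sha256"):
    """How many hex characters differ between the fingerprints of a and b.
    For a good hash even a one-byte change rewrites most of the digest."""
    fa, fb = fingerprint(a, algo), fingerprint(b, algo)
    return sum(1 for x, y in zip(fa, fb) if x != y)


# Textbook RSA parameters (assumption: fixed, well-known primes for the demo).
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                          # ~1128-bit modulus, larger than any SHA-256 value
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def sign(message, private_exp=D, modulus=N):
    """Sign the SHA-256 fingerprint with the private key (textbook RSA)."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, private_exp, modulus)


def verify(message, signature, public_exp=E, modulus=N):
    """Anyone holding the public key can check the signature against a
    freshly computed fingerprint; a changed message or forged signature fails."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, public_exp, modulus) == h


def encrypt(message, public_exp=E, modulus=N):
    """The same keypair also encrypts (message must be shorter than the modulus)."""
    m = int.from_bytes(message, "big")
    if m >= modulus:
        raise ValueError("message too long for this modulus")
    return pow(m, public_exp, modulus)


def decrypt(ciphertext, private_exp=D, modulus=N):
    """Recover the message bytes with the private key."""
    m = pow(ciphertext, private_exp, modulus)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    for algo, (bits, chars) in digest_sizes(SAMPLE).items():
        print(f"{algo:7} {bits:4} bits  {chars:3} hex chars")
    sig = sign(SAMPLE)
    print("signature verifies:", verify(SAMPLE, sig))
    print("tampered verifies: ", verify(SAMPLE.replace(b"10,000", b"90,000"), sig))
    print("round trip ok:     ", decrypt(encrypt(SAMPLE)) == SAMPLE)
```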

Detection:
Intrusion Detection Systems are designed to detect network attacks in
progress and assist in post-attack forensics, while audit trails and logs serve
a similar function for individual systems.

NOTE:

A typical IDS has a few components, such as sensors which detect and generate security events, a console interface for you to monitor events and alerts plus manage the setup, and an engine which records and analyzes the logged events. These components work together such that a suspected intrusion may be evaluated and signaled (through an alert or an alarm). One may, however, flood an IDS with far too much traffic such that the IDS is too busy keeping up with the pace.

Response:
"Response" is necessarily defined by the assessed security requirements of
an individual system and may cover the range from simple upgrade of
protections to notification of legal authorities, counter-attacks, and the like.
Example audit questions:

- Does your organization have an Internet access policy?
- How are network services accessed by members of your organization?
- Is back door access by unapproved means possible?
- Does your organization have a firewall? If so, how is it configured? What services are accessible by external users inside and outside of this firewall?
- Does your organization have an IDS? If so, who defines the IDS knowledge base?
- Who has external remote access to your organization's systems?
- Is your network's internal architecture hidden from untrusted external users?
- Do you have any established session control practices in place?

Standards and guidelines

ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Their IS auditing and control standards are followed by many.

Apart from guidelines published by ISACA, you may also refer to the SoGP. The Standard of Good Practice (SoGP) is a detailed documentation of best practices for information security. It is published and revised every two years by the Information Security Forum (ISF), an international best-practices organization. The Standard is developed from research based on the actual practices of, and incidents experienced by, major organizations. Its relatively frequent update cycle of two years also allows it to keep up with technological developments and emerging threats. In fact, the Standard is used as the default governing document for information security behavior by many major organizations, by itself or in conjunction with other standards such as ISO 17799 or COBIT.

One of the most widely used security standards today is ISO 17799, which started in 1995. This standard consists of two basic parts, BS 7799 Part 1 and BS 7799 Part 2, both of which were created by the British Standards Institution (BSI). Recently this standard has become ISO 27001. The National Institute of Standards and Technology (NIST) has released several special publications addressing cyber security. Three of these are very relevant: SP 800-12, titled Computer Security Handbook; SP 800-14, titled Generally Accepted Principles and Practices for Securing Information Technology; and SP 800-26, titled Security Self-Assessment Guide for Information Technology Systems.

ISO 17799 states that information security is characterized by integrity, confidentiality, and availability. The ISO 17799 standard is arranged into eleven control areas: security policy, organizing information security, asset management, human resources security, physical and environmental security, communication and operations, access controls, information systems acquisition/development/maintenance, incident handling, business continuity management, and compliance.

The Sarbanes-Oxley Act of 2002 (commonly called SOX or SarBox) is a United States federal law passed in response to a number of major corporate and accounting scandals. One major provision of the act is the creation of the Public Company Accounting Oversight Board (PCAOB). The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (which will be addressed later) in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more appropriate standards of measure. Since the financial reporting processes of most organizations are driven by IT systems, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states:

"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."

Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. IT systems are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and would therefore have to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act.
The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five areas which, when implemented, can help support the requirements as set forth in the Sarbanes-Oxley legislation. These five areas and their impacts for the IT Department are Risk Assessment, Control Environment, Control Activities, Monitoring, and Information & Communication.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative. Formed in 1985, its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

The Federal Information Security Management Act (FISMA) is a US federal law enacted back in 2002. It imposes a mandatory set of processes that have to be followed for information systems operated by a government agency or by a contractor which works on behalf of the agency. The Federal Information Processing Standards (FIPS), on the other hand, are a set of publicly announced standards developed by the US government for use by non-military government agencies and their contractors. FIPS 46 in particular covers the Data Encryption Standard, while FIPS 140 covers security requirements for cryptographic modules.

ISO 27001 sets out the requirements for information security management
systems. On the other hand, ISO 27002 offers a code of practice for
information security management.

British Standard 7799 Part 3 provides guidelines for information security risk
management. COBIT links IT initiatives to business requirements, organises IT
activities into a generally accepted process model, identifies the major IT
resources to be leveraged and defines the management control objectives to be
considered. ITIL (or ISO/IEC 20000 series) focuses on the service processes
of IT and considers the central role of the user.

The Trusted Computer System Evaluation Criteria (TCSEC) classifies the various security requirements based on the evaluation of functionality, effectiveness and assurance of operating systems for the government and military sectors. TCSEC was introduced in 1985 and retired in 2000.
The Information Technology Security Evaluation Criteria (ITSEC) is the first single standard for evaluating security attributes of computer systems by the countries in Europe.

Common Criteria (also known as ISO/IEC 15408) combines and aligns existing and emerging evaluation criteria through a collaborative effort among the national security standards organisations of Canada, France, Germany, Japan, the Netherlands, Spain, the UK and the US. The Common Criteria Evaluation and Validation Scheme (CCEVS) establishes a national program for the evaluation of information technology products for conformance to the International Common Criteria for Information Technology Security Evaluation.

ISO/IEC 13335 (IT Security Management) offers a series of guidelines for technical security control measures. On the other hand, the Payment Card Industry Data Security Standard offers 12 core security requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.

IS Organization and Information Assets Protection
There must be a proper Information Management Policy in place and integrated with the Information Security Policy. This policy should clearly define information as an asset of the business unit that needs protection, and that local business managers are the owners of information who are ultimately held responsible. In fact, to get the staff really serious about information security, it is necessary to define the roles and responsibilities of those involved in the ownership and classification of information.

No organization on earth has unlimited resources. You just cannot protect everything to the fullest extent. Therefore it is important for you to classify the information assets and then allocate resources accordingly. You also need to know whether it is cost effective to protect a certain information asset - what if the protection measure itself costs even more to implement? However, you must assess the cost element accurately and comprehensively. Some costs may not be easily quantified even though they could hurt big time when things go wrong (legal cost as an example).

The stakeholders
A critical factor in protecting information assets is laying the foundation for effective information security management. In fact, commercial, competitive and legislative pressures from around the business environment often require the implementation of proper security policies and related logical access controls. Security failures are often costly to business. Losses may be suffered as a result of the failures, or costs may be incurred when recovering from the security incident, followed by more costs to secure the systems and prevent repeated failures. Job positions within an organization that have information security responsibilities may include, but are not limited to, the following:

- Executive management (Senior management, Directors etc)
- Security committee
- Data owners
- Process owners
- IT developers
- Security specialists
- Auditors
- Users

The board
The board of directors and senior management are responsible for ensuring that the organization's system of internal controls is operating effectively. An audit committee should be appointed to oversee audit functions and to report on audit matters periodically to the board. FYI, in order to comply with the Sarbanes-Oxley Act of 2002, public stock-issuing institutions are required to appoint outside directors as audit committee members. On the other hand, all members of a stock-issuing institution's audit committee must be members of the board of directors and be independent.

The ability of the audit function to achieve desired objectives depends largely on the independence of audit personnel. This is especially true if the auditors are internal auditors rather than outside auditors.

The board of directors should ensure that written guidelines for conducting IT audits have been adopted, and should assign responsibility for the internal audit function (IT audit is commonly conducted in-house by the internal audit function) to a member of management who has sufficient audit expertise and is independent of the other business operations of the organization. In general, the position of the auditor within the organizational structure, the reporting authority for audit results, and the auditor's responsibilities should indicate the degree of auditor independence within the organization. The board should do its best to ensure that the audit department does not participate in activities that may compromise, or appear to compromise, its independence. These activities may include preparing reports or records, developing procedures, or performing other operational duties normally reviewed by auditors. Keep in mind, the auditor's independence may also be determined by analyzing the reporting process and verifying that management does not interfere with the candor of the findings and recommendations.

The audit manager

The audit manager is responsible for implementing board-approved audit directives. This manager should oversee the audit function and provide leadership and direction in communicating and monitoring audit policies, practices, programs, and processes conducted by the internal audit staff. The extent of external audit work (if any) should be clearly defined in a separate and formal engagement letter. This letter should discuss the scope of the audit, the objectives, resource requirements, audit timeframe, and resulting reports. Expect a bunch of meetings, coordination, collaboration, and conflicts between the outside guys and the insiders.

Audit personnel
The auditors, whether internal or external, should in any case be granted the authority to access records and staff necessary to perform auditing and reporting. In fact, for any audit effort to be successful, a reporting line MUST be identified to the highest level of the organization. The auditor's right of access to information must be clearly identified early in the process. Management should be required to respond formally, and in a timely manner, to significant adverse audit findings by taking appropriate corrective action. The auditors in turn should discuss their findings and recommendations periodically with the audit committee.

Personnel performing IT audits should have information systems knowledge commensurate with the scope and sophistication of the organization's IT environment and possess sufficient analytical skills to determine and report the root cause of deficiencies (they don't have to be CISA certified - although certification is a "plus").

Sometimes the audit function will be requested to take a role in the development, acquisition, conversion, and testing of major applications. It is necessary that such participation be independent and objective. Auditors can determine and should recommend appropriate controls to project management. However, such recommendations should not pre-approve the controls. At the most they should only guide the developers in considering appropriate control standards and structures throughout their project.

IS Controls
The importance of the use of controls
According to the internal control principle (GASSP), information security forms the core of an organization's information internal control system, in that "the internal control standards define the minimum level of quality acceptable for internal control systems in operation and constitute the criteria against which systems are to be evaluated. These internal control standards apply to all operations and administrative functions but are not intended to limit or interfere with duly granted authority related to development of legislation, rule-making, or other discretionary policymaking in an organization or agency."

There are many ways to classify controls. From an IS perspective, some say they may be generally classified as physical, technical, or administrative in nature. Some say that they can be further classified as either preventive or detective. Three other types of controls, namely deterrent, corrective, and recovery, may further supplement such classification.
Classification of controls

- Examples of physical controls include locks, security guards, badges, alarms, and similar measures to control access to computers, related equipment, and the processing facility itself.
- Technical controls refer to safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices. They are sometimes referred to as logical controls.
- Administrative controls refer to management constraints, operational procedures, accountability procedures, and supplemental administrative controls established for providing an acceptable level of protection for computing resources.
- Preventive controls attempt to avoid the occurrence of unwanted events. Detective controls, on the other hand, attempt to identify unwanted events after they have occurred. Deterrent controls attempt to discourage individuals from intentionally violating information security policies or procedures by making it difficult or even undesirable to perform unauthorized activities. Corrective controls, on the other hand, attempt to remedy the circumstances that allowed the unauthorized activity and return conditions to what they were before the violation.
- Recovery controls attempt to restore lost resources or capabilities and help the organization recover losses caused by a security violation.

General Controls VS Application Controls

From a broader perspective, you can view controls as either General Controls
or Application Controls. General controls are about the overall
information-processing environment. They include:

* Organizational Controls (in particular the segregation of duties controls)
* Data Center and Network Operations Controls
* Hardware & Software Acquisition and Maintenance Controls
* Access Security Controls
* Application System Acquisition, Development, and Maintenance Controls


Application controls, on the other hand, cover the processing of individual
applications and help ensure the completeness and accuracy of transaction
processing, authorization, and validity. They typically include:

* Data Capture Controls to ensure that all transactions are properly recorded
  in the application system.
* Data Validation Controls to ensure that all transactions are properly valued.
* Processing Controls to ensure the proper processing of transactions.
* Output Controls to ensure that computer output is not distributed to
  unauthorized users.
* Error Controls to ensure that errors are corrected and properly
  resubmitted at the correct point in processing.

Keep in mind that different types of network model often require the use of
different combinations of controls. You must have basic foundation knowledge
of networking in order to pick the correct answers. Know LAN networking
and WAN networking. Know distributed computing and client-server
computing. Know server computing and thin-client computing. Don't attempt
to take the exam until you are completely familiar with these basic concepts.

Tests of controls refer to audit procedures that are performed to evaluate
the effectiveness of either the design or the operation of the internal
controls in question. A CISM plans and implements the needed controls.
A CISA, on the other hand, tests these controls.

Access Control and the Auditing Process

Access control protects your systems and resources from unauthorized access.
An access control model is a framework that dictates how subjects access
objects. The most popular models are mandatory access control, discretionary
access control and role-based access control. Even though these models are
often associated with IT technology, try to think of them as security
management principles: they can be applied to disciplines other than IT.

Access Control Models

The decision of what access control models to implement is based on
organizational policy and on two generally accepted standards of practice,
which are separation of duties and least privilege. Controls (in the context of
Access Control) may be characterized as either mandatory or discretionary.
With mandatory controls, only administrators may make decisions that bear on
or derive from the predefined policy. Access controls that are not based on
established policy may be characterized as discretionary controls (or
need-to-know controls).

With the Discretionary model, the creator of a file is the owner and can grant
ownership to others. Access control is at the discretion of the owner. The most
common implementation is through access control lists. Discretionary access
control is required for the Orange Book C Level.

Mandatory controls are both prohibitive and permissive. With the Mandatory
model, control is based on security labels and categories. Access decisions are
based on the clearance level of the user and the classification level of the
data, i.e. of the object being accessed. Rules are made by management,
configured by the administrators and enforced by the operating system.
Mandatory access control is required for the Orange Book B Level.

With the Role-Based model, access rights are assigned to roles, not directly to
users. Roles are usually more tightly controlled than groups: a user can only
have one role.


ACLs VERSUS Capabilities

The two fundamental means of enforcing privilege separation and
controlling access are access control lists (ACLs) and capabilities. The
semantics of ACLs have been proven to be insecure in many situations. It
has also been shown that ACLs' promise of giving access to an object to
only one person can never be guaranteed in practice. Both of these
problems are resolved by capabilities. This does not mean practical flaws
exist in all ACL-based systems, but only that the designers of certain utilities
must take responsibility to ensure that they do not introduce flaws.
For various historical reasons, capabilities have been mostly restricted to
research operating systems, and commercial OSes still use ACLs.
Capabilities can, however, also be implemented at the language level, leading
to a style of programming that is essentially a refinement of standard
object-oriented design. A reason for the lack of adoption of capabilities may be
that ACLs appeared to offer a quick fix for security without pervasive
redesign of the operating system and hardware.


What is Orange Book, by the way?

Orange Book refers to the US Department of Defense Trusted Computer
System Evaluation Criteria. Although originally written for military systems, the
security classifications are now broadly used within the computer industry.
The Orange Book security categories range from D (Minimal Protection) to A
(Verified Protection):

* D - Minimal Protection - any system that does not comply with any other
  category, or has failed to receive a higher classification.
* C - Discretionary Protection - applies to Trusted Computing Bases (TCBs)
  with optional object (i.e. file, directory, device etc.) protection.
* B - Mandatory Protection - specifies that the TCB protection systems should
  be mandatory, not discretionary.
* A - Verified Protection - the highest security division.

Further information on the Orange Book categories can be found here:
http://www.dynamoo.com/orange/summary.htm


Types of Access Control

To ensure that access controls adequately protect all of an organization's
resources, it is recommended that you first categorize the resources that need
protection.

In an access control model, there are subjects and objects:

* Subject: an entity requiring access to an object, e.g. a user or a process
  (active).
* Object: an entity to which access is requested, e.g. a file or a process
  (passive).

Access control information can be viewed as a matrix with rows representing
the subjects, and columns representing the objects.
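As an added worked example (not part of the study guide), the three models described under Access Control Models and the subject/object matrix just mentioned can be put side by side in code. All subjects, objects, labels, roles and rights below are constructed sample values.

```python
"""Added example, not from the study guide: DAC, MAC and RBAC decisions
evaluated over one subject/object access matrix. All names, labels, roles
and rights below are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Sensitivity levels for MAC labels, ordered low to high (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: rights attach to roles, never directly to users (constructed roles).
ROLE_RIGHTS = {"auditor": {"read"}, "operator": {"read", "write"}}


@dataclass
class Subject:
    """Active entity (user or process)."""
    name: str
    clearance: str = "public"                 # MAC clearance of the user
    categories: FrozenSet[str] = frozenset()  # MAC categories the user may see
    role: Optional[str] = None                # RBAC: a user holds one role only


@dataclass
class Obj:
    """Passive entity (file, process, ...)."""
    name: str
    owner: str                                # DAC: the creator is the owner
    classification: str = "public"            # MAC label of the data
    categories: FrozenSet[str] = frozenset()
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: subject -> rights


def dac_grant(obj: Obj, granter: str, grantee: str, rights: Set[str]) -> bool:
    """Discretionary: only the owner may change the object's ACL."""
    if granter != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).update(rights)
    return True


def dac_allowed(subj: Subject, obj: Obj, right: str) -> bool:
    """Discretionary: the owner, or anyone the owner listed in the ACL."""
    return subj.name == obj.owner or right in obj.acl.get(subj.name, set())


def mac_allowed(subj: Subject, obj: Obj) -> bool:
    """Mandatory: the user's clearance must be at least the data's
    classification and cover all of its categories. The rule is fixed by
    policy; neither the owner nor the user can relax it."""
    return (LEVELS[subj.clearance] >= LEVELS[obj.classification]
            and obj.categories <= subj.categories)


def rbac_allowed(subj: Subject, right: str) -> bool:
    """Role-based: the user gets exactly the rights of his single role."""
    return right in ROLE_RIGHTS.get(subj.role, set())


def access_matrix(subjects: List[Subject], objects: List[Obj], right: str = "read"):
    """Rows are subjects, columns are objects; each cell records which of
    the three models would permit `right`."""
    return {
        (s.name, o.name): {
            "DAC": dac_allowed(s, o, right),
            "MAC": mac_allowed(s, o),
            "RBAC": rbac_allowed(s, right),
        }
        for s in subjects
        for o in objects
    }


def demo():
    """Constructed scenario: alice owns a confidential finance file and
    grants bob read access at her discretion; MAC still blocks bob because
    his clearance is below the label."""
    alice = Subject("alice", "secret", frozenset({"finance"}), "operator")
    bob = Subject("bob", "internal", frozenset(), "auditor")
    ledger = Obj("ledger.db", "alice", "confidential", frozenset({"finance"}))
    dac_grant(ledger, "alice", "bob", {"read"})
    return access_matrix([alice, bob], [ledger])


if __name__ == "__main__":
    for cell, verdict in demo().items():
        print(cell, verdict)
```

The bob row is the point the text makes about mandatory controls being prohibitive: an owner's discretionary grant cannot override the label-based rule.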

Access control consists of the following primary areas:

* Identification
* Authentication
* Authorization
* Accountability

The AAA concept

The three As are often referred to as the AAA concept. The general
types of authentication are:

* Something a person knows (e.g. a password)
* Something a person has (e.g. an ID card)
* Something a person is (e.g. role and title)

Strong authentication requires two of the above and is known as two-factor
authentication.

Authentication is the first line of defense. Questions you may ask here:

* What password rules are enforced, in particular in terms of length and
  alphanumeric combinations?
* How often are users required to change their passwords?
* Does your system use a password cracker to identify nonsecure passwords?
* Does your organization keep a password history file?
* Do users have unique authentication for different types of access?
* Does your organization use authentication other than reusable passwords?
  Is there a policy for the use of such authentication?

Authorization determines if you can carry out the requested actions. Access
criteria types include, but are not limited to:

* Roles
* Groups
* Physical or logical location
* Time of day
* Transaction type


A common practice is to have all access criteria default to no access at the
very beginning, although this is not always the case in modern operating
systems, for usability's sake (for example, in earlier Windows everyone has
full control by default).

Authentication deals with how one's user account is established. There are also
issues dealing with how such an account should be handled and protected (i.e.
user account management). Some questions you may ask include:

* Is logoff at the end of the day required?
* Are there automatic session timeouts?
* Can a user use a password to lock the screen?
* Does an unsuccessful logon indicate the cause of failure?
* Under what circumstances are accounts locked?
* Is the user informed about the last successful/unsuccessful logon attempt?


Establishing Accountability through event logging

Accountability determines who is responsible for a particular action taken. To
properly establish accountability, an audit trail and a logging facility must be
available. As an example, here is a list of what should be logged in a networked
environment:

* System startup
* System shutdown
* File system full
* Hardware failures
* Logins: failed and successful / local or remote
* Account creation: failed and successful
* Account modification: failed and successful assigning, changing or
  removing of rights and privileges
* Account removal: failed and successful
* Account disabled
* Password/security information copied: failed and successful
* System configuration change: failed and successful
* Operating system patch applied
* Network connections: failed and successful
* Audit log modification: failed and successful
* Object access: failed and successful
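As an added example (not from the study guide), an auditor can check a log extract against the list above to see which event types it evidences and which show only one outcome. The event names, the line format and the sample lines are constructed for this illustration; a real system's log format will differ.

```python
"""Added example, not from the study guide: does a log extract evidence the
event types listed above? Event names, the line format and the sample
lines are all constructed for illustration."""
import re
from collections import Counter

# Event types the list above says should be logged; True means the text
# asks for both failed and successful outcomes to be recorded.
REQUIRED_EVENTS = {
    "system_startup": False, "system_shutdown": False,
    "filesystem_full": False, "hardware_failure": False,
    "login": True, "account_create": True, "account_modify": True,
    "account_remove": True, "account_disable": False,
    "credential_copy": True, "config_change": True,
    "patch_applied": False, "network_connection": True,
    "auditlog_modify": True, "object_access": True,
}

# Constructed line format: "<timestamp> <event> <success|failure> [details]"
LINE_RE = re.compile(r"^(\S+) (\w+) (success|failure)(?: (.*))?$")

SAMPLE_LOG = """\
2009-03-01T08:00:01Z system_startup success host=srv1
2009-03-01T08:05:12Z login success user=alice src=10.0.0.5
2009-03-01T08:05:40Z login failure user=alice src=10.0.0.5
2009-03-01T09:10:00Z account_create success user=bob by=admin
2009-03-01T09:12:33Z config_change success item=ntp.conf by=admin
2009-03-01T10:00:00Z auditlog_modify success file=/var/log/audit by=admin
2009-03-01T10:30:00Z object_access failure user=bob obj=payroll.xls
2009-03-01T10:31:00Z object_access success user=alice obj=payroll.xls
""".splitlines()  # constructed sample, not real log data


def parse(lines):
    """Count (event, outcome) pairs; keep lines that do not fit the format,
    since unparseable entries are themselves an audit finding."""
    seen, rejected = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        _, event, outcome, _ = m.groups()
        seen[(event, outcome)] += 1
    return seen, rejected


def coverage_gaps(seen):
    """Required event types with no entry in the extract, and those that
    should show both outcomes but show only one. Absence in a short
    extract is a question to raise, not proof that the event is unlogged."""
    missing, one_sided = [], []
    for event, both in REQUIRED_EVENTS.items():
        outcomes = {o for (e, o) in seen if e == event}
        if not outcomes:
            missing.append(event)
        elif both and outcomes != {"success", "failure"}:
            one_sided.append(event)
    return sorted(missing), sorted(one_sided)


def failures_by_event(seen):
    """Failed outcomes per event type, the first thing to review."""
    return {e: n for (e, o), n in seen.items() if o == "failure"}


if __name__ == "__main__":
    counts, bad = parse(SAMPLE_LOG)
    print("unparseable:", bad)
    print("no evidence for:", coverage_gaps(counts)[0])
    print("only one outcome seen:", coverage_gaps(counts)[1])
    print("failures:", failures_by_event(counts))
```

The audit log modification entry is the item to follow up first: the list above requires it to be logged precisely so that changes to the trail itself are accountable.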

The audit process

You need to know the fundamentals of auditing: not just IS auditing, but
auditing in general. Most CISA study textbooks on the market fail to give a
complete and clear picture of the auditing process as a whole. We will fill this
gap here.


At the end of this e-book there is a sample IS Audit Questionnaire. Go
through that Questionnaire and you will understand exactly what an IS audit
is expected to accomplish.

Note that several information technology audit related laws and regulations
have been introduced since 1977. These include the Gramm-Leach-Bliley Act,
the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability
Act, the London Stock Exchange Combined Code, King II, and the Foreign
Corrupt Practices Act. You are expected to understand what they are for.

* Health Insurance Portability and Accountability Act (HIPAA)
* Gramm-Leach-Bliley Act (GLBA)
* Sarbanes-Oxley Act (SOX)
* Foreign Corrupt Practices Act (FCPA)

The Sarbanes-Oxley Act and the COSO framework

The Sarbanes-Oxley Act of 2002 (commonly called SOX or SarBox) is a
United States federal law passed in response to a number of major corporate
and accounting scandals. One major provision of the act is the creation of the
Public Company Accounting Oversight Board (PCAOB). The PCAOB
suggests considering the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) framework in management/auditor
assessment of controls. Auditors have also looked to the IT Governance
Institute's "COBIT: Control Objectives for Information and Related
Technology" for more appropriate standards of measure.

Since the financial reporting processes of most organizations are driven by IT
systems, it is apparent that IT plays a vital role in internal control. As PCAOB's
"Auditing Standard 2" states:

"The nature and characteristics of a company's use of information technology
in its information system affect the company's internal control over financial
reporting."

Chief information officers are responsible for the security, accuracy and the
reliability of the systems that manage and report the financial data. IT systems
are deeply integrated in the initiating, authorizing, processing, and reporting of
financial data. As such, they are inextricably linked to the overall financial
reporting process and would therefore have to be assessed, along with other
important processes, for compliance with the Sarbanes-Oxley Act.

The SEC identifies the COSO framework by name as a methodology for
achieving compliance. The COSO framework defines five areas, which when
implemented, can help support the requirements as set forth in the
Sarbanes-Oxley legislation. These five areas and their impacts for the IT
Department are Risk Assessment, Control Environment, Control Activities,
Monitoring, and Information & Communication.

The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) is a U.S. private-sector initiative. Formed in 1985, its major objective
is to identify the factors that cause fraudulent financial reporting and to make
recommendations to reduce its incidence. COSO has established a common
definition of internal controls, standards, and criteria against which companies
and organizations can assess their control systems.


What is auditing, by the way?

An audit is a management instrument which can identify the improvement potential of
business processes (process audit) or of the management system as a whole (system audit). At
the same time, audits allow the supervision of already started measures. Audits therefore help
to improve the effectiveness of management systems and consequently the whole company
organization [1].

An audit:
o compares your actual process against your documented process
o reports to what extent you are following your documented process
o acts as a verification exercise - if you think you are following your
documented process but you do not verify this with an audit, there is a
very good chance that you are not actually following your own processes
o is not a process of criticizing anyone or anything in any way

[1] http://www.experteam.de/starte/leistungen/Themen/SWQualitaetsmanagement/Auditierung.html


Every successful audit is based on sound planning and an atmosphere of constructive
involvement and communication between the client and the auditor [2].

[2] http://www.auditnet.org/process.htm

A Security Audit refers to the process or event that uses the security policy or
standards as a basis to determine the overall state of the existing protection and
to verify whether existing protection has been implemented properly. It targets
and focuses on finding out whether the current environment is securely
protected in accordance with the defined security policy. A security audit would
therefore require a complete inventory list and audit checklists, which may
cover different areas of IT such as web applications, network architecture,
wireless networks, etc. It would practically involve the use of security audit tools
and different review techniques for revealing security loopholes.

In the context of IT security, an audit is not the same as an assessment. Security
Risk Assessment is a process of evaluating security risks related to the use of
information technology. It is conducted at the very beginning, for identifying
what security measures are required, and whenever there is a change to the
information asset or its environment. On the other hand, a Security Audit is a
repetitive checking process to ensure that these security measures are properly
implemented from time to time. You may safely conclude that a Security Audit is
performed more frequently than a Security Risk Assessment.

The success of every audit is based on careful planning and preparation. It is
directly dependent on the knowledge and degree of experience of the auditors.
Consistent follow-up of the audit results and the supervised implementation
of defined correction and improvement measures ensure the benefits for the
audited organization and its processes.

In the context of IT:

Formerly called an Electronic Data Processing (EDP) audit, an IT audit refers to
the process of collecting and evaluating evidence of an organization's
information systems, practices, and operations. Evaluation of the evidence
obtained can be used to determine whether the organization's information
systems safeguard assets, maintain data integrity, and operate effectively and
efficiently to achieve the organization's objectives.


NOTE:

Auditing allows one to define the sequence of steps which occurred
prior to a security incident. Traceability is the key. In practice, good
IS security procedures often specify the use of software and/or other
mechanisms which come with some sort of automatic auditing
facility for providing traceability.

Gathering reliable information to perform an IT audit requires a review of all of
the available written documents on each area of control as well as each critical
asset element, in addition to interviews.

The role of an auditor

The role of an auditor is to review the integrity of the subject in question. The
auditor does not participate in the creation or implementation of the subject.
He is merely an observer, an examiner and a reviewer.

One major duty of an IS Auditor is to audit the access control
mechanisms currently in place.

Keep in mind that an auditor's active participation in the procedure being
audited would be a potential conflict of interest. That is why a former
programmer of the developer team shouldn't be assigned to audit the work of
the developer team at present.

An auditor acts in the best interest of the client. He/she must place the
responsibility to be extremely fair and honest ahead of his/her own
interest. This is what FIDUCIARY RESPONSIBILITY is all about.

The Audit process flow

Information Security Auditing covers topics from auditing the physical security
of data centers to auditing the logical security of databases, and highlights key
components to look for and different methods for auditing these areas. To be
effective and efficient, one should be adequately educated about the
organization and its critical business operations through the following activities:

* Meet with IT management to determine possible areas of concern
* Review the current IT organization chart
* Review job descriptions of involved employees
* Research all operating systems, software applications and equipment
  operating within the organization
* Review the overall IT policies and procedures
* Evaluate the organization's IT budget and systems planning
  documentation
* Review the organization's disaster recovery plan

Following is a list of objectives one as an IS auditor should review for
identifying audit risks in the operating environment and assessing the controls
in place that may mitigate those risks.

* Personnel procedures and responsibilities
* Change management processes are in place and properly followed
* Appropriate backup procedures are in place to minimize downtime and
  prevent loss of important data
* The workplace has adequate physical security controls to prevent
  unauthorized access to Information Assets
* Adequate environmental controls are in place to ensure equipment is
  protected from natural disasters

Below is the audit flow chart developed by UNISA of Australia. Different types
of audit conducted in different industries may have variations on this model
flow, and this chart is shown here to give you an idea of how the pros conduct
a planned audit in the real world.

[Audit flow chart (UNISA of Australia): figure not reproduced in this text.]


Overall Strategies
General Principles for Developing an Audit Strategy include:
In order to have an appropriate auditing strategy and to avoid unnecessary
auditing, you must have a clear understanding of the reasons for auditing.
Additionally, in order to prevent unnecessary audit information from cluttering
the meaningful information, it is important to audit the minimum number of
statements, users, or objects required to get the targeted information.

General Principles for Auditing Suspicious IS Activity:

Audit generally, then specifically. In other words, enable general audit options at
first, then use more specific audit options. This will help the auditor gather the
evidence required to make concrete conclusions regarding the origins of
suspicious activity. Remember to protect the audit trail so that audit
information cannot be added, changed, or deleted without being audited.

General Principles for Auditing Normal IS Activity:

This refers to the process of gathering historical information about particular IS
activities. In order to avoid cluttering the meaningful information with useless
audit information, you should audit only the targeted activities. After you have
collected the required information, archive audit records that are of interest and
purge the audit trail of this information.

NOTE:

Effective audit trails in the practical world should at the least
document each action requested, detect any changes made or
attempted, and create a log of all the failed attempts. The log should
be consistently structured by items such as user session and
date/time, and show the command issued and the files affected.
The log should be stored in a hidden location, using some sort of
separately identifiable encrypted format.

You should log the activities of both the regular users and the power users
(administrators etc.). Regular users tend to make careless mistakes, while
power users are capable of making intentional errors.


NOTE:

An Administrator's Log provides a history of the actions taken by the
administrator, who has been charged with responsibility to authorize the
access and use of corporate data and applications. Through this log,
actions of the administrator can be thoroughly audited to assure that
corporate policy and procedure have not been unintentionally tampered
with.

Audit Planning
An important part of the process for managing an audit function involves
planning, an activity that covers both audit administration and assignment. One
of the first tasks you must do at this planning stage is to develop a working
budget. You as the IT audit manager must know the capabilities of the audit
staff assigned to the project. In addition to budgeted time needed to perform
the audit, you should also budget time needed to train the audit staff and allow
time for any error correction purposes.

While planning the audit, you should decide what level of risk of reaching
an incorrect conclusion based on the audit findings is acceptable.

There are 2 types of possible risk here:

* The Risk of Incorrect Acceptance: the risk that a material misstatement is
  assessed as unlikely, when in fact the population is materially misstated.
* The Risk of Incorrect Rejection: the risk that a material misstatement is
  assessed as likely, when in fact the population is not materially misstated.

The more effective and extensive the audit work is, the less the risk that a
weakness will go undetected and you will issue an inappropriate report. Such
audit risk is dependent on the assessed levels of inherent risk, control risk, and
detection risk. (Control risk is determined by evaluating an organization's
internal control structure. You can implement compliance testing procedures
when the effectiveness of an organization's internal controls is evaluated. The
level of detection risk is further determined by the assessment of inherent risk
and the assessment of control risk following compliance testing.) In fact, these
risks can be quite accurately determined when performing a risk assessment of
the organization.

There should also be a risk assessment process that describes and analyzes the
risks inherent in the existing IT operation. You should update the risk
assessment as necessary to reflect changes to internal control or work processes,
and to incorporate new operations (if any). In fact, the level of risk should be
one of the most significant factors considered when determining the frequency
and depth of audit activities.

When assessing materiality, you should consider the aggregate level of error
acceptable to management, the IT audit committee, and the appropriate
regulatory agencies. You need to consider the potential for the cumulative
effect of small errors or weaknesses to become material. While establishing
materiality, you may audit non-financial items such as physical access controls,
logical access controls, and systems for personnel management, manufacturing
control, design, quality control, password generation, etc.

The audit plan should detail the audit function's budgeting and planning
processes. The plan should describe audit goals, schedules, staffing needs, and
reporting. The audit plan should ideally be defined by combining the results of
the risk assessment and the resources required to yield the timing and frequency
of planned audits. The audit committee should formally approve this audit plan.
The auditors should in turn report the status of planned versus actual audits
regularly.


For successful audits, you need to know:

o the audit objectives
o the audit methodology
o the resource allocation

At the planning portion of the audit, an auditor should perform the following:
1. notify the client of the audit
2. discuss the scope and objectives of the examination with organization
management in a formal meeting
3. gather information on important processes
4. evaluate existing controls
5. plan the remaining audit steps

Controls that deserve your attention may include:

* Interception Controls: Interception can be deterred by physical access
  controls at data centers and offices. Note that encryption also helps to
  secure wireless networks. You should continually evaluate your client's
  encryption policies and procedures. In particular, you should verify that
  management has controls in place over the data encryption management
  process. Access to keys should require dual control; keys should be
  composed of two separate components and should be maintained on a
  computer that is not accessible to programmers or outsiders.

* Availability Controls: The network should have redundant paths between
  resources. Automatic fallback / hot standby / fault tolerance
  mechanisms should also be put in place.

* Access/entry point Controls: Controls at the point where the network
  connects with an external network, for limiting the traffic that passes
  through the network, such as firewalls, intrusion prevention systems, and
  antivirus software.

  A firewall acts as a choke point in the network where all passing traffic is
  inspected. A proxy firewall acts as a middleman between the two parties so
  there is no direct connection between them. It works by making a copy of
  each incoming packet, changing the source address and then transmitting
  it to the final destination.

  Application level proxies inspect the entire packet and make filtering
  decisions based on both the header information and the actual packet
  content. They allow for the greatest level of control at the expense of
  resource consumption. Circuit level proxies make filtering decisions based
  on basic information such as packet header information, IP addresses,
  ports, and protocol type. They are less secure. Routers can achieve basic
  protection by filtering IP addresses through the use of access control
  lists. They are never intended for providing serious firewalling service.

* Logical Security Controls: The key points in auditing logical security
  include Passwords, Account Termination Procedures, Special Privileged
  User Accounts, and Remote Access.

* Application Security Controls: Application Security centers around the
  main functions of Programming, Processing and Access. When it comes to
  programming it is important to ensure proper physical and password
  protection exists around servers and mainframes for the development and
  update of key systems. With processing it is important that procedures and
  monitoring of a few different aspects, such as the input of falsified or
  erroneous data, incomplete processing, duplicate transactions and untimely
  processing, are in place. With access it is important to realize that
  maintaining network security against unauthorized access is one of the
  major focuses nowadays as threats can come from both internal and
  external sources.


Talking about application security, you would also need to know the different methods of
software system testing.

* With Black box testing, the tester has no previous knowledge of the test object's internal
  structure and would not examine the code involved. The test is therefore unbiased.
  However, since the tester is independent of the designer, it is almost impossible to ensure
  that all existent "paths" of the system are fully tested. On the contrary, White box testing
  (also known as clear box testing/glass box testing/structural testing) uses an internal
  perspective of the system to design test cases. Test cases are therefore designed and
  implemented based on full knowledge of the test object's internal structure. The tester has
  to know the code inside and out in order to test accurately. Bias is therefore possible.

* Stress testing is a common way to test and determine the stability of a given system. It
  involves testing beyond normal operational capacity in order to observe system performance
  under stress. Emphasis is on robustness, availability, and error handling during heavy
  workload.

* A use case is a technique commonly used for capturing functional requirements of systems.
  It allows you to describe the sequences of events that, when taken together, can lead to the
  completion of a particular set of system activities for achieving a particular purpose.

* Boundary value analysis is a special software testing design technique for determining test
  cases that cover specifically those off-by-one errors (logical errors which involve the discrete
  equivalent of a boundary condition). This type of analysis is valuable as the boundaries of
  input ranges to a software program are often liable to defects.
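As an added example (not from the study guide), boundary value analysis applied to an input-range check; the range check with an off-by-one defect, its corrected form and the specification "accept 18 to 120 inclusive" are all constructed for this illustration.

```python
"""Added example, not from the study guide: boundary value analysis applied to
a range check. The validator with an off-by-one defect and its corrected form
are constructed for illustration; the specification is 'accept 18..120'."""

LOW, HIGH = 18, 120  # constructed specification: inclusive range


def boundary_values(low, high):
    """Test inputs just below, at and just above each end of [low, high].
    They are derived from the specification alone, so a black-box tester
    can pick them without seeing the code."""
    return sorted({low - 1, low, low + 1, high - 1, high, high + 1})


def expected(value, low=LOW, high=HIGH):
    """Oracle: what the specification says the check must return."""
    return low <= value <= high


def accept_buggy(value):
    """Constructed defect: '<' silently drops the upper boundary."""
    return LOW <= value < HIGH


def accept_fixed(value):
    """Corrected form: both boundaries are inclusive, as specified."""
    return LOW <= value <= HIGH


def run_bva(check, low=LOW, high=HIGH):
    """Boundary inputs on which `check` disagrees with the specification."""
    return [v for v in boundary_values(low, high) if check(v) != expected(v, low, high)]


if __name__ == "__main__":
    print("buggy disagrees at:", run_bva(accept_buggy))   # [120]
    print("fixed disagrees at:", run_bva(accept_fixed))   # []
```

Only six inputs are needed to catch the defect, and none of them is chosen by looking at the code, which is why the technique suits black box testing as well as white box testing.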

<< For an in-depth list of controls from a technical perspective, refer to
the earlier section on IS Controls >>

Audit sampling, which is often desirable due to practical needs, refers to the
application of an audit procedure to usually less than 100% of the population so
that you may evaluate audit evidence within a class of transactions for the
purpose of forming a conclusion concerning the population. Sampling may be
done statistically through Random Sampling or Systematic Sampling, or
non-statistically through Haphazard Sampling or Judgmental Sampling. Do note
that sample size is a factor that affects the level of sampling risk: the smaller the
sample size, the more likely you are to end up with an erroneous conclusion.
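As an added example (not part of the study guide) covering both the sampling methods here and the Risk of Incorrect Acceptance defined under Audit Planning, the code below draws the two statistical sample types and computes how that risk falls as the sample grows. The transaction population and its deviation count are constructed.

```python
"""Added example, not from the study guide: the two statistical sampling
methods named above, and the sampling risk behind the sample-size remark.
The transaction population and its deviation count are constructed."""
import random
from math import comb


def random_sample(population, n, seed=0):
    """Random sampling: every item has the same chance of selection."""
    return random.Random(seed).sample(population, n)


def systematic_sample(population, n, start=0):
    """Systematic sampling: every k-th item from a starting point,
    k = N // n."""
    k = max(1, len(population) // n)
    return population[start::k][:n]


def risk_of_incorrect_acceptance(N, deviations, n):
    """Probability that a sample of n out of N items, of which `deviations`
    are exceptions, contains no exception at all (sampling without
    replacement, so a hypergeometric zero-hit probability). This is the
    chance of concluding 'no material misstatement' when the population is
    in fact misstated."""
    if n > N - deviations:
        return 0.0
    return comb(N - deviations, n) / comb(N, n)


def smallest_sample(N, deviations, max_risk):
    """Smallest sample size whose risk of incorrect acceptance is within
    the level the auditor decided to accept at planning."""
    for n in range(1, N + 1):
        if risk_of_incorrect_acceptance(N, deviations, n) <= max_risk:
            return n
    return N


def risk_table(N, deviations, sizes):
    """Risk for several candidate sample sizes, for the planning memo."""
    return {n: round(risk_of_incorrect_acceptance(N, deviations, n), 4) for n in sizes}


if __name__ == "__main__":
    txns = list(range(1, 1001))          # constructed population of 1000 transactions
    print(systematic_sample(txns, 10))   # every 100th transaction
    print(random_sample(txns, 10))
    # 20 deviating transactions (2%): how likely is a sample to miss them all?
    print(risk_table(1000, 20, [25, 50, 100, 200]))
    print(smallest_sample(1000, 20, 0.05))
```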

You should also make decisions about the nature, extent, and timing of
evidence to be gathered. The types of evidence may include:

* Observed processes, such as a physical entrance security system in
  operation.
* Documentary audit evidence, such as activity and control logs.
* Representations, such as written policies and procedures.
* Analysis, such as comparison of error rates between applications and
  transactions.

The outcomes of the audit planning stage should include:

o Announcement Letter - have the client informed of the audit through
an announcement or engagement letter. Such a letter communicates the
scope and objectives of the audit, the auditors assigned to the project
and other relevant information.
o Initial Meeting - at this meeting the client describes the unit or system
to be reviewed, the organization, available resources and other relevant
information. The client also identifies issues or areas of special concern
that should be addressed.
o Preliminary Survey - the auditor gathers relevant information about the
target unit in order to obtain a general overview of operations.
o Control Review - the auditor reviews the target unit's existing control
structure. To save time, the auditor uses a variety of tools and
techniques to gather and analyze information about the operation. One
primary objective here is to determine the areas of highest risk and
design tests to be performed in the fieldwork section.
o Audit Program - the preparation of the audit program which outlines
the fieldwork necessary to achieve the audit objectives.

Keep in mind:
The IS auditor should consider whether his or her organizational status is appropriate for the
nature of the planned audit. Where this is not considered to be the case, the hiring of an
independent third party to manage or perform this audit should be considered by the
appropriate level of management [3].

In fact, you may audit your audit program and policy through asking questions
like:
o Is there a mandatory auditing policy in place?
o What information is audited?
o Is the audited information analyzed and reported on promptly and regularly?
o Are IT security personnel trained in audit analysis?
o Are the contents of audit logs protected from unauthorized access,
modification, and/or deletion?
o Is there a policy stating how long the captured audit logs are to be retained?

[3] http://www.isaca.org/standard/guide1.htm

Recommended types of audit


INFOSEC recommends a number of types of audit which deserve your serious
attention.

You want to have a FIREWALL AUDIT to ensure that the firewall and the
associated systems have all been properly configured to enforce the security
policy and provide the optimal level of protection. The firewall should be
audited for its configuration and also for its physical access control.

You want to conduct an INTERNAL NETWORK AUDIT to discover any
vulnerability that could be exploited by authorized internal users, and to
identify any weaknesses and strengths in the controls of the internal systems
and networks. The topology of the internal network infrastructure should also be
reviewed. The audit test should include an internal network scan to check for
any security holes at specified times or during pre-agreed periods. The scanning of
critical hosts or workstations should be included as part of the test effort.

You want to have an EXTERNAL NETWORK AUDIT for identifying
security weaknesses of the systems and networks from outside, such as from the
Internet. This can help to anticipate external attacks that might cause security
breaches, by scanning and launching test attacks from the outside Internet against
the internal network at specified and pre-agreed times and locations.

You want to have a PHONE LINE AUDIT for identifying undocumented or
uncontrolled modems connecting internal computers directly to the telephone
network. This aims at eliminating any unauthorized or inappropriate modem
connection and configuration to your internal network and systems.

You want to perform a SECURITY POLICY, GUIDELINES &
PROCEDURES REVIEW to review or develop the existing security policy,
guidelines and procedures. You want to focus on the high-level overall
organization-wide security policy, or on specific systems, networks or areas that
are of concern.

You want to perform a HOST SECURITY AUDIT for assessing the operating
system level security of the different computer server platforms.
Misconfiguration of the operating systems may open up security holes that may
not be known to your system administrators, and the goal of this audit is to sort
them all out.

You want to perform an INTERNET SECURITY AUDIT to identify those
security weaknesses of the systems and networks that are connected to
the Internet. It is sort of a combination of the internal network and external
network security audits, with a major focus on the Internet gateway.

You want to perform a REMOTE ACCESS SECURITY AUDIT. The goal is
to deal with those vulnerabilities that are associated with remote access services
via communication links such as dial-up connections and/or broadband
connections.

You want to perform a WIRELESS NETWORK SECURITY AUDIT to deal
with vulnerabilities that are associated with wireless networks. You also want to
perform a WEB APPLICATION SECURITY AUDIT which deals with
vulnerabilities relevant to your web applications.

Example Audit Objectives and Procedures


FYI, below is an example document detailing the objectives and procedures of
a proposed network audit:

Objective:
To assess whether access from the internal network to the Internet and from
the Internet to the internal network are controlled.

Criteria:
The Internet policy should convey to all staff the intent of the controls to be
implemented by the firewall.

Procedures:
a) Obtain a copy of the Internet Policy.
b) Identify the process that was used to develop the policy. Ascertain whether
the process considered the value of and degree of reliance on the firewall and
the severity, probability, and extent of the potential for direct and indirect
harm.
c) Assess whether the policy:
* identifies the specific assets that the firewall is intended to protect and
the objectives of that protection (integrity, availability, and confidentiality)
* describes the organizational structure and associated responsibilities and
accountability of personnel who will be charged with implementing the
policy, monitoring compliance with the policy and adhering to the policy
* supports the legitimate use and flow of data and information and
* documents what information passing through the firewall will be monitored
(limit organizational liability, reduce abuse, support prosecution for abuse) and
* is consistent both in tone and in principle with other organizational policies
and accepted practice (e.g. availability of Internet access for non-business use)
d) Ascertain whether legal counsel has reviewed the policy to ensure
consistency with requirements and limitations imposed externally (laws,
regulations etc.).
e) Determine whether management approval of the policy has been sought and
granted and the date of the most recent review of the policy by management.
f) Identify how the Internet policy was/is communicated to users and how
awareness is maintained. Select a sample of users and discuss their
understanding of their responsibilities related to Internet use and how to
report problems.
g) Determine whether standards and procedures have been defined to specify
the means by which the policy is implemented.
h) Assess whether the standards and procedures specify who is responsible and
empowered to do each function required for the proper operation of the
firewall.
i) Assess whether the security policy:
* is easy to read and locate relevant sections
* is versioned and dated
* is carefully worded with all ambiguous terms precisely defined
* sets out acceptable conditions of use as well as unacceptable conditions of use
* is widely communicated to affected persons and
* is reviewed at regular intervals.
j) Consider whether the following issues are addressed in the policy document:
* Scope of the policy in relation to other internal and external networks with
which it may be connected.
* Basic philosophy that may be used for making non-deterministic decisions.
* Governing policies, such as Federal and Provincial Law, contractual terms
and conditions, or other policies internal to the Company.
* Identification of the person who has ultimate authority to interpret and
apply the policy to a particular situation.
* Allowance for the policy to be temporarily waived by a person of authority
under certain conditions or guidelines.
* Formal definition of how the people affected by the policy will be informed
of its contents.
* Frequency and necessity for reviews of the policy.
* Outline of the assets that must be protected, and from what threats.
* Security incident handling principles.
* Guidelines for liability of personnel with regard to security breaches to
discourage people from hiding details of a breach that they may have
(somewhat innocently) been involved in.
* Guidelines regarding investigation of incidents and courses of action that
could be taken by decision makers based upon details of the security breach,
including referral to law enforcement agencies, as well as internal
investigation and disciplinary principles.
k) Consider whether the rights and responsibilities of users are addressed in
the policy document, including:
* Account use, by both the account holder and the resource provider. Special
conditions may apply to the use of normal user accounts, and public access
accounts (like anonymous ftp), and these conditions could be expressed here.
* Software and data access and use, including sources of data and software.
* Disclosure of information which is potentially harmful, such as password
information or configuration information.
* Etiquette, including acceptable forms of expression (e.g. non-offensive
expression expected for unsolicited electronic mail), and unacceptable
practices (such as the forging of electronic mail and news articles).
* Password use and format.
* Rights to privacy, and the circumstances under which the resource provider
may intrude on the files held under or activities practiced by an account.
* Other miscellaneous guidelines regarding reasonable practices, such as the
use of CPU cycles and temporary general access storage areas. Copyright
issues may also be discussed here.
l) Consider whether the rights and responsibilities of resource providers are
addressed in the policy document, including:
* physical security guidelines
* privacy guidelines and
* configuration guidelines, including:
  - allocation of responsibility
  - network connection guidelines
  - authentication guidelines
  - authority to hold and grant account guidelines
  - auditing and monitoring guidelines
  - password format, enforcement and lifetime guidelines and
  - login banners.

You may also perform audits using a wide range of computer tools. For example,
you may perform vulnerability scans using an automated vulnerability scanning
tool to quickly identify known vulnerabilities on the target hosts or devices.
However, since a large number of system requests will be generated by the
automated vulnerability scanning tool, the system and network performance of
the target groups will likely be impacted during the vulnerability scanning
process. You must therefore devise a plan to minimize possible service
interruption during the scanning process. Also note that some of the potential
vulnerabilities identified by the automated scanning tool may not represent real
vulnerabilities in the practical, real-world context. Therefore, you should realize
that false positives are not impossible and professional judgment must be
exercised from time to time.

110

Notes:

While network vulnerability scanning is a good method to collect vulnerability
information within a short period of time, it is non-intrusive and would not
attempt to exploit the identified vulnerabilities. Penetration testing may need to
be adopted if more in-depth findings are desired.

Penetration testing may be performed internally or externally. It involves using
automated tools to scan the network or system to create a complete map of
connected workstations and servers, as well as to identify vulnerabilities from
either inside or outside the network and system under study by attempting to
penetrate them. Sometimes penetration testing may also involve user interviews
and the use of different hacking techniques to test the system or network. The
level of detail and types of hacking would have to be thoroughly planned and
agreed upon prior to proceeding.

In any case, PLAN THEIR USE EARLY, PRIOR TO MOVING ON
TO THE FIELDWORK.

Audit Fieldworks

During the audit process, the fieldwork concentrates on transaction testing and
informal communications. At this stage the auditor determines whether the
controls identified during the preliminary review are operating properly and in
the manner described.

Remember, you do NOT audit every single item. With the help of statistical
sampling techniques, you determine (mostly in a random manner) which items
to work on.

One major purpose of fieldwork is to accumulate sufficient, competent,
relevant, and useful evidence to support the audit comments and
recommendations:
o Audit evidence is sufficient when it is factual and is convincing enough
for an informed person to reach the same conclusion.
o Evidence is competent if it consistently produces the same outcomes.

The activities at this stage often include:
o Transaction Testing - procedures usually include testing the major
controls and the accuracy and propriety of the transactions. Various
techniques including sampling are used to enhance productivity.
o Advice & Informal Communications - the auditor may discuss any
significant findings with the client. The client may, in return, offer
insights and work with the auditor to determine the best method of
resolving the finding. Most of the time these communications are oral.
Written forms of communication usually indicate the existence of
serious problems.
o Audit Summary - the auditor summarizes the audit findings, conclusions,
and recommendations necessary for preparing the audit report
discussion draft.
o Working Papers - sort of scratch papers that are kept for supporting
the audit opinion. They are comprehensive in nature.

In fieldwork IT auditors may use computer-assisted audit techniques (CAATs)
to improve audit coverage by reducing the cost of testing and sampling
procedures that otherwise would be performed manually. CAATs typically
include tools and techniques such as generalized audit software, utility software,
test data, application software tracing and mapping, and audit expert systems.
Whatever the source, audit software programs should remain under the strict
control of the audit department.

You use CAATs to test application controls as well as to perform substantive tests
on sample items. Types of CAATs include Generalized Audit Software (GAS),
Custom Audit Software (CAS), Test Data, Parallel Simulation and Integrated
Test Facility. Through the use of CAATs, you will be able to obtain evidence to
support your final conclusions developed on the audit.

Audit evidence needs to be sufficient, reliable, relevant, and useful in order for
you to form an opinion and to support your findings and conclusions. You
need to devise procedures to gather and organize audit evidence. You should
select the most appropriate procedure for the audit objective. Possible options
include:
o Inquiry and/or Observation
o Inspection
o Confirmation
o Reperformance
o Monitoring

Working papers are the formal collection of auditors' notes, documents,
flowcharts, correspondence, results of observations, plans and results of tests,
the audit plan, minutes of meetings, computerized records, data files or
application results, and evaluations that document the auditor's activity for the
entire audit period. They are essential to support the auditor's findings and
recommendations in the audit report.
To conclude the fieldwork stage, a list of significant findings from which the
auditor will prepare a draft of the audit report is produced.

Audit Program
An audit program acts as the link between the preliminary survey and the field
work. In the preliminary survey the auditors identify operating objectives, risks,
operating conditions and control procedures. In field work they gather evidence
about the effectiveness of control systems based on observations,
documentation, verification and other audit procedures.

For a list of popular audit programs you may refer to this hyperlink:
http://www.auditnet.org/asapind.htm

Audit Report
This is the principal product of the audit process - you express your opinions,
present the audit findings, and discuss recommendations for improvements.
According to IS Auditing Standard 070 (Reporting), "The IT auditor should provide a report
in an appropriate form, upon the completion of the audit. The report should state the scope,
objectives, period of coverage, and the nature, timing, and extent of the audit work performed.
The report should state the findings, conclusions, and recommendations and any reservations,
qualifications or limitations of scope that the IT auditor has with respect to the audit."
It is always advisable for you to first discuss the rough draft with your client
prior to issuing the final report:
1. When the fieldwork is completed, the auditor drafts the report and gives
it to the audit management for a thorough review. A discussion draft is
prepared for the unit's operating management and is submitted for the
client's review before the exit conference.
2. When audit management has approved the discussion draft, the auditor
meets with the unit's management team to discuss the findings,
recommendations, and text of the draft. At this meeting (which is
known as the Exit Conference), the client is given the chance to
comment on the draft. The ultimate goal is for the group to reach an
agreement on the audit findings (and to maintain a friendly relationship
with the client).
3. After an agreement is made, the auditor prepares a formal draft which
takes into account any revisions resulting from the exit conference and
other discussions. When the changes have been reviewed by audit
management and the client, the final report is produced and rendered to
the audit management as well as the client. The approval of the client
and the Audit Director is required for release of the report to any third
party.
4. The client should be given the opportunity to respond to the audit
findings prior to issuance of the final report; the response can be included
in or attached to the final report. However, if the client decides to respond
after the report has been issued, the first page of the final report should
include a letter requesting the client's written response to the report
recommendations.

You should discuss the draft of the audit report with management
to give management the chance to correct any weaknesses or
deficiencies before they are reported and/or even released to the
public. You may do this in the form of a Management Comment
Letter.

5. In the response, the client should explain how report findings will be
resolved. An implementation timetable should also be included. It is
technically acceptable for the client to respond with a decision not to
implement an audit recommendation and to bear the risks associated
with an audit finding.
6. Finally, the client may comment on the performance of the audit. This
feedback can be very beneficial to the audit team.

Audit Follow-Up
Within a period defined by the client, the auditor will perform a follow-up
review to verify the resolution of the report findings:
1. Follow-up Review - the client response letter is reviewed and the actions
taken to resolve the audit report findings may be tested. Unresolved
findings will be discussed in the follow-up report.
2. Follow-up Report - lists the actions taken by the client to resolve the
original report findings. Any unresolved findings will be mentioned as
well. It is a recommended practice to have a discussion draft of each
report with unresolved findings circulated to the client before the
follow-up report is issued (again, this is for reaching agreement and
maintaining a friendly relationship).

To keep things going properly, you should use a process that enables you
to track the status of client management's actions on significant findings and
recommendations.

Note:
If after issuing the audit report it is found that some procedures had been
omitted, you may need to review the available audit alternatives in order to
compensate for the omission. If unfortunately the omitted procedures actually
have a material bearing on the audit outcome, the worst-case scenario is that
you will have to issue a new report and have the old one cancelled.

Audit Assessment
Upon completion, your audit work should be evaluated by a partner or senior
manager based on a number of criteria, including:
o Audit Completeness and Pertinence
o Accuracy
o Appropriate Conclusions, Findings and Recommendations
o Follow-up to Findings and Recommendations

IT Strategic Planning
IT Strategic Planning defined
Strategic planning is an important activity for information technology
organizations. IT Strategic Planning is closely related to IT governance, which
comprises the body of issues addressed in considering how IT is applied within
the enterprise.
The key goal of the IT strategic planning process is to translate your
organization's vision into detailed short- and long-term IT plans and processes
that match the company's business plan and ensure that employees, clients,
suppliers, and partners can easily and securely interact and collaborate:
o IT strategic plans must be aligned with institutional mission, plans, and
priorities. An IT plan must also be flexible enough to adapt to changes. Most
importantly, IT strategic planning must occur as part of a process that
ensures that the best ideas are put forward and that creates investment
on the part of stakeholders.
o Strategic IT planning must include setting long-term goals, identifying
performance goals, selecting the portfolio of IT investments to support
those goals and continuously measuring the performance of IT
investments. It must be tightly coupled with the organization's strategic
planning and it must be an intrinsic and integrated part of the budget
process.

Remember, IT is a serious (and expensive) investment. Management often
measures investment from a monetary standpoint. Investment MUST produce
returns (in the form of savings or profit increases).

The role of IS Auditing in the planning process


The IS auditor should consider the following options in establishing the overall
objectives of any audit associated with IT governance and the IT strategic
planning process. These options, as mentioned by ISACA [4], should include:
o Reporting on the system of governance and/or its effectiveness
o Inclusion or exclusion of financial information systems
o Inclusion or exclusion of non-financial information systems

[4] http://www.isaca.org/standard/guide1.htm

ISACA (above) further defines the following points that should be considered
by the auditor when reviewing the IT strategic planning process:
o There is a clear definition of IT mission and vision
o There is a strategic information technology planning methodology in
place
o The methodology correlates business goals and objectives to IT business
goals and objectives
o This planning process is periodically updated (at least once per year)
o This plan identifies major IT initiatives and resources needed
o The level of the individuals involved in this process is appropriate

In-house or Outsource?

Note that one major duty of IS auditors is to validate the acquisition or
development of business application systems. From a security standpoint,
you need to tell whether doing it in-house is more secure (and easier to control)
than buying it off the shelf. A trade-off is involved in the decision, and different
answers are expected in different circumstances. The general guideline is that
doing it in-house allows for more control over the development process and
can allow you to build in more security features. However, this can be costly as
you need to recruit, train and manage your IT team to do the job.
Also, when your own development team is involved you must clearly define the
roles and responsibilities of each team member. Certain roles must not
overlap, and certain duties must be clearly separated.

Avoiding conflicts of interests


The principle of separation of duties is that an organization should carefully
separate duties, so that people involved with checking for inappropriate use are
not also capable of making such inappropriate use. No person should be
responsible for completing a task involving sensitive, valuable or critical
information from beginning to end. Likewise, a single person must not be
responsible for approving their own work.
The general guidelines here are:
o you don't test or QC your own work.
o creation and daily administration must NOT be performed by the same
individual.

Other examples include:
o development VS production
o security VS audit
o accounts payable VS accounts receivable
o encryption key management VS changing of keys
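Added example (not from the study guide) of how the conflicts listed above can be checked mechanically over role assignments and change approvals; the role names, users and change records are constructed for the illustration.

```python
"""Separation-of-duties (SoD) checks over role assignments and approvals.

Added example, not from the study guide. The role names, users and change
records are constructed for illustration; the conflicting pairs mirror the
guideline list above.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Role pairs that one individual must not hold at the same time.
CONFLICTING_ROLE_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"developer", "qc_tester"}),                    # don't test/QC your own work
    frozenset({"developer", "production_operator"}),          # development vs production
    frozenset({"security_administrator", "auditor"}),         # security vs audit
    frozenset({"accounts_payable", "accounts_receivable"}),   # AP vs AR
    frozenset({"key_manager", "key_changer"}),                # key management vs changing keys
    frozenset({"account_creator", "account_administrator"}),  # creation vs daily administration
}

# Constructed role assignments: alice and carol each hold a conflicting pair.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"developer", "qc_tester"},
    "bob": {"production_operator"},
    "carol": {"security_administrator", "auditor"},
    "dave": {"accounts_payable"},
}

# Constructed change records: CHG-2 was approved by the person who submitted it.
CHANGE_RECORDS: List[Dict[str, str]] = [
    {"id": "CHG-1", "submitted_by": "bob", "approved_by": "carol"},
    {"id": "CHG-2", "submitted_by": "dave", "approved_by": "dave"},
]


def sod_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, FrozenSet[str]]]:
    """Detective check: every (user, pair) where the user holds both roles of a pair."""
    found = [(user, pair)
             for user, roles in assignments.items()
             for pair in CONFLICTING_ROLE_PAIRS
             if pair <= roles]
    return sorted(found, key=lambda item: (item[0], sorted(item[1])))


def can_assign(assignments: Dict[str, Set[str]], user: str, new_role: str) -> bool:
    """Preventive check: refuse a role that conflicts with one the user already holds."""
    current = assignments.get(user, set())
    return not any(new_role in pair and (pair - {new_role}) <= current
                   for pair in CONFLICTING_ROLE_PAIRS)


def self_approvals(changes: List[Dict[str, str]]) -> List[str]:
    """Detective check: change records where submitter and approver are the same
    person (nobody may approve their own work)."""
    return [c["id"] for c in changes if c["submitted_by"] == c["approved_by"]]


if __name__ == "__main__":
    for user, pair in sod_violations(ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {' and '.join(sorted(pair))}")
    print("dave -> accounts_receivable allowed?",
          can_assign(ASSIGNMENTS, "dave", "accounts_receivable"))
    print("self-approved changes:", self_approvals(CHANGE_RECORDS))
```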

Protection of Information Assets through Security Policy
Information Assets defined
Information Assets which are mostly of an intellectual nature are the vital
business resources that require protection commensurate with their value.
Mechanisms shall be in place to protect these assets from intentional (or
unintentional) modification, destruction, unauthorized disclosure, or other
malfeasance. The end goal is to make sure that confidentiality, integrity, and
availability of these assets are adequately maintained.
Confidentiality - Protecting sensitive information from unauthorized
modification or disclosure.
Integrity - Safeguarding the accuracy and completeness of information and
computer software.
Availability - Ensuring that all systems, networks, applications and information
are available and accessible by authorized users when they are required.

Assets - Protection from damage, loss or misuse of all computer and
communications equipment, including computing and communications
premises, data storage media, application/system computer programs and
documentation.

According to INFOSEC, the values of information assets may be expressed in
terms of:
o tangible values, such as replacement costs of IT facilities, hardware, media,
supplies, documentation, and IT staff supporting the systems;
o intangible values, such as goodwill and replacement costs of data; and
o information values and the data classification of the information stored,
processed, or transmitted by the asset.

When we talk about the protection of information assets, we are dealing with
two issues here:
1. The policy for offering protection
2. The technology that is in use for offering protection

NOTE:
Practically speaking, copy protection is also a significant issue. If the
software you use (which is part of your information assets) has a
serial number you may be held liable for the illegal copies spawned
from the original copy running on your computer system.

You need to have an idea of what it takes to shape a proper Information
Assets Protection policy. Then you know how to go ahead with an audit.
Questions you may ask here:
o Does your organization have a written security policy?
o Does the policy identify all individuals responsible for implementing that
policy and what their duties are?
o Does the policy identify the steps to be taken if there is a security breach?
o Does the policy identify what information it is most important to protect?
o Does the policy identify enforcement procedures that identify the penalties
associated with a security breach?
o Is the policy known by all individuals who have the responsibility for
implementing that policy?
o Has a security plan been developed based on the security policy?

Data Classifications and Layers of Responsibility

The purpose of data classification is to indicate the level of confidentiality,
integrity and availability that is required for each type of information.
The US classifications are:

Commercial:
o Confidential
o Private
o Sensitive
o Public

Military:
o Top Secret
o Secret
o Confidential
o Sensitive but unclassified
o Public

The Data Owners are the senior managers who are ultimately responsible for the
protection and use of data. They often determine the data classification. The
Data Custodians, on the other hand, are responsible for the maintenance and
protection of data, such as making backups and performing restores. The IT
staff in the IT department usually fill this role.
NOTE:

Before you give classified information to anyone, you as the holder of the
information MUST do whatever you can to ensure that the person to
whom you are giving the information possesses the proper level of security
clearance AND has the need-to-know.
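Added example (not from the study guide) of the holder's check just described, using the military scale listed above plus constructed compartment tags to stand in for need-to-know; the sample document, the recipients and the function names are assumptions made for the illustration.

```python
"""Clearance and need-to-know check before classified information is released.

Added example, not from the study guide. The ordering of levels follows the
military classification list above; the compartment tags that express
need-to-know, the sample document and the recipients are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Lowest to highest, as listed in the military scale above.
MILITARY_LEVELS = ["Public", "Sensitive but unclassified", "Confidential", "Secret", "Top Secret"]
RANK: Dict[str, int] = {level: i for i, level in enumerate(MILITARY_LEVELS)}


@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    compartments: FrozenSet[str] = frozenset()   # constructed need-to-know tags, e.g. a project


@dataclass(frozen=True)
class Recipient:
    name: str
    clearance: str
    need_to_know: FrozenSet[str] = frozenset()   # compartments the person has been read into


def release_decision(doc: Document, who: Recipient) -> Tuple[bool, str]:
    """The holder's check: clearance at or above the classification AND
    need-to-know for every compartment on the document. One without the
    other is a refusal."""
    if doc.classification not in RANK or who.clearance not in RANK:
        return False, "unknown classification or clearance level"
    if RANK[who.clearance] < RANK[doc.classification]:
        return False, f"clearance '{who.clearance}' is below '{doc.classification}'"
    missing = doc.compartments - who.need_to_know
    if missing:
        return False, "no need-to-know for: " + ", ".join(sorted(missing))
    return True, "release permitted"


# Constructed sample: a Secret plan restricted to one project.
OPS_PLAN = Document("ops plan", "Secret", frozenset({"PROJECT-ALPHA"}))
RECIPIENTS = [
    Recipient("high clearance, not read in", "Top Secret"),
    Recipient("cleared and read in", "Secret", frozenset({"PROJECT-ALPHA"})),
    Recipient("read in, clearance too low", "Confidential", frozenset({"PROJECT-ALPHA"})),
]

if __name__ == "__main__":
    for person in RECIPIENTS:
        ok, why = release_decision(OPS_PLAN, person)
        print(f"{person.name}: {'RELEASE' if ok else 'REFUSE'} ({why})")
```

The first recipient shows the point of the note above: a Top Secret clearance alone does not justify release when the person has no need-to-know.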

Security Policy
Policy is issued top-down. It is signed by the top person in the organization,
and compliance with it is mandatory. On the other hand, procedures tell the steps
needed for attaining compliance.

The overall objective of a security policy is to control human behavior in an
attempt to reduce the risk to information assets by accidental or deliberate
actions. Top management should set a clear policy direction and demonstrate
support for the maintenance of information security through the commitment
to developing an information security policy across the organization. Such
policy should apply to ALL business units and entities with access to
information assets owned by or entrusted to the organization.

A Baseline IT Security Policy is a top-level directive statement that sets the
minimum standards of a security specification for all departments of the
organization. It states clearly what aspects are of paramount importance to a
department. In other words, it provides the basic rules which must be observed
as mandatory. On the other hand, security guidelines serve to introduce general
concepts relating to Information Technology Security as well as elaborate
interpretations of the Baseline IT Security Policy. They also provide some
guidelines and considerations for defining detailed security requirements.
Support from top management is a MUST! Therefore, the policy
document MUST be approved by management and be communicated
to all employees. It should EMPHASIZE management commitment and
set out the organization.

Once defined and implemented, the policy owner should be held responsible
for its maintenance and review according to a defined periodic review process
(update & maintenance of the policy is kind of a hands-on job). Such a process
should ensure that a review takes place in response to any changes affecting the
basis of the original risk assessment.

Ownership of critical information and systems should be assigned to capable
individuals, with responsibilities clearly defined and accepted. Responsibilities of
these owners should include:
a) determining business (and the relevant information security) requirements.
b) ensuring information and systems are protected in line with their importance
to the organization.
c) determining which users are authorized to access particular information and
systems.
d) signing off access privileges for each user or set of users.
e) defining information interchange agreements.
f) developing service level agreements.
g) signing off specifications for business requirements.
h) authorizing new or significantly changed systems.
i) ensuring users are aware of their security responsibilities and are able to fulfill
them.
j) being involved with security audits/reviews.

These responsibilities should be clearly documented. Responsibilities for
protecting information and systems should be communicated to owners and
accepted by them.

Do keep in mind, ALL USERS, NOT just the owners, have a
responsibility to ensure the protection of information and computing
assets!

And for the purpose of the exam, remember that the necessary components
that fit together for effective security management practices are:
o Data classification
o Operational activities
o Safeguard selection
o Separation of duties
o Management security responsibilities
o Guidelines and procedures
o Risk assessment
o Policies and standards
o Security awareness.

The above are concerns at a broader level. On the other hand, at the actual
admin level questions you may ask concerning the hand-son management,
enforcement and implementation of security procedures may include:

- How many system administrators does your organization have?
- Do your system administrators work full-time as system administrators?
- Are your system administrators contractor employees?
- Is there segregation of duties among system administrators?
- Does each system administrator have a backup person?
- Are program modifications approved by the configuration control function required to be installed by system administrators?
- Is there consistency in the implementation of security procedures by system administrators in the organization?

To ensure successful implementation of security policies and procedures and of security awareness training, the factors of Awareness, Training and Education must be considered. Note that:
- Systems development staff need skills to design systems in a disciplined manner and develop security controls.
- IT staff need skills to run computer installations and networks correctly and apply security controls. Beware of the potential segregation of duties issue, though*.
- Business users need skills to use systems correctly and apply security controls.
- Information security specialists need skills to understand the business, run security projects, communicate effectively, and perform specialist security activities.

General questions you may ask concerning user training may include:
- Is there a formal information security training program within your organization?
- Are new employees required to receive security awareness training within a specified number of days after hiring?
- Are employees required to get updated security training at regular intervals?

* The risk of IT staff disrupting the running of the network either in error or by malicious
intent should be reduced by the following measures:
a) segregating the duties of staff running the network from those developing/designing the
network.
b) ensuring all network and external staff sign non-disclosure/confidentiality agreements.
c) minimizing reliance on key individuals by automating tasks as well as ensuring complete
and accurate documentation.
d) organizing duties in such a way as to minimize the risk of theft, fraud, error and
unauthorized changes to information.
e) screening applicants for positions that involve running the network through taking up
references and checking career history.

Security Models and Modes of Operations

A model is a symbolic representation of a policy. It maps the desires of the policy into a set of rules to be followed by a computer system. It defines the dos and don'ts for achieving the goals of the security policies. Even though this is mostly theoretical information of not much practical value, the exam will have quite a few questions on it.

The Bell-LaPadula Model was developed by the military in the 1970s to address leakage of classified information. Its main goal is confidentiality. A system using the Bell-LaPadula model would be classified as a multi-level security system. Bell-LaPadula is a state machine model, and could also be categorized as an information flow model.

The Biba Model is also a state machine model. It is similar to Bell-LaPadula except that it addresses data integrity rather than data confidentiality. The data integrity focus is characterized by three goals:
- Protection from modification by unauthorized users.
- Protection from unauthorized modification by authorized users.
- Internal and external consistency.

The Clark-Wilson model takes a different approach to protecting integrity. Users cannot access objects directly, but must go through programs that control their access.

The various information flow models have one thing in common: they have
each object assigned a security class or value. Information is constrained to flow
only in the directions permitted by the security policy.
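An added illustration, not code from this study guide, of how a model turns a policy into rules a system can enforce: an access-decision check for the Bell-LaPadula and Biba models. It applies their standard properties (no read up and no write down for confidentiality; no read down and no write up for integrity), which the text above does not spell out, and treats compartments as the need-to-know part of a label; the levels, compartments and labels are constructed.

```python
"""Added example (not from the study guide): access decisions under the Bell-LaPadula
(confidentiality) and Biba (integrity) state machine models.

Level names and compartments below are constructed sample data. A label "dominates"
another when its level is at least as high and its compartment set covers the
other's compartments (the need-to-know part of the comparison).
"""
from dataclasses import dataclass, field

# Ordered hierarchies (index = rank). Constructed for this example.
LEVELS = ("unclassified", "confidential", "secret", "top secret")
INTEGRITY_LEVELS = ("untrusted", "user", "system")


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label", order) -> bool:
        """True when self is at least as high as other and covers its compartments."""
        return (order.index(self.level) >= order.index(other.level)
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, access: str) -> bool:
    """Bell-LaPadula: a read needs subject >= object (simple security property, no
    read up); a write needs object >= subject (*-property, no write down)."""
    if access == "read":
        return subject.dominates(obj, LEVELS)
    if access == "write":
        return obj.dominates(subject, LEVELS)
    raise ValueError(f"unknown access type {access!r}")


def biba_allows(subject: Label, obj: Label, access: str) -> bool:
    """Biba is the mirror image: a read needs object integrity >= subject (no read
    down); a write needs subject integrity >= object (no write up)."""
    if access == "read":
        return obj.dominates(subject, INTEGRITY_LEVELS)
    if access == "write":
        return subject.dominates(obj, INTEGRITY_LEVELS)
    raise ValueError(f"unknown access type {access!r}")


if __name__ == "__main__":
    # Constructed subjects and objects.
    analyst = Label("secret", frozenset({"nuclear"}))
    report = Label("confidential")
    vault_file = Label("top secret")
    for obj, access in ((report, "read"), (report, "write"), (vault_file, "write")):
        print(f"BLP {access:5s} {obj.level:12s} -> {blp_allows(analyst, obj, access)}")
    service = Label("user")
    for obj, access in ((Label("system"), "read"), (Label("untrusted"), "read")):
        print(f"Biba {access:4s} {obj.level:9s} -> {biba_allows(service, obj, access)}")
```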

Based on the above-mentioned models, several modes of operation can be developed for defining the security conditions under which the system actually functions.

With the Dedicated Security Mode, all users have the clearance and the need to know for all the data within the system.

With the System-High Security Mode, all users have clearance and authorization to access the information in the system, but not necessarily a need to know.

With the Compartmented Security Mode, all users have the clearance to all information on the system but might not have need to know and formal access approval. Users can access a compartment of data only.

The Multilevel Security Mode permits two or more classification levels of information to be processed at the same time. Users, however, do not have clearance for all of the information being processed.

Under Limited Access, the minimum user clearance is not cleared and the maximum data classification is sensitive but unclassified. Under Controlled Access, there is a limited amount of trust placed on system hardware and software.

Some questions you may ask when auditing user account related issues:
- What is the procedure for establishing accounts? What level of supervisor approval is required?
- Who has root/admin access to your systems?
- Can accounts be accessed remotely? If so, by whom? What kind of justification is required before remote access is permitted?
- What is the procedure for forgotten passwords?
- What is the procedure for closing accounts when an employee is terminated?
- What is the procedure for monitoring inactive accounts?
- What is the technical process by which accounts are established?

Example Policy
The role of the CIO and his/her peers involves developing and publishing
policy in consultation with Business Units and Service Providers as well as
promoting the development of the various supporting standards and
Guidelines.
Below is an example of the terms included in a real-life security policy:

1. Sample company information technology assets must not be used for private commercial purposes.
2. Users must not breach copyright, nor use facilities for illegal purposes.
3. Users must protect Sample company and vendor intellectual property.
4. Users, external suppliers and clients must, on request, sign a confidentiality
agreement in respect of the use of IT facilities, documentation and data,
including non-disclosure of Sample company information to third parties.
5. All users must abide by Sample company acceptable use policies for e-mail
and Internet and not download, transmit, distribute or store any harassing or
obscene messages and files, or any objectionable material via a Sample
company PC or network. This includes the use of insulting, sexist, racist,
obscene, suggestive or any other inappropriate language.
6. All users are personally accountable for their own logon-id and password.
Passwords must not be disclosed nor shared.
7. The Standards and Guidelines supporting this policy form part of the Policy.
8. Users are responsible for meeting published information technology
standards, guidelines and acceptable use policies.

9. Appropriate levels of security and encryption will be used when communicating electronically with external parties. All items for encryption must be authorized and copies of encryption keys must be lodged with the IT Security Officer.
10. Any variations or departures from the IT Security Policy must be endorsed
by the Chief Information Officer and must be available for audit.
11. Sample company reserves the right to monitor usage and electronically
record security breaches to ensure compliance is maintained.
12. All Sample company PC's will be loaded with Virus Checking software.
Users must not disable or change the configuration settings of this software
unless directed to do so by an appropriate Technology Group staff member.
13. Authorization must be obtained from the appropriate Technology Group
before any form of communications equipment, including modems, are
attached to the Sample company IT Network.

Consequences of violations
In order for a security policy to be effective, the CONSEQUENCES OF SECURITY POLICY VIOLATIONS must be clearly defined upfront. In fact, any security exposures, misuse or non-compliance must be reported as soon as an occurrence is identified. Failure to comply with the Information Technology Security Policy and supporting sub-policies may, for internal staff, lead to disciplinary procedures and, for external suppliers and consultants, may lead to the suspension of contracts and withdrawal of access to the organization's information systems, etc.
Evaluation
The US Dept of Defense has developed TCSEC (Trusted Computer Systems Evaluation Criteria), broadly known as the Orange Book, to provide a graded classification for computer system security. The graded classification hierarchy has four levels:

A Verified Protection
B Mandatory Protection
C Discretionary Protection
D Minimal Security

The evaluation criteria involve four main areas: Security Policy, Accountability, Assurance and Testing. Note that the Red Book is an interpretation of the Orange Book for networks and network components. The Red Book TNI ratings are:
- None
- C1 Minimum
- C2 Fair
- B2 Good

Organization specific classification scheme

There may be a need for an organization-specific security classification scheme that applies across your organization, which should be used to determine varying levels of the importance of information or systems and the sensitivity of information or systems. Such a security classification scheme should take account of the possible business impact of a loss of confidentiality, integrity or availability of information, and be used to classify information held in electronic or paper form, software and hardware. It should be applied to business applications, computer installations, networks and systems under development, with the purpose of explaining how to resolve conflicting classifications.

A comprehensive security classification scheme should require critical information and systems to be distinguished from other information and systems, and that information and systems are protected in line with their classification. It has to be signed off by the relevant business owners, and its security classifications have to be reviewed whenever changes are made.

Change control
Change control is an important element; it describes the procedures for making and controlling changes to information. Put it this way: change control procedures restrict the way people make changes to information assets.

The five general procedures for implementing change control are:
- Applying to introduce a change
- Cataloging the intended change
- Scheduling the change
- Implementing the change
- Reporting the change to appropriate parties

Change Control is critical to software development as well. Refer to the section on Change Management for more information.

Business Continuity Planning

According to a recent Gartner Group document, a business continuance plan should include:
- a disaster recovery plan, which specifies an organization's planned strategies for post-failure procedures;
- a business resumption plan, which specifies a means of maintaining essential services at the crisis location;
- a business recovery plan, which specifies a means of recovering business functions at an alternate location; and
- a contingency plan, which specifies a means of dealing with external events that can seriously impact the organization.

Definition
Business continuity is a term that describes the processes and procedures an
organization puts in place to ensure that essential functions can continue during
and after a disaster. Business continuity planning seeks to prevent interruption
of mission-critical services, and to reestablish full functioning as swiftly and
smoothly as possible.
From a practical standpoint, you must understand that it may not be practical for any but the largest business functions to maintain full functioning throughout a disaster crisis. You cannot afford to keep everything running nonstop due to the high cost involved. In fact, the very first step in business continuity planning is deciding which of the organization's functions are essential, and apportioning the available budget accordingly.

BCP vs BPCP vs DRP

Should it be called Business Continuity Planning (BCP)? Business Process Contingency Planning (BPCP)? Or Disaster Recovery Planning (DRP)? Traditionally, planning for the restoration and continuation of IT infrastructure services to support mission-critical business processes was referred to simply as DRP. Still, at the end of the day their objectives are very similar. Contingency planning is a popular term to use. So is disaster recovery planning.

One DRP related term is Fault Tolerance. Fault tolerance (also known as graceful degradation) is the property that enables a system to continue operating properly in the event of the failure of some of its components. Fault tolerance is particularly sought-after in high-availability or life-critical systems. With a fault tolerance mechanism in place you are subject to far less disruption when things go wrong.

BCP Phases
The phases of development for any BCP (Business Continuity Planning) program should include:
- Initiation
- Business impact analysis
- Strategy development
- Plan development
- Implementation
- Testing
- Maintenance

The four most important elements of a BCP are:
- Scope plan initiation
- Business impact Analysis (includes vulnerability assessment)
- Business continuity plan development
- Plan approval and implementation

The key phrase in business continuity is "reduce risk", which means to prepare for any event that could jeopardize your business's ability to operate. If disaster strikes, companies have everything to lose - critical data, profits, information etc., all of which are critical to the running of any company.
BCP should not be a pure IT call. In fact, it should be considered as a business call. It should be developed by a team representing ALL functional areas of the organization.
BCP is in fact a project. Managing a BCP is like managing a project. A formal project needs to be established, and activities should commence only when the project has been approved by the Board of Directors of the organization.

Stakeholders and crisis communications

You will need to take into account the various stakeholders in the equation. Below are the stakeholders that will most likely be involved:
- Internal (corporate and business unit level) groups
- External groups (customers, vendors, suppliers, public, INSURANCE COMPANIES)
- External agencies (local, state, national governments, emergency responders, regulators, etc.)
- Media (print, radio, television, Internet)

Important points to remember regarding the arrangement with these stakeholders for handling emergencies shall include:
- A list of important contacts must be maintained all the time by several key people in the organization. One of these key people must be available offsite (imagine what can happen if all the key people get buried in the destroyed building).
- Determine the chain of command structure: who should be in charge if, let's say, the president may never be available again?
- Each business unit should have at least one person assigned to keep a list of contacts of all the staff within the unit; during a tragedy there is a need to find out who is still missing. There is also a need to keep the family members of the staff fully informed on what is happening.
- A crisis communication plan must always be in place. Communications must be properly maintained with the outside world during the tragedy. You will need help from various external agencies. In fact, get in touch with these agencies regularly to determine how you all can work together in the case of emergency. You will also want to let your customers know that everything is under control and there is no need for them to worry too much.

It will be very ugly if the person in charge of the organization is the last one who is informed of the tragedy. When something goes wrong, the CEO is often the target of the media. Do NOT upset the media. Do NOT upset the reporters.

The Risk Assessment Flow

As said previously, Security Risk Assessment can be defined as a process of evaluating security risks related to the use of information technology. It is conducted at the very beginning for identifying what security measures are required, and whenever there is a change to the information asset or its environment. Assessing security risk should therefore be treated as the initial step to evaluate and identify risks and consequences associated with vulnerabilities. It provides a basis for company management to establish an effective security program. Based on the assessment results, you develop security policies and guidelines, assign security responsibilities and implement technical security protections. You then perform cyclic compliance reviews and re-assessment to assure that security controls are properly put into place to meet users' security requirements, and to cope with the rapid environmental changes of all kinds. You would need to rely on continuous feedback and monitoring to achieve this.

Security risk assessment has to be treated as an on-going activity. It should be conducted at least once every two years to explore the risks in your information systems. Do understand that a security risk assessment can only give a snapshot of the risks at a particular time. Therefore, for mission-critical information systems, you should conduct security risk assessment more frequently.

High-level Assessment emphasizes the analysis of the overall infrastructure or design of a system in a more strategic and systematic approach. Comprehensive Assessment is typically conducted periodically for the security assurance of all information systems or selected information systems of a particular department. Pre-production Assessment is commonly conducted on new information systems before they are rolled out.
Prior to conducting risk assessment you should get yourself started with building up a solid knowledge base. You need to know the current and historical internal environment, the current and historical external environment, internal and external dependencies and vulnerabilities, threat profiles, as well as countermeasure choices and related costs.

Throughout the different stages of security risk assessment a large amount of data and system configurations will have to be collected, and some of them may contain sensitive information. Therefore, you must ensure all the collected data are stored securely. The use of file encryption tools and a lockable cabinet/room should be planned early.

The kinds of information that are often desired for performing an assessment, as recommended by INFOSEC, include:
- Security requirements and objectives
- Information available to the public or found in the web pages
- Physical assets such as hardware equipment
- Systems such as operating systems, network management systems
- Contents such as databases and files
- Applications and servers information
- Network such as supported protocols and network services offered
- Access controls process, application operation process, etc.
- Identification and authentication mechanisms requirements
- Documented or informal policies and guidelines

According to INFOSEC, the assessment process of a system should include the identification and analysis of a number of elements, including:
- all assets of and processes related to the system
- threats that could affect the confidentiality, integrity or availability of the system
- system vulnerabilities to the threats
- potential impacts and risks from the threat activity
- protection requirements to control the risks
- selection of appropriate security measures and analysis of the risk relationships

You may collect this information using General Control Review, System Review, and Vulnerability Identification. With General Control Review you identify threats arising from the existing general security processes by examining the systems through interviews, site visits, documentation review, observation etc. System Review focuses on system elements such as system files or logs, running processes, access control files, user listings, configuration settings, security patch level etc. Vulnerability Identification would often involve using automated tools such as vulnerability scanning and penetration testing over the network.

One important element to consider when preparing your risk assessment is to estimate the potential losses to which a business is exposed. The objective of the loss potential estimate is to identify critical aspects of the business operation and to place a monetary value on the loss estimate. The second step of the risk analysis is to evaluate the threats to the business. The third step in the risk analysis is to combine the estimates of the value of potential loss and probability of loss to develop an estimate of annual loss expectancy (ALE). The purpose is to pinpoint the significant threats as a guide to the selection of security measures and to develop a yardstick for determining the amount of money that is reasonable to spend on each of them.

Risk VS Threat and Vulnerability

The traditional definition of risk:
Risk is the product of threat and vulnerability. This model of risk is appropriate for assets where applicable threat data can be well predicted from historical events.
One way to represent this is:

Risk = Threat x Vulnerability

Note that this model of risk assumes that we have knowledge of our vulnerabilities and our threats.

Threat is typically defined as an event (such as a flood, tornado, computer virus outbreak etc.) of low probability yet highly damaging that really catches your attention. The chance of the event occurring is a probability that the event has happened. There is no time constraint. The event will likely happen over some defined period of time. There exists a probability that describes the frequency of such an event. Vulnerability, on the other hand, is usually defined as a weakness that is exploited in some very negative way by the threat.

You perform Threat Analysis to identify the threats and to determine the
likelihood of their occurrence and their potential to harm systems or assets.
System error or control logs are usually good sources of data for this.
Social threats are directly related to human factors, which can be intentional or
unintentional. Technical threats are usually caused by technical problems.
Environmental threats are usually caused by environmental disasters.

Identifying Risks
The key part of the BCP Process is the assessment of the potential risks to the business which could result from disasters or emergency situations. You MUST consider ALL the possible incidents and the impact that follows. Examples of the risks that are possible for any organization on earth include (but are not limited to):
o Environmental Disasters
o Deliberate Disruption (e.g. terrorist attack)
o Loss of Utilities and Services
o Equipment or System Failure
o Serious Information Security Incidents

Risk results may be analyzed using Qualitative & Quantitative Methods and/or a Matrix Approach. With the qualitative method you use descriptive word scales or rankings of significance/severity based on experience and judgment. It is more subjective in nature. On the contrary, the quantitative method uses numerical information to arrive at percentages or numerical values. Generally speaking, a qualitative method is better for initial screening while a quantitative method is more ideal for detailed and specific analysis on some critical elements and for further analysis on high-risk areas. A matrix approach would involve documenting and estimating the three major needs of security protection, which are confidentiality, integrity and availability, in three different levels of severity (high, medium, low). The risk level would be ranked based on the criticality of each risk element. The idea is that risk interpretation should be limited to the most significant risks so as to reduce the overall effort and complexity.

Loss Calculations
The 3 major models are:
- Single Loss Expectancy (SLE)
- Annualized Loss Expectancy (ALE)
- Cumulative Loss Expectancy (CLE)

The Single Loss Expectancy model is the model upon which the Annualized
Loss Expectancy and Cumulative Loss Expectancy models are based. This
simple (and less accurate) model has its roots in accounting, with the purpose
of determining how much value in terms of dollars will be lost, and is often
used to express the results in a financial impact analysis.
The Annualized Loss Expectancy Model of risk comes closer (relatively) to painting an accurate picture of risk by adding the probability of an event happening over a single year's time. To reach an answer, you need to first calculate the Single Loss Expectancy to determine this value. Then you obtain the product of the Single Loss Expectancy and the value of the asset to produce the Annualized Loss Expectancy. The formula looks like this:

Single Loss Expectancy x Annualized Rate of Occurrence = Annualized Loss Expectancy

The Cumulative Loss Model approaches risks by taking into account all of the
bad things that are likely to happen to your business over the next year. You
will need to look at each threat, the probability of each threat against your
business, and then derive an expected loss. You can take all of the threats, and
compute the annual rate of each threat occurring. This is a relatively
complicated model and is less emphasized in the exam.
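The qualitative matrix screening described under Identifying Risks and the SLE, ALE and CLE calculations above, carried through in code as an added example (not code from this study guide). The asset values, exposure factors, occurrence rates and C/I/A ratings are constructed, and the exposure-factor term used to reach the SLE is an assumption the text does not spell out.

```python
"""Added example, not from the study guide: qualitative screening by a C/I/A severity
matrix, then quantitative loss calculations (SLE, ALE, CLE) for the high-risk items,
and the spending yardstick the text describes. All assets, threats, values and
probabilities are constructed sample data.

Formulas used (standard ones; the exposure factor is an assumption of this example):
    SLE = asset value x exposure factor (fraction of the asset's value lost per event)
    ALE = SLE x annualized rate of occurrence (ARO)
    CLE = sum of ALE over every threat considered
"""
from dataclasses import dataclass

# Severity scale for the matrix approach: high / medium / low per C, I and A.
SEVERITY = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float        # monetary value of the asset exposed (constructed)
    exposure_factor: float    # fraction of asset value lost in one occurrence, 0..1
    aro: float                # expected occurrences per year
    cia: tuple                # (confidentiality, integrity, availability) severities


def matrix_score(threat: Threat) -> int:
    """Qualitative ranking: the most severe of the three C/I/A ratings decides the
    criticality, so a threat rated 'high' on any one need ranks as critical."""
    return max(SEVERITY[s] for s in threat.cia)


def screen(threats, minimum="high"):
    """Initial qualitative screening: keep only threats whose matrix score reaches the
    given severity; the rest are not carried into detailed quantitative analysis."""
    return [t for t in threats if matrix_score(t) >= SEVERITY[minimum]]


def sle(threat: Threat) -> float:
    """Single Loss Expectancy: money lost in one occurrence."""
    return threat.asset_value * threat.exposure_factor


def ale(threat: Threat) -> float:
    """Annualized Loss Expectancy: SLE weighted by expected occurrences per year."""
    return sle(threat) * threat.aro


def cle(threats) -> float:
    """Cumulative Loss Expectancy: everything expected to go wrong over the next year."""
    return sum(ale(t) for t in threats)


def spending_yardstick(threat: Threat, safeguard_cost: float, new_aro: float) -> dict:
    """Yardstick for reasonable spend: a safeguard that lowers the ARO to new_aro is
    justified when the yearly ALE reduction exceeds its annual cost."""
    after = Threat(threat.name, threat.asset_value, threat.exposure_factor,
                   new_aro, threat.cia)
    saving = ale(threat) - ale(after)
    return {"ale_before": ale(threat), "ale_after": ale(after),
            "annual_saving": saving, "justified": saving > safeguard_cost}


# Constructed sample threat register for one department's systems.
SAMPLE_THREATS = [
    Threat("flood in server room", 500_000, 0.6, 0.05, ("low", "low", "high")),
    Threat("virus outbreak on workstations", 120_000, 0.25, 2.0, ("medium", "high", "medium")),
    Threat("lost visitor badge", 2_000, 0.1, 4.0, ("low", "low", "low")),
]

if __name__ == "__main__":
    critical = screen(SAMPLE_THREATS)        # badge loss is screened out as 'low'
    for t in sorted(critical, key=ale, reverse=True):
        print(f"{t.name:32s} SLE={sle(t):>10,.0f}  ALE={ale(t):>10,.0f}")
    print(f"CLE over screened threats: {cle(critical):,.0f}")
    # Would a 10,000/year anti-virus programme that halves outbreaks to 0.5/year pay off?
    print(spending_yardstick(critical[1], 10_000, 0.5))
```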

From a CISA point of view, of particular importance when considering business risks and the impact of potential emergencies is the disruption to, and availability of, IT services and communications that are supposed to run 24x7.

As an IS auditor, some of the more important issues that should be considered when assessing the level of risk associated with IT services and communications include:

o Specification of IT and Communications Systems and Business Dependencies
o Key IT, Communications and Information Processing Systems
o Key IT Personnel and Emergency Contact Information
o Key IT and Communications Suppliers and Maintenance Engineers
o Existing IT Recovery Procedures

At the end of the day you want to know how one may continue the IT function should something go seriously wrong. Contingency planning is therefore a critical factor to consider. Questions you should ask may include:

l Does your organization have a contingency plan for dealing with natural and manmade disasters? If so, who maintains the contingency plan and who is responsible for its implementation?
l Does your organization have an uninterrupted power source (UPS) to increase the possibility of an orderly shutdown without loss of data?
l Does the contingency plan identify and prioritize the resources that are most important to protect in an emergency?
l Is the contingency plan tested periodically?

Business Impact Analysis defined

The BIA is an evaluation of the strengths and weaknesses of your company's disaster preparedness and the impact an interruption would have on your business.

Every BIA should include an exploratory component to reveal any vulnerabilities, and a planning component to develop strategies for minimizing risk. A well done BIA should be capable of identifying costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, and loss of profits etc.
The result of the analysis is a business impact analysis report, which describes the potential risks specific to the organization studied. It should quantify the importance of business components and suggest appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance.

BIA goals and steps

As part of the risk assessment effort, business impact analysis has 3 primary goals:
- Criticality Prioritization: Critical business units must be identified and prioritized.
- Downtime Escalation: Estimate the maximum tolerable downtime.
- Resource Requirements: Identify resource requirements for the critical processes.

Business impact analysis generally involves 4 steps:
1. Gathering the needed assessment materials
2. The vulnerability assessment
3. Analyzing the information compiled
4. Documenting the results and presenting recommendations to management.

BIA checklist
You will need inputs from both the top management and the line managers.
- Determine the business areas
- For each business area, determine the business processes and identify
the essential processes.
- For the business processes, estimate the costs of failure
  What are the costs of non-performance?
  What are the costs of late performance?
  What is the max tolerable delay in performance?
- Determine attributes for the business processes
  Description of process
  Frequency of process
  Manpower requirements (numbers, skills, who does what)
- Establish communication facilities required
- Establish IT facilities required
- Establish non-IT facilities required
- Establish clerical requirements
- For the business processes, establish the minimum resources required to operate.
- Prioritize essential business processes; this is VERY IMPORTANT. One key assumption behind every BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster.
- Summarize the requirements for the business processes
Determine the minimum acceptable backup plan
Determine the minimum acceptable recovery configuration
Determine the time scales
- Consider alternative backup/recovery solutions (cost/benefit analysis,
Hot site VS Cold site)
- Determine the Backup and Business Recovery Strategy

Preparing for emergency

To minimize the effects of potential emergencies, focus must be placed on those business activities that are key to the continued viability of the business, such as:

o Back-up and Recovery Strategies
o Key BCP Personnel and Supplies
o Key Documents and Procedures

Backup is critical. Key questions here include:

l Does your organization have backup policies and procedures?
l How often are system and user backups performed?
l Who is authorized to perform backups?
l Are backup media stored in a secure location offsite?
l Are backup media tested regularly for restorability/recoverability of files?
l Can an operational capability be restored within acceptable time constraints?
l What are the policies and procedures regarding archived data?

The key personnel and the IT staff should be well trained to tackle emergency situations and incidents. Ask these questions:

- Have users and system administrators received training on how to carry out their respective responsibilities when an incident occurs? Do they receive awareness reminders and periodic refresher training?
- Does your organization maintain a knowledge base of past incidents and lessons learned for future use?

Managing recovery
170

Notes:

One critical part of handling any serious emergency situation is in the


management of the Disaster Recovery Phase. Remember, the priority during
recovery is ALWAYS the safety and well being of the employees and other
involved persons. LIFE is the most important asset. Other priorities include
the minimization of the emergency itself, the removal or minimization of the
threat of further injury or damage and the re-establishment of external services
(power, telecom etc).

The Business Recovery Phase then follows directly from the Disaster Recovery Phase. This phase involves the restoration of normal business operations. From a business perspective, this is the most critical phase of the whole BCP exercise, as the efficiency and effectiveness of the procedures here have a direct bearing on the organization's ability to survive the emergency.

For a business to truly recover, from an IS standpoint the following items are critical:
o Power and Other Utilities
o Premises, Fixtures and Furniture
o Communications Systems
o IT Systems
o Production and Other Equipment
o Information and Documentation

Testing the plan


The effectiveness of the BCP in emergency situations can only be assessed if rigorous testing is carried out under realistic conditions. Therefore, the BCP should be tested in a realistic environment that simulates the conditions of an actual emergency. All persons who will be involved in recovering a particular business process during an emergency should be REQUIRED to participate in the testing process.

The BCP test itself should be carefully planned as well. The planning steps are outlined below:
o Develop Objectives and Scope of Tests
o Set Up the Test Environment
o Prepare Test Data
o Identify Who Is to Conduct the Tests
o Identify Who Is to Control and Monitor the Tests
o Prepare Feedback Questionnaires
o Prepare Budget for Testing Phase
o Train the Core Testing Team for Each Business Unit

The following activities must be emphasized during the test:

1. Test each part of the Business Recovery Process
2. Test the accuracy of employee and vendor emergency contact numbers
3. Assess the test results

The test process gives IS auditors a good chance to see whether the IS controls relevant to the BCP actually work as planned.

User Acceptance
For user acceptance testing, each user should create a test script designed to validate the accuracy and performance of their application in a contingency environment. The test scripts should be defined so that they give a clear indication of whether or not users can do business as usual, as stated in their recovery requirements.
Users should be asked to provide their views on the testing process and on the results of the test. The users should also provide comments regarding improvements and modifications that they would like to see as a result of the test. Upon completion, a user sign-off sheet should be provided for this purpose and must be signed off by a manager of the business.

Plan maintenance
In today's world, the pace of change will not slow down but will continue to increase. The BCP must keep pace with these changes in order to remain useful in the event of a disruptive emergency.

To ensure that the BCP is regularly updated, the following must be established:
o Change Control Procedures for Updating the Plan
o Responsibilities for Maintenance of Each Part of the Plan
o Testing of All Changes to the Plan
o Advising the Person Responsible for BCP Training

The IS auditor, when appropriate, should assist in the process by checking whether the controls and procedures for the update process are properly implemented and followed.

For your interest, take a look at the following fragment of a real-world audit report in which the BCP is involved:

Has the Department Adequately Planned For the Actions It Must Take In the Event Of A Disaster To Minimize the Loss of Computer Operations?

An organization needs good business continuity planning in order to quickly recover critical operations after a disaster. Business continuity planning addresses an organization's ability to continue functioning when normal operations are disrupted. By necessity, it includes planning for contingencies and disaster recovery, and is focused on the computer functions that are most necessary to continued agency operations. Continuity planning enables an organization to minimize the loss of communications and important computer operations during an emergency.

The Department has done little business continuity planning for its critical computer programs. Department management have implemented some sound practices, such as a system for backing up critical data. However, the Department doesn't meet many other planning standards. We found problems such as the following:

o The Department hasn't conducted a risk analysis to assess possible disaster scenarios or threats
o The existing continuity plan doesn't assign roles and responsibilities to specific staff, and is limited in the recovery instructions it gives
o The Department hasn't made any arrangements for off-site processing for its critical computer programs.

Incident Handling
The major activities involved in the planning and preparation of an incident handling mechanism should, as a minimum, include:

o Security Incident Handling Plan
o Reporting Procedure
o Escalation Procedure
o Security Incident Response Procedure
o Training and Education
o Incident Monitoring Measures

There has to be a proper reporting procedure in place so that when an incident occurs, all parties involved know whom they should report to, in what way, and what should be noted and reported. Such a reporting procedure should have a clearly identified point of contact and comprise simple but well-defined steps to follow. It should be widely published to all concerned staff for their information and reference. You should ensure that all related staff are familiar with the reporting procedure and are capable of reporting a security incident immediately.

There must also be a comprehensive escalation procedure. Such a procedure defines the way to escalate the incident to management and relevant parties so that important decisions are taken promptly. You need to put in place a contact list for addressing the legal, technical and managerial issues that arise at the different stages of security incident handling. You should set out the points of contact with the corresponding contact information, as well as the various levels of notification, based on the type and severity of the impact caused by the incident.

The system or functional area's manager must establish a security incident response procedure to guide the security incident response team through the incident handling process. Moreover, a sufficient level of security measures for incident monitoring must be implemented to protect the system during normal operation as well as to monitor for potential security incidents. For example, you want to install firewall devices and apply authentication and access control measures to protect important system and data resources. You also want to install an intrusion detection tool to proactively monitor, detect and respond to system intrusions or hacking. It is also a good idea to install anti-virus and malicious code detection and repair software to detect and remove computer viruses and malicious code, and prevent them from affecting system operation.


Risk Management
Risk is a concept that auditors and managers use to express their concerns about the probable effects of an uncertain environment. Because the future cannot be predicted with certainty, auditors and managers have to consider a range of possible events that could take place [5]. Risk management is a discipline for dealing with uncertainty [6].

As mentioned by David McNamee in his article "Management Control Concepts", uncertainty and randomness exist in nature; risk is not something to be worried or concerned about but something to be managed. In fact, managing a range of risks is required for both survival and success in today's environment. Every organization can and should use risk management strategies and tools to protect vital assets.

[5] http://www.mc2consulting.com/riskart2.htm
[6] http://www.nonprofitrisk.org/tutorials/rm_tutorial/2.htm

The discipline of risk management aims to help an organization identify, assess and control risks that may be present in operations, service delivery, staffing, and governance activities. Good risk management can reduce legal costs and may avoid lawsuits altogether. Remember, legal cost is one of the worst nightmares an organization can ever have.

Risk management defined

The risk management process provides a framework for identifying risks and deciding what to do about them. Since not all risks are created equal, risk management does not simply identify risks but also weighs the various risks and makes decisions about which risks deserve immediate attention.

The risk management steps

The steps involved in proper risk management include:

o Context establishment - begin a risk management program by setting goals and identifying any potential barriers or impediments to the implementation of the program.
o Risk identification - categorize risks according to the major categories of assets of the organization in question.
o Risk evaluation and prioritization - establish a list of risk-related action items in priority order.
o Strategy selection and implementation - use risk management techniques to address virtually every risk your organization is facing. Such techniques include:
v Avoidance - do not offer programs that pose too great a risk.
v Modification - modify an activity to make it safer for all involved.
v Retention - make a conscious decision to retain the risk.
v Sharing - share the risk with another organization through a contractual arrangement, such as an insurance contract or a risk management service contract.
o Program update - keep the risk management techniques and plans periodically reviewed and updated to make certain that they remain the most appropriate strategy.

Always remember, people are the heart and soul of your organization and are irreplaceable. Risks to people's lives always deserve the most attention.
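The evaluation, prioritization and strategy selection steps above, as an added example in Python that is not from the original guide: it computes inherent and residual scores on 1-5 likelihood and impact scales, ranks a register by residual risk, and maps each entry to one of the four techniques (avoid, modify, retain, share). The scales, the control-effectiveness factor, the thresholds inside choose_treatment, the risk appetite of 6 and the sample register are all constructed assumptions, not a method prescribed by ISACA or by McNamee.

```python
"""Score and prioritize a risk register, then pick a treatment for each entry.

Added example, not from the original study guide. The 1-5 scales, the
control-effectiveness factor, the appetite thresholds and the sample register
are constructed for illustration.
"""

TREATMENTS = ("avoid", "modify", "retain", "share")


def inherent_score(likelihood: int, impact: int) -> int:
    """Likelihood x impact on 1-5 scales: 1 (negligible) to 25 (extreme)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1-5 scale")
    return likelihood * impact


def residual_score(likelihood: int, impact: int, control_effectiveness: float) -> float:
    """Inherent score reduced by the fraction that existing controls remove."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return inherent_score(likelihood, impact) * (1.0 - control_effectiveness)


def choose_treatment(residual: float, appetite: float, transferable: bool) -> str:
    """Map a residual score to one of the four techniques (assumed thresholds).

    More than twice the appetite: avoid the activity. Above appetite: share it
    if a contract or insurer can carry it, otherwise modify the activity.
    At or below appetite: retain it as a conscious decision.
    """
    if residual > 2 * appetite:
        return "avoid"
    if residual > appetite:
        return "share" if transferable else "modify"
    return "retain"


def prioritize(register: list, appetite: float) -> list:
    """Return the register sorted by residual risk, highest first, with the
    scores, the chosen treatment and an attention flag attached to each entry."""
    scored = []
    for entry in register:
        residual = residual_score(entry["likelihood"], entry["impact"],
                                  entry["control_effectiveness"])
        scored.append({
            **entry,
            "inherent": inherent_score(entry["likelihood"], entry["impact"]),
            "residual": round(residual, 2),
            "treatment": choose_treatment(residual, appetite, entry["transferable"]),
            "needs_immediate_attention": residual > appetite,
        })
    return sorted(scored, key=lambda e: e["residual"], reverse=True)


# Constructed sample register; "transferable" means a contract/insurer could carry it.
SAMPLE_REGISTER = [
    {"id": "R1", "asset": "Customer database breach", "likelihood": 4, "impact": 5,
     "control_effectiveness": 0.5, "transferable": False},
    {"id": "R2", "asset": "Office fire", "likelihood": 2, "impact": 5,
     "control_effectiveness": 0.0, "transferable": True},
    {"id": "R3", "asset": "Legacy app with no vendor support", "likelihood": 5, "impact": 4,
     "control_effectiveness": 0.1, "transferable": False},
    {"id": "R4", "asset": "Intranet wiki outage", "likelihood": 3, "impact": 1,
     "control_effectiveness": 0.2, "transferable": False},
]


def demo(appetite: float = 6.0) -> list:
    """Rank the sample register against an assumed risk appetite of 6."""
    return prioritize(SAMPLE_REGISTER, appetite)


if __name__ == "__main__":
    for row in demo():
        print(row["id"], row["residual"], row["treatment"])
```

The ranked output is also the starting point for the risk-based audit plan described later in this chapter: audit time goes to the entries at the top of the list, and the "needs_immediate_attention" flag marks the items that exceed the organization's appetite.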

IS Auditing and Risk Management

IS auditors may participate in assessing and controlling new systems and technologies that are emerging in the business world. By applying a risk and audit framework for assessment and control, new methods of systems planning, development, deployment and operation can be introduced in a relatively safe manner. Questions you may ask here:

o Has an overall risk assessment been performed on critical information assets? If so, how recently was it performed or updated?
o Have risks previously identified been corrected? Are there remaining vulnerabilities that have not been addressed?

Risk-based Auditing
When performing audit assignments, there are usually two different approaches: the checklist approach vs. the risk-based approach.
Auditing using checklists is basically auditing without an appreciation of why the auditor is doing a particular task, and can be seen as auditing without an understanding of the risks involved in the business process.
On the other hand, with risk-based auditing, the auditor must have a thorough
understanding of the business process as well as the risks and controls in the
system for achieving the organization's goals. The risk-based audit plan is
specifically tuned to spend more time on the areas of highest risk and greatest
importance to the goals. Less time will be spent on areas of lower importance
and lower risk.


Risk Management Readings

Below is a list of HIGHLY RECOMMENDED REFERENCE READINGS. I strongly recommend that you go through all of them:

The New Risk Management
http://www.intekworld.com/Newsletters/vol3/10oct04/riskmanagement.htm

Failure in Risk Management
http://www.findarticles.com/p/articles/mi_m3937/is_2000_Jan/ai_62197034

Assessing Internet Security Risk, Part One: What is Risk Assessment?
http://www.securityfocus.com/infocus/1591

Trends: Rethinking risks
http://www.cioinsight.com/article2/0,1397,1458270,00.asp?kc=CTNKT0209KTX1K0100481

Project Management
Project Management involves decision-making and strategic risk. It is defined as the application of knowledge, skills, tools, and techniques to project activities in order to meet or exceed stakeholder needs and expectations from a project [7].

Project Management defined

Project management is not simply a technical subject. Instead, it is a business one. It involves balancing the competing demands of:
v scope
v time
v cost
v quality
v different stakeholders

[7] http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditPage!OpenDocument

To be precise, Project Management is the defining, planning, scheduling, and controlling of the tasks that must be completed to reach your goal, and the FAIR allocation of the resources to perform those tasks. A Project Performance audit, on the other hand, is an audit that helps you understand the current capability of your project management processes or staff, benchmark your business against best practice, and focus improvement for maximum effect.

Project Management and Audit

Remember, controlling the project is important because things never work out exactly as planned. To meet your goal, it is important that you stay on top of changes. This is where the audit function fits in.
To truly appreciate the relationship between IS audit and Project Management, I recommend that you read the following REAL LIFE Project Management audit documents that have been used by real-world government organizations / NGOs:

The Canadian Passport Office IRIS Project
http://www.ppt.gc.ca/publications/iris_oct99.aspx

Template - PM Audit Checklist
http://www.auditnet.org/docs/PMAuditQuestionnaire.pdf#search='PROJECT%20MANAGEMENT%20AUDIT'

Also, read the following document in depth. This is an excellent article that describes the complex relationship between Project Management, Risk Management and the Auditing function:
http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditE-businessrisksProjectMgmt!OpenDocument

By going through these documents, you will be able to tell exactly the role of the audit function in a project management context.

Change Management
Change Management Defined
You can think of Change Management as
v The task of managing change
v An area of professional practice
v A body of knowledge

One meaning of managing change refers to the making of changes in a planned, managed or systematic fashion, with the aim of more effectively implementing new methods and systems in an ongoing organization. These changes may be of the type over which the organization exercises little or no control, or of the type that is well planned.

As an area of professional practice, we see many independent consultants who acknowledge that they are change agents who manage change for their clients, and that their practices are change management practices. Stemming from the view of change management as an area of professional practice, there arises the third definition of change management: the subject matter of change management as a body of knowledge.

In fact, at the heart of change management we have the change problem: some future state to be realized, some current state to be left behind, and some process for getting from the one to the other. At the conceptual level, the change problem is a matter of moving from one state to another. At the practical level, changes and the change problems they present are problems of adaptation, in that they require the organization to adjust itself to an ever-changing set of circumstances.

Change management auditing, with respect to the IT control environment within an organization, is aimed at limiting unauthorized changes, errors and disruption from changes to essential IT assets, including computer applications and system platforms. A change management control system is therefore made available for setting out procedures to analyze, implement, and review changes to the information technology infrastructure.

Change Management strategies

Generally speaking, there is no single strategy for change management. One may adopt a general or "grand" strategy, but for any given initiative some mix of strategies is the best option.
Four strategies have been outlined in Fred Nickols's article "Change Management 101":

Strategy / Description

Rational-Empirical: People are rational and will follow their self-interest once it is revealed to them. Change is based on the communication of information and the proffering of incentives.

Normative-Reeducative: People are social beings and will adhere to cultural norms and values. Change is based on redefining and reinterpreting existing norms and values, and developing commitments to new ones.

Power-Coercive: People are basically compliant and will generally do what they are told or can be made to do. Change is based on the exercise of authority and the imposition of sanctions.

Environmental-Adaptive: People oppose loss and disruption but they adapt readily to new circumstances. Change is based on building a new organization and gradually transferring people from the old one to the new one.

The proper mix of strategies to be used can be determined by the following factors:

v Degree of Resistance
v The Stakes
v The Time Frame
v Expertise
v Dependency

Along the journey of making changes, there is a need to control the change process and the elements within it. Change control is often perceived as the part of the Change Management process where the audit function fits in.

Change Management VS Change Control VS Configuration Management

If we play with the textual definitions, one may argue that Change Management and Change Control are two totally different disciplines. In fact, in the field of Project Management, there tend to be differing understandings of these terms or expressions. The problems are compounded where participants are unfamiliar with project work and do not recognize the implicit context.

The term Change Management is normally used to mean the achievement of change in human behavior as part of an overall business solution. The term Change Control, which is often referred to as "Change Management", refers to the management process for requesting, reviewing, approving, carrying out and controlling changes to the project's deliverables.

Change Control is usually applied once the first version of a deliverable has been completed and agreed.

Sometimes people associate Change Control with Configuration Management, which is the technical and administrative control of the multiple versions or editions of a specific deliverable (particularly where the component has been changed after it was initially completed):

Configuration Management is the identification and maintenance of the configuration of a software product, throughout the product's life, and including both successive and parallel product versions, for the purpose of systematically controlling changes and thereby maintaining the product's integrity and traceability [8].

Change Control
Change Control is a technique for the management of modifications to existing application software. Compared with the reactiveness of Incident Reporting, Change Control recognizes the need for adaptation to externally imposed change, and looks for opportunities for internally instigated change. It is concerned not only with adaptation of an application's existing functions, but also with its extension to include new functions [9].

To know what change control exactly is, take a look at the following fragment of an audit report extracted from a real-world case:

[8] http://www.anu.edu.au/people/Roger.Clarke/SOS/ChgeCtl90.html
[9] Ibid.

Does the Department Adequately Manage the Maintenance and Updating of Its Critical Software?

Because of the dynamic nature of computer software, it's important to have a well organized system to manage the process of making changes. Large and complex computer programs are constantly in flux. As a result, computer programs remain works in progress long after they are put into daily use. However, if changes to the software aren't well organized and closely managed, the software can quickly become unreliable.

The Department places the responsibility for managing changes on the users, where it belongs. System changes are approved and monitored by several steering groups made up of users of the system from across the state, as well as representatives from the Department's programming staff. While programmers make the actual changes, users decide which changes need to be made and set priorities for the programmers.

Overall, the change control process needs to be better organized and documented. The system of user groups the Department uses to control the process is well designed. However, change control as a whole could be improved by adding more organization and better documentation. Specifically, the Department could improve its system by:

o developing written change control policies
o developing a policy requiring the system supervisor to approve in writing incorporation of software changes into the production software
o in the case of significant changes, requiring formal user acceptance tests before the final changes are allowed to be incorporated into the production software
o requiring staff to update user operation manuals when changes are made to the software
Change control is often perceived merely as a means of prolonging the life of an application; increasingly, it must be a proactive measure driven by business needs and initiated by functional managers. IS auditors help to check whether the IS control mechanisms needed by the change control process are in place and are properly followed.

Refer to the summary below for several more related terms:

In the context of IT, the term configuration management (configuration control) often refers to:
(i) the management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures and test documentation of an automated information system, throughout the development and operational life of the system, and
(ii) the control of changes, including the recording thereof, that are made to the hardware, software, firmware, and documentation throughout the system lifecycle.

Revision control (also known as version control) refers to the management of multiple revisions of the same unit of information. It is most commonly used in systems engineering and software development to manage the ongoing development of digital documents such as application source code. Changes are identified by incrementing an associated number or letter code, termed the "revision number", "revision level", or simply "revision", and associated historically with the person making the change.

Release Management is the discipline within software engineering of managing software releases. A release manager serves as a liaison between the various business units to ensure smooth and timely delivery of software products or updates. The release manager also holds the keys to production systems and takes responsibility for their quality and availability.

Key points to follow:

o Prior to changes being applied to the live environment, change requests should be documented through a change request form and accepted only from authorized individuals. All changes have to be approved by the application owner, and the possible impact of changes should be assessed in terms of overall risk and of the effect on other components of the application. Additionally, all changes should be tested and reviewed to ensure that they do not compromise security controls. Back-out positions should be established so that the changes can be backed out if they fail.
o Application changes should be performed by individuals who are capable of making changes correctly and securely, and be supervised by a specialist. Changes must also be signed off by the application owner.
o Arrangements should be made to ensure that once changes have been applied, version control is maintained and that details of changes are communicated to relevant individuals. Additionally, checks must be performed on a regular basis to confirm that only intended changes have been made, for example by using code comparison programs or by checking the before and after contents of key records, such as those in customer master files.
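One way to perform the "before and after" check on key records mentioned in the last point, as an added Python example that is not from the original guide: snapshots of a customer master file taken before and after a release are diffed record by record, and every changed record is matched against the records that approved change requests authorized; whatever is left over is an unauthorized change for the auditor to follow up. The CSV layout, the change request identifier CR-2041 and the sample records are constructed for the example.

```python
"""Compare before/after snapshots of a key file against approved changes.

Added example, not from the original study guide. The CSV layout, the change
request identifier and the sample records are constructed for illustration.
"""
import csv
import io

# Constructed snapshot of the customer master file before the release.
BEFORE = """id,name,credit_limit
1001,Alice Ltd,5000
1002,Bob Inc,12000
1003,Carol AG,800
"""

# Constructed snapshot after the release: 1002 changed, 1003 gone, 1004 new.
AFTER = """id,name,credit_limit
1001,Alice Ltd,5000
1002,Bob Inc,25000
1004,Dave SA,3000
"""

# Change request -> record ids that request authorized (constructed).
APPROVED = {"CR-2041": {"1002"}}


def load_records(text: str) -> dict:
    """Map the key column ("id") to the full row."""
    return {row["id"]: row for row in csv.DictReader(io.StringIO(text))}


def diff_records(before: dict, after: dict) -> dict:
    """Return the added, removed and modified record ids, sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def unauthorized_changes(diff: dict, approved: dict) -> list:
    """Every changed record not covered by an approved change request."""
    authorized = set().union(*approved.values())
    changed = diff["added"] + diff["removed"] + diff["modified"]
    return sorted(k for k in changed if k not in authorized)


def review(before_text: str = BEFORE, after_text: str = AFTER,
           approved: dict = APPROVED) -> tuple:
    """Run the comparison and return (diff, list of unauthorized record ids)."""
    diff = diff_records(load_records(before_text), load_records(after_text))
    return diff, unauthorized_changes(diff, approved)


if __name__ == "__main__":
    changes, unauthorized = review()
    print("changes:", changes)
    print("not covered by an approved change request:", unauthorized)
```

The same structure applies to comparing program source between releases: replace the record key with the file path and the row with the file's hash, and the "approved" set becomes the list of modules each change request was allowed to touch.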

From a pure software development point of view, Release Management is closely related to Change Control.

Questions you may ask concerning configuration management:

o Does your organization have a configuration control plan?
o Does your organization have a configuration control function or the equivalent to direct activities in this area? If so, does the configuration control function approve and record all changes to hardware, software, and firmware?
o Does your organization have network and system diagrams and a list of all system resources?
o Are only authorized individuals allowed to move and install computer equipment?

Application Program Development

Basic knowledge of database systems, data modeling, procedural programming and object-oriented programming is required under this knowledge domain.

Security is an issue that must be addressed in each phase of the development effort, not just at the end of development. Therefore, separation of duties has to be practiced all the time, and a programmer should never have direct access to code that is in production. Remember, separation of duties is always the correct answer!

General guidelines
Program development security is particularly important when there is proprietary software under development. The general guidelines are:

o Allow only the applications programmers to have access to application programs under development, and nothing else.
o Allow only systems programmers to have access to system programs under development, and nothing else.
o Allow only librarians to have write access to system and application libraries, and nothing else.
o Allow access to live data only through programs that are in the application libraries, and nothing else.
o Proper change controls must be in place if changes to program code are regularly required.

System change control

Changes must be authorized, tested and recorded. Changes should be approved only if they do not lower the security level of the system.

The change control sub-phases include:
- Request control
- Change control
- Release control

The change control process includes the following steps:
- Make a formal request for change
- Analyze the request
- Record the change request
- Submit the change request for approval
- Develop the change

Software development processes and models

System development life cycle (SDLC) refers to the process of developing information systems through investigation, analysis, design, implementation and maintenance. It is a systems approach to problem solving and is made up of several phases, including:

- Software concept
- Requirements analysis
- Architectural design
- Coding and debugging
- System testing

The Waterfall Model, a popular version of the systems development life cycle model for software engineering, includes the following phases:
- System requirements
- Software requirements
- Analysis
- Program design
- Coding
- Testing
- Operations & Maintenance

The waterfall model describes a development method that is linear and sequential. It offers distinct goals for each phase of development. The advantage is that it allows for departmentalization and managerial control. For example, a schedule can be set with deadlines for each stage of development, and a product can proceed through the development process step by step without much complexity. The disadvantage is that it does not allow for much reflection or revision. That is, once an application is in the testing stage, it is very difficult to go back and change something that was not well thought out in the concept stage.

The spiral model is a development model that combines elements of both design and prototyping-in-stages, in an effort to combine the advantages of the top-down approach and the bottom-up methodology. Under this model, each phase starts with a design goal and ends with the client reviewing the progress thus far. Analysis and engineering efforts are applied at each phase of the project, with an eye toward the overall end goal of the project.

The Chaos model is a structure of software development that extends the spiral model and the waterfall model. It notes that the phases of the life cycle apply to all levels of projects, from the whole project to individual lines of code. In fact, this model has several tie-ins with chaos theory:

o It helps explain why software is so unpredictable.
o It explains why high-level concepts like architecture cannot be treated independently of low-level lines of code.
o It provides a hook for explaining what to do next in terms of the chaos strategy.

Buy VS Make: Acquisition Management Methods

It is very common for an organization to purchase off-the-shelf or tailor-made software from outside. Because of this, it is important to investigate the acquisition process used by the organization to make sure it complies with the defined security guidelines and procedures. In fact, part of the contract/outsourcing process should include making sure that the security vendor's service levels are spelled out satisfactorily. A recommended way is to devise an evaluation matrix that lists the requirements of the organization and rates each service provider on how well they achieve each requirement.
If acquisition is conducted through bidding, certain controls over the bidding process should be in place. Here are the general guidelines:
o A formal bidding process should be open and fair, encourage competition, and provide the purchasing entity with the best product at the lowest possible price.
o Develop a checklist for the review of the various requirements for formal bids, including insurance, bonding, specifications, and evaluation and award.
o Establish a system to monitor compliance with the bid tabulation procedure, including the rules and controls for accepting bid changes after the bids are opened.
o Develop and implement an effective filing system for bid files.
o Require that all purchase specifications clearly state the bid evaluation criteria, and ascertain that staff use only the evaluation criteria included in the purchase specifications.
o Criteria for bids should be laid out in the request for proposal.
o A formal bidders list should be maintained.
o Bids should be opened and recorded by someone not involved in the bid evaluation process. Retain the bid envelope that shows the dates and times of bid receipt and opening, and file it with the other bid documents.

Technical Readings
There are 5 sections included in this part of the study guide. They cover the majority of technical topics that will be tested in the CISA/CISM exams. By going through all of them your readiness for the real exams can be reasonably assured.
- Section 1: Topics on security theory.
- Section 2: Topics on hacking, attacking, defending and auditing.
- Section 3: Topics on encryption and VPN.
- Section 4: Topics on responding to attacks.
- Section 5: Topics on viruses.

As a reminder: Biometrics is an important topic. Check out the various forms of biometrics technology described in this web page: http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm . Know their drawbacks and their impacts.

Slide 1

Technical Readings
for CISA/CISM candidates

Covering the technical elements of the 2005/06 objectives

Copyright 2005/06. All rights reserved.

212

Notes:

Slide 2

What is included in this study guide?


n

Thereare5sectionsincludedinthispartofthestudy
guide.Theycoverthemajorityoftechnicaltopicsthatwill
betestedintheCISA/CISMexams.Bygoingthroughall
ofthemyourreadinessoftherealexamscanbe
reasonablyassured.
q
q
q
q
q

Section1:Topicsonsecuritytheory.
Section2:TopicsonHacking,attacking,defendingandauditing.
Section3:TopicsonencryptionandVPN.
Section4:Topicsonrespondingtoattacks
Section5:Topicsonviruses.

Copyright 2005/06. All rights reserved.

213

Notes:

Slide 3

What is included? contd


n

Basically,wedidallthehomeworkforyou!We:
q

reviewedthemajorpreparationproductsavailableinthe
marketandidentifiedthemissingcriticalinformation
collectedandsummarizedthesemissingpiecesandpresents
themtoyouinaneasytofollowstyle

Copyright 2005/06. All rights reserved.

214

Notes:

Slide 4

Before you begin


n

Makesureyouhaveenoughtimebasedon
pastexperience,ittakesanaveragestudent
3fulldaysattheleasttogothroughallthe
sections.

Copyright 2005/06. All rights reserved.

215

Notes:

Slide 5

Before you begin


n

CopyrightInformation
q

Somecontentsofthisproductareextractedandrecompiled
fromthevariousLinuxSecurityHOWTOdocumentwhichis
copyrightedbyKevinFenziandDaveWreski,anddistributed
underthefollowingterms:
n

LinuxHOWTOdocumentsmaybereproducedanddistributedin
wholeorinpart,inanymedium,physicalorelectronic,aslongas
thiscopyrightnoticeisretainedonallcopies.Alltranslations,
derivativeworks,oraggregateworksincorporatinganyLinux
HOWTOdocumentsarecoveredunderthiscopyrightnotice.

Informationpresentedinthisproductis
platformindependent.Contenthasbeen
modifiedtofulfillthepurposeofthisproduct.
Copyright 2005/06. All rights reserved.

216

Notes:

Slide 6
Section 1
Security Theory

Slide 7
Section 1 Issue 1
Why Do We Need Security?
In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure. As your data goes from point A to point B on the Internet, for example, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, it. Even other users on your system may maliciously transform your data into something you did not intend. Unauthorized access to your system may be obtained by intruders, also known as "crackers", who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources.

Slide 8
Section 1 Issue 2
How Secure Is Secure?
First, keep in mind that no computer system can ever be completely secure. All you can do is make it increasingly difficult for someone to compromise your system. For the average home user, not much is required to keep the casual cracker at bay. However, for high-profile users (banks, telecommunications companies, etc.), much more work is required.

Slide 9
Section 1 Issue 2 (contd)
How Secure Is Secure?
Another factor to take into account is that the more secure your system is, the more intrusive your security becomes. You need to decide where in this balancing act your system will still be usable, and yet secure for your purposes. For instance, you could require everyone dialing into your system to use a callback modem to call them back at their home number. This is more secure, but if someone is not at home, it makes it difficult for them to log in. You could also set up your system with no network or connection to the Internet, but this limits its usefulness.

Slide 10
Section 1 Issue 2 (contd)
If you are a medium to large-sized site, you should establish a security policy stating how much security is required by your site and what auditing is in place to check it.

Slide 11
Section 1 Issue 3
What Are You Trying to Protect?
Before you attempt to secure your system, you should determine what level of threat you have to protect against, what risks you should or should not take, and how vulnerable your system is as a result. You should analyze your system to know what you're protecting, why you're protecting it, what value it has, and who has responsibility for your data and other assets.

Slide 12
Section 1 Issue 3 (contd)
Risk is the possibility that an intruder may be successful in attempting to access your computer. Can an intruder read or write files, or execute programs that could cause damage? Can they delete critical data? Can they prevent you or your company from getting important work done? Don't forget: someone gaining access to your account, or your system, can also impersonate you. Additionally, having one insecure account on your system can result in your entire network being compromised. If you allow a single user to log in using a .rhosts file, or to use an insecure service such as tftp, you risk an intruder getting 'his foot in the door'. Once the intruder has a user account on your system, or someone else's system, it can be used to gain access to another system, or another account.
Threat typically comes from someone with motivation to gain unauthorized access to your network or computer. You must decide whom you trust to have access to your system, and what threat they could pose.

Slide 13
Section 1 Issue 4
Types of intruders:
- The Curious: this type of intruder is basically interested in finding out what type of system and data you have.
- The Malicious: this type of intruder is out to either bring down your systems, or deface your web page, or otherwise force you to spend time and money recovering from the damage he has caused.
- The High-Profile Intruder: this type of intruder is trying to use your system to gain popularity and infamy. He might use your high-profile system to advertise his abilities.

Slide 14
Section 1 Issue 4 (contd)
- The Competition: this type of intruder is interested in what data you have on your system. It might be someone who thinks you have something that could benefit him, financially or otherwise.
- The Borrowers: this type of intruder is interested in setting up shop on your system and using its resources for their own purposes. He typically will run chat or IRC servers, porn archive sites, or even DNS servers.
- The Leapfrogger: this type of intruder is only interested in your system to use it to get into other systems. If your system is well connected or a gateway to a number of internal hosts, you may well see this type trying to compromise your system.

Slide 15
Section 1 Issue 5
Vulnerability
It describes how well protected your computer is from another network, and the potential for someone to gain unauthorized access. What's at stake if someone breaks into your system? Of course the concerns of a dynamic PPP home user will be different from those of a company connecting their machine to the Internet, or another large network.
How much time would it take to retrieve or recreate any data that was lost? An initial time investment now can save ten times more time later if you have to recreate data that was lost. Have you checked your backup strategy, and verified your data lately?

Slide 16
Section 1 Issue 6
Developing a Security Policy
Create a simple, generic policy for your system that your users can readily understand and follow. It should protect the data you're safeguarding as well as the privacy of the users. Some things to consider adding are: who has access to the system (Can my friend use my account?), who's allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system.

Slide 17
Section 1 Issue 6 (contd)
A generally accepted security policy starts with the phrase "That which is not permitted is prohibited". This means that unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access. Make sure the policies work on your regular user account. Saying, "Ah, I can't figure out this permissions problem, I'll just do it as root" can lead to security holes that are very obvious, and even ones that haven't been exploited yet.
RFC 1244 is a document that describes how to create your own network security policy (it has since been superseded by RFC 2196, the Site Security Handbook).
RFC 1281 is a document that shows an example security policy with detailed descriptions of each step.
Finally, you might want to look at the COAST policy archive at ftp://coast.cs.purdue.edu/pub/doc/policy to see what a real-life security policy looks like. There are policy files for public download.

Slide 18
Section 1 Issue 7
Means of Securing Your Site
What would happen to your reputation if an intruder deleted some of your users' data? Or defaced your web site? Or published your company's corporate project plan for next quarter? If you are planning a network installation, there are many factors you must take into account before adding a single machine to your network.
Even if you have a single dial-up PPP account, or just a small site, this does not mean intruders won't be interested in your systems. Large, high-profile sites are not the only targets; many intruders simply want to exploit as many sites as possible, regardless of their size. Additionally, they may use a security hole in your site to gain access to other sites you're connected to. Intruders have a lot of time on their hands, and can avoid guessing how you've obscured your system just by trying all the possibilities. There are also a number of reasons an intruder may be interested in your systems, as discussed under types of intruders above.

Slide 19
Section 1 Issue 8
Host Security
Perhaps the area of security on which administrators concentrate most is host-based security. This typically involves making sure your own system is secure, and hoping everyone else on your network does the same. Choosing good passwords, securing your host's local network services, keeping good accounting records, and upgrading programs with known security exploits are among the things the local security administrator is responsible for doing. Although this is absolutely necessary, it can become a daunting task once your network becomes larger than a few machines.

Slide 20
Section 1 Issue 9
Local Network Security
Network security is as necessary as local host security. With hundreds, thousands, or more computers on the same network, you can't rely on each one of those systems being secure. Ensuring that only authorized users can use your network, building firewalls, using strong encryption, and ensuring there are no "rogue" (that is, unsecured) machines on your network are all part of the network security administrator's duties.

Slide 21
Section 1 Issue 10
Security Through Obscurity
One type of security that must be discussed is "security through obscurity". This means, for example, moving a service that has known security vulnerabilities to a non-standard port in hopes that attackers won't notice it's there and thus won't exploit it. Rest assured that they can determine that it's there and will exploit it; a port scanner finds the service in seconds. Security through obscurity is no security at all. Simply because you may have a small site, or a relatively low profile, does not mean an intruder won't be interested in what you have.

Slide 22
Section 1 Issue 11
Physical Security
The first layer of security you need to take into account is the physical security of your computer systems. Who has direct physical access to your machine? Should they? Can you protect your machine from their tampering? Should you? How much physical security you need on your system is very dependent on your situation and/or budget.

Slide 23
Section 1 Issue 11 (contd)
If you are a home user, you probably don't need a lot (although you might need to protect your machine from tampering by children or annoying relatives). If you are in a lab, you need considerably more, but users will still need to be able to get work done on the machines. Many of the following sections will help out. If you are in an office, you may or may not need to secure your machine off-hours or while you are away. At some companies, leaving your console unsecured is a termination offense.
Obvious physical security methods such as locks on doors, cables, locked cabinets, and video surveillance are all good ideas, but beyond the scope of this document.

Slide 24
Section 1 Issue 12
Computer locks
Many modern PC cases include a "locking" feature. Usually this will be a socket on the front of the case that allows you to turn an included key to a locked or unlocked position. Case locks can help prevent someone from stealing your PC, or opening up the case and directly manipulating or stealing your hardware. They can also sometimes prevent someone from rebooting your computer from their own floppy or other hardware.

Slide 25
Section 1 Issue 12 (contd)
These case locks do different things according to the support in the motherboard and how the case is constructed. On many PCs they make it so you have to break the case to get the case open. On some others, they will not let you plug in new keyboards or mice. Check your motherboard or case instructions for more information. This can sometimes be a very useful feature, even though the locks are usually very low quality and can easily be defeated by attackers with locksmithing skills.
Some machines (most notably SPARCs and Macs) have a dongle on the back that, if you put a cable through it, forces attackers to cut the cable or break the case to get into it. Just putting a padlock or combination lock through these can be a good deterrent to someone stealing your machine.

Slide 26
Section 2
Hacking, attacking, defending and auditing

Slide 27
Section 2 Issue 1
To be able to defend and audit, you should know how to hack (think like a hacker).

Slide 28
Section 2 Issue 2
Packet Sniffers
One of the most common ways intruders gain access to more systems on your network is by employing a packet sniffer on an already compromised host. This "sniffer" just listens on the Ethernet port for things like passwd and login and su in the packet stream and then logs the traffic after that. This way, attackers gain passwords for systems they are not even attempting to break into. Cleartext passwords are very vulnerable to this attack.
Example: Host A has been compromised. The attacker installs a sniffer. The sniffer picks up the admin logging into Host B from Host C. It gets the admin's personal password as they log into B. Then the admin does a su to fix a problem; the attacker now has the root password for Host B. Later the admin lets someone telnet from his account to Host Z on another site. Now the attacker has a login and password on Host Z.

Slide 29
Section 2 Issue 2 (contd)
In this day and age, the attacker doesn't even need to compromise a system to do this: they could also bring a laptop or PC into a building and tap into your net. (On a switched network a passive sniffer sees only its own traffic, so the attacker typically adds ARP spoofing or a mirror port to get the rest.)
Using ssh or other encrypted password methods thwarts this attack. Things like APOP for POP accounts also prevent the password itself from being captured. (Normal POP logins are very vulnerable to this, as is anything that sends cleartext passwords over the network.)
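The sniffer-versus-APOP point above, as an added worked example (not from the original study guide or the Linux Security HOWTO it draws on): it greps a constructed, not captured, POP3 session for USER/PASS the way a sniffer would, then shows why an APOP login (RFC 1939: the client sends the MD5 of the server's timestamp banner followed by the shared secret) yields nothing a sniffer can reuse, because a replayed digest fails against a fresh banner. The function names, banner strings and secret are this example's own. The last function is the caveat a practitioner should know: APOP keeps the password off the wire, but an attacker who captured banner and digest can still run an offline dictionary attack against the MD5, so it is weaker than ssh or TLS.

```python
import hashlib
import re

# Constructed sample of what a sniffer on the same segment would see for a
# cleartext POP3 login (not a real capture). "S" = server line, "C" = client line.
CLEARTEXT_SESSION = [
    ("S", "+OK POP3 server ready <1896.697170952@mail.example.test>"),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS hunter2"),
    ("S", "+OK alice has 3 messages"),
]

BANNER_1 = "+OK POP3 server ready <1896.697170952@mail.example.test>"
BANNER_2 = "+OK POP3 server ready <1897.697171010@mail.example.test>"  # a later session
SECRET = "hunter2"  # shared secret known to alice and the server (constructed)


def harvest_credentials(session):
    """What the sniffer does: pull USER/PASS arguments out of client lines."""
    creds = {}
    for direction, line in session:
        if direction != "C":
            continue
        verb, _, arg = line.partition(" ")
        if verb.upper() in ("USER", "PASS"):
            creds[verb.upper()] = arg
    return creds


def apop_digest(banner, secret):
    """RFC 1939 APOP: MD5 of the server's timestamp (angle brackets included)
    immediately followed by the shared secret, as 32 lowercase hex digits."""
    m = re.search(r"<[^>]+>", banner)
    if not m:
        raise ValueError("banner carries no APOP timestamp")
    return hashlib.md5((m.group(0) + secret).encode()).hexdigest()


def apop_session(banner, user, secret):
    """The same login done with APOP: the secret never crosses the wire."""
    return [("S", banner), ("C", f"APOP {user} {apop_digest(banner, secret)}"), ("S", "+OK")]


def server_accepts(banner, secret, digest):
    """Server side: recompute the digest for this session's banner and compare."""
    return digest == apop_digest(banner, secret)


def replay_apop(captured_session, new_banner, secret):
    """Attacker replays the captured APOP line in a new session. The server's
    banner (timestamp) is different, so the old digest no longer matches."""
    for direction, line in captured_session:
        if direction == "C" and line.startswith("APOP "):
            _, _user, digest = line.split()
            return server_accepts(new_banner, secret, digest)
    return False


def offline_guess(captured_session, wordlist):
    """The caveat: with banner and digest in hand, MD5 is cheap to brute force."""
    banner = captured_session[0][1]
    digest = captured_session[1][1].split()[2]
    for candidate in wordlist:
        if apop_digest(banner, candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    print("cleartext POP3 leaks:", harvest_credentials(CLEARTEXT_SESSION))
    captured = apop_session(BANNER_1, "alice", SECRET)
    print("APOP leaks:", harvest_credentials(captured))
    print("replay accepted:", replay_apop(captured, BANNER_2, SECRET))
    print("offline guess:", offline_guess(captured, ["password", "letmein", "hunter2"]))
```

Run it and the cleartext session gives up alice's password outright, the APOP session gives up nothing directly and its digest is useless for replay, yet the dictionary attack recovers the secret from the captured pair in three guesses. That is the difference between hiding a password from a sniffer and actually protecting the session.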

Slide 30
Section 2 Issue 3
SATAN, ISS, and Other Network Scanners
There are a number of different software packages out there that do port- and service-based scanning of machines or networks. SATAN, ISS, SAINT, and Nessus are some of the more well known ones. This software connects to the target machine (or all the target machines on a network) on all the ports it can, and tries to determine what service is running there. Based on this information, you can tell if the machine is vulnerable to a specific exploit on that server.
SATAN (Security Administrator's Tool for Analyzing Networks) is a port scanner with a web interface. It can be configured to do light, medium, or strong checks on a machine or a network of machines. It's a good idea to get SATAN and scan your machine or network, and fix the problems it finds. Make sure you get your copy of SATAN from metalab or a reputable FTP or web site. There was a Trojan copy of SATAN that was distributed out on the net. Note that SATAN has not been updated in quite a while, and some of the other tools below might do a better job.

Slide 31
Section 2 Issue 3 (contd)
ISS (Internet Security Scanner) is another port-based scanner. It is faster than SATAN, and thus might be better for large networks. However, SATAN tends to provide more information.
Abacus is a suite of tools developed by Psionic to provide host-based security and intrusion detection.

Slide 32
Section 2 Issue 3 (contd)
SAINT is an updated version of SATAN. It is web based and has many more up-to-date tests than SATAN.
Nessus is a free security scanner. It has a graphical interface for ease of use. It is also designed with a very nice plugin setup for newly updated port scanning tests.

Slide 33
Section 2 Issue 3 (contd)
Security scanners are often used in the process of security auditing as well as footprinting.
Footprinting is the first step in the information gathering hackers do to perform a successful attack: one needs to gather information on all aspects of the prospective organization's security posture, the profile of its Internet presence, remote access capabilities, and intranet/extranet presence, etc.

Slide 34
Section 2 Issue 3 (contd)
Footprinting relies on information gathering. These are popular sources of such information:
- American Registry for Internet Numbers (ARIN)
- CERT/CC Finding Site Contacts
- InterNIC
- Network Operations Centers List
- Network Solutions
- US Securities and Exchange Commission
Enumeration is also an information gathering technique, but it is an intrusive one! It is the process of extracting valid user accounts, poorly protected file shares or other resources from a target system. This process is usually logged.

Slide 35
Section 2 Issue 3 (contd)
Security auditing performed before anything has happened typically involves the use of security scanners and other tools to test the security level of the network.

Slide 36
Section 2 Issue 3 (contd)
Security auditing performed after things have gone wrong typically involves the examination of the audit trail. However, the presence of rootkits and track-covering tools may hinder this process.
Rootkits are tools used by hackers to hide their presence on compromised systems. They are mostly collections of trojaned binaries that replace the common commands (ls, ps, netstat and the like), so the compromised host's own tools cannot be trusted to report what is running. Track-covering tools can wipe out the audit logs. Examples include Wipe and Zap. This is one reason to keep a copy of the logs on a separate, well-protected host.

Slide 37
Section 2 Issue 4
Detecting Port Scans
There are some tools designed to alert you to probes by SATAN and ISS and other scanning software. However, if you liberally use tcp_wrappers, and look over your log files regularly, you should be able to notice such probes. Even on the lowest setting, SATAN still leaves traces in the logs on a stock Red Hat system.
There are also "stealth" port scanners. A packet with the TCP ACK bit set (as is done with established connections) will likely get through a stateless packet filtering firewall. The returned RST packet from a port that had no established session can be taken as proof of life on that port. TCP wrappers will not detect this, because no connection is ever accepted; only a stateful filter or a network intrusion detection system sees it.
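Added example (not from the original page) of the two detections this slide describes, run over a constructed packet list rather than a live capture: a SYN sweep is flagged when one source touches many distinct ports within a short window, and an ACK probe is flagged when a segment with ACK set arrives for a client/port pair that never completed a handshake. The stateless_filter_allows function models the packet filter the slide mentions, which passes every ACK segment; the names, thresholds and sample addresses are this example's own assumptions.

```python
from collections import defaultdict, namedtuple

# One inbound TCP segment toward the protected host. t is seconds from start;
# flags is the TCP flag string ("S" = SYN only, "A" = ACK set, "SA" = SYN+ACK).
Packet = namedtuple("Packet", "t src dst dport flags")

PROTECTED_HOST = "10.0.0.5"
PUBLIC_PORTS = {80, 443}          # services this host is meant to publish

# Constructed traffic sample (not a capture): one normal web client, one
# source sweeping many ports with SYN, and one source probing with bare ACKs.
TRAFFIC = [
    Packet(0.0, "192.0.2.10", PROTECTED_HOST, 80, "S"),
    Packet(0.1, "192.0.2.10", PROTECTED_HOST, 80, "A"),
] + [
    Packet(1.0 + i * 0.05, "198.51.100.7", PROTECTED_HOST, port, "S")
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 111, 143, 443, 445])
] + [
    Packet(5.0, "203.0.113.9", PROTECTED_HOST, 22, "A"),
    Packet(5.1, "203.0.113.9", PROTECTED_HOST, 80, "A"),
]


def stateless_filter_allows(pkt):
    """The packet filter the slide describes: it gates new connections (SYN
    without ACK) to the published ports but passes anything with ACK set,
    since a stateless filter takes ACK to mean 'part of an established
    connection'. That is the hole an ACK scan walks through."""
    if "A" in pkt.flags:
        return True
    return pkt.dport in PUBLIC_PORTS


def detect_scans(traffic, window=10.0, port_threshold=5):
    """Flag SYN sweeps (many distinct ports from one source inside `window`
    seconds) and ACK probes (ACK for a client/port pair that never did a
    handshake). The latter is what tcp_wrappers cannot log: no connection is
    ever accepted, the kernel just answers RST, and that RST is the scanner's
    proof of life for the port."""
    syn_history = defaultdict(list)   # src -> [(t, dport)]
    half_open = set()                 # (src, dport) with a SYN seen
    established = set()               # (src, dport) with SYN then ACK seen
    alerts = {"syn_scan": {}, "ack_probe": []}
    for p in sorted(traffic, key=lambda p: p.t):
        key = (p.src, p.dport)
        if p.flags == "S":
            half_open.add(key)
            syn_history[p.src].append((p.t, p.dport))
            recent = {port for t, port in syn_history[p.src] if p.t - t <= window}
            if len(recent) >= port_threshold:
                alerts["syn_scan"][p.src] = sorted(recent)
        elif "A" in p.flags:
            if key in half_open:
                half_open.discard(key)
                established.add(key)
            elif key not in established:
                alerts["ack_probe"].append(key)
    return alerts


if __name__ == "__main__":
    passed = [p for p in TRAFFIC if stateless_filter_allows(p)]
    print(f"stateless filter passed {len(passed)} of {len(TRAFFIC)} packets")
    print(detect_scans(TRAFFIC))
```

On this sample the filter passes both bare-ACK probes (and, for what it is worth, the two SYNs the sweep sends to published ports), while the stateful check in detect_scans reports the sweep from 198.51.100.7 and both probes from 203.0.113.9. Real detectors age their state tables and key on the full four-tuple; the window and threshold here are illustrative.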

Slide 38
Section 2 Issue 5
Denial of Service Attacks
A "Denial of Service" (DoS) attack is one where the attacker tries to make some resource too busy to answer legitimate requests, or to deny legitimate users access to your machine.
Denial of service attacks have increased greatly in recent years.

Slide 39
Section 2 Issue 5 (contd)
There is no fixed format for DoS. In fact, there are many types of DoS attacks that are based on tons of different methods. A denial of service attack can be based on crashing routers, which makes a network inaccessible; crashing DNS servers, which prevents the use of domain names; congesting hosts with requests; etc. It can be anything that stops things from working.
A DoS attack is often used in conjunction with another attack (for example, to silence a trusted host while its address is being spoofed), but it can also be the attacker's whole objective.

Slide 40
Section 2 Issue 5 (contd)
SYN Flooding: SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are created: the server allocates state for each half-open connection when the SYN arrives, and the attacker never completes the handshake.
- Sometimes known as Synk4, after a widely circulated flooding tool.
- Systems which fall prey to the SYN flooding attack will have difficulty accepting any new incoming network connections. Therefore, legitimate users attempting to connect to the server will not be able to do so.

Slide 41
Section 2 Issue 5 (contd)
Pentium "F00F" Bug: it was discovered that a particular invalid instruction sequence (the bytes F0 0F C7 C8) executed on a genuine Intel Pentium processor locks up the CPU, so the machine hangs and must be reset. This affects every machine with a Pentium processor (not clones, not Pentium Pro or Pentium II), no matter what operating system it's running; operating systems have since shipped kernel workarounds.

Slide 42
Section 2 Issue 5 (contd)
Ping Flooding / Smurf / Fraggle: ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network.
- A variation on this attack, called "smurfing", sends ICMP echo requests to a network's broadcast address with your machine's address forged as the source, so every host on that network replies to you. The attacker's single packet is amplified many times over and the flood is harder to trace.
Smurf attacks are network amplification attacks. The Fraggle attack is similar to Smurf except that it uses UDP echo packets, not ICMP echoes.

Slide 43
Section 2 Issue 5 (contd)
Ping o' Death: the Ping o' Death attack sends ICMP ECHO REQUEST packets that are too large to fit in the kernel data structures intended to store them. Sending a single, large "ping" (65,510 bytes of data, which after fragmentation and reassembly exceeds the 65,535-byte IP maximum) to many systems will cause them to hang or even crash, so this problem was quickly dubbed the "Ping o' Death". This one has long been fixed, and is no longer anything to worry about.
Teardrop / NewTear: one of the exploits of that era involves a bug in the IP fragmentation code on Linux and Windows platforms.
- Teardrop is an attack that exploits a vulnerability found in some implementations of packet reassembly: fragments whose offsets overlap an earlier fragment.
- NewTear is a newer teardrop-type exploit which mainly affects NT4 and Win95.

Slide 44
Section 2 Issue 5 (contd)
Land / LaTierra: the Land attack uses IP spoofing in combination with the opening of a TCP connection. Both the source and destination IP addresses (and ports) are set to the same value, the address of the destination host. It misleads the machine into answering itself, continuing to send ACK packets and thus remaining in a loop. The LaTierra attack is similar except that LaTierra sends the TCP packet to more than one port and more than once.

Slide 45
Section 2 Issue 5 (contd)
Blast: a small and quick TCP service stress-test tool that can spot potential weaknesses in your network servers.
- It can be used as a tool for generating a DoS attack!
Bonk: an attack that modifies the fragment offset.
- Also known as "teardrop reversed".

Slide 46
Section 2 Issue 5 (contd)
There are many ways to protect oneself against DoS attacks. The most popular ways are:
- patching the networking code of the OS kernel (for SYN floods, enabling SYN cookies);
- configuring the network with protective devices such as firewalls, and filtering spoofed source addresses at the border (RFC 2827 ingress filtering).
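An added example, not part of the original guide, showing how the DoS signatures above (Land, Ping o' Death, Teardrop-style fragment overlap and SYN flooding) would be recognised from packet fields, applied to constructed packet records rather than a real capture. The field names, the victim address and the thresholds are this example's own assumptions; counting half-open connections is the simplest SYN-flood indicator, and a real detector would also age entries out over time.

```python
from collections import defaultdict, namedtuple

# One IP packet as the detector sees it. proto: "tcp" or "icmp"; flags: TCP
# flag string or "" for ICMP; frag_id: IP identification field; offset:
# fragment offset in bytes (the header's 8-byte units already multiplied out);
# length: payload bytes in this fragment; more: the More Fragments bit.
Pkt = namedtuple("Pkt", "t src dst proto sport dport flags frag_id offset length more")

MAX_IP_DATAGRAM = 65535
IP_HEADER_LEN = 20


def is_land(p):
    """Land: a SYN whose source and destination address *and* port are the
    victim's own, so the victim ends up talking to itself."""
    return p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport


def check_fragments(frags):
    """Findings for fragments sharing one (src, frag_id). Overlap is the
    Teardrop/Bonk/NewTear family (an offset that lands inside an earlier
    fragment, which naive reassembly code turned into a negative length);
    a reassembled size over 65535 is the Ping o' Death."""
    findings = []
    end = 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset < end:
            findings.append("overlapping fragment (Teardrop-style)")
        end = max(end, f.offset + f.length)
    if end + IP_HEADER_LEN > MAX_IP_DATAGRAM:
        findings.append("reassembled datagram exceeds 65535 bytes (Ping o' Death)")
    return findings


def half_open_by_port(traffic):
    """SYNs never followed by an ACK from the same client socket, per port.
    A large count from many distinct (usually spoofed) sources is a SYN flood."""
    pending = {}  # (src, sport, dport) -> SYN seen, no ACK yet
    for p in sorted(traffic, key=lambda p: p.t):
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport, p.dport)
        if p.flags == "S":
            pending[key] = True
        elif "A" in p.flags:
            pending.pop(key, None)
    counts = defaultdict(int)
    for (_src, _sport, dport) in pending:
        counts[dport] += 1
    return dict(counts)


def analyze(traffic, syn_flood_threshold=20):
    alerts = {"land": [], "fragments": {}, "syn_flood": {}}
    groups = defaultdict(list)
    for p in traffic:
        if is_land(p):
            alerts["land"].append((p.src, p.dport))
        if p.more or p.offset:
            groups[(p.src, p.frag_id)].append(p)
    for key, frags in groups.items():
        findings = check_fragments(frags)
        if findings:
            alerts["fragments"][key] = findings
    for dport, n in half_open_by_port(traffic).items():
        if n >= syn_flood_threshold:
            alerts["syn_flood"][dport] = n
    return alerts


VICTIM = "10.0.0.5"

def _tcp(t, src, sport, dport, flags):
    return Pkt(t, src, VICTIM, "tcp", sport, dport, flags, 0, 0, 0, False)

def _frag(src, frag_id, offset, length, more):
    return Pkt(0.0, src, VICTIM, "icmp", 0, 0, "", frag_id, offset, length, more)

# Constructed traffic (not a capture): two legitimate web connections, a Land
# packet, a Ping o' Death (only its first and last fragments shown), a
# Teardrop pair, and a 40-source SYN flood against port 80.
TRAFFIC = [
    _tcp(0.0, "192.0.2.10", 40001, 80, "S"), _tcp(0.1, "192.0.2.10", 40001, 80, "A"),
    _tcp(0.2, "192.0.2.11", 40002, 80, "S"), _tcp(0.3, "192.0.2.11", 40002, 80, "A"),
    _tcp(0.5, VICTIM, 139, 139, "S"),                                # Land
    _frag("198.51.100.9", 0x1234, 0, 1480, True),                    # Ping o' Death ...
    _frag("198.51.100.9", 0x1234, 65120, 400, False),                # ... ends at 65520 + 20 header
    _frag("198.51.100.9", 0x4242, 0, 36, True),                      # Teardrop: second fragment
    _frag("198.51.100.9", 0x4242, 24, 4, False),                     #   starts inside the first
] + [_tcp(1.0 + i * 0.01, f"203.0.113.{i + 1}", 50000 + i, 80, "S") for i in range(40)]

if __name__ == "__main__":
    print(analyze(TRAFFIC))
```

The two completed web sessions leave nothing pending, so only the flood shows up under syn_flood; the Land SYN is also pending on port 139 but a single entry is far below the threshold. Note that each fragment check is keyed on (source, identification), which is how a reassembly queue is keyed in the stack being attacked.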

Slide 47
Section 2 Issue 6
Firewalls
Firewalls are a means of controlling what information is allowed into and out of your local network. Typically the firewall host is connected to the Internet and your local LAN, and the only access from your LAN to the Internet is through the firewall. This way the firewall can control what passes back and forth between the Internet and your LAN.

Slide 48
Section 2 Issue 6 (contd)
There are a number of types of firewalls and methods of setting them up.
- Linux machines make pretty good firewalls. Firewall code can be built right into 2.0 and higher kernels. The user-space tools ipfwadm for 2.0 kernels and ipchains for 2.2 kernels (iptables on 2.4 and later) allow you to change, on the fly, the types of network traffic you allow. You can also log particular types of network traffic.
- Windows 2000 provides simple packet filtering functions.
- Windows XP provides Internet Connection Firewall.

Slide 49
Section 2 Issue 6 (contd)
Webopedia classifies firewall techniques as below:
- Packet filter: looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
- Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
- Circuit-level gateway: applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
- Proxy server: intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
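Added example (not the page's own material) tying the default-deny policy from Section 1 Issue 6 ("that which is not permitted is prohibited") to the packet filter described here: a first-match rule evaluator with a deny default, run against a naive rule set that trusts any packet carrying an internal source address, which is exactly the IP-spoofing weakness Webopedia mentions, and against the same rule set with an anti-spoofing rule placed in front. Interface names, networks, rules and test packets are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# A rule field set to "any" matches everything. iface is the interface the
# packet arrives on ("ext" = Internet side, "int" = LAN side).
Rule = namedtuple("Rule", "action iface proto src dst dport")
Packet = namedtuple("Packet", "iface proto src dst dport")

INTERNAL_NET = "10.0.0.0/8"
WEB_SERVER = "10.0.0.80"


def _in_net(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule, pkt):
    return (rule.iface in ("any", pkt.iface)
            and rule.proto in ("any", pkt.proto)
            and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst)
            and rule.dport in ("any", pkt.dport))


def decide(rules, pkt, default="deny"):
    """First matching rule wins. A packet no rule permits falls through to the
    default, and 'that which is not permitted is prohibited' means that
    default is deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Naive rule set: trust anything from an internal address, publish the web
# server to the world, deny the rest. It never asks *which interface* the
# internal address showed up on, so a forged internal source from outside
# is waved through.
NAIVE_RULES = [
    Rule("allow", "any", "any", INTERNAL_NET, "any", "any"),
    Rule("allow", "ext", "tcp", "any", WEB_SERVER, 80),
]

# Hardened: the same rules behind an anti-spoofing rule that drops packets
# arriving from the Internet side that claim an internal source address.
HARDENED_RULES = [Rule("deny", "ext", "any", INTERNAL_NET, "any", "any")] + NAIVE_RULES

# Constructed test packets.
SPOOFED = Packet("ext", "tcp", "10.0.0.9", "10.0.0.25", 25)          # forged internal source
LEGIT_WEB = Packet("ext", "tcp", "198.51.100.4", WEB_SERVER, 80)
UNPUBLISHED = Packet("ext", "tcp", "198.51.100.4", WEB_SERVER, 23)   # telnet: no rule, so denied
OUTBOUND = Packet("int", "tcp", "10.0.0.9", "198.51.100.4", 443)


if __name__ == "__main__":
    for name, pkt in [("spoofed", SPOOFED), ("legit web", LEGIT_WEB),
                      ("unpublished", UNPUBLISHED), ("outbound", OUTBOUND)]:
        print(f"{name:12} naive={decide(NAIVE_RULES, pkt):5} "
              f"hardened={decide(HARDENED_RULES, pkt)}")
```

Rule order matters in a first-match filter: the anti-spoofing deny only works because it precedes the blanket "allow internal" rule. The same idea in ipchains or iptables is a DENY/DROP rule on the external interface for the internal prefix, placed before the accept rules.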

Slide 50
Section 2 Issue 6 (contd)
The National Institute of Standards and Technology has put together an excellent document on firewalls. Although dated 1995, it is still quite good (http://csrc.nist.gov/).

Slide 51
Section 2 Issue 7
BIOS Security
The BIOS is the lowest level of software that configures or manipulates your x86-based hardware. All boot methods access the BIOS to determine how to boot up your machine. Other hardware has similar software (OpenFirmware on Macs and new Suns, Sun boot PROM, etc.). You can use your BIOS to prevent attackers from rebooting your machine and manipulating your system. Many PC BIOSes let you set a boot password. This doesn't provide all that much security (the BIOS can be reset, or removed if someone can get into the case), but might be a good deterrent (i.e. it will take time and leave traces of tampering). This might slow attackers down.

Slide 52
Section 2 Issue 7 (contd)
Many x86 BIOSes also allow you to specify various other good security settings. Check your BIOS manual or look at it the next time you boot up. For example, some BIOSes disallow booting from floppy drives and some require passwords to access some BIOS features.
Note: if you have a server machine, and you set up a boot password, your machine will not boot up unattended. Keep in mind that you will need to come in and supply the password in the event of a power failure.

Slide 53
Section 2 Issue 8
DLL Injection
A method of inserting malicious code into another running process so that access to some otherwise restricted piece of information is possible; the injected code runs with the privileges and in the memory space of the target process.

Slide 54
Section 2 Issue 9
Back Door
An easy route back into an already compromised system that was put in place by the current attacker or a previous attacker. It may be a program that binds itself to a specific port and listens for the attacker to connect to it, or a pre-tested exploit that is configured by the attacker for future reuse.

Slide 55
Section 2 Issue 10
Privilege escalation
The stage of penetration that occurs AFTER an attacker has already gained access to a system. It aims at gaining administrator-level privileges on the system.

Slide 56
Section 2 Issue 11
Wardialing
Attack through the phone system. Wardialers were originally developed by and for phone phreaks seeking free long-distance service. They are well suited to the task of scanning and finding modems for possible network entry.
Examples include:
- TeleSweep Secure
- PhoneSweep
- THC-Scan

Slide 57
Section 2 Issue 12
Purloining and Pilfering
Often referred to as image and bandwidth theft. Digital watermarking is one way to protect against image theft.

Slide 58
Section 3
Encryption and VPN

Slide 59
Section 3 Issue 1
VPNs: Virtual Private Networks
VPNs are a way to establish a "virtual" network on top of some already existing network. This virtual network often is encrypted and passes traffic only to and from some known entities that have joined the network. VPNs are often used to connect someone working at home over the public Internet to an internal company network.
VPNs use authenticated links to ensure that only authorized users can connect to your network, and they use encryption to ensure that data that travels over the Internet can't be intercepted and used by others. VPN technology also allows a corporation to connect to its branch offices or to other companies over a public network while maintaining secure communications.
In Windows 2000, VPNs are built using PPTP or L2TP.

Slide 60
Section 3 Issue 1 (contd)
Point-to-Point Tunneling Protocol (PPTP) provides data encryption using Microsoft Point-to-Point Encryption (MPPE).
Layer Two Tunneling Protocol (L2TP) provides data encryption, authentication, and integrity using IPSec.
- PPTP is suitable for non-Windows 2000 (older) clients.
- L2TP is suitable for Windows 2000 or Windows XP clients.
If you want to try out configuring a VPN with Windows 2000, read MS KB article 308208.

Slide 61
Section 3 Issue 2
According to Webopedia, "As the Internet and other forms of electronic communication become more prevalent, electronic security is becoming increasingly important. Cryptography is used to protect e-mail messages, credit card information, and corporate data. One of the most popular cryptography systems used on the Internet is Pretty Good Privacy because it's effective and free. Cryptography systems can be broadly classified into symmetric-key systems that use a single key that both the sender and recipient have, and public-key systems that use two keys, a public key known to everyone and a private key that only the recipient of messages uses."

Slide 62
Section 3 Issue 3
CA
Certification authorities are responsible for managing certificate requests and issuing certificates to participating IPSec network peers. These services provide centralized key management for the participating peers and simplify administration.

Slide 63
Section 3 Issue 4
Digital signatures
- Digital signatures are enabled by public-key cryptography and provide a means to digitally authenticate devices and individual users.
- In public-key cryptography, each user has a key pair containing both a public and a private key. Anything encrypted with one of the keys can be decrypted with the other.
- In simple terms, a signature is formed when (a digest of) the data is encrypted with the user's private key. The receiver verifies the signature by decrypting it with the sender's public key and comparing the result with a fresh digest of the data.
- The fact that the signature could be decrypted using the sender's public key shows that the holder of the private key must have created it.

Slide 64
Section 3 Issue 4 (contd)
How can you know with a high degree of certainty that a public key really does belong to the sender, and not to someone pretending to be the sender?
- Use digital certificates. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department or IP address. It also contains a copy of the entity's public key.

Slide 65
Section 3 Issue 4 (contd)
Since the certificate is itself signed by a certification authority, it can be trusted to the extent that the CA is trusted. To be able to validate the CA's signature, the receiver must know the CA's public key. This is usually handled out of band or through an operation done at installation.
Without digital signatures, one must manually exchange public keys or pre-shared secrets between each pair of peers that use IPSec to protect communications between them.
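Added example, not from the study guide, that walks through Issues 3 and 4 in code: a textbook RSA key pair (toy keys generated from a fixed seed, with no padding, so not for real use), a signature formed by "encrypting" a SHA-256 digest with the private key and verified with the public key, and a certificate in which a CA signs a subject name together with the subject's public key so that a receiver who knows only the CA's public key can validate the chain. The certificate layout, function names and key sizes are this example's assumptions. It needs Python 3.8 or later for the three-argument pow used to compute the modular inverse.

```python
import hashlib
import json
import random

# Fixed seed so the toy keys are reproducible. Textbook RSA with no padding:
# fine for showing the mechanics, never for real use.
_rng = random.Random(2005)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with the example's seeded generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def keygen(bits=512):
    """Returns (public, private); each half is its own dict."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256 bits, always < n


def sign(private, data):
    """'Encrypt' the digest with the private key."""
    return pow(_digest(data), private["d"], private["n"])


def verify(public, data, signature):
    """'Decrypt' with the public key and compare against a fresh digest."""
    return pow(signature, public["e"], public["n"]) == _digest(data)


def _cert_bytes(cert):
    return json.dumps(cert, sort_keys=True).encode()


def issue_certificate(ca_private, subject, subject_public):
    """The CA binds a name to a public key by signing the two together."""
    cert = {"subject": subject, "n": subject_public["n"], "e": subject_public["e"]}
    return {"cert": cert, "ca_sig": sign(ca_private, _cert_bytes(cert))}


def verify_chain(ca_public, signed_cert, data, signature):
    """Receiver knows only the CA's public key (installed out of band): check
    the CA's signature on the certificate, then use the key carried in the
    certificate to check the message signature."""
    cert = signed_cert["cert"]
    if not verify(ca_public, _cert_bytes(cert), signed_cert["ca_sig"]):
        return False
    return verify({"n": cert["n"], "e": cert["e"]}, data, signature)


CA_PUB, CA_PRIV = keygen()
ALICE_PUB, ALICE_PRIV = keygen()
ROGUE_CA_PUB, ROGUE_CA_PRIV = keygen()     # an issuer the receiver does not trust

if __name__ == "__main__":
    msg = b"transfer 100 to bob"
    sig = sign(ALICE_PRIV, msg)
    cert = issue_certificate(CA_PRIV, "alice", ALICE_PUB)
    print("signature verifies:", verify(ALICE_PUB, msg, sig))
    print("tampered message verifies:", verify(ALICE_PUB, b"transfer 1000 to bob", sig))
    print("chain via trusted CA:", verify_chain(CA_PUB, cert, msg, sig))
    rogue = issue_certificate(ROGUE_CA_PRIV, "alice", ALICE_PUB)
    print("chain via rogue CA:", verify_chain(CA_PUB, rogue, msg, sig))
```

Two points the slides state in prose are visible here: a certificate from an issuer whose public key the receiver was not given is worthless even though it carries the right key, and changing one byte of the message (or the subject name inside the certificate) makes the recomputed digest differ from what the signature decrypts to.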

Slide 66

Section 3 Issue 5
n

Legalissues
q

Becarefulwhendeployingcryptographytechnology
overseas.Accordingto W ebopedia,"PGPissuchan
effectiveencryptiontoolthattheU.S.governmentactually
broughtalawsuitagainstZimmermanforputtingitinthe
publicdomainandhencemakingitavailabletoenemiesof
theU.S.Afterapublicoutcry,theU.S.lawsuitwasdropped,
butitisstillillegaltousePGPinmanyothercountries."
Bytheway,ifyouwanttolearnmoreaboutPGP,referto
itsofficialhomepageatPGPI.ORG.

Copyright 2005/06. All rights reserved.

66

277

Notes:

Slide 67

Section 4

Respondingtoattacks

Copyright 2005/06. All rights reserved.

67

278

Notes:

Slide 68

Section 4 Issue 1

Security compromise underway

Spotting a security compromise underway can be a tense undertaking. How you react can have large consequences. If the compromise you are seeing is a physical one, odds are you have spotted someone who has broken into your home, office or lab. You should notify your local authorities. In a lab, you might have spotted someone trying to open a case or reboot a machine. Depending on your authority and procedures, you might ask them to stop, or contact your local security people.

Slide 69

Section 4 Issue 1 (cont'd)

Detecting physical security compromises

- The first thing to always note is when your machine was rebooted. The only times your machine should reboot are when you take it down for OS upgrades, hardware swapping, or the like. If your machine has rebooted without you doing it, that may be a sign that an intruder has compromised it. Many of the ways that your machine can be compromised require the intruder to reboot or power off your machine.
- Check for signs of tampering on the case and in the computer area.
- Although many intruders clean traces of their presence out of the logs, it is a good idea to check through them all and note any discrepancy.
- It is also a good idea to store log data at a secure location, such as a dedicated log server within your well-protected network. Once a machine has been compromised, the log data on that machine becomes of little use, as it has most likely also been modified by the intruder.

Slide 70

Section 4 Issue 1 (cont'd)

The syslog daemon can be configured to automatically send log data to a central syslog server, but this is typically sent unencrypted, allowing an intruder to view the data as it is being transferred. This may reveal information about your network that is not intended to be public. There are syslog daemons available that encrypt the data as it is being sent. Also be aware that faking syslog messages is easy; an exploit program for doing so has been published. The traditional protocol carries no authentication of the sender, and syslog even accepts network log entries claiming to come from the local host without indicating their true origin, so a remote log is only as trustworthy as the network path it arrived over.

Slide 71

Section 4 Issue 1 (cont'd)

Some things to check for in your logs:

- Short or incomplete logs.
- Logs containing strange timestamps.
- Logs with incorrect permissions or ownership.
- Records of reboots or restarting of services.
- Missing logs.
- su entries or logins from strange places.
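The checklist above turned into a small scanner, as an added example that is not part of the guide and is not a real syslog tool: it reads traditional BSD-format syslog lines and flags each item on the list. The log lines, host name, users and addresses are constructed (203.0.113.0/24 is a documentation range), as is the site policy it applies: admins log in from 10.0.0.0/8, only "deploy" may su to root, and a silence of more than four hours is treated as a possible gap. The permissions and ownership check takes the stat fields as integers so it can be shown without a real file.

```python
"""Added example: run the slide's checklist over syslog lines in the traditional BSD format.
Flags timestamps that run backwards or leave unexplained gaps, reboots and service restarts,
su to root by unexpected users, logins from outside the expected networks, and (separately)
bad ownership or permissions on a log file. Stdlib only; all sample data is constructed."""
import ipaddress
import re
import stat
from datetime import datetime, timedelta

# Constructed sample log; hostnames, users and addresses are invented (203.0.113.0/24 is a
# documentation range). The last line is deliberately truncated.
SAMPLE_LOG = """\
Mar 12 02:10:01 web1 sshd[4021]: Accepted publickey for deploy from 10.0.5.12 port 51022 ssh2
Mar 12 02:10:05 web1 su: (to root) deploy on pts/0
Mar 12 02:12:44 web1 sshd[4101]: Accepted password for root from 203.0.113.7 port 40112 ssh2
Mar 12 01:55:00 web1 su: (to root) nobody on pts/1
Mar 12 09:30:13 web1 kernel: Linux version 2.4.22 (root@build) booting
Mar 12 09:30:20 web1 syslogd 1.4.1: restart.
Mar 12 09:31:02 web1 sshd[611]: Server listening on 0.0.0.0 port 22.
Mar 12 09:31
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
SU_RE = re.compile(r"^\(to (?P<target>\w+)\) (?P<user>\w+) on ")
RESTART_RE = re.compile(r"Linux version|restart|Server listening|reboot", re.I)

# Site policy, assumed for the example: where admins come from, who may become root,
# and how long a silence is before it is suspicious.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_ROOT_USERS = {"deploy"}
MAX_GAP = timedelta(hours=4)

def parse(line, year=2006):
    """Return a dict with ts/host/tag/msg, or None for a line that does not parse (e.g. truncated)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def check_log(text):
    """Return a list of (category, line) findings, one per checklist hit."""
    findings, prev_ts = [], None
    for raw in text.splitlines():
        rec = parse(raw)
        if rec is None:
            findings.append(("incomplete-line", raw))           # short or incomplete logs
            continue
        if prev_ts is not None:
            if rec["ts"] < prev_ts:
                findings.append(("timestamp-backwards", raw))   # strange timestamps
            elif rec["ts"] - prev_ts > MAX_GAP:
                findings.append(("gap-in-log", raw))            # entries possibly deleted
        prev_ts = rec["ts"]
        if RESTART_RE.search(rec["msg"]):
            findings.append(("reboot-or-restart", raw))
        login = LOGIN_RE.search(rec["msg"])
        if login:
            ip = ipaddress.ip_address(login["ip"])
            if login["user"] == "root" or not any(ip in net for net in TRUSTED_NETS):
                findings.append(("login-from-strange-place", raw))
        su = SU_RE.match(rec["msg"])
        if su and su["target"] == "root" and su["user"] not in EXPECTED_ROOT_USERS:
            findings.append(("unexpected-su", raw))
    return findings

def check_log_metadata(mode, uid, gid, expected_uid=0, expected_gid=0):
    """Flag a log file that is group/world writable or not owned by the logging account.
    Takes the st_mode/st_uid/st_gid integers (e.g. from os.stat) so it runs without a filesystem."""
    problems = []
    if uid != expected_uid or gid != expected_gid:
        problems.append("ownership")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable-by-others")
    return problems

if __name__ == "__main__":
    for category, line in check_log(SAMPLE_LOG):
        print(f"{category:26} {line}")
    print(check_log_metadata(0o666, 1000, 0))
```

On the sample the scanner reports the root login from outside the trusted network, the clock jumping backwards, the su to root by "nobody", a seven-hour silence followed by a kernel boot banner, the syslogd and sshd restarts, and the truncated last line. Note what it cannot do: a forged syslog entry (slide 70) parses perfectly well, so findings are leads to verify against the machine itself and against the copy on the log host, not proof.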

Slide 72

Section 4 Issue 1 (cont'd)

If you have detected a local user trying to compromise your security, the first thing to do is confirm they are in fact who you think they are. Check the site they are logging in from. Is it the site they normally log in from? No? Then use a non-electronic means of getting in touch. For instance, call them on the phone or walk over to their office or house and talk to them. If they agree that they are on, you can ask them to explain what they were doing or tell them to cease doing it. If they are not on, and have no idea what you are talking about, odds are this incident requires further investigation. Look into such incidents, and have lots of information before making any accusations.

If you have detected a network compromise, the first thing to do (if you are able) is to disconnect your network. If they are connected via modem, unplug the modem cable; if they are connected via Ethernet, unplug the Ethernet cable. This will prevent them from doing any further damage, and they will probably see it as a network problem rather than detection. Follow your incident procedures when you do this: pulling the cable also ends your view of the attacker's live connections, so note the active sessions and connections first if there is time.

Slide 73

Section 4 Issue 1 (cont'd)

If you are unable to disconnect the network (if you have a busy site, or you do not have physical control of your machines), the next best step is to use something like tcp_wrappers or ipfwadm to deny access from the intruder's site.

If you can't deny all people from the same site as the intruder, locking the user's account will have to do. Note that locking an account is not an easy thing: you have to keep in mind .rhosts files, FTP access, and a host of possible backdoors that let the intruder back in without the password you just disabled.

After you have done one of the above (disconnected the network, denied access from their site, and/or disabled their account), you need to kill all their user processes and log them off.

You should monitor your site well for the next few minutes, as the attacker will try to get back in, perhaps using a different account and/or from a different network address.

Slide 74

Section 4 Issue 2

Security compromise has already happened

So you have either detected a compromise that has already happened, or you have detected it and locked (hopefully) the offending attacker out of your system. Now what?

Closing the hole

If you are able to determine what means the attacker used to get into your system, you should try to close that hole. For instance, perhaps you see several FTP entries just before the user logged in. Disable the FTP service, and check whether there is an updated version or whether any of the security mailing lists know of a fix.

Check all your log files, and make a visit to your security lists and pages to see if there are any new common exploits you can fix.

Slide 75

Section 4 Issue 2 (cont'd)

Assessing the damage

The first thing is to assess the damage. What has been compromised? If you are running an integrity checker like Tripwire, you can use it to perform an integrity check; it should help to tell you what has been compromised, provided its baseline database was kept somewhere the intruder could not alter it. If not, you will have to look around at all your important data. Since systems are getting easier and easier to install, you might consider saving your config files, wiping your disk(s), reinstalling, then restoring your user files and your config files from backups. This will ensure that you have a new, clean system. If you have to restore files from the compromised system, be especially cautious of any binaries that you restore, as they may be Trojan horses placed there by the intruder.

Slide 76

Section 4 Issue 2 (cont'd)

Reinstallation should be considered mandatory once an intruder has obtained root access. Additionally, you would like to keep any evidence there is, so having a spare disk in the safe may make sense: rebuild onto the spare and preserve the compromised disk unchanged.

Then you have to worry about how long ago the compromise happened, and whether the backups hold any damaged work. More on backups later.

Slide 77

Section 4 Issue 2 (cont'd)

Backups, backups, backups!

Having regular backups is a godsend for security matters. If your system is compromised, you can restore the data you need from backups. Of course, some data is valuable to the attacker too, and they will not only destroy it, they will steal it and have their own copies; but at least you will still have the data.

Slide 78

Section 4 Issue 2 (cont'd)

You should check several backups back into the past before restoring a file that has been tampered with. The intruder could have compromised your files long ago, and you could have made many successful backups of the compromised file!

Of course, there is also a raft of security concerns with backups. Make sure you are storing them in a secure place. Know who has access to them. (If an attacker can get your backups, they can have access to all your data without you ever knowing it.)
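How the integrity checker of slide 75 and the "look several backups back" advice of this slide fit together, as an added example that is not part of the guide and is not Tripwire itself: a baseline of SHA-256 hashes taken while the system was known good, a comparison that reports modified, added and missing files, and a search backwards through backup generations for the newest copy that still matches the baseline. The file names, contents and backup labels are constructed, and in-memory dictionaries stand in for the filesystem and the backup media.

```python
"""Added example: a Tripwire-style integrity check against a baseline of file hashes, then
choosing which backup generation is safe to restore from. Stdlib only; the "files" are
constructed in-memory path -> bytes dictionaries standing in for a real filesystem."""
import hashlib

def fingerprint(contents):
    return hashlib.sha256(contents).hexdigest()

def take_baseline(files):
    """files: path -> bytes. Returns path -> sha256. The result is only useful if it is kept
    where the intruder cannot rewrite it (read-only media or a separate, trusted host)."""
    return {path: fingerprint(data) for path, data in files.items()}

def integrity_check(baseline, current):
    """Compare the live system to the baseline: which files changed, appeared, or vanished."""
    now = take_baseline(current)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "added": sorted(p for p in now if p not in baseline),
        "missing": sorted(p for p in baseline if p not in now),
    }

def last_clean_generation(baseline, generations, path):
    """generations: list of (label, files) ordered oldest to newest. Return the label of the
    newest backup whose copy of `path` still matches the baseline, or None if every copy carries
    the tampered version (then the only clean source is the install media)."""
    for label, files in reversed(generations):
        if path in files and fingerprint(files[path]) == baseline.get(path):
            return label
    return None

def demo():
    """Constructed scenario: /bin/login was trojaned two nights ago, a rootkit file was added
    and a log was deleted; the nightly backups taken since the trojan went in all carry it."""
    clean = {"/bin/login": b"login v1", "/usr/sbin/sshd": b"sshd v1",
             "/etc/passwd": b"root:x:0:0", "/var/log/wtmp": b"login records"}
    baseline = take_baseline(clean)                     # taken while the system was known good
    compromised = {"/bin/login": b"login v1 + backdoor", "/usr/sbin/sshd": b"sshd v1",
                   "/etc/passwd": b"root:x:0:0", "/usr/lib/.hidden": b"rootkit"}
    report = integrity_check(baseline, compromised)
    generations = [
        ("mon", dict(clean)),
        ("tue", dict(clean)),
        ("wed", {**clean, "/bin/login": b"login v1 + backdoor"}),
        ("thu", {**clean, "/bin/login": b"login v1 + backdoor"}),
    ]
    return report, last_clean_generation(baseline, generations, "/bin/login")

if __name__ == "__main__":
    report, safe = demo()
    print(report)
    print("restore /bin/login from backup:", safe)
```

The search stops at "tue": the two most recent backups were made faithfully every night and both faithfully preserve the trojaned login binary, which is exactly the trap the slide warns about. Restoring the newest backup would reinstall the backdoor. Without a trusted baseline there is no way to tell the generations apart by looking at them, which is the argument for both the integrity checker and for keeping its database off the machine it checks.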

Slide 79

Section 4 Issue 2 (cont'd)

Tracking down the intruder

OK, you have locked the intruder out and recovered your system, but you're not quite done yet. While it is unlikely that most intruders will ever be caught, you should report the attack.

You should report the attack to the admin contact at the site from which the attacker attacked your system. You can look up this contact with whois or the InterNIC database. You might send them an email with all applicable log entries and dates and times. If you spotted anything else distinctive about your intruder, you might mention that too. After sending the email, you should (if you are so inclined) follow up with a phone call. If that admin in turn spots your attacker, they might be able to talk to the admin of the site where they are coming from, and so on.

Slide 80

Section 4 Issue 2 (cont'd)

Good crackers often use many intermediate systems, some (or many) of which may not even know they have been compromised. Trying to track a cracker back to their home system can be difficult. Being polite to the admins you talk to can go a long way to getting help from them.

You should also notify any security organizations you are a part of (CERT or similar), as well as your system vendor.

Slide 81

Section 5

Virus

Slide 82

Section 5 Issue 1

Computer virus: a computer program which reproduces itself through legitimate processes in computer programs and operating systems. It can alter the behavior of a program or operating system without the knowledge of computer users.

- It is itself written with malicious purposes in mind.

Slide 83

Section 5 Issue 2

To know the latest info on the various viruses, visit the following web sites:

- WildList Organization International, the world's premier source of information on which viruses are spreading In the Wild (http://www.wildlist.org/).
- The Virus Bulletin, an international antivirus publication that keeps track of the occurrence of computer viruses (http://www.virusbtn.com/).

Slide 84

Section 5 Issue 3

Virus experts in general prefer to categorize viruses by:

- their behaviors
- the affected operating system platforms
- the type of programming languages used to develop them

Slide 85

Section 5 Issue 4

A majority of early viruses were program viruses that infected programs ending in the .COM and .EXE file extensions. They infect executable files by placing their programming instructions inside the other programs.

- They do NOT infect .BAT files, since .BAT files are simply text-based scripts. They can be embedded into .BAT files for execution, though.
- Because they live in ordinary files under the running operating system, they are within reach of file-scanning antivirus software and cannot bypass it the way boot sector viruses can (see Issue 6).

Slide 86

Section 5 Issue 5

Script viruses appeared once scripting languages such as Microsoft Visual Basic Script and JavaScript became commonplace.

Macro viruses mostly affect business software, such as MS Office. Macros let users automate a series of commands inside documents or spreadsheets. Macro instructions can easily be modified by viruses to perform erratic behaviors.

All these viruses can be detected by present-day antivirus software packages.

Slide 87

Section 5 Issue 6

Boot sector viruses infected the hidden startup programs built into diskette media and hard drives.

- Since they start before the operating system is loaded, they can easily bypass antivirus software that runs under the operating system.

Slide 88

Section 5 Issue 7
Tofurtherspreadviruses,viruswriters
developedTrojanhorsesprogramsthat
trickusersintostartingthemandtheninstall
malicioussoftware.
n Hybridvirusesareanothertypeoflatest
inventions.Theycanactinmorethanone
wayasanexample,anInternetwormmay
beabletoinfectprogramfiles.
n

Copyright 2005/06. All rights reserved.

88

299

Notes:

Slide 89

Section 5 Issue 8

Melissa

- A very famous virus.
- Appearing in March 1999, it spread quickly and caused massive trouble worldwide. In fact, Microsoft had to shut down four out of six incoming mail servers under the strain produced by Melissa.

Slide 90

Congratulations!

You have completed all the sections.

For the latest product information, please visit our web site:

www.ExamREVIEW.NET

Excellent public resources

Some of these web resources may have expired at the time you read this document. If so, please do a web search through Yahoo or Google using the resource title as the search subject. Good luck.

Know biometrics. Biometrics is an important topic. Check out the various forms of biometrics technology described in this web page: http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm . Know their drawbacks and their impacts.

Other recommended readings (primarily from NIST) include:

April 21, 2006: Draft Special Publication 800-92, Guide to Computer Security Log Management
http://csrc.nist.gov/publications/drafts/DRAFT-SP800-92.pdf

This document provides detailed information on developing, implementing, and maintaining effective log management practices throughout an enterprise. It includes guidance on establishing a centralized log management infrastructure, which includes hardware, software, networks, and media. It also discusses the log management processes that should be put in place at an organization-wide level, including the definition of roles and responsibilities, the creation of feasible logging policies, and the division of responsibilities between system-level and organization-level administrators. Guidance is also provided on log management at the individual system level, such as configuring log generating sources, supporting logging operations, performing log data analysis, and managing long-term data storage.

August 15, 2005: Draft NIST Special Publication 800-26 Revision 1, Guide for Information Security Program Assessments and System Reporting Form
http://csrc.nist.gov/publications/drafts/Draft-sp800-26Rev1.pdf

This draft document brings the assessment process up to date with key standards and guidelines developed by NIST.

May 4, 2006: Draft Special Publication 800-80, Guide for Developing Performance Metrics for Information Security
http://csrc.nist.gov/publications/drafts/draft-sp800-80-ipd.pdf

This guide is intended to assist organizations in developing metrics for an information security program. The methodology links information security program performance to agency performance. It leverages agency-level strategic planning processes and uses security controls from NIST SP 800-53, Recommended Security Controls for Federal Information Systems, to characterize security performance.
April 21, 2006: Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
http://csrc.nist.gov/publications/drafts/SP800-53A-spd.pdf

The document provides a comprehensive listing of methods and procedures to assess the effectiveness of security controls in federal information systems. Assessment procedures have been developed for each security control and control enhancement in NIST Special Publication 800-53, with the rigor and intensity of assessments aligned with the impact levels in FIPS 199.

March 13, 2006: Draft Federal Information Processing Standard (FIPS) 186-3, Digital Signature Standard (DSS)
http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-1863%20_March2006.pdf

The draft defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures. Three techniques are allowed: DSA, RSA and ECDSA. This draft includes requirements for obtaining the assurances necessary for valid digital signatures.

February 3, 2006: Draft Special Publication 800-88, Guidelines for Media Sanitization
http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf

This guide is intended to assist organizations and system owners in making practical sanitization decisions based on the level of sensitivity of their information.

Sample IS Audit Questionnaire

You may download the latest sample questionnaire via the web link below:

http://www.examreview.net/IT_Questionnaire.pdf

End of Study Guide