ExamESSENTIALS Study Guide
2009 Ed., covering the 2009 Syllabus
2009. All rights reserved. No part of the contents of this book may be reproduced or
transmitted in any form or by any means without the written permission of the
publisher.
Important, Please Read
Due to the variety of fonts installed on the users' systems, Acrobat may prompt you
to download an additional language component (which is FREE from Adobe anyway).
If you receive a message saying that a Traditional Chinese language pack has to be
downloaded in order to load this eBook, please click YES to have Acrobat download
the update. The size of the update is about 7M. Don't worry, this download is safe.
Table of Contents
END USER LICENSE AGREEMENT
EXAM FORMAT  13
ABOUT THIS BOOK  14
EXAM TOPICS  15
EXAM REGISTRATION CONTACTS  19
STUDY PSYCHOLOGY & EXAM TACTICS  20
KEY EXAM STRATEGIES  21
  STRATEGY ONE: KEYWORD OR KEY PHRASE MATCHING  21
  STRATEGY TWO: CHOICES GROUPING  22
  STRATEGY THREE: THINK TRICKY  23
SECURITY THEORIES  25
  THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM  27
  DEFENSE IN DEPTH  27
  VULNERABILITIES  28
  SECURITY MEASURES  45
  STANDARDS AND GUIDELINES  49
IS ORGANIZATION AND INFORMATION ASSETS PROTECTION  55
  THE STAKEHOLDERS  56
  THE BOARD  57
  THE AUDIT MANAGER  58
  AUDIT PERSONNEL  59
IS CONTROLS  61
  THE IMPORTANCE OF THE USE OF CONTROLS  61
  CLASSIFICATION OF CONTROLS  62
  GENERAL CONTROLS VS APPLICATION CONTROLS  63
ACCESS CONTROL AND THE AUDITING PROCESS  66
  ACCESS CONTROL MODELS  66
  ACLS VERSUS CAPABILITIES  68
  WHAT IS ORANGE BOOK, BY THE WAY?  69
  TYPES OF ACCESS CONTROL  70
  THE AAA CONCEPT  71
  ESTABLISHING ACCOUNTABILITY THROUGH EVENT LOGGING  74
  THE AUDIT PROCESS  75
  THE SARBANES-OXLEY ACT AND THE COSO FRAMEWORK  76
  WHAT IS AUDITING, BY THE WAY?  79
  THE ROLE OF AN AUDITOR  82
  THE AUDIT PROCESS FLOW  83
  OVERALL STRATEGIES  88
  AUDIT PLANNING  90
  RECOMMENDED TYPES OF AUDIT  100
  EXAMPLE AUDIT OBJECTIVES AND PROCEDURES  103
  AUDIT FIELDWORKS  111
  AUDIT PROGRAM  115
  AUDIT REPORT  116
  AUDIT FOLLOW UP  118
  AUDIT ASSESSMENT  120
IT STRATEGIC PLANNING  121
  IT STRATEGIC PLANNING DEFINED  121
  THE ROLE OF IS AUDITING IN THE PLANNING PROCESS  122
  IN HOUSE OR OUTSOURCE?  123
  AVOIDING CONFLICTS OF INTERESTS  124
PROTECTION OF INFORMATION ASSETS THROUGH SECURITY POLICY  126
  INFORMATION ASSETS DEFINED  126
  DATA CLASSIFICATIONS AND LAYER OF RESPONSIBILITIES  129
  SECURITY POLICY  131
  SECURITY MODELS AND MODES OF OPERATIONS  138
  EXAMPLE POLICY  141
  CONSEQUENCES OF VIOLATIONS  143
  EVALUATION  144
  ORGANIZATION SPECIFIC CLASSIFICATION SCHEME  145
  CHANGE CONTROL  146
BUSINESS CONTINUITY PLANNING  148
  DEFINITION  148
  BCP VS BPCP VS DRP  149
  BCP PHASES  150
  STAKEHOLDERS AND CRISIS COMMUNICATIONS  151
  THE RISK ASSESSMENT FLOW  153
  RISK VS THREAT AND VULNERABILITY  158
  IDENTIFYING RISKS  159
  LOSS CALCULATIONS  161
  BUSINESS IMPACT ANALYSIS DEFINED  164
  BIA GOALS AND STEPS  165
  BIA CHECKLIST  166
  PREPARING FOR EMERGENCY  168
  MANAGING RECOVERY  170
  TESTING THE PLAN  172
  USER ACCEPTANCE  174
  PLAN MAINTENANCE  174
  INCIDENT HANDLING  177
RISK MANAGEMENT  180
  RISK MANAGEMENT DEFINED  181
  THE RISK MANAGEMENT STEPS  181
  IS AUDITING AND RISK MANAGEMENT  183
  RISK BASED AUDITING  184
  RISK MANAGEMENT READINGS  185
PROJECT MANAGEMENT  187
  PROJECT MANAGEMENT DEFINED  187
  PROJECT MANAGEMENT AND AUDIT  188
CHANGE MANAGEMENT  190
  CHANGE MANAGEMENT DEFINED  190
  CHANGE MANAGEMENT STRATEGIES  192
  CHANGE MANAGEMENT VS CHANGE CONTROL VS CONFIGURATION MANAGEMENT  194
  CHANGE CONTROL  196
APPLICATION PROGRAM DEVELOPMENT  203
  GENERAL GUIDELINES  203
  SYSTEM CHANGE CONTROL  204
  SOFTWARE DEVELOPMENT PROCESSES AND MODELS  205
  BUY VS MAKE: ACQUISITION MANAGEMENT METHODS  208
TECHNICAL READINGS  211
  SECTION 1: TOPICS ON SECURITY THEORY  211
  SECTION 2: TOPICS ON HACKING, ATTACKING, DEFENDING AND AUDITING  211
  SECTION 3: TOPICS ON ENCRYPTION AND VPN  211
  SECTION 4: TOPICS ON RESPONDING TO ATTACKS  211
  SECTION 5: TOPICS ON VIRUSES  211
EXCELLENT PUBLIC RESOURCES  302
SAMPLE IS AUDIT QUESTIONNAIRE  307
END OF STUDY GUIDE  308
License Grant
This Agreement entitles you to install and use one copy of the Book. In addition, you
may make one archival copy of the Book. The archival copy must be on a storage
medium other than a hard drive, and may only be used for the reinstallation of the Book.
This Agreement does not permit the installation or use of multiple copies of the Book,
or the installation of the Book on more than one computer at any given time, on a
system that allows shared used of applications, on a multi-user network, or on any
configuration or system of computers that allows multiple users. Multiple copy use or
installation is only allowed if you obtain an appropriate licensing agreement for each user
and each copy of the Book. For further information regarding multiple-copy licensing
of the Book, please contact: michael@ExamREVIEW.NET
Restrictions on Transfer
Without first obtaining the express written consent of ExamREVIEW.NET, you may
not assign your rights and obligations under this Agreement, or redistribute, encumber,
sell, rent, lease, sublicense, or otherwise transfer your rights to the Book.
Restrictions on Use
You may not use, copy, or install the Book on any system with more than one computer,
or permit the use, copying, or installation of the Book by more than one user or on more
than one computer. If you hold multiple, validly licensed copies, you may not use, copy,
or install the Book on any system with more than the number of computers permitted
by license, or permit the use, copying, or installation by more users, or on more
computers than the number permitted by license.
You may not decompile, "reverse-engineer", disassemble, or otherwise attempt to derive
the source code for the Book.
Restrictions on Alteration
You may not modify the Book or create any derivative work of the Book or its
accompanying documentation. Derivative works include but are not limited to
translations. You may not alter any files or libraries in any portion of the Book. You
may not reproduce the database portion or create any tables or reports relating to the
database portion.
Restrictions on Copying
You may not copy any part of the Book except to the extent that licensed use inherently
demands the creation of a temporary copy stored in computer memory and not
permanently affixed on storage medium. You may make one archival copy which must
be stored on a medium other than a computer hard drive.
TRADEMARKS.
CISA ExamESSENTIALS Guide and/or any other names of ExamREVIEW.NET or its publications,
products, content or services referenced herein or in the Book are the exclusive trademarks or
service marks of ExamREVIEW.NET. Other product and company names mentioned in the Book may
be the trademarks of their respective owners.
2. Use of the Book.
You understand that, except for information, products or services clearly identified as being supplied
by ExamREVIEW.NET, ExamREVIEW.NET does not operate, control or endorse any information,
products or services on the Internet in any way. Except for ExamREVIEW.NET explicitly identified
information, products or services, all information, products and services offered through the Book or
on the Internet generally are offered by third parties that are not affiliated with ExamREVIEW.NET.
YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE BOOK AND
THE INTERNET. EXAMREVIEW.NET PROVIDES THE BOOK AND RELATED
INFORMATION "AS IS" AND DOES NOT MAKE ANY EXPRESS OR IMPLIED WARRANTIES,
REPRESENTATIONS OR ENDORSEMENTS WHATSOEVER (INCLUDING WITHOUT
LIMITATION WARRANTIES OF TITLE OR NONINFRINGEMENT, OR THE IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE) WITH
REGARD TO THE BOOK, ANY INFORMATION OR SERVICE PROVIDED THROUGH THE
BOOK, AND EXAMREVIEW.NET SHALL NOT BE LIABLE FOR ANY COST OR DAMAGE
ARISING EITHER DIRECTLY OR INDIRECTLY FROM ANY SUCH. IT IS SOLELY YOUR
The provisions of paragraphs 2 (Use of the Book), and 3 (Indemnification) are for the benefit of
ExamREVIEW.NET and its officers, directors, employees, agents, licensors, suppliers, and any third
party information providers to the Book. Each of these individuals or entities shall have the right to
assert and enforce those provisions directly against you on its own behalf.
5. Termination.
This Agreement may be terminated by either party without notice at any time for any reason. The
provisions of paragraphs 1 (Copyright, Licenses and Idea Submissions), 2 (Use of the Book), 3
(Indemnification), 4 (Third Party Rights) and 6 (Miscellaneous) shall survive any termination of this
Agreement.
6. Miscellaneous.
This Agreement shall be governed and construed in accordance with the laws of Hong Kong
applicable to agreements made and to be performed in Hong Kong. You agree that any legal action or
proceeding between ExamREVIEW.NET and you for any purpose concerning this Agreement or the
parties' obligations hereunder shall be brought exclusively in a court of competent jurisdiction sitting
in Hong Kong. Any cause of action or claim you may have with respect to the Book must be
commenced within one (1) year after the claim or cause of action arises or such claim or cause of
action is barred. ExamREVIEW.NET's failure to insist upon or enforce strict performance of any
provision of this Agreement shall not be construed as a waiver of any provision or right. Neither the
course of conduct between the parties nor trade practice shall act to modify any provision of this
Agreement. ExamREVIEW.NET may assign its rights and duties under this Agreement to any party at
any time without notice to you.
Any rights not expressly granted herein are reserved.
Every effort has been made to ensure the accuracy of this book. If you have
comments, questions, or ideas regarding this book, please let us know by
emailing to this address: michael@ExamREVIEW.NET
This electronic book was originally created as a print book. For simplicity, the
electronic version of this book has been modified as little as possible from its
original form.
Exam Format
The following question formats are used in the CISA exams:
- Text Based Multiple-choice: The examinee selects one option that best
  answers the question or completes a statement.
- Multiple-response: The examinee selects multiple options that best answer
  the question or complete a statement.
- Sample Directions (Scenario): Read the statement or question and, from the
  response options, select only the option(s) that represent the BEST possible
  answer(s).
There are no fill in the blank questions. There are no graphical questions.
You will mostly be asked to pick one choice as the answer. However, some
questions will require you to pick multiple items, something like "i and ii",
"i, iii & v", etc.
- For international candidates, it takes about two months to receive
  the results.
- As of 2004 all CISA exams are paper and pencil based.
Our guide focuses on the best business practice and expert advice side
of the exam.
Exam Topics
The official exam objectives can be found on the CISA exam page:
http://www.isaca.org/cisaexam
I personally do not recommend that you spend too much time on these
objectives. The reasons are:
- many of them simply require nothing but basic common sense; you will
  be able to answer the corresponding questions easily anyway
- the list is way too detailed; if you go through them one by one, it will take
  you a year or so to finish
Instead, I prefer to focus on the following areas (because they often involve
topics that do not have fixed answers but instead require the best possible
options):
- IT strategic planning.
- Risk management.
- Project Management.
- Change Management.
Most candidates fail the exam because they focused too much on the IT side of
the exam, with little or no preparation on the auditing related disciplines.
Remember, a large number of the CISA exam candidates are from the
accounting profession, where business auditing is a major daily duty.
The exam is about 40% TECHNOLOGY and 60% BUSINESS
PRACTICE.
Tech gurus do not really have an edge because no in-depth or advanced
technologies are tested here. Instead, the practical business people with
sufficient technology knowledge rule.
The tech questions are easy because they are (and are bound to be)
straightforward. The business practice related questions are difficult
because business rationales are never straightforward: too many factors
come into play, making every scenario highly complicated.
And remember, technology does not mean IT technology alone. It also means
Physical Security Technology as well as Biometrics, and many more. As of the
time of this writing the state of biometrics technology is very sophisticated and
accurate, but is highly expensive. Other potential barriers include user
acceptance, enrollment time and throughput. Still, it is gaining ground,
especially in environments where security is CRITICAL.
Take a look at the security measures your company has implemented and
critically assess their features and effectiveness. This will help.
!!! Biometrics is an important topic. Check out the various forms of biometrics
technology described on this web page:
http://www.cs.indiana.edu/~zmcmahon/biometrics-tech.htm
Read the exam instructions carefully before answering the first question.
The key phrase here is "strategic plan". As we all know, a strategic plan is a very
high level thing. Look at the choices, only choice B has a high level element,
which is "business objective". Therefore, B is the correct answer.
Strategy Two: Choices grouping.
You need to know how to pick the BEST answer out of several technically
possible answers. To do this you need to think tricky: the questions are always
written with trickiness in mind (believe me, this is exactly the case with most
ISACA exam questions).
As an example, you are asked to evaluate the following statements:
- In the context of information security, the term Granularity refers to the
  level of detail to which a trusted system can authenticate users.
- In the context of information security, the term Granularity refers to the
  level of detail to which imperfections of a trusted system can be
  measured.
- In the context of information security, the term Granularity refers to the
  level of detail to which packets can be filtered.
- In the context of information security, the term Granularity refers to the
  level of detail to which an access control system can be adjusted.
Which statement is the BEST one?
To pick the BEST choice, you must keep in mind that Granularity is a term
which could be applied to a multitude of usages within the context of IT security.
It can be for packet filtering, and it can also be for user access. The last
statement says "access control system" without specifying its exact type. It is
therefore representative of almost all possible types of access control system.
You know what, this is exactly the type of answer expected. Kinda tricky, isn't it?
Security Theories
A security stance is a default position on security matters. The 2 primary
security stances are:
The 'trusted systems' approach has been predominant in the design of many
earlier software products, due to the long-standing emphasis on functionality
and 'ease of use' over security.
Defense in depth
A typical defense in depth approach divides the key security elements into
layers to create a cohesive defense strategy. To ensure effective IT
security, you must design, implement, and manage IT security controls for
each layer of this layered model. As an example, you may divide your
controls into the layers of network, hardware, software, and data.
From a broader perspective, an important principle of the Defense in Depth strategy is
that in order to achieve Information Assurance you need to maintain a balanced focus on
the critical elements of People, Technology and Operations.
In any case, security should not be viewed as an all or nothing issue. The
designers and operators of systems should assume that security breaches are
inevitable in the long term, and that full audit trails should be kept of system
activity so that when a security breach occurs, the mechanism and extent of
the breach can be determined. In fact, storing audit trails remotely, where
they can only be appended to, can keep intruders from covering their tracks.
Vulnerabilities
Bribes and extortion can occur! With promises or threats that cause
your staff to violate their trust, information security can be at risk big
time! This is more an HR issue, but still you need to think of ways to
safeguard security, assuming bribery is not entirely impossible.
Non-IP based networks are also highly hackable. Sniffing was pretty
common on Ethernet (and also on IP networks).
A packet sniffer (another name for a protocol analyzer) can be deployed
to intercept and log network traffic that passes through the network.
It can capture unicast, multicast and broadcast traffic provided that
you put your network adapter into promiscuous mode. You may
sniff to analyze network problems, or to gain information for
The best-known types of malware are viruses and worms, which are
known for the manner in which they spread, rather than any other
particular behavior. Originally, the term computer virus was used for a
program which infected other executable software, while a worm
transmitted itself over a network to infect computers. More recently,
the words are often used interchangeably.
Remember, in the real world most security comes from operating
systems where security is not an add-on but built in (such as the IBM
OS/400).
Security measures
Detection:
Intrusion Detection Systems are designed to detect network attacks in
progress and assist in post-attack forensics, while audit trails and logs serve
a similar function for individual systems.
Response:
"Response" is necessarily defined by the assessed security requirements of
an individual system and may cover the range from a simple upgrade of
protections to notification of legal authorities, counter-attacks, and the like.
Example audit questions:
- Does your organization have an IDS? If so, who defines the IDS
  knowledge base?
Apart from guidelines published by ISACA, you may also refer to the SoGP.
The Standard of Good Practice (SoGP) is a detailed documentation of best
practices for information security. It is published and revised every two years by the
Information Security Forum (ISF), an international best-practices organization.
The Standard is developed from research based on the actual practices of and
incidents experienced by major organizations. Its relatively frequent update
cycle of two years also allows it to keep up with technological developments
and emerging threats. In fact, the Standard is used as the default governing
document for information security behavior by many major organizations, by
itself or in conjunction with other standards such as ISO 17799 or COBIT.
One of the most widely used security standards today is ISO 17799, which
started in 1995. This standard consists of two basic parts, BS 7799 part 1 and
BS 7799 part 2, both of which were created by the British Standards Institute (BSI).
Recently this standard has become ISO 27001. The National Institute of
Standards and Technology (NIST) has released several special papers
addressing cyber security. Three of these special papers are very relevant to
cyber security: 800-12, titled Computer Security Handbook; 800-14, titled
Generally Accepted Principles and Practices for Securing Information
Technology; and 800-26, titled Security Self-Assessment Guide for
Information Technology Systems.
and accounting scandals. One major provision of the act is the creation of the
Public Company Accounting Oversight Board (PCAOB). The PCAOB
suggests considering the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) framework (which will be addressed later) in
management/auditor assessment of controls. Auditors have also looked to the
IT Governance Institute's "COBIT: Control Objectives of Information and
Related Technology" for more appropriate standards of measure. Since the
financial reporting processes of most organizations are driven by IT systems, it
is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing
Standard 2" states:
Chief information officers are responsible for the security, accuracy and the
reliability of the systems that manage and report the financial data. IT systems
are deeply integrated in the initiating, authorizing, processing, and reporting of
financial data. As such, they are inextricably linked to the overall financial
reporting process and would therefore have to be assessed, along with other
important process for compliance with Sarbanes-Oxley Act.
ISO 27001 sets out the requirements for information security management
systems. On the other hand, ISO 27002 offers a code of practice for
information security management.
British Standard 7799 Part 3 provides guidelines for information security risk
management. COBIT links IT initiatives to business requirements, organises IT
activities into a generally accepted process model, identifies the major IT
resources to be leveraged and defines the management control objectives to be
considered. ITIL (or ISO/IEC 20000 series) focuses on the service processes
of IT and considers the central role of the user.
The stakeholders
A critical factor in protecting information assets is laying the foundation for
effective information security management. In fact, commercial, competitive
and legislative pressures from around the business environment often require
the implementation of proper security policies and related logical access
controls. Security failures are often costly to business. Losses may be suffered as
a result of the failures, or costs may be incurred when recovering from the
security incident, followed by more costs to secure the systems and prevent
repeated failures. Job positions within an organization that have information
security responsibilities may include, but are not limited to, the following:
- Security committee
- Data owners
- Process owners
- IT developers
- Security specialists
- Auditors
- Users
The board
The board of directors and senior management are responsible for ensuring
that the organization's system of internal controls is operating effectively. An
audit committee should be appointed to oversee audit functions and to
report on audit matters periodically to the board. FYI, in order to comply with
the Sarbanes-Oxley Act of 2002, public stock-issuing institutions are required to
appoint outside directors as audit committee members. On the other hand, all
members of a stock-issuing institution's audit committee must be members of
the board of directors and be independent.
The ability of the audit function to achieve desired objectives depends largely
on the independence of audit personnel. This is especially true if the auditors
are internal auditors rather than outside auditors.
The board of directors should ensure that written guidelines for conducting IT
audits have been adopted, and should assign responsibility for the internal audit
Audit personnel
The auditors, whether internal or external, should in any case be granted the
authority to access records and staff necessary to perform auditing and
reporting. In fact, for any audit effort to be successful, a reporting line MUST
be identified to the highest level of the organization. The auditor's right of
access to information must be clearly identified early in the process.
Management should be required to respond formally, and in a timely manner,
to significant adverse audit findings by taking appropriate corrective action. The
auditors in turn should discuss their findings and recommendations periodically
with the audit committee.
IS Controls
The importance of the use of controls
According to the internal control principle (GASSP), information security
forms the core of an organization's information internal control system, in that
"the internal control standards define the minimum level of quality acceptable
for internal control systems in operation and constitute the criteria against
which systems are to be evaluated. These internal control standards apply to all
operations and administrative functions but are not intended to limit or
interfere with duly granted authority related to development of legislation, rulemaking, or other discretionary policymaking in an organization or agency."
There are many ways to classify controls. From an IS perspective, some say
they may be generally classified as physical, technical, or administrative in nature.
Some say that they can be further classified as either preventive or detective.
Three other types of controls, namely deterrent, corrective, and recovery, may
further supplement such a classification.
Classification of controls
- remedy the circumstances that allowed the unauthorized activity and return
  conditions to what they were before the violation.
- Data Capture Controls to ensure that all transactions are properly recorded
  in the application system
- Data Validation Controls to ensure that all transactions are properly valued.
Keep in mind that different types of network model often require the use of
different combinations of controls. You must have basic foundation knowledge
of networking in order to pick the correct answers. Know LAN networking
and WAN networking. Know distributed computing and client server
computing. Know server computing and thin client computing. Don't attempt
to take the exam until you are completely familiar with these basic concepts.
With the Discretionary model, the creator of a file is the owner and can grant
ownership to others. Access control is at the discretion of the owner. The most
common implementation is through access control lists. Discretionary access
control is required for the Orange Book C Level.
Mandatory controls are prohibitive and permissive. With the Mandatory model,
control is based on security labels and categories. Access decisions are based on
the clearance level of the data and the clearance level of the user, and the
classification of the object. Rules are made by management, configured by the
administrators and enforced by the operating system. Mandatory access control
is required for the Orange Book B Level.
With the Role-Based model, access rights are assigned to roles, not directly to
users. Roles are usually more tightly controlled than groups: a user can only
have one role.
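The three models above, as toy Python code added here for illustration (not code from the study guide). The users, objects, labels and role names are constructed, and the mandatory check implements only the label dominance rule: the clearance level must be at least the classification level and must carry every category the object is marked with.

```python
"""Toy implementations of the three access control models described above
(DAC, MAC, RBAC). Added example for this section, not code from the study
guide; all users, objects, labels and roles are constructed sample data."""
from dataclasses import dataclass


class DiscretionaryStore:
    """DAC: the creator of an object is its owner, and only the owner may
    change the access control list or hand ownership to someone else."""

    def __init__(self):
        self.owner = {}  # object name -> owning user
        self.acl = {}    # object name -> {user: set of permissions}

    def create(self, user, obj):
        self.owner[obj] = user
        self.acl[obj] = {user: {"read", "write"}}

    def _require_owner(self, user, obj):
        if self.owner.get(obj) != user:
            raise PermissionError(f"{user} does not own {obj}")

    def grant(self, granter, obj, grantee, perm):
        self._require_owner(granter, obj)  # access is at the owner's discretion
        self.acl[obj].setdefault(grantee, set()).add(perm)

    def transfer_ownership(self, owner, obj, new_owner):
        self._require_owner(owner, obj)
        self.owner[obj] = new_owner
        self.acl[obj].setdefault(new_owner, set()).update({"read", "write"})

    def allowed(self, user, obj, perm):
        return perm in self.acl.get(obj, {}).get(user, set())


LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]  # low -> high


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # A clearance dominates a classification when its level is at least as
        # high and it carries every category the object is marked with.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.categories <= self.categories)


class MandatoryStore:
    """MAC: the decision compares the user's clearance label with the object's
    classification label. Labels are set by management, so there is no grant()."""

    def __init__(self, clearances, classifications):
        self.clearances = clearances            # user -> Label
        self.classifications = classifications  # object -> Label

    def allowed(self, user, obj):
        return self.clearances[user].dominates(self.classifications[obj])


class RoleBasedStore:
    """RBAC: permissions attach to roles, never directly to users, and each
    user holds exactly one role, as the text describes."""

    def __init__(self):
        self.role_perms = {}  # role -> set of (permission, object) pairs
        self.user_role = {}   # user -> role

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign_role(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        if user in self.user_role and self.user_role[user] != role:
            raise ValueError(f"{user} already holds role {self.user_role[user]}")
        self.user_role[user] = role

    def allowed(self, user, obj, perm):
        role = self.user_role.get(user)
        return role is not None and (perm, obj) in self.role_perms[role]


if __name__ == "__main__":
    dac = DiscretionaryStore()
    dac.create("alice", "budget.xls")
    dac.grant("alice", "budget.xls", "bob", "read")
    print("DAC bob read:", dac.allowed("bob", "budget.xls", "read"))  # True
    mac = MandatoryStore({"carol": Label("SECRET", frozenset({"HR"}))},
                         {"payroll": Label("CONFIDENTIAL", frozenset({"HR"}))})
    print("MAC carol payroll:", mac.allowed("carol", "payroll"))  # True
    rbac = RoleBasedStore()
    rbac.define_role("auditor", {("read", "audit.log")})
    rbac.assign_role("dave", "auditor")
    print("RBAC dave write:", rbac.allowed("dave", "audit.log", "write"))  # False
```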
- Identification
- Authentication
- Authorization
- Accountability
Authentication is the first line of defense. Questions you may ask here:
Authorization determines if you can carry out the requested actions. Access
criteria types include, but are not limited to:
- Roles
- Groups
- Time of day
- Transaction type
- etc.
Authentication deals with how one's user account is established. There are also
issues dealing with how such an account should be handled and protected (i.e. user
account management). Some questions you may ask include:
- Account disabled
- Password/security information copied: failed and successful
- System configuration change: failed and successful
- Operating system patch applied
- Network connections: failed and successful
- Audit logs modification: failed and successful
- Object access: failed and successful
Note that several information technology audit related laws and regulations
have been introduced since 1977. These include the Gramm Leach Bliley Act,
the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability
Act, the London Stock Exchange Combined Code, King II, and the Foreign
Corrupt Practices Act. You are expected to understand what they are for.
An audit:
- compares your actual process against your documented process
- reports to what extent you are following your documented process
- acts as a verification exercise: if you think you are following your
  documented process but you do not verify this with an audit, there is a
  very good chance that you are not actually following your own processes
- is not a process of criticizing anyone or anything in any way
http://www.experteam.de/starte/leistungen/Themen/SWQualitaetsmanagement/Auditierung.html
A Security Audit refers to the process or event that uses the security policy or
standards as a basis to determine the overall state of the existing protection and
to verify whether existing protection has been performed properly. It targets
and focuses on finding out whether the current environment is securely
protected in accordance with the defined security policy. A security audit would
therefore require a complete inventory list and audit checklists, which may
cover different areas of IT such as web applications, network architecture,
wireless networks, etc. It would practically involve the use of security audit tools
and different review techniques for revealing the security loopholes.
http://www.auditnet.org/process.htm
repetitive checking process to ensure that these security measures are properly
implemented from time to time. You may safely conclude that Security Audit is
performed more frequently than Security Risk Assessment.
An auditor acts in the best interest of the client. He/she must place the
responsibility to be extremely fair and honest ahead of his/her own
interests. This is what FIDUCIARY RESPONSIBILITY is all about.
Below is the audit flow chart developed by UNISA of Australia. Different types
of audit conducted in different industries may have variations to this model
flow, and this chart is shown here to give you an idea of how the pros conduct
a planned audit in the real world.
Overall Strategies
General Principles for Developing an Audit Strategy include:
In order to have an appropriate auditing strategy and to avoid unnecessary
auditing, you must have a clear understanding of the reasons for auditing.
Additionally, in order to prevent unnecessary audit information from cluttering
the meaningful information, it is important to audit the minimum number of
statements, users, or objects required to get the targeted information.
You should log the activities of both the regular users and the power users
(administrators etc). Regular users tend to make careless mistakes, while
power users are capable of making intentional errors.
Audit Planning
An important part of the process for managing an audit function involves
planning, an activity that covers both audit administration and assignment. One
of the first tasks you must do at this planning stage is to develop a working
budget. You as the IT audit manager must know the capabilities of the audit
staff assigned to the project. In addition to the budgeted time needed to perform
the audit, you should also budget time needed to train the audit staff and allow
time for any error correction purposes.
While planning the audit, you should decide what level of risk of reaching
an incorrect conclusion based on the audit findings is acceptable.
The more effective and extensive the audit work is, the less the risk that a
weakness will go undetected and you will issue an inappropriate report. Such
audit risk is dependent on the assessed levels of inherent risk, control risk, and
detection risk. (Control risk is determined by evaluating an organization's
internal control structure. You can implement compliance testing procedures
when the effectiveness of an organization's internal controls is evaluated. The
level of detection risk is further determined by the assessment of inherent risk
and the assessment of control risk following compliance testing.) In fact, these
risks can be quite accurately determined when performing a risk assessment of
the organization.
There should also be a risk assessment process that describes and analyzes the
risks inherent in the existing IT operation. You should update the risk
assessment as necessary to reflect changes to internal control or work processes,
91
Notes:
and to incorporate new operations (if any). In fact, the level of risk should be
one of the most significant factors considered when determining the frequency
and depth of audit activities.
When assessing materiality, you should consider the aggregate level of error
acceptable to management, the IT audit committee, and the appropriate
regulatory agencies. You need to consider the potential for the cumulative
effect of small errors or weaknesses to become material. Materiality in IS
auditing is not only financial: it may also apply to non-financial items such
as physical access controls, logical access controls, and systems for personnel
management, manufacturing control, design, quality control, and password
generation.
The audit plan should detail the audit function's budgeting and planning
processes. The plan should describe audit goals, schedules, staffing needs, and
reporting. The audit plan should ideally be defined by combining the results of
the risk assessment with the resources required, to yield the timing and
frequency of planned audits. The audit committee should formally approve this
audit plan. The auditors should in turn report the status of planned versus
actual audits regularly.
At the planning portion of the audit, an auditor should perform the following:
1. notify the client of the audit
2. discuss the scope and objectives of the examination with organization
management in a formal meeting
3. gather information on important processes
4. evaluate existing controls
5. plan the remaining audit steps
A firewall acts as a choke point in the network where all passing traffic is inspected. A
proxy firewall acts as a middleman between the two parties so there is no direct connection
between them: it terminates the client's connection, then opens its own connection to the
destination on the client's behalf, so the destination only ever sees the proxy's address as
the source.
Application level proxies inspect the entire packet and make filtering decisions based on both
the header information and the actual packet content. They allow for the greatest level of control
at the expense of resource consumption. Circuit level proxies relay sessions without examining
application content; they make filtering decisions on basic information such as IP addresses,
ports, and protocol type, and therefore offer less protection against application-layer attacks.
Routers can provide basic protection by filtering on addresses and ports through access control
lists, but they are not intended as a substitute for a firewall.
Talking about application security, you also need to know the different methods of
software system testing.
With Black box testing, the tester has no prior knowledge of the test object's internal
structure and does not examine the code involved. The test is therefore unbiased.
However, since the tester is independent of the designer, it is almost impossible to ensure
that all existing "paths" of the system are fully exercised. By contrast, White box testing
(also known as clear box testing/glass box testing/structural testing) uses an internal
perspective of the system to design test cases. Test cases are therefore designed and
implemented with full knowledge of the test object's internal structure. The tester has
to know the code inside and out in order to test accurately, and that knowledge can bias the
test design towards the paths the tester expects to work.
Stress testing is a common way to test and determine the stability of a given system. It
involves testing beyond normal operational capacity in order to observe system performance
under stress. Emphasis is on robustness, availability, and error handling during heavy
workload.
A use case is a technique commonly used for capturing functional requirements of systems.
It allows you to describe the sequences of events that, when taken together, can lead to the
completion of a particular set of system activities for achieving a particular purpose.
Boundary value analysis is a special software testing design technique for determining test
cases that cover specifically those off-by-one errors (logical errors which involve the discrete
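To make the boundary value point concrete, here is an added example (not from the study guide): a deliberately off-by-one port range check, a boundary value generator, and a run that shows the boundary cases catching the defect while a black box run of random inputs usually misses it. The function names, the port range and the random seed are illustrative assumptions.

```python
import random

# Added example: boundary value analysis on a range check.
# Names and the port range below are constructed for illustration.


def boundary_values(low, high):
    """Classic boundary points for the inclusive integer range [low, high]:
    just below, on, and just above each edge."""
    return sorted({low - 1, low, low + 1, high - 1, high, high + 1})


def port_allowed_buggy(port, low=1024, high=49151):
    """Deliberately flawed: the strict '<' on the upper bound is an off-by-one
    error, so the last port in the range (49151) is wrongly rejected."""
    return low <= port < high


def port_allowed_fixed(port, low=1024, high=49151):
    """Correct inclusive range check, the specification the tests compare against."""
    return low <= port <= high


def run_bva(fn, low=1024, high=49151):
    """White-box style: probe only the boundaries and return the inputs on
    which `fn` disagrees with the inclusive-range specification."""
    return [p for p in boundary_values(low, high)
            if fn(p, low, high) != (low <= p <= high)]


def random_black_box(fn, n, seed=3, low=1024, high=49151):
    """Black-box style: `n` random ports from the whole 16-bit space; returns
    the inputs on which `fn` is wrong. A single bad value out of 65536 is
    rarely hit this way, which is why boundaries are probed explicitly."""
    rng = random.Random(seed)
    return [p for p in (rng.randint(0, 65535) for _ in range(n))
            if fn(p, low, high) != (low <= p <= high)]


if __name__ == "__main__":
    print("boundary run, buggy check fails on:", run_bva(port_allowed_buggy))   # [49151]
    print("boundary run, fixed check fails on:", run_bva(port_allowed_fixed))   # []
    print("200 random ports, buggy check fails on:",
          random_black_box(port_allowed_buggy, 200))
```

The only defect is at one edge of the range, so any failure the random run reports must be 49151; the boundary run finds it deterministically with six inputs.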
Audit sampling, which is often desirable for practical reasons, refers to the
application of an audit procedure to less than 100% of the population so that
you may evaluate audit evidence within a class of transactions for the purpose
of forming a conclusion about the population. Sampling may be done
statistically through Random Sampling or Systematic Sampling, or
non-statistically through Haphazard Sampling or Judgmental Sampling. Do note
that sample size is a factor that affects the level of sampling risk: the
smaller the sample, the higher the risk that the conclusion drawn from the
sample differs from the one you would reach by examining the whole population
(for example, that a sample contains none of the exceptions that exist in the
population).
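The following is an added example, not from the study guide, that implements random and systematic selection over a constructed population of change tickets and quantifies the sampling risk the paragraph describes: the probability that a random sample of a given size contains none of the deviations present in the population. The population, its 10 unapproved tickets, and the seeds are constructed assumptions.

```python
import random
from math import comb

# Constructed population: 500 change tickets, 10 of which were implemented
# without approval (the deviations the auditor is testing for).
POPULATION_SIZE = 500
EXCEPTION_COUNT = 10


def build_population(n=POPULATION_SIZE, exceptions=EXCEPTION_COUNT, seed=7):
    rng = random.Random(seed)
    unapproved = set(rng.sample(range(1, n + 1), exceptions))
    return [{"ticket": i, "approved": i not in unapproved} for i in range(1, n + 1)]


def random_sample(population, size, seed=1):
    """Statistical: every item has the same chance of selection."""
    return random.Random(seed).sample(population, size)


def systematic_sample(population, size, seed=1):
    """Statistical: every k-th item from a random start, with k = N // size."""
    k = len(population) // size
    start = random.Random(seed).randrange(k)
    return [population[i] for i in range(start, len(population), k)][:size]


def exceptions_in(sample):
    return sum(1 for item in sample if not item["approved"])


def miss_probability(n_population, n_exceptions, sample_size):
    """Sampling risk for a test of controls: probability that a random sample
    of `sample_size` contains none of the `n_exceptions` deviations, so the
    auditor would wrongly conclude the control operates (hypergeometric)."""
    return comb(n_population - n_exceptions, sample_size) / comb(n_population, sample_size)


if __name__ == "__main__":
    pop = build_population()
    for n in (10, 25, 50, 100):
        print(f"sample size {n:3d}: P(sample shows no exception) = "
              f"{miss_probability(len(pop), EXCEPTION_COUNT, n):.3f}")
    print("random sample of 25 found", exceptions_in(random_sample(pop, 25)), "exception(s)")
    print("systematic sample of 25 found", exceptions_in(systematic_sample(pop, 25)), "exception(s)")
```

With 10 deviations in 500 items, a sample of 25 misses all of them roughly 60% of the time and a sample of 100 about 10% of the time; the table printed by the block is the figure to show a client who asks why the sample cannot be smaller. Systematic selection is only as good as the absence of a pattern in the population that coincides with the interval k.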
You should also make decisions about the nature, extent, and timing of
evidence to be gathered. The types of evidence may include:
Keep in mind:
The IS auditor should consider whether his or her organizational status is appropriate for the
nature of the planned audit. Where this is not considered to be the case, the hiring of an
independent third party to manage or perform this audit should be considered by the
appropriate level of management3.
In fact, you may audit your own audit program and policy by asking questions
like:
Is there a policy stating how long the captured audit logs are to be retained?
3 http://www.isaca.org/standard/guide1.htm
You want to have a FIREWALL AUDIT to ensure that the firewall and the
associated systems have all been properly configured to enforce the security
policy with no more exposure than the policy allows. The firewall should be
audited for its configuration (the ruleset, logging and management access) and
also for its physical access control.
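The configuration part of such an audit comes down to checking the ruleset against the policy. Below is an added example, not from the study guide or any firewall vendor, that audits a constructed, ordered, first-match ruleset: it flags permits from outside into the internal network, inbound permits not listed in the Internet policy, permits without logging, rules shadowed by an earlier rule, and a missing final deny-all. The INTERNAL and DMZ ranges, the RULES, ALLOWED_INBOUND and the finding texts are all assumptions made for the example.

```python
import ipaddress

# Constructed environment: internal range and a DMZ in a documentation prefix.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")

# Audit criteria derived from the (assumed) Internet policy: the Internet may
# reach only the DMZ web server on 443 and the DMZ mail relay on 25.
ALLOWED_INBOUND = {("192.0.2.10/32", 443), ("192.0.2.20/32", 25)}

# Constructed ruleset in a simplified, ordered, first-match format.
RULES = [
    {"id": 10, "src": "0.0.0.0/0",  "dst": "192.0.2.10/32", "port": 443,   "action": "permit", "log": True},
    {"id": 20, "src": "0.0.0.0/0",  "dst": "192.0.2.20/32", "port": 25,    "action": "permit", "log": True},
    {"id": 30, "src": "0.0.0.0/0",  "dst": "10.0.0.0/8",    "port": "any", "action": "permit", "log": False},
    {"id": 40, "src": "10.0.0.0/8", "dst": "0.0.0.0/0",     "port": 80,    "action": "permit", "log": False},
    {"id": 50, "src": "10.0.0.0/8", "dst": "0.0.0.0/0",     "port": 443,   "action": "permit", "log": True},
    {"id": 60, "src": "0.0.0.0/0",  "dst": "192.0.2.10/32", "port": 443,   "action": "deny",   "log": True},
    {"id": 70, "src": "0.0.0.0/0",  "dst": "0.0.0.0/0",     "port": "any", "action": "deny",   "log": True},
]


def _net(cidr):
    return ipaddress.ip_network(cidr)


def _covers(outer, inner):
    """True when `outer` matches every packet `inner` matches; in a
    first-match ruleset a later `inner` can then never fire (it is shadowed)."""
    return (_net(inner["src"]).subnet_of(_net(outer["src"]))
            and _net(inner["dst"]).subnet_of(_net(outer["dst"]))
            and (outer["port"] == "any" or outer["port"] == inner["port"]))


def audit_rules(rules, allowed_inbound):
    """Return (rule id, finding) pairs for rules that conflict with the policy."""
    findings = []
    for i, rule in enumerate(rules):
        src, dst = _net(rule["src"]), _net(rule["dst"])
        if rule["action"] == "permit":
            if src.prefixlen == 0 and dst.prefixlen == 0 and rule["port"] == "any":
                findings.append((rule["id"], "permit any/any"))
            if not src.subnet_of(INTERNAL) and dst.overlaps(INTERNAL):
                findings.append((rule["id"], "permits traffic from outside into the internal network"))
            elif (not src.subnet_of(INTERNAL) and dst.overlaps(DMZ)
                  and (rule["dst"], rule["port"]) not in allowed_inbound):
                findings.append((rule["id"], "inbound permit not in the Internet policy"))
            if not rule["log"]:
                findings.append((rule["id"], "permit without logging"))
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append((rule["id"], f"shadowed by rule {earlier['id']}"))
                break
    last = rules[-1]
    if not (last["action"] == "deny" and _net(last["src"]).prefixlen == 0
            and _net(last["dst"]).prefixlen == 0 and last["port"] == "any"):
        findings.append((None, "no explicit final deny-all rule"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES, ALLOWED_INBOUND):
        print(f"rule {rule_id}: {finding}")
```

On the constructed ruleset this reports rule 30 (Internet into the internal range, and unlogged), rule 40 (unlogged outbound permit) and rule 60 (a deny that can never fire because rule 10 already permits the same traffic). A real audit would export the live ruleset rather than a hand-typed copy, and would also compare the management interfaces and logging destination against the policy, which this example does not model.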
You want to perform a HOST SECURITY AUDIT to assess the operating
system level security of the different server platforms.
Misconfiguration of the operating systems may open up security holes that may
not be known to your system administrators, and the goal of this audit is to
find them all.
Objective:
To assess whether access from the internal network to the Internet and from the
Internet to the internal network are controlled.
Criteria:
The Internet policy should convey to all staff the intent of the controls to be
implemented by the firewall.
Procedures:
a) Obtain a copy of the Internet Policy.
b) Identify the process that was used to develop the policy. Ascertain whether
the process considered the value of and degree of reliance on the firewall and
the severity, probability, and extent of the potential for direct and indirect
harm.
c) Assess whether the policy:
* identifies the specific assets that the firewall is intended to protect and
the objectives of that protection (integrity, availability, and
confidentiality)
* describes the organizational structure and associated responsibilities and
accountability of personnel who will be charged with implementing the policy,
monitoring compliance with the policy and adhering to the policy
* supports the legitimate use and flow of data and information and
* documents what information passing through the firewall will be monitored
(limit organizational liability, reduce abuse, support prosecution for abuse)
and
* is consistent both in tone and in principle with other organizational
policies and accepted practice (e.g. availability of Internet access for
non-business use)
d) Ascertain whether legal counsel has reviewed the policy to ensure
consistency with requirements and limitations imposed externally (laws,
regulations etc.).
e) Determine whether management approval of the policy has been sought and
granted and the date of the most recent review of the policy by management.
f) Identify how the Internet policy was/is communicated to users and how
awareness is maintained. Select a sample of users and discuss their
understanding of their responsibilities related to Internet use and how to
report problems.
g) Determine whether standards and procedures have been defined to specify the
means by which the policy is implemented.
h) Assess whether the standards and procedures specify who is responsible and
empowered to do each function required for the proper operation of the
firewall.
i) Assess whether the security policy:
* is easy to read and locate relevant sections
* is versioned and dated
* is carefully worded with all ambiguous terms precisely defined
* sets out acceptable conditions of use as well as unacceptable conditions of
use
* is widely communicated to affected persons and
* is reviewed at regular intervals.
j) Consider whether the following issues are addressed in the policy document:
* Scope of the policy in relation to other internal and external networks with
which it may be connected.
* Basic philosophy that may be used for making non-deterministic decisions.
* Governing policies, such as Federal and Provincial Law, contractual terms and
conditions, or other policies internal to the Company.
* Identification of the person who has ultimate authority to interpret and
apply the policy to a particular situation.
* Allowance for the policy to be temporarily waived by a person of authority
under certain conditions or guidelines.
* Formal definition of how the people affected by the policy will be informed
of its contents.
* Frequency and necessity for reviews of the policy.
* Outline of the assets that must be protected, and from what threats.
* Security incident handling principles.
* Guidelines for liability of personnel with regard to security breaches to
discourage people from hiding details of a breach that they may have (somewhat
innocently) been involved in.
* Guidelines regarding investigation of incidents and courses of action that
could be taken by decision makers based upon details of the security breach,
including referral to law enforcement agencies, as well as internal
investigation and disciplinary principles.
k) Consider whether the rights and responsibilities of users are addressed in
the policy document, including:
* Account use, by both the account holder and the resource provider. Special
conditions may apply to the use of normal user accounts, and public access
accounts (like anonymous ftp), and these conditions could be expressed here.
* Software and data access and use, including sources of data and software.
* Disclosure of information which is potentially harmful, such as password
information or configuration information.
* Etiquette, including acceptable forms of expression (e.g. non-offensive
expression expected for unsolicited electronic mail), and unacceptable
practices (such as the forging of electronic mail and news articles).
* Password use and format.
* Rights to privacy, and the circumstances under which the resource provider
may intrude on the files held under or activities practiced by an account.
* Other miscellaneous guidelines regarding reasonable practices, such as the
use of CPU cycles and temporary general access storage areas. Copyright issues
may also be discussed here.
l) Consider whether the rights and responsibilities of resource providers are
addressed in the policy document, including:
* physical security guidelines
* privacy guidelines and
* configuration guidelines, including:
  - allocation of responsibility
  - network connection guidelines
  - authentication guidelines
  - authority to hold and grant account guidelines
  - auditing and monitoring guidelines
  - password format, enforcement and lifetime guidelines and
  - login banners.
You may also perform audits using a wide range of computer tools. For example,
you may run an automated vulnerability scanning tool to quickly identify known
vulnerabilities on the target hosts or devices. However, since the scanner
generates a large volume of requests, the system and network performance of
the target group will likely be affected during the scan. You must therefore
devise a plan to minimize possible service interruption during the scanning
process (scan windows, rate limits, and exclusion of fragile systems). Note
also that some of the potential vulnerabilities identified by the scanner may
not represent real vulnerabilities in the practical, real-world context:
false positives are to be expected, and professional judgment must be
exercised in confirming each finding before it is reported.
Audit Fieldwork
During the audit process, the fieldwork concentrates on transaction testing and
informal communications. At this stage the auditor determines whether the
controls identified during the preliminary review are operating properly and in
the manner described.
Remember, you do NOT audit every item. With the help of statistical
sampling techniques, you determine (mostly in a random manner) which items
to work on.
Whatever the source, audit software programs should remain under the strict
control of the audit department.
You use CAATs (Computer-Assisted Audit Techniques) to test application controls as
well as to perform substantive tests on sample items. Types of CAATs include
Generalized Audit Software (GAS), Custom Audit Software (CAS), Test Data,
Parallel Simulation and Integrated Test Facility. Through the use of CAATs, you
will be able to obtain evidence to support the final conclusions developed
during the audit.
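As an added example of one of these techniques (not from the study guide), the block below performs a parallel simulation: the auditor independently re-implements the interest calculation the application is documented to perform and runs it over the application's own output, reporting every record where the two disagree beyond a tolerance. The loan records, the simple-interest formula with a 365-day year, and the deliberately wrong value on loan L-004 (computed as if on a 360-day basis) are all constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of the application's output: principal, annual rate,
# days accrued, and the interest the system posted. L-004 carries a
# deliberately wrong amount (360-day basis) to represent a processing defect.
APP_OUTPUT = [
    {"loan": "L-001", "principal": "10000.00",  "rate": "0.0500", "days": 30,  "interest": "41.10"},
    {"loan": "L-002", "principal": "2500.00",   "rate": "0.0725", "days": 90,  "interest": "44.69"},
    {"loan": "L-003", "principal": "150000.00", "rate": "0.0399", "days": 365, "interest": "5985.00"},
    {"loan": "L-004", "principal": "780.50",    "rate": "0.1299", "days": 15,  "interest": "4.22"},
]


def expected_interest(principal, rate, days):
    """Auditor's independent implementation of the documented rule:
    simple interest = principal * rate * days / 365, rounded half-up to cents.
    Decimal is used so that the auditor's rounding, not float noise, is tested."""
    value = Decimal(principal) * Decimal(rate) * Decimal(days) / Decimal(365)
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(records, tolerance=Decimal("0.01")):
    """Re-process every record with the auditor's logic and return those where
    the system's posted value differs from the recomputed value by more than
    `tolerance`. Each exception carries both figures for the working papers."""
    exceptions = []
    for rec in records:
        recomputed = expected_interest(rec["principal"], rec["rate"], rec["days"])
        posted = Decimal(rec["interest"])
        if abs(recomputed - posted) > tolerance:
            exceptions.append({"loan": rec["loan"], "posted": str(posted),
                               "recomputed": str(recomputed)})
    return exceptions


if __name__ == "__main__":
    for e in parallel_simulation(APP_OUTPUT):
        print(f"{e['loan']}: system posted {e['posted']}, auditor recomputed {e['recomputed']}")
```

The simulation only proves that the application disagrees with the auditor's reading of the specification; the next step is to determine whether the defect is in the code, the parameters, or the documentation. Because the auditor's program is itself evidence, it falls under the same control as other audit software mentioned above.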
Audit evidence needs to be sufficient, reliable, relevant, and useful in order for
you to form an opinion and to support your findings and conclusions. You
need to devise procedures to gather and organize audit evidence. You should
select the most appropriate procedure for the audit objective. Possible options
include:
Inspection
Confirmation
Reperformance
Monitoring
Audit Program
An audit program acts as the link between the preliminary survey and the field
work. In the preliminary survey the auditors identify operating objectives, risks,
operating conditions and control procedures. In field work they gather evidence
about the effectiveness of control systems based on observations,
documentation, verification and other audit procedures.
For a list of popular audit programs you may refer to this hyperlink:
http://www.auditnet.org/asapind.htm
Audit Report
This is the principal product of the audit process - you express your opinions,
present the audit findings, and discuss recommendations for improvements.
According to IS Auditing Standard 070 (Reporting), The IT auditor should provide a report
in an appropriate form, upon the completion of the audit. The report should state the scope,
objectives, period of coverage, and the nature, timing, and extent of the audit work performed.
The report should state the findings, conclusions, and recommendations and any reservations,
qualifications or limitations of scope that IT auditor has with respect to the audit.
It is always advisable for you to first discuss the rough draft with your client
prior to issuing the final report:
1. When the fieldwork is completed, the auditor drafts the report and gives
it to the audit management for a thorough review. A discussion draft is
prepared for the unit's operating management and is submitted for the
client's review before the exit conference.
2. When audit management has approved the discussion draft, the auditor
meets with the unit's management team to discuss the findings,
recommendations, and text of the draft. At this meeting (which is
known as the Exit Conference), the client is given the chance to
comment on the draft. The ultimate goal is for the group to reach an
agreement on the audit findings (and to maintain a friendly relationship
with the client).
3. After an agreement is made, the auditor prepares a formal draft which
takes into account any revisions resulting from the exit conference and
other discussions. When the changes have been reviewed by audit
management and the client, the final report is produced and rendered to
the audit management as well as the client. The approval of the client
and the Audit Director is required for release of the report to any third
party.
4. The client should be given the opportunity to respond to the audit
findings prior to issuance of the final report; the response can be included
in or attached to the final report. However, if the client decides to respond
after the report has been issued, the first page of the final report should
include a letter requesting the client's written response to the report
recommendations.
You should discuss the draft of the audit report with management
to give management the chance to correct any weaknesses or
deficiencies before they are reported and/or even released to the
public. You may do this in the form of a Management Comment
Letter.
5. In the response, the client should explain how report findings will be
resolved. An implementation timetable should also be included. It is
technically acceptable for the client to respond with a decision not to
implement an audit recommendation and to bear the risks associated
with an audit finding.
6. Finally, the client may comment on the performance of the audit. This
feedback can be very beneficial to the audit team.
Audit FollowUp
Within a period defined by the client, the auditor will perform a follow-up
review to verify the resolution of the report findings:
1. Follow-up Review - the client response letter is reviewed and the actions
taken to resolve the audit report findings may be tested. Unresolved
findings will be discussed in the follow-up report.
2. Follow-up Report - lists the actions taken by the client to resolve the
original report findings. Any unresolved findings will be mentioned as
well. It is a recommended practice to circulate a discussion draft of each
report with unresolved findings to the client before the follow-up report is
issued (again, this is for reaching agreement and maintaining a friendly
relationship).
To keep things going properly, you should use a process that enables yourself
to track the status of client management's actions on significant findings and
recommendations.
Note:
If after issuing the audit report it is found that some procedures had been
omitted, you may need to review the available audit alternatives in order to
compensate for the omission. If unfortunately the omitted procedures actually
present material bearing on the audit outcome, the worst case scenario is that
you will have to issue a new report and have the old one cancelled.
Audit Assessment
Upon completion, your audit work should be evaluated by a partner or senior
manager based on a number of criteria, including:
Accuracy
IT Strategic Planning
IT Strategic Planning defined
Strategic planning is an important activity for information technology
organizations. IT Strategic Planning is closely related to IT governance, which
comprises the body of issues addressed in considering how IT is applied within
the enterprise.
The key goal of the IT strategic planning process is to translate your
organization's vision into detailed short- and long-term IT plans and processes
that match the company's business plan and ensure that employees, clients,
suppliers, and partners can easily and securely interact and collaborate:
o IT strategic plans must be aligned with institutional mission, plans, and
priorities. An IT plan must also be flexible to adapt to changes. Most
importantly, IT strategic planning must occur as part of a process that
ensures that the best ideas are put forward and a process that creates
investment on the part of stakeholders.
o Strategic IT planning must include setting long-term goals, identifying
performance goals, selecting the portfolio of IT investments to support
http://www.isaca.org/standard/guide1.htm
ISACA (above) further defines the following points that should be considered
by the auditor when reviewing the IT strategic planning process:
o There is a clear definition of IT mission and vision
o There is a strategic information technology planning methodology in
place
o The methodology correlates business goals and objectives to IT business
goals and objectives
o This planning process is periodically updated (at least once per year)
o This plan identifies major IT initiatives and resources needed
o The level of the individuals involved in this process is appropriate
Inhouse or Outsource?
Note that one major duty of the IS auditor is to validate the acquisition or
development of business application systems. From a security standpoint,
you need to judge whether developing in house is more secure (and easier to
control) than buying off the shelf. A trade-off is involved in the decision, and
different answers are expected in different circumstances. The general guideline
is that developing in house allows more control over the development process
and lets you build in more security features. However, this can be costly, as
you need to recruit, train and manage your own IT team to do the job.
Also, when your own development team is involved you must clearly define the
roles and responsibilities of each team member. Certain roles must not be
overlapped, and certain duties must be clearly separated.
Examples of duties that must be kept separate:
development vs production
security vs audit
When we talk about the protection of information assets, we are dealing with
two issues here:
1.
2.
NOTE:
You need to have an idea of what it takes to shape a proper set of Information
Assets Protection policies. Then you know how to go ahead with an audit.
Questions you may ask here:
Does the policy identify all individuals responsible for implementing that
policy and what their duties are?
Does the policy identify the steps to be taken if there is a security breach?
Does the policy identify enforcement procedures that identify the penalties
associated with a security breach?
Is the policy known by all individuals who have the responsibility for
implementing that policy?
Military classification levels (highest to lowest):
Top Secret
Secret
Confidential
Sensitive but unclassified
Public
The Data Owners are the senior managers who are ultimately responsible for
protection and use of data. They often determine the data classification. The
Data Custodians, on the other hand, are responsible for maintenance and
Before you give classified information to anyone, you as the holder of the
information MUST do whatever you can to ensure that the person to
whom you are giving the information possesses the proper level of security
clearance AND has the need-to-know. Clearance alone is not enough.
Security Policy
Policy is issued top down. It is signed by the top person in the organization,
and compliance with it is mandatory. Procedures, on the other hand, describe the
steps needed to achieve compliance.
Once the policy is defined and implemented, the policy owner should be held
responsible for its maintenance and review according to a defined periodic
review process (updating and maintaining the policy is a hands-on job). That
process should also ensure that a review takes place in response to any change
affecting the basis of the original risk assessment.
And for the purpose of the exam, remember that the necessary components
that fit together for effective security management practices are:
Data classification
Operational activities
Safeguard selection
Separation of duties
Risk assessment
Security awareness.
The above are concerns at a broader level. At the actual administrative level,
on the other hand, questions you may ask concerning the hands-on management,
enforcement and implementation of security procedures may include:
General questions you may ask concerning user training may include:
* The risk of IT staff disrupting the running of the network either in error or by malicious
intent should be reduced by the following measures:
a) segregating the duties of staff running the network from those developing/designing the
network.
b) ensuring all network and external staff sign non-disclosure/confidentiality agreements.
c) minimizing reliance on key individuals by automating tasks as well as ensuring complete
and accurate documentation.
d) organizing duties in such a way as to minimize the risk of theft, fraud, error and
unauthorized changes to information.
e) screening applicants for positions that involve running the network through taking up
references and checking career history.
The Bell-LaPadula Model was developed for the US military in the 1970s to address
leakage of classified information. Its main goal is confidentiality. Its two
rules are the simple security property (a subject may not read an object
classified above its own clearance: "no read up") and the *-property (a subject
may not write to an object classified below its own clearance: "no write down").
A system using the Bell-LaPadula model would be classified as a multi-level
security system. Bell-LaPadula is a state machine model, and can also be
categorized as an information flow model.
The various information flow models have one thing in common: they have
each object assigned a security class or value. Information is constrained to flow
only in the directions permitted by the security policy.
With the Dedicated Security Mode, all users have the clearance and the
need to know for all the data within the system.
With the System-High Security Mode, all users have clearance and
authorization to access the information in the system, but not necessarily a
need to know.
With the Compartmented Security Mode, all users have the clearance to all
information on the system but might not have need to know and formal
access approval. Users can access a compartment of data only.
Under Limited Access, the minimum user clearance is not cleared and the
maximum data classification is sensitive but unclassified. Under Controlled
Access, there is a limited amount of trust placed on system hardware and
software.
Some questions you may ask when auditing user account related issues:
Example Policy
The role of the CIO and his/her peers involves developing and publishing
policy in consultation with Business Units and Service Providers as well as
promoting the development of the various supporting standards and
Guidelines.
Below is an example of the terms included in a real life security policy:
1. Sample company information technology assets must not be used for private
commercial purposes.
2. Users must not breach copyright, nor use facilities for illegal purposes.
3. Users must protect Sample company and vendor intellectual property.
4. Users, external suppliers and clients must, on request, sign a confidentiality
agreement in respect of the use of IT facilities, documentation and data,
including non-disclosure of Sample company information to third parties.
5. All users must abide by Sample company acceptable use policies for e-mail
and Internet and not download, transmit, distribute or store any harassing or
obscene messages and files, or any objectionable material via a Sample
company PC or network. This includes the use of insulting, sexist, racist,
obscene, suggestive or any other inappropriate language.
6. All users are personally accountable for their own logon-id and password.
Passwords must not be disclosed nor shared.
7. The Standards and Guidelines supporting this policy form part of the Policy.
8. Users are responsible for meeting published information technology
standards, guidelines and acceptable use policies.
Consequences of violations
In order for a security policy to be effective, the CONSEQUENCES OF
SECURITY POLICY VIOLATIONS must be clearly defined upfront. In
The Orange Book (TCSEC) divisions, from most to least secure, are:
A - Verified Protection
B - Mandatory Protection
C - Discretionary Protection
D - Minimal Security
The evaluation criteria cover four main areas: Security Policy, Accountability,
Assurance and Documentation. Note that the Red Book (the Trusted Network
Interpretation, TNI) is an interpretation of the Orange Book for networks and
network components. The Red Book TNI ratings are:
None
C1 Minimum
C2 Fair
B2 Good
Change control
Change control is an important element: it describes the procedures for
making and controlling changes to information. Put another way, change control
procedures restrict the way people make changes to information assets, so that
every change is requested, approved, tested and recorded before it reaches
production.
Definition
Business continuity is a term that describes the processes and procedures an
organization puts in place to ensure that essential functions can continue during
and after a disaster. Business continuity planning seeks to prevent interruption
of mission-critical services, and to reestablish full functioning as swiftly and
smoothly as possible.
From a practical standpoint, you must understand that it may not be practical
for any but the most critical business functions to maintain full functioning
throughout a disaster. You cannot afford to keep everything running non-stop
because of the high cost involved. In fact, the very first step in business
BCP Phases
The phases of development for any BCP (Business Continuity Planning)
program should include:
Initiation
Strategy development
Plan development
Implementation
Testing
Maintenance
The key phrase in business continuity is "reduce risk", which means to prepare
for any event that could jeopardize your business's ability to operate. If
disaster strikes, companies have everything to lose: critical data, profits,
information and so on, all of which are critical to the running of any company.
BCP should not be a pure IT call. In fact, it should be considered as a business
call. It should be developed by a team representing ALL functional areas of the
organization.
BCP is in fact a project. Managing a BCP is like managing a project. A formal
project needs to be established, and activities should commence only when the
project has been approved by the Board of Directors of the organization.
A list of important contacts must be maintained at all times by several key
people in the organization. One of these key people must be available off-site
(imagine what happens if all the key people are buried in the destroyed
building).
Each business unit should have at least one person assigned to keep a list
of contacts for all the staff within the unit; during a tragedy there is a need
to find out who is still missing. There is also a need to keep the family
members of the staff fully informed on what is happening.
It will be very ugly if the person in charge of the organization is the last one
to be informed of the tragedy. When something goes wrong, the CEO is
often the target of the media. Do NOT upset the media or the reporters.
Prior to conducting a risk assessment you should start by building up a solid
knowledge base. You need to know the current and historical internal
environment, the current and historical external environment, internal and
external dependencies and vulnerabilities, threat profiles, as well as
countermeasure choices and related costs.
The kinds of information that are often desired for performing an assessment,
as recommended by INFOSEC, include:
You may collect this information through a General Control Review, a System
Review, and Vulnerability Identification. With a General Control Review you
identify threats arising from the existing general security processes by
examining the systems through interviews, site visits, documentation review,
and observation. A System Review focuses on system elements such as system
files or logs, running processes, access control files, user listings,
configuration settings, and security patch level. Vulnerability Identification
would often involve automated tools such as vulnerability scanning and
penetration testing over the network.
Note that this model of risk assumes that we have knowledge of our
vulnerabilities and our threats.
You perform Threat Analysis to identify the threats and to determine the
likelihood of their occurrence and their potential to harm systems or assets.
System error or control logs are usually good sources of data for this.
Social threats are directly related to human factors, which can be intentional or
unintentional. Technical threats are usually caused by technical problems.
Environmental threats are usually caused by environmental disasters.
Identifying Risks
The key part of the BCP process is the assessment of the potential risks to the
business which could result from disasters or emergency situations. You MUST
consider ALL the possible incidents and the impact that follows. Examples of
the risks that are possible for any organization include (but are not limited
to):
o Environmental Disasters
o Deliberate Disruption (e.g. terrorist attack)
o Loss of Utilities and Services
o Equipment or System Failure
o Serious Information Security Incidents
Risk results may be analyzed using qualitative and quantitative methods
and/or a matrix approach. With the qualitative method you use descriptive
word scales or rankings of significance/severity based on experience and
judgment. It is more subjective in nature. By contrast, the quantitative
method uses numerical information to arrive at percentages or numerical
values. Generally speaking, a qualitative method is better for initial
screening while a quantitative method is more suitable for detailed and
specific analysis of some critical elements and for further analysis of
high-risk areas. A matrix approach would involve documenting and estimating
the three major needs of security protection, which are confidentiality,
integrity and availability, at three different levels of severity (high,
medium, low). The risk level would be ranked based on the criticality of
each risk element. The idea is that risk interpretation should be limited
to the most significant risks so as to reduce the overall effort and
complexity.
Loss Calculations
The three major models are the Single Loss Expectancy (SLE), Annualized
Loss Expectancy (ALE) and Cumulative Loss Expectancy models.
The Single Loss Expectancy model is the model upon which the Annualized
Loss Expectancy and Cumulative Loss Expectancy models are based. This
simple (and less accurate) model has its roots in accounting, with the
purpose of determining how much value in terms of dollars will be lost, and
is often used to express the results in a financial impact analysis.
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) =
Annualized Loss Expectancy (ALE)
The Cumulative Loss model approaches risk by taking into account all of the
bad things that are likely to happen to your business over the next year.
You will need to look at each threat and the probability of each threat
against your business, and then derive an expected loss. You can take all
of the threats, compute the annual rate of each threat occurring, and add
up the resulting expected losses. This is a relatively complicated model
and is less emphasized in the exam.
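The Python example below is added here to carry the loss calculation through
with the terms used above; it is not from the study guide. It computes SLE
(asset value times exposure factor), ALE (SLE times ARO) and the cumulative
expectancy over a set of threats, scores a countermeasure by the ALE it
removes against its yearly cost, and ranks a risk element with the matrix
approach from the previous paragraph. The asset values, exposure factors and
occurrence rates are constructed figures for illustration only.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Threat:
    name: str
    asset_value: float       # AV: value of the exposed asset, in currency units
    exposure_factor: float   # EF: fraction of AV lost in one occurrence (0.0 to 1.0)
    aro: float               # ARO: expected number of occurrences per year


def single_loss_expectancy(t: Threat) -> float:
    """SLE = AV x EF: the loss from one occurrence of the threat."""
    return t.asset_value * t.exposure_factor


def annualized_loss_expectancy(t: Threat) -> float:
    """ALE = SLE x ARO: the expected loss per year from this threat alone."""
    return single_loss_expectancy(t) * t.aro


def cumulative_loss_expectancy(threats: List[Threat]) -> float:
    """Cumulative model: the ALEs of every threat considered, added up."""
    return sum(annualized_loss_expectancy(t) for t in threats)


def safeguard_value(t: Threat, aro_after: float, annual_cost: float) -> float:
    """Net value of a countermeasure: ALE before, minus ALE after, minus its
    yearly cost. A positive result means the safeguard pays for itself."""
    after = Threat(t.name, t.asset_value, t.exposure_factor, aro_after)
    return annualized_loss_expectancy(t) - annualized_loss_expectancy(after) - annual_cost


SEVERITY = {"low": 1, "medium": 2, "high": 3}


def matrix_rank(confidentiality: str, integrity: str, availability: str) -> str:
    """Matrix approach: rate the C, I and A impact of a risk element as
    high/medium/low and rank the element by the worst of the three, so that
    only the most significant risks need detailed interpretation."""
    worst = max(SEVERITY[confidentiality], SEVERITY[integrity], SEVERITY[availability])
    return {v: k for k, v in SEVERITY.items()}[worst]


# Constructed figures, chosen for the example rather than taken from any assessment.
THREATS = [
    Threat("fire in the server room", asset_value=200_000, exposure_factor=0.8, aro=0.1),
    Threat("ransomware on the file server", asset_value=50_000, exposure_factor=0.5, aro=0.5),
    Threat("loss of utility power", asset_value=20_000, exposure_factor=0.1, aro=2.0),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:32s} SLE={single_loss_expectancy(t):>10,.0f} "
              f"ALE={annualized_loss_expectancy(t):>9,.0f}")
    print(f"cumulative loss expectancy: {cumulative_loss_expectancy(THREATS):,.0f}")
    # Fire suppression assumed to cut the fire ARO from 0.1 to 0.02 at 5,000 per year.
    print(f"value of fire suppression: {safeguard_value(THREATS[0], 0.02, 5_000):,.0f}")
    print("payroll database ranks:", matrix_rank("high", "high", "medium"))
```

With these figures the fire threat has an SLE of 160,000 and an ALE of
16,000; the three threats together give a cumulative expectancy of 32,500,
and the assumed fire suppression is worth 7,800 a year net of its cost,
which is the comparison a quantitative analysis is meant to support.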
At the end of the day you want to know how one may continue the IT function
should something go seriously wrong. Contingency planning is therefore a
critical factor to consider. Questions you should ask may include:
BIA checklist
You will need inputs from both the top management and the line managers.
- Determine the business areas
- For each business area, determine the business processes and identify
the essential processes.
The key personnel and the IT staff should be well trained to handle
emergency situations and incidents. Ask these questions:
Managing recovery
The Business Recovery Phase will then follow directly on from the Disaster
Recovery Phase. This phase involves the restoration of normal business
operations. From a business perspective, this is the most critical phase of
the whole BCP exercise, as the efficiency and effectiveness of the
procedures here could have a direct bearing on the organization's ability
to survive the emergency.
For a business to truly recover, from an IS standpoint these are the items
that are critical:
o Power and Other Utilities
o Premises, Fixtures and Furniture
o Communications Systems
o IT Systems
o Production and Other Equipment
o Information and Documentation
The BCP test itself should be carefully planned as well. The objectives and
scope of the tests are outlined below:
o Develop Objectives and Scope of Tests
The test process gives IS auditors a good chance to see if the IS controls
relevant to BCP actually work as planned.
User Acceptance
About user acceptance testing: each user should create a test script
designed to validate the accuracy and performance of their application in a
contingency environment. The test scripts should be defined in such a way
that they give a clear indication of whether or not the users can do
business as usual as stated in their recovery requirements.
Users should be asked to provide their views on the testing process and on
the results of the test. The users should also provide comments regarding
improvements and modifications that they would like to see as a result of
the test. Upon completion a user sign-off sheet should be provided for this
purpose and must be signed off by a manager of the business.
Plan maintenance
In today's world, the pace of change will never slow down but will continue
to increase. It is necessary for the BCP to keep pace with these changes in
order for it to be useful in the event of a disruptive emergency.
To ensure that the BCP is regularly updated, the following must be established:
o Change Control Procedures for Updating the Plan
o Responsibilities for Maintenance of Each Part of the Plan
o Test All Changes to Plan
o Advise Person Responsible for BCP Training
For your interest, take a look at the following fragment of a real world audit
report with BCP involved:
Has the Department Adequately Planned For the Actions It Must Take In the Event Of
A Disaster To Minimize the Loss of Computer Operations?
The Department has done little business continuity planning for its critical
computer programs. Department management have implemented some
sound practices, such as a system for backing up critical data. However, the
Department doesn't meet many other planning standards. We found
problems such as the following:
Incident Handling
The major activities involved in the planning and preparation of an incident
handling mechanism should as a minimum include:
- Reporting procedure
- Escalation procedure
Risk Management
Risk is a concept that auditors and managers use to express their concerns
about the probable effects of an uncertain environment. Because the future
cannot be predicted with certainty, auditors and managers have to consider
a range of possible events that could take place [5]. Risk management is a
discipline for dealing with uncertainty [6].
[5] http://www.mc2consulting.com/riskart2.htm
[6] http://www.nonprofitrisk.org/tutorials/rm_tutorial/2.htm
Riskbased Auditing
When performing audit assignments, there are usually two different
approaches: the checklist approach versus the risk-based approach.
Auditing using checklists is basically auditing without an appreciation of
why the auditor is doing some particular task, and can be seen as auditing
without an understanding of the risks involved in the business process.
On the other hand, with risk-based auditing, the auditor must have a
thorough understanding of the business process as well as the risks and
controls in the system for achieving the organization's goals. The
risk-based audit plan is specifically tuned to spend more time on the areas
of highest risk and greatest importance to the goals. Less time will be
spent on areas of lower importance and lower risk.
Project Management
Project Management is an area of decision-making and strategic risk. It is
defined as the application of knowledge, skills, tools, and techniques to
project activities in order to meet or exceed stakeholder needs and
expectations from a project [7].
[7] http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditPage!OpenDocument
Also, read the following document in-depth. This is an excellent article that
describes the complex relationship between Project Management, Risk
Management and the Auditing function:
http://www.knowledgeleader.com/iafreewebsite.nsf/content/TechnologyAuditE-businessrisksProjectMgmt!OpenDocument
By going through these documents, you will be able to tell exactly the role
of the audit function in a project management context.
Change Management
Change Management Defined
You can think of Change Management as
v The task of managing change
v An area of professional practice
v A body of knowledge
In fact, at the heart of change management we have the change problem - some
future state to be realized, some current state to be left behind, and some
process for getting from the one to the other. At the conceptual level, the
change problem is a matter of moving from one state to another. At the
practical level, changes and the change problems they present are problems of
adaptation, that they require the organization to adjust itself to an ever-changing
set of circumstances.
Strategy: Rational-Empirical
Description: People are rational and will follow their self-interest once
it is revealed to them. Change is based on the communication of information
and the proffering of incentives.
Strategy: Normative-Reeducative
Strategy: Power-Coercive
Strategy: Environmental-Adaptive
v Degree of Resistance
v The Stakes
v The Time Frame
v Expertise
v Dependency
Along the journey of making changes, there is a need to control the change
process and the elements within it. Change control is often perceived as a part
of the Change Management process where the audit function may fit in.
If we play with the textual definitions, one may argue that Change Management
and Change Control are two totally different disciplines. In fact, in the field of
Project Management, there tend to be differing understandings of these terms
or expressions. The problems are compounded where participants are
unfamiliar with project work and do not recognize the implicit context.
Change Control is usually applied once the first version of a deliverable has
been completed and agreed.
Change Control
Change Control is a technique for the management of modifications to
existing application software [8]. Compared with the reactiveness of
Incident Reporting, Change Control recognizes the need for adaptation to
externally imposed change, and looks for opportunities for internally
instigated change. It is concerned not only with adaptation of an
application's existing functions, but also with its extension to include
new functions [9].
To know what change control exactly is, take a look at the following
fragment of an audit report extracted from a real world case:
[8] http://www.anu.edu.au/people/Roger.Clarke/SOS/ChgeCtl90.html
[9] Ibid.
Does the Department Adequately Manage the Maintenance and Updating of Its Critical
Software?
The Department places the responsibility for managing changes on the users,
where it belongs. System changes are approved and monitored by several
steering groups made up of users of the system from across the state, as well
as representatives from the Department's programming staff. While
programmers make the actual changes, users decide which changes need to be
made and set priorities for the programmers.
documented. The system of user groups the Department uses to control the
process is well designed. However, change control as a whole could be
improved by adding more organization and better documentation.
Specifically, the Department could improve its system by:
find out whether the proper IS control mechanisms needed by the change
control process are in place and are properly followed.
Does your organization have network and system diagrams and a list of all
system resources?
General guidelines
Program development security is particularly important when there is
proprietary software under development. The general guidelines are:
Allow access to live data only through programs that are in the application
libraries, and nothing else.
- Request control
- Change control
- Release control
- Software concept
- Requirements analysis
- Architectural design
- System testing
The Waterfall Model, a popular version of the systems development life
cycle model for software engineering, includes the following phases:
- System requirements
- Software requirements
- Analysis
- Program design
- Coding
- Testing
- Operations & Maintenance
The Chaos model is a structure of software development that extends the spiral
model and the waterfall model. It notes that the phases of the life cycle apply to
all levels of projects, from the whole project to individual lines of code. In fact,
this model has several tie-ins with the chaos theory:
that lists the requirements of the organization and rates each service provider
on how well they achieve each requirement.
If acquisition is conducted through bidding, certain controls over the
bidding process should be in place. Here are the general guidelines:
- A formal bidding process should be open and fair, encourage competition,
  and provide the purchasing entity with the best product at the lowest
  possible price.
- Develop a checklist for the review of various requirements for formal
  bids, including insurance, bonding, specifications, and evaluation and
  award.
- Establish a system to monitor compliance with the bid tabulation
  procedure, including the rules and controls for accepting bid changes
  after the bids are opened.
- Develop and implement an effective filing system for bid files.
- Require that all purchase specifications clearly state the bid evaluation
  criteria and ascertain that the staff use only the evaluation criteria
  included in the purchase specifications.
- Criteria for bids should be laid out in the request for proposal.
Technical Readings
There are 5 sections included in this part of the study guide. They cover
the majority of technical topics that will be tested in the CISA/CISM
exams. By going through all of them your readiness for the real exams can
be reasonably assured.
- Section 1: Topics on security theory.
- Section 2: Topics on hacking, attacking, defending and auditing.
- Section 3: Topics on encryption and VPN.
- Section 4: Topics on responding to attacks.
- Section 5: Topics on viruses.
Slide 1
Technical Readings for CISA/CISM candidates
Covering the technical elements of the 2005/06 objectives
Slide 3
Basically, we did all the homework for you! We:
- reviewed the major preparation products available in the market and
  identified the missing critical information
- collected and summarized these missing pieces and present them to you in
  an easy-to-follow style
Slide 4
Make sure you have enough time: based on past experience, it takes an
average student three full days at the least to go through all the
sections.
Slide 5
Copyright Information
Some contents of this product are extracted and recompiled from the various
Linux Security HOWTO documents, which are copyrighted by Kevin Fenzi and
Dave Wreski, and distributed under the following terms:
  Linux HOWTO documents may be reproduced and distributed in whole or in
  part, in any medium, physical or electronic, as long as this copyright
  notice is retained on all copies. All translations, derivative works, or
  aggregate works incorporating any Linux HOWTO documents are covered under
  this copyright notice.
Information presented in this product is platform independent. Content has
been modified to fulfill the purpose of this product.
Copyright 2005/06. All rights reserved.
Slide 6
Section 1
Security Theory
Slide 7
Section 1 Issue 1
Why Do We Need Security?
In the ever-changing world of global data communications, inexpensive
Internet connections, and fast-paced software development, security is
becoming more and more of an issue. Security is now a basic requirement
because global computing is inherently insecure. As your data goes from
point A to point B on the Internet, for example, it may pass through several
other points along the way, giving other users the opportunity to intercept,
and even alter, it. Even other users on your system may maliciously
transform your data into something you did not intend.
Unauthorized access to your system may be obtained by intruders, also known
as "crackers", who then use advanced knowledge to impersonate you, steal
information from you, or even deny you access to your own resources.
Slide 8
Section 1 Issue 2
How Secure Is Secure?
First, keep in mind that no computer system can ever be completely secure.
All you can do is make it increasingly difficult for someone to compromise
your system. For the average home user, not much is required to keep the
casual cracker at bay. However, for high-profile users (banks,
telecommunications companies, etc.), much more work is required.
Slide 9
How Secure Is Secure?
Another factor to take into account is that the more secure your system is,
the more intrusive your security becomes. You need to decide where in this
balancing act your system will still be usable, and yet secure for your
purposes. For instance, you could require everyone dialing into your system
to use a callback modem to call them back at their home number. This is more
secure, but if someone is not at home, it makes it difficult for them to log
in. You could also set up your system with no network or connection to the
Internet, but this limits its usefulness.
Slide 10
If you are a medium to large-sized site, you should establish a security
policy stating how much security is required by your site and what auditing
is in place to check it.
Slide 11
Section 1 Issue 3
What Are You Trying to Protect?
Before you attempt to secure your system, you should determine what level of
threat you have to protect against, what risks you should or should not
take, and how vulnerable your system is as a result. You should analyze your
system to know what you're protecting, why you're protecting it, what value
it has, and who has responsibility for your data and other assets.
Slide 12
Risk is the possibility that an intruder may be successful in attempting to
access your computer. Can an intruder read or write files, or execute
programs that could cause damage? Can they delete critical data? Can they
prevent you or your company from getting important work done? Don't forget:
someone gaining access to your account, or your system, can also impersonate
you. Additionally, having one insecure account on your system can result in
your entire network being compromised. If you allow a single user to log in
using a .rhosts file, or to use an insecure service such as tftp, you risk
an intruder getting 'his foot in the door'. Once the intruder has a user
account on your system, or someone else's system, it can be used to gain
access to another system, or another account.
Threat is typically from someone with motivation to gain unauthorized access
to your network or computer. You must decide whom you trust to have access
to your system, and what threat they could pose.
Slide 13
Section 1 Issue 4
Types of intruders:
- The Curious: this type of intruder is basically interested in finding out
  what type of system and data you have.
- The Malicious: this type of intruder is out to either bring down your
  systems, or deface your web page, or otherwise force you to spend time and
  money recovering from the damage he has caused.
- The High-Profile Intruder: this type of intruder is trying to use your
  system to gain popularity and infamy. He might use your high-profile
  system to advertise his abilities.
Slide 14
- The Competition: this type of intruder is interested in what data you have
  on your system. It might be someone who thinks you have something that
  could benefit him, financially or otherwise.
- The Borrowers: this type of intruder is interested in setting up shop on
  your system and using its resources for their own purposes. He typically
  will run chat or IRC servers, porn archive sites, or even DNS servers.
- The Leapfrogger: this type of intruder is only interested in your system
  to use it to get into other systems. If your system is well connected or a
  gateway to a number of internal hosts, you may well see this type trying
  to compromise your system.
Slide 15
Section 1 Issue 5
Vulnerability
It describes how well protected your computer is from another network, and
the potential for someone to gain unauthorized access. What's at stake if
someone breaks into your system? Of course the concerns of a dynamic PPP
home user will be different from those of a company connecting their machine
to the Internet, or another large network.
How much time would it take to retrieve/recreate any data that was lost? An
initial time investment now can save ten times more time later if you have
to recreate data that was lost. Have you checked your backup strategy, and
verified your data lately?
Slide 16
Section 1 Issue 6
Developing A Security Policy
Create a simple, generic policy for your system that your users can readily
understand and follow. It should protect the data you're safeguarding as
well as the privacy of the users. Some things to consider adding are: who
has access to the system (Can my friend use my account?), who's allowed to
install software on the system, who owns what data, disaster recovery, and
appropriate use of the system.
Slide 17
A generally accepted security policy starts with the phrase
"That which is not permitted is prohibited"
This means that unless you grant access to a service for a user, that user
shouldn't be using that service until you do grant access. Make sure the
policies work on your regular user account. Saying, "Ah, I can't figure out
this permissions problem, I'll just do it as root" can lead to security
holes that are very obvious, and even ones that haven't been exploited yet.
RFC 1244 is a document that describes how to create your own network
security policy (it has since been superseded by RFC 2196, the Site Security
Handbook).
RFC 1281 is a document that shows an example security policy with detailed
descriptions of each step.
Finally, you might want to look at the COAST policy archive at
ftp://coast.cs.purdue.edu/pub/doc/policy to see what a real-life security
policy looks like. There are policy files for public download.
Slide 18
Section 1 Issue 7
Means of Securing Your Site
What would happen to your reputation if an intruder deleted some of your
users' data? Or defaced your web site? Or published your company's corporate
project plan for next quarter? If you are planning a network installation,
there are many factors you must take into account before adding a single
machine to your network.
Even if you have a single dial-up PPP account, or just a small site, this
does not mean intruders won't be interested in your systems. Large,
high-profile sites are not the only targets; many intruders simply want to
exploit as many sites as possible, regardless of their size. Additionally,
they may use a security hole in your site to gain access to other sites
you're connected to.
Intruders have a lot of time on their hands, and can avoid guessing how
you've obscured your system just by trying all the possibilities. There are
also a number of reasons an intruder may be interested in your systems, as
discussed above under Types of intruders.
Slide 19
Section 1 Issue 8
Host Security
Perhaps the area of security on which administrators concentrate most is
host-based security. This typically involves making sure your own system is
secure, and hoping everyone else on your network does the same. Choosing
good passwords, securing your host's local network services, keeping good
accounting records, and upgrading programs with known security exploits are
among the things the local security administrator is responsible for doing.
Although this is absolutely necessary, it can become a daunting task once
your network becomes larger than a few machines.
Slide 20
Section 1 Issue 9
Local Network Security
Network security is as necessary as local host security. With hundreds,
thousands, or more computers on the same network, you can't rely on each one
of those systems being secure. Ensuring that only authorized users can use
your network, building firewalls, using strong encryption, and ensuring
there are no "rogue" (that is, unsecured) machines on your network are all
part of the network security administrator's duties.
Slide 21
Section 1 Issue 10
Security Through Obscurity
One type of security that must be discussed is "security through
obscurity". This means, for example, moving a service that has known
security vulnerabilities to a non-standard port in hopes that attackers
won't notice it's there and thus won't exploit it. Rest assured that they
can determine that it's there and will exploit it. Security through
obscurity is no security at all. Simply because you may have a small site,
or a relatively low profile, does not mean an intruder won't be interested
in what you have.
Slide 22
Section 1 Issue 11
Physical Security
The first layer of security you need to take into account is the physical
security of your computer systems. Who has direct physical access to your
machine? Should they? Can you protect your machine from their tampering?
Should you?
How much physical security you need on your system is very dependent on
your situation, and/or budget.
Slide 23
If you are a home user, you probably don't need a lot (although you might
need to protect your machine from tampering by children or annoying
relatives). If you are in a lab, you need considerably more, but users will
still need to be able to get work done on the machines. Many of the
following sections will help out. If you are in an office, you may or may
not need to secure your machine off-hours or while you are away. At some
companies, leaving your console unsecured is a termination offense.
Obvious physical security methods such as locks on doors, cables, locked
cabinets, and video surveillance are all good ideas, but beyond the scope of
this document.
Slide 24
Section 1 Issue 12
Computer locks
Many modern PC cases include a "locking" feature. Usually this will be a
socket on the front of the case that allows you to turn an included key to a
locked or unlocked position. Case locks can help prevent someone from
stealing your PC, or opening up the case and directly manipulating/stealing
your hardware. They can also sometimes prevent someone from rebooting your
computer from their own floppy or other hardware.
Slide 25
These case locks do different things according to the support in the
motherboard and how the case is constructed. On many PCs they make it so you
have to break the case to get the case open. On some others, they will not
let you plug in new keyboards or mice. Check your motherboard or case
instructions for more information. This can sometimes be a very useful
feature, even though the locks are usually very low quality and can easily
be defeated by attackers with locksmithing.
Some machines (most notably SPARCs and Macs) have a dongle on the back that,
if you put a cable through, attackers would have to cut the cable or break
the case to get into it. Just putting a padlock or combo lock through these
can be a good deterrent to someone stealing your machine.
Slide 26
Section 2
Hacking, attacking, defending and auditing
Slide 27
Section 2 Issue 1
To be able to defend and audit, you should know how to hack (think like a
hacker).
Slide 28
Section 2 Issue 2
Packet Sniffers
One of the most common ways intruders gain access to more systems on your
network is by employing a packet sniffer on an already compromised host.
This "sniffer" just listens on the Ethernet port for things like passwd and
login and su in the packet stream and then logs the traffic after that.
This way, attackers gain passwords for systems they are not even attempting
to break into. Cleartext passwords are very vulnerable to this attack.
Example: Host A has been compromised. The attacker installs a sniffer. The
sniffer picks up the admin logging in to Host B from Host C. It gets the
admin's personal password as they log in to B. Then, the admin does a su to
fix a problem. They now have the root password for Host B. Later the admin
lets someone telnet from his account to Host Z on another site. Now the
attacker has a password/login on Host Z.
Slide 29
In this day and age, the attacker doesn't even need to compromise a system
to do this: they could also bring a laptop or PC into a building and tap
into your net.
Using ssh or other encrypted password methods thwarts this attack. Things
like APOP for POP accounts also prevent this attack. (Normal POP logins are
very vulnerable to this, as is anything that sends cleartext passwords over
the network.)
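The Python example below is added here to show the difference the slide
describes on the wire; it is not from the HOWTO or the study guide. It
builds the client lines of a plain USER/PASS POP3 login and of an APOP
login, computes the APOP digest as RFC 1939 defines it (MD5 over the
server's timestamp banner followed by the shared secret), and then shows
what a passive sniffer can extract from each. The banner and secret are the
example values from RFC 1939 itself; the user name and the second banner are
assumptions.

```python
import hashlib
from typing import Dict, List, Optional

# Banner and secret from the APOP example in RFC 1939 (protocol example, not a capture).
BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"


def apop_digest(timestamp: str, secret: str) -> str:
    """APOP digest as defined in RFC 1939: MD5 over the server's timestamp
    (including the angle brackets) followed by the shared secret, rendered
    as 32 lowercase hex digits."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def timestamp_from_banner(banner: str) -> str:
    return banner[banner.index("<"):banner.index(">") + 1]


def plain_login(user: str, password: str) -> List[str]:
    """USER/PASS login: the password crosses the wire verbatim."""
    return [f"USER {user}", f"PASS {password}"]


def apop_login(user: str, password: str, banner: str) -> List[str]:
    """APOP login: only a digest bound to this server banner crosses the wire."""
    return [f"APOP {user} {apop_digest(timestamp_from_banner(banner), password)}"]


def server_check_apop(line: str, banner: str, secrets: Dict[str, str]) -> bool:
    """Server side: recompute the digest from the banner it sent and the
    stored secret. A digest made against an earlier banner does not match,
    so a captured APOP line cannot simply be replayed."""
    _, user, digest = line.split()
    secret = secrets.get(user)
    return secret is not None and apop_digest(timestamp_from_banner(banner), secret) == digest


def sniffer_view(lines: List[str]) -> Optional[str]:
    """What a passive sniffer on the segment learns from the client's lines:
    a PASS line hands over the password outright; an APOP line does not."""
    for line in lines:
        if line.startswith("PASS "):
            return line[len("PASS "):]
    return None


if __name__ == "__main__":
    secrets = {"mrose": SECRET}
    print("sniffed from USER/PASS:", sniffer_view(plain_login("mrose", SECRET)))
    apop = apop_login("mrose", SECRET, BANNER)
    print("sniffed from APOP:", sniffer_view(apop), "| on the wire:", apop[0])
    print("server accepts:", server_check_apop(apop[0], BANNER, secrets))
    # A later session gets a fresh timestamp (assumed banner), so replay fails.
    later = "+OK POP3 server ready <1897.697171000@dbc.mtview.ca.us>"
    print("replay accepted:", server_check_apop(apop[0], later, secrets))
```

APOP only protects against passive capture: the sniffer still sees the
banner and the digest, and can try candidate secrets offline against them,
which is why the slide's first recommendation, an encrypted channel such as
ssh, is the stronger one.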
Slide 30
Section 2 Issue 3
SATAN, ISS, and Other Network Scanners
There are a number of different software packages out there that do port and
service-based scanning of machines or networks. SATAN, ISS, SAINT, and
Nessus are some of the more well-known ones. This software connects to the
target machine (or all the target machines on a network) on all the ports it
can, and tries to determine what service is running there. Based on this
information, you can tell if the machine is vulnerable to a specific exploit
on that server.
SATAN (Security Administrator's Tool for Analyzing Networks) is a port
scanner with a web interface. It can be configured to do light, medium, or
strong checks on a machine or a network of machines. It's a good idea to get
SATAN and scan your machine or network, and fix the problems it finds. Make
sure you get the copy of SATAN from metalab or a reputable FTP or web site.
There was a Trojan copy of SATAN that was distributed out on the net. Note
that SATAN has not been updated in quite a while, and some of the other
tools below might do a better job.
Slide 31
ISS (Internet Security Scanner) is another port-based scanner. It is faster
than SATAN, and thus might be better for large networks. However, SATAN
tends to provide more information.
Abacus is a suite of tools developed by Psionic to provide host-based
security and intrusion detection.
Slide 32
SAINT is an updated version of SATAN. It is web based and has many more
up-to-date tests than SATAN.
Nessus is a free security scanner. It has a graphical interface for ease of
use. It is also designed with a very nice plugin setup for newly updated
port scanning tests.
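As an added illustration of what these scanners do first (this is example
code, not part of any of the tools named above or of the study guide), the
Python script below performs a TCP connect() scan and banner grab against a
fake service bound on localhost, so it runs offline. The banner text, the
choice of a bound-but-not-listening socket as the "closed" port, and the
guess_service heuristics are assumptions made for the example.

```python
import socket
import threading
from typing import Dict, Iterable, Tuple


def start_fake_service(banner: bytes) -> Tuple[int, socket.socket]:
    """Stand-in for a network daemon: listen on an ephemeral localhost port
    and send `banner` to every client. Returns (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, Tuple[str, str]]:
    """TCP connect() scan: complete the three-way handshake on each port and
    read whatever banner the service volunteers. Returns {port: (state, banner)}.
    Because a full connection is made, the target's daemons and tcp_wrappers
    log every probe; that is the price of this simplest scan type."""
    results: Dict[int, Tuple[str, str]] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:   # refused or timed out
                results[port] = ("closed", "")
                continue
            try:
                banner = s.recv(256).decode("ascii", errors="replace").strip()
            except socket.timeout:
                banner = ""                        # open, but the service waits for the client
            results[port] = ("open", banner)
    return results


def guess_service(banner: str) -> str:
    """Crude banner-based identification, as scanners do once a port is open."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220") and "SMTP" in banner.upper():
        return "smtp"
    if banner.startswith("+OK"):
        return "pop3"
    return "unknown"


def demo() -> Dict[int, Tuple[str, str]]:
    """Scan two localhost ports: one with a fake SMTP daemon, one reserved
    by a socket that never calls listen(), so the kernel refuses connections."""
    open_port, srv = start_fake_service(b"220 mail.example.test ESMTP ready\r\n")
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
        closed.close()


if __name__ == "__main__":
    for port, (state, banner) in demo().items():
        print(f"{port:5d}/tcp {state:6s} {guess_service(banner):8s} {banner}")
```

Run against a real host only with written authorization: even this
"light" scan shows up in the target's logs, which is exactly what the next
issue relies on.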
Slide 33
Security scanners are often used in the process of security auditing as
well as footprinting.
Footprinting is the first step in information gathering for hackers. To
perform a successful attack, one needs to gather information on all aspects
of the prospective organization's security posture: profile of their
Intranet, remote access capabilities, and intranet/extranet presence, etc.
Slide 34
Footprinting relies on information gathering. These are popular sources of
such information:
- American Registry for Internet Numbers
- CERT/CC Finding Site Contacts
- InterNIC
- Network Operations Centers List
- Network Solutions
- US Securities and Exchange Commission
Enumeration is also an information gathering technique, but is an intrusive
one! It is the process of extracting valid user accounts, poorly protected
file shares or other resources from a target system. This process is usually
logged.
Slide 35
Security auditing to be performed before anything has happened typically
involves the use of security scanners and other tools to test the security
level of the network.
Slide 36
Security auditing to be performed after things have gone wrong typically
involves the examination of the audit trail. However, the presence of
rootkits and cover-tracks tools may hinder this process.
Rootkits are tools used by hackers to hide their presence on compromised
systems. They are mostly collections of trojaned binaries that replace the
common commands (ls, ps, netstat and the like), so that the intruder's
files, processes and connections are no longer reported.
Cover-tracks tools can wipe out the audit logs. Examples include Wipe and
Zap.
Slide 37
Section 2 Issue 4
Detecting Port Scans
There are some tools designed to alert you to probes by SATAN and ISS and
other scanning software. However, if you liberally use tcp_wrappers, and
look over your log files regularly, you should be able to notice such
probes. Even on the lowest setting, SATAN still leaves traces in the logs
on a stock Red Hat system.
There are also "stealth" port scanners. A packet with the TCP ACK bit set
(as is done with established connections) will likely get through a packet
filtering firewall that only blocks incoming SYNs. The RST returned from a
port that had no established session shows that the host is reachable
through the filter (it does not say whether the port is open, since both
open and closed ports answer an unsolicited ACK with a RST). TCP wrappers
will not detect this, because no connection is ever accepted by the
application.
Slide 38
Section 2 Issue 5
Denial of Service Attacks
A "Denial of Service" (DoS) attack is one where the attacker tries to make
some resource too busy to answer legitimate requests, or to deny legitimate
users access to your machine.
Denial of service attacks have increased greatly in recent years.
Slide 39
There is no fixed format of DoS. In fact, there are many types of DoS
attacks that are based on tons of different methods. A Denial of Service
attack can be based on crashing routers, which makes a network inaccessible,
crashing DNS servers, which prevents the use of domain names, congesting
hosts with requests, etc.; it can be anything that stops things from
working.
A DoS attack is often used in conjunction with another attack (for example,
to silence a host whose address the attacker is spoofing), but it can also
be the attacker's only goal.
Slide 40
SYN Flooding. SYN flooding is a network denial of service attack. It takes
advantage of a "loophole" in the way TCP connections are created: the
server allocates state for every half-open connection as soon as the SYN
arrives, and the backlog that holds those half-open connections is finite.
- Sometimes known as Synk4, after a tool of that name.
- Systems which fall prey to the SYN flooding attack will have difficulty
  accepting any new incoming network connections. Therefore, legitimate
  users attempting to connect to the server will not be able to do so.
Slide 41
Pentium "F00F" Bug. It was discovered that a particular instruction
sequence (the invalid opcode bytes F0 0F C7 C8, hence the name) sent to a
genuine Intel Pentium processor would lock up the machine, forcing a
reboot. This affects every machine with a Pentium processor (not clones,
not Pentium Pro or PII), no matter what operating system it's running.
Slide 42
PingFlooding/Smurf/FragglePingfloodingisa
simplebruteforcedenialofserviceattack.Theattacker
sendsa"flood"ofICMPpacketstoyourmachine.Ifthey
aredoingthisfromahostwithbetterbandwidththanyours,
yourmachinewillbeunabletosendanythingonthe
network.
n
Avariationonthisattack,called"smurfing",sendsICMP
packetstoahostwithyourmachine'sreturnIP,allowingthem
tofloodyoulessdetectably.
Smurfattacksarenetworkamplificationattacks.
FraggleattackissimilartoSmurfattackexceptthatit
usesUDPechopackets,notICMPechos.
Slide 43: Ping o' Death, Teardrop / NewTear
- The Ping o' Death attack sends ICMP ECHO REQUEST packets that are too large to fit in the kernel data structures intended to store them. Because sending a single, large (65,510 bytes) "ping" packet to many systems will cause them to hang or even crash, this problem was quickly dubbed the "Ping o' Death." This one has long been fixed, and is no longer anything to worry about.
- Teardrop / NewTear: One of the most recent exploits involves a bug present in the IP fragmentation code on Linux and Windows platforms. Teardrop is an attack that exploits the vulnerability found in some implementations of packet reassembly. NewTear is a newer teardrop-type exploit which mainly affects NT4 and Win95.
Slide 44: Land / LaTierra
The Land attack uses IP spoofing in combination with the opening of a TCP connection. Both the source and destination IP addresses are modified to be the same, the address of the destination host. It misleads the machine into continuing to send ACK packets and thus remaining in the loop. The LaTierra attack is similar except that LaTierra sends the TCP packet to more than one port and more than once.
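As an added example (not from the study guide), the following host-side monitor turns three indicators described on slides 37, 40 and 44 into code: an inbound ACK for a connection that had no session, a pile-up of half-open SYNs, and a packet whose source and destination addresses are equal. The packet records, addresses and thresholds are constructed assumptions for the demonstration.

```python
# Added example (not from the study guide): a host-side TCP flag monitor for
# three indicators described on slides 37, 40 and 44. The packet tuples and
# the thresholds are constructed assumptions for the demonstration.
from collections import defaultdict

# Inbound packets to the host we defend (192.0.2.10), as
# (src_ip, src_port, dst_ip, dst_port, flags); flags use tcpdump letters.
SAMPLE_PACKETS = [
    # a normal client: SYN, then the ACK that completes the handshake
    ("198.51.100.7", 40001, "192.0.2.10", 22, "S"),
    ("198.51.100.7", 40001, "192.0.2.10", 22, "A"),
    # "stealth" probe: ACKs to several ports although no SYN was ever sent
    ("203.0.113.9", 55000, "192.0.2.10", 21, "A"),
    ("203.0.113.9", 55001, "192.0.2.10", 25, "A"),
    ("203.0.113.9", 55002, "192.0.2.10", 80, "A"),
    # burst of SYNs that never complete, from many (spoofed-looking) sources
    *[("10.%d.%d.%d" % (i, i, i), 1024 + i, "192.0.2.10", 80, "S")
      for i in range(1, 21)],
    # Land-style packet: source address and port equal the destination's
    ("192.0.2.10", 139, "192.0.2.10", 139, "S"),
]


def analyse(packets, probe_ports=3, half_open_limit=10):
    """Walk inbound packets and return the indicators found."""
    half_open = set()                    # SYN seen, handshake not finished
    established = set()                  # SYN followed by ACK
    ack_probe_ports = defaultdict(set)   # src -> ports hit by unsolicited ACKs
    land = []
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dport)
        if src == dst:                   # slide 44: Land / LaTierra shape
            land.append((src, dport))
            continue
        if "R" in flags:                 # RST tears down whatever we tracked
            half_open.discard(key)
            established.discard(key)
        elif "S" in flags and "A" not in flags:
            half_open.add(key)           # slide 40: a new half-open connection
        elif "A" in flags:
            if key in half_open:         # third step of a real handshake
                half_open.discard(key)
                established.add(key)
            elif key not in established:
                # slide 37: ACK for a port that had no session at all
                ack_probe_ports[src].add(dport)
    return {
        "ack_probe_sources": sorted(s for s, ports in ack_probe_ports.items()
                                    if len(ports) >= probe_ports),
        "half_open_count": len(half_open),
        "syn_flood": len(half_open) >= half_open_limit,
        "land_packets": land,
    }


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_PACKETS).items():
        print(name, value)
```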
Slide 45: Blast, Bonk
- Blast: a small and quick TCP service stress test tool that can spot potential weaknesses in your network servers. It can be used as a tool for generating a DoS attack!
- Bonk: an attack that modifies the fragment offset. Also known as teardrop reversed.
Slide 46
There are many ways to protect oneself against DoS attacks. The most popular ways are:
- patching the networking code of the OS kernel
- configuring the network with protective devices such as firewalls.
Slide 47 (Section 2 Issue 6): Firewalls
- Firewalls are a means of controlling what information is allowed into and out of your local network. Typically the firewall host is connected to the Internet and your local LAN, and the only access from your LAN to the Internet is through the firewall. This way the firewall can control what passes back and forth between the Internet and your LAN.
Slide 48
- There are a number of types of firewalls and methods of setting them up.
- Linux machines make pretty good firewalls. Firewall code can be built right into 2.0 and higher kernels. The user space tools, ipfwadm for 2.0 kernels and ipchains for 2.2 kernels, allow you to change, on the fly, the types of network traffic you allow. You can also log particular types of network traffic.
- Windows 2000 provides simple packet filtering functions. Windows XP provides Internet Connection Firewall.
Slide 49
Webopedia classifies firewall techniques as below:
- Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
- Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
- Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
- Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
Slide 50
The National Institute of Standards and Technology has put together an excellent document on firewalls. Although dated 1995, it is still quite good (http://csrc.nist.gov/).
Slide 51 (Section 2 Issue 7): BIOS Security
- The BIOS is the lowest level of software that configures or manipulates your x86-based hardware. All boot methods access the BIOS to determine how to boot up your machine. Other hardware has similar software (OpenFirmware on Macs and new Suns, Sun boot PROM, etc.). You can use your BIOS to prevent attackers from rebooting your machine and manipulating your system.
- Many PC BIOSs let you set a boot password. This doesn't provide all that much security (the BIOS can be reset, or removed if someone can get into the case), but might be a good deterrent (i.e. it will take time and leave traces of tampering). This might slow attackers down.
Slide 52
Many x86 BIOSs also allow you to specify various other good security settings. Check your BIOS manual or look at it the next time you boot up. For example, some BIOSs disallow booting from floppy drives and some require passwords to access some BIOS features.
Note: If you have a server machine, and you set up a boot password, your machine will not boot up unattended. Keep in mind that you will need to come in and supply the password in the event of a power failure.
Slide 53 (Section 2 Issue 8): DLL Injection
- A method of inserting malicious code into another running process so that access to some otherwise restricted piece of information is possible.
Slide 54 (Section 2 Issue 9): Back Door
- An easy route back into an already compromised system that was put in place by the current attacker or a previous attacker. It may be a program that binds itself to a specific port and listens for the attacker to connect to it, or a pre-tested exploit that is configured by the attacker for future reuse.
Slide 55 (Section 2 Issue 10): Privilege Escalation
- The stage of penetration that occurs AFTER an attacker has already gained access to a system.
- It aims at gaining administrator-level privileges on the system.
Slide 56 (Section 2 Issue 11): War Dialing
- Attack through the phone system.
- War dialers were originally developed by and for phone phreaks seeking free long distance service.
- They are well suited to the task of scanning and finding modems for possible network entry.
- Examples include: TeleSweep Secure, PhoneSweep, THC Scan.
Slide 57 (Section 2 Issue 12): Purloining and Pilfering
- Often referred to as image and bandwidth theft.
- Digital watermarking is one way to protect against image theft.
q
57
268
Notes:
Slide 58
Section 3
EncryptionandVPN
Slide 59 (Section 3 Issue 1): VPNs (Virtual Private Networks)
- VPNs are a way to establish a "virtual" network on top of some already existing network. This virtual network often is encrypted and passes traffic only to and from some known entities that have joined the network. VPNs are often used to connect someone working at home over the public Internet to an internal company network.
- VPNs use authenticated links to ensure that only authorized users can connect to your network, and they use encryption to ensure that data that travels over the Internet can't be intercepted and used by others. VPN technology also allows a corporation to connect to its branch offices or to other companies over a public network while maintaining secure communications.
- In Windows 2000, VPNs are built using PPTP or L2TP.
Slide 60
- Point-to-Point Tunneling Protocol (PPTP) provides data encryption using Microsoft Point-to-Point Encryption.
- Layer Two Tunneling Protocol (L2TP) provides data encryption, authentication, and integrity using IPSec.
- PPTP is suitable for non-Windows 2000 computers.
- L2TP is suitable for Windows 2000 or Windows XP clients.
- If you want to try out configuring a VPN with Windows 2000, read the MS KB article 308208.
Slide 61 (Section 3 Issue 2)
According to Webopedia, "As the Internet and other forms of electronic communication become more prevalent, electronic security is becoming increasingly important. Cryptography is used to protect email messages, credit card information, and corporate data. One of the most popular cryptography systems used on the Internet is Pretty Good Privacy because it's effective and free. Cryptography systems can be broadly classified into symmetric-key systems that use a single key that both the sender and recipient have, and public-key systems that use two keys, a public key known to everyone and a private key that only the recipient of messages uses."
Slide 62 (Section 3 Issue 3): CA
- Certification authorities are responsible for managing certificate requests and issuing certificates to participating IPSec network peers. These services provide centralized key management for the participating peers and simplify administration.
Slide 63 (Section 3 Issue 4): Digital Signatures
- Digital signatures are enabled by public key cryptography and provide a means to digitally authenticate devices and individual users.
- In public key cryptography, each user has a key pair containing both a public and a private key. Anything encrypted with one of the keys can be decrypted with the other.
- In simple terms, a signature is formed when data is encrypted with a user's private key. The receiver verifies the signature by decrypting the message with the sender's public key.
- The fact that the message could be decrypted using the sender's public key shows that the holder of the private key must have created the message.
Slide 64
How can you know with a high degree of certainty that a public key really does belong to the sender, and not to someone pretending to be the sender?
- Use digital certificates. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department or IP address. It also contains a copy of the entity's public key.
Slide 65
- Since the certificate is itself signed by a certification authority, it is trustworthy.
- To be able to validate the CA's signature, the receiver must know the CA's public key. This is usually handled out of band or through an operation done at installation.
- Without digital signatures, one must manually exchange public keys or secrets between each pair of peers that use IPSec to protect communications between them.
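As an added example that is not the study guide's code, the following Python walks through the sign/verify flow of slide 63 and the certificate checks of slides 64 and 65 using textbook RSA over SHA-256. The toy Mersenne-prime keys, the JSON certificate layout and the names Alice and CA are assumptions made for the demonstration; the CA public key stands for the one the receiver obtains out of band.

```python
# Added example, not the study guide's code: textbook RSA over SHA-256 used to
# show the signature flow of slide 63 and the certificate chain of slides 64
# and 65. Keys are toy-sized Mersenne primes chosen for readability; real
# systems use padded RSA (or ECDSA) with 2048-bit or larger moduli.
import hashlib
import json


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for primes p, q; assumes gcd(e, phi) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def digest_int(data, n):
    """SHA-256 of the data, read as an integer inside the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private_key):
    """Slide 63: the hash is 'encrypted' with the private key."""
    n, d = private_key
    return pow(digest_int(data, n), d, n)


def verify(data, signature, public_key):
    """Slide 63: 'decrypt' with the public key and compare with the hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)


def issue_certificate(subject, subject_pub, ca_private):
    """Slide 64: identity plus public key, signed by the CA's private key."""
    body = {"subject": subject, "n": subject_pub[0], "e": subject_pub[1]}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "ca_signature": sign(encoded, ca_private)}


def verify_signed_message(data, signature, cert, ca_public):
    """Slide 65: check the CA's signature on the certificate first, then use
    the certified public key to check the sender's signature on the data."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    if not verify(encoded, cert["ca_signature"], ca_public):
        return False                     # not issued by the CA we trust
    sender_pub = (cert["body"]["n"], cert["body"]["e"])
    return verify(data, signature, sender_pub)


# Constructed keys. The CA public key is what the receiver learns out of band.
CA_PUB, CA_PRIV = make_keypair((1 << 61) - 1, (1 << 89) - 1)
ALICE_PUB, ALICE_PRIV = make_keypair((1 << 31) - 1, (1 << 107) - 1)
ALICE_CERT = issue_certificate("alice@example.test", ALICE_PUB, CA_PRIV)


def demo():
    """Returns (genuine, tampered, impostor) verification results."""
    msg = b"transfer 100 to account 42"
    sig = sign(msg, ALICE_PRIV)
    genuine = verify_signed_message(msg, sig, ALICE_CERT, CA_PUB)
    tampered = verify_signed_message(msg + b"0", sig, ALICE_CERT, CA_PUB)
    # An impostor can mint a certificate naming Alice, but cannot get the CA
    # to sign it, so the receiver rejects it at the first check.
    mal_pub, mal_priv = make_keypair((1 << 17) - 1, (1 << 127) - 1)
    fake_cert = issue_certificate("alice@example.test", mal_pub, mal_priv)
    impostor = verify_signed_message(msg, sign(msg, mal_priv), fake_cert, CA_PUB)
    return genuine, tampered, impostor


if __name__ == "__main__":
    print(demo())                        # (True, False, False)
```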
Slide 66 (Section 3 Issue 5): Legal Issues
- Be careful when deploying cryptography technology overseas. According to Webopedia, "PGP is such an effective encryption tool that the U.S. government actually brought a lawsuit against Zimmerman for putting it in the public domain and hence making it available to enemies of the U.S. After a public outcry, the U.S. lawsuit was dropped, but it is still illegal to use PGP in many other countries."
- By the way, if you want to learn more about PGP, refer to its official home page at PGPI.ORG.
Slide 67 (Section 4): Responding to Attacks
Slide 68 (Section 4 Issue 1): Security Compromise Underway
- Spotting a security compromise underway can be a tense undertaking. How you react can have large consequences.
- If the compromise you are seeing is a physical one, odds are you have spotted someone who has broken into your home, office or lab. You should notify your local authorities. In a lab, you might have spotted someone trying to open a case or reboot a machine. Depending on your authority and procedures, you might ask them to stop, or contact your local security people.
Slide 69: Detecting Physical Security Compromises
- The first thing to always note is when your machine was rebooted. The only times your machine should reboot is when you take it down for OS upgrades, hardware swapping, or the like. If your machine has rebooted without you doing it, that may be a sign that an intruder has compromised it. Many of the ways that your machine can be compromised require the intruder to reboot or power off your machine.
- Check for signs of tampering on the case and computer area. Although many intruders clean traces of their presence out of logs, it's a good idea to check through them all and note any discrepancy.
- It is also a good idea to store log data at a secure location, such as a dedicated log server within your well-protected network. Once a machine has been compromised, log data becomes of little use as it most likely has also been modified by the intruder.
Slide 70
The syslog daemon can be configured to automatically send log data to a central syslog server, but this is typically sent unencrypted, allowing an intruder to view data as it is being transferred. This may reveal information about your network that is not intended to be public. There are syslog daemons available that encrypt the data as it is being sent.
Also be aware that faking syslog messages is easy, an exploit program having been published. Syslog even accepts network log entries claiming to come from the local host without indicating their true origin.
Slide 71
Some things to check for in your logs:
- Short or incomplete logs.
- Logs containing strange timestamps.
- Logs with incorrect permissions or ownership.
- Records of reboots or restarting of services.
- Missing logs.
- su entries or logins from strange places.
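As an added example not from the study guide, this Python pass checks constructed syslog-style lines for several items on the checklist above: timestamps that run backwards, reboot or service restart records, su entries, logins from places outside an expected set, and an empty or unparseable log. The log lines, the year used to order the stamps, and the set of expected login origins are assumptions made for the demonstration.

```python
# Added example (not from the study guide): a review pass over syslog-style
# lines for several items on slide 71's checklist. The log lines, the year
# and the set of expected login origins are constructed for the demonstration.
import re
from datetime import datetime

# Traditional syslog line: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+?):\s+(.*)$")
# Places from which interactive logins are normal on this host (assumption).
EXPECTED_ORIGINS = {"10.0.0.20", "10.0.0.21", "console"}

SAMPLE_LOG = """\
Mar  3 08:00:01 srv1 sshd[412]: Accepted password for bob from 10.0.0.20 port 51022 ssh2
Mar  3 08:15:10 srv1 su: (to root) bob on pts/1
Mar  3 08:20:44 srv1 sshd[499]: Accepted password for bob from 203.0.113.77 port 40211 ssh2
Mar  3 08:21:02 srv1 su: (to root) bob on pts/3
Mar  3 07:55:00 srv1 kernel: klogd started
Mar  3 07:55:30 srv1 syslogd: restart
Mar  3 09:02:11 srv1 inetd[600]: restarting services
"""


def review(text, year=2006):
    """Return (line_no, reason) findings; an empty list means nothing stood out."""
    findings, last_ts = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((no, "unparseable line"))   # incomplete or damaged
            continue
        stamp, _host, prog, msg = m.groups()
        # syslog stamps carry no year, so one is supplied to order them
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if last_ts is not None and ts < last_ts:
            findings.append((no, "timestamp goes backwards"))  # strange stamps
        last_ts = ts
        low = msg.lower()
        if "restart" in low or "klogd started" in low or "reboot" in low:
            findings.append((no, "reboot or service restart record"))
        if prog == "su":
            findings.append((no, "su entry"))
        origin = re.search(r"\bfrom (\S+)", msg)
        if origin and origin.group(1) not in EXPECTED_ORIGINS:
            findings.append((no, f"login from unexpected place {origin.group(1)}"))
    if last_ts is None:
        findings.append((0, "empty log"))   # short, incomplete or missing log
    return findings


if __name__ == "__main__":
    for no, reason in review(SAMPLE_LOG):
        print(f"line {no}: {reason}")
```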
Slide 72
If you have detected a local user trying to compromise your security, the first thing to do is confirm they are in fact who you think they are. Check the site they are logging in from. Is it the site they normally log in from? No? Then use a non-electronic means of getting in touch. For instance, call them on the phone or walk over to their office/house and talk to them. If they agree that they are on, you can ask them to explain what they were doing or tell them to cease doing it. If they are not on, and have no idea what you are talking about, odds are this incident requires further investigation. Look into such incidents, and have lots of information before making any accusations.
If you have detected a network compromise, the first thing to do (if you are able) is to disconnect your network. If they are connected via modem, unplug the modem cable; if they are connected via Ethernet, unplug the Ethernet cable. This will prevent them from doing any further damage, and they will probably see it as a network problem rather than detection.
Slide 73
If you are unable to disconnect the network (if you have a busy site, or you do not have physical control of your machines), the next best step is to use something like tcp_wrappers or ipfwadm to deny access from the intruder's site.
If you can't deny all people from the same site as the intruder, locking the user's account will have to do. Note that locking an account is not an easy thing. You have to keep in mind .rhosts files, FTP access, and a host of possible back doors.
After you have done one of the above (disconnected the network, denied access from their site, and/or disabled their account), you need to kill all their user processes and log them off.
You should monitor your site well for the next few minutes, as the attacker will try to get back in, perhaps using a different account and/or from a different network address.
Slide 74 (Section 4 Issue 2): Security Compromise Has Already Happened
- So you have either detected a compromise that has already happened or you have detected it and locked (hopefully) the offending attacker out of your system. Now what?
Closing the Hole
- If you are able to determine what means the attacker used to get into your system, you should try to close that hole. For instance, perhaps you see several FTP entries just before the user logged in. Disable the FTP service and check and see if there is an updated version, or if any of the lists know of a fix.
- Check all your log files, and make a visit to your security lists and pages and see if there are any new common exploits you can fix.
Slide 75: Assessing the Damage
- The first thing is to assess the damage. What has been compromised? If you are running an integrity checker like Tripwire, you can use it to perform an integrity check; it should help to tell you what has been compromised. If not, you will have to look around at all your important data.
- Since systems are getting easier and easier to install, you might consider saving your config files, wiping your disk(s), reinstalling, then restoring your user files and your config files from backups. This will ensure that you have a new, clean system. If you have to restore files from the compromised system, be especially cautious of any binaries that you restore, as they may be Trojan horses placed there by the intruder.
Slide 76
Reinstallation should be considered mandatory upon an intruder obtaining root access. Additionally, you'd like to keep any evidence there is, so having a spare disk in the safe may make sense.
Then you have to worry about how long ago the compromise happened, and whether the backups hold any damaged work. More on backups later.
Slide 77: Backups, Backups, Backups!
- Having regular backups is a godsend for security matters. If your system is compromised, you can restore the data you need from backups. Of course, some data is valuable to the attacker too, and they will not only destroy it, they will steal it and have their own copies; but at least you will still have the data.
Slide 78
You should check several backups back into the past before restoring a file that has been tampered with. The intruder could have compromised your files long ago, and you could have made many successful backups of the compromised file!
Of course, there are also a raft of security concerns with backups. Make sure you are storing them in a secure place. Know who has access to them. (If an attacker can get your backups, they can have access to all your data without you ever knowing it.)
Slide 79: Tracking Down the Intruder
- OK, you have locked the intruder out, and recovered your system, but you're not quite done yet. While it is unlikely that most intruders will ever be caught, you should report the attack.
- You should report the attack to the admin contact at the site from which the attacker attacked your system. You can look up this contact with whois or the InterNIC database. You might send them an email with all applicable log entries and dates and times. If you spotted anything else distinctive about your intruder, you might mention that too. After sending the email, you should (if you are so inclined) follow up with a phone call. If that admin in turn spots your attacker, they might be able to talk to the admin of the site where they are coming from, and so on.
Copyright 2005/06. All rights reserved.
Slide 80
Good crackers often use many intermediate systems, some (or many) of which may not even know they have been compromised. Trying to track a cracker back to their home system can be difficult. Being polite to the admins you talk to can go a long way to getting help from them.
You should also notify any security organizations you are a part of (CERT or similar), as well as your system vendor.
Slide 81 (Section 5): Virus
Slide 82 (Section 5 Issue 1): Computer Virus
- A computer program which reproduces itself through legitimate processes in computer programs and operating systems. It can alter the behavior of a program or operating system without the knowledge of computer users.
- It itself is written with malicious purposes in mind.
Slide 83 (Section 5 Issue 2)
To know the CURRENT LATEST info on the various viruses, visit the following web sites:
- WildList Organization International, the world's premier source of information on which viruses are spreading In the Wild (http://www.wildlist.org/).
- The Virus Bulletin, an international anti-virus publication that keeps track of the occurrence of computer viruses (http://www.virusbtn.com/).
Slide 84 (Section 5 Issue 3)
Virus experts in general prefer to categorize viruses by:
- their behaviors
- the affected operating system platforms
- the type of programming languages used to develop them
Slide 85 (Section 5 Issue 4)
- A majority of early viruses were Program Viruses that infected programs which ended in the .com and .exe file extensions. They infect executable files by placing their programming instructions inside the other programs.
- They do NOT infect .BAT files, since .BAT files are simply text-based scripts. They can be embedded into .BAT files for execution though.
- They cannot bypass anti-virus software.
Slide 86 (Section 5 Issue 5)
- Script viruses mostly affect scripting languages like Microsoft Visual Basic and JavaScript, which became commonplace.
- Macro viruses mostly affect business software, such as MS Office. Macros let users automate a series of commands inside documents or spreadsheets. Macro instructions can easily be modified by viruses to perform erratic behaviors.
- All these viruses can be detected by today's anti-virus software packages.
Slide 87 (Section 5 Issue 6)
- Boot sector viruses infected hidden startup programs built into diskette media and hard drives.
- Since they start before the operating system is loaded, they can easily bypass the anti-virus software.
Slide 88 (Section 5 Issue 7)
- To further spread viruses, virus writers developed Trojan horses, programs that trick users into starting them and then install malicious software.
- Hybrid viruses are another type of latest invention. They can act in more than one way; as an example, an Internet worm may be able to infect program files.
n
88
299
Notes:
Slide 89
Section 5 Issue 8
n
Melissa
Averyfamousvirus.
q AppearinginMarch1999,itspreadquicklyand
causedmassivetroublesworldwide.Infact,
Microsofthadtoshutdownfouroutofsix
incomingmailserversunderthestrainproduced
byMelissa.
q
89
300
Notes:
Slide 90
Congratulations!
Youhavecompletedallthesections.
n Forthelatestproductinformation,pleasevisit
ourwebsites:
n
www.ExamREVIEW.NET
Notes:
- http://csrc.nist.gov/publications/drafts/DRAFT-SP800-92.pdf
- http://csrc.nist.gov/publications/drafts/Draft-sp800-26Rev1.pdf : This draft document brings the assessment process up to date with key standards and guidelines developed by NIST.
- April 21, 2006: Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.
- http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-1863%20_March2006.pdf : The draft defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures. Three techniques are allowed: DSA, RSA and ECDSA. This draft includes requirements for obtaining the assurances necessary for valid digital signatures.
- http://www.examreview.net/IT_Questionnaire.pdf