ISACA®
The recognized global leaders in IT governance, control, security and assurance
1 of 132

2010 CISA Review Course
Chapter 5 – Protection of Information Assets

Course Agenda
• Learning Objectives
• Discuss Task and Knowledge Statements
• Discuss specific topics within the chapter
• Case studies
• Sample questions

Exam Relevance
Ensure that the CISA candidate…
“Understands and can provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets.”

% of Total Exam Questions
The content area in this chapter will represent approximately 31% of the CISA examination (approximately 62 questions).
[Chart: Chapter 1 10%, Chapter 2 15%, Chapter 3 16%, Chapter 4 14%, Chapter 5 31%, Chapter 6 14%]

Chapter 5 Learning Objectives
• Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets
• Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted
• Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss
• Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded
• Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets

5.2 Importance of Information Security Management
Security objectives to meet the organization’s business requirements include:
• Ensure the continued availability of their information systems
• Ensure the integrity of the information stored on their computer systems
• Preserve the confidentiality of sensitive data
• Ensure conformity to applicable laws, regulations and standards
• Ensure adherence to trust and obligation in relation to any information relating to an identified or identifiable individual
• Preserve the confidentiality of sensitive data in store and in transit

5.2.1 Key Elements of Information Security Management
Key elements of information security management
• Senior management commitment and support
• Policies and procedures
• Organization
• Security awareness and education
• Monitoring and compliance
• Incident handling and response

5.2.2 Information Security Management Roles and Responsibilities
Responsibilities to consider by position include:
• IS security steering committee
• Executive management
• Security advisory group
• Chief privacy officer (CPO)
• Chief security officer (CSO)
• Process owners
• Information assets owners and data owners
• Users
• External parties
• Security specialists / advisors
• IT developers
• IS auditors

5.2.3 Inventory and Classification of Information Assets
The inventory record of each information asset should include:
• Specific identification of assets
• Relative value to the organization
• Location
• Security / risk classification
• Asset group
• Owner
• Designated custodian

5.2.4 System Access Permission
• Who has access rights and to what?
• What is the level of access to be granted?
• Who is responsible for determining the access rights and access levels?
• What approvals are needed for access?

Practice Question 5-1
A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the operating system (OS) prompt or as one of the menu options in an application. The BEST control to mitigate the risk of an unauthorized manipulation of data is to:
A. delete the utility software and install it as and when required.
B. provide access to the utility on a need-to-use basis.
C. provide access to the utility to user management.
D. define access so that the utility can be executed only in the menu option.

5.2.5 Mandatory and Discretionary Access Controls
• Mandatory
  – Enforces corporate security policy
  – Compares sensitivity of information resources
• Discretionary
  – Enforces data owner-defined sharing of information resources
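The distinction on this slide, as an added worked example (Python; this is not ISACA course material): a mandatory check that compares a subject's clearance with the resource's sensitivity label under corporate policy, beside a discretionary check driven by an owner-maintained ACL. The label ordering, the no-read-up/no-write-down rule, and the sample users and resources are assumptions constructed for the illustration.

```python
"""Mandatory vs. discretionary access control, modelled side by side.

Added example for the 5.2.5 slide; not ISACA course material. The label
ordering, the no-read-up/no-write-down rule and the sample subjects and
resources are assumptions constructed for the demonstration.
"""
from dataclasses import dataclass, field

# Sensitivity labels in increasing order; a higher index is more sensitive.
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass
class Subject:
    name: str
    clearance: str  # MAC: highest label this subject is cleared for


@dataclass
class Resource:
    name: str
    owner: str
    classification: str  # MAC: label assigned under corporate policy
    acl: dict = field(default_factory=dict)  # DAC: owner-granted rights, e.g. {"bob": {"read"}}


def mac_permits(subject, resource, action):
    """Mandatory control: the policy compares labels and the owner cannot
    override the result. Reading requires clearance >= classification;
    writing is confined to the subject's own level (no write-down)."""
    clr = LEVELS.index(subject.clearance)
    cls = LEVELS.index(resource.classification)
    if action == "read":
        return clr >= cls
    if action == "write":
        return clr == cls
    return False


def dac_permits(subject, resource, action):
    """Discretionary control: the owner holds every right and decides who
    else gets which rights by editing the resource's ACL."""
    if subject.name == resource.owner:
        return True
    return action in resource.acl.get(subject.name, set())


def access_allowed(subject, resource, action):
    """Both controls must agree: a discretionary grant can narrow access
    but never widen it beyond what the mandatory labels permit."""
    return mac_permits(subject, resource, action) and dac_permits(subject, resource, action)


def demo():
    """Constructed scenario returning each access decision by name."""
    alice = Subject("alice", "confidential")   # owner of the payroll file
    bob = Subject("bob", "internal")           # granted read by alice, but under-cleared
    carol = Subject("carol", "secret")         # cleared high, but not on the ACL
    payroll = Resource("payroll.xlsx", owner="alice", classification="confidential",
                       acl={"bob": {"read"}})
    return {
        "alice_read": access_allowed(alice, payroll, "read"),    # owner, label matches -> True
        "alice_write": access_allowed(alice, payroll, "write"),  # True
        "bob_read": access_allowed(bob, payroll, "read"),        # DAC grant, MAC refuses -> False
        "carol_read": access_allowed(carol, payroll, "read"),    # MAC allows, no DAC grant -> False
        "carol_write": access_allowed(carol, payroll, "write"),  # write-down blocked by MAC -> False
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allowed' if allowed else 'denied'}")
```

The point the slide makes is visible in the `bob_read` case: the data owner's discretionary grant cannot override the mandatory label comparison, which is exactly why an auditor treats the two control types differently.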

5.2.6 Privacy Management Issues and the Role of IS Auditors
Privacy impact analysis or assessments should:
• Pinpoint the nature of personally identifiable information associated with business processes
• Document the collection, use, disclosure and destruction of personally identifiable information
• Ensure that accountability for privacy issues exists
• Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk

5.2.6 Privacy Management Issues and the Role of IS Auditors (continued)
Compliance with privacy policy and laws
• Identify and understand legal requirements regarding privacy from laws, regulations and contract agreements
• Check whether personal data are correctly managed in respect to these requirements
• Verify that the correct security measures are adopted
• Review management’s privacy policy

5.2.7 Critical Success Factors to Information Security Management
• Strong commitment and support by the senior management on security training
• Professional risk-based approach must be used systematically to identify sensitive and critical resources

5.2.8 Information Security and External Parties

5.2.8 Information Security and External Parties (continued)

5.2.11 Security Incident Handling and Response
• Planning and preparation
• Detection
• Initiation
• Evaluation
• Containment
• Eradication
• Response
• Recovery
• Closure
• Post incident review
• Lessons learned

5.3 Logical Access
Logical access controls are the primary means used to manage and protect information assets.

5.3.1 Logical Access Exposures
Technical exposures include:
• Data leakage
• Wire tapping
• Trojan horses / backdoors
• Viruses
• Worms
• Logic bombs
• Denial-of-service attacks
• Computer shutdown
• War driving
• Piggybacking
• Trap doors
• Asynchronous attacks
• Rounding down
• Salami technique

5.3.2 Familiarization with the Organization’s IT Environment
Security layers to be reviewed include:
• The network
• Operating system platform
• Database and application layers

5.3.3 Paths of Logical Access
General points of entry
• Network connectivity
• Remote access
• Operator console
• Online workstations or terminals

5.3.4 Logical Access Control Software
Purpose
• Prevents unauthorized access and modification to an organization’s sensitive data and use of system critical functions.

5.3.4 Logical Access Control Software (continued)
General operating systems access control functions include:
• User identification and authentication mechanisms
• Restricted logon IDs
• Rules for access to specific information resources
• Create individual accountability and auditability
• Create or change user profiles
• Log events
• Log user activities
• Report capabilities

5.3.4 Logical Access Control Software (continued)
Database and / or application-level access control functions include:
• Create or change data files and database profiles
• Verify user authorization at the application and transaction levels
• Verify user authorization within the application
• Verify user authorization at the field level for changes within a database
• Verify subsystem authorization for the user at the file level
• Log database / data communications access activities for monitoring access violations

Practice Question 5-2
Which of the following BEST provides access control to payroll data being processed on a local server?
A. Logging access to personal information
B. Using separate passwords for sensitive transactions
C. Using software that restricts access rules to authorized staff
D. Restricting system access to business hours

5.3.5 Identification and Authentication (continued)
I&A common vulnerabilities
• Weak authentication methods
• Lack of confidentiality and integrity for the stored authentication information
• Lack of encryption for authentication and protection of information transmitted over a network
• User’s lack of knowledge on the risks associated with sharing passwords, security tokens, etc.

5.3.5 Identification and Authentication
Logon IDs and passwords
• Features of passwords
• Password syntax (format) rules
• Token devices, one-time passwords
• Biometric
  – Management of biometrics

5.3.5 Identification and Authentication (continued)
Best practices for logon IDs and passwords
• Passwords should be a minimum of 8 characters
• Passwords should be a combination of alpha, numeric, upper and lower case and special characters
• Login IDs not used should be deactivated
• System should automatically disconnect with no activity
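A check for the first three practices on this slide, as an added example (Python; not from the ISACA course): it reports which syntax rules a candidate password violates and lists enabled logon IDs that have gone unused and are therefore candidates for deactivation. The length and character-class rules are the slide's; the 90-day dormancy limit, the review date and the account records are constructed assumptions, since the slide sets no number of days.

```python
"""Checks for the password and logon ID practices on the 5.3.5 slide.

Added example, not ISACA course code. The length and character-class rules
come from the slide; the dormancy limit and the account records below are
constructed assumptions for the demonstration.
"""
from datetime import date, timedelta
import string

MIN_LENGTH = 8
DORMANT_DAYS = 90  # assumed threshold; the slide states none


def password_syntax_findings(password):
    """Return the syntax rules the password violates (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        findings.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        findings.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        findings.append("no numeric character")
    if not any(c in string.punctuation for c in password):
        findings.append("no special character")
    return findings


def dormant_logon_ids(accounts, today, limit_days=DORMANT_DAYS):
    """Return enabled logon IDs whose last logon is older than limit_days
    (or that have never logged on); these are the candidates for deactivation.
    accounts: iterable of (logon_id, enabled, last_logon date or None)."""
    cutoff = today - timedelta(days=limit_days)
    return [logon_id for logon_id, enabled, last_logon in accounts
            if enabled and (last_logon is None or last_logon < cutoff)]


# Constructed sample user list; not taken from any real system.
SAMPLE_ACCOUNTS = [
    ("jsmith", True, date(2010, 6, 1)),        # active
    ("contractor7", True, date(2010, 1, 15)),  # enabled but unused since January
    ("svc_legacy", True, None),                # enabled, never logged on
    ("old_admin", False, date(2009, 1, 1)),    # already deactivated, not reported
]
REVIEW_DATE = date(2010, 6, 30)


def review():
    """Run both checks on the constructed inputs and return the findings."""
    return {
        "weak_password": password_syntax_findings("password"),
        "strong_password": password_syntax_findings("Tr0ub4dor&3"),
        "dormant_ids": dormant_logon_ids(SAMPLE_ACCOUNTS, REVIEW_DATE),
    }


if __name__ == "__main__":
    for check, result in review().items():
        print(f"{check}: {result}")
```

Accounts that have never logged on are reported alongside stale ones on purpose: a provisioned-but-unused ID is an access path with no legitimate user watching it.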

Practice Question 5-3
An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?
A. The security officer also serves as the database administrator.
B. Password controls are not administered over the client-server environment.
C. There is no business continuity plan for the mainframe system’s non-critical applications.
D. Most local area networks (LANs) do not back up file server-fixed disks regularly.

5.3.5 Identification and Authentication (continued)
• Token devices, one-time passwords
• Biometrics
  – Physically-oriented biometric
  – Behavior-oriented biometric

5.3.5 Identification and Authentication (continued)
Single sign-on (SSO)
• The process for consolidating all organization platform-based administration, authentication and authorization functions into a single centralized administrative function
• A single sign-on interfaces with:
  – Client-server and distributed systems
  – Mainframe systems
  – Network security including remote access mechanisms

5.3.5 Identification and Authentication (continued)
Single sign-on (SSO) advantages
• Multiple passwords are no longer required; therefore, a user may be more inclined and motivated to select a stronger password
• It improves an administrator’s ability to manage users’ accounts and authorizations to all associated systems
• It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications
• It reduces the time taken by users to log into multiple applications and platforms

5.3.6 Identification and Authentication (continued)
Single sign-on (SSO) disadvantages
• Support for all major operating system environments is difficult
• The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary
• The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization’s information assets

Practice Question 5-4
An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
A. maximum unauthorized access would be possible if a password is disclosed.
B. user access rights would be restricted by the additional security parameters.
C. the security administrator’s workload would increase.
D. user access rights would be increased.

5.3.6 Authorization Issues
Access restrictions at the file level include:
• Read, inquiry or copy only
• Write, create, update or delete only
• Execute only
• A combination of the above

5.3.6 Authorization Issues (continued)
Access control lists (ACLs) refer to a register of:
• Users who have permission to use a particular system resource
• The types of access permitted

5.3.6 Authorization Issues (continued)
Logical access security administration
• Centralized environment
• Decentralized environment

5.3.6 Authorization Issues (continued)
Advantages of conducting security in a decentralized environment
• Security administration is onsite at the distributed location
• Security issues resolved in a timely manner
• Security controls are monitored frequently

5.3.6 Authorization Issues (continued)
Risks associated with distributed responsibility for security administration
• Local standards might be implemented rather than those required
• Levels of security management might be below what can be maintained by central administration
• Unavailability of management checks and audits

5.3.6 Authorization Issues (continued)
Remote access security
• Today’s organizations require remote access connectivity to their information resources for different types of users such as employees, vendors, consultants, business partners and customer representatives.

5.3.6 Authorization Issues (continued)
Remote access security risks include:
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users’ computers

5.3.6 Authorization Issues (continued)
Remote access security controls include:
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques, such as the use of VPN
• System and network management

5.3.6 Authorization Issues (continued)
Remote access using personal digital assistants (PDAs)
• Address control issues
• Inherent increased risks due to PDA lack of security

5.3.6 Authorization Issues (continued)
Access issues with mobile technology
• These devices should be strictly controlled both by policy and by denial of use. Possible actions include:
  – Banning all use of transportable drives in the security policy
  – Where no authorized use of USB ports exists, disabling use with a logon script which removes them from the system directory
  – If they are considered necessary for business use, encrypting all data transported or saved by these devices

5.3.6 Authorization Issues (continued)
Audit logging in monitoring system access
• Provides management an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute force attacks on a privileged logon ID
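The audit-trail use case on this slide, as an added example (Python; not ISACA course material): detection logic run over a few constructed logon records, flagging a logon ID whose failed attempts reach a threshold inside a sliding window and rating the alert higher when the ID is privileged. The log line format, the five-failure threshold, the two-minute window, the privileged-ID list and the sample lines are all assumptions made for the demonstration.

```python
"""Brute-force detection over a logon audit trail (5.3.6 audit logging slide).

Added example, not ISACA course code. The log line format, the threshold,
the window, the privileged-ID list and the sample lines are constructed
assumptions for the demonstration.
"""
from collections import deque
from datetime import datetime, timedelta
import re

# Assumed record format: "<date> <time> FAILED|SUCCESS logon user=<id> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>FAILED|SUCCESS) logon user=(?P<user>\S+) src=(?P<src>\S+)$"
)
PRIVILEGED = {"root", "administrator", "sysadmin"}  # assumed privileged logon IDs
THRESHOLD = 5                    # failures inside the window that trigger an alert
WINDOW = timedelta(minutes=2)

# Constructed sample audit trail (not real log data).
SAMPLE_LOG = """\
2010-06-30 09:00:01 FAILED logon user=jdoe src=10.0.5.21
2010-06-30 09:00:05 SUCCESS logon user=jdoe src=10.0.5.21
2010-06-30 09:01:00 FAILED logon user=root src=203.0.113.7
2010-06-30 09:01:02 FAILED logon user=root src=203.0.113.7
2010-06-30 09:01:04 FAILED logon user=root src=203.0.113.7
2010-06-30 09:01:06 FAILED logon user=root src=203.0.113.7
2010-06-30 09:01:08 FAILED logon user=root src=203.0.113.7
2010-06-30 09:01:10 FAILED logon user=root src=203.0.113.7
2010-06-30 09:05:00 FAILED logon user=bsmith src=10.0.5.40
2010-06-30 09:08:00 FAILED logon user=bsmith src=10.0.5.40
2010-06-30 09:11:00 FAILED logon user=bsmith src=10.0.5.40
2010-06-30 09:14:00 FAILED logon user=bsmith src=10.0.5.40
2010-06-30 09:17:00 FAILED logon user=bsmith src=10.0.5.40
garbled line that the parser must skip rather than crash on
"""


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per logon ID whose failed attempts reach the
    threshold inside a sliding time window. Privileged IDs are rated HIGH
    because a compromise there exposes every asset the ID can reach."""
    recent = {}      # logon ID -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "FAILED":
            continue                      # ignore malformed lines and successes
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = m["user"]
        window_hits = recent.setdefault(user, deque())
        window_hits.append(ts)
        while ts - window_hits[0] > window:   # slide the window forward
            window_hits.popleft()
        if len(window_hits) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "severity": "HIGH" if user in PRIVILEGED else "MEDIUM",
                "failures": len(window_hits),
                "first_seen": window_hits[0].isoformat(sep=" "),
                "src": m["src"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed trail only `root` trips the rule: `jdoe` fails once and then succeeds, and `bsmith`'s failures are three minutes apart, so they never accumulate inside the two-minute window. Widening the window to twenty minutes flags `bsmith` too, which is the tuning trade-off an auditor should expect to see documented.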

Practice Question 5-5
An IS auditor reviewing the log of failed logon attempts would be MOST concerned if which of the following accounts was targeted?
A. Network administrator
B. System administrator
C. Data administrator
D. Database administrator

5.3.6 Authorization Issues (continued)
Tools for audit trails (logs) analysis
• Audit reduction tools
• Trends/variance-detection tools
• Attack signature-detection tools

5.3.6 Authorization Issues (continued)
• Intrusion detection system (IDS)
• Intrusion prevention system (IPS)

5.3.7 Storing, Retrieving, Transporting and Disposing of Confidential Information
Policies required for:
• Backup files of databases
• Data banks
• Disposal of media previously used to hold confidential information
• Management of equipment sent for offsite maintenance
• Public agencies and organizations concerned with sensitive, critical or confidential information
• E-token electronic keys
• Storage records

5.3.7 Storing, Retrieving, Transporting and Disposing of Confidential Information (continued)
Preserving information during shipment or storage
• Recommendations applicable to all types of media
  – Keep out of direct sunlight
  – Keep free of liquids
  – Keep free of dust
  – Keep media away from exposure to magnetic fields, radio equipment or any sources of vibration
  – Do not transport in areas and at times of exposure to strong magnetic storm

5.3.7 Storing, Retrieving, Transporting and Disposing of Confidential Information (continued)
Media storage precautions
Hard drives
• Store hard drives in antistatic bags, and be sure that the person removing them from the bag is static-free.
• If the original box and padding for the hard drive is available, use it for shipping.
• Avoid styrofoam packaging products or other materials that can cause static electricity.
• Quick drops or spikes in temperature are a danger, since such changes can lead to hard drive crashes.
• If the hard drive has been in a cold environment, bring it to room temperature prior to installing and using it.
• Avoid sudden mechanical shocks or vibrations.
Magnetic media
• Store tapes vertically.
• Store tapes in acid-free containers.
• Write-protect tapes immediately.
Floppy disks
• When handling the floppy, pick it up by the label. The mylar surface must never be touched.
• Write labels using a felt tip pen only.
CDs and DVDs
• Handle by the edges or by the hole in the middle.
• Be careful not to bend the CD.
• Avoid long-term exposure to bright light.
• Store in a hard jewel case, not in soft sleeves.

5.4 Network Infrastructure Security
Communication network controls
• Network control functions should be performed by technically qualified operators
• Network control functions should be separated, and the duties should be rotated on a regular basis, where possible
• Network control software must restrict operator access from performing certain functions (e.g., the ability to amend/delete operator activity logs)
• Network control software should maintain an audit trail of all operator activities
• Audit trails should be periodically reviewed by operations management to detect any unauthorized network operations activities

5.4 Network Infrastructure Security (continued)
Communication network controls (continued)
• Network operation standards and protocols should be documented and made available to the operators, and should be reviewed periodically to ensure compliance
• Network access by the system engineers should be monitored and reviewed closely to detect unauthorized access to the network
• Analysis should be performed to ensure workload balance, fast response time and system efficiency
• A terminal identification file should be maintained by the communications software to check the authentication of a terminal when it tries to send or receive messages
• Data encryption should be used, where appropriate, to protect messages from disclosure during transmission

5.4.1 LAN Security
The IS auditor should identify and document:
• LAN topology and network design
• LAN administrator / LAN owner
• Functions performed by the LAN administrator/owner
• Distinct groups of LAN users
• Computer applications used on the LAN
• Procedures and standards relating to network design, support, naming conventions and data security

5.4.2 Client-server Security
Control techniques in place
• Securing access to data or application
• Use of network monitoring devices
• Data encryption techniques
• Authentication systems
• Use of application level access control programs

5.4.2 Client-server Security (continued)
Client / server risks and issues
• Access controls may be weak in a client-server environment
• Change control and change management procedures
• The loss of network availability may have a serious impact on the business or service
• Obsolescence of the network components
• The use of modems to connect the network to other networks

5.4.2 Client-server Security (continued)
Client / server risks and issues (continued)
• The connection of the network to public switched telephone networks may be weak
• Changes to systems or data
• Access to confidential data and data modification may be unauthorized
• Application code and data may not be located on a single machine enclosed in a secure computer room, as with mainframe computing

5.4.3 Wireless Security Threats and Risk Mitigation
Threats categorization
• Errors and omissions
• Fraud and theft committed by authorized or unauthorized users of the system
• Employee sabotage
• Loss of physical and infrastructure support
• Malicious hackers
• Industrial espionage
• Malicious code
• Foreign government espionage
• Threats to personal privacy

5.4.3 Wireless Security Threats and Risk Mitigation (continued)
Security requirements
• Authenticity
• Nonrepudiation
• Accountability
• Network availability

5.4.3 Wireless Security Threats and Risk Mitigation (continued)
Malicious access to WLANs
• War driving
• War walking
• War chalking

5.4.4 Internet Threats and Security
Network security attacks
• Passive attacks
• Active attacks

5.4.4 Internet Threats and Security (continued)
Passive attacks
• Network analysis
• Eavesdropping
• Traffic analysis

5.4.4 Internet Threats and Security (continued)
Active attacks
• Brute-force attack
• Masquerading
• Packet replay
• Phishing
• Message modification
• Unauthorized access through the Internet or web-based services
• Denial of service
• Dial-in penetration attacks
• E-mail bombing and spamming
• E-mail spoofing

5.4.4 Internet Threats and Security (continued)
Causal factors for Internet attacks
• Availability of tools and techniques on the Internet
• Lack of security awareness and training
• Exploitation of security vulnerabilities
• Inadequate security over firewalls
  – Internet security controls

5.4.4 Internet Threats and Security (continued)
Firewall security systems
• Firewall general features
• Firewall types
  – Router packet filtering
  – Application firewall systems
  – Stateful inspection
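The difference between router packet filtering and stateful inspection, as an added example (Python; not ISACA course material): the same four packets are judged once by a stateless rule set that sees only header fields, and once by an inspector that tracks connections it has seen opened from inside. The address ranges, ports, flags and the single policy modelled (inside may initiate, outside may not) are assumptions made for the illustration.

```python
"""Router packet filtering beside stateful inspection (5.4.4 firewall types).

Added example, not ISACA course code. The network ranges, the packet
sequence and the policy (internal hosts may open TCP connections outward,
the Internet may not open connections inward) are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address space


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def packet_filter(pkt):
    """Stateless rule set: each packet is judged on its own header fields.
    To let replies to outbound connections back in, the inbound rule can
    only require the ACK flag and a high destination port; it has no way
    to know whether a matching outbound connection actually exists."""
    src, dst, sport, dport, flags = pkt
    if is_internal(src) and not is_internal(dst):
        return True                                  # outbound: permitted
    if not is_internal(src) and is_internal(dst):
        return "ACK" in flags and dport >= 1024      # inbound: "looks like a reply"
    return False


class StatefulInspector:
    """Keeps a table of connections opened from inside and admits inbound
    packets only when they belong to one of those connections."""

    def __init__(self):
        self.connections = set()   # (internal addr, internal port, external addr, external port)

    def allow(self, pkt):
        src, dst, sport, dport, flags = pkt
        if is_internal(src) and not is_internal(dst):
            if flags == {"SYN"}:                      # new outbound connection
                self.connections.add((src, sport, dst, dport))
            return (src, sport, dst, dport) in self.connections
        if not is_internal(src) and is_internal(dst):
            return (dst, dport, src, sport) in self.connections
        return False


# Constructed packet sequence: (src, dst, src port, dst port, TCP flags).
PACKETS = [
    ("10.0.1.5", "198.51.100.10", 51000, 80, {"SYN"}),          # inside opens a web session
    ("198.51.100.10", "10.0.1.5", 80, 51000, {"SYN", "ACK"}),   # genuine reply
    ("203.0.113.9", "10.0.1.5", 80, 51001, {"ACK"}),            # unsolicited, ACK flag set
    ("203.0.113.9", "10.0.1.5", 4444, 51001, {"SYN"}),          # unsolicited connection attempt
]


def compare(packets=PACKETS):
    """Return the two verdict lists so the difference is visible side by side."""
    inspector = StatefulInspector()
    stateless = [packet_filter(p) for p in packets]
    stateful = [inspector.allow(p) for p in packets]
    return stateless, stateful


if __name__ == "__main__":
    stateless, stateful = compare()
    for pkt, a, b in zip(PACKETS, stateless, stateful):
        print(f"{pkt[0]:>14} -> {pkt[1]:<14} filter={a!s:<5} stateful={b}")
```

The third packet is the one to look at: the stateless filter admits it because the header satisfies the reply rule, while the stateful inspector rejects it because no internal host opened that connection. That gap is what the "circumvention of firewall" issue on the later slide refers to, and it is why an auditor checks which firewall type actually protects a given boundary.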

5.4.4 Internet Threats and Security (continued)
Examples of firewall implementations
• Screened-host firewall
• Dual-homed firewall
• Demilitarized zone (DMZ)

5.4.4 Internet Threats and Security (continued)
Firewall issues
• A false sense of security
• The circumvention of firewall
• Misconfigured firewalls
• What constitutes a firewall
• Monitoring activities may not occur on a regular basis
• Firewall policies

5.4.4 Internet Threats and Security (continued)
• Firewall security systems
• Firewall platforms
  – Using hardware or software
  – Appliances versus normal servers

5.4.4 Internet Threats and Security (continued)
Intrusion detection system (IDS)
• An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies
  – Network-based IDS
  – Host-based IDS

5.4.4 Internet Threats and Security (continued)
Intrusion detection system (IDS) components
• Sensors that are responsible for collecting data
• Analyzers that receive input from sensors and determine intrusive activity
• An administration console
• A user interface

5.4.4 Internet Threats and Security (continued)
Intrusion detection systems (IDS) types include:
• Signature-based
• Statistical-based
• Neural networks

5.4.4 Internet Threats and Security (continued)
Intrusion detection system (IDS) features
• Intrusion detection
• Gathering evidence on intrusive activity
• Automated response
• Security monitoring
• Interface with system tools
• Security policy management

Practice Question 5-6
A B-to-C e-commerce website as part of its information security program wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
A. IDS’s
B. Firewalls
C. Routers
D. Asymmetric Encryption

5.4.4 Internet Threats and Security (continued)
Honeypots and honeynets
• High interaction – Give hackers a real environment to attack
• Low interaction – Emulate production environments

5.4.5 Encryption
• Key elements of encryption systems
  – Encryption algorithm
  – Encryption key
  – Key length
• Private key cryptographic systems
• Public key cryptographic systems

5.4.5 Encryption (continued)
• Elliptic curve cryptosystem (ECC)
• Quantum cryptography
• Advanced Encryption Standard (AES)
• Digital signatures

5.4.5 Encryption (continued)
Digital signatures
• Data integrity
• Authentication
• Nonrepudiation
• Replay protection
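The four properties on this slide, as an added example (Python; not ISACA course material): a textbook RSA signature over a hash of the message, verified with the public key, where the verifier also remembers the nonces it has accepted so that a replayed signature is refused. The tiny key parameters, the nonce scheme and the sample messages are constructed for the illustration; a real signature uses a vetted library with full-size keys and proper padding.

```python
"""Toy RSA digital signature showing integrity, authentication,
nonrepudiation and replay protection (5.4.5 digital signatures slide).

Added example, not ISACA course code. The key parameters are textbook-sized
constructed values chosen so the arithmetic is visible; do not reuse them.
"""
import hashlib
import os

# Constructed toy key pairs as (n, exponent). Signer: p=61, q=53 -> n=3233, e=17, d=2753.
SIGNER_PUBLIC = (3233, 17)
SIGNER_PRIVATE = (3233, 2753)
# An unrelated toy pair used to show that another party's key does not verify:
# p=71, q=67 -> n=4757, e=13, d=1777.
OTHER_PRIVATE = (4757, 1777)


def _digest(message, nonce, n):
    """Hash the nonce together with the message and reduce modulo n so the
    textbook RSA operation applies (a real scheme pads instead of reducing)."""
    h = hashlib.sha256(nonce.encode() + b"|" + message).digest()
    return int.from_bytes(h, "big") % n


def sign(message, private_key, nonce=None):
    """Only the holder of the private exponent can produce this value,
    which is what supports nonrepudiation. Returns (nonce, signature)."""
    n, d = private_key
    nonce = nonce or os.urandom(8).hex()
    return nonce, pow(_digest(message, nonce, n), d, n)


class Verifier:
    """Verifies with the public key and refuses nonces it has already accepted."""

    def __init__(self, public_key):
        self.public_key = public_key
        self.accepted_nonces = set()

    def verify(self, message, nonce, signature):
        """Return 'ok', 'invalid' (integrity or authentication failure) or 'replay'."""
        n, e = self.public_key
        if nonce in self.accepted_nonces:
            return "replay"
        if pow(signature, e, n) != _digest(message, nonce, n):
            return "invalid"
        self.accepted_nonces.add(nonce)
        return "ok"


def demo():
    """Walk through the four properties with constructed messages."""
    verifier = Verifier(SIGNER_PUBLIC)
    order = b"transfer 100 to account 42"
    nonce, sig = sign(order, SIGNER_PRIVATE, nonce="n-0001")
    results = {}
    # Data integrity: one changed field in the message breaks verification.
    results["tampered"] = verifier.verify(b"transfer 900 to account 42", nonce, sig)
    # The untouched message verifies and its nonce is recorded.
    results["genuine"] = verifier.verify(order, nonce, sig)
    # Replay protection: resubmitting the same signed message is refused.
    results["replayed"] = verifier.verify(order, nonce, sig)
    # Authentication: a signature made with someone else's key does not verify.
    other_nonce, other_sig = sign(order, OTHER_PRIVATE, nonce="n-0002")
    results["wrong_key"] = verifier.verify(order, other_nonce, other_sig)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Note that replay protection is not a property of the RSA arithmetic itself: a valid signature stays valid forever, so the verifier has to keep state (here a set of nonces; in practice sequence numbers or timestamps) to recognise a message it has already accepted.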

5.4.5 Encryption (continued)
Digital envelope
• Used to send encrypted information and the relevant key along with it.
• The message to be sent can be encrypted by using either:
  – Asymmetric key
  – Symmetric key

5.4.5 Encryption (continued)
Public Key Infrastructure (PKI)
• Digital certificates
• Certificate authority (CA)
• Registration authority (RA)
• Certificate revocation list (CRL)
• Certification practice statement (CPS)

5.4.5 Encryption (continued)
Use of encryption in OSI protocols
• Secure sockets layer (SSL)
• Secure Hypertext Transfer Protocol (S/HTTP)
• IP security
• SSH
• Secure multipurpose Internet mail extensions (S/MIME)
• Secure electronic transactions (SET)

Practice Question 5-7
Which of the following BEST determines whether complete encryption and authentication protocols for protecting information while being transmitted exist?
A. A digital signature with RSA has been implemented.
B. Work is being done in tunnel mode with the nested services of authentication header (AH) and encapsulating security payload (ESP).
C. Digital certificates with RSA are being used.
D. Work is being done in transport mode with the nested services of AH and ESP.

Practice Question 5-8
Which of the following concerns about the security of an electronic message would be addressed by digital signatures?
A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration

Practice Question 5-9
Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?
A. Digital signature
B. Data Encryption Standard (DES)
C. Virtual private network (VPN)
D. Public key encryption

5.4.6 Viruses
Viruses attack four parts of the computer
• Executable program files
• The file directory system, which tracks the location of all the computer’s files
• Boot and system areas, which are needed to start the computer
• Data files

5.4.6 Viruses (continued)
• Virus and worm controls
• Management procedural controls
• Technical controls
• Anti-virus software implementation strategies

Practice Question 5-10
Which of the following is the MOST effective antivirus control?
A. Scanning e-mail attachments on the mail server
B. Restoring systems from clean copies
C. Disabling USB ports
D. An online antivirus scan with up-to-date virus definitions

5.4.7 Voice-Over IP
VoIP security issues
• Inherent poor security
  – The current Internet architecture does not provide the same physical wire security as the phone lines
• The key to securing VoIP
  – Security mechanisms such as those deployed in data networks (e.g., firewalls, encryption) to emulate the security level currently used by PSTN network users

5.5.2 Auditing Logical Access
When evaluating logical access controls the IS auditor should:
• Obtain a general understanding of the security risks facing information processing
• Document and evaluate controls over potential access paths into the system
• Test controls over access paths to determine whether they are functioning and effective
• Evaluate the access control environment to determine if the control objectives are achieved
• Evaluate the security environment to assess its adequacy

5.5.3 Techniques for Testing Security
• Terminal cards and keys
• Terminal identification
• Logon IDs and passwords
• Controls over production resources
• Logging and reporting access violations
• Follow-up access violations
• Bypassing security and compensating controls

5.6 Auditing Network Infrastructure Security
• Review network diagrams
• Identify the network design implemented
• Determine that applicable security policies, standards, procedures and guidance on network management and usage exist
• Identify who is responsible for security and operation of Internet connections
• Identify legal problems arising from the Internet
• Review service level agreements (SLAs) if applicable
• Review network administrator procedures

5.6.1 Auditing Remote Access
• Assess remote access points of entry
• Test dial-up access controls
• Test the logical controls
• Evaluate remote access approaches for cost-effectiveness, risk and business requirements
Page:
102 of 132
5.6.1 Auditing Remote Access
(continued)
Audit Internet points of presence:
•
•
•
•
•
E-mail
Marketing
Sales channel / electronic commerce
Channel of deliver for goods / services
Information gathering
Page:
103 of 132
5.6.1 Auditing Remote Access
(continued)
Audit scope should identify network penetration tests:
• Precise IP addresses / ranges to be tested
• Host restrictions
• Acceptable testing techniques
• Acceptance of proposed methodology from management
• Attack simulation details
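As an added example (not from the course material), a small Python check that enforces the scope elements listed above before any test is run; the authorized ranges, restricted hosts and approved techniques are constructed sample values.

```python
import ipaddress

# Constructed sample scope, not from the course: the address ranges management
# authorized for testing, the hosts excluded from it, and the agreed techniques.
AUTHORIZED_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]
RESTRICTED_HOSTS = ["203.0.113.10", "203.0.113.11"]   # e.g. production database hosts
APPROVED_TECHNIQUES = {"port-scan", "vulnerability-scan", "web-app-test"}


def check_scope(targets, techniques, authorized=AUTHORIZED_RANGES,
                restricted=RESTRICTED_HOSTS, approved=APPROVED_TECHNIQUES):
    """Return a list of scope violations; an empty list means the plan is in scope."""
    nets = [ipaddress.ip_network(r) for r in authorized]
    excluded = {ipaddress.ip_address(h) for h in restricted}
    violations = []
    for t in targets:
        try:
            ip = ipaddress.ip_address(t)
        except ValueError:
            # The scope must name precise addresses, so a bare hostname is rejected.
            violations.append(f"{t}: not an IP address, resolve to a precise address")
            continue
        if ip in excluded:
            violations.append(f"{t}: restricted host")
        elif not any(ip in n for n in nets):
            violations.append(f"{t}: outside authorized ranges")
    for tech in techniques:
        if tech not in approved:
            violations.append(f"{tech}: technique not in the approved methodology")
    return violations
```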
Page:
104 of 132
5.6.1 Auditing Remote Access
(continued)
Audit should also include:
• Full network assessment reviews
• Development and authorization of network changes
• Unauthorized changes
• Computer forensics
Page:
105 of 132
5.7.1 Environmental Issues and Exposures
Power failures:
• Total failure (blackout)
• Severely reduced voltage (brownout)
• Sags, spikes and surges
• Electromagnetic interference (EMI)
Page:
106 of 132
5.7.2 Controls for Environmental Exposures
• Alarm control panels
• Water detectors
• Handheld fire extinguishers
• Manual fire alarms
• Smoke detectors
• Fire suppression systems
• Strategically locating the computer room
• Regular inspection by fire department
Page:
107 of 132
5.7.2 Controls for Environmental Exposures (continued)
• Fireproof walls, floors and ceilings of the computer room
• Electrical surge protectors
• Uninterruptible power supply / generator
• Emergency power-off switch
• Power leads from two substations
• Wiring placed in electrical panels and conduit
• Inhibited activities within the IPF
• Fire-resistant office materials
• Documented and tested emergency evacuation plans
Page:
108 of 132
5.8.1 Physical Access Issues and Exposures
• Unauthorized entry
• Damage, vandalism or theft to equipment or documents
• Copying or viewing of sensitive or copyrighted information
• Alteration of sensitive equipment and information
• Public disclosure of sensitive information
• Abuse of data processing resources
• Blackmail
• Embezzlement
Page:
109 of 132
5.8.1 Physical Access Issues
and Exposures (continued)
Possible perpetrators include employees who are:
• Disgruntled
• On strike
• Threatened by disciplinary action or dismissal
• Addicted to a substance or gambling
• Experiencing financial or emotional problems
• Notified of their termination
Page:
110 of 132
5.8.2 Physical Access Controls
• Bolting door locks
• Combination door locks (cipher locks)
• Electronic door locks
• Biometric door locks
• Manual logging
• Electronic logging
Page:
111 of 132
5.8.2 Physical Access Controls (continued)
• Identification badges (photo IDs)
• Video cameras
• Security guards
• Controlled visitor access
• Bonded personnel
• Deadman doors
Page:
112 of 132
5.8.2 Physical Access Controls (continued)
• Not advertising the location of sensitive facilities
• Computer workstation locks
• Controlled single entry point
• Alarm system
• Secured report / document distribution cart
• Windows
Page:
113 of 132
5.8.3 Auditing Physical
Access
• Touring the information processing facility (IPF)
• Testing of physical safeguards
Page:
114 of 132
5.10.1 Case Study A Scenario
Management is currently considering ways in which to
enhance the physical security and protection of its data
center. The IS auditor has been asked to assist in this
process by evaluating the current environment and making
recommendations for improvement.
The data center consists of 15,000 square feet (1,395
square meters) of raised flooring on the ground floor of the
corporate headquarters building.
Page:
115 of 132
5.10.1 Case Study A Scenario
(continued)
A total of 22 operations personnel require regular access.
Currently, access to the data center is obtained using a
proximity card, which is assigned to each authorized
individual.
There are three entrances to the data center, each of which
utilizes a card reader and has a camera monitoring the
entrance. These cameras feed their signals to a monitor at
the building reception desk, which cycles through these
images along with views from other cameras inside and
outside the building.
Page:
116 of 132
5.10.1 Case Study A Scenario
(continued)
Two of the doors to the data center also have key locks
that bypass the electronic system so that a proximity card
is not required for entry.
Use of proximity cards is written to an electronic log. This
log is retained for 45 days. During the review, the IS
auditor noted that 64 proximity cards are currently active
and issued to various personnel.
The data center has no exterior windows, although one
wall is glass and overlooks the entry foyer and reception
area for the building.
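An added example, not part of the case study, showing the checks an IS auditor could run over the 45-day proximity card log to act on the 64-cards-for-22-staff observation; the card inventory, roster and log lines are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the case study): active proximity cards and
# their holders, the operations roster, and lines from the 45-day door log.
ACTIVE_CARDS = {"1001": "A. Ito", "1002": "B. Lee", "1003": "C. Diaz",
                "1004": "former contractor"}
OPS_ROSTER = {"A. Ito", "B. Lee", "C. Diaz"}
DOOR_LOG = """\
2010-03-01T08:02:11,card=1001,door=NORTH,result=granted
2010-03-01T08:02:40,card=1002,door=NORTH,result=granted
2010-03-01T08:03:05,card=1002,door=SOUTH,result=granted
2010-03-02T17:45:00,card=1001,door=EAST,result=granted
2010-03-02T17:46:10,card=9999,door=EAST,result=denied
""".splitlines()


def parse_log(lines):
    """Turn 'timestamp,key=value,...' log lines into dicts with a datetime."""
    events = []
    for line in lines:
        ts, *fields = line.split(",")
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def audit_cards(active_cards, roster, events, window=timedelta(minutes=2)):
    """Return the findings an auditor would raise from the card inventory and log."""
    findings = {"not_on_roster": [], "dormant": [], "possible_sharing": []}
    used = {}
    for e in events:
        if e["result"] == "granted":
            used.setdefault(e["card"], []).append(e)
    for card, holder in sorted(active_cards.items()):
        if holder not in roster:      # more cards issued than staff: who holds the rest?
            findings["not_on_roster"].append(card)
        if card not in used:          # active card never presented in the log period
            findings["dormant"].append(card)
    # The same card granted at two different doors within a short window suggests
    # the card is being shared, which the biometric second factor would counter.
    for card, evs in used.items():
        evs.sort(key=lambda e: e["time"])
        for a, b in zip(evs, evs[1:]):
            if a["door"] != b["door"] and b["time"] - a["time"] <= window:
                findings["possible_sharing"].append(
                    (card, a["time"].isoformat(), b["time"].isoformat()))
    return findings


FINDINGS = audit_cards(ACTIVE_CARDS, OPS_ROSTER, parse_log(DOOR_LOG))
```

The key-lock doors that bypass the card readers leave no trace in this log, so that exposure can only be found by touring the facility, not from the data.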
Page:
117 of 132
Case Study A Question
1. Which of the following risks would be mitigated by supplementing the
proximity card system with a biometric scanner to provide two-factor
authentication?
A. Piggybacking or tailgating
B. Sharing access cards
C. Failure to log access
D. Copying of keys
Page:
118 of 132
Case Study A Question
2. Which of the following access mechanisms would present the GREATEST
difficulty in terms of user acceptance?
A. Hand geometry recognition
B. Fingerprints
C. Retina scanning
D. Voice recognition
Page:
119 of 132
5.10.2 Case Study B Scenario
A company needed to enable remote access to one of its servers for
remote maintenance purposes. Firewall policy did not allow any
external access to the internal systems. Therefore, it was decided to
install a modem on that server and to activate the remote access
service to permit dial-up access.
As a control, a policy has been implemented to power on the modem
manually only when the third party requests access to the server, and to
have the company’s system administrator power it off when the access is
no longer needed. As more and more systems are being maintained
remotely, the company is asking an IS auditor to evaluate the current
risks of the existing solution and to propose the best strategy for
addressing future connectivity requirements.
Page:
120 of 132
Case Study B Question
1. What test is MOST important for the IS auditor to perform as part of
the review of dial-up access controls?
A. Dial the server from authorized and unauthorized telephone lines
B. Determine bandwidth requirements of remote maintenance and the
maximum line capacity
C. Check if the availability of the line is guaranteed to allow remote
access any time
D. Check if call back is not used and the cost of calls is charged to
the third party
Page:
121 of 132
Case Study B Question
2. What is the MOST significant risk that the IS auditor should evaluate
regarding the existing remote access practice?
A. Modem is not powered on / off whenever it is needed
B. A non-disclosure agreement was not signed by the third party
C. Data exchanged over the line is not encrypted
D. Firewall controls are bypassed
Page:
122 of 132
Case Study B Question
3. Which of the following recommendations is MOST likely to reduce the
current level of remote access risks?
A. Maintain an access log with the date and time when the modem was
powered on / off
B. Encrypt the traffic over the telephone line
C. Migrate the dial-up access to an Internet VPN solution
D. Update firewall policies and implement an IDS system
Page:
123 of 132
Case Study B Question
4. What control should be implemented to prevent an attack on the
internal network being initiated through an Internet VPN connection?
A. Firewall rules are periodically reviewed
B. All VPNs terminate at a single concentrator
C. An IDS capable of analyzing encrypted traffic is implemented
D. Antivirus software is installed on all production servers
Page:
124 of 132
5.10.3 Case Study C Scenario
“My Music” is a company dedicated to the production and
distribution of video clips specializing in jazz music. Born in
the Internet era, the company has actively supported the
use of notebook computers by its staff so they can use
them when traveling and when working from home.
Through the Internet they can access the company
databases and provide online information to customers.
This decision has resulted in an increase in productivity
and high morale among employees who are allowed to
work up to two days a week from home.
Page:
125 of 132
5.10.3 Case Study C Scenario
(continued)
Based on written procedures and a training course, employees
learn security procedures to avoid the risk of unauthorized
access to company data. Employees’ access to the company
data includes using logon IDs and passwords to the application
server through a VPN. Initial passwords are assigned by the
security administrator.
When the employee logs on for the first time, the system forces
a password change to improve confidentiality. Management is
currently considering ways to improve security protection for
remote access by employees. The IS auditor has been asked to
assist in this process by evaluating the current environment and
making recommendations for improvement.
Page:
126 of 132
Case Study C Question
1. Which of the following levels provides a higher degree of protection
in applying access control software to avoid unauthorized access risks?
A. Network and operating system level
B. Application level
C. Database level
D. Log file level
Page:
127 of 132
Case Study C Question
2. When an employee notifies the company that he has forgotten his
password, what should be done FIRST by the security administrator?
A. Allow the system to randomly generate a new password
B. Verify the user’s identification through a challenge / response
system
C. Provide the employee with the default password and explain that it
should be changed as soon as possible
D. Ask the employee to move to the administrator terminal to generate a
new password in order to assure confidentiality
Page:
128 of 132
5.10.4 Case Study D Scenario
A major financial institution has just implemented a
centralized banking solution (CBS) in one of its branches.
It has a secondary concern to look after marketing of the
bank.
Employees of a separate legal entity work on the bank
premises, but they have no access to the bank’s solution
software. Employees of other branches get training on this
solution from this branch and for training purposes
temporary access credentials are also given to such
employees.
Page:
129 of 132
5.10.4 Case Study D Scenario
(continued)
IS auditors observed that employees of the separate legal
entity also access the CBS software through the branch
employees’ access credentials.
IS auditors also observed that there are numerous active
IDs of employees who got training from the branch and
have since been transferred to their original branch.
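An added example, not part of the case study: a Python check that derives which active CBS user IDs should be disabled from the HR records, so that trainees transferred back to their own branch and non-employees lose access automatically. The branch's active IDs, the HR records and the dates are constructed sample values.

```python
from datetime import date

# Constructed records (not from the case study): the branch's active CBS user
# IDs and the HR view of the people those IDs were issued to.
ACTIVE_IDS = {
    "u101": {"employee": "e1", "purpose": "staff"},
    "u102": {"employee": "e2", "purpose": "training"},   # trainee, since transferred back
    "u103": {"employee": "e3", "purpose": "training"},   # trainee still at this branch
    "u104": {"employee": "e4", "purpose": "staff"},      # works on site for another company
}
HR_RECORDS = {
    "e1": {"employer": "bank", "branch": "B1", "status": "active"},
    "e2": {"employer": "bank", "branch": "B2", "status": "active",
           "training_ends": date(2010, 2, 28)},
    "e3": {"employer": "bank", "branch": "B1", "status": "active",
           "training_ends": date(2010, 4, 30)},
    "e4": {"employer": "marketing-co", "branch": "B1", "status": "active"},
}


def ids_to_disable(active_ids, hr, this_branch="B1", today=date(2010, 3, 15)):
    """Return {user_id: reason} for IDs the HR feed says should no longer be active."""
    result = {}
    for uid, acct in active_ids.items():
        rec = hr.get(acct["employee"])
        if rec is None or rec["status"] != "active":
            result[uid] = "no active HR record"
        elif rec["employer"] != "bank":
            # The separate legal entity's staff have no entitlement to the CBS.
            result[uid] = "holder is not a bank employee"
        elif acct["purpose"] == "training" and (
                rec["branch"] != this_branch or rec["training_ends"] < today):
            # Training IDs expire when the trainee leaves the branch or the course ends.
            result[uid] = "training at this branch has ended"
    return result
```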
Page:
130 of 132
Case Study D Question
1. Which of the following should an IS auditor recommend to effectively
eliminate such password sharing?
A. Assimilation of security need to keep passwords secret
B. Stringent rules prohibiting sharing of passwords
C. Use of smart cards along with strong passwords
D. Use of smart cards along with an employee’s terminal ID
Page:
131 of 132
Case Study D Question
2. Which of the following BEST addresses user ID management of trainee
employees?
A. Unused user IDs shall be automatically deleted periodically
B. To integrate access rights with the human resource process
C. Passwords of unused but active user IDs shall be suspended
D. Active user ID register shall be checked frequently
Page:
132 of 132
Conclusion
• Quick Reference Review
– Page 292 of the CISA Review Manual 2010