51295108 CISA Certified Information Systems Auditor Module Study Guide (1)


  • 7/26/2019 51295108 CISA Certified Information Systems Auditor Module Study Guide (1)


The Number One Source of Exam and On-the-Job Information

2009 Ed.

CISA ExamESSENTIALS Study Guide


STUDY INFORMATION FOR EXAM CANDIDATES

    CISA ExamESSENTIALS Guide

    ExamREVIEW PRO & ExamREVIEW PRESS

2009. All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

    Covering the 2009 Syllabus


Important: Please Read

Due to the variety of fonts installed on users' systems, Acrobat may prompt you to download an additional language component (which is FREE from Adobe anyway).

If you receive a message saying that a Traditional Chinese language pack has to be downloaded in order to load this eBook, please click YES to have Acrobat download the update. The size of the update is about 7M. Don't worry, this download is safe.


Table of Contents

END USER LICENSE AGREEMENT 7

    EXAM FORMAT 13

    ABOUT THIS BOOK 14

    EXAM TOPICS 15

    EXAM REGISTRATION CONTACTS 19

    STUDY PSYCHOLOGY & EXAM TACTICS 20

    KEY EXAM STRATEGIES 21

    STRATEGY ONE: KEYWORD OR KEY PHRASE MATCHING. 21

    STRATEGY TWO: CHOICES GROUPING. 22

    STRATEGY THREE: THINK TRICKY. 23

    SECURITY THEORIES 25

    THE COMPUTER SYSTEM ITSELF AS LARGELY AN UNTRUSTED SYSTEM 27

    DEFENSE IN DEPTH 27

    VULNERABILITIES 28

    SECURITY MEASURES 45

    STANDARDS AND GUIDELINES 49

    IS ORGANIZATION AND INFORMATION ASSETS PROTECTION 55

    THE STAKEHOLDERS 56

    THE BOARD 57

    THE AUDIT MANAGER 58

    AUDIT PERSONNEL 59

    IS CONTROLS 61

    THE IMPORTANCE OF THE USE OF CONTROLS 61

    CLASSIFICATION OF CONTROLS 62

    GENERAL CONTROLS VS APPLICATION CONTROLS 63


    ACCESS CONTROL AND THE AUDITING PROCESS 66

ACCESS CONTROL MODELS 66

ACLS VERSUS CAPABILITIES 68

    WHAT IS ORANGE BOOK, BY THE WAY? 69

    TYPES OF ACCESS CONTROL 70

    THE AAA CONCEPT 71

    ESTABLISHING ACCOUNTABILITY THROUGH EVENT LOGGING 74

    THE AUDIT PROCESS 75

THE SARBANES-OXLEY ACT AND THE COSO FRAMEWORK 76

WHAT IS AUDITING, BY THE WAY? 79

    THE ROLE OF AN AUDITOR 82

    THE AUDIT PROCESS FLOW 83

    OVERALL STRATEGIES 88

    AUDIT PLANNING 90

    RECOMMENDED TYPES OF AUDIT 100

    EXAMPLE AUDIT OBJECTIVES AND PROCEDURES 103

    AUDIT FIELDWORKS 111

    AUDIT PROGRAM 115

    AUDIT REPORT 116

    AUDIT FOLLOW-UP 118

    AUDIT ASSESSMENT 120

    IT STRATEGIC PLANNING 121

    IT STRATEGIC PLANNING DEFINED 121

THE ROLE OF IS AUDITING IN THE PLANNING PROCESS 122

IN-HOUSE OR OUT-SOURCE? 123

    AVOIDING CONFLICTS OF INTERESTS 124

    PROTECTION OF INFORMATION ASSETS THROUGH SECURITY POLICY 126

    INFORMATION ASSETS DEFINED 126

    DATA CLASSIFICATIONS AND LAYER OF RESPONSIBILITIES 129

    SECURITY POLICY 131

    SECURITY MODELS AND MODES OF OPERATIONS 138

    EXAMPLE POLICY 141

CONSEQUENCES OF VIOLATIONS 143

EVALUATION 144

    ORGANIZATION SPECIFIC CLASSIFICATION SCHEME 145

    CHANGE CONTROL 146

    BUSINESS CONTINUITY PLANNING 148

    DEFINITION 148

    BCP VS BPCP VS DRP 149

    BCP PHASES 150

    STAKEHOLDERS AND CRISIS COMMUNICATIONS 151


    THE RISK ASSESSMENT FLOW 153

    RISK VS THREAT AND VULNERABILITY 158

    IDENTIFYING RISKS 159

LOSS CALCULATIONS 161

BUSINESS IMPACT ANALYSIS DEFINED 164

    BIA GOALS AND STEPS 165

    BIA CHECKLIST 166

    PREPARING FOR EMERGENCY 168

    MANAGING RECOVERY 170

    TESTING THE PLAN 172

    USER ACCEPTANCE 174

    PLAN MAINTENANCE 174

    INCIDENT HANDLING 177

    RISK MANAGEMENT 180

    RISK MANAGEMENT DEFINED 181

    THE RISK MANAGEMENT STEPS 181

    IS AUDITING AND RISK MANAGEMENT 183

    RISK-BASED AUDITING 184

    RISK MANAGEMENT READINGS 185

    PROJECT MANAGEMENT 187

    PROJECT MANAGEMENT DEFINED 187

PROJECT MANAGEMENT AND AUDIT 188

    CHANGE MANAGEMENT 190

    CHANGE MANAGEMENT DEFINED 190

    CHANGE MANAGEMENT STRATEGIES 192

    CHANGE MANAGEMENT VS CHANGE CONTROL VS CONFIGURATION MANAGEMENT 194

    CHANGE CONTROL 196

    APPLICATION PROGRAM DEVELOPMENT 203

GENERAL GUIDELINES 203

SYSTEM CHANGE CONTROL 204

    SOFTWARE DEVELOPMENT PROCESSES AND MODELS 205

    BUY VS MAKE: ACQUISITION MANAGEMENT METHODS 208

    TECHNICAL READINGS 211

    SECTION 1: TOPICS ON SECURITY THEORY 211

    SECTION 2: TOPICS ON HACKING, ATTACKING, DEFENDING AND AUDITING. 211

    SECTION 3: TOPICS ON ENCRYPTION AND VPN. 211


    SECTION 4: TOPICS ON RESPONDING TO ATTACKS 211

    SECTION 5: TOPICS ON VIRUSES. 211

    EXCELLENT PUBLIC RESOURCES 302

    SAMPLE IS AUDIT QUESTIONNAIRE 307

    END OF STUDY GUIDE 308


    End User License Agreement

The CISA ExamESSENTIALS Guide (the "Book") is a certification study product provided by ExamREVIEW Press (including ExamREVIEW.NET and SystemREVIEW.NET, being referred to as ExamREVIEW.NET in this document), subject to your compliance with the terms and conditions set forth below.

PLEASE READ THIS DOCUMENT CAREFULLY BEFORE ACCESSING OR USING THE BOOK. BY ACCESSING OR USING THE BOOK, YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS SET FORTH BELOW. IF YOU DO NOT WISH TO BE BOUND BY THESE TERMS AND CONDITIONS, YOU MAY NOT ACCESS OR USE THE BOOK.

EXAMREVIEW.NET MAY MODIFY THIS AGREEMENT AT ANY TIME, AND SUCH MODIFICATIONS SHALL BE EFFECTIVE IMMEDIATELY UPON POSTING OF THE MODIFIED AGREEMENT ON THE CORPORATE SITE OF EXAMREVIEW.NET. YOU AGREE TO REVIEW THE AGREEMENT PERIODICALLY TO BE AWARE OF SUCH MODIFICATIONS AND YOUR CONTINUED ACCESS OR USE OF THE BOOK SHALL BE DEEMED YOUR CONCLUSIVE ACCEPTANCE OF THE MODIFIED AGREEMENT.

    1. Copyright and Licenses.

License Grant

This Agreement entitles you to install and use one copy of the Book. In addition, you may make one archival copy of the Book. The archival copy must be on a storage medium other than a hard drive, and may only be used for the reinstallation of the Book.

This Agreement does not permit the installation or use of multiple copies of the Book, or the installation of the Book on more than one computer at any given time, on a system that allows shared use of applications, on a multi-user network, or on any configuration or system of computers that allows multiple users. Multiple copy use or installation is only allowed if you obtain an appropriate licensing agreement for each user and each copy of the Book. For further information regarding multiple-copy licensing of the Book, please contact: [email protected]

Restrictions on Transfer

Without first obtaining the express written consent of ExamREVIEW.NET, you may not assign your rights and obligations under this Agreement, or redistribute, encumber, sell, rent, lease, sublicense, or otherwise transfer your rights to the Book.

Restrictions on Use

You may not use, copy, or install the Book on any system with more than one computer, or permit the use, copying, or installation of the Book by more than one user or on more than one computer. If you hold multiple, validly licensed copies, you may not use, copy, or install the Book on any system with more than the number of computers permitted by license, or permit the use, copying, or installation by more users, or on more computers than the number permitted by license.

You may not decompile, "reverse-engineer", disassemble, or otherwise attempt to derive the source code for the Book.

Restrictions on Alteration

You may not modify the Book or create any derivative work of the Book or its accompanying documentation. Derivative works include but are not limited to translations. You may not alter any files or libraries in any portion of the Book. You may not reproduce the database portion or create any tables or reports relating to the database portion.

Restrictions on Copying

You may not copy any part of the Book except to the extent that licensed use inherently demands the creation of a temporary copy stored in computer memory and not permanently affixed on storage medium. You may make one archival copy which must be stored on a medium other than a computer hard drive.

TRADEMARKS.

CISA ExamESSENTIALS Guide and/or any other names of ExamREVIEW.NET or its publications, products, content or services referenced herein or on the Book are the exclusive trademarks or servicemarks of ExamREVIEW.NET. Other product and company names mentioned in the Book may be the trademarks of their respective owners.

    2. Use of the Book.

You understand that, except for information, products or services clearly identified as being supplied by ExamREVIEW.NET, ExamREVIEW.NET does not operate, control or endorse any information, products or services on the Internet in any way. Except for ExamREVIEW.NET-explicitly identified information, products or services, all information, products and services offered through the Book or on the Internet generally are offered by third parties that are not affiliated with ExamREVIEW.NET.

YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE BOOK AND THE INTERNET. EXAMREVIEW.NET PROVIDES THE BOOK AND RELATED INFORMATION "AS IS" AND DOES NOT MAKE ANY EXPRESS OR IMPLIED WARRANTIES, REPRESENTATIONS OR ENDORSEMENTS WHATSOEVER (INCLUDING WITHOUT LIMITATION WARRANTIES OF TITLE OR NONINFRINGEMENT, OR THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE) WITH REGARD TO THE BOOK, ANY INFORMATION OR SERVICE PROVIDED THROUGH THE BOOK, AND EXAMREVIEW.NET SHALL NOT BE LIABLE FOR ANY COST OR DAMAGE ARISING EITHER DIRECTLY OR INDIRECTLY FROM ANY SUCH. IT IS SOLELY YOUR RESPONSIBILITY TO EVALUATE THE ACCURACY, COMPLETENESS AND USEFULNESS OF ALL OPINIONS, ADVICE, AND OTHER INFORMATION PROVIDED THROUGH THE BOOK.

    LIMITATION OF LIABILITY

IN NO EVENT WILL EXAMREVIEW.NET BE LIABLE FOR (I) ANY INCIDENTAL, CONSEQUENTIAL, OR INDIRECT DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR INFORMATION, AND THE LIKE) ARISING OUT OF THE USE OF OR INABILITY TO USE THE BOOK, EVEN IF EXAMREVIEW.NET OR ITS AUTHORIZED REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR (II) ANY CLAIM ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN THE BOOK.

BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. IN SUCH STATES, EXAMREVIEW.NET LIABILITY IS LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW.

ExamREVIEW.NET makes no representations whatsoever about any other web sites which are referenced in the book. When you access a non-ExamREVIEW.NET web site, please understand that it is independent from ExamREVIEW.NET, and that ExamREVIEW.NET has no control over the content on that web site. In addition, a link to an ExamREVIEW.NET web site does not mean that ExamREVIEW.NET endorses or accepts any responsibility for the content, or the use, of such web site.

    3. Indemnification.

You agree to indemnify, defend and hold harmless ExamREVIEW.NET, its officers, directors, employees, agents, licensors, suppliers and any third party information providers to the Book from and against all losses, expenses, damages and costs, including reasonable attorneys' fees, resulting from any violation of this Agreement (including negligent or wrongful conduct) by you or any other person using the Book.

    4. Third Party Rights.


The provisions of paragraphs 2 (Use of the Book), and 3 (Indemnification) are for the benefit of ExamREVIEW.NET and its officers, directors, employees, agents, licensors, suppliers, and any third party information providers to the Book. Each of these individuals or entities shall have the right to assert and enforce those provisions directly against you on its own behalf.

    5. Termination.

This Agreement may be terminated by either party without notice at any time for any reason. The provisions of paragraphs 1 (Copyright, Licenses and Idea Submissions), 2 (Use of the Book), 3 (Indemnification), 4 (Third Party Rights) and 6 (Miscellaneous) shall survive any termination of this Agreement.

    6. Miscellaneous.

This Agreement shall be governed and construed in accordance with the laws of Hong Kong applicable to agreements made and to be performed in Hong Kong. You agree that any legal action or proceeding between ExamREVIEW.NET and you for any purpose concerning this Agreement or the parties' obligations hereunder shall be brought exclusively in a court of competent jurisdiction sitting in Hong Kong. Any cause of action or claim you may have with respect to the Book must be commenced within one (1) year after the claim or cause of action arises or such claim or cause of action is barred. ExamREVIEW.NET's failure to insist upon or enforce strict performance of any provision of this Agreement shall not be construed as a waiver of any provision or right. Neither the course of conduct between the parties nor trade practice shall act to modify any provision of this Agreement. ExamREVIEW.NET may assign its rights and duties under this Agreement to any party at any time without notice to you.

    Any rights not expressly granted herein are reserved.


Every effort has been made to ensure the accuracy of this book. If you have comments, questions, or ideas regarding this book, please let us know by emailing this address: [email protected]

This electronic book was originally created as a print book. For simplicity, the electronic version of this book has been modified as little as possible from its original form.


    Exam Format

    The following question formats are used in the CISA exams:

Text Based Multiple-choice: The examinee selects one option that best answers the question or completes a statement.

Multiple-response: The examinee selects multiple options that best answer the question or complete a statement.

Sample Directions (Scenario): Read the statement or question and, from the response options, select only the option(s) that represent the BEST possible answer(s).

There are no fill-in-the-blank questions. There are no graphical questions.

You will mostly be asked to pick one choice as the answer. However, some questions will require you to pick multiple items, something like "i and ii", "i, iii & v", etc.

- For international candidates, it takes about two months to receive the results.

- As of 2004, all CISA exams are paper and pencil based.


    About this book

The CISA exam has a lot of questions that ask for your "best decisions" - of the hundreds of questions you will encounter in the exam, a significant portion of them requires that you pick the best possible options. These best options are often based on expert advice and best practices not found in the standard exam text books.

Our CISA ExamESSENTIALS Guide goes the expert-advice way. Instead of giving you the hard facts, we give you information that covers the best practices.

With this information, you will always be able to make the most appropriate expert judgment in the exam.

    If you are looking for the hard facts, visit the following ISACA link:

    http://www.isaca.org/TemplateRedirect.cfm?Template=/ContentManagement/ContentDisplay.cfm&ContentID=15262

* In case this link no longer works, refer to the Standards section of ISACA's web site.

This is the place where most official IS auditing standards and guidelines are listed. In the exam you will encounter certain questions that test your memorization skills; you will have to get these hard facts fully loaded into your memory. We believe that the official published material is the best source of information in this regard.


Our guide focuses on the best business practice and expert advice side of the exam.

    Exam Topics

    The official exam objectives can be found from the CISA exam page:

    http://www.isaca.org/cisaexam

I personally do not recommend that you spend too much time on these objectives. The reasons are:

- many of them simply require nothing but basic common sense; you will be able to answer the corresponding questions easily anyway

- the list is way too detailed; if you go through them one by one, it will take you a year or so to finish

- many of the objectives are heavily overlapped

- to me, they look confusing


Instead, I prefer to focus on the following areas (because they often involve topics that do not have fixed answers but instead require the best possible options):

- Access control models.

- The auditing process.

- IT strategic planning.

- Protection Policy for Information Assets.

- Business Continuity Planning.

- Risk management.

- Project Management.

- Change Management.

Why do we choose these topics? Firstly, according to many recent CISA graduates, these are the topics that frequently give them surprises. Secondly, if you watch closely what ISACA at present offers together with the Big 5 accounting firms, you should notice that these topics are always emphasized.


Most candidates fail the exam because they focused too much on the IT side of the exam, with little or no preparation on the auditing-related disciplines. Remember, a large number of the CISA exam candidates are from the accounting profession, where business auditing is a major daily duty.

The exam is about 40% TECHNOLOGY and 60% BUSINESS PRACTICE.

Tech gurus do not really have an edge because no in-depth nor advanced technologies are tested here. Instead, the practical business people with sufficient technology knowledge rule.

The tech questions are easy because they are (and are bound to be) straightforward. The business practice related questions are difficult because business rationales are never straightforward; too many factors come into play, therefore making every scenario highly complicated.

And remember, technology does not mean IT technology alone. It also means Physical Security Technology as well as Biometrics, and many more. As of the time of this writing the state of biometrics technology is very sophisticated and accurate, but is highly expensive. Other potential barriers include user acceptance, enrollment time and throughput. Still, it is gaining ground, especially in environments where security is CRITICAL.

Take a look at the security measures your company has implemented and critically assess their features and effectiveness. This will help.


    Exam Registration Contacts

The CISA exam is offered throughout the world twice a year (in June and in December). The best way to register for the exam is to request the exam bulletin from the ISACA Certification Department via email at [email protected] or by phone at +1.847.253.1545.

I do recommend that you register early. As I remember, there is an early bird discount available.


    Study Psychology & Exam Tactics

- Always plan ahead!

- Always maintain a positive attitude.

- Prepare systematically using ExamReview materials.

- Ensure you have enough sleep! Health is essential for maintaining a fighting spirit.

- Arrive at the test center in time to have a margin of safety.

- Dress yourself in a manner with emphasis on comfort. Always have a coat ready just in case the A/C is way too powerful.

- Read the exam instructions carefully before answering the first question.


    Key exam strategies

To be successful in the CISA exam, you must know how the questions are structured. The official saying is that the CISA examination will require the candidates to answer questions and to make judgments based on the information learned in courses and on their own professional experiences. Based on our experiences, however, tackling CISA questions involves several major strategies:

    Strategy One: Keyword or key phrase matching.

    Example: Which of the following would be included in an information securitystrategic plan?

    A. Specifications for planned hardware purchases

    B. Analysis of future business objectives

    C. Target dates for information security projects

    D. Annual budgetary targets for the security department


The key phrase here is "strategic plan". As we all know, a strategic plan is a very high level thing. Looking at the choices, only choice B has a high level element, which is "business objective". Therefore, B is the correct answer.

    Strategy Two: Choices grouping.

Example: The MOST important responsibility of an information security manager in an organization is:

    A. recommending and monitoring security policies.

    B. promoting security awareness within the organization.

    C. establishing procedures for security policies.

    D. administering physical and logical access controls.

When you try to classify or group the choices, you will find that choices B, C and D can be classified into one group: a group of implementation activities. Choice A, on the other hand, takes place way before the implementation phase. Therefore, choice A is the answer.


    Strategy Three: Think tricky.

You need to know how to pick the BEST answer out of several technically possible answers. To do this you need to think tricky; the questions are always written with trickiness in mind (believe me, this is exactly the case with most ISACA exam questions).

    As an example, you are asked to evaluate the following statements:

In the context of information security, the term Granularity refers to the level of detail to which a trusted system can authenticate users.

In the context of information security, the term Granularity refers to the level of detail to which imperfections of a trusted system can be measured.

In the context of information security, the term Granularity refers to the level of detail to which packets can be filtered.

In the context of information security, the term Granularity refers to the level of detail to which an access control system can be adjusted.

    Which statement is the BEST one?


To pick the BEST choice, you must keep in mind that Granularity is a term which could be applied to a multitude of usages within the context of IT security. It can be for packet filtering, and it can also be for user access. The last statement said "access control system" without specifying its exact type. It is therefore representative of almost all possible types of access control system. You know what, this is exactly the type of answer expected. Kinda tricky, isn't it?


    Security Theories

A security stance is a default position on security matters. The 2 primary security stances are:

i. "Everything not explicitly permitted is forbidden" (default deny). This improves security at the cost of functionality. It is a good approach to use if you have lots of security threats. You may find this approach helpful when basing it on the principle of least privilege (sometimes also known as the principle of least authority, POLA): that every module of a computing environment should be able to access only such resources as are necessary to its legitimate purpose. Do keep in mind that an over-restrictive system can sacrifice usability. The lack of flexibility can also hinder usability.

ii. "Everything not explicitly forbidden is permitted" (default permit). This allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible. Many earlier Windows systems give Everyone full control, which is no good security-wise.
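The two stances can be made concrete with a small policy evaluator. The following is an added example, not code from the study guide: it evaluates a constructed rule list under each default, and includes a least-privilege check for the "Everyone: Full Control" pattern mentioned above; the rule set, principals and resources are assumptions chosen for illustration.

```python
# Added example (not from the study guide): a minimal access-policy evaluator
# that makes "default deny" and "default permit" concrete. The rule set,
# principals and resources below are constructed for illustration.
from dataclasses import dataclass

DENY, PERMIT = "deny", "permit"


@dataclass(frozen=True)
class Rule:
    principal: str  # user or group name; "*" matches anyone
    resource: str   # resource name; "*" matches anything
    action: str     # e.g. "read", "write"; "*" matches any action
    effect: str     # DENY or PERMIT

    def matches(self, principal, resource, action):
        pairs = ((self.principal, principal),
                 (self.resource, resource),
                 (self.action, action))
        return all(pattern in ("*", value) for pattern, value in pairs)


def evaluate(rules, principal, resource, action, default):
    """Return the effect of the first matching rule, or the stance's default.

    default=DENY   -> "everything not explicitly permitted is forbidden"
    default=PERMIT -> "everything not explicitly forbidden is permitted"
    """
    for rule in rules:
        if rule.matches(principal, resource, action):
            return rule.effect
    return default


def compare_stances(rules, principal, resource, action):
    """Evaluate one request under both stances side by side."""
    return {stance: evaluate(rules, principal, resource, action, stance)
            for stance in (DENY, PERMIT)}


def overly_broad_rules(rules):
    """Least-privilege check: permit rules that grant every action to
    everyone, the "Everyone: Full Control" pattern the guide warns about."""
    return [r for r in rules
            if r.effect == PERMIT and r.principal == "*" and r.action == "*"]


# Constructed policy: clerks may read payroll, nobody may delete it; the
# policy is silent about everything else, which is where the stance decides.
POLICY = [
    Rule("payroll-clerks", "payroll-db", "read", PERMIT),
    Rule("*", "payroll-db", "delete", DENY),
]

if __name__ == "__main__":
    # An unlisted request: forbidden under default deny, allowed under default permit.
    print(compare_stances(POLICY, "intern", "payroll-db", "write"))
    # {'deny': 'deny', 'permit': 'permit'}
    print(overly_broad_rules([Rule("*", "*", "*", PERMIT)]))
```

The same two-line policy leaves an intern's write request forbidden under default deny and allowed under default permit; only a rule that names the request changes that.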


A proper balance of security risks is needed for implementing practical computing systems.

There are two different approaches to security in computing. One focuses mainly on external threats, and generally treats the computer system itself as a trusted system. The other regards the computer system itself as largely an untrusted system, and redesigns it to make it more secure in a number of ways. Most current real-world computer security efforts focus on external threats, and generally treat the computer system itself as a trusted system. Some observers consider this to be a disastrous mistake, and point out that this distinction is the cause of much of the insecurity of current computer systems - once an attacker has subverted one part of a system without fine-grained security, he or she usually has access to most or all of the features of that system. In other words, this security stance tends to produce insecure systems.

The 'trusted systems' approach has been predominant in the design of many earlier software products, due to the long-standing emphasis on functionality and 'ease of use' over security.


    The computer system itself as largely an untrusted system

The untrusted system approach seeks to enforce the principle of least privilege to a great extent, where an entity has only the privileges that are needed for its function. That way, even if an attacker has subverted one part of the system, fine-grained security ensures that it is just as difficult for them to subvert the rest. Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. Where formal correctness proofs are not possible, rigorous use of code review and unit testing measures can be used to try to make modules as secure as possible.

Defense in depth

From a technical perspective, designs using the above-mentioned technique often make use of the concept of "defense in depth", where more than one subsystem needs to be compromised to compromise the security of the system and the information it holds.


A typical defense in depth approach divides the key security elements into layers for creating a cohesive defense strategy. To ensure effective IT security, you must design, implement, and manage IT security controls for each layer of this layered model. As an example, you may divide your controls into the layers of network, hardware, software, and data.

From a broader perspective, an important principle of the Defense in Depth strategy is that in order to achieve Information Assurance you need to maintain a balanced focus on the critical elements of People, Technology and Operations.

In any case, security should not be viewed as an all-or-nothing issue. The designers and operators of systems should assume that security breaches are inevitable in the long term, and that full audit trails should be kept of system activity so that when a security breach occurs, the mechanism and extent of the breach can be determined. In fact, storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks.
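As an added example (not code from the study guide), the following hash-chained audit trail shows why an append-only, remotely anchored log resists track-covering: editing, inserting or deleting an earlier entry breaks the chain, and the head hash held by the remote store catches removal of the newest entries, which chain verification alone cannot. The event strings and the AuditTrail class are constructed for illustration.

```python
# Added example (not from the study guide): a hash-chained, append-only audit
# trail. Each entry commits to its predecessor, so altering or removing an
# earlier record breaks the chain; the head hash kept at a remote append-only
# store additionally exposes truncation of the newest entries.
import hashlib
import json

GENESIS = "0" * 64  # the hash "before" the first entry


def entry_hash(prev_hash, seq, event):
    """SHA-256 over the predecessor hash, the sequence number and the event."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event},
                         sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    """Entries are only ever appended; append() returns the new head hash,
    which the caller forwards to the remote store as the trusted anchor."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        self.entries.append({"seq": seq, "event": event, "prev": prev,
                             "hash": entry_hash(prev, seq, event)})
        return self.entries[-1]["hash"]

    def verify(self, expected_head=None):
        """Return (True, None) if the chain is intact, else (False, index).

        Modifying, inserting or deleting an entry changes the hash its
        successor must carry, so the first inconsistent index is reported.
        Deleting only the tail leaves a valid but shorter chain; that case
        is caught by comparing against the remotely held expected_head.
        """
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            if (entry["seq"] != index or entry["prev"] != prev
                    or entry["hash"] != entry_hash(prev, index, entry["event"])):
                return False, index
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


if __name__ == "__main__":
    trail = AuditTrail()
    head = None
    for event in ("login alice", "read payroll-db", "logout alice"):  # constructed
        head = trail.append(event)
    print(trail.verify(expected_head=head))        # (True, None)
    trail.entries[1]["event"] = "read public-doc"  # an intruder rewrites history
    print(trail.verify())                          # (False, 1)
```

The remote copy only needs to retain the latest head hash to expose a truncated local log; a full remote replica is not required for detection.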

    Vulnerabilities

To understand the techniques for securing a computer system, it is important to first understand the various types of attacks that can be made against it. These threats can typically be classified into the following categories:


- You may think of a salami attack as a concept that can be applied to scenarios with and without relation to computing. In general, a salami attack is said to have taken place when tiny amounts of assets are systematically acquired from a very large number of sources. Since the process takes place below the threshold of perception and detection, an ongoing accumulation of assets bit by bit is made possible. An example: the digits representing currency on a financial institution's computer could be modified in such a way that values to the right of the pennies field are automatically rounded down. The salami concept can also apply in information gathering: aggregating small amounts of information from many sources in an attempt to derive an overall picture of an organization.

- Bribes and extortion can occur! With promises or threats that cause your staff to violate their trust, information security can be at risk big time! This is more an HR issue, but still you need to think of ways to safeguard security, assuming bribery is not entirely impossible.

- Software flaws such as buffer overflows are often exploited to gain control of a computer, or to cause it to operate in an unexpected manner.

NOTE: A buffer overflow (buffer overrun) is a programming error which may result in a memory access exception; that is, a process attempts to store data beyond the fixed boundaries of a buffer area. With careless programming, this kind of access attempt can be triggered by ill-intentioned code. Stack-based buffer overflows and heap-based buffer overflows are the two popular types of attack of this nature. Techniques such as static code analysis can help prevent such attacks. You should also always opt for the use of safe libraries.

• Many development methodologies rely on testing to ensure the quality of any code released; this process often fails to discover extremely unusual potential exploits. The term "exploit" generally refers to small programs designed to take advantage of a software flaw that has been discovered, either remote or local.

NOTE: As a pre-attack activity, footprinting refers to the technique of collecting information about systems through techniques such as ping sweeps, TCP scans, OS identification, domain queries and DNS interrogation. Tools involved may include samspade, nslookup, traceroute, neotrace and the like. Passive fingerprinting, on the other hand, is based primarily on sniffer traces from your remote system. Rather than proactively querying a remote system, you capture packets that pass by instead.

• Any data that is transmitted over an IP network is at some risk of being eavesdropped on or even modified. Voice over IP has the same security issues as running regular applications which rely on IP for transmission.

NOTE: The OSI model is a layered model which gives an abstract description for network protocol design. It is a seven-layer model, and IP runs at layer 3, even though the TCP/IP suite itself has its own four-layer structure. TCP runs at OSI layer 4, on top of IP, providing connection-oriented service between the sender and the recipient.

TCP is supposed to provide guaranteed delivery. Every single TCP segment contains a TCP header with the source and destination port, a sequence number that identifies the first byte of data, and an acknowledgment number that indicates an acknowledgment by the recipient. There are also six flag bits, which are URG, ACK, PSH, RST, SYN and FIN. Keep in mind, TCP does not make any assumptions about the underlying IP network.

You can perceive ports as the actual endpoints of every TCP connection. Examples of well-known ports include HTTP port 80, SSL port 443 and others.

ICMP is quite special. It runs at the IP layer, mostly for sending one-way informational messages to a networked host. "ping" is a utility which uses ICMP.

The four fields of a TCP/IP packet that hackers usually look at for determining the operating system are TTL (the Time To Live on the outbound packet), Window Size, DF (the Don't Fragment bit) and TOS (the Type of Service). By analyzing these and comparing them with a database of signatures there is a chance you can tell what the remote operating system is.

• Non-IP based networks are also highly hackable. Sniffing was pretty common on Ethernet (and also on IP networks).

A packet sniffer (another name for a protocol analyzer) can be deployed to intercept and log network traffic that passes through the network. It can capture unicast, multicast and broadcast traffic provided that you put your network adapter into promiscuous mode. You may sniff to analyze network problems, or to gain information for launching a network attack.

Wireshark (formerly Ethereal) is a free protocol analyzer you may use for network troubleshooting and sniffing. The functionality it offers is similar to tcpdump, but it provides a GUI for ease of use.

• Even machines that operate as a closed system can be eavesdropped upon by monitoring the faint electromagnetic emissions generated by the hardware (TEMPEST).

• Wireless networks are highly hackable.

NOTE: In the world of WLAN, a BSS refers to a set of wireless stations which communicate with each other. The two types of BSS are independent BSS and infrastructure BSS. The former is an ad-hoc network that has no access points. The latter requires the use of access points. Neither of them is too secure by default.

WEP is the original encryption standard for WLAN. It uses key lengths in the range of 128- and 256-bit, but is still considered way less secure than WPA. WPA deploys a pre-shared key, established from an 8-63 character passphrase.

Accidental association could be a form of attack that takes place when one's computer latches on to an access point that belongs to a neighboring and overlapping network. Sometimes this happens by accident; that is, the user has no intent to crack into the overlapping network at all.

Access points exposed to non-filtered traffic can be vulnerable. Broadcast traffic like OSPF, RIP, HSRP, etc. can be corrupted through the injection of bogus reconfiguration commands.

You should always have your access points arranged in such a way that radio coverage is available only to your desired area. Wireless signal that "spills" outside of your desired area could be sniffed.

To further secure your WLAN you should always change the default SSID, as most hackers know the default names of most equipment.

Avoid using a dictionary word to form your SSID. Use something hard to guess.

• A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them. The availability of the internet makes penetration even easier, as everything is now connected. Attacking web servers has become an exciting and enjoyable challenge for hackers.

NOTE: In a web infrastructure you have a router, a firewall and a web server. The web server serves requests through ports 80 and 443 (SSL). Different servers work slightly differently, thus having different vulnerabilities. Scanning tools may probe the active ports and, from the responses obtained, identify the target servers and carry out possible attacks. This is especially true for web server software that has too many ports opened other than the required ones.

IIS can be extremely vulnerable if you simply follow the default installation options. Windows and IIS always install and configure superfluous services that are unpatched, which are easy targets.

Another problem is that IIS uses a few built-in default accounts that are weakly protected. You should change the defaults: change the account names and the passwords whenever possible. Close all unnecessary ports too.

Part of the reason why IIS is so vulnerable is that it runs on Windows, which is not a very secure platform by design.

Null sessions are no good: they allow an attacker to extract system-critical information such as user account names. NT, 2000 and Windows Server 2003 domain controllers are believed to be susceptible to enumeration via null sessions. One way to prevent this is to block UDP ports 137 and 138 and TCP ports 139 and 445. You want to do this via a firewall at the edge of the network.

Another vulnerability on Windows is the inter-process communication (IPC) mechanism. It is a mechanism that allows a process to communicate with another. This can take place on different computers that are connected through a network, which is why it can be bad, real bad.

• Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access.

• Denial of service (DoS) attacks are not primarily a means to gain unauthorized access or control of a system. They are instead designed to render it unusable. Attackers can deny service to individual victims, such as by deliberately guessing a wrong password three consecutive times and thus causing the victim's account to be locked, or they may overload the capabilities of a machine or network and block all users altogether. These types of attack are, in practice, very hard to prevent, because the behavior of whole networks needs to be analyzed, not only of small pieces of code. Distributed denial of service (DDoS) is even worse: a large number of compromised hosts are used to flood a target system with network requests, thus attempting to render it unusable through resource exhaustion.

• Many computer manufacturers used to preinstall backdoors on their systems to provide technical support for customers. With the existence of backdoors, it is possible to bypass normal authentication while remaining hidden from casual inspection. The backdoor may take the form of an installed program or could be in the form of an existing "legitimate" program or executable file.

NOTE: A backdoor refers to a generally undocumented means of getting into a system, mostly for programming and maintenance/troubleshooting needs. Most real-world programs have backdoors.

On Windows some backdoor programs may get themselves installed to start when the system boots. You want to know if there are services that are configured to start automatically; they may be Trojan horse or backdoor programs.

• A specific form of backdoor is the rootkit, which replaces system binaries of the operating system to hide the presence of other programs, users, services and open ports.

NOTE: "rootkit" originally described recompiled Unix tools that would hide any trace of the intruder. You can say that the only purpose of a rootkit is to hide evidence from system administrators so that there is no way to detect malicious privileged access attempts.

• To some, secrecy means security, so closed-source software solutions are preferable. In modern days this may not always be true. With the open source model, people may freely revise and inspect code, so back doors and other hidden tricks/defects can hardly go undetected.

• Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a blend of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered malware based on the intent of the creator rather than any particular features. It includes computer viruses, worms, Trojan horses, spyware, adware, and other unwanted software.

NOTE: As a common type of Trojan horse, a legitimate piece of software might have been corrupted with malicious code which runs when the program is used. The key is that the user has to invoke the program in order to trigger the malicious code. In other words, a Trojan horse simply cannot operate autonomously. You would also want to know that most but not all Trojan horse payloads are harmful; a few of them are harmless. Most Trojan horse programs are spread through e-mail. Some earlier Trojan horse programs were bundled in "root kits". For example, the Linux Root Kit version 3 (lrk3), which was released in December 1996, had tcp wrapper trojans included and enhanced in the kit.

Keystroke logging (in the form of spyware) was originally a function of diagnostic tools deployed by software developers for capturing users' keystrokes. This is done for determining the sources of error or for measuring staff productivity. Imagine if someone uses it to capture user input of critical business data such as credit card info... You may want to use anti-spyware applications to detect and clean them up. Web-based on-screen keyboards may be a viable option for web applications.

NOTE: The majority of malware and viruses exploit known vulnerabilities in popular OSes. They typically come out within days after a vulnerability is announced. One way to protect your computers against these threats is to keep your OS and software security updates as current as possible by applying service packs, patches and hot fixes.

• The best-known types of malware are viruses and worms, which are known for the manner in which they spread, rather than any other particular behavior. Originally, the term computer virus was used for a program which infected other executable software, while a worm transmitted itself over a network to infect computers. More recently, the words are often used interchangeably.

NOTE: Nonresident viruses proactively and immediately search for victims to infect and then transfer control to the infected application program. Resident viruses don't do that. Instead, they wait in memory on execution and infect new victims that are invoked on the system. Modern anti-virus software can fight against both. Examples of modern AV software include Norton AV, PC Tools AV, AVG Pro, F-Prot, and NOD32.

Note that viruses that are capable of rewriting themselves dynamically to avoid getting detected are metamorphic. The core of the payload of these viruses is a metamorphic engine.

• Direct access attacks may be conducted through the use of common consumer devices. For example, someone gaining physical access to a computer can install all manner of devices to compromise security, including operating system modifications, software worms, keyboard loggers, and covert listening devices. The attacker can also easily download large quantities of data onto backup media or portable devices.

To secure a system, one should aim at reducing vulnerabilities. For example, in order to harden a Linux system you would first disable any unnecessary services/ports, and then have the rlogin service disabled. Unnecessary TCP/UDP ports should be closely monitored. Similar things could be done on Windows.

Computer code is regarded by some as just a form of mathematics. It is theoretically possible to prove the correctness of computer programs, though the likelihood of actually achieving this in large-scale practical systems is regarded as unlikely in the extreme by most with practical experience in the industry. In practice, only a small fraction of computer program code is mathematically proven, or even goes through comprehensive information technology audits or inexpensive but extremely valuable computer security audits.

On the other hand, it is technically possible to protect messages in transit by means of cryptography. You may also work at preventing information leakage. Information Leakage Detection and Prevention (ILD&P or ILDP) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders.

    Audit questions related to cryptography may include:

• Does your organization use cryptographic technology to protect sensitive information during transmission? Does the technology you use provide a digital signature capability for messages containing sensitive information?

• Does your organization use cryptographic technology to protect sensitive information stored in the system and in archives?

• Does your organization have a policy that clearly states when information is to be encrypted?

In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. In some worst-case scenarios, administrators are like cowboys who often go wild. Relevant questions to ask in this regard may include:

• How many system administrators does your organization have?

• Do your system administrators work full-time as system administrators? What if they also work for someone else...

• Are your system administrators contractor employees? How much control do you want them to be able to exercise?

• Is there segregation of duties among system administrators?

• Does each system administrator have a delegate and/or backup person? What can they perform on the systems?

• Are program modifications approved by the configuration control function required to be installed by system administrators?

• Is there consistency in the implementation of security procedures by system administrators in the organization?

Technically speaking, all social engineering techniques are based on flaws in human logic known as cognitive biases. These bias flaws are used in various combinations to create attack techniques. For example, pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action, and is usually done over the telephone. It's more than a simple lie, as it most often involves some prior research or set-up and the use of pieces of known information to establish legitimacy in the mind of the target. Phishing, on the other hand, applies to email appearing to come from a legitimate business requesting "verification" of information and warning of some dire consequence if it is not done. Sadly, social engineering and direct computer access attacks can only be effectively prevented by non-computer means, which can be difficult to enforce relative to the sensitivity of the information. Social engineering attacks in particular are very difficult to foresee and prevent.

Remember, in the real world the most security comes from operating systems where security is not an add-on but built in (such as the IBM OS/400).

    Security measures

A state of computer "security" is the conceptual ideal, attained by the use of the processes of Prevention, Detection, and Response.

Prevention:

User account access controls and cryptography can protect system files and data, respectively. Firewalls are by far the most common prevention systems from a network security perspective, as they can shield access to internal network services and block certain kinds of attacks through packet filtering.

NOTE: A stateful firewall can determine whether an IP packet belongs to a new connection or is actually part of an existing connection. A packet filter does not care about this at all.
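The difference the NOTE draws, as an added example that is not part of the study guide: the same edge policy (new inbound connections only to the web server on 80/443, the NetBIOS/SMB ports from the null-session note blocked) is enforced once by a stateless packet filter and once by a stateful firewall with a connection table. Hosts, ports and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Added example (not from the study guide): one edge policy enforced by a
# stateless packet filter and by a stateful firewall. Addresses, ports and the
# traffic below are constructed for illustration.

WEB_SERVER = "192.0.2.10"          # the only host allowed to accept new inbound connections
PUBLIC_SERVICES = {80, 443}
# ports the text says to block at the edge against null-session enumeration
NETBIOS_SMB = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

ConnKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                         # "tcp" or "udp"
    flags: FrozenSet[str] = frozenset()


def packet_filter(pkt: Packet) -> bool:
    """Stateless filter: every decision comes from the packet's own headers."""
    if (pkt.proto, pkt.dport) in NETBIOS_SMB:
        return False
    if pkt.proto == "tcp" and pkt.dst == WEB_SERVER and pkt.dport in PUBLIC_SERVICES:
        return True
    # Replies to connections opened from inside must get back in, but a
    # stateless filter has no record of which connections exist. The usual
    # rule, "allow any TCP packet with ACK set", therefore also admits
    # unsolicited ACK-only packets aimed at any internal port.
    if pkt.proto == "tcp" and "ACK" in pkt.flags:
        return True
    return False


class StatefulFirewall:
    """Keeps a connection table and admits inbound packets only for known flows."""

    def __init__(self) -> None:
        self.table: Set[ConnKey] = set()

    @staticmethod
    def _key(pkt: Packet) -> ConnKey:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def outbound(self, pkt: Packet) -> bool:
        # A connection initiated from inside is recorded so its replies match.
        if pkt.proto == "tcp" and "SYN" in pkt.flags:
            self.table.add(self._key(pkt))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if (pkt.proto, pkt.dport) in NETBIOS_SMB:
            return False
        forward = self._key(pkt)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table or forward in self.table:
            return True                     # part of an existing connection
        if (pkt.proto == "tcp" and pkt.flags == frozenset({"SYN"})
                and pkt.dst == WEB_SERVER and pkt.dport in PUBLIC_SERVICES):
            self.table.add(forward)         # a permitted new connection
            return True
        return False                        # anything else is unsolicited


def compare_filters() -> Dict[str, Tuple[bool, bool]]:
    """(stateless verdict, stateful verdict) for four constructed inbound packets."""
    fw = StatefulFirewall()
    fw.outbound(Packet("10.0.0.7", 50000, "203.0.113.5", 80, "tcp", frozenset({"SYN"})))
    reply = Packet("203.0.113.5", 80, "10.0.0.7", 50000, "tcp", frozenset({"SYN", "ACK"}))
    stray_ack = Packet("198.51.100.9", 4444, "10.0.0.7", 3389, "tcp", frozenset({"ACK"}))
    web = Packet("198.51.100.9", 4444, WEB_SERVER, 443, "tcp", frozenset({"SYN"}))
    smb = Packet("198.51.100.9", 4444, "10.0.0.7", 445, "tcp", frozenset({"SYN"}))
    return {
        "reply_to_outbound": (packet_filter(reply), fw.inbound(reply)),
        "stray_ack_to_internal_host": (packet_filter(stray_ack), fw.inbound(stray_ack)),
        "new_https_to_web_server": (packet_filter(web), fw.inbound(web)),
        "smb_to_internal_host": (packet_filter(smb), fw.inbound(smb)),
    }


if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(f"{name}: stateless={verdicts[0]} stateful={verdicts[1]}")
```

The stray ACK-only packet is the case that separates the two: the stateless filter has to let it through to keep legitimate replies working, while the stateful firewall drops it because no connection in its table matches.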

To prevent messages from being intercepted during transmission over the network, technologies like IPsec and SSL should be considered.

NOTE: IPsec is different from SSL in that it runs at layer 3, so it can protect both TCP and UDP traffic. SSL operates from the transport layer up, so less flexibility can be offered. The goal of SSL is to provide endpoint authentication as well as communications privacy via cryptography.

Symmetric key algorithms use trivially related (or even identical) cryptographic keys for decryption and also encryption. They use much less computational power, but require the use of a shared secret key on each end. The storage and exchange of such a shared secret can be a source of security risk. Asymmetric key algorithms use different keys, so they don't have to worry about the shared secret, but they consume way more CPU power.

RSA is an example of an asymmetric algorithm. With both a public key and a private key, it is used primarily for public key encryption. It is, in fact, suitable for both signing and encryption. However, an adaptive chosen ciphertext attack can be used against RSA-encrypted messages. Also, timing attacks can be used against RSA's signature scheme.

In addition to message encryption, you may want to enforce non-repudiation. You may use a public key certificate (one that incorporates a digital signature) to bind a public key with an identity. In a PKI, the signature is typically that of a Certificate Authority.

In a typical PKI a hash function is often used to turn data into a smaller number which serves as a sort of digital fingerprint. In cryptography, a good hash function allows for "one-way" operation, meaning there is almost no way to calculate the data input value. SHA is one example. It has several variants, which are SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. They are designed by the NSA and published through NIST. MD5 is another example. It uses a 128-bit hash value to create a hash that is typically a 32-character hex number.

Detection:

Intrusion Detection Systems are designed to detect network attacks in progress and assist in post-attack forensics, while audit trails and logs serve a similar function for individual systems.

NOTE: A typical IDS has a few components, such as sensors which detect and generate security events, a console interface for you to monitor events and alerts plus manage the setup, and an engine which records and analyzes the logged events. These components work together such that a suspected intrusion may be evaluated and signaled (through an alert or an alarm). One may, however, flood an IDS with far too much traffic such that the IDS is too busy keeping up with the pace.

Response:

"Response" is necessarily defined by the assessed security requirements of an individual system and may cover the range from simple upgrade of protections to notification of legal authorities, counter-attacks, and the like.

    Example audit questions:

• Does your organization have an Internet access policy?

• How are network services accessed by members of your organization?

• Is back door access by unapproved means possible?

• Does your organization have a firewall? If so, how is it configured? What services are accessible by external users inside and outside of this firewall?

• Does your organization have an IDS? If so, who defines the IDS knowledge base?

• Who has external remote access to your organization's systems?

• Is your network's internal architecture hidden from untrusted external users?

• Do you have any established session control practices in place?

    Standards and guidelines

ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Their IS auditing and control standards are followed by many.

Apart from guidelines published by ISACA, you may also refer to the SoGP. The Standard of Good Practice (SoGP) is a detailed documentation of best practices for information security. It is published and revised biannually by the Information Security Forum (ISF), an international best-practices organization. The Standard is developed from research based on the actual practices of and incidents experienced by major organizations. Its relatively frequent update cycle of two years also allows it to keep up with technological developments and emerging threats. In fact, the Standard is used as the default governing document for information security behavior by many major organizations, by itself or in conjunction with other standards such as ISO 17799 or COBIT.

One of the most widely used security standards today is ISO 17799, which started in 1995. This standard consists of two basic parts, BS 7799 part 1 and BS 7799 part 2, both of which were created by the British Standards Institute (BSI). Recently this standard has become ISO 27001. The National Institute of Standards and Technology (NIST) has released several special papers addressing cyber security. Three of these special papers are very relevant to cyber security: 800-12, titled Computer Security Handbook; 800-14, titled Generally Accepted Principles and Practices for Securing Information Technology; and 800-26, titled Security Self-Assessment Guide for Information Technology Systems.

ISO 17799 states that information security is characterized by integrity, confidentiality, and availability. The ISO 17799 standard is arranged into eleven control areas: security policy, organizing information security, asset management, human resources security, physical and environmental security, communication and operations, access controls, information systems acquisition/development/maintenance, incident handling, business continuity management, and compliance.

The Sarbanes-Oxley Act of 2002 (commonly called SOX or SarBox) is a United States federal law passed in response to a number of major corporate and accounting scandals. One major provision of the act is the creation of the Public Company Accounting Oversight Board (PCAOB). The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework (which will be addressed later) in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more appropriate standards of measure. Since the financial reporting processes of most organizations are driven by IT systems, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states:

"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."

Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. IT systems are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and would therefore have to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act.

The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five areas which, when implemented, can help support the requirements as set forth in the Sarbanes-Oxley legislation. These five areas and their impacts for the IT department are Risk Assessment, Control Environment, Control Activities, Monitoring, and Information & Communication.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative. Formed in 1985, its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

The Federal Information Security Management Act (FISMA) is a US federal law enacted in 2002. It imposes a mandatory set of processes that have to be followed for information systems operated by a government agency or by a contractor which works on behalf of the agency. The Federal Information Processing Standards (FIPS), on the other hand, are a set of publicly announced standards developed by the US government for use by non-military government agencies and their contractors. FIPS 46 in particular covers the Data Encryption Standard, while FIPS 140 covers security requirements for cryptographic modules.

ISO 27001 sets out the requirements for information security management systems. On the other hand, ISO 27002 offers a code of practice for information security management.

British Standard 7799 Part 3 provides guidelines for information security risk management. COBIT links IT initiatives to business requirements, organises IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered. ITIL (or the ISO/IEC 20000 series) focuses on the service processes of IT and considers the central role of the user.

Trusted Computer System Evaluation Criteria (TCSEC) provides a classification of the various security requirements based on the evaluation of functionality, effectiveness and assurance of operating systems for the government and military sectors. TCSEC was introduced in 1985 and retired in 2000.

Information Technology Security Evaluation Criteria (ITSEC) is the first single standard for evaluating security attributes of computer systems by the countries in Europe.

Common Criteria (also known as ISO/IEC 15408) combines and aligns existing and emerging evaluation criteria through a collaborative effort among the national security standards organisations of Canada, France, Germany, Japan, the Netherlands, Spain, the UK and the US. The Common Criteria Evaluation and Validation Scheme (CCEVS) establishes a national program for the evaluation of information technology products for conformance to the International Common Criteria for Information Technology Security Evaluation.

ISO/IEC 13335 (IT Security Management) offers a series of guidelines for technical security control measures. On the other hand, the Payment Card Industry Data Security Standard offers 12 core security requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.


    IS Organization and Information Assets Protection

    There must be a proper Information Management Policy in place and integrated with the Information Security Policy. This policy should clearly define information as an asset of the business unit that needs protection, and that local business managers are the owners of information who are ultimately held responsible. In fact, to get the staff really serious about information security, it is necessary to define the roles and responsibilities of those involved in the ownership and classification of information.

    No organization on earth has unlimited resources. You just cannot protect everything to the fullest extent. Therefore it is important for you to classify the information assets and then allocate resources accordingly. You also need to know whether it is cost effective to protect a certain information asset: what if the protection measure itself costs even more to implement? In any case, you must assess the cost element accurately and comprehensively. Some costs may not be easily quantified even though they could hurt big time when things go wrong (legal cost, for example).


    The stakeholders

    A critical factor in protecting information assets is laying the foundation for effective information security management. In fact, commercial, competitive and legislative pressures from around the business environment often require the implementation of proper security policies and related logical access controls. Security failures are often costly to business. Losses may be suffered as a result of the failures, or costs may be incurred when recovering from the security incident, followed by more costs to secure the systems and prevent repeated failures. Job positions within an organization that have information security responsibilities may include, but are not limited to, the following:

    • Executive management (senior management, directors etc.)

    • Security committee

    • Data owners

    • Process owners

    • IT developers

    • Security specialists

    • Auditors

    • Users

    The board

    The board of directors and senior management are responsible for ensuring that the organization's system of internal controls is operating effectively. An audit committee should be appointed to oversee audit functions and to report on audit matters periodically to the board. FYI, in order to comply with the Sarbanes-Oxley Act of 2002, public stock-issuing institutions are required to appoint outside directors as audit committee members. On the other hand, all members of a stock-issuing institution's audit committee must be members of the board of directors and be independent.

    The ability of the audit function to achieve desired objectives depends largely on the independence of audit personnel. This is especially true if the auditors are internal auditors rather than outside auditors.

    The board of directors should ensure that written guidelines for conducting IT audits have been adopted, and should assign responsibility for the internal audit function (IT audit is commonly conducted in-house by the internal audit function) to a member of management who has sufficient audit expertise and is independent of the other business operations of the organization. In general, the position of the auditor within the organizational structure, the reporting authority for audit results, and the auditor's responsibilities should indicate the degree of auditor independence within the organization. The board should do its best to ensure that the audit department does not participate in activities that may compromise, or appear to compromise, its independence. These activities may include preparing reports or records, developing procedures, or performing other operational duties normally reviewed by auditors. Keep in mind, the auditor's independence may also be determined by analyzing the reporting process and verifying that management does not interfere with the candor of the findings and recommendations.

    The audit manager

    The audit manager is responsible for implementing board-approved audit directives. This manager should oversee the audit function and provide leadership and direction in communicating and monitoring audit policies, practices, programs, and processes conducted by the internal audit staff. The extent of external audit work (if any) should be clearly defined in a separate and formal engagement letter. This letter should discuss the scope of the audit, the objectives, resource requirements, audit timeframe, and resulting reports. Expect a bunch of meetings, coordination, collaboration, and conflicts between the outside guys and the insiders.

    Audit personnel

    The auditors, whether internal or external, should in any case be granted the authority to access the records and staff necessary to perform auditing and reporting. In fact, for any audit effort to be successful, a reporting line MUST be identified to the highest level of the organization. The auditor's right of access to information must be clearly identified early in the process. Management should be required to respond formally, and in a timely manner, to significant adverse audit findings by taking appropriate corrective action. The auditors in turn should discuss their findings and recommendations periodically with the audit committee.

    Personnel performing IT audits should have information systems knowledge commensurate with the scope and sophistication of the organization's IT environment and possess sufficient analytical skills to determine and report the root cause of deficiencies (they don't have to be CISA certified, although certification is a "plus").

    Sometimes the audit function will be requested to take a role in the development, acquisition, conversion, and testing of major applications. It is necessary that such participation be independent and objective. Auditors can determine and should recommend appropriate controls to project management. However, such recommendations should not pre-approve the controls. At the most they should only guide the developers in considering appropriate control standards and structures throughout their project.


    IS Controls

    The importance of the use of controls

    According to the internal control principle (GASSP), information security forms the core of an organization's information internal control system, and "the internal control standards define the minimum level of quality acceptable for internal control systems in operation and constitute the criteria against which systems are to be evaluated. These internal control standards apply to all operations and administrative functions but are not intended to limit or interfere with duly granted authority related to development of legislation, rule-making, or other discretionary policymaking in an organization or agency."

    There are many ways to classify controls. From an IS perspective, some say they may be generally classified as physical, technical, or administrative in nature. Others say that they can be further classified as either preventive or detective. Three other types of controls, namely deterrent, corrective, and recovery, may further supplement such classification.


    Classification of controls

    • Examples of physical controls include locks, security guards, badges, alarms, and similar measures to control access to computers, related equipment, and the processing facility itself.

    • Technical controls refer to safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices. They are sometimes referred to as logical controls.

    • Administrative controls refer to management constraints, operational procedures, accountability procedures, and supplemental administrative controls established for providing an acceptable level of protection for computing resources.

    • Preventive controls attempt to avoid the occurrence of unwanted events. Detective controls, on the other hand, attempt to identify unwanted events after they have occurred. Deterrent controls attempt to discourage individuals from intentionally violating information security policies or procedures by making it difficult or even undesirable to perform unauthorized activities. Corrective controls, on the other hand, attempt to remedy the circumstances that allowed the unauthorized activity and return conditions to what they were before the violation.

    • Recovery controls attempt to restore lost resources or capabilities and help the organization recover losses caused by a security violation.

    General Controls VS Application Controls

    From a broader perspective, you can view controls as either General Controls or Application Controls. General controls are about the overall information-processing environment. They include:

    • Organizational Controls (in particular the segregation of duties controls)

    • Data Center and Network Operations Controls

    • Hardware & Software Acquisition and Maintenance Controls

    • Access Security Controls

    • Application System Acquisition, Development, and Maintenance Controls


    Application controls, on the other hand, cover the processing of individual applications and help ensure the completeness and accuracy of transaction processing, authorization, and validity. They typically include:

    • Data Capture Controls to ensure that all transactions are properly recorded in the application system.

    • Data Validation Controls to ensure that all transactions are properly valued.

    • Processing Controls to ensure the proper processing of transactions.

    • Output Controls to ensure that computer output is not distributed to unauthorized users.

    • Error Controls to ensure that errors are corrected and properly resubmitted at the correct point in processing.

    Keep in mind that different types of network models often require the use of different combinations of controls. You must have basic foundation knowledge of networking in order to pick the correct answers. Know LAN networking and WAN networking. Know distributed computing and client server computing. Know server computing and thin client computing. Don't attempt to take the exam until you are completely familiar with these basic concepts.

    Tests of controls refer to audit procedures that are performed to evaluate the effectiveness of either the design or the operation of the internal controls in question. A CISM plans and implements the needed controls. A CISA, on the other hand, tests these controls.


    Access Control and the Auditing Process

    Access control protects your systems and resources from unauthorized access. An access control model is a framework that dictates how subjects access objects. The most popular models are: mandatory access control, discretionary access control and role-based access control. Even though these models are often associated with IT technology, try to think of them as security management principles: they can be applied to disciplines other than IT.

    Access Control Models

    The decision of what access control models to implement is based on organizational policy and on two generally accepted standards of practice, which are separation of duties and least privilege. Controls (in the context of Access Control) may be characterized as either mandatory or discretionary. With mandatory controls, only administrators may make decisions that bear on or derive from the predefined policy. Access controls that are not based on established policy may be characterized as discretionary controls (or need-to-know controls).

    With the Discretionary model, the creator of a file is the owner and can grant ownership to others. Access control is at the discretion of the owner. The most common implementation is through access control lists. Discretionary access control is required for the Orange Book C Level.

    Mandatory controls are prohibitive and permissive. With the Mandatory model, control is based on security labels and categories. Access decisions are based on the clearance level of the data and the clearance level of the user, and the classification of the object. Rules are made by management, configured by the administrators and enforced by the operating system. Mandatory access control is required for the Orange Book B Level.

    With the Role-Based model, access rights are assigned to roles, not directly to users. Roles are usually more tightly controlled than groups: a user can only have one role.
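    To make the three models concrete, here is an added Python illustration (not code from the study guide) of how each one decides an access request: an owner-held ACL for the discretionary model, a clearance-versus-classification check with categories for the mandatory model, and a one-role-per-user table for the role-based model. The subjects, objects, labels, roles and permissions are constructed for the example, and the mandatory check implements a simple "no read up" rule as one common reading of the clearance comparison.

```python
"""Toy decision functions for the DAC, MAC and RBAC models.
Added illustration, not from the study guide; all names and data are constructed."""
from dataclasses import dataclass, field


# ---- Discretionary access control: the owner keeps an ACL for the object ----
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of permissions

    def grant(self, granting_user, subject, perm):
        # Only the owner may change the ACL: access is at the owner's discretion
        if granting_user != self.owner:
            raise PermissionError(f"{granting_user} is not the owner")
        self.acl.setdefault(subject, set()).add(perm)

    def allows(self, subject, perm):
        return subject == self.owner or perm in self.acl.get(subject, set())


# ---- Mandatory access control: labels set by management, enforced by the system ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows_read(user_clearance, user_categories, obj_classification, obj_categories):
    """Read is allowed only if the user's clearance dominates the object's label:
    clearance level >= classification level and the object's categories are a
    subset of the user's categories (the "no read up" rule)."""
    return (LEVELS[user_clearance] >= LEVELS[obj_classification]
            and set(obj_categories) <= set(user_categories))


# ---- Role-based access control: rights go to roles, a user holds exactly one role ----
ROLE_PERMISSIONS = {
    "clerk":   {"invoice:create", "invoice:read"},
    "manager": {"invoice:read", "invoice:approve"},
    "auditor": {"invoice:read", "log:read"},
}


class Rbac:
    def __init__(self):
        self.user_role = {}

    def assign(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        # Tighter than groups: one role per user, so assigning replaces any earlier role
        self.user_role[user] = role

    def allows(self, user, perm):
        role = self.user_role.get(user)
        return role is not None and perm in ROLE_PERMISSIONS[role]


def demo():
    """Runs one decision of each kind and returns the outcomes as tuples."""
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    dac = (doc.allows("bob", "read"), doc.allows("bob", "write"))
    mac = (mac_allows_read("secret", {"finance"}, "confidential", {"finance"}),
           mac_allows_read("confidential", {"finance"}, "secret", {"finance"}),
           mac_allows_read("top_secret", {"finance"}, "secret", {"hr"}))
    r = Rbac()
    r.assign("carol", "clerk")
    r.assign("carol", "manager")   # replaces clerk: a user can only have one role
    rbac = (r.allows("carol", "invoice:approve"), r.allows("carol", "invoice:create"))
    return dac, mac, rbac


if __name__ == "__main__":
    print(demo())
```

    Note the difference in who decides: in the DAC case the owner edits the ACL, in the MAC case neither user can change the labels that the check reads, and in the RBAC case the permission table belongs to the roles rather than to carol.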


    ACLs VERSUS Capabilities

    The two fundamental means of enforcing privilege separation and controlling access are access control lists (ACLs) and capabilities. The semantics of ACLs have been proven to be insecure in many situations. It has also been shown that the ACL's promise of giving access to an object to only one person can never be guaranteed in practice. Both of these problems are resolved by capabilities. This does not mean practical flaws exist in all ACL-based systems, but only that the designers of certain utilities must take responsibility to ensure that they do not introduce flaws.

    For various historical reasons, capabilities have been mostly restricted to research operating systems, and commercial OSes still use ACLs. Capabilities can, however, also be implemented at the language level, leading to a style of programming that is essentially a refinement of standard object-oriented design. A reason for the lack of adoption of capabilities may be that ACLs appeared to offer a quick fix for security without pervasive redesign of the operating system and hardware.


    What is the Orange Book, by the way?

    Orange Book refers to the US Department of Defense Trusted Computer System Evaluation Criteria. Although originally written for military systems, the security classifications are now broadly used within the computer industry.

    The Orange Book security categories range from D (Minimal Protection) to A (Verified Protection):

    D - Minimal Protection - any system that does not comply with any other category, or has failed to receive a higher classification.

    C - Discretionary Protection - applies to Trusted Computing Bases (TCBs) with optional object (i.e. file, directory, device etc.) protection.

    B - Mandatory Protection - specifies that the TCB protection systems should be mandatory, not discretionary.

    A - Verified Protection - the highest security division.

    Further information on the Orange Book categories can be found here: http://www.dynamoo.com/orange/summary.htm


    Types of Access Control

    To ensure that access controls adequately protect all of an organization's resources, it is recommended that you first categorize the resources that need protection.

    In an access control model, there are subjects and objects:

    • Subject: the entity requiring access to an object, e.g. a user or a process (active).

    • Object: the entity to which access is requested, e.g. a file or a process (passive).

    Access control information can be viewed as a matrix with rows representing the subjects, and columns representing the objects.
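    An added Python illustration (not from the study guide) of this matrix view, which also connects it to the ACLs versus capabilities discussion earlier: an ACL is one column of the matrix stored with the object, and a capability list is one row held by the subject. The subjects, objects and rights are constructed for the example.

```python
"""Access control matrix: rows are subjects, columns are objects, each cell holds rights.
Added illustration, not from the study guide; subjects, objects and rights are constructed."""


class AccessMatrix:
    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self._cells = {}   # (subject, object) -> set of rights

    def add_right(self, subject, obj, right):
        self.subjects.add(subject)
        self.objects.add(obj)
        self._cells.setdefault((subject, obj), set()).add(right)

    def check(self, subject, obj, right):
        # The reference monitor's question: is this right in cell [subject, object]?
        return right in self._cells.get((subject, obj), set())

    def acl(self, obj):
        """One column of the matrix: the ACL kept with the object, listing
        which subjects may do what to it."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj and r}

    def capabilities(self, subject):
        """One row of the matrix: the capability list held by the subject,
        listing what it may do to which objects."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject and r}

    def revoke_object(self, obj):
        """Revoking all access to an object is one column in ACL terms, but in a
        capability system it means finding that object in every subject's row."""
        for key in [k for k in self._cells if k[1] == obj]:
            del self._cells[key]

    def render(self):
        """Plain-text view of the matrix for review (rows subjects, columns objects)."""
        objs = sorted(self.objects)
        lines = ["subject".ljust(10) + "".join(o.ljust(14) for o in objs)]
        for s in sorted(self.subjects):
            row = s.ljust(10)
            for o in objs:
                row += ",".join(sorted(self._cells.get((s, o), set()))).ljust(14)
            lines.append(row)
        return "\n".join(lines)


def build_sample():
    """Constructed sample: two users, one auditor, a database and an audit log."""
    m = AccessMatrix()
    m.add_right("alice", "payroll.db", "read")
    m.add_right("alice", "payroll.db", "write")
    m.add_right("bob", "payroll.db", "read")
    m.add_right("bob", "audit.log", "append")
    m.add_right("auditor", "audit.log", "read")
    return m


if __name__ == "__main__":
    m = build_sample()
    print(m.render())
    print("ACL for payroll.db:", m.acl("payroll.db"))
    print("Capabilities of bob:", m.capabilities("bob"))
```

    Real systems store only one of the two projections: an ACL system keeps the columns, a capability system keeps the rows. The revoke_object method shows why that choice matters for an auditor reviewing how access is withdrawn.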

    Access control consists of the following primary areas:

    • Identification

    • Authentication

    • Authorization

    • Accountability

    The AAA concept

    The three As are often referred to as the AAA concept. The general types of authentication are:

    • Something a person knows (e.g. password)

    • Something a person has (e.g. ID card)

    • Something a person is (e.g. role and title)

    Strong authentication requires two of the above and is known as two-factor authentication.

    Authentication is the first line of defense. Questions you may ask here:

    • What password rules are enforced, in particular in terms of length and alphanumeric combinations?

    • How often are users required to change their passwords?

    • Does your system use a password cracker to identify nonsecure passwords?

    • Does your organization keep a password history file?

    • Do users have unique authentication for different types of access?

    • Does your organization use authentication other than reusable passwords? Is there any policy for the use of such authentication?

    Authorization determines if you can carry out the requested actions. Access criteria types include, but are not limited to:

    • Roles

    • Groups

    • Physical or logical location

    • Time of day

    • Transaction type

    • etc.


    A common practice is to have all access criteria default to no access at the very beginning, although this may not always be true in modern-day OSes for usability's sake (for example, in earlier Windows everyone has full control by default).

    Authentication deals with how one's user account is established. There are also issues dealing with how such an account should be handled and protected (i.e. user account management). Some questions you may ask include:

    • Is logoff at the end of the day required?

    • Are there automatic session timeouts?

    • Can a user use a password to lock the screen?

    • Does an unsuccessful logon indicate the cause of failure?

    • Under what circumstances are accounts locked?

    • Is the user informed about the last successful/unsuccessful logon attempt?
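    Several of the questions in this list and in the password list under "The AAA concept" can be turned into checks an auditor can verify in a system. The following Python illustration is added here and is not the study guide's own code: it enforces a minimum length and character mix, keeps a password history, locks an account after repeated failures, returns a failure message that does not reveal the cause, and reports the last successful and unsuccessful logon. All thresholds (12 characters, 5 history entries, 5 failures, 90 days) and the users are constructed assumptions, and the PBKDF2 call stands in for a dedicated password hashing library.

```python
"""Account-management rules behind the auditor's questions above.
Added illustration, not from the study guide; thresholds and users are constructed."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12                 # assumed policy values for this example
HISTORY_DEPTH = 5               # last N password hashes a user may not reuse
LOCKOUT_THRESHOLD = 5           # consecutive failures before the account is locked
MAX_PASSWORD_AGE = 90 * 86400   # seconds: forces a periodic change


def _hash(password, salt):
    # Salted PBKDF2; a real deployment would use a dedicated password hashing library
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_meets_rules(password):
    """Length and alphanumeric-combination rules: 12+ characters, 3 of 4 classes."""
    classes = [any(c in string.ascii_lowercase for c in password),
               any(c in string.ascii_uppercase for c in password),
               any(c in string.digits for c in password),
               any(c in string.punctuation for c in password)]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


class Account:
    def __init__(self, name, password, now):
        self.name = name
        self.salt = os.urandom(16)
        self.history = []          # password hashes, most recent last
        self.failures = 0
        self.locked = False
        self.last_success = None
        self.last_failure = None
        self.changed_at = now
        if not self.set_password(password, now):
            raise ValueError("initial password does not meet the rules")

    def set_password(self, new_password, now):
        if not password_meets_rules(new_password):
            return False
        new_hash = _hash(new_password, self.salt)
        # Password history: reject reuse of any of the last HISTORY_DEPTH hashes
        if any(hmac.compare_digest(new_hash, h) for h in self.history):
            return False
        self.history = (self.history + [new_hash])[-HISTORY_DEPTH:]
        self.changed_at = now
        return True

    def password_expired(self, now):
        return now - self.changed_at > MAX_PASSWORD_AGE


class Authenticator:
    GENERIC_FAILURE = "Logon failed"   # same text for unknown user, bad password, locked account

    def __init__(self):
        self.accounts = {}

    def add(self, account):
        self.accounts[account.name] = account

    def logon(self, name, password, now):
        """Returns (ok, message). The failure message never says why, so an
        unsuccessful logon does not indicate the cause of failure."""
        acct = self.accounts.get(name)
        if acct is None:
            return False, self.GENERIC_FAILURE
        current = acct.history[-1]
        if acct.locked or not hmac.compare_digest(_hash(password, acct.salt), current):
            acct.failures += 1
            acct.last_failure = now
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked = True   # stays locked until an administrator resets it
            return False, self.GENERIC_FAILURE
        acct.failures = 0
        msg = (f"Welcome {name}. Last successful logon: {acct.last_success}, "
               f"last failed attempt: {acct.last_failure}")
        acct.last_success = now
        return True, msg


def demo():
    """Exercises each rule once; returns the outcomes in a fixed order."""
    auth = Authenticator()
    t0 = 1_700_000_000                                    # constructed epoch time
    acct = Account("alice", "Correct-Horse-42", t0)
    auth.add(acct)
    weak = acct.set_password("short1", t0)                # rejected: too short
    reused = acct.set_password("Correct-Horse-42", t0)    # rejected: in history
    ok, _ = auth.logon("alice", "Correct-Horse-42", t0 + 10)
    for i in range(LOCKOUT_THRESHOLD):
        auth.logon("alice", "wrong-password", t0 + 20 + i)
    locked_ok, msg = auth.logon("alice", "Correct-Horse-42", t0 + 60)
    return weak, reused, ok, acct.locked, locked_ok, msg == Authenticator.GENERIC_FAILURE
```

    When reviewing a real system, the points to confirm are the same ones the code makes explicit: where the thresholds are configured, that the failure text is identical in every branch, and that the last-logon information is shown only after a successful logon.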


    Establishing Accountability through event logging

    Accountability determines who is responsible for a particular action taken. To properly establish accountability, an audit trail and logging facility must be available. As an example, here is a list of what should be logged in a networked environment:

    • System startup

    • System shutdown

    • File system full

    • Hardware failures

    • Logins: failed and successful / local or remote

    • Account creation: failed and successful

    • Account modification: failed and successful assigning, changing or removing rights and privileges

    • Account removal: failed and successful

    • Account disabled

    • Password/security information copied: failed and successful

    • System configuration change: failed and successful

    • Operating system patch applied

    • Network connections: failed and successful

    • Audit logs modification: failed and successful

    • Object access: failed and successful

    The audit process

    You need to know the fundamentals of auditing: not just IS auditing, but auditing in general.

    Most CISA study text books in the market fail to give a complete and clear picture of the auditing process as a whole. We will fill this gap here.

    At the end of this e-book there is a sample IS Audit Questionnaire. Go through that Questionnaire and you will understand exactly what an IS audit is expected to accomplish.

    Note that several information technology audit related laws and regulations have been introduced since 1977. These include the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, the London Stock Exchange Combined Code, King II, and the Foreign Corrupt Practices Act. You are expected to understand what they are for.

    * Health Insurance Portability and Accountability Act (HIPAA)

    * Gramm-Leach-Bliley Act (GLBA)

    * Sarbanes-Oxley Act (SOX)

    * Foreign Corrupt Practices Act (FCPA)

    The Sarbanes-Oxley Act and the COSO framework

    The Sarbanes-Oxley Act of 2002 (commonly called SOX or SarBox) is a United States federal law passed in response to a number of major corporate and accounting scandals. One major provision of the act is the creation of the Public Company Accounting Oversight Board (PCAOB). The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more appropriate standards of measure.

    Since the financial reporting processes of most organizations are driven by IT systems, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states:

    "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."

    Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. IT systems are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and would therefore have to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act.

    The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five areas which, when implemented, can help support the requirements as set forth in the Sarbanes-Oxley legislation. These five areas and their impacts for the IT Department are Risk Assessment, Control Environment, Control Activities, Monitoring, and Information & Communication.

    Committee of Sponsoring Organizatio