CISA - Protection of Information Assets Tutorial

5.1 Protection of Information Assets

Hello and welcome to the fifth domain of the Certified Information Systems Auditor (CISA) Course offered by Simplilearn. This domain covers Protection of Information Assets.

Objectives

By the end of this domain, you should be able to:

• Understand and provide assurance that the enterprise's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

• Detail the design, implementation and monitoring of security controls.

• Discuss the risks associated with the use of mobile and wireless devices.

• Understand encryption techniques such as public key infrastructure, and the risks related to data leakage.

• Detail network detection tools and techniques.

• Discuss how confidential information can be stored, retrieved, transported and disposed of.

Overview

An information asset is a component related to the provision of accurate data or information for decision-making purposes by an entity. It is considered to hold value to that particular organization and should therefore be protected by ensuring confidentiality, integrity and availability (CIA). Examples of information assets are information (or data); computer application systems; computers (personal computers (PCs), laptops, PDAs, phones); networks (local area network (LAN), wide area network (WAN), wireless networks); human resources; facilities (main distribution facilities (MDFs), data centers, server rooms); and other technologies such as database technologies, among others.

The risks to business include financial loss (electronic fraud), legal repercussions (privacy issues), loss of credibility or competitive edge, blackmail/industrial espionage, sabotage and breach of confidentiality. Security failures can be costly to business: costs are incurred to secure systems and prevent further failure, and further costs arise from the losses caused by the failure itself and from recovering from those losses.

Threats to Information Assets

The threats to information assets include hackers, crackers, phreakers, authorized or unauthorized employees, IS personnel, end users, former employees, interested or educated outsiders (competitors, organized criminals), part-time and temporary personnel, vendors and consultants and, finally, accidental ignorance. Let us begin with the first topic in this domain.

5.2 Knowledge Statement 5.1

In this topic, we will learn about the concepts under the first knowledge statement, KS 5.1, beginning with the design, implementation and monitoring of security controls.

Design, implementation and monitoring of security controls

The key knowledge statement is to understand the techniques for the design, implementation and monitoring of security controls, including security awareness programs. Security needs to be aligned with business objectives to provide a reasonable reduction in risk. Security objectives may include the following:

• Ensure the continued availability of information systems.

• Ensure the integrity of information stored on its computer systems, and its security while the information is in transit.

• Preserve the confidentiality of sensitive data while stored and in transit.

• Ensure compliance with applicable laws, regulations and standards.

• Ensure adherence to trust and obligation requirements for any information assets, in accordance with the applicable privacy policy or privacy laws and regulations.

Prudence in the application of controls is important because controls entail a cost, either directly or indirectly, by impacting business operations. The business impact analysis (BIA) is the process used to establish the material adverse events the business should be worried about.

Main Areas of Coverage

The main areas to cover here are:

• Key elements of information security management

• Critical success factors to information security

• Inventory and classifications of Information assets

• Network infrastructure security

Information Security Management (ISM)

Effective ISM is the most critical factor in protecting information assets and privacy. The factors that raise the profile of information and privacy risk include electronic trading through service providers and directly with customers; loss of organizational barriers through the use of remote access facilities; and high-profile security exposures such as viruses, denial of service (DoS) attacks, intrusions, unauthorized access, disclosures and identity theft over the Internet.

The security objectives to meet business requirements are:

• To ensure continued availability of information systems

• To ensure integrity of information stored in systems and while in transit

• To preserve confidentiality of sensitive data

• To ensure conformity to applicable laws, regulations and standards

• To ensure adherence to trust and obligation requirements

• To ensure protection of sensitive data

Data integrity, as it relates to security objectives, generally refers to the accuracy, completeness, consistency (or neutrality), validity and verifiability of the data once loaded on the system. Integrity refers to the reliability of data.

The key elements of ISM are:

• Senior management commitment and support. Risk management begins at the top.

• Policies and procedures. The framework that captures top management's declaration of direction.

• Organization: clearly defined and allocated roles and responsibilities, supplemented with guidance.

• Security awareness and education through training and regular updates: written policies and procedures, and updates; non-disclosure statements signed by employees; newsletters, web pages, videos and other media; visible enforcement of security rules; simulated security incidents and simulated drills; rewards for reporting suspicious events; and periodic audits.

• Monitoring and compliance. Control includes an element of monitoring and usually relates to regulatory/legal compliance.

• Incident handling and response.

ISM Roles and Responsibilities

Roles and responsibilities must be defined, documented and communicated to personnel and management.

The IS security steering committee is represented by individuals from various management levels. It discusses and approves security policies, guidelines and procedures, with input from end users, executive management, auditors, security administration, IS personnel and legal counsel. The committee is formally established with appropriate terms of reference.

Executive management is responsible for the overall protection of information assets and issuing

The security advisory group is responsible for defining the information risk management process and the acceptable level of risk, and for reviewing security plans. It is comprised of people involved in the business and provides comments on security issues to the chief security officer (CSO). It also advises the business whether the security programs meet business objectives.

The chief information security officer (CISO) is a senior-level corporate official responsible for articulating and enforcing the policies used to protect information assets. The CISO has a much broader role than the CSO, who is normally only responsible for physical security within the organization.
Information asset owners and data owners are entrusted with responsibility for the owned asset, including performance of a risk assessment, selection of appropriate controls to mitigate the risk, and acceptance of the residual risk.

Process owners ensure that appropriate security measures, consistent with organizational policy, are maintained.

Users comply with the procedures set out in the security policy and adhere to privacy and security regulations, which are often specific to sensitive data (e.g., health, legal, finance).

The chief privacy officer (CPO) is a senior-level corporate official responsible for articulating and enforcing the policies used to protect customers' and employees' privacy rights.

External parties follow the procedures set out in the security policy and adhere to privacy and security regulations, often specific to sensitive data (e.g., health, legal, finance).

The information security administrator is a staff-level position responsible for providing adequate physical and logical security for IS programs, data and equipment, normally guided by the information security policies.

Security specialists/advisors assist with the design, implementation, management and review of security policies, standards and procedures.

IT developers implement information security within their applications.

IS auditors provide independent assurance on the appropriateness and effectiveness of information security objectives and the controls related to those objectives.

System Access Permission

System access permission is the ability to do something with a computer resource: read, create, modify or delete a file or data; execute a program; or use an external connection. It is controlled at the physical and/or logical level. Logical controls govern access to information and programs.
Logical controls are built into operating systems, invoked through access control software, and incorporated in application programs, databases, network control devices and utilities.

Physical controls restrict the entry and exit of personnel and the movement of equipment and media. They include badges, memory cards, keys and biometrics.

Access is granted on a documented, need-to-know basis, with a legitimate business requirement, based on the least privilege and segregation of duties principles. Access principles relate to four layers of security: network, platform (typically the operating system), database and application.

Mandatory and Discretionary Access Controls

Mandatory access controls (MACs) are logical access controls that cannot be modified by normal users or data owners. They act by default and are used to enforce critical security without possible exception. Only administrators can grant a right of access, guided by an established policy of the organization.

Discretionary access controls (DACs) may be configured or modified by the users or data owners. Access may be activated or modified by a data owner. DACs cannot override MACs; they act as additional filters to restrict access further.

Privacy Management Issues and Role of IS Auditors

Privacy issues relate to personally identifiable information (e.g., a personal identification number, PIN). Regulations generally restrict the use of such data by giving the subject individual rights to access and correct that data. They also govern how such data is obtained, requiring the knowledge and consent of the data subject.
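The MAC/DAC relationship described above can be made concrete with a small reference monitor. The following is an added example written for this tutorial, not code from the Simplilearn course or from any product; the label names, the users "alice" and "bob", the objects, and the mandatory rule (a subject's clearance must be at least the object's label) are constructed assumptions. Its point is the ordering: the mandatory check runs first and a data owner's discretionary grant can only narrow access, never widen it past the mandatory policy.

```python
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity labels, lowest to highest (constructed for this example)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Mandatory labels. Under MAC these are set by the security administrator according
# to organizational policy; normal users and data owners cannot change them.
SUBJECT_CLEARANCE = {"alice": Level.SECRET, "bob": Level.INTERNAL}
OBJECT_LABEL = {"payroll.db": Level.CONFIDENTIAL, "intranet.html": Level.PUBLIC}

# Discretionary access lists, maintained by each object's data owner.
DAC_ACL = {
    "payroll.db": {"owner": "alice", "read": {"alice"}, "write": {"alice"}},
    "intranet.html": {"owner": "bob", "read": {"bob"}, "write": {"bob"}},
}


def mac_permits(subject: str, obj: str) -> bool:
    """Mandatory rule (assumed for the example): the subject's clearance must be
    at least the object's label. Unknown subjects or objects are denied by default."""
    clearance = SUBJECT_CLEARANCE.get(subject)
    label = OBJECT_LABEL.get(obj)
    if clearance is None or label is None:
        return False
    return clearance >= label


def grant_dac(owner: str, obj: str, user: str, action: str) -> bool:
    """The data owner (and only the owner) may extend discretionary access."""
    acl = DAC_ACL.get(obj)
    if acl is None or acl["owner"] != owner or action not in ("read", "write"):
        return False
    acl[action].add(user)
    return True


def check_access(subject: str, obj: str, action: str) -> str:
    """Evaluate MAC first; DAC is only consulted when MAC permits, so a DAC grant
    can narrow access but never widen it past the mandatory policy."""
    if not mac_permits(subject, obj):
        return "DENY (mandatory policy)"
    acl = DAC_ACL.get(obj)
    if acl is None or subject not in acl.get(action, set()):
        return "DENY (discretionary ACL)"
    return "ALLOW"


if __name__ == "__main__":
    print(check_access("alice", "payroll.db", "read"))      # ALLOW
    grant_dac("alice", "payroll.db", "bob", "read")           # owner grants bob read
    print(check_access("bob", "payroll.db", "read"))        # DENY (mandatory policy): MAC wins
    print(check_access("alice", "intranet.html", "read"))   # DENY (discretionary ACL): DAC filters further
```

The second call is the one worth noting for an auditor: the owner of payroll.db has granted bob read access, yet bob is still denied because his clearance is below the object's mandatory label. The third call shows the opposite direction, where the mandatory policy permits alice but the owner's discretionary list has not included her.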
Impacts of privacy risk include marketing risks, transborder data flow and variations in regulations, and may require privacy experts during risk assessment.

The goals of a privacy impact assessment are: identifying the nature of personally identifiable information relating to business processes; documenting the collection, use, disclosure, storage and destruction of personally identifiable information; providing management with an understanding of privacy risk and options to mitigate it; ensuring accountability for privacy; and facilitating compliance with relevant regulations.

IS audit considerations relating to privacy include the adequacy of the privacy assessment, i.e., compliance with the privacy policy, laws and other regulations, and the manner in which IT is used for competitive gain. Another consideration is the ongoing assessments conducted when new products, services, systems, operations/processes and third parties are under consideration. Transborder and multinational laws should also be considered.

The focus and extent of a privacy impact assessment may depend on changes in technology, processes or people, as listed below.

Technology: new programs; changes in existing programs; additional system linkages; data warehouse; new systems; new products; new operations.

Processes: change management; business process re-engineering; enhanced accessibility rules.

People: business partners; vendors; service providers.

Information Security and External Parties

Human resources security and third parties: the security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the organization's security policy.
Information security policies guide employees, contractors and third-party users.

The security of information and processing facilities must be maintained when external-party services or products are introduced. Controls must be agreed and defined in a formal agreement, and the organization must have the right to audit their implementation and operation.

External party arrangements include service providers (ISPs, network providers); managed security services; customers; outsourcing of facilities and/or operations (IT systems, data collection services); management and business consultants and auditors; developers and suppliers; and cleaning, catering and other outsourced support services. Others include temporary personnel, student placements and other casual short-term appointments.

Risks related to external party access arise when information processing facilities are required to be accessed by external parties. The considerations include: physical access; logical access; network connectivity between the organization and the external party; the value and sensitivity of the information involved and its criticality for business operations; and legal and other regulatory requirements.

Security in relation to customers involves identifying the security requirements for customers' access. The customer access security considerations are:

• Asset protection
• Description of the product or service to be provided
• Reasons, requirements and benefits for customer access
• Access control policy
• Arrangements for reporting, notification and investigation of information inaccuracies
• Target levels of service and unacceptable levels of service
• Right to monitor and revoke any activity related to the organization's assets
• Intellectual property rights and copyright assignment

5.4 Knowledge Statement 5.2

In this topic, we will learn about the concepts in knowledge statement 5.2.

Monitoring and responding to Security Incidents

The key knowledge point is the processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team). A formal incident response capability should be established to minimize the impact of security incidents, recover in a timely and controlled manner and learn from such incidents. (History should be kept through proper recording of incidents.) While security management may be responsible for monitoring and investigating events and may have drafted or set a requirement for escalation procedures, other functions must be involved to ensure a proper response. These functions must have well-defined and communicated processes in place that are tested periodically. The main area covered here is security incident handling and response.

Incident Handling and Response

An incident is an adverse event that threatens some aspect of information security. To minimize damage from security incidents and to recover and learn from such incidents, a formal incident response capability has to be established. It includes planning and preparation, detection, initiation, recording, evaluation, containment, eradication, escalation, response, recovery, closure and post-incident review.

Procedures are defined for reporting different types of incidents. The process involves quick reporting and collection of evidence, a formal disciplinary process and, where applicable, automated intrusion detection systems. Incident handling and response roles involve:

• Coordinator, who is the liaison to business process owners.
• Director, who oversees the incident response capability.
• Manager(s), who manage individual incidents.
• Security specialists, who detect, investigate, contain and recover from incidents.
• Non-security technical specialists, who provide assistance on subject matter expertise.
• Business unit leader liaisons, which include legal, HR and PR.

Logical access controls are another area we are going to learn about in subsequent slides.

5.6 Knowledge Statement 5.3

In this topic, we will learn about the concepts in knowledge statement 5.3.

Logical Access Controls

The knowledge point to learn here is logical access controls for the identification, authentication and restriction of users to authorized functions and data. Logical access controls are used to manage and protect information assets. Controls enact and substantiate the policies and procedures designed by management to protect information assets. Controls exist at both the operating system level and the application level, so it is important to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point.

Logical security is often determined based on the job function of users. The success of logical access controls is tied to the strength of the authentication method (e.g., strong passwords). All user access to systems and data should be appropriately authorized and should be commensurate with the role of the individual. Authorization generally takes the form of signatures (physical or electronic) of relevant management. The strength of the authentication is proportional to the quality of the method used: "strong authentication" may include dual or multifactor authentication using user ID, password, tokens and biometrics. The main area covered here is logical access.

Logical access controls are the primary means used to manage and protect information assets. Exposures can result in anything from minor inconveniences to a total shutdown of computer functions. Logical access controls involve managing and controlling access to information resources, based on management policies and procedures for information security.
Logical access controls must be evaluated vis-à-vis information security objectives. Familiarization with the IT environment helps in determining which areas, from a risk standpoint, warrant IS auditing attention. This includes reviewing the security layers associated with the IS architecture: network, OS, database and application.

Paths of logical access (points of entry to the IS infrastructure) include back-end and front-end systems, internally-based users, externally-based users and direct access to specific servers. All points of entry must be known. General points of entry relate to the network or telecommunications infrastructure in controlling access to information resources.

• Typical client-server environment: primary domain controllers and network management devices, e.g., routers and firewalls.

General modes of access are network connectivity and remote access, i.e., remotely dialling into a network for services that can be performed remotely (e.g., email).

Traditional points of entry are mainly applicable to mainframe-based systems used for large database systems or "legacy" applications.

• Operator console. These are privileged computer terminals that control most computer operations and functions. They provide a high level of system access but do not have strong logical access controls, so they are located in a suitably controlled facility where physical access can only be gained by authorized personnel.

• On-line workstations in client-server environments. This method typically requires at least a logon ID and password to gain access to the host computer system. It may also require further entry of authentication or identification data for access to application-specific systems.

IS resources are more accessible and available anytime and anywhere. Computers store large volumes of data. Sharing of resources from one system to another has increased, and accessibility has increased through intranets and the Internet.
Logical access control software has become critical in protecting IS resources. It prevents unauthorized access to and modification of sensitive data, and unauthorized use of critical functions. It is applied across all layers of the IS architecture (network, OS, databases and applications).

Common attributes of such software are that it has some form of identification and authentication, provides access authorization, checks access to specific information resources, and provides logs and reporting of user activities. The greatest degree of protection is applied at the network and platform/OS level, mainly because that is the primary point of entry to systems and the foundation (primary infrastructure) on which applications and databases reside. OS access control software also interfaces with databases and/or applications to protect system libraries and datasets. Network devices (e.g., routers and firewalls) manage external access to networks and thus need the highest degree of protection.

General OS/application access control software functions include creating or changing user profiles; assigning user identification and authentication; applying user logon limitation rules (e.g., restricting logon IDs to specific workstations at specific times); establishing rules for access to specific resources; creating individual accountability and auditability by logging user activities; and logging events and reporting capabilities.

Database or application level controls create or change data files and database profiles. They verify user authorization at the application and transaction level, within the application, and at the field level for changes within the database. They also verify subsystem authorization for the user at the file level, and log database/data communications access activities for monitoring access violations.
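Two of the access control software functions listed above, logon limitation rules (restricting a logon ID to specific workstations at specific times) and logging user activity for accountability and reporting, are shown together in the following added example. It is illustrative code written for this tutorial, not part of the course material or of any access control product; the logon IDs, workstation names, hours and timestamps are constructed, and the rule table format is an assumption.

```python
from datetime import datetime

# Constructed logon limitation rules. None means that attribute is not restricted.
# "hours" is (start, end) in 24-hour local time; "days" uses datetime.weekday() (0 = Monday).
LOGON_RULES = {
    "payroll01": {
        "workstations": {"WS-FIN-01", "WS-FIN-02"},
        "hours": (8, 18),
        "days": {0, 1, 2, 3, 4},
    },
    "ops_admin": {"workstations": None, "hours": None, "days": None},
}

# Activity log supporting individual accountability: one record per logon decision.
AUDIT_LOG = []


def evaluate_logon(logon_id: str, workstation: str, when: datetime) -> bool:
    """Apply the logon limitation rules for logon_id and record the decision."""
    rule = LOGON_RULES.get(logon_id)
    reason = "permitted"
    if rule is None:
        reason = "unknown logon ID"            # deny by default: no rule, no access
    elif rule["workstations"] is not None and workstation not in rule["workstations"]:
        reason = "workstation not permitted"
    elif rule["days"] is not None and when.weekday() not in rule["days"]:
        reason = "outside permitted days"
    elif rule["hours"] is not None and not (rule["hours"][0] <= when.hour < rule["hours"][1]):
        reason = "outside permitted hours"
    allowed = reason == "permitted"
    AUDIT_LOG.append({
        "time": when.isoformat(timespec="minutes"),
        "logon_id": logon_id,
        "workstation": workstation,
        "result": "ALLOW" if allowed else "DENY",
        "reason": reason,
    })
    return allowed


def violations(log=None) -> list:
    """Reporting: return the denied logon records, the ones an auditor would review."""
    records = AUDIT_LOG if log is None else log
    return [r for r in records if r["result"] == "DENY"]


if __name__ == "__main__":
    tuesday_10am = datetime(2024, 3, 5, 10, 0)    # constructed timestamp (a Tuesday)
    evaluate_logon("payroll01", "WS-FIN-01", tuesday_10am)             # allowed
    evaluate_logon("payroll01", "WS-HR-09", tuesday_10am)              # wrong workstation
    evaluate_logon("payroll01", "WS-FIN-01", datetime(2024, 3, 5, 22, 0))   # after hours
    evaluate_logon("payroll01", "WS-FIN-01", datetime(2024, 3, 9, 10, 0))   # Saturday
    evaluate_logon("nobody", "WS-FIN-01", tuesday_10am)                # unknown logon ID
    for record in violations():
        print(record)
```

Every decision, allowed or denied, is written to the log before the function returns, so the record exists even when the caller ignores the result; the violation report is simply a filter over that log. The deny-by-default branch for an unknown logon ID is deliberate: an ID with no rule should not be treated as unrestricted.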

5.8 Knowledge Statement 5.4

In this topic, we will learn about the concepts in knowledge statement 5.4.

Security Controls Related to Hardware, System Software

In this slide, we learn about the security controls related to hardware, system software (e.g., applications, operating systems) and database management systems. Access control software utilizes both identification and authentication (I&A). Once a user is authenticated, the system restricts access based on the specific role of the user. I&A is the process by which the system obtains an identity from a user and the credentials needed to authenticate that identity, and validates both pieces of information. I&A is a critical building block of computer security since it is needed for most types of access control and is necessary for establishing user accountability. For most systems, I&A is the first line of defense because it prevents unauthorized access (or unauthorized processes) to a computer system or an information asset.

Logical access can be implemented in various ways. The IS auditor should be aware of the strengths and weaknesses of various architectures such as single sign-on (SSO), where a single authentication enables access to all authorized applications; identity management; and multifactor authentication. If this risk is considered manageable, it should drive the implementation of multifactor authentication. The main areas covered here are:

• Identification and authentication
• Single sign-on

Identification and Authentication

Identification and authentication involves proving one's identity, which is authenticated prior to being granted access.
It is a critical building block of IS security and the basis of most access control systems: the first line of defense, preventing unauthorized access. I&A also establishes user accountability, linking activities to users. Multifactor authentication is a combination of more than one method, e.g., token and password or PIN, or token and biometric device.

Categories can be something you know (e.g., password), something you have (e.g., token card), something you are or do (a biometric feature) or where you are. These techniques can be used independently or in combination (single-factor or two-factor authentication). Some of the common vulnerabilities expected are:

• Weak authentication methods.
• Potential for bypassing the authentication mechanism.
• Lack of confidentiality and integrity of stored authentication information.
• Lack of encryption for transmitted authentication information.
• Lack of user knowledge regarding the risks of sharing authentication elements, e.g., passwords.

Identification and Authentication – Logon IDs and Passwords

Logon IDs and passwords form a two-phase user identification/authentication process based on something you know:

• Logon ID – individual identification
• Password – individual authentication

It is used to restrict access to computerized information, transactions, programs and system software. It may involve an internal list of valid logon IDs and a corresponding set of access rules for each logon ID. The access rules can be specified at the OS level (controlling access to files) or within individual applications (controlling access to menu functions and types of data).
Features of passwords include:

• Easy for the user to remember but difficult for a perpetrator to guess.
• When the user logs on for the first time, the system should force a password change to improve confidentiality.
• Limited number of logon attempts, typically three.
• User verification for "forgotten" passwords.
• Internal one-way encryption, and not displayed in any form.
• Changed periodically, e.g., every 30 days.
• Unique; if it is known by more than one person, responsibility for activity cannot be enforced.

Password syntax (format) rules:

• Ideally, a minimum of eight characters in length.
• A combination of at least three of the following: alpha, numeric, upper and lower case, and special characters; some prohibit the use of vowels.
• Not particularly identifiable to the user.
• The system should enforce regular change of passwords, e.g., after every 30 days.
• No re-use of previous passwords for, e.g., at least one year after being changed.
• Deactivate dormant logon IDs.
• Automatic session/inactivity time-outs.
• Powerful user IDs (accounts) such as Supervisor and Administrator accounts should be strictly controlled; these could have full access to the system.
• The Administrator password should be known only by one person; however, the password should be kept in a sealed envelope for business continuity.

Token devices and one-time passwords form a two-factor authentication technique, e.g., a microprocessor-controlled smart card which generates unique, time-dependent one-time passwords (called "session passwords"). Such a password is good for only one logon session. The user enters this password along with a password they have memorized to gain access to the system. It is characterized by a unique session characteristic (ID or time) appended to the password.
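The password rules listed above (minimum length, character classes, not identifiable to the user, no re-use, one-way storage, a limit of three logon attempts) and the time-dependent one-time password from a token device can be put together in one logon routine. The code below is an added example for this tutorial, not the course's or any vendor's implementation. The PBKDF2 hashing, the RFC 6238 TOTP construction and the twelve-entry history depth (standing in for "no re-use for at least one year" with monthly changes) are the author's choices; the logon ID "bob" and the token secret are constructed test values.

```python
import hashlib
import hmac
import os
import struct
import time

# Policy values taken from the rules in the text: at least eight characters, at least
# three of the four character classes, and a limit of three logon attempts.
# HISTORY_DEPTH is an assumption: twelve monthly changes approximate "at least one year".
MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_ATTEMPTS = 3
HISTORY_DEPTH = 12


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way storage (PBKDF2-HMAC-SHA256): the cleartext is never kept or displayed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def character_classes(password: str) -> int:
    """Count how many of lower case, upper case, digits and special characters appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password_syntax(logon_id: str, password: str, history: list) -> list:
    """Return the list of syntax-rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    if logon_id.lower() in password.lower():
        problems.append("identifiable to the user (contains the logon ID)")
    if any(hmac.compare_digest(hash_password(password, s), d) for s, d in history):
        problems.append("re-uses a previous password")
    return problems


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-dependent one-time password (RFC 6238: HMAC-SHA1 over the time counter)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, timestamp + d * step, step), code)
               for d in range(-window, window + 1))


class Account:
    """A logon ID with a hashed password, password history, lockout and a token secret."""

    def __init__(self, logon_id: str, password: str, token_secret: bytes):
        self.logon_id = logon_id
        self.history = []          # (salt, digest) pairs, newest last; cleartext never stored
        self.failed_attempts = 0
        self.active = True
        self.token_secret = token_secret
        problems = self.change_password(password)
        if problems:
            raise ValueError("initial password rejected: " + "; ".join(problems))

    def change_password(self, new_password: str) -> list:
        """Enforce the syntax rules and the no-re-use rule; return any violations."""
        problems = check_password_syntax(self.logon_id, new_password, self.history)
        if not problems:
            salt = os.urandom(16)
            self.history = (self.history + [(salt, hash_password(new_password, salt))])[-HISTORY_DEPTH:]
        return problems

    def verify_password(self, password: str) -> bool:
        """Count failures and deactivate the logon ID after MAX_ATTEMPTS in a row."""
        if not self.active:
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(password, salt), digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.active = False
        return False

    def two_factor_logon(self, password: str, code: str, timestamp: int = None) -> bool:
        """Something you know (the password) plus something you have (the token's code)."""
        now = int(time.time()) if timestamp is None else timestamp
        return self.verify_password(password) and verify_totp(self.token_secret, code, now)
```

The TOTP function can be checked against the published RFC 6238 test vector: with the ASCII secret "12345678901234567890" and time 59 it yields "287082" (the last six digits of the RFC's eight-digit value). Once the account is deactivated by three consecutive failures, even the correct password is refused until an administrator reactivates it, which is the behaviour the "limited number of logon attempts" rule is meant to produce.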
The technique involves "something you have" (a device subject to theft) and "something you know" (a PIN).

Identification and Authentication – Biometric Access Control

Biometric security access control is the best means of authenticating a user's identity, based on a unique, measurable attribute or trait for verifying the identity of a human being. It restricts computer access based on a physical (something you are) or behavioural (something you do) feature of the user, e.g., a fingerprint or eye retina pattern. A reader interprets the individual's biometric features before permitting authorized access. However, it is not a fool-proof process: certain biometric features can change (e.g., scarred fingerprints, change in voice). The final template is derived through an iterative averaging process of acquiring samples.

Physically oriented biometrics are palm, hand geometry, iris, retina, fingerprint and face. Behaviour-oriented biometrics include signature recognition and voice recognition.

Identification and Authentication – Single Sign-On (SSO)

Single sign-on (SSO) is a consolidation of the organisation's platform-based administration, authentication and authorization functions. It interfaces with client-server and distributed systems, mainframe systems and network security, including remote access. The primary domain handles the first instance where user credentials are entered, and the secondary domain is any other resource that uses these credentials.
SSO challenges:
• Overcoming the heterogeneous nature of diverse architectures (networks, platforms, databases and applications)
• Requires an understanding of each system's authorisation rules, audit logs and reports
• Allowing host systems to control the set of users allowed access to particular host systems
SSO advantages:
• Multiple passwords not required, so users are motivated to select stronger passwords
• Efficiency in managing users and their authorisations
• Reduced administrative overhead for resetting passwords
• Efficiency in disabling/deactivating user accounts
• Reduced logon time
SSO disadvantages:
• Single point of network failure
• Few software solutions accommodate all major operating systems
• Substantial interface development required (development is costly)

Logical Access Security Administration
Logical access security administration can be centralised or decentralised.
Advantages of decentralised administration:
• Administration on site at the distributed location
• Timely resolution of issues
• More frequent monitoring
Controlling remote and distributed sites:
• Software access controls
• Physical access controls: lockable terminals, locked computer rooms
• Control over dial-in facilities (modems, laptops)
• Controls over access to system documentation
• Controls over data transmission: access, accuracy, completeness
• Controls over replicated files and their updates: accuracy and reduced duplication
Risks associated with decentralised administration:
• Local standards (rather than organisational ones) may be implemented.
• The level of security management may be below that of the central site.
• Management checks and audits by the central site may be unavailable.
Remote Access Security
The business need for remote access is to provide users with the same functionality that exists within their offices. The components of remote access are:
• Remote environment: employees, branches, laptops
• Telecommunication infrastructure: the carrier used
• Corporate computing infrastructure: corporate connecting devices, communications software
Remote access risks include denial of service, malicious third-party access, misconfigured communication software, misconfigured devices, host systems not secured appropriately and physical security weaknesses at the remote stations.
Remote access methods are analog modems and the public telephone network, dedicated network connections (proprietary circuits) and TCP/IP Internet-based remote access. The remote access controls are:
• Policy and standards
• Proper authorisation
• Identification and authentication mechanisms
• Encryption tools and techniques
• System and network management

PDAs and Mobile Technology
PDAs augment desktops and laptops due to their ease of use and functionality. The inherent risks are that they are easy to steal, easy to lose, and give ready access to the information stored on them. Access issues with mobile technologies include flash disks and their controls.
Control issues to address are:
• Compliance with policies and procedures, including approval for PDA use
• Awareness of responsibilities and due care
• Compliance with security requirements
• Authorisation and approval of use
• Standard PDA applications, authorised and licensed
• Synchronisation: backup and updating
• Encryption
• Virus detection and control
• Device registration
• Camera use
Access issues with mobile technology include flash disks. Controls include policy, denial of use, disabling USB ports (using logon scripts) and encryption of data transported on these devices.

System Access
Audit logging is used in monitoring system access. Most access control software automatically logs and reports all access attempts, successes and failures. This provides management with an audit trail to monitor activities and facilitates accountability. Access rights to system logs should be granted for review purposes only; this is a form of security against modification.
The tools for analysis of audit log information are:
• Audit reduction tools, which filter out insignificant data
• Trend/variance detection tools
• Attack signature detection tools
Reviewing audit logs monitors patterns or trends, violations and/or use of incorrect passwords.
Restricting and monitoring access: features that bypass security, accessed by software programmers, include bypass label processing (BLP), system exits and special system logon IDs.
You will now attempt a question to test what you have learnt so far.

5.10 Knowledge Statement 5.5

In this topic, we will learn about the concepts in knowledge statement 5.5.

Risks and Controls Associated with Virtualized Systems
This slide covers the risks and controls associated with the virtualization of systems. Virtualization provides an organization with a significant opportunity to increase efficiency and decrease the costs of its IT operations. The IS auditor needs to know the different advantages and disadvantages, and needs to consider whether the enterprise has considered the applicable risks in its decision to adopt, implement and maintain this technology. At a high level, virtualization allows multiple operating systems (OSs), or guests, to coexist on the same physical server, or host, in isolation from one another.
Virtualization creates a layer between the hardware and the guest OSs to manage shared processing and memory resources on the host machine. A management console often provides administrative access to manage the virtualized system. Virtualization introduces additional risks that the enterprise must manage effectively. A key risk is that the host represents a single point of failure within the system: a successful attack on the host could result in a compromise of very large impact. Hence our main topic of focus will be virtualisation.
Main areas covered here are:
• Virtualisation
You will now attempt a question to test what you have learnt so far.

5.12 Knowledge Statement 5.6

In this topic, we will learn about the concepts in knowledge statement 5.6.

Network Security Controls
Knowledge of the configuration, implementation, operation and maintenance of network security controls is what we will learn in this slide. Enterprises can effectively prevent and detect most attacks on their networks by employing perimeter security controls. Firewalls and intrusion detection systems (IDS) provide protection and critical alert information at the borders between trusted and untrusted networks. Proper implementation and maintenance of firewalls and IDS is critical to a successful, in-depth security program. The IS auditor must understand the level of intruder detection provided by the different possible locations of the IDS, and the importance of policies and procedures to determine the action required by security and technical staff when an intruder is reported.
Main areas covered here are:
● Internet Threats and Security

Network Infrastructure Security
The table on the slide demonstrates network infrastructure security.
Auditing use of the Internet involves ensuring there is a business case for email (communication), marketing (customer communication), a sales channel or e-commerce, a channel for delivery of goods and services (online stores, Internet banking) and information gathering (research).
Auditing networks: review network diagrams to identify the networking infrastructure and network design. Also review network management: policies, procedures, standards and guidance distributed to staff. Besides this, identify responsibility for security and operation, and review staff training, duties and responsibilities.
You will further review legal issues regarding the use of the Internet, service level agreements with third parties and network administrator procedures.
Auditing remote access involves:
• Identifying all remote access facilities, ensuring they have been documented
• Reviewing policies governing the use of remote access
• Reviewing the architecture, identifying points of entry and assessing their controls
• Testing dial-up access controls
• Reviewing the relation to business requirements
General network controls are functions performed by technically qualified operators. These functions are separated and rotated regularly. Apply least-privilege access rights for operators. The audit trail of operator activities must be periodically reviewed by management. Network operations standards must be documented. A review of workload balance, response times and system efficiency must also be performed. Further, consider terminal authentication and data encryption. Network management control software includes Novell NetWare, Windows NT/2000 and UNIX.
You will now attempt a question to test what you have learnt so far.

5.14 Knowledge Statement 5.7

In this topic, we will learn about the concepts in knowledge statement 5.7.

Network & Internet Security Devices, Protocols and Techniques
The key knowledge to learn in this topic is network and Internet security devices, protocols and techniques. The application and evaluation of technologies to reduce risk and secure data depend on a proper understanding of security devices, their functions and the protocols used in delivering their functionality. An organization implements specific applications of cryptographic systems in order to ensure the confidentiality of important data. There are a number of cryptographic protocols which provide secure communications on the Internet. Additionally, the security landscape is filled with technologies and solutions to address many needs. Solutions include firewalls, intrusion detection and prevention devices, proxy devices, web filters, antivirus and antispam filters, data leak protection functionality, identity and access control mechanisms, secured remote access and wireless security. Understanding a solution's function and its application to the underlying infrastructure requires knowledge of the infrastructure itself and the protocols in use.
Main areas covered here are:
● Encryption
● Network Infrastructure Security

Firewalls
A firewall is a security perimeter for corporate networks connecting to the Internet, aimed at preventing external intruders and untrusted internal users (internal hackers). It applies rules to control network traffic flowing in and out of a network: allowing users to access the Internet and stopping hackers or others on the Internet from gaining access to the network.
The guiding principle used is least privilege (need-to-use basis).
General functions of firewalls include: blocking access to particular sites, limiting traffic on public services to the relevant ports, preventing access to certain servers and/or services, monitoring and recording communication between internal and external networks (network penetration, internal subversion), encryption and VPN, and acting as a single choke point, concentrating security on a single system.
General firewall features: a combination of hardware (routers, servers) and software. It should control the most vulnerable point between a corporate network and the Internet.
General techniques used to control traffic are:
• Service control: IP address, TCP port
• Direction control: direction of traffic
• User control: based on user rights
• Behaviour control: based on how services are being used, e.g. filtering email for spam

Types of Firewalls
The types of firewalls are:
• Router packet filtering
• Application firewall systems
• Stateful inspection firewalls
A router packet filtering firewall is deployed between the private network and the Internet. Screening routers examine packet headers to ascertain the IP address (identity) of the sender and receiver and the authorised port numbers allowed to use the information transmitted, i.e. the kind of Internet service being used. This information is used to prevent certain packets from being sent between the network and the Internet.
The common attacks against packet filtering are IP spoofing, source routing specification and the miniature fragment attack. This method is simple and stable. Its demerit is that it is easily weakened by improperly configured filters. It is also unable to prevent attacks tunneled over a permitted service. The diagram in the slide describes this type of firewall.
Application firewall systems allow information flow between internal and external systems but do not allow direct exchange of packets. Host applications must be secured against threats posed by allowed packets. They rest on hardened operating systems, e.g. Windows NT or UNIX, and work at the application layer of the OSI model. The firewall analyses packets through a series of proxies, one for each service. There are two types: application-level firewalls and circuit-level firewalls.
• Application-level firewalls analyse packets through a series of proxies, one for each service.
• Circuit-level firewalls validate TCP and UDP sessions through a single general-purpose proxy.
The diagram in the slide demonstrates this. Application firewall systems are set up as proxy servers acting on behalf of network users. They employ a bastion host, which is heavily fortified against attack and handles all incoming requests from the Internet to the network. A single host makes security maintenance easier, as only the firewall system can be compromised, not the network.

Types of Firewalls and Firewall Issues
Stateful inspection firewalls track the destination IP address of each packet leaving the network and reference responses to the requests that went out. They map the source IP addresses of incoming packets to the destination IP addresses of outgoing requests. This prevents attacks initiated and originated by outsiders. The main advantage is that they are more efficient than application firewall systems; the disadvantage is that they are more complex to administer.
Issues related to firewalls:
• A false sense of security, i.e. assuming no additional internal controls are needed.
• Weak against internal threats, for example a disgruntled employee cooperating with an external attacker.
• Cannot protect against attacks that bypass the firewall, e.g.
modem dial-in.
• Misconfigured firewalls.
• Misunderstanding of what constitutes a firewall.
• Monitoring activities not done regularly.

Firewall Implementation
A firewall can be implemented in three ways: screened-host firewall, dual-homed firewall and demilitarised zone (screened subnet firewall).

Screened-Host Firewall
This method utilizes packet filtering and a bastion host (proxy services):
• The bastion host connects to the internal network
• A packet-filtering router is installed between the Internet and the bastion host
An intruder has to penetrate two systems before the network is compromised. Internal hosts reside on the same network as the bastion host; security policies determine whether hosts connect directly to the Internet or use the proxy services of the bastion host. The diagram in the slide explains this further.

Dual-Homed Firewall
This type of implementation is a more restrictive form of the screened-host firewall. One interface is established for information servers, and a separate interface for private network hosts. Direct traffic to internal hosts is physically prevented, as explained in the diagram.

Demilitarised Zone (Screened Subnet Firewall) – DMZ
This mode utilises two packet-filtering routers and a bastion host. It is the most secure firewall system and supports network- and application-level security. The separate DMZ functions as an isolated network for public servers, proxy servers and modem pools. Key benefits are that an intruder must penetrate three separate devices, the private network addresses are not disclosed to the Internet, and internal systems do not have direct access to the Internet.
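The service control, direction control and stateful inspection described above, worked through on constructed packets. This is an added example, not code from the course or from any firewall product; the rule format, the session table and the addresses (RFC 5737 documentation ranges) are our assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Rule(NamedTuple):
    """One filtering rule: service control (address, port) plus direction control."""
    action: str                  # "allow" or "deny"
    direction: str               # "out" = leaving the private network, "in" = entering it
    src_net: str
    dst_net: str
    dport: Optional[int] = None  # None means any destination port
    proto: str = "tcp"

    def matches(self, pkt, direction):
        return (self.direction == direction
                and self.proto == pkt.proto
                and (self.dport is None or self.dport == pkt.dport)
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


class StatefulFirewall:
    def __init__(self, private_net, rules):
        self.private = ip_network(private_net)
        self.rules = list(rules)   # evaluated top-down, first match wins
        self.sessions = set()      # requests seen leaving the network
        self.log = []              # every decision is recorded for later review

    def direction(self, pkt):
        return "out" if ip_address(pkt.src) in self.private else "in"

    def check(self, pkt):
        """Return 'allow' or 'deny' for one packet, updating state and the log."""
        direction = self.direction(pkt)
        if direction == "in":
            # Stateful inspection: map the incoming packet's source back to an
            # outgoing request; only genuine replies are admitted this way.
            expected = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if expected in self.sessions:
                return self._record(pkt, "allow", "reply to tracked outgoing request")
        for rule in self.rules:
            if rule.matches(pkt, direction):
                if rule.action == "allow" and direction == "out":
                    self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return self._record(pkt, rule.action, "matched %s" % (rule,))
        # Least privilege: anything no rule permits is dropped, including every
        # connection an outsider tries to initiate.
        return self._record(pkt, "deny", "no matching rule (default deny)")

    def _record(self, pkt, verdict, reason):
        self.log.append((pkt, verdict, reason))
        return verdict


def demo_firewall():
    """Constructed rule set: block one site, permit web browsing, deny the rest."""
    rules = [
        Rule("deny", "out", "192.168.10.0/24", "198.51.100.0/24"),   # blocked site
        Rule("allow", "out", "192.168.10.0/24", "0.0.0.0/0", dport=443),
        Rule("allow", "out", "192.168.10.0/24", "0.0.0.0/0", dport=80),
    ]
    return StatefulFirewall("192.168.10.0/24", rules)
```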
Intrusion Detection Systems (IDS)
Intrusion detection systems (IDS) monitor network usage anomalies. An IDS is used together with firewalls and routers. It continuously operates in the background, and the administrator is alerted when intrusions are detected. It protects against external and internal misuse.
IDS components:
• Sensor: collects data (network packets, log files, system call traces)
• Analyser: receives input from sensors and determines intrusive activity
• Admin console
• User interface
IDS are categorized into network-based IDSs (NIDS), which identify attacks within a network, and host-based IDSs (HIDS), which are configured for a specific environment and monitor the internal resources of systems.
IDS types are:
• Signature based: intrusion patterns are stored as signatures; detection is limited by the rules
• Statistical based: monitors expected behaviour
• Neural networks: similar to statistical, but with added learning functionality
• A signature/statistical combination offers better protection

IDS and Intrusion Prevention Systems (IPS)
The key features of intrusion detection systems:
• Intrusion detection and alerts
• Gathering evidence
• Automated response (e.g. disconnect)
• Security policy administration and monitoring
• Interfaces with system tools (logging facilities)
IDS limitations include:
• Weaknesses in policy definition
• Application-level vulnerabilities
• Backdoors to applications
• Weaknesses in identification and authentication schemes
An intrusion prevention system (IPS) is closely related to IDS.
It is designed to detect and prevent attacks by predicting an attack before it happens, hence limiting damage or disruption to the systems that are attacked. It must be properly configured and tuned to be effective.

Honey Pots and Honey Nets
A honeypot is a software application that pretends to be an unfortunate server on the Internet and is not set up to actively protect against break-ins. Rather, honeypots act as decoy systems that lure hackers and are therefore attractive to them. The more a honeypot is targeted by an intruder, the more valuable it becomes. A honeypot is technically related to IDSs and firewalls but has no real production value as an active sentinel of networks. The two basic types of honeypots are:
• High interaction: give hackers a real environment to attack
• Low interaction: emulate production environments
Multiple honeypots networked together to simulate a larger network installation are known as a honeynet. Honeynets let hackers break into the false network while allowing investigators to watch their every move through a combination of surveillance technologies.
You will now attempt a question to test what you have learnt so far.
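The audit-log analysis tools named under System Access (audit reduction, trend/variance detection, attack signature detection) and the signature-based and statistical-based IDS types above, run over a constructed access-control log. This is an added example, not code from the course; the log format, the three-failures-in-five-minutes signature, the list of administrative consoles and the z-score cut-off are our assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"Administrator", "Supervisor"}       # the "powerful user-ids" above
ADMIN_CONSOLES = {"192.168.10.5"}                  # assumed: only source allowed for them
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=5)  # "typically three" attempts
Z_THRESHOLD = 2.0                                  # assumed variance cut-off

# Constructed sample log, one logon attempt per line (not real data).
SAMPLE_LOG = """\
2021-05-08T08:55:10 user=jsmith src=192.168.10.20 event=LOGON result=OK
2021-05-08T08:57:41 user=mlee src=192.168.10.31 event=LOGON result=OK
2021-05-08T09:01:12 user=Administrator src=192.168.10.20 event=LOGON result=OK
2021-05-08T09:02:03 user=pdoe src=192.0.2.9 event=LOGON result=FAIL
2021-05-08T09:02:09 user=pdoe src=192.0.2.9 event=LOGON result=FAIL
2021-05-08T09:02:15 user=pdoe src=192.0.2.9 event=LOGON result=FAIL
2021-05-08T09:02:20 user=pdoe src=192.0.2.9 event=LOGON result=FAIL
2021-05-08T09:10:00 user=mlee src=192.168.10.31 event=LOGON result=FAIL
2021-05-08T09:30:00 user=jsmith src=192.168.10.20 event=LOGON result=OK
""".splitlines()

# Constructed baseline: logon attempts per user on each of the five prior days.
BASELINE = {
    "jsmith": [2, 3, 2, 3, 2],
    "mlee": [1, 2, 1, 2, 1],
    "pdoe": [0, 0, 1, 0, 0],
    "Administrator": [1, 0, 1, 1, 0],
}

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                  r"event=(?P<event>\S+) result=(?P<result>\S+)")


def parse_log(lines):
    """Turn raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def audit_reduction(events):
    """Filter out insignificant data: routine successes by ordinary users."""
    return [e for e in events if e["result"] != "OK" or e["user"] in PRIVILEGED]


def signature_detection(events):
    """Attack signatures: bursts of failed logons from one source, and a
    privileged id used from anywhere other than an administrative console."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON" and e["result"] == "FAIL":
            failures[(e["user"], e["src"])].append(e["ts"])
        if e["user"] in PRIVILEGED and e["src"] not in ADMIN_CONSOLES:
            alerts.append(("privileged-id-from-unexpected-source", e["user"], e["src"]))
    for (user, src), stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - FAIL_LIMIT + 1):
            if stamps[i + FAIL_LIMIT - 1] - stamps[i] <= FAIL_WINDOW:
                alerts.append(("repeated-failed-logon", user, src))
                break
    return alerts


def variance_detection(events, baseline):
    """Statistical check: today's attempt count per user against prior days."""
    counts = defaultdict(int)
    for e in events:
        counts[e["user"]] += 1
    flagged = []
    for user, today in counts.items():
        history = baseline.get(user)
        if not history:
            flagged.append((user, "no baseline"))   # unknown id is itself an anomaly
            continue
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        if sd == 0:
            if today > mean:
                flagged.append((user, "deviates from constant baseline"))
        elif (today - mean) / sd > Z_THRESHOLD:
            flagged.append((user, "z=%.1f" % ((today - mean) / sd)))
    return flagged
```

Running both detectors over the same reduced log is the signature/statistical combination the IDS section recommends: the burst of failures is caught by a rule, the unusual volume for that user by the baseline comparison.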

5.16 Knowledge Statement 5.8

In this topic, we will learn about the concepts in knowledge statement 5.8.

Information System Attack Methods and Techniques
The candidate needs to grasp the knowledge of information system attack methods and techniques covered under this topic. Risks arise from vulnerabilities (whether technical or human) within an environment. Several attack techniques exploit those vulnerabilities and may originate either within or outside the organization. Computer attacks can result in proprietary or confidential data being stolen or modified, loss of customer confidence and market share, embarrassment to management and legal actions against an organization.
Understanding the methods, techniques and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risks an organization faces. The IS auditor should understand enough of these attack types to recognize their risk to the business and how they should be addressed by appropriate controls. The IS auditor should also understand the concept of "social engineering", since these attacks can circumvent the strongest technical security; the only effective control is regular user education.
Main areas covered here are:
● Computer Crime Issues and Exposures
● Wireless Security Threats and Risk Mitigation
Computer Crime Issues and Exposures
Computer crimes can be committed from various sources, including:
• The computer is the object of the crime: the perpetrator uses another computer to launch an attack
• The computer is the subject of the crime: the perpetrator uses a computer to commit the crime and the target is another computer
• The computer is the tool of the crime: the perpetrator uses a computer to commit the crime, but the target is not the computer itself but the data stored on it
• The computer symbolises the crime: the perpetrator lures computer users into giving up confidential information (e.g. social engineering methods)
Common attack methods and techniques include: alteration attack, botnets, brute-force attack, denial of service (DoS) attack, dial-in penetration attack, war dialing, eavesdropping, e-mail bombing and spamming, and e-mail spoofing.
More common attack methods and techniques include:
• Flooding
• Interrupt attack
• Malicious code
• Man-in-the-middle attack
• Masquerading
• Message modification
• Network analysis
• Packet replay
• Phishing
• Piggybacking
• Race conditions
• Remote maintenance tools
• Resource enumeration and browsing
• Salami
• Spam
• Traffic analysis
• Unauthorised access through the Internet and World Wide Web (WWW)
• Viruses, worms and spyware
• War driving
• War walking
• War chalking

Local Area Network (LAN) Security
A local area network is faced with a lot of risks.
Examples of these risks are:
• Unauthorised access and changes to data and/or programs
• Inability to maintain version control
• Limited user verification and potential public access
• General access as opposed to need-to-know access
• Impersonation or masquerading as a legitimate LAN user
• Internal user sniffing
• Internal user spoofing
• Virus infection
• Unlicensed or excessive numbers of software copies
• Destruction of logging and auditing data
• Lack of LAN administrator experience and expertise
• Varying media, protocols, hardware and network software that make standard management difficult
• Security set aside for operational efficiency
LAN administrative capabilities include declaring ownership of programs and files, limiting access to read-only, record and file locking to prevent simultaneous updates, and enforcing user ID/password sign-on procedures. In order to understand LANs, it is paramount for a candidate to have a good knowledge of:
• LAN topology and the network diagram
• Functions performed by the LAN administrator/owner
• LAN users and user groups
• Applications used on the LAN
• Procedures and standards for network design, support, naming conventions and data security
Dial-up access controls include encrypted passwords, portable PCs, dial-back procedures, and one-time password generators or tokens.
Client-server risks include:
• Numerous access routes/points
• Increased risk of access to data and processing
• Weaker access controls (password change controls or access rules)
• Weaker change control and change management
• Inaccurate, unauthorised access and changes to systems or data
• Loss of network availability
• Obsolescence of network components
• Unauthorised connection of the network to other networks through modems
• Weak connection to public switched telephone networks
• Application code and data may not be stored on a secured machine
Client-server controls that will ensure security include:
• Disabling floppy drives
• Automatic boot or start-up batch files (login scripts)
• Network monitoring devices
• Data encryption
• Environment-wide authentication procedures
• Application-level access control
• Organisation of users into functional groups

Internet Threats
The Internet is a global TCP/IP-based system that enables public and private heterogeneous networks to communicate with one another. Internet threats are categorized into:
• Passive attacks: involve probing for network information.
• Active attacks:
  • Intrusion or penetration into a network, gaining full control (or enough control) to cause certain threats
  • Unauthorised access to modify data and/or programs
  • Obtaining sensitive information for personal gain
  • Escalating privileges
  • Denial of service
  • The impact could affect the financial, legal or competitive position of the organization
Types of passive attacks are:
• Network analysis: involves creating a profile of a network security infrastructure ("footprinting"):
  • System aliases, internal addresses
  • Potential gateways, firewalls
  • Vulnerable operating system services
• Eavesdropping: involves gathering information flowing through the network for personal analysis or for third parties
• Traffic analysis:
entails determining the nature of traffic flow between defined hosts.
Active attacks can be carried out in the following ways:
• Brute-force attack: launching many attacks to gain unauthorised access, e.g. password cracking.
• Masquerading: presenting an identity other than the original identity (which is unauthorised).
• Packet replay: passively capturing data packets and actively inserting them into the network. Replayed packets are treated as another genuine stream; this is effective when data received is interpreted and acted upon without human intervention.
• Message modification: making unauthorised changes/deletions to captured messages.
• Unauthorised access through the Internet:
  • Telnet passwords transmitted in clear text
  • Releasing CGI scripts as shareware
  • Client-side execution of scripts (Java applets)
• Denial of service: flooding servers with data/requests:
  • Systems are paralysed
  • Genuine users are frustrated by the unavailability of the system
• Dial-in penetration attacks: using phone number ranges and social engineering.
• Email bombing: repeating identical messages to particular addresses.
• Email spamming: sending messages to numerous users.
• Email spoofing: altering the identity of the source of the message.

Logical Access Exposures
Trojan horses: hiding malicious, fraudulent code in an authorized computer program.
Rounding down: drawing off small amounts of money from a computerized transaction or account to the perpetrator's account.
Salami technique: slicing off (truncating) small amounts of money from a computerized transaction or account (similar to rounding down).
Viruses: malicious program code inserted into other executable code that can self-replicate and spread from computer to computer.
Worms: destructive programs that may destroy data or utilize tremendous computer and communication resources; they do not replicate like viruses.
Logic bombs: similar to computer viruses, but they do not self-replicate; the destruction or modification of data is programmed for a specific time in the future, and they are difficult to detect before they "blow up".
Trap doors are exits out of an authorized program. They allow the insertion of specific logic, such as program interrupts, to permit a view of data during processing. They are used by programmers to bypass OS integrity during debugging and maintenance. They are meant to be eliminated in the final editing of the code, but are sometimes forgotten or intentionally left for future access.
Asynchronous attacks: these are OS-based attacks in a multi-processing environment involving job scheduling, resource scheduling and checkpoint/restart capabilities. A checkpoint copy holds data, system parameters and security levels. Attacks involve access to and modification of this data to allow higher-priority security, resulting in unauthorised access to data, other programs and the OS.
Data leakage involves siphoning or leaking information out of the computer: dumping files to paper, stealing tapes.
Wiretapping is eavesdropping on information being transmitted over telecommunication lines.
Piggybacking is following an authorised person through a secured door. It also means electronically attaching to an authorised telecommunications link to interce
