Protection of Information Assets: CISA Tutorial


5.1 Protection of Information Assets

Hello and welcome to the fifth domain of the Certified Information Systems Auditor (CISA) Course offered by Simplilearn. This domain will cover Protection of Information Assets Let us look at the objectives of this domain in the next screen. Objectives By the end of this domain, you should be able to understand and provide assurance that the enterprise’s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets. Detail the design, implementation and monitoring of security controls Discuss the risks associated with use of mobile and wireless devices Understand encryption techniques such as public key infrastructure and risks related to data leakage Detail network detection tools and techniques Discuss how confidential information can be stored, retrieved, transported and disposed. The following screen gives an overview of this domain. Overview An information asset is a component related to provision of accurate data or information for decision making purposes by an entity. It is considered to hold value to that particular organization and should therefore be protected by ensuing Confidentiality, integrity and availability. (CIA) Examples of information Assets are Information (or Data), Computer Application Systems, Computers (Personal Computers (PCs) laptops , PDAs, phones) , Networks (Local Area Network (LAN), Wide Area Network (WAN), Wireless Networks), Human Resources, Facilities (Main Distribution Facilities (MDFs), data centers, server room) and Other Technologies such as database technologies among others Let us continue with the overview in the folloiwng screen. Overview (contd.) The Risks to business include ; Financial loss (electronic fraud), Legal repercussions (privacy issues), Loss of credibility or competitive edge, Blackmail/industrial espionage, Sabotage and Breach of confidentiality Security failures can be costly to business as more costs are incurred to secure systems and prevent further failure. Further more cost are incurred from losses from the failure itself and when recovering from such losses. Let us now look at threats to information assests in the next slide. Threats to Information Assets The threats to Information Assets include; Hackers, Crackers Phreakers, authorized or unauthorized employees, IS personnel, End users, Former employees, Interested or educated outsiders (competitors, organized criminals), Part-time and temporary personnel, Vendors and consultants and finally accidental ignorance. Let us begin with the first topic in this domain in the following screen.

5.2 Knowledge Statement 5.1

In this topic, we will learn about the concepts under the first knowledge statement, KS 5.1. We will begin with design, implementation and monitoring of security controls in the next screen. . Design, implementation and monitoring of security controls The key knowledge statement is to understand the techniques for the design, implementation and monitoring of security controls, including security awareness programs .Security needs to be aligned with business objectives to provide reasonable reduction in risk. Security objectives may include the following:

• Ensure the continued availability of information systems.

• Ensure the integrity of information stored on its computer systems and Security while the information is in transit.

• Preserve the confidentiality of sensitive data while stored and in transit.

• Ensure compliance with applicable laws, regulations and standards. Let us continue discussing design, implementation and monitoring of security controls in the next screen Design, implementation and monitoring of security controls (contd.)

• Ensure adherence to trust and obligation requirements for any information assets accordance with the applicable privacy policy or privacy laws and regulations. Prudence in application of controls is important because controls entail a cost either directly or indirectly by impacting on business operations. The business impact analysis (BIA) is the process used to establish the material adverse events the business should be worried about. The following screen lists the main areas to be covered under this knowledge statement. Main Areas of Coverage The main areas to cover here are.

• Key elements of information security management • Critical success factors to information security

• Inventory and classifications of Information assets

• Network Infrastructure Security In the next screen, we will learn about Information Security Management (ISM) Slide10: Information Security Management (ISM) Effective ISM is the most critical factor in protecting information assets and privacy. The factors that raise the profile of information and privacy risk include; electronic trading through service providers and directly with customers, loss of organizational barriers through use of remote access facilities and high-profile security exposures: viruses, denial of service (DOS) attacks, intrusions, unauthorized access, disclosures and identity theft over the Internet, etc. Let us continue discussing Information Security Management (ISM) in the next screen Information Security Management (ISM) (contd.)

The security objectives to meet business requirements are:

 To ensure continued availability of information systems

 To ensure integrity of information stored in systems and while in transit

 To preserve confidentiality of sensitive data

 To ensure conformity to applicable laws, regulations and standards

 To ensure adherence to trust and obligation requirements

 To ensure protection of sensitive data Data integrity, as it relates to security objectives, generally refers to accuracy, completeness, consistency (or neutrality), validity and verifiability of the data once loaded on the system Integrity refers to reliability of data.

Let us continue discussing Information Security Management (ISM) in the next screen Information Security Management (ISM) (contd.) The Key elements of ISM:

 Senior management commitment and support. The risk management begins at the top.

 Policies and procedures. The framework that captures top management declaration of direction.

 Organization: clearly defined and allocated roles and responsibilities supplemented with guidance. Let us continue discussing Information Security Management (ISM) in the next screen Information Security Management (ISM) (contd.)

 Security awareness and education through training and regular updates: • Written policies and procedures, and updates • Non-disclosure statements signed by employees • Newsletters, web pages, videos, and other media. • Visible enforcement of security rules • Simulated security incidents and simulated drills • Rewards for reporting suspicious events • Periodic audits  Monitoring and compliance. Control includes an element of monitoring and usually relates to regulatory/legal compliance  Incident Handling and Response. In the next few screens we will learn about roles and responsibilities under the Information Security Management. ISM Roles and Responsibilities Roles and Responsibilities must be defined, documented and communicated to personnel and management. IS security steering committee is represented by individuals from various management levels. It also discusses and approves security policies, guidelines and procedures; with input from end users, executive management, auditors, security administration, IS personnel and legal counsel. The committee is formally established with appropriate Terms of Reference. Executive management is responsible for the overall protection of information assets and issuing ISM Roles and Responsibilities (contd.) Security advisory group is responsible for defining information risk management process & acceptable level of risk and reviewing security plans. It is comprised of people involved in the business and provides comments on security issues to chief security officer (CSO). It also advises the business whether the security programs meet business objectives. ISM Roles and Responsibilities (contd.) Chief information security officer (CISO) is a senior level corporate official responsible for articulating and enforcing policies used to protect information assets. He has a much broader role than CSO who is normally only responsible for physical security within the organization. Information asset owners and data owners: are entrusted with the responsibility for the owned asset, including performance of a risk assessment, selection of appropriate controls to mitigate the risk and to accept the residual risk . ISM Roles and Responsibilities (contd.) Process Owners ensure appropriate security measures consistent with organizational policy are maintained. Users comply with procedures set out in the security policy and adhere to privacy and security regulations – often specific to sensitive data (e.g., health, legal, finance, etc.) Chief privacy officer (CPO) is a senior level corporate official and is responsible for articulating and enforcing policies used to protect customers’ and employees’ privacy rights ISM Roles and Responsibilities (contd.) External parties follow procedures set out in the security policy. They adhere to privacy and security regulations – often specific to sensitive data (e.g.,health, legal, finance, etc.) Information Security administrator is a staff level position. He is responsible for providing adequate physical and logical security for IS programs, data and equipment. Normally guided by the information security policies. ISM Roles and Responsibilities (contd.) Security specialists /advisors assist with the design, implementation, management and review of security policies, standards and procedures. IT developers implements information security within their applications IS auditors provide independent assurance on appropriateness and effectiveness of information security objectives and controls related to these objectives. In the next screen we will learn about system access permissions. System Access Permission System Access Permission is the ability to do something with a computer resource: read, create, modify or delete a file or data; execute a program or use an external connection. It is controlled at the physical and/or logical level. Logical controls govern access to information and programs. It is built into operating systems, invoked through access control software, and incorporated in application programs, DBs, network control devices and utilities Let us continue discussing system access permissions in the next screen System Access Permission (contd.) Physical controls restrict entry and exit of personnel, movement of equipment and media. They include badges, memory cards, keys and biometrics. Access is granted on a documented, need-to-know basis; with legitimate business requirement based on least privilege and on segregation of duties principles. Access principles relate to 4 layers of security namely; Network, Platform (typically the operating system), Database and Application. In the next screen we will learn about Mandatory & Discretonary Access Controls Mandatory and Discretionary Access Controls The Mandatory Access Controls (MACs) are logical access controls (MACs) that cannot be modified by normal users or data owners. They act by default and are used to enforce critical security without possible exception. Only administrators can grant a right of access guided by an established policy of the organization. Discretionary Access Controls (DACs) controls may be configured or modified by the users or data owners . Access may be activated or modified by a data owner. DACs cannot override MACs and they act as additional filters to restrict access further. In the next few screens we will learn about Privacy Management Issues and Role of IS Auditors Privacy Management Issues and Role of IS Auditors Privacy Issues relates to personally identifiable information ( e.g. Personal Identification No. – PIN). Regulations generally restrict use of such data by give the subject individual rights to access and correct that data. It also governs how such data is obtained, requiring knowledge and consent of the data subject. Impact of risks include marketing risks, transborder data flow and variations in regulations and may require privacy experts during risk assessment. Privacy Management Issues and Role of IS Auditors (contd.) The goals of a privacy impact assessment are; identifying the nature of personally identifiable information relating to business processes, documenting the collection, use, disclosure, storage, and destruction of personally identifiable information, providing management with an understanding of privacy risk and options to mitigate this risk, ensuring accountability for privacy and facilitating compliance with relevant regulations. Privacy Management Issues and Role of IS Auditors (contd.) IS audit considerations relating to privacy include adequacy of privacy assessment i.e compliance with privacy policy, laws & other regulations and the manner in which IT is used for competitive gain. Another consideration is the ongoing assessments conducted when new products, services, systems, operations/processes, and third parties are under consideration. Besides, trans-boarder and multinational laws should also be considered. Privacy Management Issues and Role of IS Auditors (contd.) Focus and extent of privacy impact assessment may depend on changes in technology, processes or people as shown below Technology Processes People New Programs Change Management Business partners Change in existing programs Business process re-engineering Vendors Additional system linkages Enhanced accessibility rules Service providers Data warehouse New systems New products New operations In the next few screens we will learn about Information Security and External Parties Information Security and External Parties Human Resources Security and Third Parties: Security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the org security policy. Information Security policies to guide employees, contractors and 3rd party users Information Security and External Parties: Security of information and processing facilities must be maintained when external party services or products are introduced. Controls must be agreed to and defined in a formal agreement. Organization must have right to audit the implementation and operations. Information Security and External Parties (contd.) External Party arrangements include: Service providers (ISPs, network providers), Managed security services, Customers, Outsourcing facilities and/or operations (IT systems, data collections services), Management and business consultants and auditors, Developers and suppliers, cleaning, catering and other outsourced support services. Others include temporary personnel, student placement and other casual short term appointments. Information Security and External Parties (contd.) The risks related to External Party Access is information processing facilities required to be accessed by external parties. These types of access include: Physical access, Logical access, Network connectivity - organization and external party, Value and sensitivity of information involved, and its criticality for business operations and Legal and other regulatory requirements Information Security and External Parties (contd.) Security in relation to Customers involve identifying security requirements for customers’ access. The customer access security considerations:  Asset protection  Description of product or service to be provided  Reasons, requirements and benefits for customer access  Access control policy  Arrangements for reporting, notification and investigation of information inaccuracies  Target levels of service and unacceptable levels of service  Right to monitor and revoke any activity related to an organization’s assets  Intellectual property rights and copyright assignment You will now attempt a question to test what you have learnt so far.

5.4 Knowledge Statement 5.2

In this topic, we will learn about the concepts in knowledge statement, 5.2. Let us discuss Monitoring and responding to Security Incidents in the following screens Monitoring and responding to Security Incidents The key knowledge point is the processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team) A formal incident response capability should be established to minimize the impact of security incidents recovery in a timely and controlled manner and learn from such incidents. (History should be kept through properly recording of incidents). While security management may be responsible for monitoring and investigating events and may have drafted or set a requirement for escalation procedures, other functions must be involved to ensure proper response. These functions must have well-defined and communicated processes in place that are tested periodically. : The main areas covered here are: Security incident handling and response. In the next screen we will discuss about Incident Handling and Response Incident Handling and Response An incident is an adverse event that threatens some aspect of information security. To minimize damage from security incidents and to recover and to learn from such incidents, a formal incident response capability had to be established, and it includes; planning and preparation, detection, initiation, recording, evaluation, containment, eradication, escalation, response, recovery, closure and post-incident review Let us continue discussing Incident Handling and Response Incident Handling and Response (contd.) Procedures are defined for reporting different types of incidents. The process involves quick reporting and collection of evidence and formal disciplinary process, and where applicable, automated intrusion detection systems. Incident Handling and Response roles involve;  Coordinator who is the liaison to business process owners.  Director who oversees incident response capability.  Manager(s) who manage individual incidents.  Security specialists that detect, investigate, contain and recover from incidents.  Non-security technical specialists that provide assistance on subject matter expertise.  Business unit leader liaisons which include legal, HR and PR. Logical access controls is another are we are going to learn in subsequent slide. You will now attempt a question to test what you have learnt so far.

5.6 Knowledge Statement 5.3

In this topic, we will learn about the concepts in knowledge statement, 5.3. Let us discuss Logical access controls in the following screens Logical Access Controls Knowledge point to learn here is logical access controls for the identification, authentication and restriction of users to authorized functions and data. Logical access controls are used to manage and protect information assets. Controls enact and substantiate policies and procedures designed by management to protect information assets. Controls exist at both the operating system level and the application level, so it is important to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point. Let us continue the discussion about Logical Access Controls in the next few screens Logical Access Controls (contd.) Logical security is often determined based on the job function of users. The success of logical access controls is tied to the strength of the authentication method (e.g., strong passwords). All user access to systems and data should be appropriately authorized and should be commensurate with the role of the individual. Authorization generally takes the form of signatures (physical or electronic) of relevant management. The strength of the authentication is proportional to the quality of the method used: "strong authentication" may include dual or multifactor authentication using user 10, password, tokens and biometrics. The main areas covered here are: • Logical Access Logical access controls (contd.) Logical access controls are the primary means used to manage and protect information assets. These exposures can result in minor inconveniences to a total shutdown of computer functions. Logical access controls involve managing and controlling access to information resources. It is based on management policies and procedures for information security. Logical access controls must be evaluated vis-à-vis information security objectives. Familiarization with the IT environment helps in determining which areas, from a risk standpoint, warrant IS auditing attention. This includes reviewing security layers associated with IS architecture: network, OS, database, application Logical Access Controls (contd.) Paths of logical access (points of entry to IS infrastructure): Back-end, front-end systems, Internally-based users, externally-based users and direct access to specific servers. All points of entry must be known. General points of entry relate to network or telecomm infrastructure in controlling access to information resources. • Typical client-server environment: primary domain controllers network management devices e.g. routers and firewalls. General modes of access: Network connectivity: Remote access: remotely dialling into a network for services that can be performed remotely (e.g. email). Logical Access Controls (contd.) Traditional Points of Entry: Mainly applicable for mainframe-based systems used for large database systems or “legacy” applications. • Operator Console. These are privileged computer terminals that control most computer operations and functions. They provide high level of system access but do not have strong logical access controls. It is located in a suitably controlled facility so that physical access can only be gained by authorized personnel. On-Line workstations in client-server environments. This method typically require at least a logon-ID and password to gain access to the host computer system. It may also require further entry of authentication or identification data for access to application specific systems Logical Access Controls (contd.) IS resources are more accessible and available anytime and anywhere. Computers store large volumes of data. Sharing of resources has increased from one system to another and accessibility has increased through intranet/internet. Logical access control software has become critical in protecting IS resources. It prevents unauthorized access and modification to sensitive data, and use of critical functions. It is applied across all layers of IS architecture (network, OS, DBs and applications). Logical Access Controls (contd.) Common attributes of these software is that it has some form of identification and authentication. Provides access authorization. It also checks specific information resource and provide logs and reporting of user activities. Greatest degree of protection is applied at the network and platform/OS level mainly because it is the primary point of entry to systems. Besides, it is the foundation (primary infrastructure) on which applications and DBs will reside. Also, OS system access control software interfaces with databases and/or applications to protect system libraries and datasets. These network devices (e.g. routers and firewalls) manage external access to networks thus need highest degree of protection. Logical Access Controls (contd.) General OS/application access control software functions include; creating or changing user profiles, assigning user identification and authentication, applying user logon limitation rules (e.g. restrict logon IDs to specific workstations at specific times), establishing rules for access to specific resources, creating individual accountability and auditability by logging user activities, logging events and reporting capabilities. Logical Access Controls (contd.) Database or application level controls creates or changes data files and database profiles. It also verifies user authorization at the application and transaction level, within the application and at the field level for changes within the database. It also verifies subsystem authorization for the user at the file level. In addition it logs database/data communications access activities for monitoring access violations. On the next three slides, we shall attempt to answer another question to check on our knowledge on this area. You will now attempt a question to test what you have learnt so far.

5.8 Knowledge Statement 5.4

In this topic, we will learn about the concepts in knowledge statement, 5.4. Let us discuss Security Controls Related to Hardware, System Software Security controls related to hardware, system software. In this slide, we learn on the security controls related to hardware, system software (e.g., applications, operating systems), and database management systems. Access control software utilizes both identification and authentication (I&A). Once authenticated, the system then restricts access based on the specific role of the user. I&A is the process by which the system obtains identity from a user, the credentials needed to authenticate identity, and validates both pieces of information. I&A is a critical building block of computer security since it is needed for most types of access control and is necessary for establishing user accountability. For most systems, I&A is the first line of defense because it prevents unauthorized access (or unauthorized processes) to a computer system or an information asset. In the next screen we will discuss more about Security Controls Related to Hardware and System Software. Security Controls Related to Hardware, System Software (contd.) Logical access can be implemented in various ways. The IS auditor should be aware of the strengths and weaknesses of various architectures such as single sign-on (SSO), where a single authentication will enable access to all authorized applications; identity management; multifactor authentication. If this risk is considered manageable, it should drive the implementation of multifactor authentication. The main areas covered here are: ● Identification and Authentication ● Single Sign-on In the next screen we will discuss about Identification & Authentication Identification and Authentication. Identification and Authentication involves proving one’s identity, which is authenticated prior to being granted access. It is a critical building block of IS security in which the basis of most access control systems: first line of defense – preventing unauthorized access. I&A also establishes user accountability – linking activities to users. Multifactor authentication is a combination of more than one method e.g. token and password or PIN, token and biometric device. Let us continue discussing Identification and Authentication in the next slide Identification and Authentication (contd.) Categories can be something you know (e.g., password), something you have (e.g., token card), something you are or do (a biometric feature) or where you are. These techniques can be used independently or in combination (single-factor or two-factor authentication). Some of the common vulnerabilities expected are; • Weak authentication methods. • Potential for bypassing authentication mechanism. • Lack of confidentiality and integrity of stored authentication information. • Lack of encryption for transmitted authentication information. • Lack of user knowledge regarding risks of sharing authentication elements e.g.password. In the next few screens we will discuss about Identification and Authentication-Logon IDs and Passwords Identification and Authentication – Logon ID’s and Passwords. Logon IDs and Passwords is a two-phase user identification/authentication process based on something you know:  Logon ID – individual identification  Password – individual authentication It is used to restrict access to computerized information, transactions, programs, and system software. It may involve an internal list of valid logon-IDs and a corresponding set of access rules for each logon-ID. The access rules can be specified at OS level (controlling access to files), or within individual applications controlling access to menu functions and types of data). Identification and Authentication – Logon ID’s and Passwords (contd.) Features of Passwords include; • Easy for the user to remember but difficult for a perpetrator to guess. • when the user logs on for the first time, the system should force a password change to improve confidentiality. • limited number of logon attempts, typically three. • user verification for “forgotten” passwords. • internal one-way encryption, and not displayed in any form. • changed periodically, e.g. every 30 days. • unique; if it is known by more than one person, responsibility for activity cannot be enforced. Identification and Authentication – Logon ID’s and Passwords (contd.) Password syntax (format) rules: • ideally, a minimum of eight characters in length • a combination of at least three of the following: alpha, numeric, upper & lower case, and special characters; some prohibit use of vowels • not particularly identifiable to the user • system should enforce regular change of passwords – e.g. after every 30 days • no re-use of previous passwords for e.g. at least one year after being changed • deactivate dormant logon Ids • automatic session/inactivity time-outs • Powerful user-ids (accounts) such as Supervisor and Administrator accounts should be strictly controlled; these could have full access to the system. • Administrator password should be known only by one person; however, the password should be kept in a sealed envelope for business continuity. Let us proceed to the next slide for more on passwords. Identification and Authentication – Logon ID’s and Passwords (contd.) Token Devices and One-time Passwords is a two-factor authentication technique; e.g. a microprocessor-controlled smart card, which generates unique, time-dependent / one-time passwords (called “session passwords”). This is good for only one logon session. The users enter this password along with a password they have memorized to gain access to the system. It is characterized by unique session characteristic (ID or time) appended to the password. Technique involves ‘something you have’ (a device subject to theft) and ‘something you know’ (a PIN). In the next screen we will learn about Identification and Authentication – Biometric Access Control Identification and Authentication – Biometric Access Control. Biometric Security Access Control is the best means of authenticating a user’s identity based on a unique, measurable attribute or trait for verifying the identity of a human being. It restricts computer access based on a physical (something you are) or behavioural (something you do) feature of the user, e.g. a fingerprint or eye retina pattern. A reader interprets the individual’s biometric features before permitting authorized access. However, it is not a fool proof process: certain biometric features can change (e.g. scarred fingerprints, change in voice). The final template is derived through an iterative averaging process of acquiring samples. Let us continue discussing Identification and Authentication – Biometric Access Control Identification and Authentication – Biometric Access Control (contd.) Physically oriented biometrics are palm, Hand geometry, Iris, Retina, Fingerprint, Face. Behaviour oriented biometrics can be Signature recognition and Voice recognition. In the next few screens we will discuss about Identification and Authentication - Single Sign-on (SSO) Identification and Authentication – Single Sign-On. Single sign-on (SSO) is a consolidation of the organisation platform-based administration, authentication and authorization functions. It interfaces with client server and distributed systems, mainframe systems and network security including remote access. The primary domain handles the first instance where user credentials are entered and the secondary domain is any other resource that uses these credentials. Identification and Authentication - Single Sign-on (SSO) (contd.) Single sign on (SSO) Challenges: • Overcoming heterogeneous nature of diverse architecture (networks, platforms, databases, and applications) • Requires understanding of each systems authorisation rules, and audit logs and reports • Allowing host systems to control the set of users allowed access to particular host systems SSO Advantages: • Multiple passwords not required – users motivated to select stronger passwords • Efficiency in managing users and their authorisations • Reduced administrative overheads for resetting passwords • Efficiency of disabling/deactivating user accounts • Reduced logon time Identification and Authentication - Single Sign-on (SSO) (contd.) SSO Disadvantages: • Single point of network failure • Few software solutions accommodate all major OS • Substantial interface development required (development costly) In the next screen we will discuss about Logical Access Security Administration. Logical Access Security Administration. Logical Access Security Administration can be centralised or decentralised Advantages of decentralised administration:  Administration onsite at distributed location  Timely resolution of issues  More frequent monitoring Controlling remote and distributed sites  Software access controls  Physical access controls: lockable terminals, locked computer rooms  Control over dial-in facilities (modems, laptops)  Controls over access to system documentation  Controls over data transmission: access, accuracy, completeness  Controls over replicated files and their updates: accuracy and reduced duplication Let us continue discussion about Logical Access Security Administration. Logical Access Security Administration (contd.) Risks associated with decentralised administration. Local standards (rather than organisational) may be implemented. Level of security management may be below that of the central site. Unavailability of management checks and audits by the central site. In the next screen we will discuss about Remote Access Security Remote Access Security Business need of remote access provides users with the same functionality that exists within their offices. The components of remote access: • Remote environment: employees, branches, laptops • Telecommunication infrastructure: the carrier used. • Corporate computing infrastructure: corporate connecting devices, communications software. Remote Access Risks could be denial of service, malicious third-party access, misconfigured communication software, misconfigured devices, host systems not secured appropriately and physical security weaknesses at the remote stations. Let us continue discussing about Remote Access Security in the next screen Remote Access Security (contd.) Remote access methods are Analog modems and the public telephone network, dedicated network connections (proprietary circuits) and TCP/IP internet based remote access. The remote Access Controls are; • Policy and standards. • Proper authorisation. • Identification and authentication mechanisms. • Encryption tools and techniques. • System and network management. In the next scree we will discuss about PDAs and Mobile Technology PDAs and Mobile Technology PDAs augment desktops and laptops due to their ease of use and functionality. The Inherent risks is that they are easy to steal, easy to lose, ready access to information stored. Access issues with mobile technologies includes Flash disk and controls. Let us continue discussing about PDAs and Mobile Technology in the next screen PDAs and Mobile Technology (contd.) Control issues to address are;  Compliance with policies and procedures, including approval for PDA use  Awareness of responsibilities and due care  Compliance with security requirements  Authorisation and approval of use  Standard PDA applications, authorised and licensed  Synchronisation: backup and updating  Encryption  Virus detection and control  Device registration  Camera use Access issues with mobile technology: Include flash disks. Controls include policy, denial of use, disabling USB ports (using logon scripts) and encryption of data transported on these devices. In the next screen we will discuss about System Access System Access Audit logging in monitoring system access. Most access control software automatically log and report all access attempts – success and failures. It provides management with an audit trail to monitor activities. It facilitates accountability. Access rights to system logs should be for review purposes and it is a form of security against modification. Let us continue discussing about System Access in the next screen System Access (contd.) The tools for analysis of audit log information:  Audit reduction tools – filter out insignificant data  Trend/variance detection tools  Attack signature detection tools Reviewing audit logs monitors patterns or trends and violations and/or use of incorrect passwords. Restricting and Monitoring Access: Features that bypass security accessed by software programmers, include bypass label processing (BLP), System exits and Special system logon Ids. You will now attempt a question to test what you have learnt so far.

5.10 Knowledge Statement 5.5

In this topic, we will learn about the concepts in knowledge statement, 5.5. Let us discuss Risks and Controls Associated With Virtualized Systems Risks and Controls Associated with virtualized systems. This slide endeavors to learn risks and controls associated with virtualization of systems Virtualization provides an organization with a significant opportunity to increase efficiency and decrease costs its IT operations. The IS auditor needs to know the different advantages and disadvantages and needs to consider whether the enterprise has considered the applicable risks in its decision to adopt, implement and maintain this technology. At a higher level virtualization allows multiple operating systems (OSs), or guests, to coexist on the same physical server, or host, in isolation of one another. Let us continue discussing about Risks and Controls Associated with virtualized systems in the next screen Risks and Controls Associated with virtualized systems (contd.) Virtualization creates a layer between the hardware and the guests OSs to managed shared processing and memory resources on the host machine. A management console often provides administrative access to manage the virtualized system. Virtualization introduce additional risks that the enterprise must manage effectively. Key risk is that the host represents a single point of failure within the system. A successful attack on the host could result in a compromise very large in impact. Hence our main topic of focus will be virtualisation. Main Areas Covered here are: • Virtualisation You will now attempt a question to test what you have learnt so far.

5.12 Knowledge Statement 5.6

In this topic, we will learn about the concepts in knowledge statement, 5.6. Let us discuss Network Security Controls in the next screen Network security controls Knowledge of the configuration, implementation, operation and maintenance of network security controls are what we’ll learn in this slide. Enterprises can effectively prevent and detect most attacks on their networks by employing perimeter security controls. Firewalls and intrusion detection system (IDS) provide protection and critical alert information at borders between trusted and untrusted networks. Proper implementation and maintenance of firewalls and IDS is critical to successful,in-depth security program.The IS auditor must understand the level of intruder detection provided by the different possible locations of the IDS and the importance of policies and procedures to determine the action required by security and technical staff when an intruder is reported. Our main areas of coverage will Internet Threats and Security. Main areas of covered here are: ● Internet Threats and Security In the next few screens we will discuss about Network Infrastructure Security Network infrastructure security The table demonstates network infrastructure security. Network Infrastructure Security (contd.) Auditing use of the Internet involves ensuring a business case for Email (communication), Marketing (customer communication), Sales channel or e-commerce, Channel for delivery of goods and services (online stores, Internet banking) and Information gathering (research). Network Infrastructure Security (contd.) Auditing Networks Review network diagrams to identify networking infrastructure and network design. Also, review network management: policies, procedures, standards, guidance distributed to staff. Besides, identify responsibility for security and operation and review staff training, duties and responsibilities. You will further review legal issues regarding the use of the Internet., service level agreements with third parties and network administrator procedures. Network infrastructure security (contd.) Auditing remote access invloves;  Identify all remote access facilities, ensuring they have been documented  Review policies governing the use of remote access  Review architecture, identifying points of entry and assessing their controls  Test dial-up access controls  Review relation to business requirements Network Infrastructure Security (contd.) General network controls are functions performed by technically qualified operators. These functions are separated and rotated regularly. Apply least-privilege access rights for operators. Audit trail of operator activities must be periodically reviewed by management. Network operations standards must documented. A review of workload balance, response times and system efficiency must also be perfomed. Further consider terminal authentication and data encryption. Some of the network management control software include Novell Netware, Windows NT/2000, UNIX. You will now attempt a question to test what you have learnt so far.

5.14 Knowledge Statement 5.7

In this topic, we will learn about the concepts in knowledge statement, 5.7. Let us discuss Network & Internet Security Devices, Protocols and Techniques in the next screen Network & Internet Security Devices, Protocols and Techniques The key knowledge to learn in this topic is network and internet security devices, protocols and techniques. Application and evaluation of technologies to reduce risk and secure data is dependent on proper understanding of security devices, their functions and protocols used in delivering functionality. An organization implements specific applications of cryptographic systems in order to ensure confidentiality of important data. There are a number of cryptographic protocols which provide secure communications on the Internet. Additionally, the security landscape is filled with technologies and solutions to address many needs. Solutions include firewalls, intrusion detection and prevention devices, proxy devices, web filters, antivirus and antispam filters, data leak protection functionality, identity and access control mechanisms, secured remote access and wireless security. Understanding the solution's function and its application to the underlying infrastructure requires knowledge of the infrastructure itself and the protocols in use. In the next screen we will see the main areas to be covered under this topc Network & Internet Security Devices, Protocols and Techniques(contd.) Main Areas Covered here are: ● Encryption ● Network Infrastructure Security In the next few screens we will learn about Firewalls Firewalls. Firewall is a security perimeter for corporate networks connecting to the Internet aimed at preventing external intruders and untrusted internal users (internal hackers). It applies rules to control network traffic flowing in and out of a network: allowing users to access the Internet and stopping hackers or others on the Internet from gaining access to the network. The guiding principle used is least privilege (need-to-use basis) Firewalls (contd.) General functions of firewalls includes; Blocking access to particular sites , limiting traffic on public services to relevant ports, preventing access to certain servers and/or services, monitoring and recording communication between internal and external networks (Network penetration, Internal subversion), Encryption and VPN, and Single choke point –concentrating security on a single system. General Firewall features include; combination of hardware (routers, servers) and software. It should control the most vulnerable point between a corporate network and the Internet. Firewalls (contd.) General techniques used to control traffic are; • Service control –IP address TCP port • Direction control – direction of traffic • User control – based on user rights • Behaviour control – based on how services are being used e.g. filter email for spam In the next few screens we will discuss about Types of Firewalls Types of firewalls. The types of Firewalls are ; • Router packet filtering, • Application firewall systems and • Stateful inspection firewalls. Router packet filtering firewall is deployed between the private network and the Internet. Screening routers examine packet headers to acertain IP address (identity) of the sender and receiver and the authorised port numbers allowed to use the information transmitted – kind of Internet service being used. These information is used to prevent certain packets from being sent between the network and the Internet. Types of Firewalls (Contd.) The common attacks against packet filtering are IP spoofing, source routing specification and miniature fragment attack. This method is simple and stable. The demerit is that it is easily weakened by improperly configured filters. Also it is unable to prevent attacks tunneled over permitted service. The diagram in the slide describes this type of firewall. Types of Firewalls (Contd.) Application firewall systems. This type of firewall allows information flow between internal and external systems but do not allow direct exchange of packets. Host applications must be secured against threats posed by allowed packets. They rest on hardened operating systems, e.g. WinNT, UNIX. It works at the application layer of the OSI model. The firewall analyse packets through a series of proxies, one for each service. There are two types: Application-level firewalls and Circuit-level firewalls Types of Firewalls (Contd.) Application-level firewalls: analyze packets through a series of proxies, one for each service. Circuit-level firewalls validates TCP and UDP sessions through a single general-purpose proxy. The diagram in the slide demonstates this. Application firewall systems are set up as proxy servers acting on behalf of network users. It employs bastion hosting and it is heavily fortified against attack handling all incoming requests from the Internet to the network. Single host makes security maintenance easier as only the firewall system is compromised, not the network. In the next screen we will discuss about Types of Firewalls and Firewall Issues Slide 105: Types of Firewalls and Firewall Issues Stateful Inspection firewalls: Track destination IP address of each packet leaving the network and references responses to request that went out. It maps source IP addresses of incoming packets to destination IP addresses of outgoing requests. It prevents attacks initiated and originated by outsiders. Main advantage is that it is more efficient than application firewall systems. The disadvantage is that it is more complex to administer. Issues related to firewalls:  False sense of security. No additional internal controls are needed.  Weak against internal threats. For example, a disgruntled employee cooperating with an external attacker.  cannot protect against attacks that bypass the firewall e.g. modem dial-in  Misconfigured firewalls  Misunderstanding of what constitutes a firewall  Monitoring activities not done regularly In the next screen we will discuss about Implementation of Firewalls Firewalls Implementation. Firewall can be implemented in three ways; Screened-host firewall, Dual-homed firewall and Demilitarised zone (screened subnet firewall) In the next screen we will discuss about Screened-host firewall Screened Host Firewall Screened-host firewall. This method utilizes packet filtering and a bastion host (proxy services):  bastion host connects to the internal network  packet-filtering router installed between the Internet and the bastion host Intruder has to penetrate two systems before the network is compromised. Internal hosts reside on the same network as the bastion host - security policies determine whether: hosts connect directly to the Internet or hosts use proxy services of the bastion host. The diagram in the slide explains further on this. In the next screen we will discuss about Dual-Homed Firewall Dual-Homed firewall. This type of implemetation is more restrictive form of screened-host firewall. One interface is established for information servers, and a separate interface for private network hosts. Direct traffic to internal hosts is physically prevented as explained in the diagram. In the next screen we will discuss about Demilitarized zone (screened subnet firewall) - DMZ Demilitarised zone (screened subnet firewall) – DMZ This mode utilises two packet-filtering routers and a bastion host. It is the most secure firewall system and supports network and application-level security. The separate DMZ functions are an isolated network for public servers, proxy servers, and modem pools. Key benefits are that the intruder must penetrate three separate devicesThe private network addresses are not disclosed to the Internet. Also, internal systems do not have direct access to the Internet. In the next screen we will dicuss about Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) monitor network usage anomalies. It is used together with firewalls and routers. It continuously operates in the background and the administrator is alerted when intrusions are detected. It protects against external and internal misuse. IDS components • Sensor. This collects data (network packets, log files, system call traces). • Analyser. This receives input from sensors and determines intrusive activity. • Admin console • User interface Let us continue discussing about Intrusion Detection Systems (IDS) in the next screen Intrusion Detection Systems (IDS) (contd.) IDS are categorized into ; Network-based IDSs (NIDS) which identifies attacks within a network, and Host-based IDSs (HIDS) which is configured for a specific environment and monitor internal resources of systems. IDS types are; • Signature based. Intrusion patterns stored as signatures and limited by detection rules. • Statistical based. Monitoirs expected behaviour. • Neural networks. Similar to statistical, but added learning functionality. • A signature. Statistical combination offers better protection. In the next screen we will learn about IDS and Intrusion Prevention Systems (IPS) IDS and Intrusion Prevention Systems (IPS) The key features of intrusion detection systems: • Intrusion detection and alerts • Gathering evidence • Automated response (e.g. disconnect) • Security policy administration and monitoring • Interfaces with system tools (logging facilities) IDS limitations include; • Weaknesses in policy definition • Application-level vulnerabilities • Backdoors to applications • Weaknesses in identification and authentication schemes Let us continue discussing about IDS and Intrusion Prevention Systems (IPS) in the next screen IDS and Intrusion Prevention Systems (IPS) (contd.) Intrusion Prevention Systems (IPS) IPS is closely related to IDS. It is designed to detect and prevent attacks by predicting an attack before it happens hence, limiting damage or disruption to systems that are attacked. It must be properly configured and tuned to be effective. In the next scree we will learn about Honey Pots & Honey Nets Honey pots and Honey nets. Honeypot is a software application that pretends to be an unfortunate server on the Internet and is not set up to actively protect against break-ins. Rather, they act as decoy systems that lure hackers and, therefore, are attractive to hackers.The more a honeypot is targeted by an intruder, the more valuable it becomes. Honeypot is technically related to IDSs and firewalls but it has no real production value as an active sentinel of networks. The two basic types of Honeypots are; • High interaction –Give hackers a real environment to attack. • Low interaction – Emulate production environments. Honeynet is multiple honeypots networked together to simulate a larger network installation is known as a honeynet. Honeynet let hackers break into the false network while allowing investigators to watch their every move by a combination of surveillance technologies. You will now attempt a question to test what you have learnt so far.

5.16 Knowledge Statement 5.8

In this topic, we will learn about the concepts in knowledge statement, 5.8. Let us discuss about Information System Attack Methods and Techniques in the next screen Information System Attack Methods and Techniques. The candidate need to graps the knowledge of information system attack methods and techniques covered under this topic. Risks arise from vulnerabilities (whether technical or human) within an environment. Several attack techniques exploit those vulnerabilities and may originate either within or outside the organization. Computer attacks can result in proprietary or confidential data being stolen or modified, loss of customer confidence and market share, embarrassment to management and legal actions against an organization. Let us continue discussing about Information System Attack Methods and Techniques in the next screen Information System Attack Methods and Techniques (contd.) Understanding the methods, techniques and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risks an organization faces. The IS auditor should understand enough of these attack types to recognize their risk to the business and how they should be addressed by appropriate controls. The IS auditor should understand the concept of "social engineering" since these attacks can circumvent the strongest technical security. The only effective control is regular user education. Main areas covered here are: ● Computer Crime issues and Exposures ● Wireless Security Threats and Risks Mitigation In the next few screens we will discuss about Computer Crime Issues and Exposures Computer Crime Issues and Exposures. Computer crimes can be committed from various sources, including: • Computer is the object of the crime: Perpetrator uses another computer to launch an attack • Computer is the subject of the crime: Perpetrator uses computer to commit crime and the target is another computer • Computer is the tool of the crime: Perpetrator uses computer to commit crime but the target is not the computer but instead data stored on the computer. • Computer symbolises the crime: Perpetrator lures the user of computers to get confidential information (e.g. Social engineering methods). Computer Crime Issues and Exposures (contd.) Common attack methods and techniques include; alteration attack, Botnets, Brute-force Attack, Denial of Service (DoS) Attack, Dial-in Penetration Attack, War Dialing, Eavesdropping, E-mail Bombing and Spamming, E-mail Spoofing. Computer Crime Issues and Exposures (contd.) More common attack methods and techniques include; • Flooding • Interrupt Attack • Malicious Codes • Man-in-the-middle Attack • Masquerading • Message Modification • Network Analysis • Packet Replay • Phishing • Piggybacking • Race Conditions • Remote Maintenance Tools • Resource Enumeration and Browsing • Salami • Spam • Traffic Analysis • Unauthorised Access Through the Internet and World Wide Web (WWW) • Viruses, Worms and Spyware • War Driving • War Walking • War Chalking In the next few screens we will learn about Local Area Network (LAN) Security Local Area Network (LAN) Security Local area network is faced with alot of risks. Example of these risks are; • Unauthorised access and changes to data and/or programs • Inability to maintain version control • Limited user verification and potential public access • General access as opposed to need-to-know access • Impersonation or masquerading as a legitimate LAN user • Internal user sniffing • Internal user spoofing • Virus infection • Unlicensed or excessive numbers of software copies • Destruction of logging and auditing data • Lack of LAN administrator experience, expertise • Varying media, protocol, hardware, network software that makes standard management difficult • Security set aside for operational efficiency Local Area Network (LAN) Security (contd.) LAN administrative capabilities include declaring ownership of programs and files, limiting access to read-only, record and file locking to prevent simultaneous update and enforcing user ID/password sign-on procedures. In order to understand LANs, it is paramount for a candidate to have a good knowledge of; • LAN topology and network diagram • Functions performed by the LAN administrator / owner • LAN users and user groups • Applications used on the LAN • Procedures and standards of network design, support, naming conventions, data security Local Area Network (LAN) Security (contd.) Dial-up access controls are having encrypted passwords, portable PCs, Dial-back procedures and One-time password generators or tokens. Local Area Network (LAN) Security (contd.) Client-server risks include; • Numerous access routes / points • Increased risk of access to data and processing • Weaker access controls (password change controls or access rules) • Weaker change control and change management • Inaccurate, unauthorised access and changes to systems or data • Loss of network availability • Obsolescence of network components • Unauthorised connection of the network to other networks through modems • Weak connection to public switched telephone networks • Application code and data may not be stored on a secured machine Local Area Network (LAN) Security (contd.) Client Server Controls that will ensure security include; • Disabling floppy drives • Automatic boot or start-up batch files (login scripts) • Network monitoring devices • Data encryption • Environment-wide authentication procedures • Application-level access control • Organisation of users into functional groups In the next few screen we will discuss about Internet Threats Internet Threats The Internet is a global TCP/IP-based system that enables public and private heterogeneous networks to communicate with one another. Internet threats are cateqorized into; • Passive attacks. Involves probing for network information. • Active attacks:  Intrusion or penetration into a network, gaining full control (or enough) to cause certain threats.  unauthorised access to modify data and/or programs.  obtaining sensitive information for personal gain.  escalating privileges.  denial of service.  Impact could affect financial, legal or competitive edge. Internet Threats (contd.) Types Passive attacks are ; • Network analysis. Involves creating a profile of a network security infrastructure (“foot printing”):  System aliases, internal addresses  Potential gateways, firewalls  Vulnerable operating system services • Eavesdropping. Involves gathering information flowing thru the network for personal analysis or third parties • Traffic analysis. Entails determining the nature of traffic flow between defined hosts Internet Threats (contd.) Active attacks can be in the following ways; • Brute-force attack. This entails launching many attacks to gain unauthorised access; e.g. password cracking. • Masquerading. This is presenting an identity other than the original identity (which is unauthorised). • Packet replay – passively capturing data packets and actively inserting them into the network: Replayed packets treated as another genuine stream; it is effective when data received is interpreted and acted upon without human intervention. • Message modification – making unauthorised changes/deletions to captured messages Internet Threats (contd.) • Unauthorised access through the Internet:  Telnet passwords transmitted in clear text  Releasing CGI scripts as shareware  Client-side execution of scripts (JAVA applets) • Denial of service – flooding servers with data/requests:  Systems are paralysed  Genuine users are frustrated with unavailability of system • Dial-in penetration attacks – using phone number ranges and social engineering • Email bombing – repeating identical messages to particular addresses • Email spamming – sending messages to numerous users • Email spoofing – altering the identity of the source of the message In the next few screens we will learn about Logical Access ExposuresSlide 133: Logical Access Exposures. Trojan Horses - hiding malicious fraudulent code in an authorized computer program. Rounding Down – drawing off small amounts of money from a computerized transaction or account to the perpetrator’s account. Salami Technique – slicing off (truncating) small amounts of money from a computerized transaction or account (similar to rounding down). Viruses – malicious program code inserted into other executable code that can self- replicate and spread from computer to computer. Worms - destructive programs that may destroy data or utilize tremendous computer and communication resources do not replicate like viruses. Logic Bombs - similar to computer viruses but do not self-replicate destruction or modification of data is programmed to a specific time in the future difficult to detect before they blow up. Logical Access Exposures (contd.) Trap Doors are exits out of an authorized program. They allow insertion of specific logic, such as program interrupts, to permit a view of data during processing. Used by programmers to bypass OS integrity during debugging and maintenance. There are meant to be eliminated in final editing of the code, but sometimes forgotten or intentionally left for future access. Asynchronous attacks. These are OS-based attacks in a multi-processing environment: job scheduling, resource scheduling, checkpoint/restart capabilities. Checkpoint copy: data, system parameters, security levels. Attacks involve access to and modification of this data to allow higher-priority security. Results in unauthorised access to data, other programs and the OS. Logical Access Exposures (contd.) Data Leakage involves siphoning or leaking information out of the computer: dumping files to paper, stealing tapes WireTapping. This is eavesdropping on information being transmitted over telecommunication lines Piggybacking is following an authorised person through a secured door. Also it means electronically attaching to an authorised telecommunications link to intercept and possibly alter transmissions. Computer Shut Down – initiated through terminals or microcomputers connected directly (online) or remotely (dial-up lines) to the computer Denial of service – disrupt or completely deny service to legitimate users, networks, systems or other resources. You will now attempt a question to test what you have learnt so far.

5.18 Knowledge Statement 5.9

In this topic, we will learn about the concepts in knowledge statement, 5.9. Let us discuss about Virus Detection Tools and Control Techniques in the next screen Virus detection tools and control techniques. The key is understanding detection tools and control techniques (e.g., malware, virus detection, spyware). Computer viruses and other malware continue to emerge at increasing rates and sophistication and present significant threats to individuals and organizations. Layered tools should be implemented and distributed throughout the environment in order to mitigate the ability of this malware to adversely impact the organization. Antivirus and antispam software is a necessary and critical component of an organization's security program, providing a mechanism to detect, contain and notify whenever malicious code is detected. It is essential that the IS auditor understand not only the need for the implementation of antimalware software, but that it should be constantly be updated to ensure that it will detect and eradicate the latest attacks detected by the solutions providers. Viruses is what we will focus on next. Virus Detection Tools and Control Techniques (contd.) Main areas are covered here are: ● Viruses In the next few screen we will learn about viruses Viruses. Viruses are malicious programs designed to self-propagate by appending to other programs. They easily transmitted via the Internet, email attachments, local area networks. Viruses attack four parts of the computer: executable program files, the file directory system, which tracks the location of all the computer’s files. Another area is boot and system areas, which are needed to start the computer. Data files is also a target for viruses. Viruses (contd.) Virus Controls available are; • Virus and worm controls. • Management procedural controls. • Technical controls. Anti-virus software (periodically updated). Hardware controls (remote booting, boot virus protection). • Anti-virus software implementation strategies. • dynamic anti-virus program. • Sound policies and procedures. Let us continue to discuss viruses on the next slide. Viruses (contd.) Anti-virus software implementation strategies: Detecting the virus at its point of entry is crucial. At user/workstation level through scheduled, continuous and manual on-demand scans. At corporate network level , as part of the firewall (virus wall): SMTP, HTTP, and FTP protection. Besides, automatically updating anti-virus software. Features of anti-virus software: It should be reliable andoffer quality of detection. It should be memory resident to facilitating continuous checking. It should as well have efficient working speed and use of resources. Viruses (contd.) Types of anti-virus software: Scanners: Virus masks or signatures, heuristic scanners (based on statistical probability) Active monitors looking for virus-like activity Integrity CRC checkers - used to detect changes in files and executable code Behaviour blockers – focus on detecting potentially abnormal behaviour, e.g. writing to the boot sector. Immunisers – append themselves to files and continuously check for changes You will now attempt a question to test what you have learnt so far.

5.20 Knowledge Statement 5.10

In this topic, we will learn about the concepts in knowledge statement, 5.10. Let us discuss about Security Testing Techniques in the next screen Security testing techniques. It is paramount for CISA candidates to have knowledge of security testing techniques (e.g., intrusion testing, vulnerability scanning). Tools are available to assess the effectiveness of network infrastructure security. These tools permit identification of real-time risks to an information processing environment and corrective actions taken to mitigate these risks. Such risks often involve the failure to stay updated on patch management for operating systems or the misconfiguration of security settings. Assessment tools (whether open source or commercially produced) can quickly identify weaknesses that would have taken hundreds of hours to identify manually. The IS auditor should also be aware that security testing may be carried out by an approved third party, e.g., a company specializing in penetration testing. Let us see the main area to covere under this topic in next screen Security Testing Techniques (contd.) Main areas covered here are : ● Auditing Network Infrastructure Security In the next few screens we will learn about Network Infrastructure Security Network Infrastructure Security. Network penetration testing is also called intrusion tests or ethical hacking. It involves using techniques available to a hacker:  Open source intelligence gathering and discovery  Attempting to guess passwords  Searching for backdoors into systems  Exploiting known operating system vulnerabilities It is popular for testing firewalls. Only performed by skilled, experienced professionals. It requires permission from top-level senior management, but without informing IS security staff. You will now attempt a question to test what you have learnt so far.

5.22 Knowledge Statement 5.11

In this topic, we will learn about the concepts in knowledge statement, 5.11. Let us discuss about Risks and Controls Associated Data Leakage in the next screen Risks and controls associated data leakage. Data leakage is the risk that sensitive information may be inadvertently made public. It occurs in different ways such as job postings that list the specific software and network devices with which applicants should have experience in to system administrators posting questions on technical web sites that include posting with the specific details on the firewall or database version they are running and the IP addresses they are trying to connect. Posting organization charts and strategic plans to externally accessible websites Data classification policies, security awareness training and periodic audits of data leakage are elements that the IS auditor will want to ensure are in place. The main areas of coverage is computer Crime Issues and Exposures. Risks and Controls Associated Data Leakage (contd.) Main areas to be covered hereare: ● Computer Crime Issues and Exposures Let us proceed to the next topic in this domain

5.23 Knowledge Statement 5.12

In this topic, we will learn about the concepts in knowledge statement, 5.12. Let us discuss about Network Infrastructure Security-Encryptionin the next few screens Network Infrastructure Security-Encryption It is important for CISA candidate to have a good knowledge of encryption-related techniques. One of the best ways to protect the confidentiality of information is through the use of encryption. Effective encryption systems depend on  Algorithm strength, secrecy and difficulty of compromising a key  The nonexistence of back doors by which an encrypted file can be decrypted without knowing the key  The inability to decrypt an entire Ciphertext message if one knows the way a portion of it decrypts is known (this is called known-text attack)  Properties of the plaintext being known by a perpetrator Although the IS auditor is not expected to be an expert in how these algorithms are designed, the auditor should be able to understand how these techniques are used and the relative advantages and disadvantages of each. We will cover encryption techniques in this section. Network Infrastructure Security-Encryption (contd.) Main areas to be covered here are: ● Encryption Network Infrastructure Security-Encryption (contd.) Encryption means converting plaintext messages into secure-coded text (ciphertext). It is done via a mathematical function and a key (a special encryption/decryption password). Encryption is used to protect data in transit over networks, protect information stored on computers, deter and detect alterations of data and verify authenticity of a transaction or document. Note: We assume that the more difficult it is to decrypt the ciphertext, the better. Network Infrastructure Security-Encryption (contd.) Key elements of encryption systems; • Encryption algorithm – mathematical function / calculation. • Encryption key – piece of information used in the algorithm to make the process unique. • Key length – predetermined length of key. Effectiveness of encryption is based on; • Secrecy and difficulty of compromising the key. • Lack of other means of decrypting without the key. • Inability to perform a known text attack – knowing how a portion of encrypted text decrypts. Let us continue to discuss more in the next slide. Trade-offs in encryption, if the algorithm is too complex and it takes too long to use, or requires keys that are too large to store easily, it becomes impractical to use: The need to balance between the strength of the encryption; that is, how difficult it is for someone to discover the algorithm and the key, and ease of use. Network Infrastructure Security-Encryption (contd.) There are two main types of encryption in use for computer security, referred to as symmetric and asymmetric key encryption. Symmetric key cryptographic systems: This ar based on symmetric encryption algorithm - same key (private) to encrypt plaintext and decrypt ciphertext. Also called private or secret key cryptography. The common private key cryptographic systems are;  Data Encryption System (DES), 64-bit  Advanced Encryption Standard (AES), 128-bit to 256-bit The advantage of this method is that it uses one key to encrypt and decrypt and hence uses less processing power. However, getting the key to those you want to exchange data with is the problem. An illustration of symmetric key cryptographic system is on the next slide. Network Infrastructure Security-Encryption (contd.) Key management is an issue. Each pair of communicating entities needs a shared key: For an n-party system, there are n(n-1)/2 distinct keys in the system and each party needs to maintain n-1 distinct keys. Network Infrastructure Security-Encryption (contd.) How to reduce the number of shared keys in the system:  Centralized key management: Session keys.  Use Public keys. The other type of encryption is discussed in the next slide. Asymmetric (Public) key cryptographic systems: This systems uses different keys are used for encrypting and decrypting a message. It solves the problem of getting the key to those you want to exchange data with. It involves two keys working as a pair:  one to encrypt and the other to decrypt  Asymmetric = inversely related to each other  One key (secret/private) is known only to one person  The other key (public) is known to many people Network Infrastructure Security-Encryption (contd.) Common form of asymmetric encryption is RSA  Smith has two keys: public and private:  Smith publishes her public key - Such that the key is publicly known!  Smith keeps her private key secret.  Other people use Smith’s public key to encrypt messages for Smith.  Smith uses her private key to decrypt messages.  Only Smith can decrypt since only she has the private key. Advantages of public key cryptography are;  The necessity of distributing secret keys to large numbers of users is eliminated,  The algorithm can be used for authentication as well as for creating ciphertext. Network Infrastructure Security-Encryption (contd.) To compute the private key from the public key is assumed difficult. Public key cryptography ensures;  Authentication and non-repudiation - encrypting with the sender’s secret key  Confidentiality - encrypting with the receiver’s public key  Authentication and confidentiality - first encrypting with the sender’s secret key & secondly with the receiver’s public key Let us learn the differences between Symmetric Key & Public key in the next screen Network Infrastructure Security-Encryption (contd.) Symmetric key Public key Two parties MUST trust each other Two parties DO NOT need to trust each other Typically both share same key Two separate keys: a public and a private key Typically faster x100 Typically slower Examples:DES, IDEA, RC5, AES. Examples:RSA, ElGamal Encryption, ECC. Network Infrastructure Security-Encryption (contd.) Elliptical Curve Cryptography (ECC): A variant and more efficient form of public key cryptography (how to manage more security out of minimum resources) gaining prominence is the elliptical curve cryptosystem. Quantum Cryptography: The next generation of cryptography that will solve existing problems associated with current cryptographic systems. Advanced Encryption Standard (AES): AES replaces Data Encryption Standard (DES) as the cryptographic algorithm standard. Due to its short key-length, the former standard for symmetric encryption –DES – reached the end of its life cycle. Network Infrastructure Security-Encryption (contd.) Digital signatures: Electronic identification of a person or entity. Intended for the recipient to verify the integrity of the data and the identity of the sender. Data signatures ensures: • Data integrity – one-way cryptographic hashing algorithm (digital signature algorithms) • Sender identity (authentication) – public key cryptography • Non-repudiation • Replay protection – timestamps and sequence numbers are built into the messages. Digital Envelope: used to send encrypted information and the relevant key along with it. The message to be sent, can be encrypted by using either asymmetric key or symmetric key. You will now attempt a question to test what you have learnt so far.

5.25 Knowledge Statement 5.13

In this topic, we will learn about the concepts in knowledge statement, 5.13. Let us discuss about Public Key Infrastructure (PKI) and Digital Signature Techniques in the next few screens Public Key Infrastructure (PKI) and Digital Signature Techniques Encryption is the process of converting a plaintext message into a secure coded form of text, called cipher text, which cannot be understood without converting back via decryption (the reverse process) to plaintext. PKls use encryption to facilitate the following:  Protect data in transit over networks from unauthorized interception and manipulation  Protect information stored on computers from unauthorized viewing and manipulation  Deter and detect accidental or intentional alterations of data  Verify authenticity of a transaction or document- e.g., when transmitted over a web-based connection in online banking, share dealing, etc.  Protect data in such situations from unauthorized disclosure Understanding the business use of digital signatures is also expected, especially its use in providing non repudiation of and replay protection to messages. Public Key Infrastructure (PKI) and Digital Signature Techniques Main areas covered here are; ● Encryption ● Public Key Infrastructure (PKI) In the next few screens we will discuss about Public key infrastructure (PKI). Public key infrastructure (PKI). Public Key Infrastructure (PKI) framework by which a trusted party issues, maintains and revokes public key certificates. PKI Reasons:  Many applications need key distribution.  Digital signature vulnerability: sender’s private key and public key may be faked, or intercepted and changed. Anyone can derive keys so there is a need to have a mechanism to assure that keys belong to entities they claim to come from. In PKI, a Certification Authority (CA) validates keys. Distribution in PKI is done via a hierarchy of CAs. Public key infrastructure (PKI) (contd.) CA Process. The CA checks real-world credentials, gets key from user in person, signs Certificate (“cert”) validating key. Then a certificate is attached to assure an end point that an entity is who it claims to be if the end point trusts the CA, then it will trust that entity and who it claim to be. Elements of PKI include; • Digital Certificates • Certificate Authority (CA) • Registration Authority (RA) • Certificate Revocation List (CRL) • Certification Practice Statement (CPS) Public key infrastructure (PKI) (contd.) Digital certificates: Digital credential comprising: a public key of an individual and identifying information about the individual. It is digitally signed by the trusted entity with its private key. Receiver relies on the public key of the trusted party. It also include algorithm used and validity period. Certificate Authority (CA): • Trusted provider of public/private key pairs. • Attests to the authenticity of owner of public key. • Uses due diligence to issue certificate on evidence, or knowledge. • Upon verification of the user, the CA signs the certificate using its private key. • Responsible for managing the certificate throughout its life cycle. • Authoritative for the name or key space it represents. Public key infrastructure (PKI) (contd.) Certificate Revocation List (CRL) details digital certificates that are no longer valid. It is used for checking continued validity of certificates. Time gaps between two updates are very critical. Certification Practice Statement (CPS) is a detailed set of rules governing CA’s operations. It provides:  Understanding of the value and trustworthiness of certificates issued in terms of controls observed  Method used to authenticate applicants  CA’s expectations on how certificates may be used Registration Authority (RA): Optional entity separate from the CA that performs administrative tasks like Recording and verifying information needed by the CA to issue certifications or CRLs. Also perfoming certificate management functions. CA remains solely responsible for signing digital certificates or CRLs You will now attempt a question to test what you have learnt so far.

5.27 Knowledge Statement 5.14

In this topic, we will learn about the concepts in knowledge statement, 5.14. Let us discuss about Peer-to-peer computing, instant messaging, and web-based technologies in the next screen Peer-to-peer Computing, Instant Messaging and Web-based Technologies CISA candidates must have a knowledge of risks and controls associated with peer-to-peer computing, instant messaging, and web-based technologies (e.g., social networking, message boards, blogs). Peer-to-peer computing, instant messaging and web-based technologies (e.g. social networks, message boards, blogs) are technologies that introduce new risks to the enterprise. Information posted on social network sites may inadvertently disclose confidential nonpublic information that may violate financial security laws or violate customer privacy laws. Peer-to-peer computing is inherently insecure and may lead to the introduction of malicious code into an otherwise secure environment. Main areas to be covered here are: ● Computer Crime Issues and Exposures ● Peer-to-peer computing, instant messaging, and web-based technologies In the next screen, we’ll lean more about peer-to-peer computing. Peer-to-peer computing. In peer-to-peer computing no specific server to which a user connects. Generally, connection is between two peers. As a result, there are risks associated with peer-to-peer, which include; • No central server, hence the risks include: virus-infected files can be directly shared with others; • Trojans and spyware may be inadvertently copied across systems • Users may expose their IP addresses that could result in e.g., IP spoofing, traffic sniffing and other IP-based attacks a user from the peer network may access sensitive data in unprotected folders. Peer-to-peer computing (contd.) Proper security policies and control measures are required for peer-to-peer computing. Safest approach is to deny such connections unless there is a business need. In the next screen we will learn about Instant Messaging Instant Messaging Instant Messaging (IM) is a popular mechanism for collaboration and keeping in touch. Involves two or more users connecting and chatting on topics of interest, with prompt acknowledgement and response (rather than e-mails). Risks of instant messaging are; • Eavesdropping if sensitive information is sent over unencrypted channels. • Exchange of virus-infected files and other malicious codes. • Data leakage if the file is sent unmonitored over IM channels. • Exploitation of vulnerabilities if the Public IM client software is not adequately patched. Let us continue discussing about Instant Messaging in the next screen Instant Messaging (contd.) Controls: Good IM policy & user awareness required; advisable to use internal IM software instead of public software; only enterprise employees should be allowed to connect; and adequate monitoring of IM use to minimise risk of data leakage of confidential information. In the next slide we will discuss about Social Networking Sites Social Networking Sites Social Networking Sites (SNS) include sites such as Facebook and LinkedIn that help establish connection with colleagues, friends and relatives. Risks: Uploading of personal and private information, Phishing, URL spoofing, Cyber-stalking Controls: Policies on what information can be shared on such sites, Education and awareness to staff on what information to share or not share on such sites. Also having a policy banning use of such sites in the office. Let us continue discussing Social Networking Sites in the next screen Social Networking Sites (contd.) Example of an incidence: A hacker was able to gather information about names of friends and date of birth of an employee. They used this information to do email spoofing and managed to receive money from the friends by impersonating him and claiming to be stranded in another country with no passport and money. You will now attempt a question to test what you have learnt so far.

5.29 Knowledge Statement 5.15

In this topic, we will learn about the concepts in knowledge statement, 5.15. Let us discuss about Controls and risks associated with the use of mobile and wireless devices in the next screen Controls and risks associated with the use of mobile and wireless devices The CISA candidate must have a knowledge of controls and risks associated with the use of mobile and wireless devices. Portable and wireless devices present a new threat to an organization's information assets and must be properly controlled. Policies and procedures as well as additional protection mechanisms must be put into place to ensure that data are protected to a greater extent on portable devices since such devices will most likely operate in environments where physical controls are lacking or nonexistent. Most transportable media, including PDAs, BlackBerry® devices, etc. are easily lost or stolen and thus require the use of encryption technologies as well as strong authentication. It also may be necessary to classify some data as inappropriate for storage on a mobiledevice. The IS auditor should understand that all such media and devices, which may include personal music (MP3) devices, can also be used by an individual to steal both data and programs for personal use or gain. We will focus of Mobile Computing. Controls and risks associated with the use of mobile and wireless devices (contd.) Main areas covered here are: ● Mobile Computing In the next screen we will discuss about Laptop Security Laptop security. The risk of using laptops is the difficulty to implement logical and physical security in a mobile environment. Laptop Security Controls: • Laptop security measures: • Engraving the serial number, company name • Cable locks, monitor detectors • Regular backup of sensitive data • Encryption of data • Allocating passwords to individual files • Theft response procedures You will now attempt a question to test what you have learnt so far.

5.31 Knowledge Statement 5.16

In this topic, we will learn about the concepts in knowledge statement, 5.16. Let us discuss about Voice Communications Security in the next screen Voice Communications Security. It is key to know voice communications security (e.g., PBX, VoIP). The increasing complexity and convergence of voice and data communications introduces additional risks that must be taken into account by the IS auditor. VolP and PBX environments involve many security risks, both within and outside the organization, that must be addressed to ensure the security and reliability of voice communications. Main areas to be covered here are; ● Voice-over IP ● Private Branch Exchange In the next slide we will discuss about VOIP Voice-over IP VOIP IP telephony (Internet telephony) is the technology that makes it possible to have a voice conversation over the Internet. Protocols used to carry the signal over the IP network are referred to as VOIP. VOIP is a technology where voice traffic is carried on top of existing data infrastructure. In VOIP sounds are digitized into IP packets and transferred through the network layer before being decoded back into the original voice. VOIP has reduced long-distance call costs in a number of organisations. Thus we will focus on Voice-over IP and Private Branch Exchange. Let us continue to discuss VOIP in the next slide. Voice-over IP (contd.) VoIP Advantages over traditional telephony: • VOIP innovation progresses at market rates rather than at the rates of ITU (International Telecommunications Union). • Lower costs per call or even free calls for long-distance calls. • Lower infrastructure costs. The risks associated with use of VOIP are; the need to protect two assets ( the data and the voice). Inherent poor security. The current Internet architecture does not provide the same physical wire security as the phone lines. Controls for securing VoIP is implementing security mechanisms such as those deployed in data networks (e.g., firewalls, encryption) to emulate the security level currently used by PSTN network users. In the next screen we will discuss about Private Branch Exchange (PBX). Private Branch Exchange (PBX). PBX is a sophisticated computer-based phone system from early 1920s. Originally it was analog but is now digital. Principle purpose it to save the cost of providing each person with a line. Attributes include: • multiple telephone lines; • digital phones for both voice and data; • switching calls within PBX; • non-blocking configuration that allows simultaneous calls; • operator console or switchboard Let us continue discussing Private Branch Exchange (PBX) in the next screen Private Branch Exchange (PBX) (contd.) The risks associated with use of PBX are; • Theft of service and toll fraud • Disclosure of information through eavesdropping • Unauthorised access to resources • Denial of service • Traffic analysis (passive attack). You will now attempt a question to test what you have learnt so far.

5.33 Knowledge Statement 5.17

In this topic, we will learn about the concepts in knowledge statement, 5.17. Let us discuss about Evidence preservation techniques in the next screen Evidence preservation techniques CISA candidate must have a knowledge of the evidence preservation techniques and processes followed in forensics investigations (e.g., IT, process, chain of custody). Audit conclusions should be supported by reliable and relevant evidence. Evidence is collected during the course of an audit follows a life cycle. This life cycle introduces collection, analysis , and preservation and destruction of evidence. The source of evidence should be reliable and qualified. That is, from an appropriate original source rather than obtained as a “comment” or “hearsay”. Evidence should originate directly from a trusted source to help ensure objectivity in fraud investigations or legal proceedings, maintaining the integrity of evidence throughout the evidence life cycle may be referred to as the chain of custody when the evidence is classified as forensic. Audit evidence should include information regarding date of creation. Evidence Preservation Techniques (contd.) Main areas covered here are: ● Evidence ● Audit Documentation ● Investigation Techniques ● Continuous Auditing In the next few screen we will discuss about Investigation techniques Investigation Techniques Investigation techniques include the investigation of computer crime and the protection of evidence and chain of custody, among others. Investigation of Computer Crime Computer crimes are not reported in most cases simply because they are not detected or of the negative publicity they generate. In many countries laws are directed toward protecting physical property making it very difficult to use such laws against computer crime. It is very important that proper procedures are used to collect evidence from a crime scene. The environment and evidence must be left unaltered and specialist law enforcement officials must be called in after a crime. Investigation Techniques (contd.) Computer Forensics is process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e court). Includes activities involving exploration and application of methods to gather, process, interpret and use digital evidence. Loss of preservation of integrity of evidence means loss of value in legal proceedings. The chain of evidence contains information regarding:  Who had access to the evidence (chronological manner)  Procedures followed in working with the evidence  Proving analysis is based on copies identical to original evidence Investigation Techniques (contd.) Considerations regarding evidence: • Identify – identify information that may form evidence. • Preserve – practice of retrieving identified information and preserving it a evidence. Involves imaging of original data and documenting chain-of-custody. • Analyze – involves extracting, processing, and interpreting the evidence. Analysis performed on image of the media not the original. • Present – involves a presentation to the various audiences such as management, attorneys, presenter to be qualified; & the process of preservation and analysis credible. Investigation Techniques (contd.) Key elements of computer forensics The IS auditor should consider: • Data Protection – measures to ensure sought-after information isn’t altered. • Data Acquisition – all required data transferred to controlled location and writable media write-protected. • Imaging – process allowing bit-for-bit replication of data on disk that avoids damage to original data. • Extraction – process of identification and selection of relevant data from the imaged data set. • Interrogation – used to obtain prior indicators or relationships from extracted data. • Ingestion/Normalization – process of converting extracted information to a format that can be understood by investigators. • Reporting – information should be collected and reported in a proper way for it to be valuable. You will now attempt a question to test what you have learnt so far.

5.35 Knowledge Statement 5.18

In this topic, we will learn about the concepts in knowledge statement, 5.18. Let us discuss about Data classification standards and supporting the next screen Data classification standards and supporting procedures CISA candidate must have a knowledge of data classification standards and supporting procedures. Information assets have varying degrees of sensitivity and criticality in meeting business objectives. Data is classified and protected according to the set degree. An important first step to data classification is discovery, inventory and risk assessment. Once this is accomplished, data classification can then be put into use. By assigning classes or levels of sensitivity and criticality to information resources and establishing specific security rules for each class, enterprises can define the level of access controls and the retention time and destruction requirements that should be applied to each information asset. The IS auditor should understand the process of classification and the interrelationship between data classification and the need for inventorying information assets and assigning responsibility to data owners. Data owner responsibilities should be clearly identified, documented and implemented. Data classification standards and supporting procedures (contd.)Main areas to be covered here are:. ● Inventory and classification of information assets In the next screens we will learn about Inventory and Classification of Information Assets. Inventory and Classification of Information Assets. A detailed inventory of information assets is required for effective control. The inventory is the first step in classifying the assets and determining level of protection required. Inventory record should include: • Specific identification of the asset. • Relative value to the organization. • Location • Security risk classification • Asset group (where the asset forms part of a larger IS) • Owner • Designated custodian • Classification should be simple, and employed during risk assessment (by end-user managers and system admins) – use ISO/IEC 27001:2005 • Reduce risk and cost of over- or under-protection • Used to identify:  Who


... ...



Published on {{detail.created_at| date}} {{detail.duration}}

  • {{}}
  • Views {{detail.downloads}}
  • {{detail.time}} {{detail.time_zone_code}}



About the On-Demand Webinar

About the Webinar

Hosted By





About the E-book

View On-Demand Webinar

Register Now!

First Name*
Last Name*
Phone Number*

View On-Demand Webinar

Register Now!

Webinar Expired

Download the Ebook

{{ queryPhoneCode }}
Phone Number {{ detail.getCourseAgree?'*':'(optional)'}}

Show full article video

About the Author


About the Author