Hello and welcome to the fifth domain of the Certified Information Systems Auditor, CISA, course offered by Simplilearn. This domain will cover protection of information assets. Let us look at the objectives of this domain in the next screen.

By the end of this domain, you should be able to understand and provide assurance that the enterprise's security policies, standards, procedures, and controls ensure the confidentiality, integrity, and availability of information assets; detail the design, implementation, and monitoring of security controls; discuss the risks associated with the use of mobile and wireless devices; understand encryption techniques such as public key infrastructure and risks related to data leakage; detail network detection tools and techniques; and discuss how confidential information can be stored, retrieved, transported, and disposed of.

The following screen gives an overview of this domain. An information asset is a component related to the provision of accurate data or information for decision-making purposes by an entity. It is considered to hold value to that particular organization and should therefore be protected by ensuring confidentiality, integrity, and availability, CIA. Examples of information assets are information or data; computer application systems; computers, personal computers, PCs, laptops, PDAs, phones; networks, local area network, LAN, wide area network, WAN, wireless networks; human resources; facilities, main distribution facilities, MDFs, data centers, server rooms; and other technologies such as database technologies, among others.

Let us continue with the overview in the following screen. The risks to business include financial loss, electronic fraud, legal repercussions, privacy issues, loss of credibility or competitive edge, blackmail, industrial espionage, sabotage, and breach of confidentiality. Security failures can be costly to business, as more costs are incurred to secure systems and prevent further failure. Furthermore, costs are incurred from losses from the failure itself and when recovering from such losses.

Let us now look at threats to information assets in the next slide. The threats to information assets include hackers, crackers, phreakers, authorized or unauthorized employees, IS personnel, end users, former employees, interested or educated outsiders, competitors, organized criminals, part-time and temporary personnel, vendors and consultants, and finally accidental ignorance.

Let us begin with the first topic in this domain in the following screen. In this topic, we will learn about the concepts under the first knowledge statement, KS 5.1. We will begin with design, implementation, and monitoring of security controls in the next screen.

The key knowledge statement is to understand the techniques for the design, implementation, and monitoring of security controls, including security awareness programs. Security needs to be aligned with business objectives to provide a reasonable reduction in risk. Security objectives may include the following: ensure the continued availability of information systems; ensure the integrity of information stored on its computer systems and its security while the information is in transit; preserve the confidentiality of sensitive data while stored and in transit; and ensure compliance with applicable laws, regulations, and standards.

Let us continue discussing design, implementation, and monitoring of security controls in the next screen. Ensure adherence to trust and obligation requirements for any information assets in accordance with the applicable privacy policy or privacy laws and regulations. Prudence in the application of controls is important because controls entail a cost, either directly or indirectly, by impacting business operations. The business impact analysis, BIA, is the process used to establish the material adverse events the business should be worried about.

The following screen lists the main areas to be covered under this knowledge statement. The main areas to cover here are key elements of information security management, critical success factors to information security, inventory and classification of information assets, and network infrastructure security.

In the next screen, we will learn about information security management. Effective ISM is the most critical factor in protecting information assets and privacy. The factors that raise the profile of information and privacy risk include electronic trading through service providers and directly with customers, loss of organizational barriers through the use of remote access facilities, and high-profile security exposures: viruses, denial of service, DoS, attacks, intrusions, unauthorized access, disclosures and identity theft over the Internet, etc.

Let us continue discussing information security management, ISM, in the next screen. Security awareness and education through training and regular updates: written policies and procedures and updates, non-disclosure statements signed by employees, newsletters, web pages, videos, and other media, visible enforcement of security rules, simulated security incidents and simulated drills, rewards for reporting suspicious events, and periodic audits. Monitoring and compliance: control includes an element of monitoring and usually relates to regulatory and legal compliance, incident handling, and response.

In the next few screens, we will learn about roles and responsibilities under information security management. The security objectives to meet business requirements are to ensure continued availability of information systems, to ensure integrity of information stored in systems and while in transit, to preserve confidentiality of sensitive data, to ensure conformity to applicable laws, regulations, and standards, to ensure adherence to trust and obligation requirements, and to ensure protection of sensitive data. Data integrity, as it relates to security objectives, generally refers to accuracy, completeness, consistency or neutrality, validity, and verifiability of the data once loaded on the system. Integrity refers to the reliability of data.

Let us continue discussing information security management, ISM, in the next screen. The key elements of ISM are: senior management commitment and support, as risk management begins at the top; policies and procedures, the framework that captures top management's declaration of direction; and organization, with clearly defined and allocated roles and responsibilities, supplemented with guidance, usually relating to regulatory and legal compliance.

Let us continue discussing information security management, ISM, in the next screen. Roles and responsibilities must be defined, documented, and communicated to personnel and management. The IS security steering committee is represented by individuals from various management levels. It also discusses and approves security policies, guidelines, and procedures, with input from end users, executive management, auditors, security administration, IS personnel, and legal counsel. The committee is formally established with appropriate terms of reference. Executive management is responsible for the overall protection of information assets and for issuing and maintaining the policy framework.

The security advisory group is responsible for defining the information risk management process and the acceptable level of risk, and for reviewing security plans. It is comprised of people involved in the business and provides comments on security issues to the chief security officer, CSO. It also advises the business whether the security programs meet business objectives.

The chief information security officer, CISO, is a senior-level corporate official responsible for articulating and enforcing policies used to protect information assets. The CISO has a much broader role than the CSO, who is normally only responsible for physical security within the organization.

Information asset owners and data owners are entrusted with the responsibility for the owned asset, including performance of a risk assessment, selection of appropriate controls to mitigate the risk, and acceptance of the residual risk. Process owners ensure appropriate security measures consistent with organizational policy are maintained. Users comply with procedures set out in the security policy and adhere to privacy and security regulations, often specific to sensitive data, for example, health, legal, finance, etc. The chief privacy officer, CPO, is a senior-level corporate official and is responsible for articulating and enforcing policies used to protect customers' and employees' privacy rights. External parties follow procedures set out in the security policy. They adhere to privacy and security regulations, often specific to sensitive data, for example, health, legal, finance, etc. The information security administrator is a staff-level position, responsible for providing adequate physical and logical security for IS programs, data, and equipment, normally guided by the information security policies. Security specialists and advisors assist with the design, implementation, management, and review of security policies, standards, and procedures. IT developers implement information security within their applications. IS auditors provide independent assurance on the appropriateness and effectiveness of information security objectives and the controls related to these objectives.

In the next screen, we will learn about system access permissions. System access permission is the ability to do something with a computer resource: read, create, modify, or delete a file or data, execute a program, or use an external connection. It is controlled at the physical and/or logical level. Logical controls govern access to information and programs. They are built into operating systems, invoked through access control software, and incorporated in application programs, DBs, network control devices, and utilities.

Let us continue discussing system access permissions in the next screen. Physical controls restrict the entry and exit of personnel and the movement of equipment and media. They include badges, memory cards, keys, and biometrics. Access is granted on a documented, need-to-know basis with a legitimate business requirement, based on the least privilege and segregation of duties principles. Access principles relate to four layers of security, namely network, platform, typically the operating system, database, and application.

In the next screen, we will learn about mandatory and discretionary access controls. Mandatory access controls, MACs, are logical access controls that cannot be modified by normal users or data owners. They act by default and are used to enforce critical security without possible exception. Only administrators can grant a right of access, guided by an established policy of the organization. Discretionary access controls, DACs, may be configured or modified by the users or data owners. Access may be activated or modified by a data owner. DACs cannot override MACs; they act as additional filters to restrict access further.

In the next few screens, we will learn about privacy management issues and the role of IS auditors.
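Before moving on, here is an added example, not part of the Simplilearn course material, that models the MAC/DAC relationship just described: the mandatory check is applied first using administrator-assigned labels, and the owner-maintained discretionary ACL is only consulted afterwards, so it can narrow access but never widen it. The users, labels, file names and ACL entries are constructed sample data, and the mandatory rule used is the classic lattice model (no read-up, no write-down), which the slide does not name but which is the usual formalization of a MAC.

```python
# Added example, not part of the Simplilearn course material: a small model of
# how mandatory access controls (MACs) and discretionary access controls (DACs)
# combine. Users, labels and the ACL are constructed sample data.

# Ordered sensitivity levels used by the mandatory policy (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Mandatory labels: set by the administrator under organizational policy;
# neither normal users nor data owners can change them.
CLEARANCE = {"alice": "secret", "bob": "internal", "carol": "confidential", "dave": "secret"}
CLASSIFICATION = {"payroll.xlsx": "confidential", "newsletter.txt": "public"}

# Discretionary layer: each file has an owner who maintains its ACL.
OWNER = {"payroll.xlsx": "carol", "newsletter.txt": "bob"}
ACL = {
    "payroll.xlsx": {"carol": {"read", "write"}, "alice": {"read"}, "bob": {"read"}},
    "newsletter.txt": {"bob": {"read", "write"}, "alice": {"read"}, "carol": {"read"}},
}


def mac_permits(user, resource, action):
    """Mandatory rule (classic lattice model, an assumption of this example):
    reading requires clearance at or above the classification (no read-up);
    writing requires clearance at or below it (no write-down), so secret data
    cannot be copied into a lower-classified file."""
    clearance = LEVELS[CLEARANCE[user]]
    classification = LEVELS[CLASSIFICATION[resource]]
    if action == "read":
        return clearance >= classification
    if action == "write":
        return clearance <= classification
    return False


def dac_permits(user, resource, action):
    """Discretionary rule: the owner's ACL must list the action for this user."""
    return action in ACL.get(resource, {}).get(user, set())


def owner_grant(requester, resource, user, action):
    """Only the data owner may activate or modify discretionary access."""
    if OWNER[resource] != requester:
        raise PermissionError(f"{requester} does not own {resource}")
    ACL.setdefault(resource, {}).setdefault(user, set()).add(action)


def access_decision(user, resource, action):
    """MAC is evaluated first and is final when it denies; DAC is consulted only
    afterwards, so it can narrow access but never override the mandatory policy."""
    if not mac_permits(user, resource, action):
        return "deny (mandatory policy)"
    if not dac_permits(user, resource, action):
        return "deny (discretionary ACL)"
    return "allow"


if __name__ == "__main__":
    # bob is on the payroll ACL, but his clearance is below the classification:
    # the owner's discretionary grant cannot override the mandatory control.
    for user, resource, action in [("alice", "payroll.xlsx", "read"),
                                   ("bob", "payroll.xlsx", "read"),
                                   ("dave", "newsletter.txt", "read")]:
        print(f"{user:6} {action:5} {resource:15} -> {access_decision(user, resource, action)}")
```

The point an auditor checks for is in `access_decision`: an owner can add anyone to the ACL, but a user whose clearance is below the file's classification is still denied, and only an administrator can change the labels.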
Privacy issues relate to personally identifiable information, for example, a personal identification number, PIN. Regulations generally restrict the use of such data by giving the subject individual rights to access and correct that data. They also govern how such data is obtained, requiring the knowledge and consent of the data subject. The impact of risks includes marketing risks, transborder data flow, and variations in regulations, and may require privacy experts during risk assessment.

The goals of a privacy impact assessment are identifying the nature of personally identifiable information relating to business processes; documenting the collection, use, disclosure, storage, and destruction of personally identifiable information; providing management with an understanding of privacy risk and options to mitigate this risk; ensuring accountability for privacy; and facilitating compliance with relevant regulations.

IS audit considerations relating to privacy include the adequacy of the privacy assessment, for example, compliance with the privacy policy, laws, and other regulations, and the manner in which IT is used for competitive gain. Another consideration is the ongoing assessments conducted when new products, services, systems, operations, processes, and third parties are under consideration. Besides, transborder and multinational laws should also be considered. The focus and extent of a privacy impact assessment may depend on changes in technology, processes, or people, as shown below.

In the next few screens, we will learn about information security and external parties. Human resources security and third parties: the security roles and responsibilities of employees, contractors, and third-party users should be defined and documented in accordance with the organizational security policy, with information security policies to guide employees, contractors, and third-party users. Information security and external parties: the security of information and processing facilities must be maintained when external party services or products are introduced. Controls must be agreed to and defined in a formal agreement. The organization must have the right to audit the implementation and operations.

The external party arrangements include service providers, ISPs, network providers, managed security services, customers, outsourcing of facilities and/or operations, IT systems, data collection services, management and business consultants and auditors, developers and suppliers, cleaning, catering, and other outsourced support services. Others include temporary personnel, student placements, and other casual short-term appointments.

The risks related to external party access arise where information processing facilities are required to be accessed by external parties. The factors to consider include the types of access, physical access, logical access, and network connectivity; the organization and the external party; the value and sensitivity of the information involved and its criticality for business operations; and legal and other regulatory requirements.

Security in relation to customers involves identifying security requirements for customer access. The customer access security considerations are: asset protection; a description of the product or service to be provided; the reasons, requirements, and benefits for customer access; the access control policy; arrangements for reporting, notification, and investigation of information inaccuracies; target levels of service and unacceptable levels of service; the right to monitor and revoke any activity related to an organization's assets; and intellectual property rights and copyright assignment.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.2. Let us discuss monitoring and responding to security incidents in the following screens. The key knowledge point is the processes related to monitoring and responding to security incidents, for example, escalation procedures and the emergency incident response team. A formal incident response capability should be established to minimize the impact of security incidents, recover in a timely and controlled manner, and learn from such incidents. History should be kept through proper recording of incidents. While security management may be responsible for monitoring and investigating events and may have drafted or set a requirement for escalation procedures, other functions must be involved to ensure a proper response. These functions must have well-defined and communicated processes in place that are tested periodically. The main areas covered here are security incident handling and response.

In the next screen, we will discuss incident handling and response. An incident is an adverse event that threatens some aspect of information security. To minimize damage from security incidents and to recover and learn from such incidents, a formal incident response capability has to be established, and it includes planning and preparation, detection, initiation, recording, evaluation, containment, eradication, escalation, response, recovery, closure, and post-incident review.

Let us continue discussing incident handling and response. Procedures are defined for reporting different types of incidents. The process involves quick reporting and collection of evidence, a formal disciplinary process, and, where applicable, automated intrusion detection systems. Incident handling and response roles involve the coordinator, who is the liaison to business process owners; the director, who oversees the incident response capability; managers, who manage individual incidents; security specialists, who detect, investigate, contain, and recover from incidents; non-security technical specialists, who provide assistance on subject matter expertise; and business unit leader liaisons, which include legal, HR, and PR. Logical access controls is another area we are going to learn about in subsequent slides.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.3. Let us discuss logical access controls in the following screens. The knowledge point to learn here is logical access controls for the identification, authentication, and restriction of users to authorized functions and data. Logical access controls are used to manage and protect information assets. Controls enact and substantiate policies and procedures designed by management to protect information assets. Controls exist at both the operating system level and the application level, so it is important to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point.

Let us continue the discussion about logical access controls in the next few screens. Logical security is often determined based on the job function of users. The success of logical access controls is tied to the strength of the authentication method, for example, strong passwords. All user access to systems and data should be appropriately authorized and should be commensurate with the role of the individual. Authorization generally takes the form of signatures, physical or electronic, of relevant management. The strength of the authentication is proportional to the quality of the method used. Strong authentication may include dual or multifactor authentication using user ID, password, tokens, and biometrics. The main areas covered here are logical access.

Logical access controls are the primary means used to manage and protect information assets. Exposures can result in anything from minor inconveniences to a total shutdown of computer functions. Logical access controls involve managing and controlling access to information resources, based on management policies and procedures for information security. Logical access controls must be evaluated vis-à-vis information security objectives. Familiarization with the IT environment helps in determining which areas, from a risk standpoint, warrant IS auditing attention. This includes reviewing the security layers associated with the IS architecture: network, OS, database, and application.

Paths of logical access are the points of entry to the IS infrastructure: back-end and front-end systems, internally based users, externally based users, and direct access to specific servers. All points of entry must be known. General points of entry relate to the network or telecom infrastructure in controlling access to information resources. A typical client-server environment has primary domain controllers and network management devices, for example, routers and firewalls. General modes of access are network connectivity and remote access, remotely dialing into a network for services that can be performed remotely, for example, email.

Traditional points of entry are mainly applicable to mainframe-based systems used for large database systems or "legacy" applications. Operator consoles are privileged computer terminals that control most computer operations and functions. They provide a high level of system access but do not have strong logical access controls, so they are located in a suitably controlled facility where physical access can only be gained by authorized personnel. Online workstations in client-server environments: this method typically requires at least a logon ID and password to gain access to the host computer system. It may also require further entry of authentication or identification data for access to application-specific systems.

IS resources are more accessible and available anytime and anywhere. Computers store large volumes of data. Sharing of resources has increased from one system to another, and accessibility has increased through intranets and the Internet. Logical access control software has become critical in protecting IS resources. It prevents unauthorized access to and modification of sensitive data, and use of critical functions. It is applied across all layers of the IS architecture: network, OS, DBs, and applications. Common attributes of this software are that it has some form of identification and authentication, provides access authorization, checks access to specific information resources, and provides logs and reporting of user activities. The greatest degree of protection is applied at the network and platform OS level, mainly because it is the primary point of entry to systems. Besides, it is the foundation, the primary infrastructure, on which applications and DBs reside. Also, OS access control software interfaces with databases and/or applications to protect system libraries and datasets. Network devices, for example, routers and firewalls, manage external access to networks and thus need the highest degree of protection.

General OS and application access control software functions include creating or changing user profiles, assigning user identification and authentication, applying user logon limitation rules, for example, restricting logon IDs to specific workstations at specific times, establishing rules for access to specific resources, creating individual accountability and auditability by logging user activities, logging events, and reporting capabilities.
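Two of the functions just listed, logon limitation rules and logging with reporting, are shown together in the following added example, which is not part of the course material. The rule table, logon IDs, workstation names and timestamps are constructed; the code restricts each logon ID to named workstations and a time window (including a window that crosses midnight for a service account), records every attempt, and produces the denied-attempts report an auditor would review.

```python
from datetime import datetime, time

# Logon limitation rules per logon ID (constructed sample policy): the
# workstations a logon ID may be used from and the hours it may be used at.
LOGON_RULES = {
    "jsmith": {"workstations": {"WS-101", "WS-102"},
               "window": (time(8, 0), time(18, 0)), "weekdays_only": True},
    "backup_svc": {"workstations": {"SRV-BKP-01"},
                   "window": (time(22, 0), time(4, 0)), "weekdays_only": False},
}

# Every attempt, allowed or denied, is recorded so that activity can be
# attributed to an individual logon ID and reviewed later.
AUDIT_LOG = []


def _in_window(t, start, end):
    """True when t falls in [start, end]; handles windows that cross midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def check_logon(logon_id, workstation, when):
    """Apply the logon limitation rules and log the outcome.
    Returns (allowed, reason); reason is None when the logon is permitted."""
    rule = LOGON_RULES.get(logon_id)
    if rule is None:
        reason = "unknown logon ID"
    elif workstation not in rule["workstations"]:
        reason = "workstation not permitted"
    elif rule["weekdays_only"] and when.weekday() >= 5:
        reason = "outside permitted days"
    elif not _in_window(when.time(), *rule["window"]):
        reason = "outside permitted hours"
    else:
        reason = None
    AUDIT_LOG.append({
        "ts": when.isoformat(),
        "logon_id": logon_id,
        "workstation": workstation,
        "result": "ALLOW" if reason is None else "DENY",
        "reason": reason or "",
    })
    return reason is None, reason


def denied_attempts_report(log=None):
    """Reporting capability: denied attempts per logon ID, the kind of exception
    report an IS auditor would ask to see."""
    counts = {}
    for entry in (AUDIT_LOG if log is None else log):
        if entry["result"] == "DENY":
            counts[entry["logon_id"]] = counts.get(entry["logon_id"], 0) + 1
    return counts


if __name__ == "__main__":
    attempts = [  # constructed attempts
        ("jsmith", "WS-101", datetime(2024, 3, 12, 9, 30)),         # Tuesday, office hours
        ("jsmith", "WS-999", datetime(2024, 3, 12, 9, 30)),         # unknown workstation
        ("jsmith", "WS-101", datetime(2024, 3, 16, 9, 30)),         # Saturday
        ("backup_svc", "SRV-BKP-01", datetime(2024, 3, 13, 2, 0)),  # inside night window
    ]
    for logon_id, ws, when in attempts:
        check_logon(logon_id, ws, when)
    for entry in AUDIT_LOG:
        print(entry)
    print(denied_attempts_report())
```

Note that the denial reason is logged but would not normally be shown to the person at the keyboard; the log entry is what gives individual accountability, and the report is what turns it into something reviewable.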
Database or application level controls create or change data files and database profiles. They also verify user authorization at the application and transaction level within the application and at the field level for changes within the database. They also verify subsystem authorization for the user at the file level. In addition, they log database and data communications access activities for monitoring access violations.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.4. Let us discuss security controls related to hardware and system software. In this slide, we learn about the security controls related to hardware and system software, for example, applications, operating systems, and database management systems. Access control software utilizes both identification and authentication, I&A. Once authenticated, the system then restricts access based on the specific role of the user. I&A is the process by which the system obtains an identity from a user and the credentials needed to authenticate that identity, and validates both pieces of information. I&A is a critical building block of computer security since it is needed for most types of access control and is necessary for establishing user accountability. For most systems, I&A is the first line of defense because it prevents unauthorized access by users or unauthorized processes to a computer system or an information asset.

In the next screen, we will discuss more about security controls related to hardware and system software. Logical access can be implemented in various ways. The IS auditor should be aware of the strengths and weaknesses of various architectures such as single sign-on, SSO, where a single authentication will enable access to all authorized applications, identity management, and multifactor authentication. If this risk is considered manageable, it should drive the implementation of multifactor authentication. The main areas covered here are identification and authentication, and single sign-on.

In the next screen, we will discuss identification and authentication. Identification and authentication involves proving one's identity, which is authenticated prior to being granted access. It is a critical building block of IS security and the basis of most access control systems: the first line of defense, preventing unauthorized access. I&A also establishes user accountability, linking activities to users. Multifactor authentication is a combination of more than one method, for example, token and password or PIN, or token and biometric device.

Let us continue discussing identification and authentication in the next slide. Categories can be something you know, for example, a password; something you have, for example, a token card; something you are or do, a biometric feature; or where you are. These techniques can be used independently or in combination, single-factor or two-factor authentication. Some of the common vulnerabilities expected are weak authentication methods, potential for bypassing the authentication mechanism, lack of confidentiality and integrity of stored authentication information, lack of encryption for transmitted authentication information, and lack of user knowledge regarding the risks of sharing authentication elements, for example, passwords.

In the next few screens, we will discuss identification and authentication: logon IDs and passwords. Logon IDs and passwords form a two-phase user identification and authentication process based on something you know: the logon ID provides individual identification and the password provides individual authentication. It is used to restrict access to computerized information, transactions, programs, and system software. It may involve an internal list of valid logon IDs and a corresponding set of access rules for each logon ID. The access rules can be specified at the OS level, controlling access to files, or within individual applications, controlling access to menu functions and types of data.

Features of passwords include: easy for the user to remember but difficult for a perpetrator to guess; when the user logs on for the first time, the system should force a password change to improve confidentiality; a limited number of logon attempts, typically three; user verification for forgotten passwords; internal one-way encryption, and not displayed in any form; changed periodically, for example, every 30 days; and unique, since if a password is known by more than one person, responsibility for activity cannot be enforced.

Password syntax format rules: ideally a minimum of eight characters in length; a combination of at least three of the following: alpha, numeric, upper and lower case, and special characters, and some prohibit the use of vowels; not particularly identifiable to the user; the system should enforce regular change of passwords, for example, after every 30 days; no re-use of previous passwords, for example, for at least one year after being changed; deactivate dormant logon IDs; automatic session inactivity time-outs; powerful user IDs, accounts such as Supervisor and Administrator accounts, should be strictly controlled, as these could have full access to the system; the administrator password should be known only by one person; however, the password should be kept in a sealed envelope for business continuity.

Let us proceed to the next slide for more on passwords.
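The password features and syntax rules above are the kind of thing an auditor tests for in a system, so here is an added example, not from the course, that implements them: minimum length, at least three of the four character classes, rejection of passwords identifiable to the user, one-way (salted PBKDF2) storage, a forced change at first logon, a three-attempt lockout, a 30-day maximum age and a one-year no-reuse history. The logon IDs, names, passwords and timestamps are constructed; the rules about vowels and dormant-ID deactivation from the slide are not implemented here.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 8                      # ideally a minimum of eight characters
MIN_CLASSES = 3                     # at least three of the character classes
MAX_AGE = timedelta(days=30)        # enforce a change, for example, every 30 days
REUSE_WINDOW = timedelta(days=365)  # no re-use for at least one year
MAX_ATTEMPTS = 3                    # limited number of logon attempts, typically three
PBKDF2_ROUNDS = 100_000             # work factor for the one-way hash (assumption)


def hash_password(password, salt=None):
    """One-way storage: a salted PBKDF2 digest; the clear-text password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_hash(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_syntax(password, logon_id, full_name=""):
    """Return the list of syntax rules the candidate password violates."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = sum([
        any(c.isalpha() for c in password),                                         # alpha
        any(c.isdigit() for c in password),                                         # numeric
        any(c.isupper() for c in password) and any(c.islower() for c in password),  # mixed case
        any(not c.isalnum() for c in password),                                     # special
    ])
    if classes < MIN_CLASSES:
        problems.append("fewer than three character classes")
    lowered = password.lower()
    identifiers = [logon_id.lower()] + [p.lower() for p in full_name.split() if len(p) >= 3]
    if any(ident and ident in lowered for ident in identifiers):
        problems.append("identifiable to the user")
    return problems


class Account:
    def __init__(self, logon_id, initial_password, now, full_name=""):
        self.logon_id, self.full_name = logon_id, full_name
        self.history = []          # (set_at, salt, digest) for every password ever set
        self.failed_attempts = 0
        self.locked = False
        self.must_change = True    # first logon forces a password change
        self._store(initial_password, now)

    def _store(self, password, now):
        self.salt, self.digest = hash_password(password)
        self.changed_at = now
        self.history.append((now, self.salt, self.digest))

    def change_password(self, new_password, now):
        problems = check_syntax(new_password, self.logon_id, self.full_name)
        for set_at, salt, digest in self.history:   # history holds only hashes
            if now - set_at < REUSE_WINDOW and verify_hash(new_password, salt, digest):
                problems.append("reused within one year")
                break
        if problems:
            return problems
        self._store(new_password, now)
        self.must_change = False
        return []

    def logon(self, password, now):
        if self.locked:
            return "locked"
        if not verify_hash(password, self.salt, self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0
        if self.must_change or now - self.changed_at > MAX_AGE:
            return "change required"
        return "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    acct = Account("jsmith", "Welcome1!", t0, "John Smith")
    print(acct.logon("Welcome1!", t0))                  # change required (first logon)
    print(acct.change_password("jsmith2024!", t0))      # identifiable to the user
    print(acct.change_password("Tr0ub4dor&3", t0))      # [] accepted
```

Because only salted digests are kept, the re-use check has to hash the candidate against each stored entry rather than compare strings; that is the price of the one-way storage rule, and it is also why the history should be bounded to the reuse window.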
Token devices and one-time passwords form a two-factor authentication technique, for example, a microprocessor-controlled smart card which generates unique, time-dependent, one-time passwords called session passwords. Such a password is good for only one logon session. The users enter this password along with the password they have memorized to gain access to the system. It is characterized by a unique session characteristic, ID or time, appended to the password. The technique involves something you have, a device subject to theft, and something you know, a PIN.

In the next screen, we will learn about identification and authentication: biometric access control.
Biometric security access control is the best means of authenticating a user's identity, based on a unique, measurable attribute or trait for verifying the identity of a human being. It restricts computer access based on a physical, something you are, or behavioral, something you do, feature of the user, for example, a fingerprint or eye retina pattern. A reader interprets the individual's biometric features before permitting authorized access; however, it is not a fool-proof process. Certain biometric features can change, for example, scarred fingerprints or a change in voice. The final template is derived through an iterative averaging process of acquiring samples.

Let us continue discussing identification and authentication, biometric access control, continued. Physically oriented biometrics are palm, hand geometry, iris, retina, fingerprint, and face. Behavior-oriented biometrics can be signature recognition and voice recognition.

In the next few screens, we will discuss identification and authentication: single sign-on, SSO. Single sign-on, SSO, is a consolidation of the organization's platform-based administration, authentication, and authorization functions. It interfaces with client-server and distributed systems, mainframe systems, and network security, including remote access. The primary domain handles the first instance where user credentials are entered, and the secondary domain is any other resource that uses these credentials.

Single sign-on, SSO, challenges: overcoming the heterogeneous nature of diverse architectures, networks, platforms, databases, and applications; it requires an understanding of each system's authorization rules, audit logs, and reports; and allowing host systems to control the set of users allowed access to particular host systems. SSO advantages: multiple passwords are not required, users are motivated to select stronger passwords, efficiency in managing users and their authorizations, reduced administrative overhead for resetting passwords, efficiency in disabling or deactivating user accounts, and reduced logon time. SSO disadvantages: single point of network failure, few software solutions accommodate all major OSs, substantial interface development required, and development is costly.

In the next screen, we will discuss logical access security administration.
-
Logical access security administration can be centralized or decentralized. Advantages of decentralized administration: administration is on site at the distributed location, issues are resolved in a timely manner, and monitoring is more frequent. Controlling remote and distributed sites requires software access controls; physical access controls such as lockable terminals and locked computer rooms; control over dial-in facilities, modems, and laptops; controls over access to system documentation; controls over data transmission (access, accuracy, completeness); and controls over replicated files and their updates (accuracy and reduced duplication).

Let us continue our discussion of logical access security administration. Risks associated with decentralized administration: local standards, rather than organizational standards, may be implemented; the level of security management may be below that of the central site; and management checks and audits by the central site may be unavailable. In the next screen, we will discuss remote access security.
The business need for remote access is to provide users with the same functionality that exists within their offices. The components of remote access are the remote environment (employees, branches, laptops), the telecommunication infrastructure (the carrier used), the corporate computing infrastructure, corporate connecting devices, and communication software.

Remote access risks include denial of service, malicious third-party access, misconfigured communication software, misconfigured devices, host systems not secured appropriately, and physical security weaknesses at the remote stations. Let us continue discussing remote access security in the next screen.

Remote access methods are analog modems and the public telephone network, dedicated network connections, proprietary circuits, and TCP/IP internet-based remote access. The remote access controls are policy and standards, proper authorization, identification and authentication mechanisms, encryption tools and techniques, and system and network management. In the next screen, we will discuss PDAs and mobile technology.
PDAs augment desktops and laptops due to their ease of use and functionality. The inherent risks are that they are easy to steal, easy to lose, and give ready access to the information stored on them. Access issues with mobile technologies also include removable media such as flash disks, and the controls over them. Let us continue discussing PDAs and mobile technology in the next screen.

Control issues to address are compliance with policies and procedures, including approval for PDA use; awareness of responsibilities and due care; compliance with security requirements; authorization and approval of use; standard PDA applications, authorized and licensed; synchronization, backup, and updating; encryption; virus detection and control; device registration; and camera use.

Let us now turn to audit logging and monitoring of system access. Most access control software automatically logs and reports all access attempts, successes and failures. This provides management with an audit trail to monitor activities and facilitates accountability. Access rights to system logs should be granted for review purposes only, that is, read-only; restricting write access to the logs is a form of security against their modification. Let us continue discussing system access in the next screen.

The tools for analysis of audit log information are audit reduction tools, which filter out insignificant data; trend/variance detection tools, which flag deviations from the normal level of activity; and attack signature detection tools, which match known attack patterns. Reviewing audit logs means monitoring patterns or trends, violations, and the use of incorrect passwords. Restricting and monitoring access also covers features that bypass security and are accessed by software programmers, including bypass label processing, BLP, system exits, and special system logon IDs.
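The three audit-log analysis tool types just described (audit reduction, attack-signature detection, and trend/variance detection) are easier to picture in code. The following Python is an added example written for this edit, not code from the Simplilearn course or from any access-control product; the log line format, the sample log lines, the brute-force threshold, and the baseline failure rate are all constructed assumptions.

```python
"""
Added example (not part of the course text): audit reduction, attack-signature
detection and trend/variance detection run over constructed access-control
log lines.  The log format, thresholds and baseline are assumptions chosen
for the example, not a real product's format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> <source> <outcome>".
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 10.0.0.5 SUCCESS
2024-03-01T09:00:07 bob 10.0.0.9 SUCCESS
2024-03-01T09:01:10 carol 198.51.100.7 FAILURE
2024-03-01T09:01:12 carol 198.51.100.7 FAILURE
2024-03-01T09:01:13 carol 198.51.100.7 FAILURE
2024-03-01T09:01:15 carol 198.51.100.7 FAILURE
2024-03-01T09:01:16 carol 198.51.100.7 FAILURE
2024-03-01T09:02:00 alice 10.0.0.5 SUCCESS
2024-03-01T10:00:00 dave 10.0.0.12 FAILURE
2024-03-01T10:30:00 bob 10.0.0.9 SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, src, outcome = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "outcome": outcome})
    return events


def audit_reduction(events):
    """Audit reduction: drop successful logons from the (assumed) internal
    10.0.0.0/8 space so the reviewer sees only failures and external successes."""
    return [e for e in events
            if e["outcome"] != "SUCCESS" or not e["src"].startswith("10.")]


def signature_detect(events, threshold=5, window=timedelta(seconds=60)):
    """Attack-signature detection: `threshold` or more failures for one user
    inside a sliding `window` is the classic password-guessing signature."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "FAILURE":
            by_user[e["user"]].append(e["ts"])
    hits = []
    for user, times in by_user.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append(user)
                break
    return hits


def variance_detect(events, baseline_failures_per_hour=1.0, factor=3.0):
    """Trend/variance detection: flag any hour whose failure count exceeds
    the assumed baseline by more than `factor` times."""
    per_hour = Counter(e["ts"].replace(minute=0, second=0)
                       for e in events if e["outcome"] == "FAILURE")
    return sorted(h.isoformat() for h, n in per_hour.items()
                  if n > baseline_failures_per_hour * factor)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(len(audit_reduction(evs)), "events left for review after reduction")
    print("brute-force signature matched for:", signature_detect(evs))
    print("hours with abnormal failure volume:", variance_detect(evs))
```

On the constructed log, reduction leaves six of ten events, the signature detector names carol (five failures in six seconds), and the variance detector flags the 09:00 hour. Note that the signature detector only finds the pattern it was written for, while the variance detector would also notice a slow spread of failures across many users; that is why the two are used together.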
You will now attempt a question to test what you have learned so far.

In this topic, we will learn about the concepts in Knowledge Statement 5.5. Let us discuss the risks and controls associated with virtualized systems. This slide covers the risks and controls associated with the virtualization of systems. Virtualization provides an organization with a significant opportunity to increase efficiency and decrease costs in its IT operations. The IS auditor needs to know the different advantages and disadvantages and needs to consider whether the enterprise has considered the applicable risks in its decision to adopt, implement, and maintain this technology. At a high level, virtualization allows multiple operating systems, OSs, or guests, to coexist on the same physical server, or host, in isolation from one another. Let us continue discussing the risks and controls associated with virtualized systems in the next screen.

Virtualization creates a layer (the hypervisor) between the hardware and the guest OSs to manage shared processing and memory resources on the host machine. A management console often provides administrative access to manage the virtualized system. Virtualization introduces additional risks that the enterprise must manage effectively. The key risk is that the host represents a single point of failure within the system: a successful attack on the host, or on its management console, could compromise every guest at once, so the impact is very large. Main areas covered here are virtualization. You will now attempt a question to test what you have learned so far.
In this topic, we will learn about the concepts in Knowledge Statement 5.6. Let us discuss network security controls in the next screen. Knowledge of the configuration, implementation, operation, and maintenance of network security controls is what we will learn in this slide. Enterprises can effectively prevent and detect most attacks on their networks by employing perimeter security controls. Firewalls and intrusion detection systems, IDS, provide protection and critical alert information at the borders between trusted and untrusted networks. Proper implementation and maintenance of firewalls and IDS is critical to a successful, in-depth security program. The IS auditor must understand the level of intruder detection provided by the different possible locations of the IDS, and the importance of policies and procedures that determine the action required by security and technical staff when an intruder is reported.

Main areas covered here are internet threats and security. In the next few screens, we will discuss network infrastructure security. The table demonstrates network infrastructure security.
Auditing use of the internet involves ensuring there is a business case for email and communication, marketing, customer communication, a sales channel or e-commerce, a channel for delivery of goods and services, online stores, internet banking, and information gathering and research.

Auditing networks: review network diagrams to identify the networking infrastructure and network design. Also review the network management policies, procedures, standards, and guidance distributed to staff. Identify responsibility for security and operation, and review staff training, duties, and responsibilities. You will further review legal issues regarding the use of the internet, service level agreements with third parties, and network administrator procedures.

Auditing remote access involves identifying all remote access facilities and ensuring they have been documented, reviewing the policies governing the use of remote access, reviewing the architecture, identifying points of entry and assessing their controls, testing dial-up access controls, and reviewing the relation to business requirements.

General network controls: functions are performed by technically qualified operators, and these functions are separated and rotated regularly. Apply least-privilege access rights for operators. The audit trail of operator activities must be periodically reviewed by management. Network operation standards must be documented. A review of workload balance, response times, and system efficiency must also be performed. Further, consider terminal authentication and data encryption. Some of the network operating systems that include network management control software are Novell NetWare, Windows NT/2000, and UNIX. You will now attempt a question to test what you have learned so far.
In this topic we will learn about the concepts in Knowledge Statement 5.7. Let us discuss network and internet security devices, protocols, and techniques in the next screen. The key knowledge to learn in this topic is network and internet security devices, protocols, and techniques. The application and evaluation of technologies to reduce risk and secure data depend on a proper understanding of security devices, their functions, and the protocols used in delivering that functionality. An organization implements specific applications of cryptographic systems in order to ensure the confidentiality of important data, and a number of cryptographic protocols provide secure communications on the internet. Additionally, the security landscape is filled with technologies and solutions to address many needs. Solutions include firewalls, intrusion detection and prevention devices, proxy devices, web filters, antivirus and anti-spam filters, data leak protection functionality, identity and access control mechanisms, secured remote access, and wireless security. Understanding a solution's function and its application to the underlying infrastructure requires knowledge of the infrastructure itself and the protocols in use. In the next screen, we will see the main areas to be covered under this topic.

Main areas covered here are encryption and network infrastructure security. In the next few screens, we will
learn about firewalls. A firewall is a security perimeter for corporate networks connecting to the internet, aimed at preventing both external intruders and untrusted internal users (internal hackers). It applies rules to control network traffic flowing in and out of a network, allowing users to access the internet while stopping hackers or others on the internet from gaining access to the network. The guiding principle used is least privilege, on a need-to-use basis.

General firewall features: a firewall is a combination of hardware (routers, servers) and software, and it should control the most vulnerable point between a corporate network and the internet. General functions of firewalls include blocking access to particular sites; limiting traffic on public services to the relevant ports; preventing access to certain servers and/or services; monitoring and recording communication between internal and external networks, including network penetration attempts and internal subversion; providing encryption and VPN termination; and acting as a single choke point, concentrating security on a single system.

General techniques used to control traffic are service control (by IP address and TCP port), direction control (the direction of traffic), user control (based on user rights), and behavior control (based on how services are being used, for example, filtering email for spam). In the next few screens, we will discuss types of firewalls.
The types of firewalls are router packet filtering, application firewall systems, and stateful inspection firewalls.

A router packet filtering firewall is deployed between the private network and the internet. Screening routers examine packet headers to ascertain the IP addresses (identities) of the sender and receiver and the port numbers, which identify the kind of internet service being used and which ports are authorized to carry the transmitted information. This information is used to prevent certain packets from being sent between the network and the internet. The common attacks against packet filtering are IP spoofing, source routing specification, and miniature fragment attacks. This method is simple and stable. Its demerit is that it is easily weakened by improperly configured filters, for example, a broad "temporary" allow rule placed ahead of the deny rule it was meant to sit behind. Also, because it never inspects the payload, it is unable to prevent attacks tunneled over permitted services. The diagram in the slide describes this type of firewall.

Application firewall systems. This type of firewall allows information flow between internal and external systems, but does not allow a direct exchange of packets. Host applications must still be secured against the threats posed by allowed packets. They rest on hardened operating systems, for example, Windows NT or UNIX, and work at the application layer of the OSI model. There are two types, application-level firewalls and circuit-level firewalls. Application-level firewalls analyze packets through a series of proxies, one for each service. Circuit-level firewalls validate TCP and UDP sessions through a single general-purpose proxy. The diagram in the slide demonstrates this. Application firewall systems are set up as proxy servers acting on behalf of network users. They employ a bastion host, which is heavily fortified against attack and handles all incoming requests from the internet to the network. A single host makes security maintenance easier: if it is compromised, only the firewall system is compromised, not the network. In the next screen, we will discuss types of firewalls and firewall issues.

Stateful inspection firewalls track the destination IP address of each packet leaving the network and reference responses to the requests that went out. They map the source IP addresses of incoming packets to the destination IP addresses of outgoing requests, so an inbound packet that answers no outbound request is dropped. This prevents attacks initiated and originated by outsiders. The main advantage is that it is more efficient than application firewall systems. The disadvantage is that it is more complex to administer.
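To make the packet filtering and stateful inspection behaviour above concrete, the following Python is an added example written for this edit, not code from the course or from any firewall product. It models a stateless filter with service and direction control plus an anti-spoofing check, shows how a mis-ordered rule weakens the filter, and adds a stateful connection table that admits a reply only when it matches a request that went out. The 10.0.0.0/8 internal range, the interface names, the addresses, and both rule sets are assumptions chosen for the example.

```python
"""
Added example (not from the course text): a toy stateless packet filter with
service and direction control, an anti-spoofing check, and a stateful
inspection table, run over constructed packets.  Addresses, interface names
and rule sets are assumptions chosen for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed private network behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    iface: str   # "outside" (arrived from the internet) or "inside" (from the LAN)


# A rule is (direction, protocol, destination port, action).  First match
# wins, which is exactly why rule order is the classic misconfiguration.
GOOD_RULES = [
    ("outside", "tcp", 443, "allow"),   # public HTTPS server
    ("outside", "tcp", 25, "allow"),    # mail gateway
    ("outside", "*", "*", "deny"),      # everything else inbound
    ("inside", "*", "*", "allow"),      # permissive egress
]

# Same intent, but a broad "temporary troubleshooting" allow was added at
# the top; the deny below it is now unreachable for any TCP port.
BAD_RULES = [
    ("outside", "tcp", "*", "allow"),
    ("outside", "tcp", 443, "allow"),
    ("outside", "*", "*", "deny"),
    ("inside", "*", "*", "allow"),
]


def anti_spoof_ok(pkt):
    """Ingress filter: a packet arriving on the outside interface must not
    claim an internal source address (the IP spoofing attack in the text)."""
    return not (pkt.iface == "outside" and ip_address(pkt.src) in INTERNAL)


def stateless_filter(pkt, rules):
    """Packet filtering: header-only decision, first matching rule wins,
    implicit default deny if nothing matches."""
    if not anti_spoof_ok(pkt):
        return "deny"
    for direction, proto, port, action in rules:
        if (direction == pkt.iface and proto in ("*", pkt.proto)
                and port in ("*", pkt.dport)):
            return action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remember outbound requests and admit inbound
    packets only when they answer one of them."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # (internal host, external host, external port)

    def process(self, pkt):
        if pkt.iface == "inside":
            verdict = stateless_filter(pkt, self.rules)
            if verdict == "allow":
                self.table.add((pkt.src, pkt.dst, pkt.dport))
            return verdict
        if not anti_spoof_ok(pkt):
            return "deny"
        if (pkt.dst, pkt.src, pkt.sport) in self.table:
            return "allow"   # response to a request that went out earlier
        return stateless_filter(pkt, self.rules)


def demo():
    """Run constructed packets through both filters and return the verdicts."""
    spoofed = Packet("10.0.0.7", 40000, "10.0.0.20", 22, "tcp", "outside")
    ssh_in = Packet("203.0.113.9", 40000, "10.0.0.20", 22, "tcp", "outside")
    web_in = Packet("203.0.113.9", 40001, "10.0.0.80", 443, "tcp", "outside")
    out_req = Packet("10.0.0.20", 51000, "203.0.113.9", 8080, "tcp", "inside")
    reply = Packet("203.0.113.9", 8080, "10.0.0.20", 51000, "tcp", "outside")
    fw = StatefulFirewall(GOOD_RULES)
    return {
        "spoofed_internal_src": stateless_filter(spoofed, GOOD_RULES),
        "ssh_good_rules": stateless_filter(ssh_in, GOOD_RULES),
        "ssh_bad_rules": stateless_filter(ssh_in, BAD_RULES),
        "https_good_rules": stateless_filter(web_in, GOOD_RULES),
        "stateful_outbound": fw.process(out_req),
        "stateful_reply": fw.process(reply),
        "stateless_reply": stateless_filter(reply, GOOD_RULES),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Two results are worth comparing: the same inbound SSH packet is denied under GOOD_RULES and allowed under BAD_RULES purely because of rule order, and the reply to the outbound request is allowed by the stateful firewall but denied by the stateless filter, which would need a wide-open high-port rule (itself a weakness) to let replies through.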
Issues related to firewalls: a false sense of security, that is, the belief that no additional internal controls are needed; weakness against internal threats, for example, a disgruntled employee cooperating with an external attacker; inability to protect against attacks that bypass the firewall, for example, modem dial-in; misconfigured firewalls; misunderstanding of what constitutes a firewall; and monitoring activities not done regularly. In the next screen, we will discuss the implementation of firewalls.

Firewalls can be implemented in three ways: screened-host firewall, dual-homed firewall, and demilitarized zone (screened-subnet) firewall. In the next screen, we will discuss the screened-host firewall.

Screened-host firewall. This method utilizes packet filtering and a bastion host (proxy services). The bastion host connects to the internal network, and a packet filtering router is installed between the internet and the bastion host. An intruder has to penetrate two systems before the network is compromised. Internal hosts reside on the same network as the bastion host. Security policies determine whether hosts connect directly to the internet or use the proxy services of the bastion host. In the next screen, we will discuss the dual-homed firewall.

The dual-homed firewall is a more restrictive form of the screened-host firewall. One interface is established for information servers, and a separate interface for private network hosts. Direct traffic to internal hosts is physically prevented, as explained in the diagram. In the next screen, we will discuss the demilitarized zone (screened-subnet) firewall, DMZ.

This mode utilizes two packet-filtering routers and a bastion host. It is the most secure firewall system and supports both network-level and application-level security. The separate DMZ functions as an isolated network for public servers, proxy servers, and modem pools. The key benefits are that an intruder must penetrate three separate devices, the private network addresses are not disclosed to the internet, and internal systems do not have direct access to the internet. In the next screen, we will discuss intrusion detection systems, IDS.
Intrusion detection systems, IDS, monitor for network usage anomalies. An IDS is used together with firewalls and routers. It operates continuously in the background, and the administrator is alerted when intrusions are detected. It protects against both external and internal misuse. IDS components: the sensor, which collects data (network packets, log files, system call traces); the analyzer, which receives input from the sensors and determines whether activity is intrusive; and the admin console, the user interface. Let us continue discussing intrusion detection systems, IDS, in the next screen.

IDSs are categorized into network-based IDSs, NIDS, which identify attacks within a network, and host-based IDSs, HIDS, which are configured for a specific environment and monitor the internal resources of a system. IDS types are signature-based, where intrusion patterns are stored as signatures and detection is limited by the detection rules (an attack with no signature goes unnoticed); statistical-based, which monitors deviation from expected behavior; and neural networks, similar to statistical but adding learning functionality. A combination of signature and statistical detection offers better protection. In the next screen, we will learn about IDS and intrusion prevention systems, IPS.

The key features of intrusion detection systems are intrusion detection and alerts, gathering evidence, automated response (for example, disconnecting the session), security policy administration and monitoring, interfaces with system tools, and logging facilities. IDS limitations include weaknesses in policy definition, application-level vulnerabilities, backdoors into applications, and weaknesses in identification and authentication schemes. Let us continue discussing IDS and intrusion prevention systems, IPS, in the next screen.

Intrusion prevention systems, IPS. An IPS is closely related to an IDS. It is designed not only to detect attacks but also to block them inline before the target host is affected, hence limiting the damage or disruption to the systems under attack. It must be properly configured and tuned to be effective, since a false positive on an inline device blocks legitimate traffic. In the next screen, we will learn about honeypots and honeynets.
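Before moving on, here is the signature-based and statistical-based IDS distinction from the screens above in working form, together with the combination the course recommends. This is an added Python example written for this edit, not code from the course or from any IDS product. The sensor event format, the two signatures, the baseline of normal per-source port counts, and the z-score threshold are constructed assumptions.

```python
"""
Added example (not part of the course text): signature-based and
statistical-based intrusion detection applied to constructed sensor events,
then combined.  Event format, signatures, baseline and threshold are
assumptions chosen for the example.
"""
import re
import statistics
from collections import defaultdict

# Constructed sensor output: (source IP, destination port, request payload).
# The last line adds one source touching 40 distinct ports: a port scan
# with no payload for a signature to match.
EVENTS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, b"GET /about.html HTTP/1.1"),
    ("10.0.0.9", 443, b"GET /login HTTP/1.1"),
    ("10.0.0.9", 80, b"GET /images/logo.png HTTP/1.1"),
    ("198.51.100.7", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1"),
    ("198.51.100.7", 80, b"GET /index.html HTTP/1.1"),
] + [("203.0.113.4", p, b"") for p in range(20, 60)]

# Signature rules: compiled pattern -> name.  Signature detection can only
# find what is written here (the "limited by detection rules" point).
SIGNATURES = {
    re.compile(rb"\.\./\.\./"): "directory traversal",
    re.compile(rb"/etc/passwd"): "unix password file access",
}

# Constructed baseline: distinct destination ports per source observed
# during a quiet period, used as the "expected behavior".
BASELINE = [1, 2, 1, 2, 3, 1, 2, 2, 1, 2]


def signature_detect(events):
    """Signature-based: return {source: [names of matched signatures]}."""
    hits = defaultdict(list)
    for src, _, payload in events:
        for pattern, name in SIGNATURES.items():
            if pattern.search(payload) and name not in hits[src]:
                hits[src].append(name)
    return dict(hits)


def statistical_detect(events, baseline, z_threshold=3.0):
    """Statistical-based: flag sources whose distinct-port count is an
    outlier (z-score above the threshold) against the baseline."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0   # guard against a flat baseline
    ports = defaultdict(set)
    for src, dport, _ in events:
        ports[src].add(dport)
    return sorted(src for src, seen in ports.items()
                  if (len(seen) - mean) / stdev > z_threshold)


def combined_detect(events, baseline):
    """The signature/statistical combination the course recommends: each
    method catches what the other misses."""
    flagged = set(signature_detect(events)) | set(statistical_detect(events, baseline))
    return sorted(flagged)


if __name__ == "__main__":
    print("signature hits:", signature_detect(EVENTS))
    print("statistical outliers:", statistical_detect(EVENTS, BASELINE))
    print("combined:", combined_detect(EVENTS, BASELINE))
```

On the constructed events, the signature detector finds only the traversal request from 198.51.100.7 and says nothing about the scanner, while the statistical detector flags only the scanner at 203.0.113.4 and says nothing about the traversal; the union reports both.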
A honeypot is a software application that pretends to be a vulnerable server on the internet and is not set up to actively protect against break-ins. Rather, honeypots act as decoy systems that lure hackers and are therefore attractive to them. The more a honeypot is targeted by an intruder, the more valuable it becomes. A honeypot is technically related to IDSs and firewalls, but it has no real production value as an active sentinel of networks. The two basic types of honeypots are high interaction, which gives hackers a real environment to attack, and low interaction, which emulates production environments. Multiple honeypots networked together to simulate a larger network installation are known as a honeynet. A honeynet lets hackers break into the false network while allowing investigators to watch their every move through a combination of surveillance technologies. You will now attempt a question to test what you have learned so far.
In this topic, we will learn about the concepts in Knowledge Statement 5.8. Let us discuss information system attack methods and techniques in the next screen. The candidate needs to grasp the knowledge of information system attack methods and techniques covered under this topic. Risks arise from vulnerabilities, whether technical or human, within an environment; several attack techniques exploit those vulnerabilities and may originate either within or outside the organization. Computer attacks can result in proprietary or confidential data being stolen or modified, loss of customer confidence and market share, embarrassment to management, and legal actions against an organization. Let us continue discussing information system attack methods and techniques in the next screen.

Understanding the methods, techniques, and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risk an organization faces. The IS auditor should understand enough of these attack types to recognize their risk to the business and how they should be addressed by appropriate controls. The IS auditor should also understand the concept of social engineering, since these attacks can circumvent the strongest technical security; the only effective control is regular user education. Main areas covered here are computer crime issues and exposures, and wireless security threats and risk mitigation. In the next few screens, we will discuss computer crime issues and
exposures. Computer crimes can be committed from various sources, including: the computer is the object of the crime, where the perpetrator uses another computer to launch an attack; the computer is the subject of the crime, where the perpetrator uses a computer to commit the crime and the target is another computer; the computer is the tool of the crime, where the perpetrator uses a computer to commit the crime but the target is not the computer itself but the data stored on it; and the computer symbolizes the crime, where the perpetrator lures computer users into giving up confidential information, for example, through social engineering methods.

Common attack methods and techniques include alteration attacks, botnets, brute force attacks, denial of service (DoS) attacks, dial-in penetration attacks (war dialing), eavesdropping, email bombing and spamming, and email spoofing. More common attack methods and techniques include flooding, interrupt attacks, malicious code, man-in-the-middle attacks, masquerading, message modification, network analysis, packet replay, phishing, piggybacking, race conditions, remote maintenance tools, resource enumeration and browsing, salami techniques, spam, traffic analysis, unauthorized access through the internet and World Wide Web (WWW), viruses, worms and spyware, war driving, war walking, and war chalking. In the next few
screens, we will learn about local area network, LAN, security. A local area network faces many risks. Examples of these risks are unauthorized access and changes to data and/or programs; inability to maintain version control; limited user verification and potential public access; general access as opposed to need-to-know access; impersonation of, or masquerading as, a legitimate LAN user; internal user sniffing; internal user spoofing; virus infection; unlicensed or excessive numbers of software copies; destruction of logging and auditing data; lack of LAN administrator experience and expertise; varying media, protocols, hardware, and network software that make standard management difficult; and security set aside for operational efficiency.

LAN administrative capabilities include declaring ownership of programs and files, limiting access to read-only, record and file locking to prevent simultaneous updates, and enforcing user ID and password sign-on procedures. In order to understand LANs, it is paramount for a candidate to have good knowledge of the LAN topology and network diagram, the functions performed by the LAN administrator or owner, LAN users and user groups, the applications used on the LAN, and the procedures and standards for network design, support, naming conventions, and data security. Dial-up access controls are encrypted passwords, portable PCs, dial-back procedures, and one-time password generators or tokens.

Client-server risks include numerous access routes and points; increased risk of access to data and processing; weaker access controls, password change controls, or access rules; weaker change control and change management; inaccurate or unauthorized access and changes to systems or data; loss of network availability; obsolescence of network components; unauthorized connection of the network to other networks through modems; weak connections to public switched telephone networks; and application code and data that may not be stored on a secure machine. Client-server controls that will ensure security include disabling floppy drives, automatic boot or startup batch files, login scripts, network monitoring devices, data encryption, environment-wide authentication procedures, application-level access control, and organization of users into functional groups. In the next few screens, we will
discuss the internet threats. The internet is a global TCP/IP-based system that enables public and private heterogeneous networks to communicate with one another. Internet threats are categorized into passive attacks, which involve probing for network information, and active attacks, which are intrusion or penetration into a network, gaining full control or enough to cause certain threats: unauthorized access to and modification of data and/or programs, obtaining sensitive information for personal gain, escalating privileges, and denial of service. The impact could affect the organization's financial position, legal standing, or competitive edge.

Types of passive attacks: network analysis involves creating a profile of a network's security infrastructure (footprinting): system aliases, internal addresses, potential gateways, firewalls, and vulnerable operating system services. Eavesdropping involves gathering information flowing through the network for personal analysis or for third parties. Traffic analysis entails determining the nature of the traffic flow between defined hosts.

Active attacks can take the following forms. Brute force attack: launching many attempts to gain unauthorized access, for example, password cracking. Masquerading: presenting an identity other than the original identity, which is unauthorized. Packet replay: passively capturing data packets and actively inserting them back into the network, so that the replayed packets are treated as another genuine stream; it is effective when the data received is interpreted and acted upon without human intervention. Message modification: making unauthorized changes or deletions to captured messages. Unauthorized access through the internet: Telnet passwords transmitted in clear text, releasing CGI scripts as shareware, and client-side execution of scripts or Java applets. Denial of service: flooding servers with data requests; systems are paralyzed and genuine users are frustrated by the unavailability of the system. Dial-in penetration attacks: using phone number ranges and social engineering. Email bombing: repeatedly sending identical messages to particular addresses. Email spamming: sending messages to numerous users. Email spoofing: altering the identity of the source of the message. Trojan horses: hiding malicious, fraudulent code in an authorized computer program.

Rounding down: drawing off small amounts of money from a computerized transaction or account into the perpetrator's account. Salami technique: slicing off (truncating) small amounts of money from a computerized transaction or account, similar to rounding down. Viruses: malicious program code inserted into other executable code that can self-replicate and spread from computer to computer. Worms: destructive programs that may destroy data or consume tremendous computer and communication resources; they do not replicate by infecting other programs the way viruses do, but spread as standalone programs across the network. Logic bombs: similar to computer viruses but do not self-replicate; the destruction or modification of data is programmed for a specific time in the future, and they are difficult to detect before they go off. Trap doors: exits out of an authorized program; they allow insertion of specific logic, such as program interrupts, to permit a view of data during processing. They are used by programmers to bypass OS integrity during debugging and maintenance and are meant to be eliminated in the final editing of the code, but are sometimes forgotten or intentionally left for future access. Asynchronous attacks: these are OS-based attacks on a multiprocessing environment's job scheduling, resource scheduling, and checkpoint/restart capabilities; the checkpoint copy holds data, system parameters, and security levels, and the attack involves access to and modification of this data to obtain a higher priority or security level, resulting in unauthorized access to data, other programs, and the OS. Data leakage: siphoning or leaking information out of the computer, for example, dumping files to paper or stealing tapes. Wiretapping: eavesdropping on information being transmitted over telecommunication lines. Piggybacking: following an authorized person through a secure door; it also means electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions. Computer shutdown: initiated through terminals or microcomputers connected to the computer directly online or remotely over a dial-up line. Denial of service: disrupting or completely denying service to legitimate users, networks, systems, or other resources. You will now attempt a
question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.9. Let us discuss virus detection tools and control techniques in the next screen. The key is understanding detection tools and control techniques, for example, for malware, viruses, and spyware. Computer viruses and other malware continue to emerge at increasing rates and sophistication and present significant threats to individuals and organizations. Layered tools should be implemented and distributed throughout the environment in order to mitigate the ability of this malware to adversely impact the organization. Antivirus and anti-spam software is a necessary and critical component of an organization's security program, providing a mechanism to detect, contain, and notify whenever malicious code is detected. It is essential that the IS auditor understand not only the need for the implementation of antimalware software but also that it must be constantly updated to ensure that it will detect and eradicate the latest attacks identified by the solution providers. Viruses are what we will focus on next. Main areas covered here are viruses. In the next few screens, we will learn about viruses.

Viruses are malicious programs designed to self-propagate by appending themselves to other programs. They are easily transmitted via the internet, email attachments, and local area networks. Viruses attack four parts of the computer: executable program files; the file directory system, which tracks the location of all the computer's files; the boot and system areas, which are needed to start the computer; and data files. Virus controls available are virus and worm controls; management procedural controls; technical controls (antivirus software, periodically updated); hardware controls (remote booting, boot virus protection); antivirus software implementation strategies; a dynamic antivirus program; and sound policies and procedures. Let us continue to discuss viruses on the next slide.
antivirus software implementation
-
strategies detecting the virus at its
-
point of entry is crucial at user
-
workstation level through scheduled
-
continuous and manual OnDemand scans at
-
corporate Network level as part of the
-
firewall virus wall SMTP
-
HTTP and FTP protection besides
-
automatically updating antivirus
-
software features of antivirus software
-
it should be reliable and offer quality
-
of detection it should be Memory
-
resident to facilitate continuous
-
checking it should as well have
-
efficient working speed and use of
-
resources types of antivirus software
-
scanners virus masks or signatures heris
-
scanners based on statistical
-
probability active monitors looking for
-
virus-like
-
activity Integrity CRC Checkers used to
-
detect changes in files and executable
-
code Behavior blockers focus on
-
detecting potentially abnormal behavior
-
for example writing to the boot sector
-
immunizers append themselves to files
-
and continuously check for changes you
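As an added example (not part of the course material), the following Python implements the integrity-checker idea above: a baseline of file digests is recorded, and a later scan reports files that were modified, added, or removed. The directory and file contents are constructed, and SHA-256 stands in for the CRC.

```python
"""Integrity checker in the style of the 'integrity (CRC) checkers' class of
antivirus tool.  Added example, not from the course.  A baseline of file
digests is recorded once; a later scan is compared against it.  SHA-256 is used
instead of a CRC because a CRC can be trivially matched by an attacker; the
detection logic is the same either way.  The directory contents are constructed."""
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and map each file's relative path to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two snapshots."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a program directory where one executable gets a
    virus body appended, a new executable is dropped in, and a file is deleted."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("app.exe", b"MZ original"),
                           ("readme.txt", b"docs"),
                           ("lib.dll", b"MZ lib")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)          # recorded on a known-clean system
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b" + appended virus body")   # file infector behaviour
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ new")
        os.remove(os.path.join(root, "readme.txt"))
        return compare(baseline, build_baseline(root))
```

The baseline has to be kept where malware that can modify the executables cannot also rewrite it, otherwise the checker reports nothing.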
-
You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in Knowledge Statement 5.10. Let us discuss security testing techniques in the next screen. It is paramount for CISA candidates to have knowledge of security testing techniques, for example intrusion testing. Vulnerability scanning tools are available to assess the effectiveness of network infrastructure security. These tools permit identification of real-time risks to an information processing environment, and corrective actions can then be taken to mitigate these risks. Such risks often involve the failure to stay updated on patch management for operating systems or the misconfiguration of security settings. Assessment tools, whether open source or commercially produced, can quickly identify weaknesses that would have taken hundreds of hours to identify manually. The IS auditor should also be aware that security testing may be carried out by an approved third party, for example a company specializing in penetration testing. Let us see the main area to cover under this topic in the next screen. The main area covered here is auditing network infrastructure security.

In the next few screens we will learn about network infrastructure security. Network penetration testing is also called intrusion testing or ethical hacking. It involves using techniques available to a hacker: open-source intelligence gathering and discovery, attempting to guess passwords, searching for back doors into systems, and exploiting known operating system vulnerabilities. It is popular for testing firewalls and is only performed by skilled, experienced professionals. It requires permission from top-level senior management, but is conducted without informing the IS security staff.

You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in Knowledge Statement 5.11. Let us discuss the risks and controls associated with data leakage in the next screen.
-
Data leakage is the risk that sensitive information may be inadvertently made public. It occurs in different ways, such as: job postings that list the specific software and network devices with which applicants should have experience; system administrators posting questions on technical websites that include the specific details of the firewall or database version they are running and the IP addresses they are trying to connect to; and posting organization charts and strategic plans to externally accessible websites. Data classification policies, security awareness training, and periodic audits of data leakage are elements that the IS auditor will want to ensure are in place. The main area to be covered here is computer crime issues and exposures. Let us proceed to the next topic in this domain.

In this topic we will learn about the concepts in Knowledge Statement 5.12. Let us discuss network infrastructure security and encryption in the next few screens. It is important for CISA candidates to have a good knowledge of encryption-related techniques. One of the best ways to protect the confidentiality of information is through the use of encryption. Effective encryption systems depend on: algorithm strength; the secrecy of, and difficulty of compromising, a key; the non-existence of back doors by which an encrypted file can be decrypted without knowing the key; and the inability to decrypt an entire ciphertext message if the way a portion of it decrypts is known (this is called a known-text attack) or if properties of the plaintext are known by a perpetrator. Although the IS auditor is not expected to be an expert in how these algorithms are designed, the auditor should be able to understand how these techniques are used and the relative advantages and disadvantages of each. We will cover encryption techniques in this section. The main area to be covered here is encryption.
-
Encryption means converting plaintext messages into secure coded text (ciphertext). It is done via a mathematical function and a key, a special encryption/decryption password. Encryption is used to protect data in transit over networks, protect information stored on computers, deter and detect alterations of data, and verify the authenticity of a transaction or document. Note: we assume that the more difficult it is to decrypt the ciphertext, the better.

Key elements of encryption systems: the encryption algorithm, a mathematical function or calculation; the encryption key, a piece of information used in the algorithm to make the process unique; and the key length, the predetermined length of the key. The effectiveness of encryption is based on the secrecy and difficulty of compromising the key, the lack of other means of decrypting without the key, and the inability to perform a known-text attack (knowing how a portion of encrypted text decrypts).

Trade-offs in encryption: if the algorithm is too complex and takes too long to use, or requires keys that are too large to store easily, it becomes impractical to use. There is a need to balance the strength of the encryption, that is, how difficult it is for someone to discover the algorithm and the key, against ease of use.

There are two main types of encryption in use for computer security, referred to as symmetric and asymmetric key encryption.

Symmetric encryption algorithms use the same (private) key to encrypt plaintext and decrypt ciphertext; this is also called private or secret key cryptography. The common private key cryptographic systems are the Data Encryption Standard (DES), 64-bit, and the Advanced Encryption Standard (AES), 128-bit to 256-bit. The advantage of this method is that it uses one key to encrypt and decrypt and hence uses less processing power; however, getting the key to those you want to exchange data with is the problem. An illustration of a symmetric key cryptographic system is on the next slide. Key management is an issue: each pair of communicating entities needs a shared key, so for an N-party system there are N(N-1)/2 distinct keys in the system, and each party needs to maintain N-1 distinct keys. How to reduce the number of shared keys in the system: centralized key management, session keys, or the use of public keys.

Asymmetric (public key) cryptographic systems use different keys for encrypting and decrypting a message. This solves the problem of getting the key to those you want to exchange data with. It involves two keys working as a pair, one to encrypt and the other to decrypt; the asymmetric keys are inversely related to each other. One key, the secret or private key, is known only to one person; the other key, the public key, is known to many people. The common form of asymmetric encryption is RSA. For example, Smith has two keys, public and private. Smith publishes her public key such that the key is publicly known, and keeps her private key secret. Other people use Smith's public key to encrypt messages for Smith, and Smith uses her private key to decrypt the messages. Only Smith can decrypt, since only she has the private key.

The advantages of public key cryptography are that the necessity of distributing secret keys to large numbers of users is eliminated, and that the algorithm can be used for authentication as well as for creating ciphertext; computing the private key from the public key is assumed to be difficult. Public key cryptography ensures authentication and non-repudiation by encrypting with the sender's secret key; confidentiality by encrypting with the receiver's public key; and authentication and confidentiality by first encrypting with the sender's secret key and secondly with the receiver's public key.
-
Let us learn the differences between symmetric key and public key encryption in the next screen. In symmetric key encryption the two parties must trust each other, as typically both share the same key. Symmetric key encryption is generally 100 times faster than public key encryption. Examples include DES, IDEA, RC5, and AES. In public key encryption the two parties do not need to trust each other; there are two separate keys, a public key and a private key. It is slower than symmetric key encryption. Examples are RSA, ElGamal encryption, and ECC.

Elliptic curve cryptography (ECC) is a variant and more efficient form of public key cryptography; as a way of getting more security out of minimum resources, the elliptic curve cryptosystem is gaining prominence. Quantum cryptography is the next generation of cryptography that will solve existing problems associated with current cryptographic systems.

Advanced Encryption Standard (AES): AES replaces the Data Encryption Standard (DES) as the cryptographic algorithm standard. Due to its short key length, the former standard for symmetric encryption, DES, reached the end of its life cycle.

Digital signatures are an electronic identification of a person or entity, intended for the recipient to verify the integrity of the data and the identity of the sender. A digital signature ensures: data integrity, through a one-way cryptographic hashing algorithm; identity authentication, through public key cryptography; non-repudiation; and replay protection, where timestamps and sequence numbers are built into the messages. A digital envelope is used to send encrypted information and the relevant key along with it; the message to be sent can be encrypted by using either an asymmetric key or a symmetric key.

You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in Knowledge Statement 5.13. Let us discuss public key infrastructure (PKI) and digital signature techniques in the next few screens.
-
Encryption is the process of converting a plaintext message into a secure coded form of text, called ciphertext, which cannot be understood without converting it back to plaintext via decryption, the reverse process. PKIs use encryption to facilitate the following: protect data in transit over networks from unauthorized interception and manipulation; protect information stored on computers from unauthorized viewing and manipulation; deter and detect accidental or intentional alterations of data; verify the authenticity of a transaction or document, for example when transmitted over a web-based connection in online banking, share dealing, etc.; and protect data in such situations from unauthorized disclosure. Understanding the business use of digital signatures is also expected, especially their use in providing non-repudiation of, and replay protection to, messages. The main areas covered here are encryption and public key infrastructure (PKI).

In the next few screens we will discuss public key infrastructure (PKI). A PKI is a framework by which a trusted party issues, maintains, and revokes public key certificates. The reasons for PKI: many applications need key distribution; digital signatures have a vulnerability in that a sender's private key and public key may be faked, or intercepted and changed; and since anyone can derive keys, there is a need to have a mechanism to assure that keys belong to the entities they claim to come from. In PKI a certification authority (CA) validates keys, and distribution is done via a hierarchy of CAs. The CA process: the CA checks real-world credentials, gets the key from the user, and in turn signs a certificate (cert) validating the key. The certificate is then attached to assure an endpoint that an entity is who it claims to be; if the endpoint trusts the CA, then it will trust that the entity is who it claimed to be.

Elements of PKI include digital certificates, the certificate authority (CA), the registration authority (RA), the certificate revocation list (CRL), and the certification practice statement (CPS).

Digital certificates: a digital credential comprising a public key of an individual and identifying information about the individual. It is digitally signed by the trusted entity with its private key, and the receiver relies on the public key of the trusted party. It also includes the algorithm used and the validity period.

Certificate authority (CA): a trusted provider of public and private key pairs that attests to the authenticity of the owner of a public key. It uses due diligence to issue certificates based on evidence or knowledge; upon verification of the user, the CA signs the certificate using its private key. It is responsible for managing the certificate throughout its life cycle and is authoritative for the name or key space it represents.

Certificate revocation list (CRL): details digital certificates that are no longer valid. It is used for checking the continued validity of certificates; the time gaps between two updates are very critical.

Certification practice statement (CPS): a detailed set of rules governing the CA's operations. It provides an understanding of the value and trustworthiness of the certificates issued in terms of the controls observed, the method used to authenticate applicants, and the CA's expectations on how certificates may be used.

Registration authority (RA): an optional entity, separate from the CA, that performs administrative tasks like recording and verifying information needed by the CA to issue certificates or CRLs, also performing certificate management functions. The CA remains solely responsible for signing digital certificates or CRLs.
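As an added example (not from the course), the following toy Python walks through the three public key modes described in the encryption screens above (confidentiality, authentication, and both) and the PKI idea just covered: a CA signs a certificate binding a name to a public key, and an endpoint that trusts the CA verifies it and consults a CRL. The primes, the names Smith and Jones, and the serial number are constructed; textbook RSA on single bytes with tiny keys is used only to make the arithmetic visible.

```python
"""Added example, not from the course: textbook RSA with tiny primes, used to
walk through the three public key modes (confidentiality, authentication, both)
and the PKI idea of a CA-signed certificate checked against a CRL.  Primes,
names and the serial number are constructed.  Real systems pad messages, sign
a hash of the whole message, and use keys thousands of bits long."""
import hashlib

def keygen(p: int, q: int, e: int = 17):
    """Return (public, private), each as an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; needs gcd(e, phi) == 1
    return (e, n), (d, n)

def apply_key(values, key):
    """Raise each value to the key's exponent mod n.  The same operation
    encrypts (public exponent) and decrypts or signs (private exponent)."""
    exp, n = key
    return [pow(v, exp, n) for v in values]

def confidential(msg: bytes, receiver_pub):
    """Confidentiality: encrypt with the receiver's public key, byte by byte.
    Each byte (< 256) must be below n, which holds for every modulus here."""
    return apply_key(list(msg), receiver_pub)

def open_confidential(blocks, receiver_priv) -> bytes:
    return bytes(apply_key(blocks, receiver_priv))

def authenticated(msg: bytes, sender_priv):
    """Authentication and non-repudiation: 'encrypt' with the sender's secret
    key.  Anyone with the public key can undo it, so this proves origin only."""
    return apply_key(list(msg), sender_priv)

def check_authenticated(blocks, sender_pub) -> bytes:
    return bytes(apply_key(blocks, sender_pub))

def both(msg: bytes, sender_priv, receiver_pub):
    """Authentication and confidentiality: sender's secret key first, then the
    receiver's public key.  The receiver's modulus must exceed the sender's,
    because stage one yields values up to n_sender - 1."""
    return apply_key(authenticated(msg, sender_priv), receiver_pub)

def open_both(blocks, receiver_priv, sender_pub) -> bytes:
    return check_authenticated(apply_key(blocks, receiver_priv), sender_pub)

# PKI part: the CA signs a hash over (subject, public key, serial).  An endpoint
# that trusts the CA's public key can then trust that the key belongs to the subject.
def _fingerprint(subject: str, pub, serial: int, n: int) -> int:
    data = f"{subject}|{pub[0]}|{pub[1]}|{serial}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_cert(subject: str, subject_pub, serial: int, ca_priv) -> dict:
    d, n = ca_priv
    fp = _fingerprint(subject, subject_pub, serial, n)
    return {"subject": subject, "pub": subject_pub, "serial": serial,
            "sig": pow(fp, d, n)}

def verify_cert(cert: dict, ca_pub, crl: set) -> bool:
    """Valid only if the CA signature checks AND the serial is not on the CRL."""
    e, n = ca_pub
    if cert["serial"] in crl:
        return False
    fp = _fingerprint(cert["subject"], cert["pub"], cert["serial"], n)
    return pow(cert["sig"], e, n) == fp

def demo() -> dict:
    smith_pub, smith_priv = keygen(61, 53)    # n = 3233, the sender
    jones_pub, jones_priv = keygen(101, 113)  # n = 11413, the receiver
    ca_pub, ca_priv = keygen(127, 131)        # n = 16637, the certification authority
    msg = b"pay 100"
    cert = issue_cert("smith", smith_pub, 42, ca_priv)
    swapped = dict(cert, pub=jones_pub)       # someone substituted another key
    return {
        "confidential": open_confidential(confidential(msg, jones_pub), jones_priv) == msg,
        "authenticated": check_authenticated(authenticated(msg, smith_priv), smith_pub) == msg,
        "both": open_both(both(msg, smith_priv, jones_pub), jones_priv, smith_pub) == msg,
        "cert_ok": verify_cert(cert, ca_pub, crl=set()),
        "cert_swapped_key": verify_cert(swapped, ca_pub, crl=set()),
        "cert_revoked": verify_cert(cert, ca_pub, crl={42}),
    }
```

Because the per-byte encryption is deterministic, identical bytes produce identical ciphertext blocks, which is why real RSA use adds randomized padding and wraps a symmetric key (the digital envelope) rather than encrypting the message itself.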
-
You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in Knowledge Statement 5.14. Let us discuss peer-to-peer computing, instant messaging, and web-based technologies in the next screen. CISA candidates must have a knowledge of the risks and controls associated with peer-to-peer computing, instant messaging, and web-based technologies, for example social networking, message boards, and blogs. Peer-to-peer computing, instant messaging, and web-based technologies (for example social networks, message boards, and blogs) are technologies that introduce new risk to the enterprise. Information posted on social network sites may inadvertently disclose confidential, non-public information that may violate financial security laws or customer privacy laws. Peer-to-peer computing is inherently insecure and may lead to the introduction of malicious code into an otherwise secure environment. The main areas to be covered here are computer crime issues and exposures, and peer-to-peer computing, instant messaging, and web-based technologies.

In the next screen we will learn more about peer-to-peer computing. In peer-to-peer computing there is no specific server to which a user connects; generally the connection is between two peers. As a result there are risks associated with peer-to-peer computing. Since there is no central server, the risks include: virus-infected files can be directly shared with others; Trojans and spyware may be inadvertently copied across systems; users may expose their IP addresses, which could result in, for example, IP spoofing, traffic sniffing, and other IP-based attacks; and a user from the peer network may access sensitive data in unprotected folders. Proper security policies and control measures are required for peer-to-peer computing; the safest approach is to deny such connections unless there is a business need.

In the next screen we will learn about instant messaging. Instant messaging (IM) is a popular mechanism for collaboration and keeping in touch. It involves two or more users connecting and chatting on topics of interest, with prompt acknowledgement and response rather than emails. The risks of instant messaging are: eavesdropping, if sensitive information is sent over unencrypted channels; the exchange of virus-infected files and other malicious code; data leakage, if files are sent unmonitored over IM channels; and exploitation of vulnerabilities, if the public IM client software is not adequately patched. Controls: a good IM policy and user awareness are required; it is advisable to use internal IM software instead of public software; only enterprise employees should be allowed to connect; and adequate monitoring of IM use is needed to minimize the risk of data leakage of confidential information.

In the next slide we will discuss social networking sites. Social networking sites (SNS) include sites such as Facebook and LinkedIn that help establish connections with colleagues, friends, and relatives. Risks: uploading of personal and private information, phishing, URL spoofing, and cyberstalking. Controls: policies on what information can be shared on such sites; education and awareness for staff on what information to share or not share on such sites; and also having a policy banning the use of such sites in the office. Let us continue discussing social networking sites in the next screen. Example of an incident: a hacker was able to gather information about the names of friends and the date of birth of an employee. They used this information to do email spoofing and managed to receive money from the friends by impersonating him and claiming to be stranded in another country with no passport and money.
-
You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in Knowledge Statement 5.15. Let us discuss the controls and risks associated with the use of mobile and wireless devices in the next screen. The CISA candidate must have a knowledge of the controls and risks associated with the use of mobile and wireless devices. Portable and wireless devices present a new threat to an organization's information assets and must be properly controlled. Policies and procedures, as well as additional protection mechanisms, must be put into place to ensure that data are protected to a greater extent on portable devices, since such devices will most likely operate in environments where physical controls are lacking or non-existent. Most transportable media, including PDAs, BlackBerry devices, etc., are easily lost or stolen and thus require the use of encryption technologies as well as strong authentication. It also may be necessary to classify some data as inappropriate for storage on a mobile device. The IS auditor should understand that all such media and devices, which may include personal music (MP3) devices, can also be used by an individual to steal both data and programs for personal use or gain. We will focus on mobile computing; the main area covered here is mobile computing.

In the next screen we will discuss the risk of using laptops, which is the difficulty of implementing logical and physical security in a mobile environment. Laptop security controls and measures: engraving the serial number and company name; cable locks; monitor detectors; regular backup of sensitive data; encryption of data; allocating passwords to individual files; and theft response procedures.

You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in Knowledge Statement 5.16. Let us discuss voice communication security in the next screen. It is key to know voice communication security, for example PBX and VoIP. The increasing complexity and convergence of voice and data communications introduces additional risks that must be taken into account by the IS auditor. VoIP and PBX environments involve many security risks, both within and outside the organization, that must be addressed to ensure the security and reliability of voice communications. The main areas to be covered here are Voice over IP and private branch exchange.

In the next slide we will discuss VoIP. IP telephony (Internet telephony) is the technology that makes it possible to have a voice conversation over the Internet. The protocols used to carry the signal over the IP network are referred to as VoIP. VoIP is a technology where voice traffic is carried on top of the existing data infrastructure. In VoIP, sounds are digitized into IP packets and transferred through the network layer before being decoded back into the original voice. VoIP has reduced long-distance call costs in a number of organizations; thus we will focus on Voice over IP and private branch exchange. Let us continue to discuss VoIP in the next slide.

VoIP advantages over traditional telephony: VoIP innovation progresses at market rates rather than at the rates of the ITU (International Telecommunications Union); lower costs per call, or even free calls, for long-distance calls; and lower infrastructure costs. The risks associated with the use of VoIP are the need to protect two assets, the data and the voice, and inherent poor security: the current Internet architecture does not provide the same physical wire security as the phone lines. The control for securing VoIP is implementing security mechanisms such as those deployed in data networks, for example firewalls and encryption, to emulate the security level currently used by PSTN network users.

In the next screen we will discuss private branch exchange (PBX). A PBX is a sophisticated computer-based phone system from the early 1920s; originally it was analog, but it is now digital. Its principal purpose was to save the cost of providing each person with a line. Its attributes include multiple telephone lines, digital phones for both voice and data, switching of calls within the PBX, a non-blocking configuration that allows simultaneous calls, and an operator console or switchboard. Let us continue discussing private branch exchange (PBX) in the next screen. The risks associated with the use of a PBX are theft of service and toll fraud, disclosure of information through eavesdropping, unauthorized access to resources, denial of service, and traffic analysis (a passive attack).

You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in Knowledge Statement 5.17.
-
Let us discuss evidence preservation techniques in the next screen. The CISA candidate must have a knowledge of the evidence preservation techniques and processes followed in forensic investigations, for example the IT process and the chain of custody. Audit conclusions should be supported by reliable and relevant evidence. Evidence collected during the course of an audit follows a life cycle; the life cycle covers the collection, analysis, preservation, and destruction of evidence. The source of evidence should be reliable and qualified, that is, from an appropriate original source rather than obtained as hearsay. Evidence should originate directly from a trusted source to help ensure objectivity in fraud investigations or legal proceedings. Maintaining the integrity of evidence throughout the evidence life cycle may be referred to as the chain of custody. When the evidence is classified as forensic audit evidence, it should include information regarding its date of creation. The main areas covered here are evidence, audit documentation, investigation techniques, and continuous auditing.

In the next few screens we will discuss investigation techniques. Investigation techniques include the investigation of computer crime and the protection of evidence and chain of custody, among others. Investigation of computer crime: computer crimes are not reported in most cases, simply because they are not detected or because of the negative publicity they generate. In many countries laws are directed toward protecting physical property, making it very difficult to use such laws against computer crime. It is very important that proper procedures are used to collect evidence from a crime scene: the environment and evidence must be left unaltered, and specialist law enforcement officials must be called in after a crime.

Computer forensics is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable in any legal proceedings, for example in court. It includes activities involving the exploration and application of methods to gather, process, interpret, and use digital evidence. Loss of preservation of the integrity of evidence means loss of value in legal proceedings. The chain of evidence contains information regarding who had access to the evidence, in chronological manner; the procedures followed in working with the evidence; and proof that the analysis is based on copies identical to the original evidence.

Considerations regarding evidence: identify, that is, identify information that may form evidence; preserve, the practice of retrieving identified information and preserving it as evidence, which involves imaging of the original data and documenting the chain of custody; analyze, which involves extracting, processing, and interpreting the evidence, with the analysis performed on an image of the media, not the original; and present, which involves a presentation to the various audiences, such as management and attorneys, where the presenter must be qualified and the process of preservation and analysis credible.

Key elements of computer forensics the IS auditor should consider: data protection, measures to ensure the sought-after information isn't altered; data acquisition, all required data transferred to a controlled location and writable media write-protected; imaging, a process allowing for bit-for-bit replication of data on disk that avoids damage to the original data; extraction, the process of identification and selection of relevant data from the imaged data set; interrogation, used to obtain prior indicators or relationships from the extracted data; ingestion/normalization, the process of converting extracted information to a format that can be understood by investigators; and reporting, as information should be collected and reported in a proper way for it to be valuable.
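As an added example (not part of the course), the following Python puts the preserve, imaging, and data protection steps above into code: the original is hashed at acquisition and re-hashed on every chain-of-custody entry, a bit-for-bit image is verified against that hash, extraction runs on the image only, and a later change to the original is caught and attributed to the custody entry where it appeared. The examiner names and the sample disk contents are constructed.

```python
"""Added example, not from the course: the 'preserve', 'imaging' and 'data
protection' steps of the forensic process as code.  A constructed byte string
stands in for a seized disk; examiner names are made up."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Evidence:
    """Holds the original medium and its chain-of-custody log."""

    def __init__(self, label: str, raw: bytes, examiner: str):
        self.label = label
        self._raw = bytearray(raw)      # stands in for the write-protected disk
        self.acquisition_hash = sha256_hex(self._raw)
        self.custody = []
        self.log(examiner, "acquired", "write-blocker attached, hash recorded")

    def log(self, who: str, action: str, detail: str) -> None:
        """Every entry records who, what, when, and the original's hash NOW."""
        self.custody.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "who": who, "action": action, "detail": detail,
            "original_hash": sha256_hex(self._raw),
        })

    def image(self, who: str) -> bytes:
        """Bit-for-bit copy, verified against the acquisition hash before use."""
        copy = bytes(self._raw)
        if sha256_hex(copy) != self.acquisition_hash:
            raise RuntimeError("image does not match the acquired original")
        self.log(who, "imaged", "sha256 " + self.acquisition_hash)
        return copy

    def broken_links(self) -> list:
        """Custody entries whose recorded hash differs from the acquisition hash;
        an empty list means the original was never altered while in custody."""
        return [e for e in self.custody
                if e["original_hash"] != self.acquisition_hash]


def extract(image: bytes, keyword: bytes) -> list:
    """Extraction step, run on the image: byte offsets where keyword occurs."""
    hits, start = [], 0
    while (i := image.find(keyword, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def demo() -> dict:
    raw = b"FAT32 header ... invoice-9912.pdf ... transfer to ACME ... invoice-9913.pdf"
    ev = Evidence("laptop-HDD-01", raw, examiner="examiner-1")
    img = ev.image(who="examiner-1")
    hits = extract(img, b"invoice-")           # analysis touches the image only
    ev.log("examiner-1", "extracted", f"{len(hits)} keyword hits on image")
    clean = ev.broken_links() == []
    # Mistake scenario: someone opens the original and overwrites five bytes.
    ev._raw[0:5] = b"XXXXX"
    ev.log("examiner-2", "opened original", "viewed in hex editor")
    return {
        "hits": hits,
        "image_hash_ok": sha256_hex(img) == ev.acquisition_hash,
        "intact_before": clean,
        "intact_after": ev.broken_links() == [],
        "tampering_entry": ev.broken_links()[0]["who"],
    }
```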
-
You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in Knowledge Statement 5.18. Let us discuss data classification standards and supporting procedures in the next screen. The CISA candidate must have a knowledge of data classification standards and supporting procedures. Information assets have varying degrees of sensitivity and criticality in meeting business objectives, and data is classified and protected according to the set degree. An important first step to data classification is discovery, inventory, and risk assessment. Once this is accomplished, data classification can then be put into use by assigning classes or levels of sensitivity and criticality to information resources and establishing specific security rules for each class. Enterprises can define the level of access controls and the retention time and destruction requirements that should be applied to each information asset. The IS auditor should understand the process of classification and the interrelationship between data classification and the need for inventorying information assets and assigning responsibility to data owners. Data owner responsibilities should be clearly identified, documented, and implemented. The main area to be covered here is inventory and classification of information assets.

In the next screens we will learn about inventory and classification of information assets. A detailed inventory of information assets is required for effective control; the inventory is the first step in classifying the assets and determining the level of protection required. The inventory record should include: specific identification of the asset; its relative value to the organization; its location; its security risk classification; the asset group, where the asset forms part of a larger IS; the owner; and the designated custodian. Classification should be simple and employed during risk assessment by end-user managers and system administrators; use ISO/IEC 27012:2005. It reduces the risk and cost of over- or under-protection, and is used to identify who has access to what, who determines access rights and levels, and the approvals required for access. Classification is done by differing degrees for data sensitivity and the mission criticality of the business applications. Let us continue discussing inventory and classification of information assets in the next screen.

Classification of assets: information assets have varying degrees of sensitivity and criticality, which determine the appropriate levels of control. Application and database criticality classification, for example: mission critical, significant, moderate, or low.

You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in Knowledge Statement 5.19.
-
Let us discuss physical access controls in the next screen. Candidates should know the physical access controls for the identification, authentication, and restriction of users to authorized facilities. Physical security weaknesses can result in financial loss, legal repercussions, loss of credibility, or loss of competitive edge; thus information assets must be protected against physical attacks such as vandalism and theft through controls that restrict access to sensitive areas containing computer equipment or confidential data files. Such controls usually employ the use of access door locks that require the use of a password, key, token, or biometric authentication of the person attempting entry. In high-security areas, access may require authentication through multiple means and the use of strong security measures such as airlock-type or mantrap entrances. The IS auditor should understand the nature of physical controls and the ways in which they can be circumvented, as well as the concept of the security boundary, to establish where such devices should be placed and how effective they must be. The main area covered here is physical access controls and exposures.

Physical access controls and exposures is our main focus in the next screen. Physical access controls: door locks (bolting, combination, electronic, biometric); dead-man doors; logging (manual or electronic); identification badges; video cameras; security guards; controlled visitor access; bonded personnel; not advertising the locations of sensitive facilities; computer workstation locks; controlled single entry points; alarm systems; and secured report/document distribution carts. Exposures primarily originate from natural and man-made hazards and include unauthorized entry, damage, vandalism, theft, viewing or copying sensitive information, alteration of data, public disclosure of sensitive information, abuse of processing facilities, blackmail, and embezzlement. Let us continue discussing physical access exposures in the next screen. Auditing physical access involves touring the information processing facility, visibly observing physical access controls, reviewing physical security documentation, and evaluating general cleanliness: doors, windows, walls, curtains, ceilings, raised floors, and ventilation.

You will now attempt a question to test what you have learned so far.

In this topic we will learn about the concepts in Knowledge Statement 5.20. Let us discuss environmental protection devices and supporting practices in the next screen. The CISA candidate has to have a knowledge of environmental protection devices and supporting practices. Certain natural and man-made events have the ability to do great damage to an organization's information systems and business processes. Most data centers have mechanisms to prevent, detect, or mitigate the impact of these threats; however, it is important that the readiness and sufficiency of these controls be periodically tested by management to ensure that they will function as intended. The IS auditor should understand the nature of these controls and how to ensure that they are functioning properly and are adequate to protect the organization. Let us continue discussing environmental protection devices and supporting practices. Environmental controls generally include fire and smoke detectors, fire suppression systems, water detectors, and temperature and humidity controls. The IS auditor should know the relative merits of different fire suppression systems and in what circumstances one type is more appropriate than another. The main area of coverage is environmental exposures and controls.

In the next few screens we will discuss environmental exposures and controls. The environmental exposures include: natural events like lightning, storms, earthquakes, etc.; power failures, which are of particular concern: total failure (blackouts), severely reduced voltage (brownouts), sags, spikes, and surges; electromagnetic interference (EMI) caused by electrical storms or noisy electrical equipment; static electricity; magnetic fields; water damage and flooding; fire; and man-made events such as terrorism, vandalism, smoke, food
-
natural elements humidity dust
-
temperature environmental controls power
-
continuity power generators long-term
-
power interruptions surge protectors at
-
least on all expensive equipment UPS
-
devices sags spikes surges emergency
-
power off switch redundant power lines
-
for example leads from two
-
substations fire controls fire
-
extinguishers strategically plac
-
throughout facility fire suppression
-
systems either waterbased sprinklers
-
damages equipment or dry pipe sprinklers
-
Halon systems or CO2 based regular
-
inspection by the fire department also
-
use of audible fire alarms smoke
-
detectors having defined
-
responsibilities marked locations
-
fireproof walls floors and
-
ceilings more however environmental
-
controls that can be applied are
-
strategically locating the computer room
-
not basement raised floors and water
-
detectors water proper ventilation
-
humidity and temperature control wiring
-
placed in fire resistant panels and
-
conduits prohibit eating drinking and
-
smoking within information processing
-
facilities documented and tested
-
emergency evacuation plan auditing
-
environmental controls involve checking
-
that systems work as specified and are
-
inspected and tested at least once a
-
year placing and assigning
-
responsibility to concerned persons
-
maintaining communication and awareness
-
having a business continuity plan that
-
will be used in case of a disaster this
-
plan should be fully documented and
-
tested you will now attempt a question
-
to test what you have learned so far in
-
this topic we will learn about the
-
concepts in knowledge statement
-
5.21 let us discuss about handling
-
confidential information Assets in the
-
next few
-
screens knowledge of the processes and
-
procedures used to store retrieve
-
transport and disposal of confidential
-
information assets is key for a cesa
-
candidate to learn confidential
-
information assets are vulnerable during
-
storage retrieval and transport and must
-
be disposed of properly management
-
should Define and Implement procedures
-
to prevent unauthorized access to or
-
loss of sensitive information and
-
software from computers Diss and other
-
equipment or media when they are stored
-
transported or transmitted during
-
processing retrieval and output the is
-
auditor should also understand the need
-
for correct disposal of information and
-
media in order to ensure that no
-
unauthorized person gain access to the
-
information by restoration or
-
Recreation thus we will mainly discuss
-
about storing retrieving transport and
-
disposing of confidential information
-
Assets in the next slide let us discuss
-
about handling confidential information
-
storing retrieving transporting and
-
disposing of confidential information
-
need procedures to prevent access to or
-
loss of sensitive information and
-
software further controls are required
-
for backup files and databases data
-
banks disposal of media previously used
-
to hold confidential information
-
management of equipment sent for
-
off-site maintenance public agencies and
-
organizations concerned with sensitive
-
critical or confidential information e
-
toen electronic Keys storage records let
-
us continue discussing handling
-
confidential information in the next
-
screen preserving information during
-
shipment or storage by keeping out of
-
direct sunlight keeping free of dust
-
keep free of liquids minimize exposure
-
to magnetic fields radio equipment or
-
any sources of vibration do not Air
-
transport in areas and at times of
-
exposure to a strong magnetic storm you
-
will now attempt a question to test what
-
you have learned so far protection of
-
information assets
-
1. A long asymmetric encryption key (public key encryption) increases encryption overhead cost.
2. Creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel.
3. Worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email.
4. Identifying network applications such as mail, web, or FTP servers to be externally accessed is an initial step in creating a proper firewall policy.
5. The SSL protocol provides confidentiality through symmetric encryption such as the Data Encryption Standard (DES). DES is the cipher cited in older CISA material; current TLS deployments use AES.
6. Intrusion detection systems (IDSs) are used to gather evidence of network attacks.
7. Time stamps are an effective control for detecting duplicate transactions such as payments made or received.
8. Traffic analysis is a passive attack method used by intruders to determine potential network attacks.
9. File encryption is a good control for protecting confidential data that resides on a PC.
10. Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly.
11. Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis, as defined by the organization's data owners.
12. A callback system is a remote access control in which the user initially connects to the network systems via dial-up access, only to have the connection terminated by the server, which then subsequently dials back the user at a predetermined number stored in the server's configuration database.
13. Information system security policies are used as the framework for developing logical access controls.

This concludes the domain on protection of information assets. This is the last domain to be covered in this course. With this we have come to the end of this course. Happy learning.
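The duplicate-transaction check behind review item 7 above, as an added example that is not part of the course material: a batch check over an exported payment ledger that flags a payment when another payment with the same account, payee, and amount was recorded within a short time window. The Payment record layout, the sample ledger, and the five-minute default window are constructed assumptions for the example.

```python
"""Added example (not from the course): timestamp-based duplicate payment
detection, the control behind review item 7.

Assumptions (hypothetical): a ledger exported as Payment records with the
field names below, and a five-minute default window.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Payment:
    txn_id: str          # system-assigned transaction id
    account: str         # paying account
    payee: str           # counterparty
    amount_cents: int    # integer minor units avoid float rounding issues
    timestamp: datetime  # server-side time at which the payment was recorded


# Constructed sample ledger (not real data).
SAMPLE_LEDGER: List[Payment] = [
    Payment("T1", "ACC-100", "VENDOR-A", 125000, datetime(2024, 3, 1, 9, 0, 0)),
    Payment("T2", "ACC-100", "VENDOR-A", 125000, datetime(2024, 3, 1, 9, 0, 45)),  # client retry of T1
    Payment("T3", "ACC-100", "VENDOR-B", 125000, datetime(2024, 3, 1, 9, 1, 0)),   # same amount, other payee
    Payment("T4", "ACC-100", "VENDOR-A", 125000, datetime(2024, 4, 1, 9, 0, 0)),   # recurring monthly bill
    Payment("T5", "ACC-200", "VENDOR-A", 125000, datetime(2024, 3, 1, 9, 0, 10)),
    Payment("T6", "ACC-200", "VENDOR-A", 125000, datetime(2024, 3, 1, 9, 0, 10)),  # double-posted T5
]


def find_duplicates(ledger: List[Payment], window_seconds: float = 300) -> List[Tuple[str, str]]:
    """Return (original_id, duplicate_id) pairs in detection order.

    The ledger is sorted by timestamp (txn_id breaks ties, so payments with
    identical timestamps are handled deterministically). For each key
    (account, payee, amount) the last *accepted* payment is remembered; a
    later payment with the same key inside the window is flagged. The window
    is anchored at the accepted original rather than at the last duplicate,
    so a burst of retries cannot extend it indefinitely. A same-key payment
    outside the window (for example a monthly recurring bill) is accepted and
    becomes the new anchor.
    """
    flagged: List[Tuple[str, str]] = []
    last_accepted: Dict[Tuple[str, str, int], Payment] = {}
    for p in sorted(ledger, key=lambda x: (x.timestamp, x.txn_id)):
        key = (p.account, p.payee, p.amount_cents)
        prev = last_accepted.get(key)
        if prev is not None and (p.timestamp - prev.timestamp).total_seconds() <= window_seconds:
            flagged.append((prev.txn_id, p.txn_id))
            continue
        last_accepted[key] = p
    return flagged


if __name__ == "__main__":
    for orig, dup in find_duplicates(SAMPLE_LEDGER):
        print(f"{dup} looks like a duplicate of {orig}")
```

The check only works as a control if the timestamp is assigned by the server when the transaction is recorded; a client-supplied timestamp can be back-dated to fall outside the window. The window size is a tuning decision: too short misses slow retries, too long flags legitimate repeated payments, which is why the key also includes payee and amount rather than amount alone.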