Hello and welcome to the fifth domain of the Certified Information Systems Auditor (CISA) course offered by Simplilearn. This domain will cover protection of information assets. Let us look at the objectives of this domain in the next screen.

By the end of this domain, you should be able to understand and provide assurance that the enterprise's security policies, standards, procedures, and controls ensure the confidentiality, integrity, and availability of information assets; detail the design, implementation, and monitoring of security controls; discuss the risks associated with the use of mobile and wireless devices; understand encryption techniques such as public key infrastructure and risks related to data leakage; detail network detection tools and techniques; and discuss how confidential information can be stored, retrieved, transported, and disposed of. The following screen gives an overview of this domain.

An information asset is a component related to the provision of accurate data or information for decision-making purposes by an entity. It is considered to hold value to that particular organization and should therefore be protected by ensuring confidentiality, integrity, and availability (CIA). Examples of information assets are information or data; computer application systems; computers, personal computers (PCs), laptops, PDAs, and phones; networks, local area networks (LANs), wide area networks (WANs), and wireless networks; human resources; facilities, main distribution facilities (MDFs), data centers, and server rooms; and other technologies such as database technologies, among others. Let us continue with the overview in the following screen.

The risks to business include financial loss, electronic fraud, legal repercussions, privacy issues, loss of credibility or competitive edge, blackmail, industrial espionage, sabotage, and breach of confidentiality. Security failures can be costly to business, as more costs are incurred to secure systems and prevent further failure. Furthermore, costs are incurred from losses from the failure itself and when recovering from such losses. Let us now look at threats to information assets in the next slide.

The threats to information assets include hackers, crackers, phreakers, authorized or unauthorized employees, IS personnel, end users, former employees, interested or educated outsiders, competitors, organized criminals, part-time and temporary personnel, vendors and consultants, and finally accidental ignorance. Let us begin with the first topic in this domain in the following screen.

In this topic, we will learn about the concepts under the first Knowledge Statement, KS 5.1. We will begin with design, implementation, and monitoring of security controls in the next screen.
The key knowledge statement is to understand the techniques for the design, implementation, and monitoring of security controls, including security awareness programs. Security needs to be aligned with business objectives to provide a reasonable reduction in risk. Security objectives may include the following: ensure the continued availability of information systems; ensure the integrity of information stored on its computer systems and security while the information is in transit; preserve the confidentiality of sensitive data while stored and in transit; and ensure compliance with applicable laws, regulations, and standards. Let us continue discussing design, implementation, and monitoring of security controls in the next screen.

A further objective is to ensure adherence to trust and obligation requirements for any information assets in accordance with the applicable privacy policy or privacy laws and regulations. Prudence in the application of controls is important because controls entail a cost, either directly or indirectly by impacting business operations. The business impact analysis (BIA) is the process used to establish the material adverse events the business should be worried about. The following screen lists the main areas to be covered under this knowledge statement.

The main areas to cover here are key elements of information security management, critical success factors to information security, inventory and classification of information assets, and network infrastructure security. In the next screen, we will learn about information security management.
Effective ISM is the most critical factor in protecting information assets and privacy. The factors that raise the profile of information and privacy risk include electronic trading through service providers and directly with customers, loss of organizational barriers through the use of remote access facilities, and high-profile security exposures: viruses, denial of service (DoS) attacks, intrusions, unauthorized access, disclosures and identity theft over the Internet, etc. Let us continue discussing information security management (ISM) in the next screen.

Security awareness and education is delivered through training and regular updates: written policies and procedures and their updates, non-disclosure statements signed by employees, newsletters, web pages, videos, and other media, visible enforcement of security rules, simulated security incidents and simulated drills, rewards for reporting suspicious events, and periodic audits. Monitoring and compliance: control includes an element of monitoring and usually relates to regulatory and legal compliance, incident handling, and response. In the next few screens, we will learn about roles and responsibilities under information security management.

The security objectives to meet business requirements are to ensure continued availability of information systems, to ensure the integrity of information stored in systems and while in transit, to preserve the confidentiality of sensitive data, to ensure conformity to applicable laws, regulations, and standards, to ensure adherence to trust and obligation requirements, and to ensure protection of sensitive data. Data integrity, as it relates to security objectives, generally refers to the accuracy, completeness, consistency or neutrality, validity, and verifiability of the data once loaded on the system. Integrity refers to the reliability of data. Let us continue discussing information security management (ISM) in the next screen.
The key elements of ISM are: senior management commitment and support, as risk management begins at the top; policies and procedures, the framework that captures top management's declaration of direction; and organization, with clearly defined and allocated roles and responsibilities, supplemented with guidance, which usually relates to regulatory and legal compliance. Let us continue discussing information security management (ISM) in the next screen.

Roles and responsibilities must be defined, documented, and communicated to personnel and management. The IS security steering committee is represented by individuals from various management levels. It also discusses and approves security policies, guidelines, and procedures, with input from end users, executive management, auditors, security administration, IS personnel, and legal counsel. The committee is formally established with appropriate terms of reference. Executive management is responsible for the overall protection of information assets and for issuing and maintaining the policy framework.

The security advisory group is responsible for defining the information risk management process and the acceptable level of risk, and for reviewing security plans. It is comprised of people involved in the business and provides comments on security issues to the chief security officer (CSO). It also advises the business whether the security programs meet business objectives. The chief information security officer (CISO) is a senior-level corporate official responsible for articulating and enforcing policies used to protect information assets. He has a much broader role than the CSO, who is normally only responsible for physical security within the organization.

Information asset owners and data owners are entrusted with the responsibility for the owned asset, including performance of a risk assessment, selection of appropriate controls to mitigate the risk, and acceptance of the residual risk. Process owners ensure appropriate security measures consistent with organizational policy are maintained. Users comply with procedures set out in the security policy, and adhere to privacy and security regulations, often specific to sensitive data, for example, health, legal, finance, etc. The chief privacy officer (CPO) is a senior-level corporate official and is responsible for articulating and enforcing policies used to protect customers' and employees' privacy rights. External parties follow procedures set out in the security policy. They adhere to privacy and security regulations, often specific to sensitive data, for example, health, legal, finance, etc.

The information security administrator is a staff-level position. He is responsible for providing adequate physical and logical security for IS programs, data, and equipment, normally guided by the information security policies. Security specialists and advisors assist with the design, implementation, management, and review of security policies, standards, and procedures. IT developers implement information security within their applications. IS auditors provide independent assurance on the appropriateness and effectiveness of information security objectives and controls related to these objectives. In the next screen,
we will learn about system access permissions. System access permission is the ability to do something with a computer resource: read, create, modify, or delete a file or data, execute a program, or use an external connection. It is controlled at the physical and/or logical level. Logical controls govern access to information and programs. They are built into operating systems, invoked through access control software, and incorporated in application programs, DBs, network control devices, and utilities. Let us continue discussing system access permissions in the next screen.

Physical controls restrict entry and exit of personnel and movement of equipment and media. They include badges, memory cards, keys, and biometrics. Access is granted on a documented, need-to-know basis with a legitimate business requirement, based on least privilege and on segregation of duties principles. Access principles relate to four layers of security, namely network, platform (typically the operating system), database, and application. In the next screen, we will learn about mandatory and discretionary access controls.

Mandatory access controls (MACs) are logical access controls that cannot be modified by normal users or data owners. They act by default and are used to enforce critical security without possible exception. Only administrators can grant a right of access, guided by an established policy of the organization. Discretionary access controls (DACs) may be configured or modified by the users or data owners. Access may be activated or modified by a data owner. DACs cannot override MACs, and they act as additional filters to restrict access further. In the next few screens, we will learn about privacy management issues and the role of IS auditors.
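The interaction just described, where a discretionary grant can only narrow what the mandatory policy already allows, is easiest to see in code. The following Python example is added here as an illustration; it is not part of the course material. The level names, the users and file, and the simplified mandatory rule (a subject may act on an object only if its clearance is at least the object's classification) are constructed for the example.

```python
"""Mandatory access control with a discretionary filter underneath it.

Added illustration (not course material). Labels are set only by an
administrator; owners manage an ACL that can narrow access but never
widen what the mandatory rule allows. All names and data are constructed.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels used by the mandatory policy (constructed).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass
class User:
    name: str
    clearance: str            # MAC label, administrator-controlled
    is_admin: bool = False


@dataclass
class Resource:
    name: str
    classification: str       # MAC label, administrator-controlled
    owner: str
    acl: dict = field(default_factory=dict)   # DAC: user name -> set of rights


def mac_permits(user: User, res: Resource) -> bool:
    """Simplified mandatory rule (an assumption of this example): the
    user's clearance must be at least the resource's classification."""
    return LEVELS[user.clearance] >= LEVELS[res.classification]


def dac_permits(user: User, res: Resource, right: str) -> bool:
    """Discretionary rule: the owner holds every right on their own
    resource; anyone else needs an explicit ACL entry for that right."""
    if user.name == res.owner:
        return True
    return right in res.acl.get(user.name, set())


def grant(owner: User, res: Resource, grantee: str, right: str) -> None:
    """DAC administration by the data owner. It edits the ACL only, so it
    cannot relax the mandatory policy."""
    if owner.name != res.owner:
        raise PermissionError(f"{owner.name} does not own {res.name}")
    res.acl.setdefault(grantee, set()).add(right)


def relabel(admin: User, res: Resource, classification: str) -> None:
    """MAC administration: only an administrator may change a label."""
    if not admin.is_admin:
        raise PermissionError("only an administrator can change MAC labels")
    if classification not in LEVELS:
        raise ValueError(f"unknown level {classification}")
    res.classification = classification


def access_allowed(user: User, res: Resource, right: str) -> bool:
    """Final decision: the mandatory check first, then DAC as a further filter."""
    return mac_permits(user, res) and dac_permits(user, res, right)


if __name__ == "__main__":
    alice = User("alice", "SECRET")
    bob = User("bob", "INTERNAL")
    root = User("root", "SECRET", is_admin=True)
    plan = Resource("merger_plan.doc", "CONFIDENTIAL", owner="alice")

    print(access_allowed(alice, plan, "read"))   # True: owner with sufficient clearance
    print(access_allowed(bob, plan, "read"))     # False: clearance too low, no ACL entry
    grant(alice, plan, "bob", "read")            # owner's DAC grant...
    print(access_allowed(bob, plan, "read"))     # ...still False: MAC is not overridden
    relabel(root, plan, "INTERNAL")              # only an administrator can relabel
    print(access_allowed(bob, plan, "read"))     # True: MAC now permits, DAC grant applies
    print(access_allowed(bob, plan, "write"))    # False: DAC grants read only
```

The point for an auditor is the order of evaluation in access_allowed: a DAC grant made by an owner never reaches the decision until the mandatory check has passed, and only the administrator path can change the labels that drive that check.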
Privacy issues relate to personally identifiable information, for example, a personal identification number (PIN). Regulations generally restrict the use of such data by giving the subject individual rights to access and correct that data. They also govern how such data is obtained, requiring the knowledge and consent of the data subject. The impact of risks includes marketing risks, transborder data flow, and variations in regulations, and may require privacy experts during risk assessment.

The goals of a privacy impact assessment are identifying the nature of personally identifiable information relating to business processes; documenting the collection, use, disclosure, storage, and destruction of personally identifiable information; providing management with an understanding of privacy risk and options to mitigate this risk; ensuring accountability for privacy; and facilitating compliance with relevant regulations.

IS audit considerations relating to privacy include the adequacy of the privacy assessment, for example, compliance with privacy policy, laws, and other regulations, and the manner in which IT is used for competitive gain. Another consideration is the ongoing assessments conducted when new products, services, systems, operations, processes, and third parties are under consideration. Besides, transborder and multinational laws should also be considered. The focus and extent of the privacy impact assessment may depend on changes in technology, processes, or people, as shown below. In the next few screens,
we will learn about information security and external parties. Human resources security and third parties: security roles and responsibilities of employees, contractors, and third-party users should be defined and documented in accordance with the organizational security policy. Information security policies guide employees, contractors, and third-party users. Information security and external parties: the security of information and processing facilities must be maintained when external party services or products are introduced. Controls must be agreed to and defined in a formal agreement. The organization must have the right to audit the implementation and operations.

External party arrangements include service providers, ISPs, network providers, managed security services, customers, outsourcing of facilities and/or operations, IT systems, data collection services, management and business consultants and auditors, developers and suppliers, cleaning, catering, and other outsourced support services. Others include temporary personnel, student placements, and other casual short-term appointments.

The risks related to external party access concern information processing facilities that are required to be accessed by external parties. The considerations include the types of access (physical access, logical access, network connectivity), the organization and the external party, the value and sensitivity of the information involved and its criticality for business operations, and legal and other regulatory requirements.

Security in relation to customers involves identifying security requirements for customer access. The customer access security considerations are: asset protection; description of the product or service to be provided; reasons, requirements, and benefits for customer access; access control policy; arrangements for reporting, notification, and investigation of information inaccuracies; target levels of service and unacceptable levels of service; the right to monitor and revoke any activity related to an organization's assets; and intellectual property rights and copyright assignment. You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.2.
Let us discuss monitoring and responding to security incidents in the following screens. The key knowledge point is the processes related to monitoring and responding to security incidents, for example, escalation procedures and the emergency incident response team. A formal incident response capability should be established to minimize the impact of security incidents, recover in a timely and controlled manner, and learn from such incidents. History should be kept through proper recording of incidents. While security management may be responsible for monitoring and investigating events and may have drafted or set a requirement for escalation procedures, other functions must be involved to ensure a proper response. These functions must have well-defined and communicated processes in place that are tested periodically. The main areas covered here are security incident handling and response. In the next screen, we will discuss incident handling and response.

An incident is an adverse event that threatens some aspect of information security. To minimize damage from security incidents and to recover and learn from such incidents, a formal incident response capability has to be established, and it includes planning and preparation, detection, initiation, recording, evaluation, containment, eradication, escalation, response, recovery, closure, and post-incident review. Let us continue discussing incident handling and response.

Procedures are defined for reporting different types of incidents. The process involves quick reporting and collection of evidence, a formal disciplinary process, and, where applicable, automated intrusion detection systems. Incident handling and response roles involve the coordinator, who is the liaison to business process owners; the director, who oversees the incident response capability; managers, who manage individual incidents; security specialists, who detect, investigate, contain, and recover from incidents; non-security technical specialists, who provide assistance on subject matter expertise; and business unit leader liaisons, which include legal, HR, and PR. Logical access controls is another area we are going to learn about in subsequent slides. You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.3.
Let us discuss logical access controls in the following screens. The knowledge point to learn here is logical access controls for the identification, authentication, and restriction of users to authorized functions and data. Logical access controls are used to manage and protect information assets. Controls enact and substantiate policies and procedures designed by management to protect information assets. Controls exist at both the operating system level and the application level, so it is important to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point. Let us continue the discussion about logical access controls in the next few screens.

Logical security is often determined based on the job function of users. The success of logical access controls is tied to the strength of the authentication method, for example, strong passwords. All user access to systems and data should be appropriately authorized and should be commensurate with the role of the individual. Authorization generally takes the form of signatures, physical or electronic, of relevant management. The strength of the authentication is proportional to the quality of the method used. Strong authentication may include dual or multifactor authentication using user ID, password, tokens, and biometrics. The main areas covered here are logical access.

Logical access controls are the primary means used to manage and protect information assets. Exposures can result in anything from minor inconveniences to a total shutdown of computer functions. Logical access controls involve managing and controlling access to information resources. They are based on management policies and procedures for information security. Logical access controls must be evaluated vis-à-vis information security objectives. Familiarization with the IT environment helps in determining which areas, from a risk standpoint, warrant IS auditing attention. This includes reviewing the security layers associated with the IS architecture: network, OS, database, and application.

Paths of logical access are the points of entry to the IS infrastructure: back-end and front-end systems, internally based users, externally based users, and direct access to specific servers. All points of entry must be known. General points of entry relate to the network or telecommunications infrastructure in controlling access to information resources. In a typical client-server environment these are the primary domain controllers and the network management devices, for example, routers and firewalls. The general modes of access are network connectivity and remote access, that is, remotely dialing into a network for services that can be performed remotely, for example, email.

Traditional points of entry are mainly applicable to mainframe-based systems used for large database systems or "legacy" applications. Operator consoles are privileged computer terminals that control most computer operations and functions. They provide a high level of system access but do not have strong logical access controls. They are located in a suitably controlled facility so that physical access can only be gained by authorized personnel. Online workstations in client-server environments: this method typically requires at least a logon ID and password to gain access to the host computer system. It may also require further entry of authentication or identification data for access to application-specific systems.

IS resources are more accessible and available anytime and anywhere. Computers store large volumes of data. Sharing of resources has increased from one system to another, and accessibility has increased through intranets and the Internet. Logical access control software has become critical in protecting IS resources. It prevents unauthorized access to and modification of sensitive data, and unauthorized use of critical functions. It is applied across all layers of the IS architecture: network, OS, DBs, and applications. Common attributes of this software are that it has some form of identification and authentication, provides access authorization, checks access to specific information resources, and provides logs and reporting of user activities. The greatest degree of protection is applied at the network and platform (OS) level, mainly because it is the primary point of entry to systems. Besides, it is the foundation, the primary infrastructure, on which applications and DBs will reside. Also, OS access control software interfaces with databases and/or applications to protect system libraries and datasets. Network devices, for example, routers and firewalls, manage external access to networks and thus need the highest degree of protection.

General OS and application access control software functions include creating or changing user profiles, assigning user identification and authentication, applying user logon limitation rules, for example, restricting logon IDs to specific workstations at specific times, establishing rules for access to specific resources, creating individual accountability and auditability by logging user activities, logging events, and reporting capabilities.
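As an added example (not from the course), the following Python code implements two of the OS-level functions just listed: a logon limitation rule that restricts a logon ID to specific workstations at specific times, and the logging and reporting of the resulting allow and deny decisions that give individual accountability. The rule format, the workstation names and the timestamps are constructed for the example.

```python
"""Logon limitation rules with an audit trail and a reporting function.

Added illustration (not course material). Rules, workstation names and
timestamps below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class LogonRule:
    """Restricts a logon ID to given workstations inside a time window."""
    workstations: set
    start: time                 # inclusive
    end: time                   # exclusive
    weekdays: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri


@dataclass
class AuditEvent:
    when: datetime
    user: str
    workstation: str
    outcome: str                # "ALLOW" or "DENY"
    reason: str


class LogonController:
    def __init__(self, rules: dict):
        self.rules = rules      # logon ID -> LogonRule
        self.events = []        # every decision is recorded, allowed or not

    def _record(self, when, user, ws, outcome, reason) -> AuditEvent:
        event = AuditEvent(when, user, ws, outcome, reason)
        self.events.append(event)
        return event

    def check_logon(self, user: str, workstation: str, when: datetime) -> AuditEvent:
        """Evaluate the rule for this logon ID and log the decision."""
        rule = self.rules.get(user)
        if rule is None:
            return self._record(when, user, workstation, "DENY", "unknown logon ID")
        if workstation not in rule.workstations:
            return self._record(when, user, workstation, "DENY", "workstation not permitted")
        if when.weekday() not in rule.weekdays:
            return self._record(when, user, workstation, "DENY", "outside permitted days")
        if not (rule.start <= when.time() < rule.end):
            return self._record(when, user, workstation, "DENY", "outside permitted hours")
        return self._record(when, user, workstation, "ALLOW", "rule satisfied")

    def report(self, outcome: str = "DENY") -> list:
        """Reporting capability: one line per event with the given outcome."""
        return [f"{e.when:%Y-%m-%d %H:%M} {e.user}@{e.workstation} {e.outcome}: {e.reason}"
                for e in self.events if e.outcome == outcome]


def sample_controller() -> LogonController:
    """Constructed configuration: one clerk allowed on two workstations, 08:00-18:00, Mon-Fri."""
    return LogonController({"clerk1": LogonRule({"WS-101", "WS-102"}, time(8, 0), time(18, 0))})


if __name__ == "__main__":
    ctl = sample_controller()
    ctl.check_logon("clerk1", "WS-101", datetime(2024, 3, 4, 9, 30))    # Monday, in hours
    ctl.check_logon("clerk1", "WS-999", datetime(2024, 3, 4, 9, 30))    # wrong workstation
    ctl.check_logon("clerk1", "WS-101", datetime(2024, 3, 4, 22, 0))    # after hours
    ctl.check_logon("clerk1", "WS-101", datetime(2024, 3, 9, 9, 30))    # Saturday
    ctl.check_logon("nobody", "WS-101", datetime(2024, 3, 4, 9, 30))    # no such ID
    for line in ctl.report("DENY"):
        print(line)
```

Note that denied attempts are recorded with the same detail as successful ones; the deny report is the kind of exception listing an IS auditor would ask the administrator to review periodically.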
Database or application level controls create or change data files and database profiles. They also verify user authorization at the application and transaction level within the application and at the field level for changes within the database. They also verify subsystem authorization for the user at the file level. In addition, they log database and data communications access activities for monitoring access violations. You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.4.
Let us discuss security controls related to hardware and system software. In this slide, we learn about the security controls related to hardware and system software, for example, applications, operating systems, and database management systems. Access control software utilizes both identification and authentication (I&A). Once authenticated, the system then restricts access based on the specific role of the user. I&A is the process by which the system obtains the identity from a user and the credentials needed to authenticate that identity, and validates both pieces of information. I&A is a critical building block of computer security since it is needed for most types of access control and is necessary for establishing user accountability. For most systems, I&A is the first line of defense because it prevents unauthorized access by users or processes to a computer system or an information asset. In the next screen, we will discuss more about security controls related to hardware and system software.

Logical access can be implemented in various ways. The IS auditor should be aware of the strengths and weaknesses of various architectures such as single sign-on (SSO), where a single authentication will enable access to all authorized applications, identity management, and multifactor authentication. If this risk is considered manageable, it should drive the implementation of multifactor authentication. The main areas covered here are identification and authentication, and single sign-on. In the next screen, we will discuss identification and authentication.

Identification and authentication involves proving one's identity, which is authenticated prior to being granted access. It is a critical building block of IS security and the basis of most access control systems: the first line of defense, preventing unauthorized access. I&A also establishes user accountability, linking activities to users. Multifactor authentication is a combination of more than one method, for example, token and password or PIN, or token and biometric device. Let us continue discussing identification and authentication in the next slide.

The categories can be something you know, for example, a password; something you have, for example, a token card; something you are or do, a biometric feature; or where you are. These techniques can be used independently or in combination, as single-factor or two-factor authentication. Some of the common vulnerabilities expected are weak authentication methods, the potential for bypassing the authentication mechanism, lack of confidentiality and integrity of stored authentication information, lack of encryption for transmitted authentication information, and lack of user knowledge regarding the risks of sharing authentication elements, for example, passwords. In the next few screens, we will discuss identification and authentication, logon IDs and passwords.
Logon IDs and passwords are a two-phase user identification and authentication process based on something you know: the logon ID gives individual identification, and the password gives individual authentication. It is used to restrict access to computerized information, transactions, programs, and system software. It may involve an internal list of valid logon IDs and a corresponding set of access rules for each logon ID. The access rules can be specified at the OS level, controlling access to files, or within individual applications, controlling access to menu functions and types of data.

Features of passwords include: easy for the user to remember but difficult for a perpetrator to guess; when the user logs on for the first time, the system should force a password change to improve confidentiality; a limited number of logon attempts, typically three; user verification for forgotten passwords; internal one-way encryption, and not displayed in any form; changed periodically, for example, every 30 days; and unique, since if a password is known by more than one person, responsibility for activity cannot be enforced.

Password syntax format rules: ideally a minimum of eight characters in length; a combination of at least three of the following: alpha, numeric, upper and lower case, and special characters; some prohibit the use of vowels; not particularly identifiable to the user; the system should enforce regular change of passwords, for example, after every 30 days; no re-use of previous passwords, for example, for at least one year after being changed; deactivate dormant logon IDs; automatic session inactivity time-outs; powerful user IDs (accounts) such as Supervisor and Administrator accounts should be strictly controlled, as these could have full access to the system; the administrator password should be known only by one person; however, the password should be kept in a sealed envelope for business continuity. Let us proceed to the next slide for more on passwords.
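The password features and syntax rules above can be enforced mechanically. The following Python example is added here as an illustration and is not part of the course. It applies the lecture's thresholds (minimum eight characters, at least three of four character classes, three logon attempts, change every 30 days, no reuse within a year, forced change at first logon) and stores passwords only through a one-way transform (PBKDF2-HMAC-SHA256 with a random salt). The account structure, the reading of the four character classes as lowercase, uppercase, numeric and special, the lockout behaviour, and all sample accounts and dates are assumptions of the example.

```python
"""Password policy enforcement: syntax rules, one-way storage, forced change
at first logon, expiry, reuse history and lockout after three failures.

Added illustration (not course material); the thresholds follow the lecture,
the storage format, lockout rule and sample data are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8
MIN_CLASSES = 3            # of: lowercase, uppercase, digit, special (assumed reading)
MAX_ATTEMPTS = 3
MAX_AGE = timedelta(days=30)
REUSE_WINDOW = timedelta(days=365)
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes = None) -> tuple:
    """One-way transform: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    Only (salt, digest) is stored; the clear text is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def _matches(salt: bytes, digest: bytes, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_syntax(password: str, logon_id: str) -> list:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if logon_id.lower() in password.lower():      # "not identifiable to the user"
        problems.append("contains the logon ID")
    return problems


@dataclass
class Account:
    logon_id: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    must_change: bool = True          # force a change at first logon
    failed_attempts: int = 0
    locked: bool = False
    history: list = field(default_factory=list)   # (retired_at, salt, digest)


def create_account(logon_id: str, initial_password: str, now: datetime) -> Account:
    salt, digest = hash_password(initial_password)
    return Account(logon_id, salt, digest, now)


def change_password(acct: Account, new_password: str, now: datetime) -> list:
    """Apply the syntax rules and the no-reuse rule; return the violations."""
    problems = check_syntax(new_password, acct.logon_id)
    for retired_at, salt, digest in [(now, acct.salt, acct.digest)] + acct.history:
        if now - retired_at < REUSE_WINDOW and _matches(salt, digest, new_password):
            problems.append("reuses a recent password")
            break
    if problems:
        return problems
    acct.history.append((now, acct.salt, acct.digest))
    acct.salt, acct.digest = hash_password(new_password)
    acct.changed_at, acct.must_change = now, False
    return []


def logon(acct: Account, password: str, now: datetime) -> str:
    """Returns OK, CHANGE_REQUIRED, EXPIRED, LOCKED or DENIED."""
    if acct.locked:
        return "LOCKED"
    if not _matches(acct.salt, acct.digest, password):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True
            return "LOCKED"
        return "DENIED"
    acct.failed_attempts = 0
    if acct.must_change:
        return "CHANGE_REQUIRED"
    if now - acct.changed_at > MAX_AGE:
        return "EXPIRED"
    return "OK"
```

Two details are worth noticing: reuse is checked against the stored digests, so the history never holds a clear-text password, and the comparison uses a constant-time function so that the check itself does not leak how many bytes of a guess matched.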
Token devices and one-time passwords are a two-factor authentication technique, for example, a microprocessor-controlled smart card which generates unique, time-dependent, one-time passwords called session passwords. A session password is good for only one logon session. The users enter this password along with the password they have memorized to gain access to the system. It is characterized by a unique session characteristic, ID or time, appended to the password. The technique involves something you have, a device subject to theft, and something you know, a PIN. In the next screen, we will learn about identification and authentication, biometric access control.
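A time-dependent, one-time session password of the kind a token device generates can be produced with a standard construction. The following Python example is added here and is not part of the course. It implements the HOTP/TOTP algorithm of RFC 4226 and RFC 6238 (HMAC-SHA1 over a counter derived from the time, with dynamic truncation to six digits) and a server-side verifier that tolerates one time step of clock drift and refuses to accept a counter value twice, so a captured code is good for one logon only. The shared secret is the sample value from the RFCs, used here as constructed input.

```python
"""Time-dependent one-time passwords (HOTP, RFC 4226; TOTP, RFC 6238).

Added illustration (not course material). The token side derives a
six-digit code from a shared secret and the current 30-second time step;
the server side verifies it with one step of tolerance and never accepts
the same step twice, so each code is good for a single logon.
"""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30     # seconds per counter value (RFC 6238 default)
DIGITS = 6
WINDOW = 1         # accept one step of clock drift either side


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """Token side: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, at // TIME_STEP)


class Verifier:
    """Server side. Remembers the last accepted step so a captured code
    cannot be replayed within the drift window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        counter = at // TIME_STEP
        for drift in range(-WINDOW, WINDOW + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue                      # already used, or older than the last use
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 sample secret, constructed input
    now = int(time.time())
    code = totp(secret, now)
    server = Verifier(secret)
    print(code, server.verify(code, now), server.verify(code, now))   # <code> True False
```

In a deployment the secret lives only in the token and on the authentication server, and the six digits are entered together with the memorized PIN or password, which is the two-factor combination the slide describes.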
Biometric security access control is the best means of authenticating a user's identity based on a unique, measurable attribute or trait for verifying the identity of a human being. It restricts computer access based on a physical (something you are) or behavioral (something you do) feature of the user, for example, a fingerprint or eye retina pattern. A reader interprets the individual's biometric features before permitting authorized access; however, it is not a fool-proof process. Certain biometric features can change, for example, scarred fingerprints or a change in voice. The final template is derived through an iterative averaging process of acquiring samples. Let us continue discussing identification and authentication, biometric access control.

Physically oriented biometrics are palm, hand geometry, iris, retina, fingerprint, and face. Behavior-oriented biometrics can be signature recognition and voice recognition. In the next few screens, we will discuss identification and authentication, single sign-on (SSO).
Single sign-on (SSO) is a consolidation of the organization's platform-based administration, authentication, and authorization functions. It interfaces with client-server and distributed systems, mainframe systems, and network security including remote access. The primary domain handles the first instance where user credentials are entered, and the secondary domain is any other resource that uses these credentials.

SSO challenges: overcoming the heterogeneous nature of diverse architectures, networks, platforms, databases, and applications; it requires an understanding of each system's authorization rules, audit logs, and reports; and allowing host systems to control the set of users allowed access to particular host systems. SSO advantages: multiple passwords are not required; users are motivated to select stronger passwords; efficiency in managing users and their authorizations; reduced administrative overheads for resetting passwords; efficiency of disabling or deactivating user accounts; and reduced logon time. SSO disadvantages: a single point of network failure; few software solutions accommodate all major OSs; substantial interface development is required; and development is costly. In the next screen, we will discuss logical access security administration.
-
Logical access security administration can be centralized or decentralized. Advantages of decentralized administration: administration on site at the distributed location; timely resolution of issues; more frequent monitoring; controlling remote and distributed sites; software access controls; physical access controls such as lockable terminals and locked computer rooms; control over dial-in facilities, modems, and laptops; controls over access to system documentation; controls over data transmission (access, accuracy, completeness); controls over replicated files and their updates, giving accuracy and reduced duplication.

Let us continue our discussion about logical access security administration. Risks associated with decentralized administration: local standards, rather than organizational ones, may be implemented; the level of security management may be below that of the central site; unavailability of management checks and audits by the central site. In the next screen, we will discuss remote access security.

The business need for remote access is to provide users with the same functionality that exists within their offices. The components of remote access: the remote environment (employees, branches, laptops); the telecommunication infrastructure (the carrier used); the corporate computing infrastructure; corporate connecting devices; and communication software.

Remote access risks could be denial of service, malicious third-party access, misconfigured communication software, misconfigured devices, host systems not secured appropriately, and physical security weaknesses at the remote stations. Let us continue discussing remote access security in the next screen.

Remote access methods are analog modems and the public telephone network, dedicated network connections, proprietary circuits, and TCP/IP internet-based remote access. The remote access controls are policy and standards, proper authorization, identification and authentication mechanisms, encryption tools and techniques, and system and network management. In the next screen, we will discuss PDAs and mobile technology.

PDAs augment desktops and laptops due to their ease of use and functionality. The inherent risks are that they are easy to steal, easy to lose, and give ready access to the information stored on them. Access issues with mobile technologies include flash disks and their controls. Let us continue discussing PDAs and mobile technology in the next screen.

Control issues to address are compliance with policies and procedures, including approval for PDA use; awareness of responsibilities and due care; compliance with security requirements; authorization and approval of use; standard PDA applications, authorized and licensed; synchronization, backup, and updating; encryption; virus detection and control; device registration; and camera use.

Audit logging in monitoring system access. Most access control software automatically logs and reports all access attempts, successes and failures. It provides management with an audit trail to monitor activities and facilitates accountability.

Access rights to system logs should be for review purposes only, and this is a form of security against modification. Let us continue discussing system access in the next screen.

The tools for analysis of audit log information: audit reduction tools, which filter out insignificant data; trend/variance detection tools; and attack signature detection tools. Reviewing audit logs monitors patterns or trends, violations, and/or the use of incorrect passwords. Restricting and monitoring access: features that bypass security are accessed by software programmers, including bypass label processing (BLP), system exits, and special system logon IDs.

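The audit reduction and attack-signature tools described above, as an added example that is not part of the original course material: a small Python script that filters a constructed audit trail down to the events worth reviewing and flags repeated incorrect-password attempts. The log format, the sample lines, and the threshold of five failures within five minutes are assumptions made for this example.

```python
"""Audit log reduction and violation detection (added example).

Models two of the audit-log analysis tools described in the course:
an audit reduction step that filters out insignificant events, and a
simple attack-signature check that reports repeated use of incorrect
passwords. The log format and the sample lines below are constructed
for this example and are not taken from any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, user, source host, action, outcome.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 10.0.0.5 LOGIN SUCCESS
2024-03-01T08:00:07 alice 10.0.0.5 READ SUCCESS
2024-03-01T08:01:10 bob 10.0.0.9 LOGIN FAILURE
2024-03-01T08:01:20 bob 10.0.0.9 LOGIN FAILURE
2024-03-01T08:01:31 bob 10.0.0.9 LOGIN FAILURE
2024-03-01T08:01:45 bob 10.0.0.9 LOGIN FAILURE
2024-03-01T08:01:58 bob 10.0.0.9 LOGIN FAILURE
2024-03-01T08:02:30 carol 10.0.0.7 READ SUCCESS
2024-03-01T08:03:00 carol 10.0.0.7 WRITE FAILURE
2024-03-01T09:15:00 dave 10.0.0.8 LOGIN FAILURE
2024-03-01T12:15:00 dave 10.0.0.8 LOGIN FAILURE
"""


def parse_log(text):
    """Turn the raw audit trail into a list of event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, outcome = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "action": action,
            "outcome": outcome,
        })
    return events


def reduce_audit_log(events):
    """Audit reduction: drop routine successful events that carry no review
    value, but keep every failure and every logon for accountability."""
    return [e for e in events
            if e["outcome"] != "SUCCESS" or e["action"] == "LOGIN"]


def detect_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Attack-signature check: `threshold` or more failed logons for the same
    user inside `window` is reported as a violation (password guessing).
    Returns a list of (user, first_failure_time, last_failure_time)."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN" and e["outcome"] == "FAILURE":
            failures[e["user"]].append(e["time"])

    violations = []
    for user, times in failures.items():
        times.sort()
        start = 0
        # Sliding window over the sorted failure timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                violations.append((user, times[start], times[end]))
                break  # one report per user is enough for the reviewer
    return violations


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"{len(evts)} events, {len(reduce_audit_log(evts))} kept after reduction")
    for user, first, last in detect_failed_logon_bursts(evts):
        print(f"VIOLATION: {user} repeated failed logons between {first} and {last}")
```

In the sample trail only `bob` trips the signature; `dave`'s two failures are hours apart and are kept by the reduction step for manual review without being reported as a burst.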
You will now attempt a question to test what you have learned so far.

In this topic, we will learn about the concepts in Knowledge Statement 5.5. Let us discuss risks and controls associated with virtualized systems. This slide covers the risks and controls associated with virtualization of systems. Virtualization provides an organization with a significant opportunity to increase efficiency and decrease costs in its IT operations.

The IS auditor needs to know the different advantages and disadvantages and needs to consider whether the enterprise has considered the applicable risks in its decision to adopt, implement, and maintain this technology. At a higher level, virtualization allows multiple operating systems (OSs), or guests, to coexist on the same physical server, or host, in isolation from one another. Let us continue discussing risks and controls associated with virtualized systems in the next screen.

Virtualization creates a layer between the hardware and the guest OSs to manage shared processing and memory resources on the host machine. A management console often provides administrative access to manage the virtualized system. Virtualization introduces additional risks that the enterprise must manage effectively. A key risk is that the host represents a single point of failure within the system. A successful attack on the host could result in a compromise that is very large in impact. The main area covered here is virtualization. You will now attempt a question to test what you have learned so far.

In this topic, we will learn about the concepts in Knowledge Statement 5.6. Let us discuss network security controls in the next screen. Knowledge of the configuration, implementation, operation, and maintenance of network security controls is what we will learn in this slide. Enterprises can effectively prevent and detect most attacks on their networks by employing perimeter security controls.

Firewalls and intrusion detection systems (IDS) provide protection and critical alert information at the borders between trusted and untrusted networks. Proper implementation and maintenance of firewalls and IDS is critical to a successful, in-depth security program. The IS auditor must understand the level of intruder detection provided by the different possible locations of the IDS and the importance of policies and procedures to determine the action required by security and technical staff when an intruder is reported.

The main areas covered here are internet threats and security. In the next few screens, we will discuss network infrastructure security. The table demonstrates network infrastructure security.

Auditing use of the Internet involves ensuring there is a business case for email, communication, marketing, customer communication, a sales channel or e-commerce, a channel for delivery of goods and services, online stores, internet banking, and information gathering or research.

Auditing networks: review network diagrams to identify the networking infrastructure and network design. Also review network management, policies, procedures, standards, and guidance distributed to staff. Besides this, identify responsibility for security and operation, and review staff training, duties, and responsibilities. You will further review legal issues regarding the use of the internet, service level agreements with third parties, and network administrator procedures.

Auditing remote access involves identifying all remote access facilities and ensuring they have been documented, reviewing policies governing the use of remote access, reviewing the architecture, identifying points of entry and assessing their controls, testing dial-up access controls, and reviewing the relation to business requirements.

General network controls are functions performed by technically qualified operators. These functions are separated and rotated regularly. Apply least-privilege access rights for operators. The audit trail of operator activities must be periodically reviewed by management. Network operation standards must be documented. A review of workload balance, response times, and system efficiency must also be performed. Further, consider terminal authentication and data encryption. Some of the network management control software includes Novell NetWare, Windows NT/2000, and UNIX. You will now attempt a question to test what you have learned so far.

In this topic, we will learn about the concepts in Knowledge Statement 5.7. Let us discuss network and internet security devices, protocols, and techniques in the next screen. The key knowledge to learn in this topic is network and internet security devices, protocols, and techniques. Application and evaluation of technologies to reduce risk and secure data depends on a proper understanding of security devices, their functions, and the protocols used in delivering their functionality. An organization implements specific applications of cryptographic systems in order to ensure the confidentiality of important data. There are a number of cryptographic protocols which provide secure communications on the internet.

Additionally, the security landscape is filled with technologies and solutions to address many needs. Solutions include firewalls, intrusion detection and prevention devices, proxy devices, web filters, antivirus and anti-spam filters, data leak protection functionality, identity and access control mechanisms, secured remote access, and wireless security. Understanding a solution's function and its application to the underlying infrastructure requires knowledge of the infrastructure itself and the protocols in use. In the next screen, we will see the main areas to be covered under this topic.

The main areas covered here are encryption and network infrastructure security. In the next few screens, we will learn about firewalls. A firewall is a security perimeter for corporate networks connecting to the internet, aimed at preventing external intruders and untrusted internal users (internal hackers). It applies rules to control network traffic flowing in and out of a network, allowing users to access the internet and stopping hackers or others on the internet from gaining access to the network. The guiding principle used is least privilege, on a need-to-use basis.

General firewall features: a firewall is a combination of hardware (routers, servers) and software, and it should control the most vulnerable point between a corporate network and the internet. General functions of firewalls include blocking access to particular sites, limiting traffic on public services to the relevant ports, preventing access to certain servers and/or services, monitoring and recording communication between internal and external networks, protection against network penetration and internal subversion, encryption and VPN, and acting as a single choke point, concentrating security on a single system.

General techniques used to control traffic are service control (IP address, TCP port), direction control (direction of traffic), user control (based on user rights), and behavior control (based on how services are being used, for example, filtering email for spam). In the next few screens, we will discuss types of firewalls.

The types of firewalls are router packet filtering, application firewall systems, and stateful inspection firewalls.

A router packet filtering firewall is deployed between the private network and the internet. Screening routers examine packet headers to ascertain the IP address (identity) of the sender and receiver, and the authorized port numbers allowed to use the information transmitted (the kind of Internet service being used). This information is used to prevent certain packets from being sent between the network and the internet. The common attacks against packet filtering are IP spoofing, source routing specification, and the miniature fragment attack. This method is simple and stable. The demerit is that it is easily weakened by improperly configured filters. Also, it is unable to prevent attacks tunneled over permitted services. The diagram in the slide describes this type of firewall.

Application firewall systems. This type of firewall allows information flow between internal and external systems, but does not allow direct exchange of packets. Host applications must be secured against threats posed by allowed packets. They rest on hardened operating systems, for example, WinNT or UNIX. It works on the application layer of the OSI model. The firewall analyzes packets through a series of proxies, one for each service. There are two types, application-level firewalls and circuit-level firewalls. Application-level firewalls analyze packets through a series of proxies, one for each service. Circuit-level firewalls validate TCP and UDP sessions through a single general-purpose proxy. The diagram in the slide demonstrates this. Application firewall systems are set up as proxy servers acting on behalf of network users. It employs bastion hosting, and it is heavily fortified against attack, handling all incoming requests from the internet to the network. A single host makes security maintenance easier, as only the firewall system is compromised, not the network. In the next screen, we will discuss types of firewalls and firewall issues.

Stateful inspection firewalls track the destination IP address of each packet leaving the network and reference responses to requests that went out. It maps source IP addresses of incoming packets to destination IP addresses of outgoing requests. It prevents attacks initiated and originated by outsiders. The main advantage is that it is more efficient than application firewall systems. The disadvantage is that it is more complex to administer.

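An added example, not from the original course, contrasting the router packet filter and the stateful inspection firewall described above: both are run over the same constructed packet sequence so that the difference in what each admits is visible. The addresses, ports, and rule set are assumptions made for this example.

```python
"""Packet-filtering router vs. stateful inspection firewall (added example).

A toy model of the two firewall types in the course. The packet filter
decides on header fields alone; the stateful firewall keeps a table of
requests that left the network and admits an inbound packet only when it
maps back to one of them. Addresses, ports and rules are constructed.
"""
from dataclasses import dataclass

WEB_PORTS = (80, 443)  # the only outbound services this toy policy permits


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the private network, "in" = arriving


def packet_filter(pkt):
    """Screening router: stateless rules on packet headers.
    Rule 1: internal hosts may go out to web services.
    Rule 2: inbound packets are allowed when they come FROM a web port,
            the usual way a stateless filter lets replies back in.
    Rule 2 is the weakness the course mentions: an unsolicited packet that
    merely carries a web source port looks like a reply and is admitted."""
    if pkt.direction == "out" and pkt.dst_port in WEB_PORTS:
        return True
    if pkt.direction == "in" and pkt.src_port in WEB_PORTS:
        return True
    return False


class StatefulFirewall:
    """Tracks the destination of each outbound request and references
    inbound packets against those requests."""

    def __init__(self):
        # (internal ip, internal port, remote ip, remote port)
        self.table = set()

    def filter(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port not in WEB_PORTS:
                return False
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: the packet's destination/source must match a tracked
        # outbound request with the roles swapped.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return key in self.table


# Constructed packet sequence (documentation-range addresses).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40000, "93.184.216.34", 443, "out"),   # user opens a web site
    Packet("93.184.216.34", 443, "10.0.0.5", 40000, "in"),    # genuine reply
    Packet("203.0.113.7", 80, "10.0.0.5", 40001, "in"),       # unsolicited, reply-looking
    Packet("203.0.113.7", 22, "10.0.0.5", 22, "in"),          # unsolicited SSH probe
    Packet("10.0.0.5", 40002, "198.51.100.9", 25, "out"),     # outbound SMTP, not permitted
]


def compare(packets):
    """Run both firewalls over a packet list; returns a list of
    (packet, packet_filter_decision, stateful_decision) tuples."""
    stateful = StatefulFirewall()
    return [(p, packet_filter(p), stateful.filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, pf, sf in compare(SAMPLE_PACKETS):
        print(f"{pkt.direction:>3} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  filter={pf}  stateful={sf}")
```

The third packet is the one that separates the two designs: the stateless filter admits it because of its source port, while the stateful firewall rejects it because no matching request ever went out.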
Issues related to firewalls: a false sense of security, as if no additional internal controls are needed; weak against internal threats, for example, a disgruntled employee cooperating with an external attacker; cannot protect against attacks that bypass the firewall, for example, modem dial-in; misconfigured firewalls; misunderstanding of what constitutes a firewall; monitoring activities not done regularly. In the next screen, we will discuss the implementation of firewalls. Firewalls can be implemented in three ways: screened-host firewall, dual-homed firewall, and demilitarized zone (screened subnet) firewall. In the next screen, we will discuss the screened-host firewall.

Screened-host firewall. This method utilizes packet filtering and a bastion host (proxy services). The bastion host connects to the internal network. A packet filtering router is installed between the Internet and the bastion host. An intruder has to penetrate two systems before the network is compromised. Internal hosts reside on the same network as the bastion host. Security policies determine whether hosts connect directly to the internet or use the proxy services of the bastion host. In the next screen, we will discuss the dual-homed firewall.

Dual-homed firewall. This type of implementation is a more restrictive form of the screened-host firewall. One interface is established for information servers, and a separate interface for private network hosts. Direct traffic to internal hosts is physically prevented, as explained in the diagram. In the next screen, we will discuss the demilitarized zone (screened subnet) firewall, DMZ.

This mode utilizes two packet-filtering routers and a bastion host. It is the most secure firewall system and supports network- and application-level security. The separate DMZ functions as an isolated network for public servers, proxy servers, and modem pools. Key benefits are that the intruder must penetrate three separate devices, the private network addresses are not disclosed to the internet, and internal systems do not have direct access to the internet. In the next screen, we will discuss intrusion detection systems, IDS.

Intrusion detection systems (IDS) monitor network usage anomalies. It is used together with firewalls and routers. It continuously operates in the background, and the administrator is alerted when intrusions are detected. It protects against external and internal misuse. IDS components: a sensor, which collects data (network packets, log files, system call traces); an analyzer, which receives input from the sensors and determines intrusive activity; and an admin console, the user interface. Let us continue discussing intrusion detection systems, IDS, in the next screen.

IDSs are categorized into network-based IDSs (NIDS), which identify attacks within a network, and host-based IDSs (HIDS), which are configured for a specific environment and monitor the internal resources of systems. IDS types are signature based, where intrusion patterns are stored as signatures and detection is limited by the detection rules; statistical based, which monitors expected behavior; and neural networks, similar to statistical, but adding learning functionality. A signature and statistical combination offers better protection. In the next screen, we will learn about IDS and intrusion prevention systems, IPS.

The key features of intrusion detection systems: intrusion detection and alerts, gathering evidence, automated response (for example, disconnect), security policy administration and monitoring, interfaces with system tools, and logging facilities. IDS limitations include weaknesses in policy definition, application-level vulnerabilities, backdoors to applications, and weaknesses in identification and authentication schemes. Let us continue discussing IDS and intrusion prevention systems, IPS, in the next screen.

Intrusion prevention systems, IPS. IPS is closely related to IDS. It is designed to detect and prevent attacks by predicting an attack before it happens, hence limiting damage or disruption to the systems that are attacked. It must be properly configured and tuned to be effective. In the next screen, we will learn about honeypots and honeynets.

A honeypot is a software application that pretends to be an unfortunate server on the Internet and is not set up to actively protect against break-ins. Rather, honeypots act as decoy systems that lure hackers and, therefore, are attractive to hackers. The more a honeypot is targeted by an intruder, the more valuable it becomes. A honeypot is technically related to IDSs and firewalls, but it has no real production value as an active sentinel of networks. The two basic types of honeypots are high interaction, which gives hackers a real environment to attack, and low interaction, which emulates production environments.

A honeynet is multiple honeypots networked together to simulate a larger network installation. A honeynet lets hackers break into the false network while allowing investigators to watch their every move by a combination of surveillance technologies. You will now attempt a question to test what you have learned so far.

In this topic, we will learn about the concepts in Knowledge Statement 5.8. Let us discuss information system attack methods and techniques in the next screen. The candidate needs to grasp the knowledge of information system attack methods and techniques covered under this topic. Risks arise from vulnerabilities, whether technical or human, within an environment. Several attack techniques exploit those vulnerabilities and may originate either within or outside the organization. Computer attacks can result in proprietary or confidential data being stolen or modified, loss of customer confidence and market share, embarrassment to management, and legal actions against an organization. Let us continue discussing information system attack methods and techniques in the next screen.

Understanding the methods, techniques, and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risk an organization faces. The IS auditor should understand enough of these attack types to recognize their risk to the business and how they should be addressed by appropriate controls. The IS auditor should understand the concept of social engineering, since these attacks can circumvent the strongest technical security. The only effective control is regular user education. The main areas covered here are computer crime issues and exposures, and wireless security threats and risk mitigation. In the next few screens, we will discuss computer crime issues and exposures.

Computer crimes can be committed from various sources, including: the computer is the object of the crime, where the perpetrator uses another computer to launch an attack; the computer is the subject of the crime, where the perpetrator uses a computer to commit the crime and the target is another computer; the computer is the tool of the crime, where the perpetrator uses a computer to commit the crime, but the target is not the computer but instead the data stored on the computer; and the computer symbolizes the crime, where the perpetrator lures the users of computers to get confidential information, for example, by social engineering methods.

Common attack methods and techniques include alteration attack, botnets, brute-force attack, denial of service (DoS) attack, dial-in penetration attack (war dialing), eavesdropping, email bombing and spamming, and email spoofing. More common attack methods and techniques include flooding, interrupt attack, malicious codes, man-in-the-middle attack, masquerading, message modification, network analysis, packet replay, phishing, piggybacking, race conditions, remote maintenance tools, resource enumeration and browsing, salami, spam, traffic analysis, unauthorized access through the Internet and World Wide Web (WWW), viruses, worms, and spyware, war driving, war walking, and war chalking. In the next few screens, we will learn about local area network, LAN, security.

Local area networks are faced with a lot of risks. Examples of these risks are unauthorized access and changes to data and/or programs; inability to maintain version control; limited user verification and potential public access; general access as opposed to need-to-know access; impersonation or masquerading as a legitimate LAN user; internal user sniffing; internal user spoofing; virus infection; unlicensed or excessive numbers of software copies; destruction of logging and auditing data; lack of LAN administrator experience or expertise; varying media, protocols, hardware, and network software that make standard management difficult; and security set aside for operational efficiency.

LAN administrative capabilities include declaring ownership of programs and files, limiting access to read-only, record and file locking to prevent simultaneous updates, and enforcing user ID and password sign-on procedures.

In order to understand LANs, it is paramount for a candidate to have good knowledge of the LAN topology and network diagram, the functions performed by the LAN administrator or owner, LAN users and user groups, the applications used on the LAN, and the procedures and standards of the network for design, support, naming conventions, and data security.

Dial-up access controls are having encrypted passwords, portable PCs, dial-back procedures, and one-time password generators or tokens.

Client-server risks include numerous access routes and points; increased risk of access to data and processing; weaker access controls, password change controls, or access rules; weaker change control and change management; inaccurate or unauthorized access and changes to systems or data; loss of network availability; obsolescence of network components; unauthorized connection of the network to other networks through modems; weak connection to public switched telephone networks; and application code and data that may not be stored on a secure machine. Client-server controls that will ensure security include disabling floppy drives, automatic boot or start-up batch files, login scripts, network monitoring devices, data encryption, environment-wide authentication procedures, application-level access control, and organization of users into functional groups. In the next few screens, we will discuss the internet threats.

The internet is a global TCP/IP-based system that enables public and private heterogeneous networks to communicate with one another. Internet threats are categorized into passive attacks, which involve probing for network information, and active attacks, which involve intrusion or penetration into a network, gaining full control or enough to cause certain threats: unauthorized access to modify data and/or programs, obtaining sensitive information for personal gain, escalating privileges, and denial of service. The impact could affect financial, legal, or competitive edge.

Types of passive attacks are network analysis, which involves creating a profile of a network security infrastructure ("footprinting"): system aliases, internal addresses, potential gateways, firewalls, and vulnerable operating system services; eavesdropping, which involves gathering information flowing through the network for personal analysis or for third parties; and traffic analysis, which entails determining the nature of traffic flow between defined hosts.

Active attacks can be in the following ways. Brute-force attack: this entails launching many attacks to gain unauthorized access, for example, password cracking. Masquerading: this is presenting an identity other than the original identity, which is unauthorized. Packet replay: passively capturing data packets and actively inserting them into the network; replayed packets are treated as another genuine stream, and it is effective when data received is interpreted and acted upon without human intervention. Message modification: making unauthorized changes or deletions to captured messages.

Unauthorized access through the Internet: telnet passwords transmitted in clear text, releasing CGI scripts as shareware, client-side execution of scripts (Java applets). Denial of service: flooding servers with data requests; systems are paralyzed, and genuine users are frustrated with the unavailability of the system. Dial-in penetration attacks: using phone number ranges and social engineering. Email bombing: repeating identical messages to particular addresses. Email spamming: sending messages to numerous users. Email spoofing: altering the identity of the source of the message. Trojan horses: hiding malicious, fraudulent code in an authorized computer program. Rounding down: drawing off small amounts of money from a computerized transaction or account to the perpetrator's account. Salami technique: slicing off (truncating) small amounts of money from a computerized transaction or account, similar to rounding down. Viruses: malicious program code inserted into other executable code that can self-replicate and spread from computer to computer. Worms: destructive programs that may destroy data or utilize tremendous computer and communication resources but do not replicate like viruses.

Logic bombs: similar to computer viruses, but they do not self-replicate. Destruction or modification of data is programmed for a specific time in the future, and they are difficult to detect before they blow up. Trap doors are exits out of an authorized program. They allow insertion of specific logic, such as program interrupts, to permit a view of data during processing. They are used by programmers to bypass OS integrity during debugging and maintenance. They are meant to be eliminated in the final editing of the code, but are sometimes forgotten or intentionally left for future access.

Asynchronous attacks: these are OS-based attacks in a multi-processing environment involving job scheduling, resource scheduling, and checkpoint/restart capabilities. A checkpoint copy holds data, system parameters, and security levels. Attacks involve access to and modification of this data to allow higher-priority security. This results in unauthorized access to data, other programs, and the OS. Data leakage involves siphoning or leaking information out of the computer, for example, dumping files to paper or stealing tapes. Wiretapping: this is eavesdropping on information being transmitted over telecommunication lines. Piggybacking is following an authorized person through a secured door. It also means electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions.

Computer shutdown: initiated through terminals or microcomputers connected directly (online) or remotely (dial-up lines) to the computer. Denial of service: disrupt or completely deny service to legitimate users, networks, systems, or other resources. You will now attempt a question to test what you have learned so far.

In this topic, we will learn about the concepts in Knowledge Statement 5.9. Let us discuss virus detection tools and control techniques in the next screen. The key is understanding detection tools and control techniques, for example, for malware, virus detection, and spyware.

Computer viruses and other malware continue to emerge at increasing rates and sophistication and present significant threats to individuals and organizations. Layered tools should be implemented and distributed throughout the environment in order to mitigate the ability of this malware to adversely impact the organization.

Antivirus and antispam software is a necessary and critical component of an organization's security program, providing a mechanism to detect, contain, and notify whenever malicious code is detected. It is essential that the IS auditor understand not only the need for the implementation of antimalware software, but also that it should be constantly updated to ensure that it will detect and eradicate the latest attacks detected by the solution providers.

Viruses are what we will focus on next. The main area covered here is viruses. In the next few screens, we will learn about viruses.

Viruses are malicious programs
-
designed to self-propagate by appending
-
to other programs. They are easily
-
transmitted via the Internet, email
-
attachments, local area networks. Viruses
-
attack four parts of the computer:
-
executable program files, the file
-
directory system, which tracks the
-
location of all the computer's files,
-
another area is boot and systems areas
-
which are needed to start the computer,
-
data files is also a target for viruses.
-
Virus controls available are virus and
-
worm controls, management procedural
-
controls, technical controls, anti-virus
-
software, periodically updated, hardware
-
controls, remote booting, boot virus
-
protection, anti-virus software
-
implementation strategies,
-
dynamic anti-virus program, sound policies
-
and procedures. Let us continue to
-
discuss viruses on the next slide.
-
Anti-virus software implementation
-
strategies: detecting the virus at its
-
point of entry is crucial, at user,
-
workstation level through scheduled
-
continuous and manual, on-demand scans, at
-
corporate network level as part of the
-
firewall, virus wall, SMTP,
-
HTTP, and FTP protection, besides
-
automatically updating anti-virus software.
Features of anti-virus software: it should be reliable and offer quality of detection, it should be memory resident to facilitate continuous checking, and it should as well have efficient working speed and use of resources. Types of anti-virus software: scanners (virus masks or signatures); heuristic scanners based on statistical probability; active monitors looking for virus-like activity; integrity (CRC) checkers used to detect changes in files and executable code; behavior blockers, which focus on detecting potentially abnormal behavior, for example writing to the boot sector; and immunizers, which append themselves to files and continuously check for changes.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.10.
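The integrity (CRC) checker type listed among the anti-virus software types above, as an added example that is not part of the course: it baselines a directory tree and later reports modified, added and removed files, comparing a SHA-256 digest alongside the CRC32 because a CRC alone is easy to preserve through a deliberate change. All paths and sample files are constructed in a temporary directory.

```python
"""Integrity checker of the kind listed above: fingerprint every file under
a directory, keep the fingerprints as a baseline, and later report files that
were modified, added or removed.  Added example, not course material; the
sample tree is constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
import zlib


def fingerprint(path):
    """Return the CRC32 and SHA-256 of a file, read in chunks.

    CRC32 is what the course's 'integrity CRC checker' compares.  It catches
    accidental corruption, but a deliberate change can preserve it, so a
    cryptographic digest is compared as well.
    """
    crc = 0
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            digest.update(chunk)
    return {"crc32": "%08x" % (crc & 0xFFFFFFFF), "sha256": digest.hexdigest()}


def build_baseline(root):
    """Walk `root` and fingerprint every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def check_integrity(root, baseline):
    """Compare the tree under `root` with `baseline`.

    Returns sorted lists: `modified` (fingerprint differs), `added` (no
    baseline entry, e.g. a dropped executable) and `removed` (file gone).
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "app.exe"), "wb") as fh:
        fh.write(b"MZ original executable bytes")
    with open(os.path.join(root, "config.ini"), "w") as fh:
        fh.write("debug=0\n")
    # A real checker stores the baseline off the protected host or on
    # write-protected media; here it just round-trips through JSON.
    baseline = json.loads(json.dumps(build_baseline(root)))

    # Simulated infection: executable appended to, new file dropped, config removed.
    with open(os.path.join(root, "bin", "app.exe"), "ab") as fh:
        fh.write(b" appended code")
    with open(os.path.join(root, "bin", "dropper.exe"), "wb") as fh:
        fh.write(b"MZ new file")
    os.remove(os.path.join(root, "config.ini"))
    return check_integrity(root, baseline)


if __name__ == "__main__":
    # → {'modified': ['bin/app.exe'], 'added': ['bin/dropper.exe'], 'removed': ['config.ini']}
    print(demo())
```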
Let us discuss security testing techniques in the next screen. It is paramount for CISA candidates to have knowledge of security testing techniques, for example intrusion testing and vulnerability scanning. Tools are available to assess the effectiveness of network infrastructure security. These tools permit identification of real-time risks to an information processing environment and of the corrective actions to be taken to mitigate these risks. Such risks often involve the failure to stay updated on patch management for operating systems or the misconfiguration of security settings. Assessment tools, whether open source or commercially produced, can quickly identify weaknesses that would have taken hundreds of hours to identify manually. The IS auditor should also be aware that security testing may be carried out by an approved third party, for example a company specializing in penetration testing. Let us see the main area to cover under this topic in the next screen. The main area covered here is auditing network infrastructure security. In the next few screens, we will learn about network infrastructure security.
Network penetration testing is also called intrusion testing or ethical hacking. It involves using techniques available to a hacker: open source intelligence gathering and discovery, attempting to guess passwords, searching for backdoors into systems, and exploiting known operating system vulnerabilities. It is popular for testing firewalls. It is only performed by skilled, experienced professionals, and it requires permission from top-level senior management, but without informing IS security staff.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.11. Let us discuss risks and controls associated with data leakage in the next screen.
Data leakage is the risk that sensitive information may be inadvertently made public. It occurs in different ways, from job postings that list the specific software and network devices with which applicants should have experience, to system administrators posting questions on technical web sites that include the specific details of the firewall or database version they are running and the IP addresses they are trying to connect to, to posting organization charts and strategic plans on externally accessible websites. Data classification policies, security awareness training, and periodic audits of data leakage are elements that the IS auditor will want to ensure are in place. The main areas to be covered here are computer crime issues and exposures. Let us proceed to the next topic in this domain. In this topic, we will learn about the concepts in Knowledge Statement 5.12.
Let us discuss network infrastructure security encryption in the next few screens. It is important for CISA candidates to have a good knowledge of encryption-related techniques. One of the best ways to protect the confidentiality of information is through the use of encryption. Effective encryption systems depend on: algorithm strength; the secrecy and difficulty of compromising a key; the nonexistence of back doors by which an encrypted file can be decrypted without knowing the key; the inability to decrypt an entire ciphertext message if the way a portion of it decrypts is known (this is called a known-text attack); and properties of the plaintext being known by a perpetrator. Although the IS auditor is not expected to be an expert in how these algorithms are designed, the auditor should be able to understand how these techniques are used and the relative advantages and disadvantages of each. We will cover encryption techniques in this section. The main area to be covered here is encryption.

Encryption means converting plain text messages into secure-coded text, ciphertext. It is done via a mathematical function and a key, a special encryption/decryption password. Encryption is used to protect data in transit over networks, protect information stored on computers, deter and detect alterations of data, and verify the authenticity of a transaction or document. Note, we assume that the more difficult it is to decrypt the ciphertext, the better. Key elements of encryption systems: the encryption algorithm, a mathematical function or calculation; the encryption key, a piece of information used in the algorithm to make the process unique; and key length, the predetermined length of the key. The effectiveness of encryption is based on the secrecy and difficulty of compromising the key, the lack of other means of decrypting without the key, and the inability to perform a known-text attack, that is, knowing how a portion of encrypted text decrypts. Tradeoffs in encryption: if the algorithm is too complex and it takes too long to use, or requires keys that are too large to store easily, it becomes impractical to use; there is a need to balance between the strength of the encryption, that is, how difficult it is for someone to discover the algorithm and the key, and ease of use.

There are two main types of encryption in use for computer security, referred to as symmetric and asymmetric key encryption. Symmetric encryption algorithms use the same key, which is private, to encrypt plaintext and decrypt ciphertext. This is also called private or secret key cryptography. The common private key cryptographic systems are the Data Encryption Standard, DES, 64-bit, and the Advanced Encryption Standard, AES, 128-bit to 256-bit.
The advantage of this method is that it uses one key to encrypt and decrypt and hence uses less processing power. However, getting the key to those you want to exchange data with is the problem. An illustration of a symmetric key cryptographic system is on the next slide. Key management is an issue. Each pair of communicating entities needs a shared key. For an n-party system, there are n(n - 1)/2 distinct keys in the system, and each party needs to maintain n - 1 distinct keys. How to reduce the number of shared keys in the system: centralized key management, session keys, use of public keys.
Asymmetric, public key cryptographic systems. This system uses different keys for encrypting and decrypting a message. It solves the problem of getting the key to those you want to exchange data with. It involves two keys working as a pair, one to encrypt and the other to decrypt. Asymmetric means the two keys are inversely related to each other. One key, the secret or private key, is known only to one person. The other key, the public key, is known to many people. A common form of asymmetric encryption is RSA. Smith has two keys, public and private. Smith publishes her public key such that the key is publicly known. Smith keeps her private key secret. Other people use Smith's public key to encrypt messages for Smith. Smith uses her private key to decrypt messages. Only Smith can decrypt, since only she has the private key.

Advantages of public key cryptography are that the necessity of distributing secret keys to large numbers of users is eliminated, and that the algorithm can be used for authentication as well as for creating ciphertext. To compute the private key from the public key is assumed difficult. Public key cryptography ensures authentication and non-repudiation by encrypting with the sender's secret key; confidentiality by encrypting with the receiver's public key; and authentication and confidentiality by first encrypting with the sender's secret key and secondly with the receiver's public key. Let us learn the differences between symmetric key and public key in the next screen.
In symmetric key encryption, the two parties must trust each other. Typically both share the same key. Symmetric key encryption is generally 100 times faster than public key encryption. Examples include DES, IDEA, RC5, and AES.

In public key encryption, the two parties do not need to trust each other. There are two separate keys, a public key and a private key. It is slower than symmetric key encryption. Examples are RSA, ElGamal encryption, and ECC.

Elliptic Curve Cryptography, ECC: a variant and more efficient form of public key cryptography; as a way to get more security out of minimum resources, the elliptic curve cryptosystem is gaining prominence. Quantum cryptography: the next generation of cryptography, which will solve existing problems associated with current cryptographic systems. Advanced Encryption Standard, AES: AES replaces the Data Encryption Standard, DES, as the cryptographic algorithm standard. Due to its short key length, the former standard for symmetric encryption, DES, reached the end of its life cycle.
Digital signatures: electronic identification of a person or entity, intended for the recipient to verify the integrity of the data and the identity of the sender. A digital signature ensures data integrity through a one-way cryptographic hashing algorithm and digital signature algorithms; server identity authentication through public key cryptography; non-repudiation; and replay protection, as timestamps and sequence numbers are built into the messages. Digital envelope: used to send encrypted information and the relevant key along with it; the message to be sent can be encrypted by using either an asymmetric key or a symmetric key.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.13. Let us discuss public key infrastructure, PKI, and digital signature techniques in the next few screens.
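The public key uses described above (authentication by applying the sender's private key, confidentiality with the receiver's public key, the digital signature over a one-way hash, and the digital envelope carrying the message key), together with the CA-signed certificate and CRL check of the PKI screens that follow, as an added example not taken from the course. The names Smith and Jones follow the course's illustration; the toy RSA, unpadded signing and SHA-256 keystream cipher are constructed stand-ins for a real library.

```python
"""Toy RSA showing the public key uses from the screens above: a digital
signature (one-way hash, then the sender's private key), a digital envelope
(message under a fresh symmetric key, that key under the receiver's public
key) and a CA-signed certificate binding a name to a public key, checked
against a revocation list.  Added example, not course material; the unpadded
RSA and the SHA-256 keystream cipher are illustrations, not production crypto."""
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with `rounds` random bases (n is assumed > 30)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); needs Python 3.8+ for the modular inverse."""
    e, half = 65537, bits // 2
    while True:
        p = secrets.randbits(half) | (1 << (half - 1)) | 1  # top bit set, odd
        q = secrets.randbits(half) | (1 << (half - 1)) | 1
        if p != q and is_probable_prime(p) and is_probable_prime(q):
            phi = (p - 1) * (q - 1)
            if phi % e:  # e is prime, so this means gcd(e, phi) == 1
                return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_apply(key, value):
    """Raise `value` to the key's exponent modulo n: encrypt, decrypt or sign."""
    n, exp = key
    return pow(value, exp, n)

def sign(priv, message):
    """Authentication and non-repudiation: only the private key can produce this."""
    return rsa_apply(priv, int.from_bytes(hashlib.sha256(message).digest(), "big"))

def verify(pub, message, signature):
    """Anyone holding the public key can check the signature against a fresh hash."""
    return rsa_apply(pub, signature) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(sender_priv, receiver_pub, message):
    """Digital envelope with authentication: sign with the sender's private key,
    encrypt under a session key, wrap that key with the receiver's public key."""
    session_key = secrets.token_bytes(32)
    return {"body": keystream_xor(session_key, message),
            "wrapped_key": rsa_apply(receiver_pub, int.from_bytes(session_key, "big")),
            "signature": sign(sender_priv, message)}

def open_envelope(receiver_priv, sender_pub, env):
    """Only the receiver's private key recovers the session key; the signature
    then shows who sent the message and that it was not altered in transit."""
    session_key = rsa_apply(receiver_priv, env["wrapped_key"]).to_bytes(32, "big")
    message = keystream_xor(session_key, env["body"])
    return message, verify(sender_pub, message, env["signature"])

def issue_certificate(ca_priv, subject, subject_pub):
    """CA process: after checking real-world credentials out of band, the CA
    signs the (subject, public key) binding with its own private key."""
    return {"subject": subject, "pub": subject_pub,
            "ca_signature": sign(ca_priv, repr((subject, subject_pub)).encode())}

def verify_certificate(ca_pub, cert, crl):
    """An endpoint that trusts the CA trusts the binding, unless the CRL lists it."""
    if cert["subject"] in crl:
        return False
    return verify(ca_pub, repr((cert["subject"], cert["pub"])).encode(), cert["ca_signature"])

def demo():
    """Constructed scenario: Smith seals a message for Jones, who trusts the CA."""
    ca_pub, ca_priv = generate_keypair()
    smith_pub, smith_priv = generate_keypair()
    jones_pub, jones_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "smith", smith_pub)
    env = seal(smith_priv, jones_pub, b"pay 100 to account 42")
    message, authentic = open_envelope(jones_priv, cert["pub"], env)
    return {"cert_valid": verify_certificate(ca_pub, cert, crl=set()),
            "cert_revoked": verify_certificate(ca_pub, cert, crl={"smith"}),
            "message": message, "authentic": authentic,
            "altered_detected": not verify(smith_pub, b"pay 900 to account 42", env["signature"])}
```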
Encryption is the process of converting a plain text message into a secure coded form of text called ciphertext, which cannot be understood without converting back, via decryption, the reverse process, to plaintext. PKIs use encryption to facilitate the following: protect data in transit over networks from unauthorized interception and manipulation; protect information stored on computers from unauthorized viewing and manipulation; deter and detect accidental or intentional alterations of data; verify the authenticity of a transaction or document, for example when transmitted over a web-based connection in online banking, share dealing, etc., and protect data in such situations from unauthorized disclosure. Understanding the business use of digital signatures is also expected, especially their use in providing non-repudiation of, and replay protection to, messages. The main areas covered here are encryption and public key infrastructure, PKI. In the next few screens we will discuss public key infrastructure, PKI.

Public key infrastructure, PKI: a framework by which a trusted party issues, maintains and revokes public key certificates. Reasons for PKI: many applications need key distribution; digital signature vulnerability: a sender's private key and public key may be faked, or intercepted and changed; anyone can derive keys, so there is a need to have a mechanism to assure that keys belong to the entities they claim to come from. In PKI, a certification authority, CA, validates keys. Distribution in PKI is done via a hierarchy of CAs. CA process: the CA checks real-world credentials, gets the key from the user, and signs a certificate (cert) validating the key; then the certificate is attached to assure an endpoint that an entity is who it claims to be. If the endpoint trusts the CA, then it will trust that entity and who it claims to be. Elements of PKI include digital certificates, certificate authority, CA, registration authority, RA, certificate revocation list, CRL, and certification practice statement, CPS.

Digital certificates: a digital credential comprising the public key of an individual and identifying information about the individual. It is digitally signed by the trusted entity with its private key; the receiver relies on the public key of the trusted party. It also includes the algorithm used and the validity period. Certificate authority, CA: a trusted provider of public and private key pairs; attests to the authenticity of the owner of the public key; uses due diligence to issue certificates on evidence or knowledge; upon verification of the user, the CA signs the certificate using its private key; it is responsible for managing the certificate throughout its life cycle and is authoritative for the name or key space it represents. Certificate revocation list, CRL: details digital certificates that are no longer valid; it is used for checking the continued validity of certificates; the time gaps between two updates are very critical. Certification practice statement, CPS: a detailed set of rules governing the CA's operations; it provides an understanding of the value and trustworthiness of the certificates issued in terms of the controls observed, the method used to authenticate applicants, and the CA's expectations on how certificates may be used. Registration authority, RA: an optional entity separate from the CA that performs administrative tasks like recording and verifying the information needed by the CA to issue certificates or CRLs, also performing certificate management functions; the CA remains solely responsible for signing digital certificates or CRLs.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.14. Let us discuss peer-to-peer computing, instant messaging and web-based technologies in the next screen. CISA candidates must have a knowledge of the risks and controls associated with peer-to-peer computing, instant messaging and web-based technologies, for example social networking, message boards, blogs.
Peer-to-peer computing, instant messaging and web-based technologies, for example social networks, message boards, blogs, are technologies that introduce new risk to the enterprise. Information posted on social network sites may inadvertently disclose confidential, non-public information that may violate financial security laws or violate customer privacy laws. Peer-to-peer computing is inherently insecure and may lead to the introduction of malicious code into an otherwise secure environment. The main areas to be covered here are computer crime issues and exposures; peer-to-peer computing, instant messaging and web-based technologies. In the next screen we'll learn more about peer-to-peer computing.

In peer-to-peer computing there is no specific server to which a user connects; generally the connection is between two peers. As a result there are risks associated with peer-to-peer, which include, since there is no central server: virus-infected files can be directly shared with others; Trojans and spyware may be inadvertently copied across systems; users may expose their IP addresses, which could result in, for example, IP spoofing, traffic sniffing and other IP-based attacks; and a user from the peer network may access sensitive data in unprotected folders. Proper security policies and control measures are required for peer-to-peer computing; the safest approach is to deny such connections unless there is a business need. In the next screen we will learn about instant messaging.
Instant messaging, IM, is a popular mechanism for collaboration and keeping in touch. It involves two or more users connecting and chatting on topics of interest with prompt acknowledgement and response, rather than emails. Risks of instant messaging are: eavesdropping, if sensitive information is sent over unencrypted channels; exchange of virus-infected files and other malicious code; data leakage, if files are unmonitored over IM channels; and exploitation of vulnerabilities, if the public IM client software is not adequately patched. Controls: a good IM policy and user awareness are required; it is advisable to use internal IM software instead of public software; only enterprise employees should be allowed to connect; and adequate monitoring of IM use to minimize the risk of data leakage of confidential information.

In the next slide we will discuss social networking sites. Social networking sites, SNS, include sites such as Facebook and LinkedIn that help establish connections with colleagues, friends and relatives. Risks: uploading of personal and private information, phishing, URL spoofing, cyberstalking. Controls: policies on what information can be shared on such sites; education and awareness for staff on what information to share or not share on such sites; also having a policy banning the use of such sites in the office. Let us continue discussing social networking sites in the next screen. Example of an incident: a hacker was able to gather information about the names of friends and the date of birth of an employee. They used this information to do email spoofing and managed to receive money from the friends by impersonating him and claiming to be stranded in another country with no passport and money.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.15. Let us discuss controls and risks associated with the use of mobile and wireless devices in the next screen.
The CISA candidate must have a knowledge of the controls and risks associated with the use of mobile and wireless devices. Portable and wireless devices present a new threat to an organization's information assets and must be properly controlled. Policies and procedures, as well as additional protection mechanisms, must be put into place to ensure that data are protected to a greater extent on portable devices, since such devices will most likely operate in environments where physical controls are lacking or non-existent. Most transportable media, including PDAs, BlackBerry devices, etc., are easily lost or stolen and thus require the use of encryption technologies as well as strong authentication. It also may be necessary to classify some data as inappropriate for storage on a mobile device. The IS auditor should understand that all such media and devices, which may include personal music (MP3) devices, can also be used by an individual to steal both data and programs for personal use or gain. We will focus on mobile computing. The main area covered here is mobile computing. In the next screen we will discuss the risk of using laptops, which is the difficulty of implementing logical and physical security in a mobile environment. Laptop security controls and measures: engraving the serial number and company name, cable locks, monitor detectors, regular backup of sensitive data, encryption of data, allocating passwords to individual files, and theft response procedures.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.16. Let us discuss voice communication security in the next screen. It is key to know voice communication security, for example PBX, VoIP. The increasing complexity and convergence of voice and data communications introduces additional risks that must be taken into account by the IS auditor. VoIP and PBX environments involve many security risks, both within and outside the organization, that must be addressed to ensure the security and reliability of voice communications. The main areas to be covered here are Voice over IP and private branch exchange. In the next slide we will discuss VoIP.

IP telephony, Internet telephony, is the technology that makes it possible to have a voice conversation over the Internet. The protocols used to carry the signal over the IP network are referred to as VoIP. VoIP is a technology where voice traffic is carried on top of the existing data infrastructure. In VoIP, sounds are digitized into IP packets and transferred through the network layer before being decoded back into the original voice. VoIP has reduced long-distance call costs in a number of organizations. Thus we will focus on Voice over IP and private branch exchange. Let us continue to discuss VoIP in the next slide. VoIP advantages over traditional telephony: VoIP innovation progresses at market rates rather than at the rates of the ITU, International Telecommunication Union; lower costs per call, or even free calls, for long-distance calls; lower infrastructure costs. The risks associated with the use of VoIP are the need to protect two assets, the data and the voice, and inherently poor security: the current Internet architecture does not provide the same physical wire security as the phone lines. Controls for securing VoIP: implementing security mechanisms such as those deployed in data networks, for example firewalls and encryption, to emulate the security level currently enjoyed by PSTN network users. In the next screen we will discuss private branch exchange, PBX.

A PBX is a sophisticated computer-based phone system from the early 1920s. Originally it was analog but is now digital. Its principal purpose was to save the cost of providing each person with a line. Attributes include multiple telephone lines, digital phones for both voice and data, switching of calls within the PBX, a non-blocking configuration that allows simultaneous calls, and an operator console or switchboard. Let us continue discussing private branch exchange, PBX, in the next screen. The risks associated with the use of a PBX are theft of service and toll fraud, disclosure of information through eavesdropping, unauthorized access to resources, denial of service, and traffic analysis (a passive attack).

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.17. Let us discuss evidence preservation techniques in the next screen. The CISA candidate must have a knowledge of the evidence preservation techniques and processes followed in forensic investigations, for example IT process, chain of custody. Audit conclusions should be supported by reliable and relevant evidence. Evidence collected during the course of an audit follows a life cycle. The life cycle includes collection, analysis, preservation and destruction of evidence. The source of evidence should be reliable and qualified, that is, from an appropriate original source rather than obtained as common or hearsay evidence. Evidence should originate directly from a trusted source to help ensure objectivity in fraud investigations or legal proceedings. Maintaining the integrity of evidence throughout the evidence life cycle may be referred to as the chain of custody. When the evidence is classified as forensic audit evidence, it should include information regarding the date of creation. The main areas covered here are evidence, audit documentation, investigation techniques, and continuous auditing. In the next few screens we will discuss investigation techniques. Investigation techniques include the investigation of computer crime and the protection of evidence and chain of custody, among others.
Investigation of computer crime: computer crimes are not reported in most cases, simply because they are not detected or because of the negative publicity they generate. In many countries, laws are directed toward protecting physical property, making it very difficult to use such laws against computer crime. It is very important that proper procedures are used to collect evidence from a crime scene. The environment and evidence must be left unaltered, and specialist law enforcement officials must be called in after a crime.

Computer forensics is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings, for example court. It includes activities involving the exploration and application of methods to gather, process, interpret and use digital evidence. Loss of preservation of the integrity of evidence means loss of value in legal proceedings. The chain of evidence contains information regarding who had access to the evidence, in chronological order; the procedures followed in working with the evidence; and proof that the analysis is based on copies identical to the original evidence. Considerations regarding evidence: identify, that is, identify information that may form evidence; preserve, the practice of retrieving identified information and preserving it as evidence, which involves imaging of the original data and documenting the chain of custody; analyze, which involves extracting, processing and interpreting the evidence, with the analysis performed on an image of the media, not the original; present, which involves a presentation to the various audiences such as management and attorneys, where the presenter must be qualified and the process of preservation and analysis credible.

Key elements of computer forensics the IS auditor should consider: data protection, measures to ensure the sought-after information isn't altered; data acquisition, all required data transferred to a controlled location and writable media write protected; imaging, a process allowing for bit-for-bit replication of the data on disk that avoids damage to the original data; extraction, the process of identification and selection of relevant data from the imaged data set; interrogation, used to obtain prior indicators or relationships from the extracted data; ingestion/normalization, the process of converting extracted information to a format that can be understood by investigators; reporting, information should be collected and reported in a proper way for it to be valuable.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.18. Let us discuss data classification standards and supporting procedures in the next screen.
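The acquisition and analysis elements listed above (write-protected original, bit-for-bit imaging, hash verification that image and original are identical, a chain-of-custody record, and extraction run on the image only), as an added example that is not from the course; the "device" is a constructed in-memory byte buffer and the examiner name is a placeholder.

```python
"""Forensic acquisition as described in the key elements above: the original
is write-protected, a bit-for-bit image is taken, original and image are
hashed to prove they are identical, every action is logged as chain of
custody, and extraction runs only on the image.  Added example, not course
material; the 'device' is a constructed in-memory byte buffer."""
import hashlib
import io
import re
import time


class WriteBlockedDevice:
    """Software write-blocker: the evidence can be read and seeked, never written."""

    def __init__(self, raw):
        self._raw = io.BytesIO(raw)

    def read(self, size=-1):
        return self._raw.read(size)

    def seek(self, pos, whence=0):
        return self._raw.seek(pos, whence)

    def write(self, _data):
        raise PermissionError("original evidence is write-protected")


def sha256_of(stream, block=4096):
    """Hash a seekable stream from its start and leave it rewound."""
    stream.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(block), b""):
        digest.update(chunk)
    stream.seek(0)
    return digest.hexdigest()


def record(custody, examiner, action, sha256):
    """Append one chain-of-custody entry: who did what to which bytes, when."""
    custody.append({"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                    "examiner": examiner, "action": action, "sha256": sha256})


def acquire_image(device, custody, examiner):
    """Bit-for-bit copy.  The original is hashed before and after the copy so
    the log proves it was not damaged, and the image must hash to the same value."""
    before = sha256_of(device)
    image = io.BytesIO()
    for chunk in iter(lambda: device.read(4096), b""):
        image.write(chunk)
    after = sha256_of(device)
    image_hash = sha256_of(image)
    if not before == after == image_hash:
        raise RuntimeError("imaging failed: %s / %s vs image %s" % (before, after, image_hash))
    record(custody, examiner, "imaged original, verified hash", image_hash)
    return image


def extract_emails(image, custody, examiner):
    """Extraction step, performed on the image only; the entry records that
    the image hash was unchanged by the analysis."""
    data = image.getvalue()
    found = sorted(set(m.decode() for m in re.findall(rb"[\w.+-]+@[\w-]+\.[\w.]+", data)))
    record(custody, examiner, "extracted e-mail addresses", sha256_of(image))
    return found


def custody_intact(custody):
    """Every entry since imaging must carry the same hash as the image itself."""
    return len(custody) >= 1 and len({entry["sha256"] for entry in custody}) == 1


def demo():
    """Constructed scenario: image a small 'disk', extract from the image, and
    show that an attempted write to the original is refused."""
    raw = (b"\x00" * 64 + b"deleted-file remnant: invoice sent to alice@example.com "
           b"and cc bob.smith@example.org \xff\xfe" + b"\x00" * 64)
    device = WriteBlockedDevice(raw)
    custody = []
    image = acquire_image(device, custody, "examiner-1")  # placeholder examiner id
    try:
        device.write(b"oops")
        write_blocked = False
    except PermissionError:
        write_blocked = True
    return {"emails": extract_emails(image, custody, "examiner-1"),
            "image_matches_original": sha256_of(image) == hashlib.sha256(raw).hexdigest(),
            "custody_intact": custody_intact(custody),
            "entries": len(custody), "write_blocked": write_blocked}
```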
The CISA candidate must have a knowledge of data classification standards and supporting procedures. Information assets have varying degrees of sensitivity and criticality in meeting business objectives. Data is classified and protected according to the set degree. An important first step to data classification is discovery, inventory and risk assessment. Once this is accomplished, data classification can then be put into use by assigning classes or levels of sensitivity and criticality to information resources and establishing specific security rules for each class. Enterprises can define the level of access controls and the retention time and destruction requirements that should be applied to each information asset. The IS auditor should understand the process of classification and the interrelationship between data classification and the need for inventorying information assets and assigning responsibility to data owners.
Data owner responsibilities should be clearly identified, documented and implemented. The main area to be covered here is inventory and classification of information assets. In the next screens we will learn about inventory and classification of information assets. A detailed inventory of information assets is required for effective control. The inventory is the first step in classifying the assets and determining the level of protection required. The inventory record should include: specific identification of the asset, relative value to the organization, location, security risk classification, asset group (where the asset forms part of a larger IS), owner, and designated custodian. Classification should be simple and employed during risk assessment by end user managers and system admins; use ISO/IEC 27012 2005; reduce the risk and cost of over- or under-protection; it is used to identify who has access to what, who determines access rights and levels, and the approvals required for access; classification is done by differing degrees for data sensitivity and mission criticality of the business applications. Let us continue discussing inventory and classification of information assets in the next screen. Classification of assets: information assets have varying degrees of sensitivity and criticality, which determine the appropriate levels of control; application or database criticality classification, for example mission critical, significant, moderate or low.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.19. Let us discuss physical access controls in the next screen.
Candidates should know of physical access controls for the identification, authentication and restriction of users to authorized facilities. Physical security weaknesses can result in financial loss, legal repercussions, loss of credibility or loss of competitive edge. Thus information assets must be protected against physical attacks such as vandalism and theft through controls that restrict access to sensitive areas containing computer equipment or confidential data files. Such controls usually employ access door locks that require the use of a password, key, token or biometric authentication of the person attempting entry. In high security areas, access may require authentication through multiple means and the use of strong security measures such as airlock-type or mantrap entrances. The IS auditor should understand the nature of physical controls and the ways in which they can be circumvented, as well as the concept of the security boundary, to establish where such devices should be placed and how effective they must be.
The main area covered here is physical access controls and exposures. Physical access controls and exposures is our main focus in the next screen. Physical access controls: door locks (bolting, combination, electronic, biometric), dead-man doors, logging (manual, electronic), identification badges, video cameras, security guards, controlled visitor access, bonded personnel, not advertising the locations of sensitive facilities, computer workstation locks, controlled single entry points, alarm systems, and secured report and documentation distribution carts. Exposures primarily originate from natural and man-made hazards. Exposures include unauthorized entry, damage, vandalism, theft, viewing or copying sensitive information, alteration of data, public disclosure of sensitive information, abuse of processing facilities, blackmail and embezzlement. Let us continue discussing physical access exposures in the next screen. Auditing physical access involves touring the information processing facility, visibly observing physical access controls, reviewing physical security documentation, and evaluating general cleanliness, doors, windows, walls, curtains, ceilings, raised floors and ventilation.

You will now attempt a question to test what you have learned so far. In this topic, we will learn about the concepts in Knowledge Statement 5.20. Let us discuss environmental protection devices and supporting practices in the next screen. The CISA candidate has to have a knowledge of environmental protection devices and supporting practices. Certain natural and man-made events have the ability to do great damage to an organization's information systems and business processes. Most data centers have mechanisms to prevent, detect or mitigate the impact of these threats; however, it is important that the readiness and sufficiency of these controls be periodically tested by management to ensure that they will function as intended. The IS auditor should understand the nature of these controls and how to ensure that they are functioning properly and are adequate to protect the organization. Let us continue discussing environmental protection devices and supporting practices. Environmental controls generally include fire and smoke detectors, fire suppression systems, water detectors, and temperature and humidity controls. The IS auditor should know the relative merits of different fire suppression systems and in what circumstances one type is more appropriate than another. The main areas of coverage are environmental exposures and controls. In the next few screens we will discuss environmental exposures
-
and
-
controls the environmental exposures
-
include natural events like lightning
-
storms earthquakes Etc power failures is
-
of particular concern total failure
-
blackouts severely reduced voltage
-
brownouts sags spikes and surges
-
electromagnetic interference Emi caused
-
by electrical storms or noisy electrical
-
equipment static electricity magnetic
-
fields water damage and flooding Fire
-
Man and terrorism vandalism smoke food
-
natural elements humidity dust
-
temperature environmental controls power
-
continuity power generators long-term
-
power interruptions surge protectors at
-
least on all expensive equipment UPS
-
devices sags spikes surges emergency
-
power off switch redundant power lines
-
for example leads from two
-
substations fire controls fire
-
extinguishers strategically plac
-
throughout facility fire suppression
-
systems either waterbased sprinklers
-
damages equipment or dry pipe sprinklers
-
Halon systems or CO2 based regular
-
inspection by the fire department also
-
use of audible fire alarms smoke
-
detectors having defined
-
responsibilities marked locations
-
fireproof walls floors and
-
ceilings more however environmental
-
controls that can be applied are
-
strategically locating the computer room
-
not basement raised floors and water
-
detectors water proper ventilation
-
humidity and temperature control wiring
-
placed in fire resistant panels and
-
conduits prohibit eating drinking and
-
smoking within information processing
-
facilities documented and tested
-
emergency evacuation plan auditing
-
environmental controls involve checking
-
that systems work as specified and are
-
inspected and tested at least once a
-
year placing and assigning
-
responsibility to concerned persons
-
maintaining communication and awareness
-
having a business continuity plan that
-
will be used in case of a disaster this
-
plan should be fully documented and
-
tested you will now attempt a question
-
to test what you have learned so far in
-
this topic we will learn about the
-
concepts in knowledge statement
-
5.21 let us discuss about handling
-
confidential information Assets in the
-
next few
-
screens knowledge of the processes and
-
procedures used to store retrieve
-
transport and disposal of confidential
-
information assets is key for a cesa
-
candidate to learn confidential
-
information assets are vulnerable during
-
storage retrieval and transport and must
-
be disposed of properly management
-
should Define and Implement procedures
-
to prevent unauthorized access to or
-
loss of sensitive information and
-
software from computers Diss and other
-
equipment or media when they are stored
-
transported or transmitted during
-
processing retrieval and output the is
-
auditor should also understand the need
-
for correct disposal of information and
-
media in order to ensure that no
-
unauthorized person gain access to the
-
information by restoration or
-
Recreation thus we will mainly discuss
-
about storing retrieving transport and
-
disposing of confidential information
-
Assets in the next slide let us discuss
-
about handling confidential information
-
storing retrieving transporting and
-
disposing of confidential information
-
need procedures to prevent access to or
-
loss of sensitive information and
-
software further controls are required
-
for backup files and databases data
-
banks disposal of media previously used
-
to hold confidential information
-
management of equipment sent for
-
off-site maintenance public agencies and
-
organizations concerned with sensitive
-
critical or confidential information e
-
toen electronic Keys storage records let
-
us continue discussing handling
-
confidential information in the next
-
screen preserving information during
-
shipment or storage by keeping out of
-
direct sunlight keeping free of dust
-
keep free of liquids minimize exposure
-
to magnetic fields radio equipment or
-
any sources of vibration do not Air
-
transport in areas and at times of
-
exposure to a strong magnetic storm you
-
will now attempt a question to test what
-
you have learned so far protection of
-
information assets
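As an added example that is not part of the course material, the environmental control audit described under knowledge statement 5.20 above (readings within temperature and humidity range, no active water detector alarm, every control inspected and tested within the last year) applied to constructed sensor readings and inspection records. The acceptable ranges, the control names, and the dates are assumptions; the course gives no figures.

```python
from datetime import date

# Constructed sample data (not from the course): latest sensor readings in the
# computer room and the last documented inspection/test date of each control.
READINGS = {"temperature_c": 27.5, "humidity_pct": 38.0, "water_detector_alarm": True}
INSPECTIONS = {
    "fire_extinguishers": date(2023, 11, 2),
    "fire_suppression_system": date(2022, 9, 15),
    "smoke_detectors": date(2023, 12, 1),
    "ups": date(2023, 10, 20),
    "emergency_power_off": None,  # no test on record at all
}
AS_OF = date(2024, 1, 15)  # date of the audit (constructed)

# Assumed acceptable operating ranges; the course states no figures.
TEMP_RANGE_C = (18.0, 24.0)
HUMIDITY_RANGE_PCT = (40.0, 60.0)
MAX_TEST_AGE_DAYS = 365  # "inspected and tested at least once a year"

def check_readings(readings):
    """Flag readings outside the assumed ranges and any active water alarm."""
    findings = []
    lo, hi = TEMP_RANGE_C
    t = readings["temperature_c"]
    if not lo <= t <= hi:
        findings.append(f"temperature {t} C outside {lo}-{hi} C")
    lo, hi = HUMIDITY_RANGE_PCT
    h = readings["humidity_pct"]
    if not lo <= h <= hi:
        findings.append(f"humidity {h}% outside {lo}-{hi}%")
    if readings["water_detector_alarm"]:
        findings.append("water detector alarm active")
    return findings

def check_inspections(inspections, as_of):
    """Flag controls never tested, or not tested within the last year."""
    findings = []
    for control, last in sorted(inspections.items()):
        if last is None:
            findings.append(f"{control}: no inspection/test on record")
        elif (as_of - last).days > MAX_TEST_AGE_DAYS:
            findings.append(f"{control}: last tested {last}, over a year ago")
    return findings

if __name__ == "__main__":
    for finding in check_readings(READINGS) + check_inspections(INSPECTIONS, AS_OF):
        print("FINDING:", finding)
```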
-
Let us summarize the key points of this domain.

1. A long asymmetric encryption key (public key encryption) increases encryption overhead cost.
2. Creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel.
3. Worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email.
4. Identifying network applications such as mail, web, or FTP servers to be externally accessed is an initial step in creating a proper firewall policy.
5. The SSL protocol provides confidentiality through symmetric encryption such as Data Encryption Standard.
6. Intrusion detection systems (IDS) are used to gather evidence of network attacks.
7. Time stamps are an effective control for detecting duplicate transactions such as payments made or received.
8. Traffic analysis is a passive attack method used by intruders to determine potential network attacks.
9. File encryption is a good control for protecting confidential data that resides on a PC.
10. Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly.
11. Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis for the organization's data owners.
12. A callback system is a remote access control in which the user initially connects to the network systems via dial-up access, only to have the connection terminated by the server, which then subsequently dials back the user at a predetermined number stored in the server's configuration database.
13. Information system security policies are used as the framework for developing logical access controls.

This concludes the domain on protection of information assets. This is the last domain to be covered in this course. With this, we've come to the end of this course. Happy learning!