2002 Chap 4


Transcript of 2002 Chap 4

Page 1: 2002 Chap 4

CISA Review Course

Chapter 4

Protection of Information Assets

Page 2: 2002 Chap 4

Chapter Overview

• Logical Access Exposures and Controls
• Network Infrastructure Security
• Auditing Network Infrastructure Security
• Environmental Exposures and Controls
• Physical Access Exposures and Controls

Page 3: 2002 Chap 4

Chapter Objective

“This content area addresses the knowledge that an IS auditor must have in order to evaluate the organization’s logical, environmental and IT infrastructure security. Knowledge in this area enables the IS auditor to determine whether the security in place satisfies the organization’s business requirements for safeguarding information assets.”

Page 4: 2002 Chap 4

Chapter 4 Summary

According to the Certification Board, this Content Area will represent approximately 25% of the CISA examination (approximately 50 questions).

Page 5: 2002 Chap 4

Logical Access Exposures and Controls

To retain a competitive advantage and to meet basic business requirements, organizations must:

• Ensure the integrity of the information stored on their computer systems
• Preserve the confidentiality of sensitive data
• Ensure the continued availability of their information systems
• Ensure conformity to laws, regulations and standards

Page 6: 2002 Chap 4

Logical Access Exposures and Controls

Components of a Security Policy

• Management support and commitment
• Access philosophy
• Compliance with relevant legislation and regulations
• Access authorization
• Reviews of access authorization
• Security awareness
• Role of the security officer
• Security committee

Page 7: 2002 Chap 4

Logical Access Exposures and Controls

Paths of Logical Access

• Network connectivity
• Remote access
• Operator console
• Online terminals

Page 8: 2002 Chap 4

Logical Access Exposures and Controls

Logical Access Issues and Exposures

Technical Exposures

• Data diddling
• Trojan horses
• Rounding down
• Salami techniques
• Viruses
• Worms
• Logic bombs
• Trap doors
• Asynchronous attacks
• Data leakage
• Wire-tapping
• Piggybacking
• Computer shut down
• Denial of service

Page 9: 2002 Chap 4

Logical Access Issues and Exposures

Viruses usually attack four parts of the computer:

• Executable program files
• File-directory system, which tracks the location of all the computer’s files
• Boot and system areas that are needed to start the computer
• Data files

Logical Access Exposures and Controls

Page 10: 2002 Chap 4

Controls over Viruses

• Build any system from original, clean master copies.
• Boot only from original diskettes whose write protection has always been in place.
• Allow no disk to be used until it has been scanned on a stand-alone machine.
• Update virus scanning definitions/signatures frequently.
• Write-protect all diskettes.
• Have vendors run demonstrations on their machines, not yours.

Logical Access Exposures and Controls

Page 11: 2002 Chap 4

Antivirus software

• Scanners
• Active monitors
• Integrity checkers

Logical Access Exposures and Controls

Page 12: 2002 Chap 4

Logical Access Exposures and Controls

Logical Access Issues and Exposures

Computer crime exposures

• Financial loss
• Legal repercussions
• Loss of credibility or competitive edge
• Blackmail/industrial espionage
• Disclosure of confidential, sensitive or embarrassing information
• Sabotage

Page 13: 2002 Chap 4

Logical Access Issues and Exposures

Computer crime exposures

• Logical access violators
  – Hackers
  – Employees and former employees
  – IS personnel
  – End users
  – Former employees
  – Interested or educated outsiders
  – Part-time and temporary personnel
  – Vendors and consultants
  – Accidental ignorant

Logical Access Exposures and Controls

Page 14: 2002 Chap 4

Access Control Software

• Tasks they perform
• Authorization functions they provide
• Standard functions

Logical Access Exposures and Controls

Page 15: 2002 Chap 4

Access Control Software Continued…

• Process of access requests
• List of computerized files and facilities
• Advantages of decentralized environment

Logical Access Exposures and Controls

Page 16: 2002 Chap 4

Access Control Software Continued…

• Risks associated with distributed responsibility for security administration
• Ways to control remote and distributed sites

Logical Access Exposures and Controls

Page 17: 2002 Chap 4

Logical Security Features, Tools and Procedures

Authentication techniques for logical access control

Logon-ids and passwords

• Features of passwords
• Password syntax (format) rules
• Logging computer access

Logical Access Exposures and Controls

Page 18: 2002 Chap 4

Logical Security Features, Tools and Procedures

Logging Computer Access

• Performing security access follow-up
• Reported attempted violations

Logical Access Exposures and Controls

Page 19: 2002 Chap 4

Logical Access Exposures and Controls

Logical Security Features, Tools and Procedures

• Token devices (one-time passwords)
• Biometric security access control
• Workstation (PC or terminals) usage restraints
• Dial-back procedures

Page 20: 2002 Chap 4

Logical Access Exposures and Controls

Logical Security Techniques

• Restrict and monitor access to computer features that bypass security
• Logging of online activity

Page 21: 2002 Chap 4

Logical Access Exposures and Controls

Logical Security Features, Tools and Procedures

• Data classification
• Safeguards for confidential data on a PC
• Naming conventions for access controls

Page 22: 2002 Chap 4

Logical Access Exposures and Controls

Auditing Logical Access

Familiarization with the IS processing environment

• Document access paths
• Interview systems personnel
• Review reports from access control software

Page 23: 2002 Chap 4

Logical Access Exposures and Controls

Audit & Evaluation Features, Tools and Procedures

• Review application systems operations manual
• Review written policies, procedures and standards
• Logical access security policies
• Formal security awareness and training
• Data ownership
• Data owners
• Data custodians

Page 24: 2002 Chap 4

Logical Access Exposures and Controls

Audit and Evaluation Features, Tools and Procedures

• Security administrator
• Data users
• Documented authorizations
• Access standards

Page 25: 2002 Chap 4

Test Security

• Use of terminal cards and keys
• Terminal identification
• Logon-ids and passwords
• Controls over production resources
• Logging and reporting of computer access violations

Logical Access Exposures and Controls

Page 26: 2002 Chap 4

Test Security Continued…

• Follow-up access violations
• Dial-up access controls
• Authorization of network changes
• Identification of methods of bypassing security and compensating controls
• Review access controls and password administration

Logical Access Exposures and Controls

Page 27: 2002 Chap 4

Network Infrastructure Security

LAN Security

• Controls over the communication network
• Common network management/control software packages

Page 28: 2002 Chap 4

Local Area Networks

• LAN security
• LAN risk/issues
• Dial-up access controls

IS Network and Telecommunication Infrastructure

Page 29: 2002 Chap 4

Network Infrastructure Security

Client/Server Security

Control techniques in place

• Securing access to data or application
• Use of network monitoring devices
• Data encryption techniques
• Authentication systems
• Use of application level access control programs

Page 30: 2002 Chap 4

Client/Server Security

Client/server risks and issues

IS Network and Telecommunication Infrastructure

Page 31: 2002 Chap 4

Network Infrastructure Security

Internet Threats and Security

Areas of control

• Corporate internet policies and procedures
• Firewall standards
• Firewall security
• Data security controls

Page 32: 2002 Chap 4

Internet Threats and Security

• Network analysis
• Eavesdropping
• Traffic analysis
• Brute-force attack
• Masquerading
• Packet replay
• Denial of service
• Dial-in penetration attacks
• E-mail bombing and spamming
• E-mail spoofing

Network Infrastructure Security

Page 33: 2002 Chap 4

Impact of Internet Threats

• Loss of income
• Increased cost of recovery
• Increased cost of retrospectively securing systems
• Loss of information
• Loss of trade secrets
• Damage to reputation
• Legal and regulatory noncompliance
• Failure to meet contractual commitments

Network Infrastructure Security

Page 34: 2002 Chap 4

Internet Threats and Security

Causal factors for internet attacks

• Availability of tools and techniques on the Internet
• Lack of security awareness and training
• Exploitation of security vulnerabilities
• Inadequate security over firewalls

Internet security controls

Network Infrastructure Security

Page 35: 2002 Chap 4

Network Infrastructure Security

Encryption

Key elements of encryption systems

• Encryption algorithm
• Encryption keys
• Key length

Private key cryptographic systems

Public key cryptographic systems

Page 36: 2002 Chap 4

Network Infrastructure Security

Encryption Continued...

• Elliptical curve cryptosystem (ECC)
• Quantum cryptography
• Digital signatures

Page 37: 2002 Chap 4

Network Infrastructure Security

Encryption Continued...

Public key infrastructure

• Digital certificate
• Certificate authority (CA)
• Registration authority (RA)
• Certificate revocation list
• Certification practice statement (CPS)

Page 38: 2002 Chap 4

Network Infrastructure Security

Encryption Continued...

Use of encryption in OSI protocols

• SSH
• Secure sockets layer (SSL)
• S-HTTP
• IP security
• Secure multipurpose Internet mail extensions (S/MIME)
• Internet key exchange (IKE)
• Secure electronic transactions (SET)
• Kerberos

Page 39: 2002 Chap 4

Network Infrastructure Security

Encryption Continued…

Applications of the public/private key encryption process

• E-mail security
• Internet security

Encryption risks and password protection demystified

Page 40: 2002 Chap 4

Network Infrastructure Security

Firewall Security Systems

Firewall Types

• Router packet filtering
• Application firewall systems
• Stateful inspection

Page 41: 2002 Chap 4

Network Infrastructure Security

Firewall Security Systems Continued...

Examples of Firewall Implementations

• Screened host firewall
• Dual homed firewall
• Demilitarized zone (DMZ) or screened subnet firewall

Firewall Issues

Page 42: 2002 Chap 4

Network Infrastructure Security

Intrusion Detection Systems (IDS)

An element of securing networks that complements firewall implementations.

Broad categories
• Network-based
• Host-based

Types of IDS
• Signature-based
• Statistical-based
• Neural networks

Features

Limitations

Page 43: 2002 Chap 4

Auditing Network Infrastructure Security

Auditing Internet Connections

• Review network diagrams
• Remote access security
• Infrastructure

Page 44: 2002 Chap 4

Auditing Network Infrastructure Security

Auditing Internet Connections

Development and change control

• Firewalls
• Routers
• Bridges

Logical security

Page 45: 2002 Chap 4

Environmental Exposures and Controls

Environmental Issues and Exposures

• Fire
• Natural disasters
• Power failure and spike
• Air conditioning failure
• Others

Page 46: 2002 Chap 4

Environmental Exposures and Controls

Environmental Issues and Exposures

• Power supply properly controlled?
• Air conditioning, humidity and ventilation within specifications?
• Computer equipment protected from the effect of static electricity?
• Consumption of food prohibited around the equipment?
• Backup media protected?

Page 47: 2002 Chap 4

Environmental Exposures and Controls

Controls for Environmental Exposures

• Water detectors
• Hand-held fire extinguishers
• Manual fire alarms
• Smoke detectors
• Fire suppression systems
  – Water-based
  – Dry pipe sprinkling
  – Halon
  – Carbon dioxide

Page 48: 2002 Chap 4

Environmental Exposures and Controls

Controls for Environmental Exposures Continued...

• Computer room location
• Fire department inspections
• Fireproof walls, floors and ceilings
• Electrical surge protectors
• Uninterruptible power supply (UPS)
• Emergency power-off switch

Page 49: 2002 Chap 4

Environmental Exposures and Controls

Controls for Environmental Exposures Continued...

• Power leads from two substations
• Wiring placed in electrical panels and conduit
• Prohibitions against eating, drinking and smoking within the IPF
• Fire resistant office materials
• Documented and tested emergency evacuation plans

Page 50: 2002 Chap 4

Environmental Exposures and Controls

Auditing Environmental Controls

• Water and smoke detectors
• Hand-held fire extinguishers
• Fire suppression systems
• Regular fire department inspections
• Fireproof walls, floors and ceilings surrounding the computer room

Page 51: 2002 Chap 4

Environmental Exposures and Controls

Auditing Environmental Controls Continued…

• Electrical surge protectors
• Power leads from two substations
• Fully documented and tested business continuity plan
• Wiring placed in electrical panels and conduit
• UPS/Generator
• Documented and tested emergency evacuation plans
• Humidity/temperature control

Page 52: 2002 Chap 4

Physical Access Exposures and Controls

Physical Access Issues and Exposures

• Physical access exposures
• Possible perpetrators

Page 53: 2002 Chap 4

Physical Access Exposures and Controls

Physical Access Controls

• Bolting door locks
• Combination door locks (cipher locks)
• Electronic door locks
• Biometric door locks
• Manual logging
• Electronic logging

Page 54: 2002 Chap 4

Physical Access Exposures and Controls

Physical Access Controls Continued…

• Identification badges (photo IDs)
• Video cameras
• Security guards
• Controlled visitor access
• Bonded personnel
• Deadman doors

Page 55: 2002 Chap 4

Physical Access Exposures and Controls

Physical Access Controls Continued…

• Not advertising the location of sensitive facilities
• Computer terminal locks
• Controlled single entry point
• Alarm system
• Secured report/document distribution cart

Page 56: 2002 Chap 4

Physical Access Exposures and Controls

Audit Physical Access

• Touring the information processing facility (IPF)
• Testing of physical safeguards

Page 57: 2002 Chap 4

Chapter 4: Glossary

• Access Control Table
• Asymmetric Key (Public Key)
• Authentication
• Biometrics
• Card Swipes
• Challenge/Response Token

Page 58: 2002 Chap 4

Chapter 4: Glossary

• Digital Signature
• Dry-pipe Fire Extinguisher System
• Encryption
• Trojan Horse

Page 59: 2002 Chap 4

Chapter 4: Recap

• Group discussion
• Questions

Page 60: 2002 Chap 4

Chapter 4: Questions

1. Which of the following BEST provides access control to payroll data being processed on a local server?

A. Logging of access to personal information
B. Separate password for sensitive transactions
C. Software restricts access rules to authorized staff
D. System access restricted to business hours

Page 61: 2002 Chap 4

Chapter 4: Questions

2. Which of the following concerns about the security of an electronic message would be addressed by digital signatures?

A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration

Page 62: 2002 Chap 4

Chapter 4: Questions

3. The MOST effective method for limiting the damage of an attack by a software virus is:

A. software controls.
B. policies, standards and procedures.
C. logical access controls.
D. data communication standards.

Page 63: 2002 Chap 4

Chapter 4: Questions

4. Which of the following BEST determines that complete encryption and authentication protocols exist for protecting information while transmitted?

A. A digital signature with RSA has been implemented.
B. Work is being done in tunnel mode with the nested services of AH and ESP.
C. Digital certificates with RSA are being used.
D. Work is being done in transport mode, with the nested services of AH and ESP.

Page 64: 2002 Chap 4

Chapter 4: Questions

5. Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?

A. Digital signature
B. Data encryption standard (DES)
C. Virtual private network (VPN)
D. Public key encryption

Page 65: 2002 Chap 4

Chapter 4: Questions

6. The PRIMARY objective of a firewall is to protect:

A. Internal systems from exploitation by external threats.
B. External systems from exploitation by internal threats.
C. Internal systems from exploitation by internal threats.
D. Itself and attached systems against being used to attack other systems.

Page 66: 2002 Chap 4

Chapter 4: Questions

7. Access authorization to computerized information should be provided by the:

A. data owner.
B. data administrator.
C. database administrator.
D. security administrator.

Page 67: 2002 Chap 4

Chapter 4: Questions

8. An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?

A. The security officer also serves as the database administrator (DBA).
B. Password controls are not administered over the client/server environment.
C. There is no business continuity plan for the mainframe system’s noncritical applications.
D. Most LANs do not back up file server fixed disks regularly.

Page 68: 2002 Chap 4

Chapter 4: Questions

9. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:

A. maximum unauthorized access would be possible if a password is disclosed.
B. user access rights would be restricted by the additional security parameters.
C. the security administrator’s workload would increase.
D. user access rights would be increased.

Page 69: 2002 Chap 4

Chapter 4: Questions

10. During a review of system access rules, an IS auditor noted that technical support personnel have unlimited access to all data and program files. Such access authority is:

A. appropriate, but all access should be logged.
B. appropriate, because technical support personnel can access all data and program files.
C. inappropriate, since access should be limited to a need-to-know basis, regardless of position.
D. inappropriate, because technical support personnel have the capacity to run the system.