
Domain 5 - a

CISA - Protection of Information Assets Tutorial

5.1 Protection of Information Assets

Hello and welcome to the fifth domain of the Certified Information Systems Auditor (CISA) Course offered by Simplilearn. This domain covers Protection of Information Assets. Let us look at the objectives of this domain in the next screen.

Objectives

By the end of this domain, you should be able to:

• Understand and provide assurance that the enterprise's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.
• Detail the design, implementation and monitoring of security controls.
• Discuss the risks associated with the use of mobile and wireless devices.
• Understand encryption techniques such as public key infrastructure (PKI) and risks related to data leakage.
• Detail network detection tools and techniques.
• Discuss how confidential information can be stored, retrieved, transported and disposed of.

The following screen gives an overview of this domain.

Overview

An information asset is a component related to the provision of accurate data or information for decision-making purposes by an entity. It is considered to hold value to that particular organization and should therefore be protected by ensuring confidentiality, integrity and availability (CIA). Examples of information assets are:

• Information (or data)
• Computer application systems
• Computers (personal computers (PCs), laptops, PDAs, phones)
• Networks (local area network (LAN), wide area network (WAN), wireless networks)
• Human resources
• Facilities (main distribution facilities (MDFs), data centers, server rooms)
• Other technologies, such as database technologies, among others

Let us continue with the overview in the following screen.

Overview (contd.)

The risks to the business include financial loss (electronic fraud), legal repercussions (privacy issues), loss of credibility or competitive edge, blackmail/industrial espionage, sabotage and breach of confidentiality. Security failures can be costly to the business: costs are incurred to secure systems and prevent further failure, and further costs arise from the losses caused by the failure itself and from recovering from those losses. Let us now look at threats to information assets in the next slide.

Threats to Information Assets

The threats to information assets include hackers, crackers, phreakers, authorized or unauthorized employees, IS personnel, end users, former employees, interested or educated outsiders (competitors, organized criminals), part-time and temporary personnel, vendors and consultants, and finally accidental ignorance. Let us begin with the first topic in this domain in the following screen.

5.2 Knowledge Statement 5.1

In this topic, we will learn about the concepts under the first knowledge statement, KS 5.1. We will begin with the design, implementation and monitoring of security controls in the next screen.

Design, implementation and monitoring of security controls

The key knowledge statement is to understand the techniques for the design, implementation and monitoring of security controls, including security awareness programs. Security needs to be aligned with business objectives to provide a reasonable reduction in risk. Security objectives may include the following:

• Ensure the continued availability of information systems.
• Ensure the integrity of information stored on computer systems and the security of information while it is in transit.
• Preserve the confidentiality of sensitive data while stored and in transit.
• Ensure compliance with applicable laws, regulations and standards.

Let us continue discussing the design, implementation and monitoring of security controls in the next screen.

Design, implementation and monitoring of security controls (contd.)

• Ensure adherence to trust and obligation requirements for any information assets, in accordance with the applicable privacy policy or privacy laws and regulations.

Prudence in the application of controls is important because controls entail a cost, either directly or indirectly by impacting business operations. The business impact analysis (BIA) is the process used to establish the material adverse events the business should be worried about. The following screen lists the main areas to be covered under this knowledge statement.

Main Areas of Coverage

The main areas to cover here are:

• Key elements of information security management
• Critical success factors to information security
• Inventory and classification of information assets
• Network infrastructure security

In the next screen, we will learn about Information Security Management (ISM).

Information Security Management (ISM)

Effective ISM is the most critical factor in protecting information assets and privacy. The factors that raise the profile of information and privacy risk include electronic trading through service providers and directly with customers, loss of organizational barriers through the use of remote access facilities, and high-profile security exposures: viruses, denial of service (DoS) attacks, intrusions, unauthorized access, disclosures and identity theft over the Internet, etc. Let us continue discussing Information Security Management (ISM) in the next screen.

Information Security Management (ISM) (contd.)

The security objectives to meet business requirements are:

- To ensure continued availability of information systems
- To ensure integrity of information stored in systems and while in transit
- To preserve confidentiality of sensitive data
- To ensure conformity to applicable laws, regulations and standards
- To ensure adherence to trust and obligation requirements
- To ensure protection of sensitive data

Data integrity, as it relates to security objectives, generally refers to the accuracy, completeness, consistency (or neutrality), validity and verifiability of the data once loaded on the system; in short, integrity refers to the reliability of data. Let us continue discussing Information Security Management (ISM) in the next screen.

Information Security Management (ISM) (contd.)

The key elements of ISM are:

• Senior management commitment and support: risk management begins at the top.
• Policies and procedures: the framework that captures top management's declaration of direction.
• Organization: clearly defined and allocated roles and responsibilities, supplemented with guidance.

Let us continue discussing Information Security Management (ISM) in the next screen.

Information Security Management (ISM) (contd.)

• Security awareness and education through training and regular updates, including:
  - Written policies and procedures, and updates
  - Non-disclosure statements signed by employees
  - Newsletters, web pages, videos and other media
  - Visible enforcement of security rules
  - Simulated security incidents and simulated drills
  - Rewards for reporting suspicious events
  - Periodic audits
• Monitoring and compliance: control includes an element of monitoring and usually relates to regulatory/legal compliance.
• Incident handling and response.

In the next few screens we will learn about roles and responsibilities under Information Security Management.

ISM Roles and Responsibilities

Roles and responsibilities must be defined, documented and communicated to personnel and management. The IS security steering committee is represented by individuals from various management levels. It discusses and approves security policies, guidelines and procedures, with input from end users, executive management, auditors, security administration, IS personnel and legal counsel. The committee is formally established with appropriate terms of reference. Executive management is responsible for the overall protection of information assets and issuing

ISM Roles and Responsibilities (contd.)

The security advisory group is responsible for defining the information risk management process and the acceptable level of risk, and for reviewing security plans. It is comprised of people involved in the business and provides comments on security issues to the chief security officer (CSO). It also advises the business on whether the security programs meet business objectives.

ISM Roles and Responsibilities (contd.)

The chief information security officer (CISO) is a senior-level corporate official responsible for articulating and enforcing the policies used to protect information assets. The CISO has a much broader role than the CSO, who is normally responsible only for physical security within the organization. Information asset owners and data owners are entrusted with responsibility for the owned asset, including performance of a risk assessment, selection of appropriate controls to mitigate the risk, and acceptance of the residual risk.

ISM Roles and Responsibilities (contd.)

Process owners ensure that appropriate security measures consistent with organizational policy are maintained. Users comply with the procedures set out in the security policy and adhere to privacy and security regulations, often specific to sensitive data (e.g., health, legal, finance). The chief privacy officer (CPO) is a senior-level corporate official responsible for articulating and enforcing the policies used to protect customers' and employees' privacy rights.

ISM Roles and Responsibilities (contd.)

External parties follow the procedures set out in the security policy and adhere to privacy and security regulations, often specific to sensitive data (e.g., health, legal, finance). The information security administrator is a staff-level position, responsible for providing adequate physical and logical security for IS programs, data and equipment, and is normally guided by the information security policies.

ISM Roles and Responsibilities (contd.)

Security specialists/advisors assist with the design, implementation, management and review of security policies, standards and procedures. IT developers implement information security within their applications. IS auditors provide independent assurance on the appropriateness and effectiveness of information security objectives and the controls related to these objectives. In the next screen we will learn about system access permissions.

System Access Permission

System access permission is the ability to do something with a computer resource: read, create, modify or delete a file or data; execute a program; or use an external connection. It is controlled at the physical and/or logical level. Logical controls govern access to information and programs; they are built into operating systems, invoked through access control software, and incorporated in application programs, databases, network control devices and utilities. Let us continue discussing system access permissions in the next screen.

System Access Permission (contd.)

Physical controls restrict the entry and exit of personnel and the movement of equipment and media. They include badges, memory cards, keys and biometrics. Access is granted on a documented, need-to-know basis, with a legitimate business requirement, based on the least privilege and segregation of duties principles.

Access principles relate to 4 layers of security, namely:

• Network
• Platform (typically the operating system)
• Database
• Application

In the next screen we will learn about Mandatory and Discretionary Access Controls.

Mandatory and Discretionary Access Controls

Mandatory access controls (MACs) are logical access controls that cannot be modified by normal users or data owners. They act by default and are used to enforce critical security without possible exception. Only administrators can grant a right of access, guided by an established policy of the organization. Discretionary access controls (DACs) may be configured or modified by the users or data owners; access may be activated or modified by a data owner. DACs cannot override MACs; they act as additional filters to restrict access further.
In the next few screens we will learn about Privacy Management Issues and the Role of IS Auditors.

Privacy Management Issues and Role of IS Auditors

Privacy issues relate to personally identifiable information (e.g., a personal identification number, PIN). Regulations generally restrict the use of such data and give the data subject rights to access and correct that data. They also govern how such data is obtained, requiring the knowledge and consent of the data subject. The impact of privacy risks includes marketing risks, transborder data flow and variations in regulations, and may require privacy experts during risk assessment.

Privacy Management Issues and Role of IS Auditors (contd.)

The goals of a privacy impact assessment are: identifying the nature of personally identifiable information relating to business processes; documenting the collection, use, disclosure, storage and destruction of personally identifiable information; providing management with an understanding of privacy risk and options to mitigate this risk; ensuring accountability for privacy; and facilitating compliance with relevant regulations.

Privacy Management Issues and Role of IS Auditors (contd.)

IS audit considerations relating to privacy include the adequacy of the privacy assessment, i.e., compliance with the privacy policy, laws and other regulations, and the manner in which IT is used for competitive gain. Another consideration is the ongoing assessments conducted when new products, services, systems, operations/processes and third parties are under consideration. Besides, transborder and multinational laws should also be considered.

Privacy Management Issues and Role of IS Auditors (contd.)

The focus and extent of a privacy impact assessment may depend on changes in technology, processes or people, as shown below:

Technology: new programs; changes in existing programs; additional system linkages; data warehouse; new systems.
Processes: change management; business process re-engineering; enhanced accessibility rules; new products; new operations.
People: business partners; vendors; service providers.

In the next few screens we will learn about Information Security and External Parties.

Information Security and External Parties

Human resources security and third parties: the security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the organization's security policy, and information security policies should guide employees, contractors and third-party users. Information security and external parties: the security of information and processing facilities must be maintained when external party services or products are introduced. Controls must be agreed to and defined in a formal agreement, and the organization must have the right to audit the implementation and operations.

Information Security and External Parties (contd.)

External party arrangements include: service providers (ISPs, network providers); managed security services; customers; outsourcing of facilities and/or operations (IT systems, data collection services); management and business consultants and auditors; developers and suppliers; and cleaning, catering and other outsourced support services. Others include temporary personnel, student placements and other casual short-term appointments.

Information Security and External Parties (contd.)

Risks related to external party access arise when information processing facilities are required to be accessed by external parties. Factors to consider include the type of access (physical access, logical access, and network connectivity between the organization and the external party), the value and sensitivity of the information involved and its criticality for business operations, and legal and other regulatory requirements.

Information Security and External Parties (contd.)

Security in relation to customers involves identifying the security requirements for customers' access. The customer access security considerations are:

• Asset protection
• Description of the product or service to be provided
• Reasons, requirements and benefits for customer access
• Access control policy
• Arrangements for reporting, notification and investigation of information inaccuracies
• Target levels of service and unacceptable levels of service
• Right to monitor and revoke any activity related to an organization's assets
• Intellectual property rights and copyright assignment

You will now attempt a question to test what you have learnt so far.

5.4 Knowledge Statement 5.2

In this topic, we will learn about the concepts in knowledge statement 5.2. Let us discuss monitoring and responding to security incidents in the following screens.

Monitoring and responding to Security Incidents

The key knowledge point is the processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team). A formal incident response capability should be established to minimize the impact of security incidents, to recover in a timely and controlled manner, and to learn from such incidents (a history should be kept through proper recording of incidents). While security management may be responsible for monitoring and investigating events and may have drafted or set a requirement for escalation procedures, other functions must be involved to ensure a proper response. These functions must have well-defined and communicated processes in place that are tested periodically. The main area covered here is security incident handling and response. In the next screen we will discuss Incident Handling and Response.

Incident Handling and Response

An incident is an adverse event that threatens some aspect of information security. To minimize damage from security incidents and to recover and learn from such incidents, a formal incident response capability has to be established. It includes planning and preparation, detection, initiation, recording, evaluation, containment, eradication, escalation, response, recovery, closure and post-incident review. Let us continue discussing Incident Handling and Response.

Incident Handling and Response (contd.)

Procedures are defined for reporting different types of incidents. The process involves quick reporting and collection of evidence, a formal disciplinary process and, where applicable, automated intrusion detection systems. Incident handling and response roles involve:

• Coordinator, who is the liaison to business process owners.
• Director, who oversees the incident response capability.
• Manager(s), who manage individual incidents.
• Security specialists, who detect, investigate, contain and recover from incidents.
• Non-security technical specialists, who provide assistance with subject matter expertise.
• Business unit leader liaisons, which include legal, HR and PR.

Logical access controls is another area we are going to learn about in the subsequent slides. You will now attempt a question to test what you have learnt so far.

5.6 Knowledge Statement 5.3

In this topic, we will learn about the concepts in knowledge statement 5.3. Let us discuss logical access controls in the following screens.

Logical Access Controls

The knowledge point to learn here is logical access controls for the identification, authentication and restriction of users to authorized functions and data. Logical access controls are used to manage and protect information assets. Controls enact and substantiate the policies and procedures designed by management to protect information assets. Controls exist at both the operating system level and the application level, so it is important to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point. Let us continue the discussion about Logical Access Controls in the next few screens.

Logical Access Controls (contd.)

Logical security is often determined based on the job function of users. The success of logical access controls is tied to the strength of the authentication method (e.g., strong passwords). All user access to systems and data should be appropriately authorized and should be commensurate with the role of the individual. Authorization generally takes the form of signatures (physical or electronic) of relevant management.

The strength of the authentication is proportional to the quality of the method used: "strong authentication" may include dual or multifactor authentication using user ID, password, tokens and biometrics.

The main areas covered here are:

• Logical access

Logical access controls

Logical access controls are the primary means used to manage and protect information assets. Logical access exposures can result in anything from minor inconveniences to a total shutdown of computer functions. Logical access control involves managing and controlling access to information resources, based on management policies and procedures for information security. Logical access controls must be evaluated vis-à-vis information security objectives. Familiarization with the IT environment helps in determining which areas, from a risk standpoint, warrant IS auditing attention. This includes reviewing the security layers associated with the IS architecture: network, OS, database and application.

Logical Access Controls (contd.)

Paths of logical access (points of entry to the IS infrastructure) include back-end and front-end systems, internally based users, externally based users and direct access to specific servers. All points of entry must be known. General points of entry relate to the network or telecommunications infrastructure used in controlling access to information resources.

• Typical client-server environment: primary domain controllers and network management devices, e.g., routers and firewalls.
• General modes of access: network connectivity, and remote access, i.e., remotely dialling into a network for services that can be performed remotely (e.g., email).

Logical Access Controls (contd.)

Traditional points of entry are mainly applicable to mainframe-based systems used for large database systems or "legacy" applications.

• Operator console. These are privileged computer terminals that control most computer operations and functions. They provide a high level of system access but do not have strong logical access controls, so the console is located in a suitably controlled facility where physical access can be gained only by authorized personnel.
• On-line workstations in client-server environments. This method typically requires at least a logon ID and password to gain access to the host computer system. It may also require further entry of authentication or identification data for access to application-specific systems.

Logical Access Controls (contd.)

IS resources are more accessible and available anytime and anywhere. Computers store large volumes of data. Sharing of resources from one system to another has increased, and accessibility has increased through intranets and the Internet. Logical access control software has therefore become critical in protecting IS resources. It prevents unauthorized access to and modification of sensitive data, and unauthorized use of critical functions. It is applied across all layers of the IS architecture (network, OS, databases and applications).

Logical Access Controls (contd.)

A common attribute of this software is that it has some form of identification and authentication. It provides access authorization, checks access to specific information resources, and provides logs and reporting of user activities. The greatest degree of protection is applied at the network and platform/OS level, mainly because it is the primary point of entry to systems and the foundation (primary infrastructure) on which applications and databases reside. OS access control software also interfaces with databases and/or applications to protect system libraries and datasets. Network devices (e.g., routers and firewalls) manage external access to networks and thus need the highest degree of protection.

Logical Access Controls (contd.)

General OS/application access control software functions include creating or changing user profiles, assigning user identification and authentication, applying user logon limitation rules (e.g., restricting logon IDs to specific workstations at specific times), establishing rules for access to specific resources, creating individual accountability and auditability by logging user activities, and logging events and reporting capabilities.

Logical Access Controls (contd.)

Database or application level controls create or change data files and database profiles. They also verify user authorization at the application and transaction level, within the application and at the field level for changes within the database, and verify subsystem authorization for the user at the file level. In addition, they log database/data communications access activities for monitoring access violations. On the next three slides, we shall attempt to answer another question to check our knowledge in this area. You will now attempt a question to test what you have learnt so far.

5.8 Knowledge Statement 5.4

In this topic, we will learn about the concepts in knowledge statement 5.4. Let us discuss security controls related to hardware and system software.

Security Controls Related to Hardware, System Software

In this slide, we learn about the security controls related to hardware, system software (e.g., applications, operating systems) and database management systems. Access control software utilizes both identification and authentication (I&A). Once authenticated, the system then restricts access based on the specific role of the user. I&A is the process by which the system obtains an identity from a user and the credentials needed to authenticate that identity, and validates both pieces of information. I&A is a critical building block of computer security, since it is needed for most types of access control and is necessary for establishing user accountability. For most systems, I&A is the first line of defense, because it prevents unauthorized access (or unauthorized processes) to a computer system or an information asset. In the next screen we will discuss more about Security Controls Related to Hardware and System Software.

Security Controls Related to Hardware, System Software (contd.)

Logical access can be implemented in various ways. The IS auditor should be aware of the strengths and weaknesses of various architectures, such as single sign-on (SSO), where a single authentication enables access to all authorized applications; identity management; and multifactor authentication. If this risk is considered manageable, that assessment should drive the implementation of multifactor authentication. The main areas covered here are:

• Identification and authentication
• Single sign-on

In the next screen we will discuss Identification and Authentication.

Identification and Authentication

Identification and authentication involves proving one's identity, which is authenticated prior to being granted access. It is a critical building block of IS security and the basis of most access control systems: the first line of defense, preventing unauthorized access. I&A also establishes user accountability by linking activities to users. Multifactor authentication is a combination of more than one method, e.g., token and password or PIN, or token and biometric device. Let us continue discussing Identification and Authentication in the next slide.

Identification and Authentication (contd.)

Categories can be something you know (e.g., a password), something you have (e.g., a token card), something you are or do (a biometric feature) or where you are. These techniques can be used independently or in combination (single-factor or two-factor authentication). Some of the common vulnerabilities are:

• Weak authentication methods.
• Potential for bypassing the authentication mechanism.
• Lack of confidentiality and integrity of stored authentication information.
• Lack of encryption for transmitted authentication information.
• Lack of user knowledge regarding the risks of sharing authentication elements, e.g., passwords.

In the next few screens we will discuss Identification and Authentication – Logon IDs and Passwords.

Identification and Authentication – Logon IDs and Passwords

Logon IDs and passwords form a two-phase user identification/authentication process based on something you know:

• Logon ID – individual identification
• Password – individual authentication

It is used to restrict access to computerized information, transactions, programs and system software. It may involve an internal list of valid logon IDs and a corresponding set of access rules for each logon ID. The access rules can be specified at the OS level (controlling access to files) or within individual applications (controlling access to menu functions and types of data).

Identification and Authentication – Logon IDs and Passwords (contd.)

Features of passwords include:

• Easy for the user to remember but difficult for a perpetrator to guess.
• When the user logs on for the first time, the system should force a password change to improve confidentiality.
• A limited number of logon attempts, typically three.
• User verification for "forgotten" passwords.
• Internal one-way encryption, and not displayed in any form.
• Changed periodically, e.g., every 30 days.
• Unique; if it is known by more than one person, responsibility for activity cannot be enforced.

Identification and Authentication – Logon IDs and Passwords (contd.)

Password syntax (format) rules:

• Ideally, a minimum of eight characters in length.
• A combination of at least three of the following: alphabetic, numeric, upper and lower case, and special characters; some systems prohibit the use of vowels.
• Not particularly identifiable to the user.
• The system should enforce regular change of passwords, e.g., after every 30 days.
• No re-use of previous passwords for, e.g., at least one year after being changed.
• Deactivate dormant logon IDs.
• Automatic session/inactivity time-outs.
• Powerful user IDs (accounts) such as Supervisor and Administrator accounts should be strictly controlled; these could have full access to the system.
• The Administrator password should be known only by one person; however, the password should be kept in a sealed envelope for business continuity.

Let us proceed to the next slide for more on passwords.
Identification and Authentication – Logon IDs and Passwords (contd.)

Token devices and one-time passwords form a two-factor authentication technique: e.g., a microprocessor-controlled smart card generates unique, time-dependent one-time passwords (called "session passwords"), each good for only one logon session. The user enters this password along with a password they have memorized to gain access to the system. The technique is characterized by a unique session characteristic (ID or time) appended to the password, and involves 'something you have' (a device subject to theft) and 'something you know' (a PIN). In the next screen we will learn about Identification and Authentication – Biometric Access Control.
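An added Python example (not from the tutorial) of the two-factor scheme just described: a time-dependent session password derived from a shared token seed, entered together with a memorized PIN, and a verifier that accepts each code for one logon only. It assumes the RFC 6238 TOTP construction (HMAC-SHA1 over the 30-second time step, truncated to six digits) and a constructed seed, PIN and clock.

```python
"""Added example (not from the tutorial): time-dependent session password plus
PIN, with replay protection. Seed, PIN and timestamps are constructed."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def session_password(seed: bytes, unix_time: int) -> str:
    """What the token displays: HMAC-SHA1 over the time step, truncated (RFC 6238)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TokenVerifier:
    """Server side: something you have (token seed) + something you know (PIN)."""

    def __init__(self, seed: bytes, pin: str, salt: bytes = b"constructed-salt"):
        self.seed = seed
        self.salt = salt
        self.pin_hash = self._hash_pin(pin)      # PIN stored only as a salted hash
        self.last_used_step = -1                 # replay protection

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.sha256(self.salt + pin.encode()).digest()

    def verify(self, pin: str, code: str, unix_time: int, window: int = 1) -> str:
        """Returns 'ok', 'bad-pin', 'bad-code' or 'replay'."""
        if not hmac.compare_digest(self._hash_pin(pin), self.pin_hash):
            return "bad-pin"                     # constant-time comparison
        now_step = unix_time // STEP_SECONDS
        # Tolerate one step of clock skew either side of the server's time.
        for step in range(now_step - window, now_step + window + 1):
            expected = session_password(self.seed, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                if step <= self.last_used_step:
                    return "replay"              # code already spent this session
                self.last_used_step = step
                return "ok"
        return "bad-code"


def demo() -> dict:
    """Constructed logon sequence at fixed timestamps (no real clock needed)."""
    seed = b"constructed-shared-seed-0123"
    verifier = TokenVerifier(seed, pin="4711")
    t = 1_700_000_000
    code = session_password(seed, t)
    return {
        "wrong_pin": verifier.verify("0000", code, t),
        "first_use": verifier.verify("4711", code, t),
        "replayed": verifier.verify("4711", code, t + 5),
        "stale": verifier.verify("4711", code, t + 10 * STEP_SECONDS),
        "next_step": verifier.verify("4711", session_password(seed, t + STEP_SECONDS),
                                     t + STEP_SECONDS),
    }


if __name__ == "__main__":
    for event, outcome in demo().items():
        print(f"{event:10s} {outcome}")
```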
Access Control Identification and Authentication – Biometric Access Control. Biometric Security
Access Control is the best means of authenticating a user’s identity based on a unique, measurable
attribute or trait for verifying the identity of a human being. It restricts computer access based on a
physical (something you are) or behavioural (something you do) feature of the user, e.g. a fingerprint
or eye retina pattern. A reader interprets the individual’s biometric features before permitting
authorized access. However, it is not a fool proof process: certain biometric features can change (e.g.
scarred fingerprints, change in voice). The final template is derived through an iterative averaging
process of acquiring samples. Let us continue discussing Identification and Authentication –
Biometric Access Control Identification and Authentication – Biometric Access Control (contd.)
Physically oriented biometrics are palm, Hand geometry, Iris, Retina, Fingerprint, Face. Behaviour
oriented biometrics can be Signature recognition and Voice recognition. In the next few screens we
will discuss about Identification and Authentication - Single Sign-on (SSO) Identification and
Authentication – Single Sign-On. Single sign-on (SSO) is a consolidation of the organisation platform-
based administration, authentication and authorization functions. It interfaces with client server and
distributed systems, mainframe systems and network security including remote access. The primary
domain handles the first instance where user credentials are entered and the secondary domain is
any other resource that uses these credentials. Identification and Authentication - Single Sign-on
(SSO) (contd.) Single sign on (SSO) Challenges: • Overcoming heterogeneous nature of diverse
architecture (networks, platforms, databases, and applications) • Requires understanding of each
systems authorisation rules, and audit logs and reports • Allowing host systems to control the set of
users allowed access to particular host systems SSO Advantages: • Multiple passwords not required –
users motivated to select stronger passwords • Efficiency in managing users and their authorisations
• Reduced administrative overheads for resetting passwords • Efficiency of disabling/deactivating
user accounts • Reduced logon time Identification and Authentication - Single Sign-on (SSO) (contd.)
SSO Disadvantages: • Single point of network failure • Few software solutions accommodate all
major OS • Substantial interface development required (development costly) In the next screen we
will discuss about Logical Access Security Administration. Logical Access Security Administration.
Logical access security administration can be centralised or decentralised. Advantages of decentralised administration:
• Administration onsite at the distributed location
• Timely resolution of issues
• More frequent monitoring
Controlling remote and distributed sites:
• Software access controls
• Physical access controls: lockable terminals, locked computer rooms
• Control over dial-in facilities (modems, laptops)
• Controls over access to system documentation
• Controls over data transmission: access, accuracy, completeness
• Controls over replicated files and their updates: accuracy and reduced duplication
Let us continue the discussion of Logical Access Security Administration.

Logical Access Security Administration (contd.)
Risks associated with decentralised administration:
• Local standards (rather than organisational) may be implemented.
• The level of security management may be below that of the central site.
• Unavailability of management checks and audits by the central site.
In the next screen we will discuss Remote Access Security.

Remote Access Security
The business need for remote access is to provide users with the same functionality that exists within their offices. The components of remote access:
• Remote environment: employees, branches, laptops
• Telecommunication infrastructure: the carrier used
• Corporate computing infrastructure: corporate connecting devices, communications software
Remote access risks include denial of service, malicious third-party access, misconfigured communication software, misconfigured devices, host systems not secured appropriately and physical security weaknesses at the remote stations. Let us continue discussing Remote Access Security in the next screen.

Remote Access Security (contd.)
Remote access methods are analog modems and the public telephone network, dedicated network connections (proprietary circuits) and TCP/IP Internet-based remote access. The remote access controls are:
• Policy and standards
• Proper authorisation
• Identification and authentication mechanisms
• Encryption tools and techniques
• System and network management
In the next screen we will discuss PDAs and Mobile Technology.

PDAs and Mobile Technology
PDAs augment desktops and laptops due to their ease of use and functionality. The inherent risks are that they are easy to steal, easy to lose and give ready access to the information stored on them. Access issues with mobile technologies include flash disks and their controls. Let us continue discussing PDAs and Mobile Technology in the next screen.

PDAs and Mobile Technology (contd.)
Control issues to address are:
• Compliance with policies and procedures, including approval for PDA use
• Awareness of responsibilities and due care
• Compliance with security requirements
• Authorisation and approval of use
• Standard PDA applications, authorised and licensed
• Synchronisation: backup and updating
• Encryption
• Virus detection and control
• Device registration
• Camera use
Access issues with mobile technology include flash disks. Controls include policy, denial of use, disabling USB ports (using logon scripts) and encryption of data transported on these devices. In the next screen we will discuss System Access.

System Access
Audit logging is used in monitoring system access. Most access control software automatically logs and reports all access attempts – successes and failures. It provides management with an audit trail to monitor activities and facilitates accountability. Access rights to system logs should be granted for review purposes only; this is a form of security against modification. Let us continue discussing System Access in the next screen.

System Access (contd.)
The tools for analysis of audit log information:
• Audit reduction tools – filter out insignificant data
• Trend/variance detection tools
• Attack signature detection tools
Reviewing audit logs monitors patterns or trends, violations and/or use of incorrect passwords. Restricting and monitoring access: features that bypass security, accessed by software programmers, include bypass label processing (BLP), system exits and special system logon IDs. You will now attempt a question to test what you have learnt so far.
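The three audit-log analysis tools listed above, run over a few constructed log lines. This is an added example, not part of the course material; the log line format, the 30-second/4-failure threshold and the two signature patterns are assumptions.

```python
"""Audit log analysis in the three styles the slide lists: audit reduction,
trend/variance detection and attack-signature detection.
Added example, not course material; log format and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp user source outcome detail" format.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 10.0.0.5 SUCCESS logon
2024-03-01T08:00:09 bob 10.0.0.7 SUCCESS logon
2024-03-01T08:01:00 carol 10.0.0.9 FAILURE bad password
2024-03-01T08:01:04 carol 10.0.0.9 FAILURE bad password
2024-03-01T08:01:07 carol 10.0.0.9 FAILURE bad password
2024-03-01T08:01:11 carol 10.0.0.9 FAILURE bad password
2024-03-01T08:01:14 carol 10.0.0.9 FAILURE bad password
2024-03-01T08:01:20 carol 10.0.0.9 SUCCESS logon
2024-03-01T09:30:00 dave 10.0.0.12 SUCCESS logon
2024-03-01T09:30:05 dave 10.0.0.12 SUCCESS logon using special system logon id BLP
2024-03-01T23:58:00 bob 203.0.113.4 SUCCESS logon
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE) (.*)$")


def parse(log_text):
    """Parse each line into a dict; malformed lines are skipped, not guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, outcome, detail = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "outcome": outcome, "detail": detail})
    return events


def audit_reduction(events):
    """Audit reduction: drop routine successful logons from the (assumed) office
    range 10.x so the reviewer sees only failures and off-site successes."""
    return [e for e in events
            if e["outcome"] == "FAILURE" or not e["src"].startswith("10.")]


def variance_detection(events, window=timedelta(seconds=30), threshold=4):
    """Trend/variance: flag a user with >= threshold failures inside `window`,
    and note whether a success followed (the incorrect-password pattern)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        failures = [e["ts"] for e in evs if e["outcome"] == "FAILURE"]
        for i in range(len(failures)):
            burst = [t for t in failures[i:] if t - failures[i] <= window]
            if len(burst) >= threshold:
                later_success = any(e["outcome"] == "SUCCESS" and e["ts"] > burst[-1]
                                    for e in evs)
                flagged.append((user, len(burst), later_success))
                break
    return flagged


# Assumed signatures for the security-bypass features the slide names.
SIGNATURES = [
    ("special-logon-id", re.compile(r"special system logon", re.I)),
    ("bypass-label-processing", re.compile(r"\bBLP\b")),
]


def signature_detection(events):
    """Attack-signature detection: match each event's detail against known patterns."""
    hits = []
    for e in events:
        for name, pattern in SIGNATURES:
            if pattern.search(e["detail"]):
                hits.append((e["user"], name))
    return hits


def analyse(log_text):
    events = parse(log_text)
    return {"reduced": audit_reduction(events),
            "variance": variance_detection(events),
            "signatures": signature_detection(events)}


if __name__ == "__main__":
    for section, items in analyse(SAMPLE_LOG).items():
        print(section, items)
```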
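The token-device one-time passwords described earlier in this topic, as an added example that is not course material: a time-dependent session password (RFC 6238 TOTP over HMAC-SHA1) is combined with a memorized PIN, and the verifier refuses any time step it has already accepted, so each password is good for one logon only. The shared secret and PIN are constructed values.

```python
"""Time-dependent one-time passwords of the kind a token device generates, plus a
verifier that enforces one-time use.  Added example, not course material; it
follows RFC 4226/6238 and the secret and PIN are constructed."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of `step`-second periods."""
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side of two-factor logon: PIN (something you know) plus the device's
    session password (something you have).  A time step, once accepted, is never
    accepted again, so a captured session password cannot be replayed."""

    def __init__(self, secret: bytes, pin: str, step: int = 30, skew: int = 1):
        self.secret, self.pin, self.step, self.skew = secret, pin, step, skew
        self.last_counter = -1  # highest time step accepted so far

    def verify(self, pin: str, code: str, unix_time: int) -> bool:
        if not hmac.compare_digest(pin, self.pin):
            return False
        now = unix_time // self.step
        # Tolerate `skew` steps of clock drift either side of "now", but skip any
        # step at or below the last one consumed: each password is good once.
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed shared secret
    now = int(time.time())
    device_code = totp(secret, now)    # what the token would display
    v = TokenVerifier(secret, pin="4711")
    print("first logon:", v.verify("4711", device_code, now))  # True
    print("replay:     ", v.verify("4711", device_code, now))  # False
```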

5.10 Knowledge Statement 5.5

In this topic, we will learn about the concepts in knowledge statement 5.5. Let us discuss Risks and Controls Associated with Virtualized Systems.

Risks and Controls Associated with Virtualized Systems
This slide endeavors to explain the risks and controls associated with virtualization of systems. Virtualization provides an organization with a significant opportunity to increase the efficiency and decrease the costs of its IT operations. The IS auditor needs to know the different advantages and disadvantages, and needs to consider whether the enterprise has considered the applicable risks in its decision to adopt, implement and maintain this technology. At a high level, virtualization allows multiple operating systems (OSs), or guests, to coexist on the same physical server, or host, in isolation from one another. Let us continue discussing Risks and Controls Associated with Virtualized Systems in the next screen.

Risks and Controls Associated with Virtualized Systems (contd.)
Virtualization creates a layer between the hardware and the guest OSs to manage shared processing and memory resources on the host machine. A management console often provides administrative access to manage the virtualized system. Virtualization introduces additional risks that the enterprise must manage effectively. The key risk is that the host represents a single point of failure within the system: a successful attack on the host could result in a compromise that is very large in impact. Hence our main topic of focus will be virtualisation. Main areas covered here are:
• Virtualisation
You will now attempt a question to test what you have learnt so far.

5.12 Knowledge Statement 5.6

In this topic, we will learn about the concepts in knowledge statement 5.6. Let us discuss Network Security Controls in the next screen.

Network Security Controls
Knowledge of the configuration, implementation, operation and maintenance of network security controls is what we will learn in this slide. Enterprises can effectively prevent and detect most attacks on their networks by employing perimeter security controls. Firewalls and intrusion detection systems (IDS) provide protection and critical alert information at borders between trusted and untrusted networks. Proper implementation and maintenance of firewalls and IDS is critical to a successful, in-depth security program. The IS auditor must understand the level of intruder detection provided by the different possible locations of the IDS, and the importance of policies and procedures to determine the action required by security and technical staff when an intruder is reported. Our main area of coverage will be Internet Threats and Security. Main areas covered here are:
● Internet Threats and Security
In the next few screens we will discuss Network Infrastructure Security.

Network Infrastructure Security
The table demonstrates network infrastructure security.

Network Infrastructure Security (contd.)
Auditing use of the Internet involves ensuring a business case for email (communication), marketing (customer communication), sales channel or e-commerce, channel for delivery of goods and services (online stores, Internet banking) and information gathering (research).

Network Infrastructure Security (contd.)
Auditing networks: review network diagrams to identify the networking infrastructure and network design. Also, review network management: policies, procedures, standards and guidance distributed to staff. Besides, identify responsibility for security and operation, and review staff training, duties and responsibilities. You will further review legal issues regarding the use of the Internet, service level agreements with third parties and network administrator procedures.

Network Infrastructure Security (contd.)
Auditing remote access involves:
• Identify all remote access facilities, ensuring they have been documented
• Review policies governing the use of remote access
• Review architecture, identifying points of entry and assessing their controls
• Test dial-up access controls
• Review relation to business requirements

Network Infrastructure Security (contd.)
General network controls are functions performed by technically qualified operators. These functions are separated and rotated regularly. Apply least-privilege access rights for operators. The audit trail of operator activities must be periodically reviewed by management. Network operations standards must be documented. A review of workload balance, response times and system efficiency must also be performed. Further, consider terminal authentication and data encryption. Some of the network management control software includes Novell NetWare, Windows NT/2000 and UNIX. You will now attempt a question to test what you have learnt so far.

5.14 Knowledge Statement 5.7

In this topic, we will learn about the concepts in knowledge statement 5.7. Let us discuss Network & Internet Security Devices, Protocols and Techniques in the next screen.

Network & Internet Security Devices, Protocols and Techniques
The key knowledge to learn in this topic is network and Internet security devices, protocols and techniques. Application and evaluation of technologies to reduce risk and secure data is dependent on a proper understanding of security devices, their functions and the protocols used in delivering functionality. An organization implements specific applications of cryptographic systems in order to ensure confidentiality of important data. There are a number of cryptographic protocols which provide secure communications on the Internet. Additionally, the security landscape is filled with technologies and solutions to address many needs. Solutions include firewalls, intrusion detection and prevention devices, proxy devices, web filters, antivirus and antispam filters, data leak protection functionality, identity and access control mechanisms, secured remote access and wireless security. Understanding a solution's function and its application to the underlying infrastructure requires knowledge of the infrastructure itself and the protocols in use. In the next screen we will see the main areas to be covered under this topic.

Network & Internet Security Devices, Protocols and Techniques (contd.)
Main areas covered here are:
● Encryption
● Network Infrastructure Security
In the next few screens we will learn about Firewalls.

Firewalls
A firewall is a security perimeter for corporate networks connecting to the Internet, aimed at preventing external intruders and untrusted internal users (internal hackers). It applies rules to control network traffic flowing in and out of a network: allowing users to access the Internet and stopping hackers or others on the Internet from gaining access to the network. The guiding principle used is least privilege (need-to-use basis).

Firewalls (contd.)
General functions of firewalls include blocking access to particular sites, limiting traffic on public services to relevant ports, preventing access to certain servers and/or services, monitoring and recording communication between internal and external networks (network penetration, internal subversion), encryption and VPN, and a single choke point – concentrating security on a single system. General firewall features include a combination of hardware (routers, servers) and software. It should control the most vulnerable point between a corporate network and the Internet.

Firewalls (contd.)
General techniques used to control traffic are:
• Service control – IP address, TCP port
• Direction control – direction of traffic
• User control – based on user rights
• Behaviour control – based on how services are being used, e.g. filter email for spam
In the next few screens we will discuss Types of Firewalls.

Types of Firewalls
The types of firewalls are:
• Router packet filtering
• Application firewall systems
• Stateful inspection firewalls
A router packet filtering firewall is deployed between the private network and the Internet. Screening routers examine packet headers to ascertain the IP address (identity) of the sender and receiver and the authorised port numbers allowed to use the information transmitted – the kind of Internet service being used. This information is used to prevent certain packets from being sent between the network and the Internet.

Types of Firewalls (contd.)
The common attacks against packet filtering are IP spoofing, source routing specification and miniature fragment attack. This method is simple and stable. The demerit is that it is easily weakened by improperly configured filters. Also, it is unable to prevent attacks tunneled over a permitted service. The diagram in the slide describes this type of firewall.

Types of Firewalls (contd.)
Application firewall systems: this type of firewall allows information flow between internal and external systems but does not allow direct exchange of packets. Host applications must be secured against threats posed by allowed packets. They rest on hardened operating systems, e.g. Windows NT, UNIX. It works at the application layer of the OSI model. The firewall analyses packets through a series of proxies, one for each service. There are two types: application-level firewalls and circuit-level firewalls.

Types of Firewalls (contd.)
Application-level firewalls analyze packets through a series of proxies, one for each service. Circuit-level firewalls validate TCP and UDP sessions through a single general-purpose proxy. The diagram in the slide demonstrates this. Application firewall systems are set up as proxy servers acting on behalf of network users. It employs bastion hosting and is heavily fortified against attack, handling all incoming requests from the Internet to the network. A single host makes security maintenance easier, as only the firewall system is compromised, not the network. In the next screen we will discuss Types of Firewalls and Firewall Issues.

Types of Firewalls and Firewall Issues
Stateful inspection firewalls track the destination IP address of each packet leaving the network and reference responses to requests that went out. It maps source IP addresses of incoming packets to destination IP addresses of outgoing requests. It prevents attacks initiated and originated by outsiders. The main advantage is that it is more efficient than application firewall systems. The disadvantage is that it is more complex to administer. Issues related to firewalls:
• False sense of security – the belief that no additional internal controls are needed
• Weak against internal threats, for example a disgruntled employee cooperating with an external attacker
• Cannot protect against attacks that bypass the firewall, e.g. modem dial-in
• Misconfigured firewalls
• Misunderstanding of what constitutes a firewall
• Monitoring activities not done regularly
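Router packet filtering beside stateful inspection, as an added example that is not from the course: the same constructed packet sequence is passed through a header-only screening filter and through a firewall that maps inbound packets back to the outgoing requests it recorded. The internal network, addresses, ports and rule set are assumptions.

```python
"""Screening router (stateless packet filter) versus stateful inspection.
Added example, not course material; the network, rules and traffic are
constructed.  A stateless filter has to leave inbound high ports open so that
replies can come back, so an unsolicited inbound packet that merely looks like
a reply is admitted; the stateful firewall admits inbound packets only when
they answer a request it has already seen leave the network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")   # constructed private network
WEB_PORTS = (80, 443)                    # assumed policy: clients may browse only


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def direction(pkt: Packet) -> str:
    return "out" if ip_address(pkt.src) in INTERNAL else "in"


def stateless_filter(pkt: Packet) -> bool:
    """Screening router: decides on header fields alone, no memory of past packets."""
    if direction(pkt) == "out":
        return pkt.dport in WEB_PORTS
    # Inbound: anything that could be a web reply (server port -> ephemeral port).
    return pkt.proto == "tcp" and pkt.sport in WEB_PORTS and pkt.dport >= 1024


class StatefulFirewall:
    """Stateful inspection: records each permitted outbound request and admits an
    inbound packet only if it maps back to one (the slide's source/destination
    mapping of incoming packets to outgoing requests)."""

    def __init__(self):
        # (internal ip, internal port, external ip, external port, proto)
        self.table = set()

    def allow(self, pkt: Packet) -> bool:
        if direction(pkt) == "out":
            if pkt.dport not in WEB_PORTS:
                return False
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        # Inbound: must match an outbound entry with source and destination swapped.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.table


def compare(packets):
    """Run one packet sequence, in order, through both and return (stateless, stateful)."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.allow(p)) for p in packets]


# Constructed traffic: a legitimate web request and its reply, then an unsolicited
# inbound packet whose source port 80 makes it look like a reply, then an
# outbound connection to a service the policy does not permit.
TRAFFIC = [
    Packet("192.0.2.10", 40000, "198.51.100.7", 443),   # client request out
    Packet("198.51.100.7", 443, "192.0.2.10", 40000),   # genuine reply in
    Packet("203.0.113.9", 80, "192.0.2.20", 5432),      # unsolicited inbound
    Packet("192.0.2.10", 40001, "198.51.100.7", 25),    # outbound SMTP, denied
]

if __name__ == "__main__":
    for p, (sl, st) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={sl} stateful={st}")
```

The third packet is the one to watch: the screening router passes it because its headers fit the reply rule, while the stateful firewall rejects it because no internal host ever asked for it.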
In the next screen we will discuss Implementation of Firewalls.

Firewalls Implementation
A firewall can be implemented in three ways: screened-host firewall, dual-homed firewall and demilitarised zone (screened subnet firewall). In the next screen we will discuss Screened-Host Firewall.

Screened-Host Firewall
This method utilizes packet filtering and a bastion host (proxy services):
• The bastion host connects to the internal network
• A packet-filtering router is installed between the Internet and the bastion host
An intruder has to penetrate two systems before the network is compromised. Internal hosts reside on the same network as the bastion host; security policies determine whether hosts connect directly to the Internet or use the proxy services of the bastion host. The diagram in the slide explains this further. In the next screen we will discuss Dual-Homed Firewall.

Dual-Homed Firewall
This type of implementation is a more restrictive form of the screened-host firewall. One interface is established for information servers, and a separate interface for private network hosts. Direct traffic to internal hosts is physically prevented, as explained in the diagram. In the next screen we will discuss Demilitarized Zone (screened subnet firewall) – DMZ.

Demilitarised Zone (screened subnet firewall) – DMZ
This mode utilises two packet-filtering routers and a bastion host. It is the most secure firewall system and supports network- and application-level security. The separate DMZ functions as an isolated network for public servers, proxy servers and modem pools. Key benefits are that the intruder must penetrate three separate devices, the private network addresses are not disclosed to the Internet, and internal systems do not have direct access to the Internet. In the next screen we will discuss Intrusion Detection Systems (IDS).

Intrusion Detection Systems (IDS)
Intrusion detection systems (IDS) monitor network usage anomalies. An IDS is used together with firewalls and routers. It continuously operates in the background, and the administrator is alerted when intrusions are detected. It protects against external and internal misuse. IDS components:
• Sensor – collects data (network packets, log files, system call traces)
• Analyser – receives input from sensors and determines intrusive activity
• Admin console
• User interface
Let us continue discussing Intrusion Detection Systems (IDS) in the next screen.

Intrusion Detection Systems (IDS) (contd.)
IDSs are categorized into network-based IDSs (NIDS), which identify attacks within a network, and host-based IDSs (HIDS), which are configured for a specific environment and monitor the internal resources of systems. IDS types are:
• Signature based – intrusion patterns stored as signatures; limited by detection rules
• Statistical based – monitors expected behaviour
• Neural networks – similar to statistical, but with added learning functionality
• A signature/statistical combination offers better protection
In the next screen we will learn about IDS and Intrusion Prevention Systems (IPS).

IDS and Intrusion Prevention Systems (IPS)
The key features of intrusion detection systems:
• Intrusion detection and alerts
• Gathering evidence
• Automated response (e.g. disconnect)
• Security policy administration and monitoring
• Interfaces with system tools (logging facilities)
IDS limitations include:
• Weaknesses in policy definition
• Application-level vulnerabilities
• Backdoors to applications
• Weaknesses in identification and authentication schemes
Let us continue discussing IDS and Intrusion Prevention Systems (IPS) in the next screen.

IDS and Intrusion Prevention Systems (IPS) (contd.)
Intrusion prevention systems (IPS): an IPS is closely related to an IDS. It is designed to detect and prevent attacks by predicting an attack before it happens, hence limiting damage or disruption to the systems that are attacked. It must be properly configured and tuned to be effective. In the next screen we will learn about Honeypots and Honeynets.

Honeypots and Honeynets
A honeypot is a software application that pretends to be an unfortunate server on the Internet and is not set up to actively protect against break-ins. Rather, honeypots act as decoy systems that lure hackers and, therefore, are attractive to hackers. The more a honeypot is targeted by an intruder, the more valuable it becomes. A honeypot is technically related to IDSs and firewalls, but it has no real production value as an active sentinel of networks. The two basic types of honeypots are:
• High interaction – give hackers a real environment to attack
• Low interaction – emulate production environments
Multiple honeypots networked together to simulate a larger network installation is known as a honeynet. Honeynets let hackers break into the false network while allowing investigators to watch their every move through a combination of surveillance technologies. You will now attempt a question to test what you have learnt so far.

5.16 Knowledge Statement 5.8

In this topic, we will learn about the concepts in knowledge statement 5.8. Let us discuss Information System Attack Methods and Techniques in the next screen.

Information System Attack Methods and Techniques
The candidate needs to grasp the knowledge of information system attack methods and techniques covered under this topic. Risks arise from vulnerabilities (whether technical or human) within an environment. Several attack techniques exploit those vulnerabilities and may originate either within or outside the organization. Computer attacks can result in proprietary or confidential data being stolen or modified, loss of customer confidence and market share, embarrassment to management and legal actions against an organization. Let us continue discussing Information System Attack Methods and Techniques in the next screen.

Information System Attack Methods and Techniques (contd.)
Understanding the methods, techniques and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risks an organization faces. The IS auditor should understand enough of these attack types to recognize their risk to the business and how they should be addressed by appropriate controls. The IS auditor should understand the concept of "social engineering", since these attacks can circumvent the strongest technical security. The only effective control is regular user education. Main areas covered here are:
● Computer Crime Issues and Exposures
● Wireless Security Threats and Risk Mitigation
In the next few screens we will discuss Computer Crime Issues and Exposures.

Computer Crime Issues and Exposures
Computer crimes can be committed from various sources, including:
• Computer is the object of the crime: the perpetrator uses another computer to launch an attack
• Computer is the subject of the crime: the perpetrator uses a computer to commit the crime and the target is another computer
• Computer is the tool of the crime: the perpetrator uses a computer to commit the crime, but the target is not the computer but instead data stored on the computer
• Computer symbolises the crime: the perpetrator lures the user of computers to get confidential information (e.g. social engineering methods)

Computer Crime Issues and Exposures (contd.)
Common attack methods and techniques include alteration attack, botnets, brute-force attack, denial of service (DoS) attack, dial-in penetration attack, war dialing, eavesdropping, email bombing and spamming, and email spoofing.

Computer Crime Issues and Exposures (contd.)
More common attack methods and techniques include:
• Flooding
• Interrupt attack
• Malicious codes
• Man-in-the-middle attack
• Masquerading
• Message modification
• Network analysis
• Packet replay
• Phishing
• Piggybacking
• Race conditions
• Remote maintenance tools
• Resource enumeration and browsing
• Salami
• Spam
• Traffic analysis
• Unauthorised access through the Internet and World Wide Web (WWW)
• Viruses, worms and spyware
• War driving
• War walking
• War chalking
In the next few screens we will learn about Local Area Network (LAN) Security.

Local Area Network (LAN) Security
A local area network faces a lot of risks. Examples of these risks are:
• Unauthorised access and changes to data and/or programs
• Inability to maintain version control
• Limited user verification and potential public access
• General access as opposed to need-to-know access
• Impersonation or masquerading as a legitimate LAN user
• Internal user sniffing
• Internal user spoofing
• Virus infection
• Unlicensed or excessive numbers of software copies
• Destruction of logging and auditing data
• Lack of LAN administrator experience and expertise
• Varying media, protocols, hardware and network software that make standard management difficult
• Security set aside for operational efficiency

Local Area Network (LAN) Security (contd.)
LAN administrative capabilities include declaring ownership of programs and files, limiting access to read-only, record and file locking to prevent simultaneous update, and enforcing user ID/password sign-on procedures. In order to understand LANs, it is paramount for a candidate to have a good knowledge of:
• LAN topology and network diagram
• Functions performed by the LAN administrator/owner
• LAN users and user groups
• Applications used on the LAN
• Procedures and standards of network design, support, naming conventions and data security

Local Area Network (LAN) Security (contd.)
Dial-up access controls are encrypted passwords, portable PCs, dial-back procedures and one-time password generators or tokens.

Local Area Network (LAN) Security (contd.)
Client-server risks include:
• Numerous access routes/points
• Increased risk of access to data and processing
• Weaker access controls (password change controls or access rules)
• Weaker change control and change management
• Inaccurate, unauthorised access and changes to systems or data
• Loss of network availability
• Obsolescence of network components
• Unauthorised connection of the network to other networks through modems
• Weak connection to public switched telephone networks
• Application code and data may not be stored on a secured machine

Local Area Network (LAN) Security (contd.)
Client-server controls that will ensure security include:
• Disabling floppy drives
• Automatic boot or start-up batch files (login scripts)
• Network monitoring devices
• Data encryption
• Environment-wide authentication procedures
• Application-level access control
• Organisation of users into functional groups
In the next few screens we will discuss Internet Threats.

Internet Threats
The Internet is a global TCP/IP-based system that enables public and private heterogeneous networks to communicate with one another. Internet threats are categorized into:
• Passive attacks – involve probing for network information.
• Active attacks:
  – Intrusion or penetration into a network, gaining full control (or enough) to cause certain threats
  – Unauthorised access to modify data and/or programs
  – Obtaining sensitive information for personal gain
  – Escalating privileges
  – Denial of service
  – Impact could affect financial, legal or competitive edge

Internet Threats (contd.)
Types of passive attacks are:
• Network analysis – involves creating a profile of a network security infrastructure (“footprinting”):
  – System aliases, internal addresses
  – Potential gateways, firewalls
  – Vulnerable operating system services
• Eavesdropping – involves gathering information flowing through the network for personal analysis or for third parties
• Traffic analysis – entails determining the nature of traffic flow between defined hosts

Internet Threats (contd.)
Active attacks can be carried out in the following ways:
• Brute-force attack – launching many attacks to gain unauthorised access, e.g. password cracking
• Masquerading – presenting an identity other than the original identity (which is unauthorised)
• Packet replay – passively capturing data packets and actively inserting them into the network: replayed packets are treated as another genuine stream; it is effective when data received is interpreted and acted upon without human intervention
• Message modification – making unauthorised changes/deletions to captured messages

Internet Threats (contd.)
• Unauthorised access through the Internet:
  – Telnet passwords transmitted in clear text
  – Releasing CGI scripts as shareware
  – Client-side execution of scripts (Java applets)
• Denial of service – flooding servers with data/requests:
  – Systems are paralysed
  – Genuine users are frustrated by unavailability of the system
• Dial-in penetration attacks – using phone number ranges and social engineering
• Email bombing – repeating identical messages to particular addresses
• Email spamming – sending messages to numerous users
• Email spoofing – altering the identity of the source of the message
In the next few screens we will learn about Logical Access Exposures.

Logical Access Exposures
Trojan horses – hiding malicious, fraudulent code in an authorized computer program. Rounding down – drawing off small amounts of money from a computerized transaction or account to the perpetrator’s account. Salami technique – slicing off (truncating) small amounts of money from a computerized transaction or account (similar to rounding down). Viruses – malicious program code inserted into other executable code that can self-replicate and spread from computer to computer. Worms – destructive programs that may destroy data or utilize tremendous computer and communication resources; they do not replicate like viruses. Logic bombs – similar to computer viruses but do not self-replicate; destruction or modification of data is programmed to a specific time in the future, and they are difficult to detect before they blow up.

Logical Access Exposures (contd.)
Trap doors are exits out of an authorized program. They allow insertion of specific logic, such as program interrupts, to permit a view of data during processing. They are used by programmers to bypass OS integrity during debugging and maintenance. They are meant to be eliminated in the final editing of the code, but are sometimes forgotten or intentionally left for future access. Asynchronous attacks: these are OS-based attacks in a multi-processing environment involving job scheduling, resource scheduling and checkpoint/restart capabilities. A checkpoint copy holds data, system parameters and security levels. Attacks involve access to and modification of this data to allow higher-priority security, resulting in unauthorised access to data, other programs and the OS.

Logical Access Exposures (contd.)
Data leakage involves siphoning or leaking information out of the computer: dumping files to paper, stealing tapes. Wiretapping is eavesdropping on information being transmitted over telecommunication lines. Piggybacking is following an authorised person through a secured door. Also, it means electronically attaching to an authorised telecommunications link to interce
