For a description of this guide, guidance on using it, and some warnings, see http://itauditsecurity.wordpress.com/2012/03/30/free-cisa-study-guide/
Table of Contents on next page
Copyright 2012, ITauditSecurity
NOTE: When this guide was created, the main areas of the exam were as follows:
- IS Audit process
- IT Governance
- Systems & Lifecycle Mgmt
- IT Service Delivery & Support
- Protection of Info Assets
- BCP and DRP
ISACA has since reorganized the sections, but that doesn't affect the information itself.
1 of 40
Quick Review Info (p. 1)
> IS Audit Process (p. 5)
  5 Task Statements - SPCCA (p. 5)
  10 Knowledge Statements SPGE CRP - CCC (p. 5)
  7 Code of Ethics IPS PC DE (p. 5)
  Information Tech Assurance Framework (ITAF) (p. 6)
  3 types of Standards (+ Guidelines & Techniques = ITAF) (p. 6)
  Policy/Standards (p. 6)
> IT Service Delivery & Support (p. 28)
  IS Operations (p. 28)
  IS Hardware (p. 28)
  IS Architecture & Software (p. 28)
  Database Management System (DBMS) (p. 28)
  Database Structures (p. 29)
  Encryption (p. 34)
  Digital signatures (p. 35)
  Digital Envelope (p. 35)
  Encryption Risks (p. 36)
  Viruses (p. 37)
  VOIP (p. 37)
  Auditing Infosec Management Framework (p. 38)
  Computer Forensics (IPAP) (p. 38)
> BCP/DRP (p. 38)
  Difference between ISACA book and Sybex (p. 40)
Policy/Standards
- Policy, Standard, Procedure: mandatory
- Guideline: discretionary
Misc Notes
Purpose of audit: challenge mgmt assertions and determine whether evidence supports mgmt claims
Types of audits:
- Internal audit: own organization; scope restrictions; cannot be used for licensing
- External: customer auditing your organization, or you auditing a supplier
- Independent 3rd party audit: used for licensing, certification, product approval
- Compliance audit: verify presence or absence
- Substantive audit: check the content/substance and integrity of a claim
Risk: the potential that a given threat will exploit vulnerabilities of an asset (or group of assets) and thereby cause harm to the organization
CobiT: Control Objectives for Information and Related Technology. A framework consisting of strategies, processes, and procedures for leading IT organizations.
Project Mgmt
Project is unique, progressive (planning starts high-level and gets more detailed), and has start and end dates.
Triple constraint: QRS
- Quality
- Resources (cost, time)
- Scope
3 project elements: CDT
- Cost/resources
- Deliverables
- Time/duration
5 Process groups/phases of project management: IP EMC
- Initiating (2 components: scope & authorization)
- Planning (detail scope, goals, deliverables)
- Executing
- Monitoring & Controlling
- Closing
Earned value: current value of work already performed in a project
Project Estimation
- Source Lines of Code (SLOC): traditional method (also Kilo LOC or KLOC); direct, size-oriented measure
- Thousand Delivered Source Instructions (KDSI): better with structured programming languages like BASIC, COBOL
- Function Point Analysis (FPA): indirect measure, based on number and complexity of inputs, outputs, files, interfaces, and user queries; functions are weighted by complexity
Project Diagramming
- Gantt: resource details; schedule & sequence (in MS Project); serial, waterfall-style view with bars & diamonds
  o Shows concurrent and sequential activities
  o Shows project progress and the impact of completing a task early or late
- PERT (Program Evaluation Review Technique): illustrates relationships between planned activities
  o Critical path (minimum steps, longest route, shortest time estimate for completion). Activities on the critical path have no slack time; activities with no slack time are on the critical path. It is the route on which a project can be shortened (accelerated) or lengthened (delayed).
  o Quantitative measure for risk analysis: risk of delays, failure, and likely completion
  o 3 hourly estimates for each task's effort: Optimistic, Most likely, and Pessimistic. PERT time estimate for each task: [O + P + 4(M)] / 6
Timebox Management
- Define and deploy software deliverables in a short/fixed period of time
- Prevents cost overruns or delays from scheduled delivery
- Design/development shortened due to newer development tools/techniques
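The PERT estimate and critical-path rule above, worked through on a small task network. This is an added example, not code from the study guide; the task names, three-point estimates and dependencies are constructed sample data.

```python
"""PERT three-point estimates and critical path for a small task network.

Added example, not the study guide's own code. The task names, estimates and
dependencies below are constructed sample data; the expected duration uses
the guide's formula (O + P + 4M) / 6, and the critical path is found with a
forward/backward pass (zero slack = on the critical path).
"""
from collections import deque


def pert_estimate(optimistic, most_likely, pessimistic):
    """Expected task duration: (O + P + 4M) / 6."""
    return (optimistic + pessimistic + 4 * most_likely) / 6


# Constructed project: task -> (O, M, P, predecessors), durations in days
TASKS = {
    "A_requirements": (2, 4, 6, []),
    "B_design":       (3, 5, 13, ["A_requirements"]),
    "C_procure_hw":   (4, 6, 8, ["A_requirements"]),
    "D_build":        (5, 8, 17, ["B_design"]),
    "E_install_hw":   (1, 2, 3, ["C_procure_hw"]),
    "F_test":         (2, 3, 4, ["D_build", "E_install_hw"]),
}


def topological_order(preds):
    """Kahn's algorithm; raises if the dependency graph has a cycle."""
    succs = {t: [] for t in preds}
    indeg = {}
    for t, ps in preds.items():
        indeg[t] = len(ps)
        for p in ps:
            succs[p].append(t)
    queue = deque(t for t, d in indeg.items() if d == 0)
    order = []
    while queue:
        t = queue.popleft()
        order.append(t)
        for s in succs[t]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(preds):
        raise ValueError("dependency cycle in task network")
    return order, succs


def critical_path(tasks):
    """Return (durations, project length, slack per task, critical tasks).

    Forward pass: earliest start/finish. Backward pass: latest start/finish.
    Slack = latest start - earliest start; tasks with zero slack form the
    critical path, the longest route through the network."""
    dur = {t: pert_estimate(o, m, p) for t, (o, m, p, _) in tasks.items()}
    preds = {t: list(p) for t, (_, _, _, p) in tasks.items()}
    order, succs = topological_order(preds)

    es, ef = {}, {}
    for t in order:
        es[t] = max((ef[p] for p in preds[t]), default=0.0)
        ef[t] = es[t] + dur[t]
    project_end = max(ef.values())

    ls, lf = {}, {}
    for t in reversed(order):
        lf[t] = min((ls[s] for s in succs[t]), default=project_end)
        ls[t] = lf[t] - dur[t]

    slack = {t: ls[t] - es[t] for t in tasks}
    critical = sorted((t for t in tasks if abs(slack[t]) < 1e-9), key=es.get)
    return dur, project_end, slack, critical


if __name__ == "__main__":
    dur, end, slack, critical = critical_path(TASKS)
    for t in TASKS:
        print(f"{t:16s} PERT={dur[t]:5.2f}  slack={slack[t]:5.2f}")
    print("project length:", end, "days; critical path:", " -> ".join(critical))
```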
10 Audit Stages
1. Approving audit charter/engagement letter
2. Preplanning audit
3. Risk Assessment
4. Determine whether audit is possible
5. Performing the actual audit
6. Gathering evidence
7. Performing audit tests
8. Analyzing results
9. Report Results
10. Follow-up activities
Charter - RAA
- Responsibility: scope with goals/objectives
- Authority: right to access & audit
- Accountability: agreement between auditor/Audit Committee; reporting requirements
2 foundational audit objectives:
- Test control implementation to determine if adequate safeguards are implemented
- Comply with legal requirements
Process technique: Shewhart - PDCA
1. Plan: is there a plan or method?
2. Do: does the work match the plan?
3. Check: is anyone monitoring the process? What is the acceptable criterion?
4. Act: how are differences identified and dealt with?
Controls
- General: overall controls; all depts.
- Pervasive (technology)
- Detailed IS controls (tasks)
- Application (most detailed, lowest level controls)
Evidence Life Cycle: ICI SAP PR (chain of custody)
- Identification
- Collection
- Initial preservation
- Storage
- Analysis
- Post analysis preservation storage
- Presentation
- Return of evidence
Sampling
Statistical/Mathematical
- Random
- Cell: random selection at defined intervals
- Fixed interval: select every n + increment
Non-statistical
- Haphazard
Compliance Testing: presence/absence
- Attribute sampling: is the attribute present in the sample? Specified by rate of occurrence
- Stop & Go sampling: used when few errors are expected; reduces overall sample size and effort. Auditor determines whether to stop testing or continue testing.
- Discovery sampling: 100 percent sampling to detect fraud (ex: forensics)
- Precision/expected error rate: acceptable margin of error between samples and subject population. Low error rate requires a large sample.
Variable sampling: designating $ value or effectiveness (weight) of the entire subject by prorating from a smaller sample (ex: weigh a $50 bill and calculate the value of a stack of bills by total weight)
- Unstratified mean estimation: projects an estimated total for the entire population
- Stratified mean estimation: calculate average by grouping items (all males, all females, all over 30)
- Difference estimation: determine difference between audited and unaudited claims of value
Audit coefficient: level of confidence re: audit results. 95% & higher = high degree of confidence
Attestation: providing assurance via your signature that document contents are authentic & genuine
Type 1 events occur before the balance sheet date; Type 2 after (not the auditor's responsibility to detect subsequent events)
Each layer communicates with the layer above and below it, as well as virtually with the same layer on the remote system.
7 OSI Layers vs. 4 TCP/IP Layers (original table columns: Layer, Memory Phrase, Headers & Data, Communication Types, Controls/Provides, Protocol). Memory phrase for the OSI layers, bottom up: Please Do Not Throw Sausage Pizza Away. Only the entries below could be recovered from the extracted table.
- 7 Application (TCP/IP layer 4, Application): standard interface to the network; problem solving; device: Gateway; protocol: DNS
- 6 Presentation: encryption; translate & display; screen formatting
- 5 Session: communication sessions between applications; login screen; RPC, SQL database session, NFS
- 4 Transport: flow control, error notification, order sequence; TCP (confirmed delivery), UDP (unconfirmed)
- 3 Network: IP
- 2 Data Link: PPP
- 1 Physical: Coax 185 meters, 2 pairs of wires; UTP < 200 ft, 4 twisted pairs; Fiber: dense wave multiplexing
- Also listed in the table, layer not recoverable: "Control electrical link between systems"; NetBIOS; DHCP
Point-to-Point Protocol (PPP): Data link layer protocol for accessing a remote network using IP over serial lines (replaced SLIP)
Packet Switching
- Eliminated need for dedicated lines (the Internet is packet switched)
- Not limited by distance
- Source & destination known, path is not
- Charged according to packets transmitted, not distance
Examples
- X.25: foundation of modern switched networks (not popular today)
  o Quality of Service (QOS)
  o Permanent Virtual Circuits (PVCs): fixed path, replaced dedicated phone lines
  o Switched Virtual Circuits (SVCs): path dynamic, constantly changing
- Frame relay: has PVC and SVC. 1.544 to 44.5 Mbps (replaced X.25)
  o Different format and functionality
  o Packets arrive out of sequence, are reassembled
- Asynchronous Transfer Mode (ATM)
  o High speed, 155 Mbps to 1 GBps
  o Cell switching and multiplexing ensures solid delivery
  o Multiple concurrent data paths
- Multiprotocol Label Switching (MPLS): protocol and routing table independent. Packet headers are examined once (versus every hop in traditional layer 3 switching) and then assigned a stream/label that contains forwarding information
FREE CISA Study Guide from http://wordpress.ITauditSecurity.com 11 of 40
Piconet: "pico" = one trillionth, or very small. Small wireless ad hoc network, e.g., Bluetooth (PAN)
Syslog: no message authentication/integrity; no message delivery verification
Remote Monitoring Protocol (RMON1): monitors only Data Link/MAC layers and below
Remote Monitoring Protocol 2 (RMON2): unlike Sniffer, which monitors layers 1-3, RMON2 monitors all 7 OSI layers
> IT Governance
IT Governance: leading and monitoring IT performance & investment
- Strategic alignment between IT & business
- Monitoring assurance practices for executive management
- Intervention to stop, modify, or fix practices as they occur
3 IT Governance management levels:
- Strategic (3+ yrs)
- Tactical (6 months to 2 yrs)
- Operational (daily)
Balanced Scorecard: CB FG
- Customer
- Business process
- Financial
- Growth & Learning
3 layers that incorporate the 4 perspectives (MMS): Mission, Metrics, Strategy
5 Capability Maturity Model (CMM) Levels: zero IRD MO
- 13 to 25 months to move up a level
- Idea started in the auto assembly line
[Table of CMM level names, only partially recovered: Repeatable, Defined, Managed, Optimizing, alongside the alternative terms Documented, Established, Predictable, Optimized]
Risk Management
Single Loss Expectancy (SLE) $ = Asset value (AV) $ * Exposure factor (EF) %
Annual Loss Expectancy (ALE) $ = SLE * Annual Rate of Occurrence (ARO)
Guiding Principles
- Think big: future process/end state
- Incremental
- Hybrid approach: top-down view of strategy, bottom-up research
Business Process Reengineering (BPR) vs. Project Mgmt vs. SDLC Chart
Task
- Plan: scope, sponsor, pick a process, goals; stakeholder buy-in, external customer needs; identify benchmarks, activities, resources, roles, costs, communication needs
- Design/Select*: determine solutions, alternatives
- Development/Configuration*: build prototypes
- Implementation: install systems, train, transition
- Post Implementation: monitor and review; goals obtained? Lessons learned, archive files, TQM
BPR Rules
- Fix only broken processes
- Calculate ROI
- Understand current process first
- No leftovers
Role of IS in BPR
- Enable new processes by improving automation
- Provide IT project mgmt tools to analyze process and define requirements
- Provide IT support for collaboration tools, teleconference, and specialized business user software
- Help business integrate their processes with ERP
Delphi technique: blind interaction of ideas between group members
6 Benchmarking Steps: PRO AAI
- Plan: identify critical processes
- Research: baseline data re: own processes, then that of other businesses
- Observe: visit benchmark partner, collect data
- Analyze: identify gaps between own and benchmark partner's processes
- Adapt: translate findings into principles, strategies, action plans
- Improve: link each process to improvement strategy and organizational goals
Business Impact Analysis: discovery of the inner workings of a process
- Process value
- How process works, who does what
- Shortcomings
- Revenue created or supported
- Project process lifetime
Identifies relationship between development and test phases. Most granular test, unit test, validates detailed design phase.
Development methodology
- Organization-centric: use SDLC
- End-user centric: alternate approaches
SDLC/Waterfall technique - FRD DIP (see chart under Business Process Reengineering)
- Feasibility
  o Identify the alternatives for addressing the business need
  o Business case that justifies proceeding to the next phase
  o Calculate ROI
  o Impact assessment: future effects on current projects/resources
- Requirements
  o Management/users must be involved
  o Identify stakeholders and expectations
  o Request for Proposal (RFP) process
  o Create project schedule and resource commitments
  o Create general preliminary design using an entity relationship diagram (ERD)
- Design/Select (when software is purchased rather than developed in-house, the stages are Select and Configuration)
  o Establish baseline of system, program, database specifications
  o Implement change control for scope creep: software baselining (design freeze), version numbering
  o Address security considerations
- Development/Configuration*
  o Includes all unit and system testing, and iterations of user acceptance testing (UAT) in a secure environment to protect against changes
  o Develop data conversion strategies
  o Train super users
  o QA activities, software QA plan, Application QA function: focuses on documented specifications and technology used, and that the application works as specified in the logical design; performed by IT; not functionality related
- Implementation
  o Final UAT
  o Certification: assessment of management, operational, and technical controls; used to reassess risks and update the security plan
  o Accreditation process: management decision to authorize operation; involves accepting responsibility and accountability for system risks and system security
- Post Implementation
  o Assess whether the system meets business requirements, has appropriate access controls, ROI achieved, lessons learned
  o ROI requires a few business cycles to be completed first
  o Info to be reviewed needs to be identified at project startup
Entity Relationship Diagram (ERD)
Example: http://en.wikipedia.org/wiki/File:ER_Diagram_MMORPG.png
- Identifies relationships between system data
- Data modeling technique that describes information needs or the type of information to be stored in a database (helps design the data dictionary)
- Entity
  o Physical object such as a report, an event such as a sale or a repair service, or a concept such as a customer transaction or order (logical construct): NOUNS
  o Attributes form the keys of an entity
  o Primary key uniquely identifies each instance of an entity
  o Represented by rectangular boxes
- Relationships
  o How entities are associated: VERBS
  o Foreign key is one or more entity attributes that map to the primary key of a related entity
  o Represented by diamonds
Testing
- Regression: rerunning a part of the test scenario to ensure changes have not introduced new errors
- Sociability: can the system operate in the target environment without impacting existing systems (memory, shared DLLs)
Develop in iterations or increments, with feedback after each stage. Now regarded as best practice; deals with development complexities and risks.
Examples
- Evolutionary: create a prototype to gather/verify requirements and explore design issues (called prototyping)
- Spiral: uses a series of prototypes that become more detailed; risk analysis precedes each prototype
- Agile: developed in short, time-boxed iterations; uses the tracer-bullet approach
Disadvantages
- Leads to system extras that were not included in initial requirements (could end up functionally rich but inefficient)
- Poor controls (that normally come out of traditional SDLC)
- Poor change control and documentation/approvals
Agile Development
Process designed to handle changes to the system being developed or the project itself. Scrum, one of the first processes, 1990s.
Characteristics
- Small, time-boxed iterations (plan and do 1 phase at a time)
- Replanning at the end of each iteration (e.g., identify new requirements, reprioritize)
- Relies on head knowledge (vs. project documentation), frequent team meetings
- Pair-wise programming: 2 people code the same functions (knowledge share and quality check)
- Planning and control by team members; project manager = facilitator/advocate
- Validate functionality via frequent build-test cycle to limit defects
Component-Based Development
Outgrowth of OOD. Definition: assembling applications from packages of executable software that make their services available through defined interfaces (i.e., objects, which can interact with one another regardless of the language they are written in or the OS they run on).
- In-process client components: run from within a container (e.g., web browser)
- Stand-alone client components: applications that expose services to other software (e.g., Excel and Word). Initiated by RPCs or other network calls.
Supporting technologies:
- Microsoft's Distributed Component Object Model (DCOM): basis for ActiveX
- Common Object Request Broker Architecture (CORBA)
- Java via Remote Method Invocation (RMI)
All of the above are distributed object technologies, which allow all objects on distributed platforms to interact. Also called middleware, which provides run-time services whereby programs/objects/components can interact.
- Stand-alone server components: processes running on servers that provide standard services
- In-process server components: run on servers within containers, e.g., Microsoft's Transaction Server (MTS), Enterprise Java Beans (EJB)
Benefits
- Reduces development time & cost: only have to code the unique parts of the system
- Improves quality: prewritten components have already been tested
- Allows developers to focus more on business functionality; increases abstraction and shields low-level programming details
- Promotes modularity
- Simplifies reuse: no source required, no need to know procedural or class libraries
- Supports multiple development environments, as components can interact regardless of language or OS
- Allows combining build and buy components
SOAP
- Works with any OS or programming language that supports XML
- Simpler than RPCs in that modules are loosely coupled (can change one component without changing others)
- Web Services Description Language (WSDL): identifies the SOAP specification used for the module's API; formats the SOAP messages in/out of the module. Also identifies the web service available to be used
- Universal Description, Discovery, and Integration (UDDI): used to make an entry in the UDDI directory, which allows others to find and use the available web services
Reengineering: updating an existing system by extracting and reusing design and program components.
Reverse Engineering
- Risks: software licenses usually prohibit it to protect trade secrets/programming techniques
- Decompilers depend on specific computers, OSs, and programming languages. Any changes to these require a new decompiler.
Chart fragment (software acquisition steps):
- Review of existing architecture
- Analysis and design
- Draft functional requirements (start vendor selection)
- Function requirements
- Define final functional requirements
- Proof of Concept
Emergency Changes
- Users are involved
- CASE methodology is defined and followed
- Integrity of data between CASE products and processes is controlled and monitored
- Changes to the application are reflected in stored CASE product data
- Application controls are designed and included
- CASE repository is secured and version control implemented
Programming Languages
- 1st: machine lang
- 2nd: assembly lang
- 3rd: English-like
- 4th: embedded database interface, prewritten utilities; programmer selects program actions (aka pseudocoding or bytecoding)
- 5th: artificial intelligence; learning system/fuzzy logic/neural algorithms
Fourth-generation Languages
4GL Characteristics
- Nonprocedural language: event driven, uses OOP concepts of objects, properties, and methods
- Portable across OSs, computer architectures
- Software facilities: allow design/painting of screens, help screens, and graphical outputs
- Programmer workbench concepts (integrated development environment) include filing facilities, temporary storage, text editing, OS commands
- Simple language subsets
4GL Types
- Query and report generators
- Embedded database 4GLs: FOCUS, RAMIS II, NOMAD 2
- Relational database 4GLs: included in vendor DBMS to allow better use of the DBMS product: SQL+, MANTIS, NATURAL
- Application generators: generate lower-level programming languages (3GL) like COBOL and C
Application Controls
Definition: controls over input, processing, and output functions
Examples
- Edit tests
- Totals
- Reconciliations
- Identification/reporting of incorrect, missing, and exception data
Auditor tasks
- Identify significant application components and flow of transactions
- Gain understanding of the application through documentation review and interviews
- Identify application control strengths and weaknesses
- Test controls and evaluate the control environment
- Review application efficiency/effectiveness, and whether it meets management objectives
Input Controls
Input Authorization
- Signatures on batch forms/source documents
- Online access controls ensuring only authorized users can access data and perform sensitive functions
- Unique passwords
- Terminal/workstation identification to limit clients that can access the application
- Source documents should be prenumbered and controlled
Batch Controls and Balancing
Definition: input transactions grouped together (batched) to provide control totals.
Batch Controls
- Total $ amount
- Total items
- Total documents
- Hash totals: total of a meaningless, predetermined field (e.g., customer account numbers or zip codes) used to detect errors or omissions; do not ensure correct employees, pay rates, etc., only errors or omissions
Balancing Controls
- Batch registers: comparing manual batch totals against system-reported totals
- Control accounts: control account use is performed via an initial edit to determine batch totals. After processing data to the master file, reconciliation is performed between the initial edit file totals and the master file.
- Computer agreement: application compares the batch totals recorded in the batch header with the calculated totals and accepts/rejects the batch
Error Handling and Reporting
Input Error Handling
- Reject only transactions (trx) with errors
- Reject the whole batch of trxs
- Hold the batch in suspense (until errors are corrected)
- Accept the batch and flag error transactions
Batch Integrity
- Batch established by time of day, specific terminal of entry, or individual who entered the data
- Supervisor reviews the batch and releases it for processing
Data Validation/Editing Procedures
- Identifies errors, incomplete or missing data, and inconsistencies among related items
- Should occur as close to the time and point of origination as possible
Edits and Controls (types of checks)
- Sequence: control numbers are sequential
- Limit
- Range
- Validity
- Reasonableness
- Table lookups
- Existence
- Key verification: two people key the data and both sets are compared
- Check digit: detects transposition and transcription errors
- Completeness
- Duplicate
- Logical relationship
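The batch controls (document count, total amount, hash total, computer agreement) and the check-digit edit from the two sections above, run on a constructed batch. This is an added example, not the guide's own code; the mod-10 (Luhn) check digit is assumed as one concrete scheme, since the guide names none.

```python
"""Batch control totals, computer agreement, and a check-digit edit.

Added example, not the study guide's own code. The batch records are
constructed sample data. The check digit uses the mod-10 (Luhn) scheme as one
concrete instance of a digit that catches transposition and transcription
errors; the guide does not prescribe a particular scheme.
"""


def luhn_valid(number: str) -> bool:
    """Mod-10 check: from the right, double every second digit (subtract 9 if
    the result exceeds 9); the total of all digits must be divisible by 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Return the single digit that makes payload + digit pass luhn_valid."""
    for d in "0123456789":
        if luhn_valid(payload + d):
            return d
    raise ValueError("payload must be all digits")


def batch_totals(records):
    """Control totals an operator writes on the batch header: document count,
    total $ amount, and a hash total over the (meaningless) account field."""
    return {
        "documents": len(records),
        "total_amount": round(sum(amount for _, amount in records), 2),
        "hash_total": sum(int(acct) for acct, _ in records),
    }


def computer_agreement(header_totals, records) -> bool:
    """Application recomputes the totals and accepts or rejects the batch."""
    return batch_totals(records) == header_totals


def check_digit_edit(records):
    """Record-level edit: return account numbers whose check digit fails."""
    return [acct for acct, _ in records if not luhn_valid(acct)]


# Constructed batch: (account number including its check digit, amount)
BATCH = [
    ("79927398713", 120.50),
    ("1234567812345670", 75.00),
]
HEADER = batch_totals(BATCH)  # totals recorded when the batch was prepared


def keyed_with_transposition():
    """Operator keys the first account with two adjacent digits swapped
    (...98713 -> ...89713): the batch hash total changes AND the check digit
    fails, so the record itself is identified, not just the batch."""
    keyed = [("79927389713", 120.50), BATCH[1]]
    return computer_agreement(HEADER, keyed), check_digit_edit(keyed)


def keyed_with_swapped_amounts():
    """Amounts posted to the wrong accounts: every batch total still agrees and
    every check digit passes, so these controls detect errors and omissions
    only, not misapplied values (as the guide notes for hash totals)."""
    keyed = [(BATCH[0][0], 75.00), (BATCH[1][0], 120.50)]
    return computer_agreement(HEADER, keyed), check_digit_edit(keyed)


if __name__ == "__main__":
    print("header totals:", HEADER)
    print("transposition -> agreement, rejected:", keyed_with_transposition())
    print("swapped amounts -> agreement, rejected:", keyed_with_swapped_amounts())
```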
Processing Controls
Ensure completeness and accuracy of accumulated data
Processing Control Techniques
- Manual recalculations
- Edit check
- Run-to-run totals
- Programmed controls (e.g., detects incorrect file or file version)
- Reasonableness verification of calculated amounts
- Limit checks on calculated amounts: check using predetermined limits
- Reconciliation of file totals
- Exception reports
Data File Control Procedures: ensure only authorized processing occurs
Data File Control Techniques
- Before and after image reporting: shows the impact trxs have on data
- Maintenance error reporting and handling
- Source documentation retention
- Internal and external labeling of files, batches, tapes
- Version usage (file or database)
- Data file security
- One-for-one checking: documents processed equals source documents
- Prerecorded input: some data preprinted on blank input forms to reduce entry errors
- Trx logs
- File dating and maintenance authorization
- Parity checking for transmission errors
  o Vertical/column check: check on a single character
  o Horizontal/longitudinal/row check: check on all the equivalent bits
  o Use of both checks recommended
4 Categories of data files or database tables
- System control parameters: control edits and exception flags; changes to these files should be controlled the same as program changes
- Standing data: data that seldom changes, referred to during processing (e.g., vendor names & addresses). Changes should be authorized and logged.
- Master data/balance data: running balances and totals should be adjusted only under strict approval/review controls and logged
- Trx files: controlled via validation checks, control totals, exception reports, etc.
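The vertical and longitudinal parity checks listed above, worked through on a constructed block to show what each check detects on its own and why the guide recommends using both. This is an added example, not the guide's own code; even parity over 7-bit ASCII characters is assumed.

```python
"""Vertical (per-character) and longitudinal (per-bit-column) parity checks.

Added example, not the guide's own code. Even parity over 7-bit ASCII
characters of a constructed block is assumed. It shows why the guide
recommends using both checks together: one check alone reports that a single
bit flipped; the row and column results combined locate the flipped bit.
"""

BITS = 7  # 7-bit ASCII data, one parity bit per character (vertical check)


def vrc_bit(char: int) -> int:
    """Vertical redundancy check bit for one character (even parity):
    1 when the character has an odd number of 1 bits, else 0."""
    return bin(char & 0x7F).count("1") % 2


def lrc(chars) -> int:
    """Longitudinal redundancy check: XOR of all characters, i.e. the even
    parity of each bit column across the whole block."""
    acc = 0
    for c in chars:
        acc ^= c & 0x7F
    return acc


def encode(block: bytes):
    """Sender side: attach a VRC bit to every character and an LRC character
    to the block. Returns (list of (char, vrc), lrc)."""
    return [(c, vrc_bit(c)) for c in block], lrc(block)


def check(chars, block_lrc):
    """Receiver side. Returns:
      None                  no error detected
      (row, col)            a single data bit flipped at character row, bit col
      ("parity_bit", row)   only a VRC bit was damaged
      "multiple"            more than one bit flipped; location not recoverable"""
    bad_rows = [i for i, (c, p) in enumerate(chars) if vrc_bit(c) != p]
    col_diff = lrc([c for c, _ in chars]) ^ block_lrc
    bad_cols = [b for b in range(BITS) if (col_diff >> b) & 1]
    if not bad_rows and not bad_cols:
        return None
    if len(bad_rows) == 1 and len(bad_cols) == 1:
        return (bad_rows[0], bad_cols[0])
    if len(bad_rows) == 1 and not bad_cols:
        return ("parity_bit", bad_rows[0])
    return "multiple"


def flip_bits(chars, row, cols):
    """Simulate transmission damage: flip the given data bits of one character."""
    damaged = list(chars)
    c, p = damaged[row]
    for col in cols:
        c ^= 1 << col
    damaged[row] = (c, p)
    return damaged


if __name__ == "__main__":
    chars, block_lrc = encode(b"AUDIT")       # constructed sample block
    print("clean:", check(chars, block_lrc))
    print("one bit:", check(flip_bits(chars, 3, [2]), block_lrc))
    # two bits in one character: row parity is unchanged, only the LRC sees it
    print("two bits, same row:", check(flip_bits(chars, 1, [0, 2]), block_lrc))
```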
Output Controls
Ensure delivered data is presented, formatted, and delivered consistently and securely
- Logging and storage of negotiable, sensitive, and critical forms securely
- Computer generation of negotiable instruments, forms, and signatures
- Report distribution
  o All reports logged prior to distribution
  o Secure print spools to avoid deletion or redirection of print jobs
  o Restricted to certain IT resources, websites, or printers
  o Confidential disposal
- Balancing and reconciling
- Output error handling
- Output report retention
- Verification of receipt of reports
Risk Assessment of Application Controls
- Quality of internal controls
- Economic conditions
- Recent accounting system changes
- Time since last audit
- Prior audit results
- Complexity of operations
- Changes in operations/environment
- Changes in key positions
- Time in existence
- Competitive environment
- Assets at risk
- Staff turnover
- Trx volume and trends
- Regulatory agency impact
- Monetary volume
- Sensitivity of trxs
- Impact of application failure
User Procedures Review
- SOD: authority to do only one of origination, authorization, verification, distribution (DAVO)
- Authorization of input: written approval or unique passwords
  o Supervisor overrides should be logged and reviewed by mgmt
  o Excessive overrides may indicate that validation/edit routines need improvement
- Balancing
- Error control and correction
- Distribution of reports
- Access authorizations and capabilities
  o Based on job description
  o Activity reports generated and reviewed (activities valid for the user and occurring during authorized hours of operation)
  o Violation reports of unauthorized activities or unsuccessful access attempts
Data Integrity
Testing
- Cyclical testing: checking data against source documents, one section of data at a time. The whole file is eventually checked after multiple cycles.
- Data Integrity Tests
  o Relational: at data element and record levels
  o Referential: enforced through programmed data validation routines or by defining the input conditions (edits), or both. Defines existence relationships between database elements (primary and foreign keys): all references to a primary key from another file (foreign key) actually exist in the original file
- Atomicity: trx is completed entirely or not at all
- Consistency: maintained with each trx, taking the database from one consistent state to another
- Isolation: each trx is isolated and accesses only data that is part of a consistent database state
- Durability: trxs that are reported complete survive subsequent HW/software failures
- Snapshot: records the flow of designated trxs through logic paths within programs
- Mapping: identifies untested program logic and whether program statements have been executed
- Tracing & tagging: shows the trail of instructions executed; tagging selected trxs and using tracing to track them
- Test data/deck
- Base case system evaluation: uses test data to verify correct system operations (extensive test)
- Parallel operation
- Integrated test facility: using a fictitious file with test trxs that is processed with live data
- Parallel simulation: processing production data against simulated program logic
- Trx selection programs: uses audit software to screen and select trxs
- Embedded audit data collection: software embedded in the production system used to select input and generated trxs during production
  o System control audit review file (SCARF): auditor determines reasonableness of tests incorporated into normal processing; provides information for further review
  o Sample audit review file (SARF): randomly selects trxs for analysis
- Extended records: gathers all data affected by a particular program for review
E-commerce Risks
Confidentiality Integrity Availability Authentication and non-repudiation Power shift to customers
E-commerce Audit/Control Issues (Best Practices) Security architecture (firewalls, encryption, PKI, certificates, password mgmt) Digital signatures Public Key Infrastructure (PKI) o Framework for issuing, maintaining, verifying and revoking public key certificates by a trusted party. o Key elements Digital certificates - Public key and info about the owner that authenticates the owner (issued by trusted 3rd party) Includes distinguishing username, public key, algorithm, certificate validity period Certificate Authority (CA) trusted provider of public/private key pairs that confirms authenticity of the owner of the certificate (business) by issuing/signing the requestors certificate with CAs private key Registration Authority (RA) optional entity that some CAs use to record/verify business information needed by a CA to issue/revoke certificates Certification revocation list Certification practice statement (CPS) Rules governing CAs operations, controls, validation methods, expectations of how certificates are to be used. Log monitoring Methods and procedures to identify security breaches Protecting customer data to ensure not used for other purposes or disclosed without permission Regular audits of security and controls EDI Risks Transaction authorization Business continuity Unauthorized access to transactions Deletion/manipulation of transactions before or after establishment of application controls Loss or duplication of EDI transmissions Loss of confidentiality or improper distribution of trx by 3rd parties
EDI Controls
- Message format and content standards to avoid transmission errors
- Controls to ensure transmissions are converted properly for the application software
- Receiving organization controls to ensure reasonableness of messages received, based on the trading partner's trx history or documentation
- Controls to guard against manipulation of trxs in files and archives
- Procedures for ensuring messages are from authorized parties and were authorized
- Dedicated transmission channels between partners to prevent tapping
- Data is encrypted and digitally signed to identify source and destination
- Message authentication codes are used to ensure what was sent is received
- Error handling for trxs that are nonstandard or from unauthorized parties
25 of 40
- Business relationships are defined in a trading partner agreement identifying trxs to be used, responsibilities of both parties in handling/processing trxs, and business terms of the trxs
Auditing EDI
- Encryption processes ensure CIA and nonrepudiation of trxs
- Edit checks to identify erroneous, unusual, or invalid trxs prior to updating the application
- Edit checks to assess trx reasonableness and validity
- Trxs are logged on receipt
- Control totals on receipt of trxs to verify number/value of trxs to be passed to the application, and reconcile totals between applications and trading partners
- Segment count totals built into trx set trailers by sender
- Trx set count totals built into group headers by sender
- Validity of sender against trading partner details by:
  o Using control fields with a message at the trx, function, group, or interchange level, often within the EDI header, trailer, or control record
  o Using VAN sequential control numbers or reports, if applicable
  o Sending acknowledgement trx to sender to verify receipt; sender matches acks against a log of EDI messages sent
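The control totals and sender checks above can be recomputed by the receiving system before anything is passed to the application. The following is an added example (not from the study guide or from any EDI product) that works on a constructed interchange in a simplified X12-style layout: segments end with "~", elements are separated by "*", each trx set runs from ST to SE with the segment count in the SE trailer, and the GE trailer carries the number of trx sets in the group. The sample data, the partner list, and the sent/ack logs are all made up for the example.

```python
# Constructed sample: one functional group (GS/GE) holding two purchase-order
# trx sets (ST/SE). SE01 = segment count incl. ST and SE; GE01 = number of sets.
SAMPLE_EDI = (
    "GS*PO*SENDER*RECEIVER*20240101*1200*101~"
    "ST*850*0001~BEG*00*SA*PO1001~PO1*1*10*EA*9.50~SE*4*0001~"
    "ST*850*0002~BEG*00*SA*PO1002~PO1*1*3*EA*120.00~SE*4*0002~"
    "GE*2*101~"
)


def parse_segments(edi: str):
    """Split an interchange into segments, each a list of elements."""
    return [seg.split("*") for seg in edi.strip().split("~") if seg]


def check_control_totals(segments):
    """Recompute the sender's control totals against what was actually received.
    Returns a list of findings; an empty list means every trailer agrees."""
    findings = []
    set_count = 0
    current = None  # (control number, segments seen so far in the open set)
    for seg in segments:
        tag = seg[0]
        if tag == "ST":
            current = (seg[2], 1)
            set_count += 1
        elif tag == "SE":
            if current is None:
                findings.append("SE trailer without a matching ST header")
                continue
            ctl, seen = current
            seen += 1  # the SE segment itself is counted
            if int(seg[1]) != seen:
                findings.append(f"set {ctl}: trailer says {seg[1]} segments, received {seen}")
            if seg[2] != ctl:
                findings.append(f"set {ctl}: trailer control number {seg[2]} differs from header")
            current = None
        elif tag == "GE":
            if int(seg[1]) != set_count:
                findings.append(f"group trailer says {seg[1]} trx sets, received {set_count}")
        elif current is not None:
            current = (current[0], current[1] + 1)
    if current is not None:
        findings.append(f"set {current[0]} has no SE trailer")
    return findings


def sender_is_known(segments, trading_partners):
    """Validity of sender: the GS02 sender id must be a partner under agreement."""
    for seg in segments:
        if seg[0] == "GS":
            return seg[2] in trading_partners
    return False


def unacknowledged(sent_log, acks_received):
    """Sender-side check: control numbers sent but never acknowledged."""
    return sorted(set(sent_log) - set(acks_received))


if __name__ == "__main__":
    segs = parse_segments(SAMPLE_EDI)
    print(check_control_totals(segs))            # [] - totals agree
    print(sender_is_known(segs, {"SENDER"}))     # True
    # A segment dropped in transit is caught by the SE count
    damaged = parse_segments(SAMPLE_EDI.replace("PO1*1*3*EA*120.00~", ""))
    print(check_control_totals(damaged))
    print(unacknowledged(["0001", "0002"], ["0001"]))  # ['0002']
```

The findings list is what an auditor would expect to see logged and reconciled with the trading partner; a dropped or duplicated segment shows up as a count mismatch even when the remaining segments are individually valid.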
Digital Signatures
- Unique to each document; cannot be transferred or reused
- Verifies sender and that the document has not been altered
- Based on a message digest, a short, fixed-length number
  o Some messages have the same digest, but the message can't be produced from the digest
  o 128-bit cryptographic hash
  o Similar to a checksum or fingerprint of the document
- DES (symmetric); RSA (asymmetric public key)
Risk Management for e-banking
1. Board & mgmt oversight
2. Security controls
3. Legal and reputational risk management

Purchase Order Accounting functions
- Accounts payable processing
- Goods received processing
- Order processing
Artificial Intelligence
- Languages: LISP and PROLOG
- Primary components
  o Inference engine
  o Knowledge base: contains subject matter facts and rules for interpreting them
    - Decision trees: questionnaires or choices users walk through
    - Semantic nets: graph which describes relationships between the nodes
  o Explanation module
  o Database
26 of 40
- Also contains
  o Knowledge interface: allows entry of knowledge without needing a programmer
  o Data interface: enables the system to collect data from nonhuman sources (other systems, like temperatures)
- Used in auditing! Errors in the system have a bigger impact, especially in health care
Decision Support Systems
- Emphasizes effectiveness (right task/right decision) over efficiency (performing tasks quickly and reducing costs)
- G. Gorry-M.S. Morton framework: degree of structure in the decision process & mgmt level making the decision
  o Decision-structure: structured, semi-structured, unstructured; the decision structure depends on the extent to which it can be automated/programmed
  o Mgmt-level: operational control, mgmt control, and strategic planning
- Sprague-Carson framework: family trees structure
- Motivated by end users
- Use 4GL
- Critical Success Factors (CSF): productivity, quality, economic value, customer service
- Integrated Resource Management Systems: ERP
American Standard Code for Information Interchange (ASCII) Extended Binary-Coded Decimal Interchange Code (EBCDIC)
Project Portfolio Management Objectives
- Optimization of the results of the project portfolio
- Prioritizing and scheduling projects
- Resource coordination
- Knowledge transfer throughout the projects
- PPM requires a PP database

Benefits Realization (Management) Techniques
- Describe benefits mgmt
- Assign measure/target
- Establish measuring/tracking regimen
- Document assumptions
- Establish key responsibilities for realization
- Validate the benefits predicted in the business
- Plan the benefits to be realized
27 of 40
ISO 15504 PME PO / Software Process Improvement and Capability Determination (SPICE): see CCM
ISO 9001 quality mgmt: requires quality manual, trained staff, managed to improve competency
ISO 9126 Software Quality Metrics FUR PEM
- Functionality of the software processes
- Usability (ease of use)
- Reliability with consistent performance
- Portability between environments
- Efficiency
- Maintainability for modifications
ISO 15489:2001 Records Mgmt/Retention
- Requires ISO 9001 quality and 140001 records mgmt compliant
- Includes fundraising campaigns
- Used to determine liability and sentencing during prosecution
- Requires data classification

Decision Making
- Critical success factors
- Scenario planning
IS Hardware
CPU = arithmetic logic unit (ALU), control unit, and internal memory
Data Dictionary/Directory System
- Contains index and description of all items stored in the database
- Defines and stores source and object forms of all data definitions in schemas and all associated mappings
- One DD/DS can be used across multiple databases
Database Structures
- Hierarchical
  o Data arranged in parent/child relationships
  o One-to-many mappings
  o Results in duplicate data
  o Easy to implement, modify, and search
  o No high-level query capability; have to navigate the database
- Network
  o Data arranged in sets (owner record type, member record, name)
  o One-to-many or one-to-one mappings
  o Sets can have the same member record type
  o Very complex
  o No high-level query capability; have to navigate the database
- Relational
  o Based on sets and relational calculations (dynamic database)
  o Data organized in tables (collection of rows)
    - Row/tuple = record
    - Columns/domains/attributes = fields
  o Properties
    - Values are atomic
    - Rows are unique
    - Sequence of columns and rows is insignificant
    - Allow control over sensitive data
  o Easy to understand, query, modify
  o Normalization: minimizing the amount of data needed and stored by eliminating data redundancy and ensuring referential integrity
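The relational properties listed here and the data integrity tests in the earlier section (referential integrity through primary/foreign keys, validation edits, and the ACID behaviour of transactions) can be seen directly in a small database. The following is an added example, not from the study guide, using Python's built-in sqlite3 module; the customer/orders schema, the sample rows, and the audit query are constructed for the illustration. Note that SQLite only enforces foreign keys when the pragma is switched on, which is itself the kind of configuration point an auditor checks.

```python
import sqlite3


def open_db():
    """In-memory database with referential integrity and an input edit enforced.
    Schema and seed row are constructed for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK constraints unless enabled
    con.executescript("""
        CREATE TABLE customer (
            id   INTEGER PRIMARY KEY,
            name TEXT NOT NULL UNIQUE                 -- rows are unique, values atomic
        );
        CREATE TABLE orders (
            id          INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customer(id),  -- foreign key
            amount      INTEGER NOT NULL CHECK (amount > 0)        -- programmed edit
        );
    """)
    con.execute("INSERT INTO customer (id, name) VALUES (1, 'Acme')")
    con.commit()
    return con


def insert_order(con, customer_id, amount):
    """Record one order; returns True only if the database accepted it."""
    try:
        with con:  # one transaction: committed on success, rolled back on error
            con.execute("INSERT INTO orders (customer_id, amount) VALUES (?, ?)",
                        (customer_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def insert_batch(con, rows):
    """Atomicity: the batch is written entirely or not at all."""
    try:
        with con:
            con.executemany("INSERT INTO orders (customer_id, amount) VALUES (?, ?)", rows)
        return True
    except sqlite3.IntegrityError:
        return False


def order_count(con):
    return con.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def orphan_orders(con):
    """Audit query: orders whose customer does not exist (should always be empty)."""
    return con.execute("""
        SELECT o.id FROM orders o LEFT JOIN customer c ON c.id = o.customer_id
        WHERE c.id IS NULL""").fetchall()


if __name__ == "__main__":
    db = open_db()
    print(insert_order(db, 1, 100))              # True: customer 1 exists
    print(insert_order(db, 99, 100))             # False: foreign key has no target
    print(insert_batch(db, [(1, 50), (1, -5)]))  # False: second row fails the edit,
    print(order_count(db))                       # 1  ...and the first row is rolled back
    print(orphan_orders(db))                     # []
```

The batch case is the point worth remembering for the ACID bullets: the first row of the batch was valid, but because the second row violated the amount edit the whole transaction was rolled back, leaving the order count unchanged.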
Networking
- Baseband: single channel, half-duplex, entire capacity used to transmit one signal
- Broadband: multiple channels, full duplex, multiple signals
- Bridge: data link layer 2 device used to connect LANs or create separate LAN or WAN segments to reduce collision domains
- Router: like bridges/switches, routers link physically separate network segments. Block broadcast data. Software-based, less efficient than switches. Can connect LAN and WAN.
  o A router does packet switching using a microprocessor; a layer 3 switch does switching using ASIC hardware
- Layer 4 switch: switches based on layer 3 addresses and application information (such as port #s) to provide policy-based switching
- Layer 4-7 switches: used for load balancing
- Gateways: protocol converters; used between LANs and mainframes or LANs and the Internet
FREE CISA Study Guide from http://wordpress.ITauditSecurity.com 29 of 40
- Synchronous transmission: bits transmitted at constant speed. The sending modem uses a specific character when it starts sending a data block to synchronize the receiving device. Provides maximum efficiency.
- Asynchronous transmission: sender uses start and stop bits before and after each data byte. Lower efficiency, but simpler.
- Multiplexing: dividing a physical circuit into multiple circuits by:
  o Time-division: regardless of whether data is ready to transmit
  o Asynchronous time division: dynamically assigned time slots as needed for transmission
  o Frequency: based on signal frequency
  o Statistical: dynamic allocation of any data channel based on criteria
Wireless
- Wi-Fi Protected Access (WPA): wireless security protocol
- Wireless Application Protocol (WAP): multi-layered protocol and technologies that provide Internet content to mobile wireless devices (phones and PDAs)
TCP/IP (32-bit)
- Includes network and application support protocols
- Network layer 3 = IP
- Transport layer 4 = TCP/UDP
- Common Gateway Interface (CGI) script: machine-independent code run on a server that can be called & executed by a web server; performs tasks such as processing input received from a web form
- Applets: programs downloaded from web servers that run applications in browsers (most popular ones use Java, JavaScript, Visual Basic)
- Servlet: small program that runs in a web server, similar to a CGI program. Unlike CGI, servlets stay in memory and can serve multiple requests
- Middleware: software used by client/server applications to provide communications and other services between applications, systems, and devices. Services include identification, authentication, authorization, directories, and security. Resides between the application and the network. Manages the interaction between the GUI and the database back-end.
System Control
First level of control in a computer is the privileged supervisory user (root/admin).

Operating System States
- Supervisory: security front end not loaded; requests are run at the highest authority level without security controls
- General user/problem: security is active; system is solving problems for the user
- Wait: computer busy and unable to respond to additional requests
30 of 40
Inventory Classification
- Identification of the asset (hardware, software, data)
- Relative value to the organization
- Location
- Security risk/classification
- Asset group, if the asset forms part of a larger system
- Owner
- Custodian
Pharming redirecting web site traffic to a bogus site via changes in DNS or a users host file
Biometrics
- Something you are (fingerprint) or do (typing behavior)
- Quantitative measures (% rate)
  o False rejection rate (FRR, type I): person falsely rejected access
  o Failure to enroll rate (FER): person fails to enroll successfully
  o False acceptance rate (FAR, type II): unauthorized person allowed access
  o An increase in the type I rate decreases the type II rate & vice versa
31 of 40
- Equal error rate (EER): point at which FRR & FAR are equal. The lower the measure, the more effective the biometric
  o Best response times and lowest EER: palm, hand, iris, retina, fingerprint, voice
- Palm*: ridges and valleys
- Hand geometry*: oldest, 3D, hand and fingers, 90 measurements
- Iris: color patterns around the pupil, 260 characteristics. No physical contact, high cost
- Retina: blood vessel pattern, best FAR, requires close proximity, high cost
- Fingerprint: low cost, size, ease of integration
- Face: acceptable/friendly, but lack of uniqueness
* Socially accepted, low storage cost
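The FRR/FAR trade-off and the equal error rate are easiest to understand by sweeping the acceptance threshold over a set of match scores. The following is an added example (not from the study guide or from any biometric vendor) using constructed match scores on a 0-100 scale for ten legitimate users and ten impostors; the threshold range and the score values are assumptions for the illustration.

```python
# Constructed match scores: higher = sample looks more like the enrolled template.
GENUINE_SCORES = [90, 85, 88, 70, 95, 60, 80, 92, 75, 87]   # legitimate users
IMPOSTOR_SCORES = [30, 45, 55, 20, 65, 40, 35, 50, 72, 25]  # other people


def error_rates(genuine, impostor, threshold):
    """FRR (type I) and FAR (type II) when a sample is accepted at score >= threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)    # genuine users turned away
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    return frr, far


def equal_error_rate(genuine, impostor, thresholds=range(0, 101)):
    """Threshold at which FRR and FAR meet (or come closest), and the rate there."""
    best_t, best_gap, best_rate = None, None, None
    for t in thresholds:
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (frr + far) / 2
    return best_t, best_rate


def tradeoff_table(genuine, impostor, thresholds=(40, 50, 60, 70, 80)):
    """Rows of (threshold, FRR, FAR) showing one rate rising as the other falls."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for t, frr, far in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}: FRR {frr:.1f}  FAR {far:.1f}")
    print("EER threshold, rate:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold makes the system stricter: FAR drops toward zero while FRR climbs, which is the "type I up, type II down" relationship in the bullets. A system deployed for access control is normally tuned on the FAR side of the EER point, accepting more rejections of legitimate users in exchange for fewer impostors admitted.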
Single Sign-on (SSO): consolidation of platform-based administration, authentication, and authorization functions into a single, centralized function. Example: Kerberos, developed at MIT, Project Athena
Wireless Security
9 categories of overall security threats
1. Errors and omissions
2. Fraud and theft by authorized/unauthorized users
3. Employee sabotage
4. Loss of physical and infrastructure support
5. Malicious hackers
6. Industrial espionage
7. Malicious code
8. Foreign government espionage
9. Personal privacy threats

Main Wireless Threats
1. Theft
2. DOS
3. Malicious hackers
4. Industrial espionage
5. Malicious code
6. Foreign government espionage
7. Theft of service
32 of 40
Security Requirements
- Authenticity: verification that the message was not changed in transit
- Nonrepudiation: verification of origin or receipt of the message
- Accountability: actions traceable to an entity
- Network availability
- Scanners: strobe, jakal, asmodeous
- Install local firewall, turn off scripting
Firewalls
3 types of firewalls: router packet filtering, application, stateful inspection

Router packet filtering
- First generation
- Examines the header (source/destination IP, port number) at the network layer
- Simple, stable performance
- Allows direct exchange of packets between outside/inside systems
- Miniature fragment attack: the IP packet is fragmented into smaller ones; the first packets will be examined, and the rest won't. Caused by the default setting that passes residual packets. The firewall should drop fragmented packets with an offset value of 1.
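A first-generation packet filter decides on header fields alone, which is why the tiny fragment problem exists: later fragments carry no port number to match. The following is an added example, not from the study guide or from any firewall product, of a minimal rule evaluator with the guide's mitigation switched on; the rule set, addresses and packet fields are constructed, and the `Packet` class is a stand-in for parsed IP/TCP headers.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    """Constructed stand-in for the header fields a packet filter looks at."""
    src: str
    dst: str
    proto: str
    dport: Optional[int]    # None when the transport header is not in this fragment
    frag_offset: int = 0    # IP fragment offset; 0 = first (or only) fragment


# Constructed rule set: first match wins, anything unmatched is dropped.
RULES = [
    {"action": "allow", "proto": "tcp", "dst": "10.0.0.5", "dport": 443},
    {"action": "allow", "proto": "tcp", "dst": "10.0.0.5", "dport": 80},
    {"action": "allow", "proto": "udp", "dst": "10.0.0.53", "dport": 53},
]


def filter_packet(pkt: Packet, rules=RULES, drop_tiny_fragments=True) -> str:
    """Return 'allow' or 'drop' the way a stateless packet filter would.
    drop_tiny_fragments=False reproduces the insecure default described in the
    guide, where residual fragments pass without being examined."""
    if pkt.frag_offset != 0:
        if drop_tiny_fragments and pkt.frag_offset == 1:
            # An offset of 1 (8 bytes) can only follow a first fragment too short
            # to hold the full transport header, so nothing legitimate needs it.
            return "drop"
        return "allow"  # non-initial fragments carry no ports to match on
    for rule in rules:
        if (rule["proto"] == pkt.proto and rule["dst"] == pkt.dst
                and rule["dport"] == pkt.dport):
            return rule["action"]
    return "drop"  # default deny: includes first fragments with no port present


if __name__ == "__main__":
    print(filter_packet(Packet("198.51.100.7", "10.0.0.5", "tcp", 443)))  # allow
    print(filter_packet(Packet("198.51.100.7", "10.0.0.5", "tcp", 22)))   # drop
    tiny = Packet("198.51.100.7", "10.0.0.5", "tcp", None, frag_offset=1)
    print(filter_packet(tiny))                             # drop (hardened)
    print(filter_packet(tiny, drop_tiny_fragments=False))  # allow (default setting)
```

The comparison between the two calls on `tiny` is the whole point of the guide's bullet: with the default behaviour the fragment passes even though the filter never saw a port number; with the offset check it is dropped. A stateful inspection firewall avoids the problem differently, by reassembling or tracking the whole datagram before deciding.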
Application level
Circuit-level
33 of 40
Firewall implementations
Screened host
- Packet filtering router and bastion host
- Includes application firewall/proxy services
- Bastion host is on the private network; packet filtering router is between the Internet and the private network
- Requires compromise of two systems

Dual-homed firewall
- More restrictive version of the screened host firewall, using a dual-homed bastion host

Screened subnet
- Uses 2 packet filtering routers and a bastion host
- Provides network (packet filtering) and application-level security with a DMZ network
- Inside router manages DMZ access to the internal network, accepting traffic only from the bastion host
- Requires compromise of 3 hosts; hides internal network addresses
- Hardware firewalls: faster, but not as flexible or scalable
- Software firewalls: slower, but more scalable
IDS Types
- Signature-based
- Statistical-based: must be configured with known and expected system behaviors
- Neural networks: monitors general activity, similar to statistical-based, but capable of self-learning
IDS cannot help with
- Policy definition weaknesses
- Application-level vulnerabilities
- Backdoors in applications
- Identification and authentication scheme weaknesses
Encryption
Key elements
- Encryption algorithm
- Encryption keys
- Key length

Private Key Systems
34 of 40
- Symmetric: 1 key encrypts and decrypts
- Less complicated, faster
- Problem is distributing the key safely
- RC2, RC4, IDEA, DES, AES
Data Encryption Standard (DES)
- 64-bit block cipher
- 56-bit key (8 extra bits for parity checking)
- Replaced by AES, 128-256 bit key (Rijndael, invented by Rijmen and Daemen)
  o Symmetric block cipher
  o Unlike DES, Rijndael has variable block and key length
  o Based on round operations

Public Key Systems
- Asymmetric: 2 keys, one encrypts, the other decrypts
- Keys created by integer factorization
- Used to encrypt symmetric keys and for digital signatures
- RSA (Rivest, Shamir, Adleman; invented in 1977), Diffie-Hellman, DSA, Fortezza
- Encrypt with public key, decrypt only with private key: confidentiality (read only by receiver)
- Encrypt with private key, decrypt with public key: authentication and non-repudiation
- Encrypt with private key, then public key: confidentiality, authentication, and non-repudiation

Elliptic Curve Cryptography (ECC)
- Public key variation using the discrete logarithm over an elliptic curve (2 points on the curve)
- Works with networked computers, smart cards, wireless phones, mobile devices
- Less computational power, more security per bit (160-bit ECC = 1024-bit RSA)

Quantum Cryptography
- Uses interaction of light pulses, polarization metrics
Digital signatures
- Uses a public key algorithm to ensure the identity of the sender and the integrity of the data
- Hash algorithm creates the message digest, a smaller version of the original message
  o Changes variable-length messages into a fixed, 128-bit length digest
  o Hashes are one-way functions; can't reverse
  o MD5, SHA-1, SHA-256
- Digital signature is encrypted by the sender's private key; the receiver decrypts it with the public key, then recomputes a digital signature and compares it to the original signature
- Ensures data integrity, authentication, and non-repudiation (but not confidentiality)
- Vulnerable to man-in-the-middle attack
Digital Envelope
- Contains data encrypted with a symmetric key and the session key (which is the symmetric key, encrypted with the receiver's public/asymmetric key)
- Receiver's private key is used to decrypt the session key (symmetric key); the symmetric key is used to decrypt the data
- Uses asymmetric keys to protect the data integrity, authentication, and non-repudiation gained by the symmetric key
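The two mechanisms described in the Digital signatures and Digital Envelope sections use the same public key arithmetic in opposite directions: the signer applies the private key to a digest, and the envelope applies the receiver's public key to a session key. The following is an added example, not from the study guide, that keeps that arithmetic visible with textbook RSA on constructed keys built from small Mersenne primes, SHA-256 for the digest, and a toy hash-based stream cipher standing in for AES. None of this is production cryptography: real systems use padding schemes, vetted libraries, and 2048-bit or larger moduli; the key values, message, and cipher construction here are assumptions for the illustration.

```python
import hashlib
import secrets


def make_key(p: int, q: int, e: int = 65537):
    """Textbook RSA key from two primes: returns (n, e, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)


# Constructed toy key pairs (Mersenne primes, so no primality test is needed here).
# The moduli are ~190 bits: enough to wrap a 128-bit session key, far too small for real use.
SENDER = make_key(2**89 - 1, 2**107 - 1)     # signs outgoing documents
RECEIVER = make_key(2**61 - 1, 2**127 - 1)   # receives the envelope


def message_digest(data: bytes, n: int) -> int:
    """SHA-256 digest as an integer below the modulus (real schemes pad instead of reducing)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, key) -> int:
    """Digital signature: digest 'encrypted' with the sender's private key."""
    n, _, d = key
    return pow(message_digest(data, n), d, n)


def verify(data: bytes, signature: int, key) -> bool:
    """Receiver recovers the digest with the public key and recomputes it from the data."""
    n, e, _ = key
    return pow(signature, e, n) == message_digest(data, n)


def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher (stand-in for AES); XOR makes it its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def seal_envelope(plaintext: bytes, receiver_key):
    """Digital envelope: data under a fresh session key, session key under the receiver's public key."""
    n, e, _ = receiver_key
    session_key = secrets.token_bytes(16)
    ciphertext = sym_crypt(session_key, plaintext)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return ciphertext, wrapped_key


def open_envelope(ciphertext: bytes, wrapped_key: int, receiver_key) -> bytes:
    """Receiver's private key unwraps the session key, which then decrypts the data."""
    n, _, d = receiver_key
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return sym_crypt(session_key, ciphertext)


if __name__ == "__main__":
    msg = b"PO 1001: 10 EA at 9.50"          # constructed document
    sig = sign(msg, SENDER)
    print(verify(msg, sig, SENDER))                    # True
    print(verify(msg + b" (amended)", sig, SENDER))    # False: any change breaks the digest
    ct, wk = seal_envelope(msg, RECEIVER)
    print(open_envelope(ct, wk, RECEIVER) == msg)      # True
```

Two things the bullets state are visible in the test cases: the signature gives integrity and origin but no confidentiality (the message travels in the clear unless it is also enveloped), and the envelope gives confidentiality but says nothing about who sent it, which is why the two are combined in practice.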
35 of 40
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
- Session or connection-layered protocol
- Provides end point authentication and confidentiality
- Typically, only the server is authenticated (including the client requires PKI deployment)
- Phases
  o Algorithm negotiation
  o Exchange of public key and certificate-based authentication
  o Symmetric cipher-based traffic encryption
- Runs on layers beneath application protocols (HTTP, SMTP, NNTP) and above the TCP protocol
- Uses a hybrid of hashed, private, and public key cryptography to provide confidentiality, integrity, authentication (between client & server), and non-repudiation

IPSec
- Runs at the network layer
- Used for communicating between two or more hosts, subnets, or hosts and subnets (establishes VPNs)
- Transport mode: only the data portion of the packet (encapsulating security payload (ESP)) is encrypted; confidentiality
- Tunnel mode: ESP payload (data) and header are encrypted. Additional authentication header (AH) provides non-repudiation
- Uses security associations (SAs) to define the security parameters to use (algorithms, keys, initialization vectors, etc.)
- Using asymmetric encryption via Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley) increases IPSec security by using key management, public keys, negotiation, use of SAs, etc.
SSH
- Runs at the application layer
- Client/server program for encrypting command-line shell traffic; used for remote logon and management
- Used to secure telnet and ftp
Secure Multipurpose Internet Mail Extensions (S/MIME)
- Email protocol authenticating sender and receiver
- Verifies message integrity and confidentiality, including attachments

Secure Electronic Transactions (SET)
- Visa/MasterCard protocol used to secure credit card transactions
- Application protocol using the PKI of a trusted 3rd party
Encryption Risks
- Secrecy of keys is paramount
- Randomness of key generation relates to how easily a key can be compromised
- Tying passwords to key generation weakens the key's randomness, so it is important to use strong passwords
36 of 40
Viruses and Worms
- Viruses: attached to programs; attack EXEs, file directory system, boot & system areas, data files
- Worms: self-propagating to other programs
- Virus/Worm controls: policies (preventative) and antivirus software (detective)
- Backups = vital control
VOIP
- Replaces circuit switching (and the associated waste of bandwidth) with packet switching
- Secure VOIP similar to data networks (firewalls, encryption)
- Network issues take down phones also, so backup availability is a big issue
- VLANs should be used to segregate VOIP infrastructure/traffic
- Session Border Controllers (SBCs) provide VOIP security similar to firewalls by monitoring VOIP protocols, monitoring for DoS, and providing network address and protocol transition features
Private Branch Exchange (PBX)
- In-house phone company for the organization; allows 4-digit dialing, saves the cost of individual phone lines to the phone company's central office
- PBX security is different from normal OS security
  o External access/control by 3rd party for updates/maintenance
  o Richness of features available for attacks

PBX Controls
- Physically secure PBX and telephone closets
- Configure and secure separate and dedicated admin ports
- Control direct inward dial (DID) lines to avoid external parties getting dial tone for free long-distance calls
- Block certain long-distance numbers
- Control numbers destined for faxes and modems
- Use call-tracking logs
- Maintenance out of Service (MOS) signaling: communication is terminated on the PBX, but the line may be left open for eavesdropping
- Embedded passwords can be restored when the system is rebooted during crash recovery
37 of 40
> BCP/DRP
- Starts with risk assessment
  o People, data, infrastructure, and other resources that support key business processes
  o Dangers and threats to the organization
  o Estimated probability of threat occurrence
- BCP includes DRP
  o Plan to restore operations to normal following a disaster
  o Improvement of security operations

BCP Lifecycle
- Create BCP policy
- Business Impact Analysis (BIA)
- Classification of operations and criticality
- Identify IS processes that support business criticality
- Develop BCP and IS DRP
- Develop resumption procedures
- Training and awareness programs
- Test and implement plan
- Monitoring
38 of 40
BCP Policy
- Should encompass preventative, detective, and corrective controls
- BCP is the most critical corrective control
- Incident management control: main severity criterion is service downtime
- Media backup control

BIA identifies:
- Different business processes & criticality
- Critical IS resources supporting critical business processes
- Critical recovery period before significant or unacceptable losses occur
Recovery point objective (RPO): based on acceptable data loss; earliest time in which it is acceptable to recover; date/time or synchronization point to which systems/data will be restored.
Recovery time objective (RTO): based on acceptable downtime; earliest time when business operations must resume.
- Interruption window: how long a business can wait before operations resume (after this point, losses are unaffordable)
- Maximum Tolerable Outage (MTO): maximum time the business can operate in alternate processing mode before other problems occur
- Service delivery objective (SDO): acceptable level of services required during alternate processing

Recovery Alternatives
- Hot site: fully configured and ready to operate within hours. Not for extended use.
- Warm site: partially configured (network and peripheral devices, but no main computers). Site ready in hours, operations ready in days or weeks.
- Cold site: has basic utilities, ready in weeks.
- Redundant site: dedicated, self-developed sites.
- Mobile site: data center in a box
- Reciprocal agreements with other businesses

Redundant Array of Inexpensive/Independent Disks (RAID)
- Level 0: striped disk array, no fault tolerance; stripes multiple disks into one volume (faster when software based)
- Level 1: mirroring; 2 drives, half the space (faster when software based)
- Level 2: Hamming code ECC, interweaving data based on Hamming code (EXPENSIVE and rare; HW based, resource intensive)
- Level 3: parallel transfer with parity; at least 2 striped data drives with 1 for parity (faster in HW)
- Level 5: block level; independent disks with distributed parity blocks; at least 3 drives, stripes data and parity (faster in HW)
- Level 6: Level 5 with 2 independent distributed parity schemes (faster in HW)
- Level 10: high reliability & performance; at least 4 drives, stripes level 1 (mirrored) sets; high I/O
- Level 0+1: high transfer rate; striped plus mirror; losing 2 drives = major data loss
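The "distributed parity" of RAID level 5 is just XOR across the data blocks of each stripe, with the parity block rotating between drives. The following is an added example, not from the study guide or from any storage vendor, that simulates a 3-drive level 5 array on byte strings so the rebuild after a single drive loss, and the failure on a double loss, can be seen directly. Drive count, block size, the sample data, and the capacity helper are assumptions for the illustration; the padding is stripped with rstrip, which a real array would track by length instead.

```python
def xor_bytes(*blocks: bytes) -> bytes:
    """XOR any number of equal-length blocks (parity, and also reconstruction)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, disks: int = 3, block_size: int = 4):
    """Stripe data across `disks` drives with rotating parity.
    Returns one list of blocks per drive (the simulated disk contents)."""
    if disks < 3:
        raise ValueError("RAID 5 needs at least 3 drives")
    data_per_stripe = disks - 1
    stripe_bytes = block_size * data_per_stripe
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    chunks = [padded[i:i + block_size] for i in range(0, len(padded), block_size)]
    layout = [[] for _ in range(disks)]
    for stripe_no in range(len(chunks) // data_per_stripe):
        data_blocks = chunks[stripe_no * data_per_stripe:(stripe_no + 1) * data_per_stripe]
        parity_disk = stripe_no % disks  # rotate so no single drive becomes the parity bottleneck
        remaining = iter(data_blocks)
        for d in range(disks):
            layout[d].append(xor_bytes(*data_blocks) if d == parity_disk else next(remaining))
    return layout


def raid5_read(layout, failed=()) -> bytes:
    """Rebuild the byte stream, reconstructing at most one failed drive from the rest."""
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates only one drive failure")
    disks = len(layout)
    out = bytearray()
    for stripe_no in range(len(layout[0])):
        parity_disk = stripe_no % disks
        blocks = [layout[d][stripe_no] for d in range(disks)]
        for f in failed:  # the missing block is the XOR of every surviving block in the stripe
            blocks[f] = xor_bytes(*(b for d, b in enumerate(blocks) if d != f))
        out += b"".join(b for d, b in enumerate(blocks) if d != parity_disk)
    return bytes(out).rstrip(b"\x00")


def usable_capacity(level: str, disks: int, disk_size: int) -> int:
    """Usable space for the levels in the guide, after mirror or parity overhead."""
    overhead = {"0": 0, "1": disks // 2, "5": 1, "6": 2, "10": disks // 2, "0+1": disks // 2}
    return (disks - overhead[level]) * disk_size


if __name__ == "__main__":
    ledger = b"Quarterly ledger, 2024 Q1 close"  # constructed sample data
    array = raid5_write(ledger)
    print(raid5_read(array) == ledger)              # True: all drives present
    print(raid5_read(array, failed=(1,)) == ledger) # True: drive 1 rebuilt from 0 and 2
    print(usable_capacity("5", 3, 100), usable_capacity("10", 4, 100))  # 200 200
```

Reading with `failed=(1,)` never touches drive 1's blocks, which is exactly what a controller does during a rebuild; a second failure leaves an unknown term in every XOR and the read is refused, which is the reason the guide lists level 6 with its second parity scheme.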
39 of 40
Insurance Coverage
- IS equipment/facilities
- Software media reconstruction
- Extra expense of continuing operations after disaster; loss due to computer media damage
- Business interruption
- Valuable papers and records
- Errors and omissions
- Fidelity coverage: loss due to dishonest/fraudulent acts
- Media transportation
- Covers loss based on historical performance, not existing
- No compensation for loss of image/goodwill

Grandfather (monthly), father (weekly), son (daily) backup rotation scheme
40 of 40