
DOMAIN 5 – PROTECTION OF INFORMATION ASSETS
CPIS606 - IS Auditing

5.2 INFORMATION SECURITY MANAGEMENT (ISM)
Security objectives to meet organization’s business requirements include:

 Ensure continued availability of their information systems

 Ensure integrity of the information stored on their computer systems

 Preserve confidentiality of sensitive data in store and in transit

 Ensure conformity to applicable laws, regulations, and standards

 Ensure adherence to trust and obligation in relation to any information relating to an identified or identifiable individual
2
5.2.1 KEY ELEMENTS OF ISM
Key elements of information security management are:

 Senior management commitment and support

 Policies and procedures

 Security awareness and education

 Monitoring and compliance

 Incident handling and response

3
5.2.2 ISM ROLES AND RESPONSIBILITIES
Responsibilities to consider by position include:

 Executive management
 IS security steering committee
 Security advisory group
 Chief Privacy Officer (CPO)
 Chief Security Officer (CSO)
 Process owners
 Information assets owners and data owners

4
5.2.2 ISM ROLES AND RESPONSIBILITIES
 Users
 External parties
 Security administrator
 Specialists or advisors
 IT developers
 IS auditors

5
5.2.3 INVENTORY AND CLASSIFICATION OF INFORMATION ASSETS
The inventory record of each information asset should include:

 Specific identification of assets


 Relative value to the organization
 Location
 Security or risk classification
 Asset group
 Owner
 Designated custodian

6
5.2.4 SYSTEM ACCESS PERMISSION
 Who has access rights and to what?

 What is the level of access to be granted?

 Who is responsible for determining the access rights and access levels?

 What approvals are needed for access?

7
5.2.6 CRITICAL SUCCESS FACTORS TO ISM
 Strong commitment and support by senior management on security training

 A professional risk-based approach must be used systematically to identify sensitive and critical resources

8
5.2.7 INFORMATION SECURITY AND EXTERNAL PARTIES
 The information processing facilities an external party is required to access

 The type of access the external party will have to the information and information processing facilities, for example:

 Physical access, e.g., to offices, computer rooms and filing cabinets

 Logical access, e.g., to an organization’s database and information systems

 Network connectivity between the organization’s and the external party’s network(s), e.g., permanent connection and remote access

 Whether the access is taking place onsite or offsite

 The value and sensitivity of the information

9


5.2.7 INFORMATION SECURITY AND EXTERNAL PARTIES
 How the organization or personnel authorized to have access can be identified, the authorization verified, and how often this needs to be reconfirmed

 The different means and controls employed by the external party when storing, processing, communicating, sharing and exchanging information

 The impact of access not being available to the external party when required, and the external party entering or receiving inaccurate or misleading information

 Practices and procedures to deal with information security incidents and potential damages, and the terms and conditions for the continuation of external party access in the case of an information security incident

10
5.2.7 INFORMATION SECURITY AND EXTERNAL PARTIES

 Legal and regulatory requirements and other contractual obligations relevant to the external party that should be taken into account

 How the interests of any other stakeholders may be affected by the arrangements

11
5.2.8 SECURITY INCIDENT HANDLING AND RESPONSE
A formal incident response capability should be established and should include the following phases:
 Planning
 Detection
 Initiation
 Recording
 Evaluation
 Containment
 Eradication
 Escalation
 Response
 Closure
 Reporting
 Post incident review
 Lessons learned

12
5.3 LOGICAL ACCESS CONTROLS
Logical access controls are the primary means used to manage and protect
information assets.

The advantages of using Logical Access Controls are:

 It ensures the integrity of the information stored on the computer system

 It preserves the confidentiality of sensitive data

 It ensures the continued availability of the information systems.

13
5.3.1 LOGICAL ACCESS EXPOSURES
Technical exposures include:
 Data leakage
 Wire tapping
 Viruses and Worms
 Logic bombs
 Denial-of-Service (DoS) attacks
 Distributed DoS (using Trojan horses)
 Computer shutdown
 War driving

14
5.3.2 FAMILIARIZATION WITH THE ORGANIZATION’S IT ENVIRONMENT
 It is important for IS auditors to gain a technical and organizational understanding of the organization’s IT environment.

 This helps them identify the risk areas on which IS auditing should focus when planning current and future work, and finally to assess the logical controls effectively.

 The work includes reviewing of:


 The network
 Operating system platform
 Database and application security layers

15
5.3.3 PATHS OF LOGICAL ACCESS
 Access or points of entry to an organization's IS infrastructure can be
gained through several avenues.

 The general points of entry and/or the modes of access into this infrastructure are the following:

 Network connectivity
 Remote access
 Operator console
 Online workstations or terminals

16
5.3.4 LOGICAL ACCESS CONTROL SOFTWARE

General operating and/or application systems access control functions include the following:
 Create or change user profiles
 Assign user identification and authentication
 Apply user logon limitation rules
 Notification concerning proper use and access prior to initial login
 Create individual accountability and auditability by logging user activities
 Establish rules for access to specific information resources (for example,
system-level application resources and data)
 Log events
 Report capabilities

17
5.3.4 LOGICAL ACCESS CONTROL SOFTWARE

Database and/or application-level access control functions include:

 Create or change data files and database profiles


 Verify user authorization at the application and transaction levels
 Verify user authorization within the application
 Verify user authorization at the field level for changes within a database
 Verify subsystem authorization for the user at the file level
 Log database or data communications access activities for monitoring
access violations

18
5.3.5 IDENTIFICATION AND AUTHENTICATION (I&A)

Some of I&A's common vulnerabilities that may be exploited to gain unauthorized system access include:

 Weak authentication methods


 Lack of confidentiality and integrity for the stored authentication
information
 Lack of encryption for authentication and protection of information
transmitted over a network
 User’s lack of knowledge on the risks associated with sharing passwords,
security tokens, etc

19
5.3.5 IDENTIFICATION AND AUTHENTICATION (I&A)

 Logon IDs and passwords (something you know)


 Features of passwords
 Password syntax (format) rules

 Token devices, one-time passwords (something you have and something you know)
 Two-factor authentication technique

 Biometric (something you are or you do)


 Management of biometrics

 Single Sign-on (SSO)


 Advantage and Disadvantage

20
5.3.5 IDENTIFICATION AND AUTHENTICATION (I&A)

Some of the best practices for login IDs are:


 To enforce strict lock-out policy
 Deactivate IDs that are not used
 Set the system to automatically disconnect when there is no activity

Some rules to follow for passwords are:


 They should be a minimum of 8 characters
 They should be a combination of alpha, numeric, upper and lower case and
special characters
 They should be changed periodically (password history or no re-use policy)
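
The logon-ID practices and password rules above, implemented as an added example; this is not course material, and the lockout count, lockout duration, idle timeout, history depth and inactivity limit are assumptions chosen for the demo:

```python
"""Added example (not course material): enforcing the logon-ID and password
rules listed on this slide. Limits marked 'assumption' are chosen for the
demo, not taken from the course."""
import hashlib
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 8                          # slide: minimum of 8 characters
HISTORY_DEPTH = 5                       # assumption: remember the last 5 hashes
MAX_FAILURES = 3                        # assumption: lock after 3 bad attempts
LOCKOUT = timedelta(minutes=30)         # assumption
IDLE_TIMEOUT = timedelta(minutes=15)    # assumption: auto-disconnect limit
UNUSED_LIMIT = timedelta(days=90)       # assumption: deactivate after 90 idle days


def _digest(pw: str) -> str:
    # Plain SHA-256 only illustrates the history comparison; a real password
    # store uses a salted, slow hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256(pw.encode()).hexdigest()


def password_problems(candidate: str, history: List[str]) -> List[str]:
    """Return the rules the candidate breaks (empty list means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lower": any(c.islower() for c in candidate),
        "upper": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    if _digest(candidate) in history:
        problems.append("reuses a recent password")
    return problems


@dataclass
class Account:
    login_id: str
    password_hash: str
    history: List[str] = field(default_factory=list)
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    active: bool = True

    def change_password(self, new_pw: str) -> bool:
        """Apply the syntax rules and the no-re-use (history) rule."""
        if password_problems(new_pw, self.history + [self.password_hash]):
            return False
        self.history = (self.history + [self.password_hash])[-HISTORY_DEPTH:]
        self.password_hash = _digest(new_pw)
        return True

    def attempt_logon(self, pw: str, now: datetime) -> str:
        """Return 'ok', 'denied', 'locked' or 'deactivated'."""
        if self.active and self.last_activity and now - self.last_activity > UNUSED_LIMIT:
            self.active = False                     # slide: deactivate unused IDs
        if not self.active:
            return "deactivated"
        if self.locked_until and now < self.locked_until:
            return "locked"
        if _digest(pw) == self.password_hash:
            self.failures, self.locked_until, self.last_activity = 0, None, now
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:           # slide: strict lock-out policy
            self.locked_until = now + LOCKOUT
            self.failures = 0
            return "locked"
        return "denied"

    def session_expired(self, now: datetime) -> bool:
        """Slide: disconnect automatically when there is no activity."""
        return self.last_activity is not None and now - self.last_activity > IDLE_TIMEOUT


def run_scenario() -> List[str]:
    """Walk one constructed account through the controls; returns the outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0)                 # constructed timeline
    acct = Account("alice", _digest("Sunny-Day-2024"))
    out = ["weak:" + ";".join(password_problems("short1!", []))]
    out.append("reuse:" + str(acct.change_password("Sunny-Day-2024")))
    out.append("change:" + str(acct.change_password("Rainy-Night-2025")))
    for _ in range(3):                              # three bad guesses -> lockout
        out.append(acct.attempt_logon("wrong", t0))
    out.append(acct.attempt_logon("Rainy-Night-2025", t0 + timedelta(minutes=5)))
    out.append(acct.attempt_logon("Rainy-Night-2025", t0 + timedelta(minutes=31)))
    out.append("idle:" + str(acct.session_expired(t0 + timedelta(minutes=47))))
    out.append(acct.attempt_logon("Rainy-Night-2025", t0 + timedelta(days=120)))
    return out


if __name__ == "__main__":
    print("\n".join(run_scenario()))
```

Running the module walks the account through a weak-password rejection, a re-use rejection, three failed logons that trigger the lockout, a correct password refused while locked, the idle-session check and the inactivity deactivation.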

21
5.3.5 IDENTIFICATION AND AUTHENTICATION (I&A)

 Token devices and one-time passwords


 Two-factor authentication technique (e.g., token card or USB - something you have; and a PIN - something you know)

 Biometrics
 Quantitative measures (FRR, FAR, and EER)
 Physically-oriented biometric (something you are)

- Retina scan (highly reliable, lowest FAR)
- Face or hand or palm (less reliable due to lack of uniqueness)

 Behavior-oriented biometric (something you do)

- Signature and voice recognition
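
The quantitative measures FRR, FAR and EER, worked through on constructed match scores as an added example (not part of the course slides; the score lists and the 0 to 100 scale are assumptions):

```python
"""Added example (not course material): computing the quantitative biometric
measures named on the slide, FAR, FRR and EER, from constructed match scores."""
from typing import List, Tuple

# Constructed similarity scores on a 0..100 scale: higher = closer to the
# enrolled template. Genuine = same person, impostor = a different person.
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 62, 55]
IMPOSTOR_SCORES = [68, 64, 60, 52, 48, 44, 40, 30]


def far(threshold: int, impostor: List[int] = IMPOSTOR_SCORES) -> float:
    """False acceptance rate: fraction of impostor attempts at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine: List[int] = GENUINE_SCORES) -> float:
    """False rejection rate: fraction of genuine attempts below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine: List[int] = GENUINE_SCORES,
                     impostor: List[int] = IMPOSTOR_SCORES) -> Tuple[int, float]:
    """Sweep the threshold and return (threshold, EER) where FAR and FRR are closest."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < best[0]:
            best = (abs(a - r), t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_max_far(max_far: float, genuine: List[int] = GENUINE_SCORES,
                          impostor: List[int] = IMPOSTOR_SCORES) -> Tuple[int, float]:
    """Lowest threshold that keeps FAR <= max_far, with the FRR paid for it.
    Tightening FAR (as a retina-scan deployment would) raises FRR."""
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return 101, 1.0


def roc_table(step: int = 10) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) rows an auditor could compare against vendor claims."""
    return [(t, far(t), frr(t)) for t in range(0, 101, step)]


if __name__ == "__main__":
    for row in roc_table():
        print("threshold %3d  FAR %.3f  FRR %.3f" % row)
    print("EER at threshold %d = %.3f" % equal_error_rate())
    print("FAR=0 needs threshold %d, FRR %.3f" % threshold_for_max_far(0.0))
```

The sweep shows the trade-off behind the slide's reliability ranking: with these scores the EER sits at a threshold of 63 (25% each way), while driving FAR to zero, the property the slide credits retina scans with, pushes the threshold to 69 and costs a 25% FRR.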

22
5.3.5 SINGLE SIGN-ON (SSO) IN I&A
 SSO is the process for consolidating all organizational platform-based
administration, authentication, and authorization functions into a single
centralized administrative function.

 An SSO interfaces with:


 Client-server and distributed systems
 Mainframe systems
 Network security including remote access mechanisms

23
5.3.5 ADVANTAGES AND DISADVANTAGES OF SSO IN I&A

Advantages of SSO are:


 Multiple passwords are no longer required, therefore, a user may be more
inclined and motivated to select a stronger password.

 It improves an administrator’s ability to manage users’ accounts and authorizations to all associated systems.

 It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications.

 It reduces the time taken by users to log into multiple applications and
platforms

24
5.3.5 ADVANTAGES AND DISADVANTAGES OF SSO IN I&A
Disadvantages of SSO are:

 Support for all major operating system environments is difficult.

 The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization’s information assets

25
5.3.6 AUTHORIZATION ISSUES
Access restrictions at the file level include:
 Read, inquiry, or copy only
 Write, create, update, or delete only
 Execute only
 A combination of the above

Access Control Lists (ACLs) refer to a register of:


 Users who have permission to use a particular system resource
 The types of access permitted
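
An ACL of the kind just described, using the file-level access types from the list above, as an added example that is not course material; the resource name, user IDs and rights are constructed, and the least-privilege review is the check an auditor would run against such a register:

```python
"""Added example (not course material): a minimal access control list with
the file-level access types from the slide and a least-privilege review."""
from enum import Flag
from typing import Dict, List, Tuple


class Access(Flag):
    NONE = 0
    READ = 1       # read, inquiry or copy only
    WRITE = 2      # write, create, update or delete only
    EXECUTE = 4    # execute only


class AccessControlList:
    """Register of which users may use one resource and the types of access permitted."""

    def __init__(self, resource: str):
        self.resource = resource
        self._entries: Dict[str, Access] = {}

    def grant(self, user: str, access: Access) -> None:
        self._entries[user] = self._entries.get(user, Access.NONE) | access

    def revoke(self, user: str, access: Access) -> None:
        self._entries[user] = self._entries.get(user, Access.NONE) & ~access

    def permitted(self, user: str, requested: Access) -> bool:
        """Default deny: a user absent from the register gets nothing."""
        return (self._entries.get(user, Access.NONE) & requested) == requested

    def entries(self) -> List[Tuple[str, Access]]:
        return sorted(self._entries.items())


def excess_privileges(acl: AccessControlList,
                      role_needs: Dict[str, Access]) -> Dict[str, Access]:
    """Auditor check: access each user holds beyond what the role requires."""
    excess = {}
    for user, held in acl.entries():
        extra = held & ~role_needs.get(user, Access.NONE)
        if extra:
            excess[user] = extra
    return excess


def build_sample_acl() -> AccessControlList:
    """Constructed register for a payroll file (names and rights are made up)."""
    acl = AccessControlList("PAYROLL.MASTER")
    acl.grant("pclerk", Access.READ | Access.WRITE)   # payroll clerk updates records
    acl.grant("auditor", Access.READ)                  # inquiry only
    acl.grant("batchjob", Access.EXECUTE | Access.READ | Access.WRITE)
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    needs = {"pclerk": Access.READ | Access.WRITE, "auditor": Access.READ,
             "batchjob": Access.EXECUTE | Access.READ}   # constructed role requirements
    for user, held in acl.entries():
        print(user, held)
    print("excess:", excess_privileges(acl, needs))
```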

Logical access security administration happens through either of the following:


 Centralized environment
 Decentralized environment

26
5.3.6 AUTHORIZATION ISSUES
The advantages of conducting security in a decentralized
environment are:
 Security administration is onsite at the distributed location
 Security issues are resolved in a timely manner
 Security controls are monitored frequently

Some of the risks associated with distributed responsibility for security administration are:
 Local standards might be implemented rather than those required
 Levels of security management might be below what can be maintained by central administration
 Unavailability of management checks and audits

27
5.3.6 AUTHORIZATION ISSUES
Remote access security
 Today’s organizations require remote access connectivity to their
information resources for different types of users such as employees,
vendors, consultants, business partners, and customer representatives.

 TCP/IP Internet-based remote access is a cost-effective and inexpensive approach.

28
5.3.6 AUTHORIZATION ISSUES
Remote access security risks include:

 Denial of service
 Malicious third parties
 Misconfigured communications software
 Misconfigured devices on the corporate computing infrastructure
 Host systems that are not secured appropriately
 Physical security issues over remote users’ computers

29
5.3.6 AUTHORIZATION ISSUES
Remote access security controls include:

 Policies and standards


 Proper authorizations
 Identification and authentication mechanisms
 Encryption tools and techniques (for example, the use of VPN)
 System and network management

30
5.3.6 AUTHORIZATION ISSUES
Remote access using Personal Digital Assistants (PDAs) raises control issues including the following:
 Compliance
 Approval
 Standard PDA applications
 Due care
 Awareness training
 PDA applications
 Synchronization
 Encryption
 Virus detection and control
 Device registration
 Camera use

31
5.3.6 AUTHORIZATION ISSUES
 There can be several access issues with mobile technology. Therefore,
these devices should be strictly controlled both by policy and by denial of
use.

 Some of the possible actions to deal with the access issues include:

 Banning all use of transportable drives in the security policy

 Disabling use of mobiles with a logon script which removes them from
the system directory, where no authorized use of USB ports exists

 If they are considered necessary for business use, encrypting all data
transported or saved by these devices

32
5.3.6 AUTHORIZATION ISSUES
Audit logging in monitoring system access provides management an audit trail
to monitor activities of a suspicious nature, such as a hacker attempting brute
force attacks on a privileged logon ID.

Access rights to system logs:

 Security and administration personnel who maintain logical access functions may have no need for access to audit logs

 Confidentiality of audit trail information needs to be protected

 A periodic review of system-generated logs can detect security issues, including inappropriate access rights
33
5.3.6 AUTHORIZATION ISSUES
Tools for audit trails (logs) analysis

 Audit reduction tools
 Trends or variance-detection tools
 Attack signature-detection tools
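
The three tool types above, together with the brute-force-on-a-privileged-ID case from the audit-logging slide, run over constructed log lines as an added example (not course material; the log format, the internal address range, the privileged and vendor-default ID lists and the thresholds are all assumptions):

```python
"""Added example (not course material): audit-trail analysis over constructed
log lines. Shows audit reduction, variance detection and attack-signature
detection, plus the brute-force-on-a-privileged-ID case from the slide.
Log format, address range, ID lists and thresholds are assumptions."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample audit trail (sshd-style wording, invented for this example).
LOG_LINES = """\
2024-03-04T08:00:01 host1 sshd: Accepted password for jsmith from 10.0.0.5
2024-03-04T08:00:40 host1 sshd: Failed password for jsmith from 10.0.0.5
2024-03-04T08:00:52 host1 sshd: Accepted password for jsmith from 10.0.0.5
2024-03-04T08:02:00 host1 sshd: Failed password for root from 203.0.113.9
2024-03-04T08:02:05 host1 sshd: Failed password for root from 203.0.113.9
2024-03-04T08:02:09 host1 sshd: Failed password for root from 203.0.113.9
2024-03-04T08:02:14 host1 sshd: Failed password for root from 203.0.113.9
2024-03-04T08:02:20 host1 sshd: Failed password for root from 203.0.113.9
2024-03-04T08:30:00 host1 sshd: Failed password for guest from 198.51.100.7
2024-03-04T09:15:00 host1 sshd: Accepted password for admin from 198.51.100.7
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
                     r"password for (?P<user>\S+) from (?P<src>\S+)$")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumption: internal range
PRIVILEGED_IDS = {"root", "admin"}                   # assumption
VENDOR_DEFAULT_IDS = {"guest", "test", "operator"}   # assumption: signature list


def parse(lines: List[str]) -> List[dict]:
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def audit_reduce(events: List[dict]) -> List[dict]:
    """Audit reduction: drop routine successful logons from the internal network
    so the reviewer sees only failures and logons from outside."""
    return [e for e in events
            if not (e["result"] == "Accepted"
                    and ipaddress.ip_address(e["src"]) in INTERNAL)]


def brute_force_attempts(events: List[dict], threshold: int = 5,
                         window: timedelta = timedelta(minutes=1)) -> List[Tuple[str, str]]:
    """(user, source) pairs with >= threshold failures on a privileged ID inside one window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed" and e["user"] in PRIVILEGED_IDS:
            failures[(e["user"], e["src"])].append(e["ts"])
    flagged = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(key)
                break
    return flagged


def failure_variance(events: List[dict], baseline_per_hour: int = 1) -> Dict[str, int]:
    """Trend/variance detection: hours whose failure count exceeds the baseline."""
    per_hour = Counter(e["ts"].replace(minute=0, second=0)
                       for e in events if e["result"] == "Failed")
    return {hour.isoformat(): n for hour, n in per_hour.items() if n > baseline_per_hour}


def signature_matches(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Attack-signature detection: any use of a vendor default logon ID."""
    return [(e["ts"].isoformat(), e["user"], e["src"])
            for e in events if e["user"] in VENDOR_DEFAULT_IDS]


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("after reduction:", len(audit_reduce(evs)), "of", len(evs), "events")
    print("brute force:", brute_force_attempts(evs))
    print("variance:", failure_variance(evs))
    print("signatures:", signature_matches(evs))
```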

34
5.3.6 AUTHORIZATION ISSUES
Attempted security violations can be detected or prevented by implementing
the following:
 Intrusion Detection System (IDS)
 Intrusion Prevention System (IPS)

Restricting and Monitoring Access


 Bypass Label Processing (BLP)
 System Exits
 Special system logon IDs (vendor default IDs)

Naming Conventions for Logical Access Controls


 Reduce the number of access rules required to protect system resources

35
5.3.7 HANDLING CONFIDENTIAL INFORMATION

Storing, retrieving, transporting and disposing of confidential information in a proper way is crucial for our business. Therefore, it is important to have policies for:
 Backup files of databases
 Data banks
 Disposal of media previously used to hold confidential information
(example, Degaussing magnetic tapes)
 Management of equipment sent for offsite maintenance
 Public agencies and organizations concerned with sensitive, critical or
confidential information
 Storage records

36
5.3.7 HANDLING CONFIDENTIAL INFORMATION

There is a risk of losing information during shipment or storage. Some of the recommendations applicable to all types of media are:
 To keep media out of direct sunlight
 To keep them free of liquids
 To keep them free of dust
 To minimize exposure to magnetic fields, radio equipment, or any sources of vibration
 Not to transport in areas and/or at times of exposure to strong magnetic storms

37
5.3.7 HANDLING CONFIDENTIAL INFORMATION

38
5.4 NETWORK INFRASTRUCTURE SECURITY
Some of the controls over communication networks are as follows:
 Network control functions should be performed by technically qualified operators.

 Network control functions should be separated and the duties should be rotated
on a regular basis, where possible.

 Network control software must restrict operator access from performing certain
functions (example, the ability to amend or delete operator activity logs).

 Network control software should maintain an audit trail of all operator activities.

 Audit trails should be periodically reviewed by operations management to detect any unauthorized network operations activities.

39
5.4.1 LAN SECURITY
The IS auditor should identify and document:

 LAN topology and network design


 LAN administrator or LAN owner
 Functions performed by the LAN administrator or owner
 Distinct groups of LAN users
 Computer applications used on the LAN
 Procedures and standards relating to network design, support, naming
conventions, and data security

40
5.4.2 CLIENT-SERVER SECURITY
The control techniques that should be in place are:

 Securing access to data or application


 Use of network monitoring devices
 Data encryption techniques
 Authentication systems

41
5.4.3 WIRELESS SECURITY THREATS AND RISK MITIGATION
Some of the common threats are:
 Errors and omissions
 Fraud and theft committed by authorized or unauthorized users of the
system
 Employee sabotage
 Loss of physical and infrastructure support
 Malicious hackers
 Industrial espionage
 Malicious code
 Threats to personal privacy

42
5.4.3 WIRELESS SECURITY THREATS AND RISK MITIGATION
 To mitigate these risks, an organization must adopt security measures and
practices that help bring their risks to a manageable level.

 Some of the security requirements are:

o Authenticity
o Nonrepudiation
o Accountability
o Network availability

43
5.4.3 WIRELESS SECURITY THREATS AND RISK MITIGATION
 Malicious access to WLANs includes:

o War driving
o War walking
o War chalking

 Malicious access to WPANs includes:

o Man-in-the-middle attack

44
5.4.4 INTERNET THREATS AND SECURITY
Network security attacks could be of two types:

Passive attacks: examples of passive attacks that gather network information include network analysis, eavesdropping and traffic analysis.

Active attacks: once enough network information has been gathered, the intruder will launch an actual attack against a targeted system to either gain complete control over that system or enough control to cause certain threats to be realized.

45
5.4.4 INTERNET THREATS AND SECURITY
Passive attacks:
 Network analysis
 Eavesdropping
 Traffic analysis

Active attacks:
- Brute-force attack
- Masquerading
- Packet replay
- Phishing
- Message modification
- Unauthorized access
- Denial of service
- Email spamming
- Email spoofing

46
5.4.4 INTERNET THREATS AND SECURITY
Causal factors for Internet attacks are:

 Availability of tools and techniques on the Internet


 Lack of security awareness and training
 Exploitation of security vulnerabilities
 Inadequate security over firewalls

o Internet security controls

47
5.4.4 INTERNET THREATS AND SECURITY
Firewalls enable organizations to:
 Block access to particular sites on the Internet
 Limit traffic on an organization’s public services segment to relevant
addresses and ports
 Prevent certain users from accessing certain servers or services
 Monitor communications between an internal and an external network
 Monitor and record all communications between an internal network and
the outside world to investigate network penetrations or detect internal
subversion
 Encrypt packets that are sent between different physical locations within
an organization by creating a VPN over the Internet (IP security [IPSec],
VPN tunnels)

48
5.4.4 INTERNET THREATS AND SECURITY
Firewall implementations can take advantage of the functionality available in
a variety of firewall designs, to provide a robust layered approach in
protecting an organization’s information assets.

Examples of firewall implementations are:


 Screened-host firewall
 Dual-homed firewall
 De-militarized Zone (DMZ)

49
5.4.4 INTERNET THREATS AND SECURITY

Some of the common firewall issues are:

 A false sense of security


 The circumvention of firewall
 Misconfigured firewalls

 Monitoring activities may not occur on a regular basis


 Firewall policies

Firewall Types
 Router packet filtering
 Application firewall systems
 Stateful inspection
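
Router packet filtering, stateful inspection and an application-level check, contrasted on a constructed packet sequence as an added example that is not course material (addresses, ports and rules are assumptions):

```python
"""Added example (not course material): why stateful inspection is safer than
plain router packet filtering, plus a minimal application-layer check. All
addresses, ports and rules are constructed for the demo."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = internal -> Internet, "in" = Internet -> internal
    src: str
    sport: int
    dst: str
    dport: int


# Router packet filtering: each packet is judged on its own header fields.
# To let HTTPS replies back in, the filter must trust ANY inbound packet whose
# source port is 443, whether or not an inside client asked for it.
STATELESS_RULES: List[Tuple[str, Optional[int], Optional[int], str]] = [
    ("out", None, 443, "permit"),   # internal clients may reach HTTPS servers
    ("in", 443, None, "permit"),    # replies arrive with source port 443
]


def stateless_decision(pkt: Packet) -> str:
    for direction, sport, dport, action in STATELESS_RULES:
        if (pkt.direction == direction
                and (sport is None or sport == pkt.sport)
                and (dport is None or dport == pkt.dport)):
            return action
    return "deny"   # implicit default


class StatefulFirewall:
    """Stateful inspection: inbound traffic is permitted only when it matches a
    connection the inside initiated and that is still in the state table."""

    def __init__(self) -> None:
        self.state: set = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out" and pkt.dport == 443:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "permit"
        return "deny"


def application_decision(request_line: str,
                         allowed_methods: Tuple[str, ...] = ("GET", "POST")) -> str:
    """Application firewall: looks inside the payload, which neither header-only
    design above can do."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "deny"
    return "permit" if parts[0] in allowed_methods else "deny"


def compare_designs() -> List[Tuple[str, str, str]]:
    """Run a constructed packet sequence through both header-level designs.
    Returns (label, stateless decision, stateful decision) per packet."""
    client_req = Packet("out", "10.0.0.5", 51000, "203.0.113.20", 443)
    server_reply = Packet("in", "203.0.113.20", 443, "10.0.0.5", 51000)
    # An unsolicited inbound packet whose source port happens to be 443, aimed
    # at an internal management port: the 'circumvention' issue from the slide.
    unsolicited = Packet("in", "198.51.100.7", 443, "10.0.0.5", 3389)
    fw = StatefulFirewall()
    return [(name, stateless_decision(p), fw.decide(p))
            for name, p in [("client request", client_req),
                            ("server reply", server_reply),
                            ("unsolicited inbound", unsolicited)]]


if __name__ == "__main__":
    for name, stateless, stateful in compare_designs():
        print(f"{name:20s} stateless={stateless:6s} stateful={stateful}")
    print("GET allowed:", application_decision("GET /index.html HTTP/1.1"))
    print("TRACE allowed:", application_decision("TRACE / HTTP/1.1"))
```

The sequence makes the point behind the slide's "circumvention of firewall" issue: a header-only filter that admits replies by source port cannot tell a genuine reply from any other inbound packet carrying that source port, while the state table can, and only the application firewall can judge what the packet carries.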

50
5.4.4 INTERNET THREATS AND SECURITY
Intrusion Detection System (IDS)
 An IDS works in conjunction with routers and firewalls by monitoring
network usage anomalies.

 The two types of IDS are:

o Network-based IDS
o Host-based IDS
Components of an IDS are:
 Sensors that are responsible for collecting data
 Analyzers that receive input from sensors and determine intrusive activity
 An administration console
 A user interface
51
5.4.4 INTERNET THREATS AND SECURITY
Features of an IDS are:

 Intrusion detection
 Gathering evidence on intrusive activity
 Automated response
 Security monitoring
 Interface with system tools
 Security policy management

52
5.4.4 INTERNET THREATS AND SECURITY
 Honeypots act as decoy systems to detect active Internet attacks.

 There are two basic types of honeypots:

o High interaction — Give hackers a real environment to attack
o Low interaction — Emulate production environments

 A honeynet is multiple honeypots networked together to let hackers break into a false network.

53
5.4.5 ENCRYPTION
 The key elements of encryption systems are:

o Encryption algorithm
o Encryption key
o Key length

 There are two types of cryptographic systems. They are:

o Symmetric key systems (Private key cryptographic systems)
o Asymmetric key systems (Public key cryptographic systems)

54
5.4.5 ENCRYPTION
Types of encryption are:

 Elliptic Curve Cryptosystem (ECC)
 Quantum Cryptography
 Advanced Encryption Standard (AES)

 Digital Signatures

Features of a digital signature are:


 Data integrity

 Authentication
 Nonrepudiation

 Replay protection
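
The four digital-signature features listed above, demonstrated as an added example that is not course material. The RSA numbers are a textbook toy with constructed primes far below any secure size, and the HMAC function is included only to contrast the symmetric and asymmetric systems named on the previous slide:

```python
"""Added example (not course material): the four digital-signature features on
the slide, shown with a textbook RSA toy and a replay cache. Key sizes here are
far too small to be secure; they are constructed for illustration only."""
import hashlib
import hmac
from typing import List, Tuple


def _keypair(p: int, q: int, e: int = 65537) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Textbook RSA from two constructed primes; returns ((n, e), (n, d))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent (Python 3.8+)
    return (n, e), (n, d)


PUB_A, PRIV_A = _keypair(1000003, 1000033)   # signer A's pair (toy primes)
PUB_B, PRIV_B = _keypair(1000037, 1000039)   # a different party's pair


def _digest(message: bytes, nonce: str, n: int) -> int:
    """Hash message and nonce together so one signature binds both."""
    h = hashlib.sha256(nonce.encode() + b"|" + message).digest()
    return int.from_bytes(h, "big") % n


def sign(message: bytes, nonce: str, priv: Tuple[int, int]) -> int:
    n, d = priv
    return pow(_digest(message, nonce, n), d, n)


def verify(message: bytes, nonce: str, signature: int, pub: Tuple[int, int]) -> bool:
    n, e = pub
    return pow(signature, e, n) == _digest(message, nonce, n)


class Verifier:
    """Receiver side: checks the signature, then rejects any nonce seen before."""

    def __init__(self, pub: Tuple[int, int]):
        self.pub = pub
        self.seen_nonces = set()

    def accept(self, message: bytes, nonce: str, signature: int) -> str:
        if not verify(message, nonce, signature, self.pub):
            return "rejected: bad signature"    # integrity or authentication failure
        if nonce in self.seen_nonces:
            return "rejected: replay"           # replay protection
        self.seen_nonces.add(nonce)
        return "accepted"


def symmetric_tag(message: bytes, shared_key: bytes) -> str:
    """Contrast: an HMAC (symmetric) gives integrity and authentication between
    the two key holders but not nonrepudiation, since either side could have
    produced it."""
    return hmac.new(shared_key, message, hashlib.sha256).hexdigest()


def demo() -> List[str]:
    msg = b"approve payment 1200 to vendor 77"        # constructed message
    tampered = b"approve payment 9200 to vendor 77"
    v = Verifier(PUB_A)
    s1 = sign(msg, "n-001", PRIV_A)
    return [
        v.accept(msg, "n-001", s1),                          # genuine: accepted
        v.accept(tampered, "n-001", s1),                     # integrity: rejected
        v.accept(msg, "n-001", s1),                          # replay: rejected
        v.accept(msg, "n-002", sign(msg, "n-002", PRIV_B)),  # wrong signer: rejected
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Integrity fails when the message changes, authentication fails when a different key signed, the nonce cache supplies replay protection, and nonrepudiation follows from the private exponent being held by the signer alone, which is exactly what the shared-key HMAC cannot provide.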

55
5.4.5 ENCRYPTION
Uses of encryption in OSI protocols include:
 Secure Sockets Layer (SSL)
 Secure Hypertext Transfer Protocol (S/HTTP)
 IP Security
 SSH
 Secure Multipurpose Internet Mail Extensions (S/MIME)
 Secure Electronic Transactions (SET)

56
5.5 AUDITING LOGICAL ACCESS
When evaluating logical access controls, the IS auditor should:

 Obtain a general understanding of the security risks facing information processing.
 Document and evaluate controls over potential access paths into the
system.
 Test control over access paths to determine whether they are functioning
and effective
 Evaluate the access control environment to determine if the control
objectives are achieved
 Evaluate the security environment to assess its adequacy

57
5.5.1 TECHNIQUES FOR TESTING SECURITY
 Terminal cards and keys
 Terminal identification
 Login IDs and passwords
 Controls over production resources
 Logging and reporting access violations
 Follow-up access violations
 Bypassing security and compensating controls

58
5.6 AUDITING NETWORK INFRASTRUCTURE SECURITY
When performing an audit of the network infrastructure, the IS auditor
should:
 Review network diagrams
 Identify the network design implemented
 Determine whether applicable security policies, standards, procedures, and guidance on network management and usage exist
 Identify who is responsible for security and operation of Internet
connections
 Identify legal problems arising from the Internet
 Review Service Level Agreements (SLAs), if applicable
 Review network administrator procedures

59
5.7.1 ENVIRONMENTAL ISSUES AND EXPOSURES
Environmental exposures are primarily due to naturally occurring events
such as lightning storms, earthquakes, volcanic eruptions, hurricanes,
tornados and other types of extreme weather conditions.

Power failures can be grouped into the following categories:


 Total failure (blackout)
 Severely reduced voltage (brownout)
 Sags, spikes and surges
 Electromagnetic interference (EMI)

60
5.7.2 CONTROLS FOR ENVIRONMENTAL EXPOSURES
Ways to control environmental exposures are:
 Alarm control panels
 Water detectors
 Handheld fire extinguishers
 Manual fire alarms
 Smoke detectors
 Fire suppression systems

o Dry-pipe sprinkling systems (most effective and environmentally friendly)
 Strategically locating the computer room
 Regular inspection by fire department
 Documented and tested emergency evacuation plans
61
5.8.1 PHYSICAL ACCESS ISSUES AND EXPOSURES
Exposures that exist from accidental or intentional violation of these access
paths include:

 Unauthorized entry
 Damage to or theft of equipment or documents
 Copying or viewing of sensitive or copyrighted information
 Alteration of sensitive equipment and information
 Public disclosure of sensitive information
 Abuse of data processing resources
 Blackmail
 Embezzlement

62
5.8.2 PHYSICAL ACCESS CONTROLS
Examples of some of the more common access controls are:
 Bolting door locks
 Combination door locks (cipher locks)
 Electronic door locks
 Biometric door locks
 Manual logging
 Electronic logging
 Identification badges (photo IDs)
 Video cameras
 Security guards
 Controlled visitor access
 Deadman doors
 Alarm System
 Windows

63
5.8.3 AUDITING PHYSICAL ACCESS
 Touring the Information Processing Facility (IPF) is useful.
 Testing should extend beyond IPF to include the following related facilities:

o Location of all operator consoles
o Printer rooms, computer storage rooms
o UPS or generator
o Location of all communications equipment identified on the network
diagram
o Tape library
o Off-site backup storage facility

64
