CISA Exam Prep Domain 5 - 2019

Domain 5 focuses on ensuring confidentiality, integrity and availability of information assets. It covers the design, implementation and monitoring of logical and physical access controls, network security, environmental controls, and processes for classifying, storing, and disposing of confidential information.

Domain 5

Domain 5 focuses on the key components that ensure confidentiality, integrity and availability (CIA) of information assets. The design, implementation and monitoring of logical and physical access controls are explained. Network infrastructure security, environmental controls, and the processes and procedures used to classify, enter, store, retrieve, transport and dispose of confidential information assets are covered. The methods and procedures followed by organizations are described, focusing on the auditor's role in evaluating these procedures for suitability and effectiveness.
On the CISA Exam

• Domain 1: Information Systems Auditing Process, 21%
• Domain 2: Governance and Management of IT, 17%
• Domain 3: Information Systems Acquisition, Development and Implementation, 12%
• Domain 4: Information Systems Operations and Business Resilience, 23%
• Domain 5: Protection of Information Assets, 27%
Learning Objectives

By the end of this lesson, you will be able to:

• Conduct audits in accordance with IS audit standards and a risk-based IS audit strategy
• Evaluate problem and incident management policies and practices
• Evaluate the organization's information security and privacy policies and practices
• Evaluate physical and environmental controls to determine whether information assets are adequately safeguarded
• Evaluate logical security controls to verify the confidentiality, integrity, and availability of information
• Evaluate data classification practices for alignment with the organization's policies and applicable external requirements
• Evaluate policies and practices related to asset lifecycle management
• Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives
• Perform technical security testing to identify potential threats and vulnerabilities
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices
Domain 5 Topics

• Information Asset Security and Control
• Introduction
• Information Asset Security Frameworks, Standards, and Guidelines
• Privacy Principles
• Physical Access and Environmental Controls
• Identity and Access Management
• Network and End-point Security
• Data Classification
• Data Encryption and Encryption-related Techniques
• Public Key Infrastructure (PKI)
• Web-based Communication Technologies
• Virtualized Environments
• Mobile, Wireless, and Internet-of-Things (IoT) Devices
• Security Event Management
• Security Awareness Training and Programs
• Information System Attack Methods and Techniques
• Security Testing Tools and Techniques
• Security Monitoring Tools and Techniques
• Incident Response Management
• Evidence Collection and Forensics
Ensure Confidentiality, Integrity and Availability

Security rests on three objectives: confidentiality, integrity and availability (the CIA triad).
Information Asset Security Frameworks, Standards and Guidelines

Auditing the Information Security Management Framework

• Reviewing written policies, procedures and standards
• Formal security awareness and training
• Data ownership
• Data owners
• Data custodians
• Security administrator
• New IT users
• Data users
• Documented authorizations
• Terminated employee access
• Security baselines
• Access standards
Privacy Principles

Privacy Principles Good Practice

• Privacy should be considered from the outset and be built in by design. It should be systematically built into
policies, standards and procedures from the beginning.

• Private data should be collected fairly in an open, transparent manner. Only the data required for the purpose
should be collected in the first instance.

• Private data should be kept securely throughout their life cycle.

• Private data should only be used and/or disclosed for the purpose for which they were collected.

• Private data should be accurate, complete and up to date.

• Private data should be deleted when they are no longer required.

Purpose of Privacy Impact Analysis

• Pinpoint the nature of personally identifiable information associated with business processes.
• Document the collection, use, disclosure and destruction of personally identifiable information.
• Ensure that accountability for privacy issues exists.
• Identify legislative, regulatory and contractual requirements for privacy.
• Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk.
IS Audit to Assure Compliance with Privacy Policy, Laws and Other Regulations

• Identify and understand compliance requirements regarding privacy from laws, regulations and contract agreements. Depending on the assignment, IS auditors may need to seek legal or expert opinion on these.
• Review management's privacy policy to ascertain whether it takes into consideration the requirements of these privacy laws and regulations.
• Check whether sensitive personal data are correctly managed in respect to these requirements.
• Verify that the correct security measures are adopted.
Audit Considerations for Privacy

• Choice and consent
• Legitimate purpose specification and use limitation
• Personal information and sensitive information life cycle
• Accuracy and quality
• Openness, transparency and notice
• Individual participation
• Accountability
• Security safeguards
• Monitoring, measuring and reporting
• Preventing harm
• Third-party/vendor management
• Breach management
• Security and privacy by design
• Free flow of information and legitimate restriction
Physical Access and Environmental Controls

Physical Access and Environmental Controls

Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
Security Controls

• An effective control is one that prevents, detects, and/or contains an incident and enables recovery from an event.
• Controls can be:
  • Proactive (safeguards): controls that attempt to prevent an incident
  • Reactive (countermeasures): controls that allow the detection, containment and recovery from an incident
Managerial, Technical and Physical Controls

• Managerial controls: related to the oversight, reporting, procedures and operation of a process.
• Technical controls: controls provided through the use of technology, a piece of equipment or a device.
• Physical controls: devices installed to physically restrict access to a facility or hardware.
Physical Access Issues

• Unauthorized entry

• Damage, vandalism or theft of equipment or documents

• Copying or viewing of sensitive or copyrighted information

• Alteration of sensitive equipment and information

• Public disclosure of sensitive information

• Abuse of data processing resources

• Blackmail

• Embezzlement
Physical Controls Examples

• Door locks (cipher, biometric, bolted, electronic)
• Manual or electronic logging
• Identification badges
• CCTV
• Security guards
• Controlled visitor access
• Computer workstation locks
• Controlled single entry point
• Alarm system
• Deadman doors
Physical Access Audit

• The IS auditor should begin with a tour of the site and then test physical safeguards.
• Physical tests can be completed through visual observations and review of documents such as fire system tests, inspection tags and key lock logs.
Physical Access Audit

• The test should include all paths of physical entry, as well as the following locations:
  • Computer and printer rooms
  • UPS/generator
  • Operator consoles
  • Computer storage rooms
  • Communication equipment
  • Offsite backup storage facility
  • Media storage
Environmental Exposures

• Power failure
  • Total failure (blackout)
  • Severely reduced voltage (brownout)
  • Sags, spikes and surges
  • Electromagnetic interference (EMI)
• Water damage/flooding
• Manmade concerns
  • Terrorist threats/attacks
  • Vandalism
  • Equipment failure
Environmental Controls

• Environmental exposures should be afforded the same level of protection as other types of exposures. Possible controls include:
  • Alarm control panels
  • Fire extinguishers
  • Fire alarms and smoke detectors
  • Water detectors
  • Fire suppression systems
  • Fireproof and fire-resistant building and office materials
  • Strategically located computer rooms
  • Electrical surge protectors
  • Emergency power-off switch
  • Uninterruptible power supply/generator
  • Power leads from two substations
  • Documented and tested BCPs and emergency evacuation plans
Environmental Control Audit

• The IS auditor should first establish the environmental risk by assessing the location of the data center.
• In addition, the IS auditor should verify that the following safeguards are in place:
  • Water and smoke detectors
  • Strategic and visible location of handheld fire extinguishers
  • Fire suppression system documentation and inspection by fire department
  • UPS/generator test reports
  • Electrical surge protectors
  • Documentation of fireproof building materials, use of redundant power lines and wiring located in fire-resistant panels
  • Documented and tested emergency evacuation plans and BCPs
  • Humidity and temperature controls
Activity

• The director of facility operations has asked the IS audit team to perform a gap analysis of the current policies and procedures at the headquarters building that also houses the primary data center. You find that policies and procedures are currently focused on operations and maintenance contracting activities.
• What is an example of an environmental exposure that controls should be in place to mitigate?
• What would be a means to perform penetration testing of physical controls?
Knowledge Check 1

Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?

A. Power line conditioners
B. Surge protective devices
C. Alternative power supplies
D. Risk appetite is not quantified

The correct answer is A.

Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment.
Knowledge Check 2

An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:

A. Non-personalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity
B. Access cards are not labeled with the organization's name and address to facilitate easy return of a lost card
C. Card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards
D. The computer system used for programming the cards can only be replaced after three weeks in the event of a system failure

The correct answer is A.

Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof (e.g., identity card, driver's license).
Identity and Access Management

Security Objectives

• Security objectives to meet an organization's business requirements should ensure the following:
  • Continued availability of information systems and data
  • Integrity of the information stored on computer systems and while in transit
  • Confidentiality of sensitive data is preserved while stored and in transit
  • Conformity to applicable laws, regulations and standards
  • Adherence to trust and obligation requirements in relation to any information relating to an identified or identifiable individual (i.e., data subject) in accordance with internal privacy policy or applicable privacy laws and regulations
  • Adequate protection for sensitive data while stored and when in transit, based on organizational requirements
System Access Permission

• System access permission generally refers to a technical privilege, such as the ability to read, create, modify or delete a file or data; execute a program; or open or use an external connection.
• System access to computerized information resources is established, managed and controlled at the physical and/or logical level.
  • Physical access controls restrict the entry and exit of personnel to an area, such as an office building, suite, data center or room, containing information processing equipment.
  • Logical access controls restrict the logical resources of the system (transactions, data, programs, applications) and are applied when the subject resource is needed.
System Access Reviews

• Roles should be assigned by the information owner or manager.
• Access authorizations should be regularly reviewed to ensure they are still valid.
• The IS auditor should evaluate the following criteria for defining permissions and granting access:
  • Need-to-know
  • Accountability
  • Traceability
  • Least privilege
  • Segregation of duties (SoD)
Information Security and External Parties

• Identification of risk related to external parties
  • Access by external parties to the organization's information should not be provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement.
  • External parties might put information at risk if their security management is inadequate.
  • NOTE: Controls should be identified and applied to administer external party access to information processing facilities.
• Addressing security when dealing with customers
  • Asset protection and access control policies apply to customers to meet security requirements of assets.
Third-Party Access

• Third-party access to an organization's information processing facilities and processing and communication of information must be controlled.
• These controls must be agreed to and defined in a contract with the third party.
Third-Party Access Recommended Contract Terms

• Compliance with the organization's information security policy
• A clear reporting structure and agreed reporting formats
• A clear and specified process for change management
• An access control policy
• Arrangements for reporting, notifying and investigating information security incidents and security breaches
• Service continuity requirements
• The right to monitor and revoke any activity related to the organization's assets
Human Resources Security and Third Parties

• Security roles and responsibilities of employees, contractors and third-party users should be defined and
documented in accordance with the organization’s information security policy.

• Screening

• All candidates for employment, contractors or third-party users should be subject to background
verification checks.

• Removal of Access Rights

• The access rights of all employees, contractors and third-party users to information and information
processing facilities should be removed upon termination of their employment, contract or agreement, or
adjusted upon change.
Logical Access

• Logical access is the ability to interact with computer resources, granted using identification, authentication and authorization.
• Logical access controls are the primary means used to manage and protect information assets.
• IS auditors should be able to analyze and evaluate the effectiveness of a logical access control in accomplishing information security objectives and avoiding losses resulting from exposures.
• These exposures can range from minor inconveniences to a total shutdown of computer functions.
Logical Access Exposures

• Data leakage
  • Involves siphoning or leaking information out of the computer.
• Computer shutdown
  • Initiated through terminals or personal computers connected directly (online) or remotely (via the Internet) to the computer.
Paths of Logical Access

• Direct path
• Local network
• Remote access

Activity

• During your ERP upgrade audit, you identify the following findings:
  • Logical access controls to the administrative application server accounts consist of non-complex single-factor authentication, with a required password length of six characters changed every 360 days.
  • There was no policy in place for classification of information assets.
• What is the purpose of assigning classes or levels of sensitivity and criticality to information resources and establishing specific security rules for each class?
Knowledge Check 1

An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods?

A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation

The correct answer is C.

If a password is displayed on a monitor, any person or camera nearby could look over the shoulder of the user to obtain the password.
Knowledge Check 1

With the help of a security officer, granting access to data is the responsibility of:

A. Data owners
B. Programmers
C. System analysts
D. Librarians

The correct answer is A.

Data owners are responsible for the access to and use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration, with the owners' approval, sets up access rules stipulating which users or groups of users are authorized to access data or files and the level of authorized access (e.g., read or update).
Access Control Software

• Access control software is used to prevent unauthorized access and modification to an organization's sensitive data and the use of system critical functions.
• Access controls must be applied across all layers of an organization's IS architecture, including networks, platforms or OSs, databases and application systems.
• Each access control usually includes:
  • Identification and authentication
  • Access authorization
  • Verification of specific information resources
  • Logging and reporting of user activities
Access Control Software Functions

General operating and/or application systems access control functions:
• Create or change user profiles.
• Assign user identification and authentication.
• Apply user logon limitation rules.
• Notification concerning proper use and access prior to initial login.
• Create individual accountability and auditability by logging user activities.
• Establish rules for access to specific information resources (e.g., system-level application resources and data).
• Log events.
• Report capabilities.

Database and/or application-level access control functions:
• Create or change data files and database profiles.
• Verify user authorization at the application and transaction level.
• Verify user authorization within the application.
• Verify user authorization at the field level for changes within a database.
• Verify subsystem authorization for the user at the file level.
• Log database/data communications access activities for monitoring access violations.
Access Control Types

• Mandatory access controls (MACs)
  • Logical access control filters used to validate access credentials
  • Cannot be controlled or modified by normal users or data owners
  • Act by default
  • Prohibitive; anything that is not expressly permitted is forbidden
• Discretionary access controls (DACs)
  • Logical access controls that may be configured or modified by the users or data owners
  • Cannot override MACs
  • Act as an additional filter, prohibiting still more access with the same exclusionary principle
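The ordering of MAC and DAC above is easiest to see in code. The Python below is an added example written for this edit, not material from the ISACA deck: the sensitivity levels, users, objects and ACL entries are all constructed, and the MAC rule is simplified to "clearance must dominate label" for every action (the full Bell-LaPadula model adds a separate no-write-down rule). The point it demonstrates is that an owner's DAC grant cannot open what MAC has closed, while DAC can still close what MAC leaves open.

```python
"""Added example: a mandatory-access-control check layered with a
discretionary ACL. Labels, subjects, objects and grants are constructed
for the example and do not come from any real system."""

# MAC: a fixed ordering of sensitivity labels set by the security
# administrator; ordinary users and data owners cannot change it.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed subjects with their clearance.
SUBJECTS = {
    "alice": {"clearance": "secret"},
    "bob": {"clearance": "internal"},
}

# Constructed objects: a MAC label plus an owner-managed DAC list of
# (user, action) grants. The owner has granted bob read on payroll,
# which MAC must still refuse because bob's clearance is too low.
OBJECTS = {
    "payroll.xlsx": {
        "label": "confidential",
        "dac": {("alice", "read"), ("bob", "read")},
    },
    "newsletter.txt": {
        "label": "public",
        "dac": {("alice", "read"), ("alice", "write")},
    },
}


def mac_permits(subject: str, obj: str, action: str) -> bool:
    """Simplified rule: the subject's clearance must dominate the object's
    label for any action. Unknown subjects, objects or labels are denied,
    since MAC is prohibitive by default."""
    clearance = LEVELS.get(SUBJECTS.get(subject, {}).get("clearance"))
    label = LEVELS.get(OBJECTS.get(obj, {}).get("label"))
    if clearance is None or label is None:
        return False
    return clearance >= label


def dac_permits(subject: str, obj: str, action: str) -> bool:
    """Owner-maintained ACL: anything not expressly listed is denied."""
    return (subject, action) in OBJECTS.get(obj, {}).get("dac", set())


def decide(subject: str, obj: str, action: str) -> str:
    """MAC is evaluated first and cannot be overridden by DAC; DAC then
    acts as a further filter on what MAC already allows."""
    if not mac_permits(subject, obj, action):
        return "deny (MAC)"
    if not dac_permits(subject, obj, action):
        return "deny (DAC)"
    return "allow"


if __name__ == "__main__":
    for who, what, how in [("bob", "payroll.xlsx", "read"),
                           ("alice", "payroll.xlsx", "read"),
                           ("alice", "payroll.xlsx", "write"),
                           ("bob", "newsletter.txt", "read")]:
        print(f"{who} {how} {what}: {decide(who, what, how)}")
```

Note that bob's read on payroll is refused with "deny (MAC)" even though the owner listed him in the DAC table; that is the "cannot override MACs" bullet in executable form.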
Identification and Authentication

• Logical access identification and authentication (I&A) is the process of establishing and proving a
user’s identity.

• For most systems, I&A is the first line of defense because it prevents unauthorized people (or
unauthorized processes) from entering a computer system or accessing an information asset.
Identification and Authentication

• Some common I&A vulnerabilities include:
  • Weak authentication methods
  • Use of simple or easily guessed passwords
  • The potential for users to bypass the authentication mechanism
  • The lack of confidentiality and integrity for the stored authentication information
  • The lack of encryption for authentication and protection of information transmitted over a network
  • The user's lack of knowledge on the risk associated with sharing authentication elements
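As an added illustration of two items on that list (easily guessed passwords, and confidentiality of the stored authentication information), the Python below rejects passwords from a deny-list and keeps only a per-user salt and a PBKDF2-derived hash, with a constant-time comparison on verification. It is example code for this edit, not from the slides; the iteration count, minimum length and weak-password list are constructed and would in practice be set by policy. Compare it with the six-character, 360-day password finding in the activity above.

```python
"""Added example (not from the slides): password policy enforcement and
salted PBKDF2 storage. Nothing reversible is kept; verification uses a
constant-time comparison. Cost, length and deny-list are constructed."""

import hashlib
import hmac
import os

ITERATIONS = 200_000            # constructed cost; set per platform capacity
MIN_LENGTH = 12                 # constructed policy minimum
WEAK_PASSWORDS = {"password", "123456", "welcome1", "letmein"}  # constructed


def password_acceptable(pw: str) -> bool:
    """Reject short or commonly guessed passwords before storing them."""
    return len(pw) >= MIN_LENGTH and pw.lower() not in WEAK_PASSWORDS


def make_record(pw: str) -> dict:
    """What the credential store actually holds: salt, hash and cost.
    A fresh random salt per user means equal passwords give different
    hashes, so a stolen table cannot be attacked with one precomputation."""
    if not password_acceptable(pw):
        raise ValueError("password rejected by policy")
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iter": ITERATIONS}


def verify(record: dict, pw: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                             bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)                                           # no password visible
    print(verify(rec, "correct horse battery staple"))   # True
    print(verify(rec, "Password123!"))                   # False
```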
Authentication Methods

• Multifactor authentication is the combination of more than one authentication method.

• Single sign-on (SSO) is the process for consolidating all of an organization’s platform-based administration,
authentication and authorization functions into a single centralized administrative function.

• The IS auditor should be familiar with the organization’s authentication policies.

Authentication Methods

Logon IDs and Passwords

Tokens

Biometrics
Authorization

• Authorization refers to the access rules that specify who can access what.

• Access control is often based on least privilege, which refers to the granting to users of only those
accesses required to perform their duties.

• The IS auditor needs to know what can be done with the access and what is restricted.

• The IS auditor must review access control lists (ACLs). An ACL is a register of users who have
permission to use a particular system and the types of access permitted.
Authorization Issues

Risks:
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users' computers

Controls:
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques such as use of a VPN
• System and network management
System Logs

• Audit trail records should be protected by strong access controls to help prevent unauthorized
access.
• The IS auditor should ensure that the logs cannot be tampered with, or altered, without leaving an
audit trail.
• When reviewing or performing security access follow-up, the IS auditor should look for:
• Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive
application
• Violations (such as attempting computer file access that is not authorized) and/or use of incorrect
passwords
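One way to make the requirement that logs "cannot be tampered with, or altered, without leaving an audit trail" concrete is a keyed hash chain over the log records. The Python below is an added example for this edit, not part of the slides: each entry carries an HMAC over the previous entry's hash and its own content, so editing, deleting or inserting a record breaks every link from that point on, and the verifier reports where. The key and the log records are constructed for the example; in practice the key stays with the party that reviews the log, not with the administrators who can write it, and the chain is also copied to append-only or remote storage.

```python
"""Added example (not from the slides): a hash-chained audit trail that
makes alteration, deletion or insertion of records detectable on review.
Key and records are constructed for the example."""

import hashlib
import hmac
import json

# Constructed key. The auditor's point: whoever can edit the log file must
# not also hold this key, or they could re-chain after tampering.
CHAIN_KEY = b"constructed-example-key"
GENESIS = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    """HMAC-SHA256 over the previous link and a canonical encoding of the
    record, so field order in the record does not matter."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(CHAIN_KEY, (prev_hash + payload).encode(),
                    hashlib.sha256).hexdigest()


def append_record(trail: list, record: dict) -> list:
    """Append record with a link to the previous entry's hash."""
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": record, "hash": _digest(prev, record)})
    return trail


def verify_trail(trail: list):
    """Return (ok, index_of_first_bad_link). Each link must chain to the
    previous hash; any change before that point invalidates it."""
    prev = GENESIS
    for i, link in enumerate(trail):
        if link["hash"] != _digest(prev, link["record"]):
            return False, i
        prev = link["hash"]
    return True, None


def build_sample_trail() -> list:
    """Constructed access-log records for the example."""
    trail = []
    for rec in [
        {"ts": "2019-03-04T09:12:00", "user": "alice", "event": "login", "result": "ok"},
        {"ts": "2019-03-04T09:13:10", "user": "alice", "event": "read", "obj": "payroll"},
        {"ts": "2019-03-04T09:20:00", "user": "alice", "event": "logout", "result": "ok"},
    ]:
        append_record(trail, rec)
    return trail


def tamper_demo():
    """Edit one record after the fact, as an insider with write access to the
    log file might, and show the verifier pins the first bad link."""
    trail = build_sample_trail()
    trail[1]["record"]["obj"] = "newsletter"   # hide the sensitive read
    return verify_trail(trail)


if __name__ == "__main__":
    print(verify_trail(build_sample_trail()))   # (True, None)
    print(tamper_demo())                        # (False, 1)
```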
Access Control Lists

• To provide security authorizations for the files and facilities listed previously, logical access
control mechanisms use access authorization tables, also referred to as access control lists
(ACLs) or access control tables. ACLs refer to a register of:

• Users (including groups, machines, processes) who have permission to use a particular
system resource

• The types of access permitted

• When a user changes job roles within an organization, often their old access rights are not
removed before adding their new required accesses.

• Without removing the old access rights, there could be a potential SoD issue.
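An added worked example of the review described on this slide and under System Access Reviews (not from the deck): given a role-to-entitlement matrix approved by the data owner, an extract of the current ACL, and a list of SoD conflict pairs, the script reports rights a user holds beyond the current role (the job-change case above) and conflicting pairs held at once. Roles, users and entitlement names are constructed.

```python
"""Added example: an access-review script of the kind an IS auditor might
run over an ACL extract. It flags entitlements not justified by the user's
current role (least privilege / need-to-know) and toxic combinations that
violate segregation of duties. All data are constructed for the example."""

from collections import defaultdict

# Role-to-entitlement matrix approved by the data owner (constructed).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap.invoice.create", "ap.vendor.view"},
    "ap_supervisor": {"ap.invoice.approve", "ap.vendor.view"},
    "vendor_admin": {"ap.vendor.create", "ap.vendor.view"},
}

# Pairs of entitlements that must never be held by one person (constructed).
SOD_CONFLICTS = [
    ("ap.invoice.create", "ap.invoice.approve"),
    ("ap.vendor.create", "ap.invoice.approve"),
]

# Current ACL extract: user -> current role and the entitlements actually held.
# dana moved from ap_clerk to ap_supervisor but kept her old create right;
# fay was granted approve outside her role.
ACL_EXTRACT = {
    "dana": {"role": "ap_supervisor",
             "entitlements": {"ap.invoice.create", "ap.vendor.view",
                              "ap.invoice.approve"}},
    "eli": {"role": "ap_clerk",
            "entitlements": {"ap.invoice.create", "ap.vendor.view"}},
    "fay": {"role": "vendor_admin",
            "entitlements": {"ap.vendor.create", "ap.vendor.view",
                             "ap.invoice.approve"}},
}


def review_access(acl: dict, role_matrix: dict, sod_conflicts: list) -> dict:
    """Return {user: {"excess": set, "sod": [(a, b), ...]}} for users with
    findings. excess = entitlements not granted by the current role;
    sod = conflicting pairs the user holds simultaneously."""
    findings = defaultdict(lambda: {"excess": set(), "sod": []})
    for user, rec in acl.items():
        allowed = role_matrix.get(rec["role"], set())
        held = rec["entitlements"]
        excess = held - allowed
        if excess:
            findings[user]["excess"] = excess
        for a, b in sod_conflicts:
            if a in held and b in held:
                findings[user]["sod"].append((a, b))
    return {u: f for u, f in findings.items() if f["excess"] or f["sod"]}


if __name__ == "__main__":
    for user, f in sorted(review_access(ACL_EXTRACT, ROLE_ENTITLEMENTS,
                                        SOD_CONFLICTS).items()):
        print(f"{user}: excess={sorted(f['excess'])} sod={f['sod']}")
```

eli produces no finding, which is the expected result of a clean provisioning process; the two findings are the stale right and the out-of-role grant that a periodic review exists to catch.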

Logical Access Security Administration

• Software controls over access to the computer, data files and remote access to the network should
be implemented.
• The physical control environment should be as secure as possible, with additions such as lockable
terminals and a locked computer room.
• Access from remote locations via modems and laptops to other microcomputers should be
controlled appropriately.
• Opportunities for unauthorized people to gain knowledge of the system should be limited by
implementing controls over access to system documentation and manuals.
• Controls should exist for data transmitted from remote locations such as sales in one location that
update accounts receivable files at another location. The sending location should transmit control
information, such as transaction control totals, to enable the receiving location to verify the update
of its files. When practical, central monitoring should ensure that all remotely processed data have
been received completely and updated accurately.
• When replicated files exist at multiple locations, controls should ensure that all files used are correct
and current and, when data are used to produce financial information, that no duplication arises.

Remote Access Security

Remote access risk includes:
• Denial of service (DoS)
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices
• Host systems not secured appropriately
• Physical security issues over remote users' computers

Remote access controls include:
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques such as use of a VPN
• System and network management
Audit Logging in Monitoring System Access

• Access rights to system logs
  • Access rights to system logs for security administrators to perform the previous activities should be strictly controlled.
  • A periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or gain system access during unusual hours.
• IS audit review
  • The IS auditor should ensure that the logs cannot be tampered with, or altered, without leaving an audit trail.
  • When reviewing or performing security access follow-up, the IS auditor should look for:
    • Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application
    • Violations (such as attempting computer file access that is not authorized) and/or use of incorrect passwords
• Tools for audit trail (logs) analysis
  • Audit reduction tools
  • Trend/variance-detection tools
  • Attack-signature-detection tools
  • SIEM systems
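To show the three tool categories listed (audit reduction, trend/variance detection, attack-signature detection) on realistic input, the Python below parses a handful of constructed access-log lines and flags repeated failed logins, successful logins outside business hours, and concentration of activity on a sensitive application. This is an added example for this edit, not from the slides; the log format, thresholds, host and user names are all assumptions.

```python
"""Added example (not from the slides): a small log-review pass over
constructed access-log lines covering audit reduction, attack-signature
detection (repeated failed logins) and trend/variance detection (off-hours
access, concentration on a sensitive application). Format and thresholds
are constructed for the example."""

from collections import Counter
from datetime import datetime

# Constructed log lines: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2019-03-04T08:58:01 host=erp01 user=alice app=gl event=login result=OK
2019-03-04T09:02:44 host=erp01 user=alice app=gl event=query result=OK
2019-03-04T09:03:10 host=erp01 user=bob app=payroll event=login result=FAIL reason=bad_password
2019-03-04T09:03:15 host=erp01 user=bob app=payroll event=login result=FAIL reason=bad_password
2019-03-04T09:03:21 host=erp01 user=bob app=payroll event=login result=FAIL reason=bad_password
2019-03-04T09:03:30 host=erp01 user=bob app=payroll event=login result=FAIL reason=bad_password
2019-03-04T09:03:41 host=erp01 user=bob app=payroll event=login result=OK
2019-03-04T09:05:00 host=erp01 user=bob app=payroll event=query result=OK
2019-03-04T09:06:00 host=erp01 user=bob app=payroll event=query result=OK
2019-03-04T09:07:00 host=erp01 user=bob app=payroll event=query result=OK
2019-03-04T09:08:00 host=erp01 user=bob app=payroll event=query result=OK
2019-03-04T09:09:00 host=erp01 user=bob app=payroll event=query result=OK
2019-03-04T23:41:12 host=erp01 user=carol app=gl event=login result=OK
2019-03-04T23:42:00 host=erp01 user=carol app=gl event=export result=OK
"""

SENSITIVE_APPS = {"payroll"}      # constructed classification
FAILED_LOGIN_THRESHOLD = 3        # attack signature: N failures per user/app
CONCENTRATION_THRESHOLD = 5       # variance: N+ successful events on a sensitive app
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 counts as normal


def parse_line(line: str) -> dict:
    """'ts k=v k=v ...' -> dict with ts parsed to datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def reduce_audit(records, keep_results=("FAIL",), keep_events=("login", "export")):
    """Audit reduction: drop routine events, keep failures and the event
    types worth a reviewer's attention."""
    return [r for r in records
            if r["result"] in keep_results or r["event"] in keep_events]


def review_log(text: str) -> dict:
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    findings = {}

    # Attack signature: repeated failed logins per (user, app).
    fails = Counter((r["user"], r["app"]) for r in records
                    if r["event"] == "login" and r["result"] == "FAIL")
    findings["brute_force"] = sorted(k for k, n in fails.items()
                                     if n >= FAILED_LOGIN_THRESHOLD)

    # Variance: successful logins outside business hours.
    findings["off_hours"] = sorted({r["user"] for r in records
                                    if r["event"] == "login" and r["result"] == "OK"
                                    and r["ts"].hour not in BUSINESS_HOURS})

    # Trend: concentration of successful activity on a sensitive application.
    sensitive = Counter(r["user"] for r in records
                        if r["app"] in SENSITIVE_APPS and r["result"] == "OK")
    findings["concentration"] = sorted(u for u, n in sensitive.items()
                                       if n >= CONCENTRATION_THRESHOLD)

    findings["reduced_count"] = len(reduce_audit(records))
    return findings


if __name__ == "__main__":
    for k, v in review_log(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the sample, bob trips both the failed-login signature and the payroll concentration check (a guessed password followed by a burst of queries is exactly the pattern the slide calls abuse of access privileges), and carol's 23:41 login is surfaced as off-hours access for follow-up; audit reduction cuts the 14 lines to 8 that need a reviewer's eyes.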
Auditing Logical Access

• Obtain a general understanding of the security risk facing information processing, through a review
of relevant documentation, inquiry, observation, risk assessment and evaluation techniques.

• Document and evaluate controls over potential access paths into the system to assess their
adequacy, efficiency and effectiveness by reviewing appropriate hardware and software security
features and identifying any deficiencies or redundancies.

• Test controls over access paths to determine whether they are functioning and effective by applying
appropriate audit techniques.

• Evaluate the access control environment to determine if the control objectives are achieved by
analyzing test results and other audit evidence.

• Evaluate the security environment to assess its adequacy by reviewing written policies, observing
practices and procedures, and comparing them with appropriate security standards or practices
and procedures used by other organizations.
Auditing Logical Access Process

1. Familiarization with the IT environment
2. Assessing and documenting the access paths
3. Interviewing systems personnel
4. Reviewing application systems operations manual
5. Reviewing reports from access control software
Data Leakage

• Data leakage involves the unauthorized transfer of sensitive or proprietary information from an internal network to the outside world.
• Data leak prevention is a suite of technologies and associated processes that locate, monitor and protect sensitive information from unauthorized disclosure.
• DLP has three key objectives:
  • Locate and catalog sensitive information stored throughout the enterprise.
  • Monitor and control the movement of sensitive information across enterprise networks.
  • Monitor and control the movement of sensitive information on end-user systems.
DLP Solutions

• Data at rest

• Data in motion

• Data in use

• Policy creation and management

• Directory services integration

• Workflow management

• Backup and restore

• Reporting

• DLP risk, limitations and considerations
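Added example of the content-inspection step behind "monitor and control the movement of sensitive information across enterprise networks" (example code for this edit, not from the deck): candidate payment card numbers in outbound text are found with a regular expression and confirmed with the Luhn check digit before a message is blocked and redacted, which is what keeps a 16-digit ticket number from being a false positive. Sample messages are constructed, and the card numbers are published test values, not real accounts.

```python
"""Added example (not from the slides): DLP content inspection for
payment card numbers. A regex finds candidates, Luhn confirms them, and
inspect_outbound() returns a block/allow verdict plus a redacted copy.
Sample messages are constructed; card numbers are published test values."""

import re

# 13-19 digits, optionally separated by single spaces or hyphens, not
# glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidates found in text, as written."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(m.group(0))
    return found


def inspect_outbound(text: str) -> dict:
    """Policy for the example: any confirmed PAN blocks the message;
    the redacted form keeps only the last four digits."""
    pans = find_pans(text)
    redacted = text
    for p in pans:
        digits = re.sub(r"[ -]", "", p)
        redacted = redacted.replace(p, "*" * (len(digits) - 4) + digits[-4:])
    return {"block": bool(pans), "matches": len(pans), "redacted": redacted}


# Constructed outbound messages. The second contains a 16-digit number that
# fails the Luhn check, so it must pass through unflagged.
SAMPLE_MESSAGES = [
    "Order 4111 1111 1111 1111 shipped, call 555-0100 with questions.",
    "Ticket 1234567890123456 resolved; invoice 20190304.",
    "Card 5500-0000-0000-0004 declined; retry with 4012888888881881.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(inspect_outbound(msg))
```

A production DLP engine adds context (BIN ranges, nearby keywords, document fingerprints) on top of this check; the Luhn step alone already removes most random-digit false positives, which is the point the example makes.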


Network and End-point Security

The Open Systems Interconnection (OSI) Model

• The OSI model defines groups of functionality required for network computers into layers, described as
follows:

1. Physical layer: Manages signals among network systems

2. Data link layer: Divides data into frames that can be transmitted by the physical layer

3. Network layer: Translates network addresses and routes data from sender to receiver

4. Transport layer: Ensures that data are transferred reliably in the correct sequence

5. Session layer: Coordinates and manages user connections

6. Presentation layer: Formats, encrypts and compresses data

7. Application layer: Mediates between software applications and other layers of network services

Traditional OSI Model

Associated LAN Risks

• Loss of data and program integrity through unauthorized changes
• Lack of current data protection through inability to maintain version control
• Exposure to external activity through poor user verification and potential public network access from remote connections
• Virus and worm infection
• Improper disclosure of data because of general access rather than need-to-know access provisions
• Illegal access by impersonating or masquerading as a legitimate LAN user
• Internal user sniffing
• Internal user spoofing
• Lack of enabled detailed automated logs of activity
• Destruction of the logging and auditing data
IS Audit’s Role in LAN Technology

• To gain a full understanding of the LAN, the IS auditor should identify and document the following:

• Users or groups with privileged access rights
• LAN topology and network design
• LAN administrator/LAN owner
• Functions performed by the LAN administrator/owner
• Distinct groups of LAN users
• Computer applications used on the LAN
• Procedures and standards relating to network design, support, naming conventions and data security

Network Infrastructure Security

• The IS auditor should be familiar with risk and exposures related to network infrastructure.

• Network control functions should:

• Be performed by trained professionals, and duties should be rotated on a regular basis.
• Maintain an audit trail of all operator activities.
• Restrict operator access from performing certain functions.
• Periodically review audit trails to detect unauthorized activities.
• Document standards and protocols.
• Analyze workload balance, response time and system efficiency.
• Encrypt data, where appropriate, to protect messages from disclosure during transmission.

Virtualization

• IS auditors need to understand the advantages and disadvantages of virtualization to determine whether
the enterprise has considered the applicable risk in its decision to adopt, implement and maintain this
technology.

• Some common advantages and disadvantages include:

Advantages

• Decreased server hardware costs
• Shared processing capacity and storage space
• Decreased physical footprint
• Multiple versions of the same OS

Disadvantages

• Inadequate host configuration could create vulnerabilities that affect not only the host, but also the guests.
• Data could leak between guests.
• Insecure protocols for remote access could result in exposure of administrative credentials.

Client-Server Security

• A client-server is a group of computers connected by a communications network in which the client is the
requesting machine and the server is the supplying machine.

• Several access routes exist in a client-server environment.

IS Auditor Role in Client-Server Security

• The IS auditor should ensure that:

• Application controls cannot be bypassed.
• Passwords are always encrypted.
• Access to configuration or initialization files is kept to a minimum.
• Access to configuration or initialization files is audited.

Wireless Security

• Wireless security requirements include the following:

• Authenticity: A third party must be able to verify that the content of a message has not been changed in
transit.
• Nonrepudiation: The origin or the receipt of a specific message must be verifiable by a third party.
• Accountability: The actions of an entity must be uniquely traceable to that entity.
• Network availability: The IT resource must be available on a timely basis to meet mission requirements or to
avoid substantial losses.

Internet Security

• The IS auditor must understand the risk and security factors needed to ensure that proper controls are in
place when a company connects to the Internet.

• Passive network attacks involve probing for network information.

• Examples of passive attacks include network analysis, eavesdropping and traffic analysis.
Internet Security

• Once enough network information has been gathered, an intruder can launch an actual attack against a
targeted system to gain control.

• Examples of active attacks include denial of service (DoS), phishing, unauthorized access, packet replay,
brute force attacks and email spoofing.

• The IS auditor should have a good understanding of the following types of firewalls:

• Packet filtering
• Application firewall systems
• Stateful inspections
Internet Security

• The IS auditor should also be familiar with common firewall implementations, including:

• Screened-host firewall
• Dual-homed firewall
• Demilitarized zone (DMZ) or screened-subnet firewall

• The IS auditor should be familiar with the types, features and limitations of intrusion detection systems and
intrusion prevention systems.

Firewalls

• A firewall is a system or combination of systems that enforces a boundary between two or more
networks.

• A firewall typically forms a barrier between a secure environment and an open environment such as the Internet,
applying rules to control the type of network traffic flowing in and out.

• Most commercial firewalls are built to handle commonly used Internet protocols.

Firewall Features

• There are different types of firewalls, but most of them enable organizations to:

• Filter incoming and outgoing traffic
• Block access to particular sites on the Internet
• Limit traffic on an organization’s public services segment to relevant addresses and ports
• Prevent certain users from accessing certain servers or services
• Monitor and record communications between an internal and an external network in order to investigate
network penetrations or detect internal subversion
• Encrypt packets sent between different locations within an organization by creating a virtual private
network (VPN) over the Internet (e.g., IPsec VPN tunnels)

Firewall Technologies

• Packet Filters
• Stateful Inspection
• Application Proxy
• Next Generation Firewall

Packet-filtering Firewall Model

• In packet filtering, a first-generation firewall technique, a screening router examines the header of every data
packet traveling between the Internet and the organization’s network.

• Packet headers contain:

• The IP address of the sender and receiver
• The port numbers (application or service) authorized to use the information transmitted

• Based on that information, the router recognizes the kind of Internet service being used to send the data and
the identities of the sender and receiver of the data.

• With this, the router can prevent certain packets from being sent between the Internet and the corporate
network.

Packet-filtering Firewalls

Advantages

• Simplicity of one network “choke point”
• Minimal impact on network performance
• Inexpensive or free

Disadvantages

• Vulnerable to attacks from improperly configured filters
• Vulnerable to attacks tunneled over permitted services
• All private network systems are vulnerable when a single packet-filtering router is compromised

Common Attacks Against Packet-filtering Firewalls

• IP spoofing: The attacker fakes the IP address of either an internal network host or a trusted network host, so
the packet being sent may pass the rule base of the firewall and penetrate the system perimeter.

• Source routing specification: The attacker defines the route the IP packet takes such that it will bypass the
firewall. This type of attack centers around the routing that an IP packet must take when it traverses the
Internet from the source host to the destination host.

• Miniature fragment attack: The attacker fragments the IP packet and pushes the smaller packets through the
firewall. This type of attack relies on only the first sequence of fragmented packets being examined, with the
hope that the others will be able to pass without review.

Application Firewall Systems

• Application firewall systems allow information to flow between systems but do not allow the direct exchange
of packets.

• There are two types of application firewall systems:

• Application-level gateways: Systems that analyze packets through a set of proxies—one for each service.

• The implementation of multiple proxies impacts network performance, so when network performance is a
concern, a circuit-level gateway may be a better choice.

• Circuit-level gateways: Systems that use one proxy server for all services.

• These are more efficient and also operate at the application level.
• TCP and UDP sessions are validated, typically through a single, general-purpose proxy before opening a
connection.

• Note that commercially, circuit-level gateways are quite rare.

Application Firewalls

Advantages

• Provide security for commonly used protocols
• Generally hide the network from outside, untrusted networks
• Ability to protect the entire network by limiting break-ins to the firewall itself
• Ability to examine and secure program code

Disadvantages

• Poor performance and scalability as Internet usage grows

Stateful Inspection Systems

• Also referred to as dynamic packet filtering, a stateful inspection system tracks the destination IP
address of each packet that leaves the organization’s internal network.

• The stateful system maps the source IP address of an incoming packet with a list of destination IP
addresses that is maintained and updated.

• When a response to a packet is received, its record is referenced to determine whether the
incoming message was made in response to a request that the organization sent out.

• This approach prevents any attack initiated and originated by an outsider.


Stateful Inspection Firewalls

Advantages

• Provide greater control over the flow of IP traffic
• Greater efficiency in comparison to CPU-intensive, full-time application firewall systems

Disadvantages

• Complex to administer

Stateless vs. Stateful Firewalls

• Stateless filtering does not keep the state of ongoing TCP connection sessions.

• This contrasts with the action of stateful systems, which keep track of TCP connections.

• The stateless system has no memory of what source port numbers a session’s client selected.

• Stateless firewalls are quicker, but less sophisticated than stateful firewalls.

• Because UDP traffic is stateless, applications that require UDP to operate from the Internet into a corporate
network should be:

• Used sparingly
• Implemented with alternate controls
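The difference between the two filter types above, and the spoofing and miniature-fragment attacks listed earlier under Common Attacks Against Packet-filtering Firewalls, can be made concrete with a small simulation. This is an added example, not code from the deck or from any firewall product: the `Packet` fields, the internal prefix 10.0.0.x and the documentation-range addresses 203.0.113.10 and 198.51.100.7 are constructed. Both filters share the same stateless header checks; the stateless filter then has to open the whole ephemeral port range to let replies back in, while the stateful filter admits an inbound packet only if it answers a flow the LAN opened.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the header fields a screening router examines."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                    # "tcp" or "udp"
    direction: str                # "in" = arriving from the Internet, "out" = leaving the LAN
    frag_offset: int = 0          # IP fragment offset; 0 for the first (or only) fragment
    more_fragments: bool = False  # IP "more fragments" flag
    payload_len: int = 64         # transport-layer bytes carried in this fragment
    source_routed: bool = False   # IP source-route option present


INTERNAL_PREFIX = "10.0.0."      # hypothetical internal network
MIN_FIRST_FRAGMENT = 20          # bytes needed to carry a complete TCP header


def header_checks(pkt: Packet) -> Optional[str]:
    """Stateless header sanity rules shared by both filters; drop reason or None."""
    if pkt.source_routed:
        return "drop: source-routing option set"
    if pkt.direction == "in" and pkt.src_ip.startswith(INTERNAL_PREFIX):
        return "drop: internal source address arriving from outside"
    if pkt.frag_offset == 0 and pkt.more_fragments and pkt.payload_len < MIN_FIRST_FRAGMENT:
        return "drop: initial fragment too small to inspect transport header"
    return None


class StatelessFilter:
    """Static port rules only; no memory of which sessions the LAN opened."""

    def __init__(self, inbound_ports: Set[int]):
        self.inbound_ports = inbound_ports

    def decide(self, pkt: Packet) -> str:
        reason = header_checks(pkt)
        if reason:
            return reason
        if pkt.direction == "out":
            return "allow"
        return "allow" if pkt.dst_port in self.inbound_ports else "drop: no matching rule"


class StatefulFilter:
    """Records outbound flows and admits inbound packets only as replies to them."""

    def __init__(self):
        self.flows: Set[Tuple[str, int, str, int, str]] = set()

    def decide(self, pkt: Packet) -> str:
        reason = header_checks(pkt)
        if reason:
            return reason
        if pkt.direction == "out":
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "allow"
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reply_key in self.flows:
            return "allow: reply to a recorded outbound flow"
        return "drop: unsolicited inbound packet"


def run_scenario() -> Dict[str, Dict[str, str]]:
    """Replays constructed traffic through both filters and returns each decision."""
    request = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "out")
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", "in")
    unsolicited = Packet("198.51.100.7", 40000, "10.0.0.5", 51000, "tcp", "in")
    spoofed = Packet("10.0.0.9", 40000, "10.0.0.5", 22, "tcp", "in")
    tiny_fragment = Packet("198.51.100.7", 40000, "10.0.0.5", 80, "tcp", "in",
                           frag_offset=0, more_fragments=True, payload_len=8)
    traffic = [("request", request), ("reply", reply), ("unsolicited", unsolicited),
               ("spoofed", spoofed), ("tiny_fragment", tiny_fragment)]
    # A stateless filter cannot know which source port the client picked, so it
    # has to leave the whole ephemeral range open for replies.
    stateless = StatelessFilter(inbound_ports=set(range(1024, 65536)))
    stateful = StatefulFilter()
    return {
        "stateless": {name: stateless.decide(p) for name, p in traffic},
        "stateful": {name: stateful.decide(p) for name, p in traffic},
    }


if __name__ == "__main__":
    for mode, decisions in run_scenario().items():
        for name, verdict in decisions.items():
            print(f"{mode:9} {name:14} {verdict}")
```

The unsolicited packet to port 51000 is the point of the comparison: the stateless filter passes it because the port is in the open range, the stateful filter drops it because no outbound flow matches. The deck's caveat about UDP applies here too: `StatefulFilter` keeps a UDP 5-tuple as pseudo-state, but with no handshake or teardown a real firewall has to expire such entries on a timer, which is why UDP services exposed from the Internet need compensating controls.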
Firewall Implementations

• Firewall implementations can take advantage of the functionality available in a variety of firewall designs to
provide a robust and layered approach to protect an organization’s information assets.

• Commonly used implementations available today include:

• Screened-host firewall: Implements basic network layer security (packet filtering) and application server
security (proxy services)

• Dual-homed firewall: Has two or more network interfaces, each of which is connected to a different
network.

• Demilitarized zone (DMZ) or screened-subnet firewall


Firewall Implementations

• Another commonly used firewall implementation is the demilitarized zone (DMZ) or screened-subnet firewall.

• This is a small, isolated network for an organization’s public servers, bastion host information servers and
modem pools.

• The DMZ connects the untrusted network to the trusted network, but exists in its own independent space to limit
access and availability of resources.

DMZ Firewall Benefits

• The key benefits of the DMZ system are:

• An intruder must penetrate three separate devices
• Private network addresses are not disclosed to the Internet
• Internal systems do not have direct access to the Internet

Firewall Issues

• Configuration errors
• Monitoring demands
• Policy maintenance
• Vulnerability to application-based and input-based attacks

Firewall Platforms

• Firewalls may be implemented using hardware, software or virtual platforms.

• Implementing hardware provides performance with minimal system overhead.

• These are not as flexible or scalable as software-based firewalls.

• Software-based firewalls are generally slower with significant systems overhead.

• They are flexible and may include additional services such as virus protection.

• When server-based firewalls are used, operating systems in servers are often vulnerable to attacks.

• When attacks on operating systems succeed, the firewall may be compromised.

• An appliance is a device with all software and configurations pre-setup on a physical server that is plugged in
between two networks. It is generally better to use appliances, rather than normal servers, for the firewall.
Next Generation Firewalls (NGFW)

• NGFWs are firewalls aimed at addressing two key limitations found in earlier firewalls:
• The firewall’s inability to inspect packet payload
• The firewall’s inability to distinguish between types of web traffic
• An NGFW is an adaptive network security system capable of detecting and blocking sophisticated attacks.

• NGFWs perform traditional functions, such as:

• Packet filtering
• Stateful inspection
• Network address translation (NAT)

• In addition, NGFWs:

• Introduce application awareness
• Incorporate deep packet inspection (DPI) technology
• Offer varying degrees of integrated threat protection

Web Application Firewalls (WAF)

• A web application firewall (WAF) is a server plug-in, appliance or additional filter that can be used to apply rules
to a specific web application (usually to an HTTP conversation).

• The WAF operates at higher levels in the OSI model, generally at layer 7.

• In contrast, network firewalls operate at layer 3 or layer 4.

• A WAF may be customized to identify and block many types of attacks, but customization requires effort.

• When changes to the application are made, the WAF rules need changes as well.

Development and Authorization of Network Changes

• The IS auditor can test this change control by:

• Sampling recent change requests, looking for appropriate authorization and matching the request to the actual
network device
• Matching recent network changes, such as new telecommunication lines, to added terminals and authorized
change requests

• As an added control, the IS auditor should determine who can access the network change software.

• This access should be restricted to senior network administrators.

Shadow IT

Shadow IT is an application, tool, service or system that is used within an organization to collaborate, develop
software, share content, store and manipulate data or serve any number of other purposes without having been
reviewed, tested, approved, implemented or secured by the organization’s IT and/or information security functions,
in accordance with written policies and procedures.

Shadow IT Controls

• IT department as a service-delivery organization

• IT budgeting and procurement

• IT system consolidation (where feasible)

• User access and administrative rights

• User education

• User activity monitoring

• User data exchange

• Shadow IT policy: A shadow IT policy that aligns with business objectives and supports security requirements.

Activity

• You have been assigned to a network architecture review. This is a large multi-campus wide area network that
uses the following technologies:

• External
• Standard ISP-provided T1s and OC3
• VerSprinAT & Bell MPLS
• Satellite communications
• Point-to-point RF

• Internal
• WiFi for corporate and guests
• Wired with fiber backbone

• When performing an audit of the network infrastructure, what document should the IS auditor review?

Activity

• The CIO and CISO state their objective is to prevent and detect computer attacks that could result in proprietary
or confidential data being stolen or modified.

• What would be a risk specific to wireless networks?

Data Classification

Data Classification

• In order to have effective controls, organizations must have a detailed inventory of information assets.

• Most organizations use a classification scheme with three to five levels of sensitivity.

• Data classification provides the following benefits:

• Defines level of access controls
• Reduces risk and cost of over- or under-protecting information resources
• Maintains consistent security requirements
• Enables uniform treatment of data by applying level-specific policies and procedures
• Identifies who should have access

Data Classification

• The information owner should decide on the appropriate classification, based on the organization’s data
classification and handling policy.

• Data classification should define:

• The importance of the information asset
• The information asset owner
• The process for granting access
• The person responsible for approving the access rights and access levels
• The extent and depth of security controls

• Data classification must also take into account legal, regulatory, contractual and internal requirements for
maintaining privacy, confidentiality, integrity and availability.
Activity

• You have been assigned to assist the incident response team in evaluating post-incident lessons learned and
remediation activities to prevent recurrence of the root causes. Your team has completed the response to data
leakage that resulted in compromising firewall network administrative access.

• When the firewall was sent off site for vendor maintenance, what actions should have been taken?

Knowledge Check 1

The FIRST step in data classification is to:

A. Establish ownership.
B. Perform a criticality analysis.
C. Define access rules.
D. Create a data dictionary.

The correct answer is A.

Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data
owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data
classification.

Knowledge Check 2

From a control perspective, the PRIMARY objective of classifying information assets is to:

A. Establish guidelines for the level of access controls that should be assigned.
B. Ensure access controls are assigned to all information assets.
C. Assist management and auditors in risk assessment.
D. Identify which assets need to be insured against losses.

The correct answer is A.

Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or
levels of sensitivity and criticality to information resources, management can establish guidelines for the level of
access controls that should be assigned. End-user management and the security administrator will use these
classifications in their risk assessment process to assign a given class to each asset.

Data Encryption and Encryption-related Techniques

Encryption

• Encryption generally is used to:

• Protect data in transit over networks from unauthorized interception and manipulation.
• Protect information stored on computers from unauthorized viewing and manipulation.
• Deter and detect accidental or intentional alterations of data.
• Verify the authenticity of a transaction or document.

Key Elements of Encryption Systems

Encryption algorithm

• A mathematically based function that encrypts/decrypts data

Encryption key

• A piece of information that is used by the encryption algorithm to make the encryption or
decryption process unique

Key length

• A predetermined length for the key; the longer the key, the more difficult it is to
compromise
Encryption Schemes

• There are two types of encryption schemes:

• Symmetric—a unique key (usually referred to as the “secret key”) is used for both encryption and decryption.
• Asymmetric—the decryption key is different from the one used for encryption.

• There are two main advantages of symmetric key systems over asymmetric ones:

• The keys are much shorter and can be easily remembered.
• Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power.

Public Key Cryptography

• In a public key cryptography system, two keys work together as a pair. One of the keys is kept private, while the
other one is publicly disclosed.

• The underlying algorithm works even if the private key is used for encryption and the public key for decryption.

Digital Signature Schemes

• Digital signature schemes ensure:

• Data integrity—Any change to the plaintext message would result in the recipient failing to compute the same
document hash.
• Authentication—The recipient can ensure that the document has been sent by the claimed sender because only
the claimed sender has the private key.
• Nonrepudiation—The claimed sender cannot later deny generating the document.

• The IS auditor should be familiar with how a digital signature functions to protect data.

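The three properties above, and the earlier point that the public-key algorithm works in either direction (private key to "encrypt", public key to "decrypt"), can be walked through with a textbook RSA key pair. This is an added example, not the deck's material and not a usable signature scheme: the primes are two fixed Mersenne primes (2^31-1 and 2^61-1) chosen so the arithmetic is honest but readable, there is no padding, and the SHA-256 digest is reduced modulo n so it fits. Real signatures use keys of 2048 bits or more and a padding scheme such as RSA-PSS; the functions and the sample payment order below are constructed.

```python
import hashlib
from typing import Dict

# Constructed toy key pair (textbook RSA, no padding): illustration only.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent, shared with everyone
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, held only by the signer


def message_digest(message: bytes) -> int:
    """SHA-256 of the document, reduced into the modulus range (toy shortcut)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exponent: int = D) -> int:
    """Signer: hash the document, then transform the hash with the private key."""
    return pow(message_digest(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Recipient: undo the transform with the public key, recompute the hash, compare."""
    return pow(signature, public_exponent, N) == message_digest(message)


def encrypt(plaintext_block: int) -> int:
    """Confidentiality direction: anyone holding the public key can encrypt..."""
    return pow(plaintext_block, E, N)


def decrypt(ciphertext_block: int) -> int:
    """...but only the private-key holder can decrypt."""
    return pow(ciphertext_block, D, N)


def demo() -> Dict[str, bool]:
    """Exercises integrity, authentication and the reverse (encryption) direction."""
    document = b"Payment order 2019-0042: transfer 10,000 to vendor A"   # constructed
    tampered = b"Payment order 2019-0042: transfer 90,000 to vendor A"   # one digit changed
    signature = sign(document)
    return {
        # Integrity: unchanged document, same hash, signature checks out
        "genuine_verifies": verify(document, signature),
        # Integrity: altered document, different hash, the old signature fails
        "tampered_fails": not verify(tampered, signature),
        # Authentication (and nonrepudiation): without D, no one can produce a
        # value that E turns back into the document's hash
        "impostor_fails": not verify(document, sign(document, 12345)),
        # Public key encrypts, private key decrypts: the pair works both ways
        "encrypt_roundtrip": decrypt(encrypt(20190042)) == 20190042,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18} {'ok' if ok else 'FAILED'}")
```

Nonrepudiation follows from the same asymmetry: because only the holder of `D` could have produced a signature that `E` accepts, the signer cannot later disown it, which is why protecting the private key is the control the IS auditor looks for.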
Knowledge Check 1

Which of the following BEST determines whether complete encryption and authentication protocols for protecting
information while being transmitted exist?

A. A digital signature with RSA has been implemented.
B. Work is being done in tunnel mode with the nested services of authentication header (AH) and encapsulating
security payload (ESP).
C. Digital certificates with RSA are being used.
D. Work is being done in transport mode with the nested services of AH and ESP.

The correct answer is B.

Tunnel mode provides encryption and authentication of the complete IP package. To accomplish this, the
authentication header and encapsulating security payload services can be nested.

Public Key Infrastructure

Public Key Infrastructure

• Public key infrastructure (PKI) allows a trusted third party to issue, maintain and revoke public key certificates.

Elements of PKI

• Digital certificates: A digital certificate is composed of a public key and identifying information about the owner
of the public key.

• Certificate authority (CA): The CA is an authority in a network that issues and manages security credentials and
public keys for message signature verification or encryption.

• Registration authority (RA): An RA is an authority in a network that verifies user requests for a digital certificate
and tells the CA to issue it.

Web-based Communications Technologies

VOIP Security

• The key to securing VoIP is to use the security mechanisms such as those deployed in data networks (e.g.,
firewalls, encryption) to emulate the security level currently used by public switched telephone network
(PSTN) network users.

• OS patches and virus signature updates must be promptly applied to prevent a potential system outage. To
enhance the protection of the telephone system and data traffic, the VoIP infrastructure should be
segregated using virtual local area networks (VLANs).

• Any connections between these two infrastructures should be protected using firewalls that can interpret
VoIP protocols.

Email Security

• Issues

• Phishing attacks
• DoS attacks
• Unencrypted emails intercepted
• Viruses
• Email exposure and integrity issues

• Control considerations

• Address the security aspects of the deployment of a mail server through maintenance and administration
standards
• Ensure that the mail server application is deployed, configured and managed to meet the security policy and
guidelines instituted by management
• Consider the implementation of encryption technologies to protect user authentication and mail data

Peer-to-Peer Computing

Instant Messaging

Social Media

• Along with the corporate social media risk there are risks of employee personal use of social media that should
be considered.

Cloud Computing Service Models

Cloud Computing Deployment Models

Cloud Computing Essential Characteristics

Cloud Security Objectives

• Ensure the continued availability of their information systems and data.

• Ensure the integrity and preserve the confidentiality of information and sensitive data while stored and in
transit.

• Ensure conformity to applicable laws, regulations and standards.

• Ensure adherence to trust and obligation requirements in relation to any information relating to an identified or
identifiable individual (i.e., data subject) in accordance with its privacy policy or applicable privacy laws and
regulations.

IS Auditor and Cloud Computing

• Some considerations for the IS auditor regarding cloud computing include:

• Data ownership, data custody and security administration related to cloud deployment models: The CSA
provides a questionnaire that organizations can use to ascertain a service provider’s compliance with the
Controls Matrix.

• Legal requirements and unique risks in the cloud environment: Regulations such as GDPR can present unique
challenges for data stored in the cloud.

• Potential limitations to the right-to-audit in a cloud environment: An auditor may not be able to physically
investigate a vendor’s facilities.

Virtualized Environments

Virtualized Environments

• Bare metal/native virtualization occurs when the hypervisor runs directly on the underlying hardware,
without a host OS.

• Hosted virtualization occurs when the hypervisor runs on top of the host OS (Windows, Linux or
MacOS). The hosted virtualization architectures usually have an additional layer of software (the
virtualization application) running in the guest OS that provides utilities to control the virtualization while
in the guest OS, such as the ability to share files with the host OS.

• Containerization: Containers include the application and all of its dependencies but share the kernel
with other containers. They run as an isolated process in user space on the host operating system.

Virtualization Risk

• The following types of high-level risk are representative of the majority of virtualized systems in use:

• Rootkits
• Improper configuration
• Guest tools
• Snapshot/images

• Virtualization products rarely have hypervisor access controls: therefore, anyone who can launch an application
on the host OS can run the hypervisor.

• The only access control is whether someone can log into the host OS.

Virtualization Typical Controls

• An IS auditor should understand the following concepts:

• Hypervisors and guest images (OS and networks) are securely configured according to industry standards.
Apply hardening to these virtual components as closely as one would to a physical server, switch, router,
firewall or other computing device.
• Hypervisor management communications should be protected on a dedicated management network.
Management communications carried on untrusted networks should be encrypted, and encryption should
encapsulate the management traffic.
• The hypervisor should be patched as the vendor releases the fixes.
• The virtualized infrastructure should be synchronized to a trusted authoritative timeserver.
• Unused physical hardware should be disconnected from the host system.
• All hypervisor services, such as clipboard- or file-sharing between the guest OS and the host OS, should be
disabled unless they are needed.
• Host inspection capabilities should be enabled to monitor the security of each guest OS. Hypervisor
security services can allow security monitoring even when the guest OS is compromised.
• Host inspection capabilities should be enabled to monitor the security of activity occurring between guest
OSs. Of special focus is communications in a non-virtualized environment carried

Mobile, Wireless and Internet of Things

Mobile Computing

• Mobile computing refers to devices that are transported or moved during normal usage, including tablets,
smartphones and laptops.

• Mobile computing makes it more difficult to implement logical and physical access controls.

• Common mobile computing vulnerabilities include the following:

• Information may travel across unsecured wireless networks.
• The enterprise may not be managing the device.
• Unencrypted information may be stored on the device.
• The device may have a lack of authentication requirements.
• The device may allow for the installation of unsigned third-party applications.

Mobile Computing Controls

• The following controls will reduce the risk of disclosure of sensitive data stored on mobile devices:

• Device registration
• Tagging
• Data storage
• Virus detection and control
• Physical security
• Encryption
• Compliance
• Approval
• Acceptable use policy
• Due care
• Awareness training
• Network authentication
• Secure transmission
• Standard applications
• Geolocation tracking
• Remote wipe and lock
• BYOD agreement
• Secure remote support

BYOD Security and Control Issues

• Protection of sensitive data and intellectual property
• Protection of networks to which BYOD devices connect
• Responsibility and accountability for the device and information contained on it
• Removal of the organization’s data from employee-owned devices upon termination of employment or loss of
the device
• Malware protection

BYOD Risks

• Risks related to BYOD are similar to mobile computing risks. Some specific BYOD-related risks are:

• Access controls and control over device security.
• Ability to eliminate sensitive enterprise data upon termination of employment or loss of the device.
• Management issues related to supporting many different types of devices, operating systems and applications.
• Ensuring that employee-owned BYOD devices are properly backed up at all times.

Internet Access on Mobile Devices Risks

• The interception of sensitive information
• The loss or theft of devices
• The loss of data contained in the devices
• The misuse of devices
• Distractions caused by the devices
• Wired equivalent privacy (WEP) security encryption
• Possible health effects of device usage
• OS vulnerabilities
• Applications
• Wireless user authentication
• File security

Wireless Security Threats and Risk Mitigation

• Classification of threats:

• Errors and omissions
• Fraud and theft committed by authorized or unauthorized users of the system
• Employee sabotage
• Loss of physical and infrastructure support
• Malicious hackers
• Industrial espionage
• Malicious code
• Foreign government espionage
• Threats to personal privacy

• Mitigation strategies:

• Authenticity
• Nonrepudiation
• Accountability
• Network availability

Internet of Things Risk

• Business risk:

• Health and safety
• Regulatory compliance
• User privacy
• Unexpected costs

• Operational risk:

• Inappropriate access to functionality
• Shadow usage
• Performance

• Technical risk:

• Device vulnerabilities
• Device updates
• Device management

Security Event Management

Security Awareness Training and Programs

Security Awareness Training

• An active security awareness program can greatly reduce risk by addressing the behavioral element of
security through education and consistent application of awareness techniques.

• All employees of an organization and third-party users must receive appropriate training and regular
updates on the importance of security policies, standards and procedures in the organization.

• In addition, all personnel must be trained in their specific responsibilities related to information security.
Knowledge Check 1

Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and
training program?

A. Review the security training program.
B. Ask the security administrator.
C. Interview a sample of employees.
D. Review the security reminders to employees.

The correct answer is C.

Interviewing a sample of employees is the best way to determine the effectiveness of a security awareness and
training program because overall awareness must be determined and effective security is dependent on people.
Reviewing the security training program would not be the ultimate indicator of the effectiveness of the awareness
training.

Information System Attack Methods and Techniques

Fraud Risk Factors

• Motivation
• Opportunity
• Rationalization

Computer Crimes

• Financial loss

• Legal repercussions

• Loss of credibility or competitive edge

• Blackmail/industrial espionage/organized crime

• Disclosure of confidential, sensitive or embarrassing information

• Sabotage

Computer Crimes

• It is important that the IS auditor knows and understands the differences between computer crime and
computer abuse to support risk analysis methodologies and related control practices. Examples of computer
crimes include:
  • Hacking
  • Malware, viruses and worms
  • Denial of service (DoS)
  • Fraud
  • Unauthorized access
  • Brute force attacks
  • Malicious codes
  • Phishing
  • Packet replay
  • Masquerading
  • Eavesdropping
  • Network analysis

Malware Controls

Virus and worm controls:
• Management procedural controls
• Technical controls
• Anti-malware software implementation strategies
• System monitoring vs target attacks

Security Testing Tools and Techniques

Security Testing Techniques

Terminal cards and keys
• The IS auditor can use sample cards and keys to attempt to gain access beyond what is authorized.
• The IS auditor should follow up on any unsuccessful attempted violations.

Terminal identification
• The IS auditor can inventory terminals to look for incorrectly logged, missing or additional terminals.

Logon IDs and passwords
• To test confidentiality, the IS auditor can attempt to guess passwords, find passwords by searching the office or get a user to divulge a password.
• To test encryption, the IS auditor should attempt to view the internal password table.
• To test authorization, the IS auditor should review a sample of authorization documents to determine if proper authority was provided.
Security Testing Techniques

Computer access controls
• The IS auditor should work with the system software analyst to determine if all access is on a need-to-know basis.

Computer access violations logging and reporting
• The IS auditor should attempt to access computer transactions or data for which access is not authorized. The unsuccessful attempts should be identified on security reports.

Follow-up access violations
• The IS auditor should select a sample of security reports and look for evidence of follow-up and investigation of access violations.

Bypassing security and compensating controls
• The IS auditor should work with the system software analyst, network manager, operations manager and security administrator to determine ways to bypass security.
Penetration Testing

• During penetration testing, an auditor attempts to circumvent the security features of a system and exploits
the vulnerabilities to gain access that would otherwise be unauthorized.

• Phases: Planning, then Discovery, then Attack, then Reporting. Additional discovery loops back between the Attack and Discovery phases as the test progresses.
Types of Penetration Tests

External testing Refers to attacks and control circumvention attempts on the target’s network
perimeter from outside the target’s system

Internal testing Refers to attacks and control circumvention attempts on the target from
within the perimeter

Blind testing Refers to the condition of testing when the penetration tester is provided
with limited or no knowledge of the target’s information systems

Double blind testing Refers to an extension of blind testing, because the administrator and
security staff at the target are also not aware of the test

Targeted testing Refers to attacks and control circumvention attempts on the target, while
both the target’s IT team and penetration testers are aware of the testing
activities
Threat Intelligence

• Threat intelligence is organized, analyzed and refined information about potential or current attacks that threaten an organization, provided by service providers and some CERTs.

Knowledge Check 1
An IS auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation?

A. Malware on servers

B. Firewall misconfiguration

C. Increased spam received by the email server

D. Unauthorized network activities


The correct answer is D

Unauthorized network activities—such as employee use of file or music sharing sites or online gambling or personal
email containing large files or photos—could contribute to network performance issues. Because the IS auditor
found the degraded performance during business hours, this is the most likely cause.
Security Monitoring Tools and Techniques

Intrusion Detection Systems

• Categories:
  • Network-based IDSs
  • Host-based IDSs

• Types:
  • Signature-based
  • Statistical-based
  • Neural networks

• A combination of signature- and statistical-based models provides better protection.

• Policy:
  • Terminate the access
  • Trace the access
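The slide's point that combining signature- and statistical-based models gives better protection is easiest to see on data. The following is an added Python example, not code from the deck or from any IDS product: a signature model and a statistical model run over constructed web-server log lines, and each catches a case the other misses. The log format, the two signature rules, the median/MAD baseline and the threshold factor are all assumptions made for the example (neural-network detection, the third type on the slide, is not shown).

```python
import re
import statistics
from collections import Counter

# Signature-based model: known attack patterns (regex) keyed by rule name.
# Two textbook patterns are enough to illustrate the mechanism (assumption).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
}

# Constructed sample log lines in the format "<client-ip> <request-path>".
# These are made up for the example, not data from the original deck.
SAMPLE_LOG = (
    ["10.0.0.5 /index.html", "10.0.0.5 /about.html", "10.0.0.5 /products",
     "10.0.0.7 /login", "10.0.0.7 /login",
     # a single low-volume request carrying a known traversal pattern
     "10.0.0.9 /search?q=../../etc/passwd"]
    # a noisy scanner requesting 40 distinct, innocuous-looking pages
    + [f"10.0.0.11 /page{i}" for i in range(40)]
)


def parse_line(line):
    """Split one log line into (client_ip, request_path)."""
    ip, path = line.split(" ", 1)
    return ip, path


def signature_alerts(lines):
    """Signature-based detection: flag each request matching a known pattern.
    Catches known payloads regardless of volume; misses anything novel."""
    alerts = []
    for line in lines:
        ip, path = parse_line(line)
        for rule, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, rule))
    return alerts


def statistical_alerts(lines, k=5.0):
    """Statistical-based detection: flag sources whose request volume is an
    outlier relative to the other sources. The baseline is median + k * MAD
    (median absolute deviation) rather than mean + k * stdev, because one
    large outlier would otherwise inflate the baseline enough to hide itself.
    Catches novel high-volume behaviour; misses a single crafted request."""
    counts = Counter(parse_line(line)[0] for line in lines)
    values = list(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    threshold = median + k * mad
    return [(ip, "volume-anomaly") for ip, count in counts.items()
            if count > threshold]


def combined_alerts(lines):
    """The combination the slide recommends: the union of both models,
    de-duplicated and sorted for stable reporting."""
    return sorted(set(signature_alerts(lines)) | set(statistical_alerts(lines)))


if __name__ == "__main__":
    for model in (signature_alerts, statistical_alerts, combined_alerts):
        print(f"{model.__name__}: {model(SAMPLE_LOG)}")
```

On the sample, the signature model reports only 10.0.0.9 (one known payload, far too quiet to stand out statistically) and the statistical model reports only 10.0.0.11 (40 requests that match no signature); the combined view reports both, which is the slide's argument in miniature.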


Intrusion Prevention Systems

• IPSs prevent the intended victim hosts from being affected by the attacks.

• Honeypots:
  • High-interaction
  • Low-interaction

• Honeynet – a set of linked honeypots

• A full review of all network system vulnerabilities should occur to determine whether the threats to confidentiality, integrity and availability have been identified.

• Review:
  • Security policies and procedures
  • Access controls
  • Network configuration (firewalls and segmentation)
Security Information and Event Management

• Security event management (SEM) systems automatically aggregate and correlate security event log data across multiple security devices.

• Security information and event management (SIEM) systems take the SEM capabilities and combine them with the historical analysis and reporting features of security information management (SIM) systems.

• A security operations center (SOC) consists of an organized team created to improve the security posture of an organization and to respond to cybersecurity incidents.

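What "aggregate and correlate across multiple security devices" means in practice, and what the SIM half adds, is shown by the following added Python example. It is not code from the deck or from any SIEM product: constructed events from three device types are normalized into one schema (aggregation), a rule raises an incident only when the picture spans several devices (correlation), and a per-hour count gives the historical view (SIM-style reporting). The device names, line formats, the "auth-ok" outcome and the rule thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events from three device types (firewall, VPN, SSH server).
# Formats, names and addresses are assumptions for this example, not real logs.
RAW_EVENTS = [
    "2024-05-01T09:00:01 FW deny src=203.0.113.7 dst=10.0.0.20 dport=22",
    "2024-05-01T09:00:05 VPN auth-fail user=alice src=203.0.113.7",
    "2024-05-01T09:00:08 SSH Failed password for bob from 203.0.113.7",
    "2024-05-01T09:00:11 SSH Failed password for bob from 203.0.113.7",
    "2024-05-01T09:00:15 SSH Accepted password for bob from 203.0.113.7",
    "2024-05-01T09:05:00 VPN auth-fail user=carol src=198.51.100.9",
    "2024-05-01T09:30:00 FW deny src=198.51.100.9 dst=10.0.0.21 dport=3389",
]


def normalize(line):
    """Map one device-specific line onto the common schema
    {"ts", "device", "src", "outcome"} with outcome "fail" or "success".
    Returns None for lines that carry no security outcome."""
    ts, device, rest = line.split(" ", 2)
    event = {"ts": datetime.fromisoformat(ts), "device": device}
    if device == "FW":
        m = re.match(r"(\w+) src=(\S+)", rest)
        if not m or m.group(1) != "deny":
            return None
        event.update(src=m.group(2), outcome="fail")
    elif device == "VPN":
        m = re.match(r"auth-(\w+) user=\S+ src=(\S+)", rest)
        if not m:
            return None
        event.update(src=m.group(2), outcome="success" if m.group(1) == "ok" else "fail")
    elif device == "SSH":
        m = re.match(r"(Failed|Accepted) password for \S+ from (\S+)", rest)
        if not m:
            return None
        event.update(src=m.group(2), outcome="success" if m.group(1) == "Accepted" else "fail")
    else:
        return None
    return event


def aggregate(lines):
    """SEM aggregation: normalize every line and keep those that mapped."""
    return [e for e in (normalize(line) for line in lines) if e is not None]


def correlate(events, window=timedelta(minutes=10), min_failures=3, min_devices=2):
    """SEM correlation rule: at least `min_failures` failed events from one
    source, spread over at least `min_devices` device types within `window`,
    followed by a success from the same source, raises one incident. No single
    device log shows this picture on its own, which is the point of correlating."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            prior = [p for p in evs[:i]
                     if p["outcome"] == "fail" and e["ts"] - p["ts"] <= window]
            devices = sorted({p["device"] for p in prior})
            if len(prior) >= min_failures and len(devices) >= min_devices:
                incidents.append({"rule": "credential-attack-success", "src": src,
                                  "at": e["ts"].isoformat(), "failures": len(prior),
                                  "devices": devices})
                break  # one incident per source is enough for this example
    return incidents


def hourly_report(events):
    """SIM-style historical view: event counts per (source, hour)."""
    report = defaultdict(int)
    for e in events:
        report[(e["src"], e["ts"].strftime("%Y-%m-%dT%H"))] += 1
    return dict(report)


if __name__ == "__main__":
    evs = aggregate(RAW_EVENTS)
    print(correlate(evs))
    print(hourly_report(evs))
```

For 203.0.113.7 the firewall sees one denied connection, the VPN one failed login and the SSH server two failures and then a success; only the correlated view reports a single incident with four failures across three device types. 198.51.100.9 produces events too, but no success, so the rule stays quiet and the address shows up only in the historical count.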
Knowledge Check 1
Neural networks are effective in detecting fraud because they can:

A. Discover new trends because they are inherently linear.

B. Solve problems where large and general sets of training data are not obtainable.

C. Attack problems that require consideration of a large number of input variables.

D. Make assumptions about the shape of any curve relating variables to the output.

The correct answer is C

Neural networks can be used to attack problems that require consideration of numerous input variables. They are
capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover
new trends.
Incident Response Management

Incident Response Management Plan

Evidence Collection and Forensics

Computer Forensics

• The IS auditor should give consideration to key elements of computer forensics during audit planning, including the following:
  • Data protection
  • Data acquisition
  • Imaging
  • Extraction
  • Interrogation
  • Ingestion/normalization
  • Reporting
Protection of Evidence and Chain of Custody

• The evidence of a computer crime exists in the form of log files, file time stamps, contents of memory, etc.

• Make one or more images (copies) of the attacked system.

• Memory content should also be dumped to a file before rebooting the system.

• Preserve the chain of custody.

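The acquisition and imaging steps on the Computer Forensics slide and the chain-of-custody requirement on this slide come together in the following added Python example, which is not code from the deck or from any forensic tool: a constructed "source" is imaged, both are hashed and the image is accepted only if the hashes agree, and every subsequent handoff re-hashes the evidence and refuses to extend the chain of custody if the bytes have changed. The sample bytes, item id, handler names and timestamps are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed evidence: stands in for the raw content of a small log partition
# on the attacked system. Made up for this example, not real evidence.
SAMPLE_SOURCE = (b"May  1 09:00:15 host sshd[412]: Accepted password for bob "
                 b"from 203.0.113.7 port 51022\n")


def sha256_hex(data: bytes) -> str:
    """Cryptographic digest used as the evidence fingerprint."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str       # timestamp supplied by the handler (constructed here)
    handler: str
    action: str
    digest: str     # hash verified at this handoff


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_digest: str
    custody: list = field(default_factory=list)

    def record(self, handler, action, current_bytes, when):
        """Append a chain-of-custody entry. The item is re-hashed at every
        handoff; a mismatch means the chain is broken and is refused."""
        digest = sha256_hex(current_bytes)
        if digest != self.acquisition_digest:
            raise ValueError(f"{self.item_id}: integrity failure on '{action}' by {handler}")
        self.custody.append(CustodyEntry(when, handler, action, digest))
        return digest


def acquire(item_id, description, source_bytes, examiner, when):
    """Acquisition: image the source, hash both, and accept the image only if
    its hash equals the source's. Later analysis works on the image so the
    original is never modified."""
    image = bytes(source_bytes)
    digest = sha256_hex(image)
    if digest != sha256_hex(source_bytes):
        raise ValueError("image does not match source")
    item = EvidenceItem(item_id, description, digest)
    item.custody.append(CustodyEntry(when, examiner, "acquired image", digest))
    return item, image


def verify(item, current_bytes):
    """True if the bytes still match the acquisition-time hash."""
    return sha256_hex(current_bytes) == item.acquisition_digest


def handoff(item, handler, action, current_bytes, when):
    """Record a handoff; True if the chain was extended, False if the evidence
    failed verification and the handoff was refused."""
    try:
        item.record(handler, action, current_bytes, when)
        return True
    except ValueError:
        return False


def custody_log(item):
    """Render the chain of custody as one line per entry for the report."""
    return [f"{c.when} {c.handler}: {c.action} sha256={c.digest[:16]}..."
            for c in item.custody]


def demo_chain():
    """Walk the whole workflow on the constructed sample and return the outcomes."""
    item, image = acquire("EV-001", "constructed log partition image",
                          SAMPLE_SOURCE, "examiner-a", "2024-05-01T10:00:00Z")
    transferred = handoff(item, "examiner-b", "received for analysis", image,
                          "2024-05-01T11:00:00Z")
    tampered = image + b"\x00"   # one byte appended after acquisition
    refused = not handoff(item, "examiner-c", "received", tampered, "2024-05-01T12:00:00Z")
    return {"digest": item.acquisition_digest, "intact": verify(item, image),
            "tampered_intact": verify(item, tampered), "transfer_recorded": transferred,
            "tamper_refused": refused, "entries": len(item.custody),
            "log": custody_log(item)}


if __name__ == "__main__":
    for key, value in demo_chain().items():
        print(f"{key}: {value}")
```

The hash recorded at acquisition is what later makes the image defensible: anyone who receives the item can recompute it and compare, and the custody log shows who held the evidence, when, and that it was unchanged at each step. Memory capture before reboot, the other point on the slide, has no pure-Python equivalent and is not shown.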
Knowledge Check 1
The CSIRT of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may:

A. Use this information to launch attacks.

B. Forward the security alert.

C. Implement individual solutions.

D. Fail to understand the threat.


The correct answer is A


An organization’s computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security
updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the
users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved
with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from
the same threat.
Knowledge Check 2
A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it?

A. Rewrite the hard disk with random 0s and 1s.

B. Low-level format the hard disk.

C. Demagnetize the hard disk.

D. Physically destroy the hard disk.


The correct answer is D

Physically destroying the hard disk is the most effective way to ensure that the data cannot be recovered.
Key Takeaways

Conduct audit in accordance with IS audit standards and a risk-based IS audit strategy

Evaluate problem and incident management policies and practices

Evaluate the organization's information security and privacy policies and practices

Evaluate physical and environmental controls to determine whether information assets are adequately safeguarded

Evaluate logical security controls to verify the confidentiality, integrity, and availability of information
Key Takeaways

Evaluate data classification practices for alignment with the organization's policies and applicable external requirements

Evaluate policies and practices related to asset lifecycle management

Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives

Perform technical security testing to identify potential threats and vulnerabilities

Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices
