Page: ISACA ® The recognized global leaders in IT governance, control, security and assurance 1 of 132 Page: 2 of 132 2010 CISA Review Course Chapter 5 – Protection of Information Assets Page: Course Agenda • • • • • Learning Objectives Discuss Task and Knowledge Statements Discuss specific topics within the chapter Case studies Sample questions 3 of 132 Page: Exam Relevance Ensure that the CISA candidate… “Understands and can provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets.” % of Total Exam Questions The content area in this chapter will represent approximately 31% of the CISA examination (approximately 62 questions). Chapter 6 14% Chapter 1 10% Chapter 2 15% Chapter 5 31% Chapter 3 16% Chapter 4 14% 4 of 132 Page: Chapter 5 Learning Objectives • Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets • Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted • Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss • Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded • Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets 5 of 132 Page: 6 of 132 5.2 Importance of Information Security Management Security objectives to meet organization’s business requirements include : • Ensure the continued availability of their information systems • Ensure the integrity of the information stored on their computer systems • Preserve the confidentiality of sensitive data • Ensure conformity to applicable laws, regulations and standards • 
Ensure adherence to trust and obligation in relation to any information relating to an identified or identifiable individual • Preserve the confidentiality of sensitive data in store and in transit Page: 5.2.1 Key Elements of Information Security Management Key elements of information security management • Senior management commitment and support • Policies and procedures • Organization • Security awareness and education • Monitoring and compliance • Incident handling and response 7 of 132 Page: 5.2.2 Information Security Management Roles and Responsibilities Responsibilities to consider by position include: • • • • • • • • • • • • IS security steering committee Executive management Security advisory group Chief privacy officer (CPO) Chief security officer (CSO) Process owners Information assets owners and data owners Users External parties Security specialists / advisors IT developers IS auditors 8 of 132 Page: 5.2.3 Inventory and Classification of Information Assets The inventory record of each information asset should include: • • • • • • • Specific identification of assets Relative value to the organization Location Security / risk classification Asset group Owner Designated custodian 9 of 132 Page: 10 of 132 5.2.4 System Access Permission • Who has access rights and to what? • What is the level of access to be granted? • Who is responsible for determining the access rights and access levels? • What approvals are needed for access? Page: 11 of 132 Practice Question 5-1 A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the operating system (OS) prompt or as one of the menu options in an application. The BEST control to mitigate the risk of an unauthorized manipulation of data is to: A. delete the utility software and install it as and when required. B. provide access to the utility on a need-to-use basis. C. provide access to the utility to user management. D. 
define access so that the utility can be executed only in the menu option. Page: 12 of 132 5.2.5 Mandatory and Discretionary Access Controls • Mandatory – Enforces corporate security policy – Compares sensitivity of information resources • Discretionary – Enforces data owner-defined sharing of information resources Page: 13 of 132 5.2.6 Privacy Management Issues and the Role of IS Auditors Privacy impact analysis or assessments should: • Pinpoint the nature of personally identifiable information associated with business processes • Document the collection, use, disclosure and destruction of personally identifiable information • Ensure that accountability for privacy issues exists • Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk Page: 14 of 132 5.2.6 Privacy Management Issues and the Role of IS Auditors (continued) Compliance with privacy policy and laws • Identify and understand legal requirements regarding privacy from laws, regulations and contract agreements • Check whether personal data are correctly managed in respect to these requirements • Verify that the correct security measures are adopted • Review management’s privacy policy Page: 15 of 132 5.2.7 Critical Success Factors to Information Security Management • Strong commitment and support by the senior management on security training • Professional risk-based approach must be used systematically to identify sensitive and critical resources Page: 16 of 132 5.2.8 Information Security and External Parties Page: 17 of 132 5.2.8 Information Security and External Parties (continued) Page: 18 of 132 5.2.11 Security Incident Handling and Response • Planning and preparation • Detection • Initiation • Evaluation • Containment • Eradication • • • • • Response Recovery Closure Post incident review Lessons learned Page: 19 of 132 5.3 Logical Access Logical access controls are the primary means 
used to manage and protect information assets. Page: 20 of 132 5.3.1 Logical Access Exposures Technical exposures include: • • • • • • • Data leakage Wire tapping Trojan horses / backdoors Viruses Worms Logic bombs Denial-of-service attacks • • • • • • • Computer shutdown War driving Piggybacking Trap doors Asynchronous attacks Rounding down Salami technique Page: 21 of 132 5.3.2 Familiarization with the Organization’s IT Environment Security layers to be reviewed include: • The network • Operating system platform • Database and application layers Page: 22 of 132 5.3.3 Paths of Logical Access General points of entry • Network connectivity • Remote access • Operator console • Online workstations or terminals Page: 23 of 132 5.3.4 Logical Access Control Software Purpose • Prevents unauthorized access and modification to an organization’s sensitive data and use of system critical functions. Page: 24 of 132 5.3.4 Logical Access Control Software (continued) General operating systems access control functions include: • • • • • • • • User identification and authentication mechanisms Restricted logon IDs Rules for access to specific information resources Create individual accountability and auditability Create or change user profiles Log events Log user activities Report capabilities Page: 25 of 132 5.3.4 Logical Access Control Software (continued) Database and / or application-level access control functions include: • Create or change data files and database profiles • Verify user authorization at the application and transaction levels • Verify user authorization within the application • Verify user authorization at the field level for changes within a database • Verify subsystem authorization for the user at the file level • Log database / data communications access activities for monitoring access violations Page: 26 of 132 Practice Question 5-2 Which of the following BEST provides access control to payroll data being processed on a local server? A. 
Logging access to personal information B. Using separate passwords for sensitive transactions C. Using software that restricts access rules to authorized staff D. Restricting system access to business hours Page: 27 of 132 5.3.5 Identification and Authentication (continued) I&A common vulnerabilities • Weak authentication methods • Lack of confidentiality and integrity for the stored authentication information • Lack of encryption for authentication and protection of information transmitted over a network • User’s lack of knowledge on the risks associated with sharing passwords, security tokens, etc. Page: 28 of 132 5.3.5 Identification and Authentication Logon IDs and passwords • • • • Features of passwords Password syntax (format) rules Token devices, one-time passwords Biometric – Management of biometrics Page: 29 of 132 5.3.5 Identification and Authentication (continued) Best practices for logon IDs and passwords • Passwords should be a minimum of 8 characters • Passwords should be a combination of alpha, numeric, upper and lower case and special characters • Login IDs not used should be deactivated • System should automatically disconnect with no activity Page: 30 of 132 Practice Question 5-3 An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious? A. The security officer also serves as the database administrator. B. Password controls are not administered over the client-server environment. C. There is no business continuity plan for the mainframe system’s non-critical applications. D. Most local area networks (LANs) do not back up file server-fixed disks regularly. 
Page: 31 of 132 5.3.5 Identification and Authentication (continued) • Token devices, one-time passwords • Biometrics – Physically-oriented biometric – Behavior-oriented biometric Page: 32 of 132 5.3.5 Identification and Authentication (continued) Single sign-on (SSO) • The process for the consolidating all organization platform-based administration, authentication and authorization functions into a single centralized administrative function • A single sign-on interfaces with: – Client-server and distributed systems – Mainframe systems – Network security including remote access mechanisms Page: 33 of 132 5.3.5 Identification and Authentication (continued) Single sign-on (SSO) advantages • Multiple passwords are no longer required, therefore, whereby a user may be more inclined and motivated to select a stronger password • It improves an administrator’s ability to manage users’ accounts and authorizations to all associates systems • It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications • It reduces the time taken by users to log into multiple applications and platforms Page: 34 of 132 5.3.6 Identification and Authentication (continued) Single sign-on (SSO) disadvantages • Support for all major operating system environments is difficult • The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary • The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization’s information assets Page: 35 of 132 Practice Question 5-4 An organization is proposing to install a single signon facility giving access to all systems. The organization should be aware that: A. maximum unauthorized access would be possible if a password is disclosed. B. user access rights would be restricted by the additional security parameters. C. 
the security administrator’s workload would increase. D. user access rights would be increased. Page: 36 of 132 5.3.6 Authorization Issues Access restrictions at the file level include: • • • • Read, inquiry or copy only Write, create, update or delete only Execute only A combination of the above Page: 37 of 132 5.3.6 Authorization Issues (continued) Access control lists (ACLs) refer to a register of: • Users who have permission to use a particular system resource • The types of access permitted Page: 38 of 132 5.3.6 Authorization Issues (continued) Logical access security administration • Centralized environment • Decentralized environment Page: 39 of 132 5.3.6 Authorization Issues (continued) Advantages of conducting security in a decentralized environment • Security administration is onsite at the distributed location • Security issues resolved in a timely manner • Security controls are monitored frequently Page: 40 of 132 5.3.6 Authorization Issues (continued) Risks associated with distributed responsibility for security administration • Local standards might be implemented rather than those required • Levels of security management might be below what can be maintained by central administration • Unavailability of management checks and audits Page: 41 of 132 5.3.6 Authorization Issues (continued) Remote access security • Today’s organizations require remote access connectivity to their information resources for different types of users such as employees, vendors, consultants, business partners and customer representatives. 
Page: 42 of 132 5.3.6 Authorization Issues (continued) Remote access security risks include: • • • • Denial of service Malicious third parties Misconfigured communications software Misconfigured devices on the corporate computing infrastructure • Host systems not secured appropriately • Physical security issues over remote users’ computers Page: 43 of 132 5.3.6 Authorization Issues (continued) Remote access security controls include: • Policy and standards • Proper authorizations • Identification and authentication mechanisms • Encryption tools and techniques, such as the use of VPN • System and network management Page: 44 of 132 5.3.6 Authorization Issues (continued) Remote access using personal digital assistants (PDAs) • Address control issues • Inherent increased risks due to PDA lack of security Page: 45 of 132 5.3.6 Authorization Issues (continued) Access issues with mobile technology • These devices should be strictly controlled both by policy and by denial of use. Possible actions include: – Banning all use of transportable drives in the security policy – Where no authorized use of USB ports exists, disabling use with a logon script which removes them from the system directory – If they are considered necessary for business use, encrypting all data transported or saved by these devices Page: 46 of 132 5.3.6 Authorization Issues (continued) Audit logging in monitoring system access • Provides management an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute force attacks on a privileged logon ID Page: 47 of 132 Practice Question 5-5 An IS auditor reviewing the log of failed logon attempts would be MOST concerned if which of the following accounts was targeted? A. Network administrator B. System administrator C. Data administrator D. 
Database administrator Page: 48 of 132 5.3.6 Authorization Issues (continued) Tools for audit trails (logs) analysis • Audit reduction tools • Trends/variance-detection tools • Attack signature-detection tools Page: 49 of 132 5.3.6 Authorization Issues (continued) • Intrusion detection system (IDS) • Intrusion prevention system (IPS) Page: 50 of 132 5.3.7 Storing, Retrieving, Transporting and Disposing of Confidential Information Policies required for: • Backup files of databases • Data banks • Disposal of media previously used to hold confidential information • Management of equipment sent for offsite maintenance • Public agencies and organizations concerned with sensitive, critical or confidential information • E-token electronic keys • Storage records Page: 51 of 132 5.3.7 Storing, Retrieving, Transporting and Disposing of Confidential Information (continued) Policies required for: • Backup files of databases • Data banks • Disposal of media previously used to hold confidential information • Management of equipment sent for offsite maintenance • Public agencies and organizations concerned with sensitive, critical or confidential information • E-token electronic keys • Storage records Page: 52 of 132 5.3.7 Storing, Retrieving, Transporting and Disposing of Confidential Information (continued) Preserving information during shipment or storage • Recommendations applicable to all types of media – Keep out of direct sunlight – Keep free of liquids – Keep free of dust – Keep media away from exposure to magnetic fields, radio equipment or any sources of vibration – Do not transport in areas and at times of exposure to strong magnetic storm Page: 53 of 132 5.3.7 Storing, Retrieving, Transporting and Disposing of Confidential Information (continued) Media Storage Precautions Hard drives Store hard drives in antistatic bags, and be sure that the person removing them from the bag is static-free. 
If the original box and padding for the hard drive is available, use it for shipping. Avoid styrofoam packaging products or other materials that can cause static electricity. Quick drops or spikes in temperature are a danger, since such changes can lead to hard drive rashes. If the hard drive has been in a cold environment, bring it to room temperature prior to installing and using it. Avoid sudden mechanical shocks or vibrations. Magnetic media Store tapes vertically. Store tapes in acid-free containers. Write-protect tapes immediately. Floppy disks When handling the floppy, pick it up by the label. The mylar surface must never be touched. Write labels using a felt tip pen only. CDs and DVDs Handle by the edges or by the hole in the middle. Be careful not to bend the CD. Avoid long-term exposure to bright light. Store in a hard jewel case, not in soft sleeves. Page: 54 of 132 5.4 Network Infrastructure Security Communication network controls • Network control functions should be performed by technically qualified operators • Network control functions should be separated, and the duties should be rotated on a regular basis, where possible • Network control software must restrict operator access from performing certain functions (e.g., the ability to amend/delete operator activity logs) • Network control software should maintain an audit trail of all operator activities • Audit trails should be periodically reviewed by operations management to detect any unauthorized network operations activities Page: 55 of 132 5.4 Network Infrastructure Security (continued) Communication network controls (continued) • Network operation standards and protocols should be documented and made available to the operators, and should be reviewed periodically to ensure compliance • Network access by the system engineers should be monitored and reviewed closely to detect unauthorized access to the network • Analysis should be performed to ensure workload balance, fast response time and 
system efficiency • A terminal identification file should be maintained by the communications software to check the authentication of a terminal when it tries to send or receive messages • Data encryption should be used, where appropriate, to protect messages from disclosure during transmission Page: 56 of 132 5.4.1 LAN Security The IS auditor should identify and document: • • • • • • LAN topology and network design LAN administrator / LAN owner Functions performed by the LAN administrator/owner Distinct groups of LAN users Computer applications used on the LAN Procedures and standards relating to network design, support, naming conventions and data security Page: 57 of 132 5.4.2 Client-server Security Control techniques in place • • • • Securing access to data or application Use of network monitoring devices Data encryption techniques Authentication systems • Use of application level access control programs Page: 58 of 132 5.4.2 Client-server Security (continued) Client / server risks and issues • Access controls may be weak in a client-server environment • Change control and change management procedures. 
• The loss of network availability may have a serious impact on the business or service • Obsolescence of the network components • The use of modems to connect the network to other networks Page: 59 of 132 5.4.2 Client-server Security (continued) Client / server risks and issues (continued) • The connection of the network to public switched telephone networks may be weak • Changes to systems or data • Access to confidential data and data modification may be unauthorized • Application code and data may not be located on a single machine enclosed in a secure computer room, as with mainframe computing Page: 60 of 132 5.4.3 Wireless Security Threats and Risk Mitigation Threats categorization • Errors and omissions • Fraud and theft committed by authorized or unauthorized users of the system • Employee sabotage • Loss of physical and infrastructure support • Malicious hackers • Industrial espionage • Malicious code • Foreign government espionage • Threats to personal privacy Page: 61 of 132 5.4.3 Wireless Security Threats and Risk Mitigation (continued) Security requirements • • • • Authenticity Nonrepudiation Accountability Network availability Page: 62 of 132 5.4.3 Wireless Security Threats and Risk Mitigation (continued) Malicious access to WLANs • War driving • War walking • War chalking Page: 63 of 132 5.4.3 Wireless Security Threats and Risk Mitigation (continued) Malicious access to WLANs • War driving • War walking • War chalking Page: 64 of 132 5.4.4 Internet Threats and Security Network security attacks • Passive attacks • Active attacks Page: 65 of 132 5.4.4 Internet Threats and Security (continued) Passive attacks • Network analysis • Eavesdropping • Traffic analysis Page: 66 of 132 5.4.4 Internet Threats and Security (continued) Active attacks • Brute-force attack • Masquerading • Packet replay • Phishing • Message modification • Unauthorized access through the Internet or web-based services • Denial of service • Dial-in penetration attacks • E-mail bombing 
and spamming • E-mail spoofing Page: 67 of 132 5.4.4 Internet Threats and Security (continued) Active attacks • Brute-force attack • Masquerading • Packet replay • Phishing • Message modification • Unauthorized access through the Internet or web-based services • Denial of service • Dial-in penetration attacks • E-mail bombing and spamming • E-mail spoofing Page: 68 of 132 5.4.4 Internet Threats and Security (continued) Active attacks • Brute-force attack • Masquerading • Packet replay • Phishing • Message modification • Unauthorized access through the Internet or web-based services • Denial of service • Dial-in penetration attacks • E-mail bombing and spamming • E-mail spoofing Page: 69 of 132 5.4.4 Internet Threats and Security (continued) Causal factors for Internet attacks • Availability of tools and techniques on the Internet • Lack of security awareness and training • Exploitation of security vulnerabilities • Inadequate security over firewalls – Internet security controls Page: 70 of 132 5.4.4 Internet Threats and Security (continued) Causal factors for Internet attacks • Availability of tools and techniques on the Internet • Lack of security awareness and training • Exploitation of security vulnerabilities • Inadequate security over firewalls – Internet security controls Page: 71 of 132 5.4.4 Internet Threats and Security (continued) Firewall security systems • Firewall general features • Firewall types – Router packet filtering – Application firewall systems – Stateful inspection Page: 72 of 132 5.4.4 Internet Threats and Security (continued) Examples of firewall implementations • Screened-host firewall • Dual-homed firewall • Demilitarized zone (DMZ) Page: 73 of 132 5.4.4 Internet Threats and Security (continued) Examples of firewall implementations • Screened-host firewall • Dual-homed firewall • Demilitarized zone (DMZ) Page: 74 of 132 5.4.4 Internet Threats and Security (continued) Firewall issues • • • • • • A false sense of security The circumvention 
of firewall Misconfigured firewalls What constitutes a firewall Monitoring activities may not occur on a regular basis Firewall policies Page: 75 of 132 5.4.4 Internet Threats and Security (continued) • Firewall security systems • Firewall platforms – Using hardware or software – Appliances versus normal servers Page: 76 of 132 5.4.4 Internet Threats and Security (continued) Intrusion detection system (IDS) • An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies – Network-based IDS – Host-based IDS Page: 77 of 132 5.4.4 Internet Threats and Security (continued) Intrusion detection system (IDS) components • Sensors that are responsible for collecting data • Analyzers that receive input from sensors and determine intrusive activity • An administration console • A user interface Page: 78 of 132 5.4.4 Internet Threats and Security (continued) Intrusion detection systems (IDS) types include: • Signature-based • Statistical-based • Neural networks Page: 79 of 132 5.4.4 Internet Threats and Security (continued) Intrusion detection system (IDS) features • • • • • • Intrusion detection Gathering evidence on intrusive activity Automated response Security monitoring Interface with system tolls Security policy management Page: 80 of 132 Practice Question 5-6 A B-to-C e-commerce website as part of its information security program wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose? A. IDS’s B. Firewalls C. Routers D. 
Asymmetric Encryption Page: 81 of 132 5.4.4 Internet Threats and Security (continued) Honeypots and honeynets • High interaction – Give hackers a real environment to attack • Low interaction – Emulate production environments Page: 82 of 132 5.4.5 Encryption • Key elements of encryption systems – Encryption algorithm – Encryption key – Key length • Private key cryptographic systems • Public key cryptographic systems Page: 83 of 132 5.4.5 Encryption (continued) • • • • Elliptical curve cryptosystem (ECC) Quantum cryptography Advanced Encryption Standard (AES) Digital signatures Page: 84 of 132 5.4.5 Encryption (continued) Digital signatures • • • • Data integrity Authentication Nonrepudiation Replay protection Page: 85 of 132 5.4.5 Encryption (continued) Digital envelope • Used to send encrypted information and the relevant key along with it. • The message to be sent, can be encrypted by using either: – Asymmetric key – Symmetric key Page: 86 of 132 5.4.5 Encryption (continued) Public Key Infrastructure (PKI) • • • • • Digital certificates Certificate authority (CA) Registration authority (RA) Certificate revocation list (CRL) Certification practice statement (CPS) Page: 87 of 132 5.4.5 Encryption (continued) Use of encryption in OSI protocols • • • • • • Secure sockets layer (SSL) Secure Hypertext Transfer Protocol (S/HTTP) IP security SSH Secure multipurpose Internet mail extensions (S/MIME) Secure electronic transactions (SET) Page: 88 of 132 5.4.5 Encryption (continued) Use of encryption in OSI protocols • • • • • Secure sockets layer (SSL) Secure Hypertext Transfer Protocol (S/HTTP) IP security SSH Secure multipurpose Internet mail extensions (S/MIME) • Secure electronic transactions (SET) Page: 89 of 132 Practice Question 5-7 Which of the following BEST determines whether complete encryption and authentication protocols for protecting information while being transmitted exist? A. A digital signature with RSA has been implemented. B. 
Work is being done in tunnel mode with the nested services of authentication header (AH) and encapsulating security payload (ESP). C. Digital certificates with RSA are being used. D. Work is being done in transport mode with the nested services of AH and ESP. Page: 90 of 132 Practice Question 5-8 Which of the following concerns about the security of an electronic message would be addressed by digital signatures? A. Unauthorized reading B. Theft C. Unauthorized copying D. Alteration Page: 91 of 132 Practice Question 5.9 Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet? A. Digital signature B. Data Encryption Standard (DES) C. Virtual private network (VPN) D. Public key encryption Page: 92 of 132 5.4.6 Viruses Viruses attack four parts of the computer • Executable program files • The file directory system, which tracks the location of all the computer’s files • Boot and system areas, which are needed to start the computer • Data files Page: 93 of 132 5.4.6 Viruses (continued) • • • • Virus and worm controls Management procedural controls Technical controls Anti-virus software implementation strategies Page: 94 of 132 Practice Question 5-10 Which of the following is the MOST effective antivirus control? A. Scanning e-mail attachments on the mail server B. Restoring systems from clean copies C. Disabling USB ports D. 
An online antivirus scan with up-to-date virus definitions
Page: 95 of 132
5.4.7 Voice-Over IP
VoIP security issues
• Inherent poor security – The current Internet architecture does not provide the same physical wire security as the phone lines
• The key to securing VoIP – Security mechanisms such as those deployed in data networks (e.g., firewalls, encryption) to emulate the security level currently used by PSTN network users
Page: 96 of 132
5.5.2 Auditing Logical Access
When evaluating logical access controls the IS auditor should:
• Obtain a general understanding of the security risks facing information processing
• Document and evaluate controls over potential access paths into the system
• Test controls over access paths to determine whether they are functioning and effective
• Evaluate the access control environment to determine if the control objectives are achieved
• Evaluate the security environment to assess its adequacy
Page: 97 of 132
5.5.3 Techniques for Testing Security
• Terminal cards and keys
• Terminal identification
• Logon IDs and passwords
• Controls over production resources
• Logging and reporting access violations
• Follow-up access violations
• Bypassing security and compensating controls
Page: 100 of 132
5.6 Auditing Network Infrastructure Security
• Review network diagrams
• Identify the network design implemented
• Determine that applicable security policies, standards, procedures and guidance on network management and usage exist
• Identify who is responsible for security and operation of Internet connections
• Identify legal problems arising from the Internet
• Review service level agreements (SLAs) if applicable
• Review network administrator procedures
Page: 101 of 132
5.6.1 Auditing Remote Access
• Assess remote access points of entry
• Test dial-up access controls
• Test the logical controls
• Evaluate remote access approaches for cost-effectiveness, risk and business requirements
Page: 102 of 132
5.6.1 Auditing Remote Access (continued)
Audit Internet points of presence:
• E-mail
• Marketing
• Sales channel / electronic commerce
• Channel of delivery for goods / services
• Information gathering
Page: 103 of 132
5.6.1 Auditing Remote Access (continued)
Audit scope should identify network penetration tests:
• Precise IP addresses / ranges to be tested
• Hosts restricted
• Acceptable testing techniques
• Acceptance of proposed methodology from management
• Attack simulation details
Page: 104 of 132
5.6.1 Auditing Remote Access (continued)
Audit should also include:
• Full network assessment reviews
• Development and authorization of network changes
• Unauthorized changes
• Computer forensics
Page: 105 of 132
5.7.1 Environmental Issues and Exposures
Power failures:
• Total failure (blackout)
• Severely reduced voltage (brownout)
• Sags, spikes and surges
• Electromagnetic interference (EMI)
Page: 106 of 132
5.7.2 Controls for Environmental Exposures
• Alarm control panels
• Water detectors
• Handheld fire extinguishers
• Manual fire alarms
• Smoke detectors
• Fire suppression systems
• Strategically locating the computer room
• Regular inspection by fire department
Page: 107 of 132
5.7.2 Controls for Environmental Exposures (continued)
• Fireproof walls, floors and ceilings of the computer room
• Electrical surge protectors
• Uninterruptible power supply / generator
• Emergency power-off switch
• Power leads from two substations
• Wiring placed in electrical panels and conduit
• Inhibited activities within the IPF
• Fire-resistant office materials
• Documented and tested emergency evacuation plans
Page: 108 of 132
5.8.1 Physical Access Issues and Exposures
• Unauthorized entry
• Damage, vandalism or theft to equipment or documents
• Copying or viewing of sensitive or copyrighted information
• Alteration of sensitive equipment and information
• Public disclosure of sensitive information
• Abuse of data processing resources
• Blackmail
• Embezzlement
Page: 109 of 132
5.8.1 Physical Access Issues and Exposures (continued)
Possible perpetrators include employees who are:
• Disgruntled
• On strike
• Threatened by disciplinary action or dismissal
• Addicted to a substance or gambling
• Experiencing financial or emotional problems
• Notified of their termination
Page: 110 of 132
5.8.2 Physical Access Controls
• Bolting door locks
• Combination door locks (cipher locks)
• Electronic door locks
• Biometric door locks
• Manual logging
• Electronic logging
Page: 111 of 132
5.8.2 Physical Access Controls (continued)
• Identification badges (photo IDs)
• Video cameras
• Security guards
• Controlled visitor access
• Bonded personnel
• Deadman doors
Page: 112 of 132
5.8.2 Physical Access Controls (continued)
• Not advertising the location of sensitive facilities
• Computer workstation locks
• Controlled single entry point
• Alarm system
• Secured report / document distribution cart
• Windows
Page: 113 of 132
5.8.3 Auditing Physical Access
• Touring the information processing facility (IPF)
• Testing of physical safeguards
Page: 114 of 132
5.10.1 Case Study A Scenario
Management is currently considering ways in which to enhance the physical security and protection of its data center. The IS auditor has been asked to assist in this process by evaluating the current environment and making recommendations for improvement.
The data center consists of 15,000 square feet (1,395 square meters) of raised flooring on the ground floor of the corporate headquarters building.
Page: 115 of 132
5.10.1 Case Study A Scenario (continued)
A total of 22 operations personnel require regular access. Currently, access to the data center is obtained using a proximity card, which is assigned to each authorized individual. There are three entrances to the data center, each of which utilizes a card reader and has a camera monitoring the entrance. These cameras feed their signals to a monitor at the building reception desk, which cycles through these images along with views from other cameras inside and outside the building.
Page: 116 of 132
5.10.1 Case Study A Scenario (continued)
Two of the doors to the data center also have key locks that bypass the electronic system so that a proximity card is not required for entry. Use of proximity cards is written to an electronic log. This log is retained for 45 days. During the review, the IS auditor noted that 64 proximity cards are currently active and issued to various personnel. The data center has no exterior windows, although one wall is glass and overlooks the entry foyer and reception area for the building.
Page: 117 of 132
Case Study A Question 1
Which of the following risks would be mitigated by supplementing the proximity card system with a biometric scanner to provide two-factor authentication?
A. Piggybacking or tailgating
B. Sharing access cards
C. Failure to log access
D. Copying of keys
Page: 118 of 132
Case Study A Question 2
Which of the following access mechanisms would present the GREATEST difficulty in terms of user acceptance?
A. Hand geometry recognition
B. Fingerprints
C. Retina scanning
D. Voice recognition
Page: 119 of 132
5.10.2 Case Study B Scenario
A company needed to enable remote access to one of its servers for remote maintenance purposes. Firewall policy did not allow any external access to the internal systems. Therefore, it was decided to install a modem on that server and to activate the remote access service to permit dial-up access. As a control, a policy was implemented whereby the modem is manually powered on only when the third party requests access to the server, and powered off by the company’s system administrator when the access is no longer needed. As more and more systems are being maintained remotely, the company is asking an IS auditor to evaluate the current risks of the existing solution and to propose the best strategy for addressing future connectivity requirements.
Page: 120 of 132
Case Study B Question 1
What test is MOST important for the IS auditor to perform as part of the review of dial-up access controls?
A. Dial the server from authorized and unauthorized telephone lines
B. Determine bandwidth requirements of remote maintenance and the maximum line capacity
C. Check if the availability of the line is guaranteed to allow remote access at any time
D. Check if call back is not used and the cost of calls is charged to the third party
Page: 121 of 132
Case Study B Question 2
What is the MOST significant risk that the IS auditor should evaluate regarding the existing remote access practice?
A. Modem is not powered on / off whenever it is needed
B. A non-disclosure agreement was not signed by the third party
C. Data exchanged over the line is not encrypted
D. Firewall controls are bypassed
Page: 122 of 132
Case Study B Question 3
Which of the following recommendations is MOST likely to reduce the current level of remote access risks?
A. Maintain an access log with the date and time when the modem was powered on / off
B. Encrypt the traffic over the telephone line
C. Migrate the dial-up access to an Internet VPN solution
D. Update firewall policies and implement an IDS system
Page: 123 of 132
Case Study B Question 4
What control should be implemented to prevent an attack on the internal network being initiated through an Internet VPN connection?
A. Firewall rules are periodically reviewed
B. All VPNs terminate at a single concentrator
C. An IDS capable of analyzing encrypted traffic is implemented
D. Antivirus software is installed on all production servers
Page: 124 of 132
5.10.3 Case Study C Scenario
“My Music” is a company dedicated to the production and distribution of video clips specializing in jazz music. Born in the Internet era, the company has actively supported the use of notebook computers by its staff so they can use them when traveling and when working from home. Through the Internet they can access the company databases and provide online information to customers. This decision has resulted in an increase in productivity and high morale among employees, who are allowed to work up to two days a week from home.
Page: 125 of 132
5.10.3 Case Study C Scenario (continued)
Based on written procedures and a training course, employees learn security procedures to avoid the risk of unauthorized access to company data. Employees’ access to the company data includes using logon IDs and passwords to the application server through a VPN. Initial passwords are assigned by the security administrator. When the employee logs on for the first time, the system forces a password change to improve confidentiality. Management is currently considering ways to improve security protection for remote access by employees. The IS auditor has been asked to assist in this process by evaluating the current environment and making recommendations for improvement.
Page: 126 of 132
Case Study C Question 1
Which of the following levels provides a higher degree of protection in applying access control software to avoid unauthorized access risks?
A. Network and operating system level
B. Application level
C. Database level
D. Log file level
Page: 127 of 132
Case Study C Question 2
When an employee notifies the company that he has forgotten his password, what should be done FIRST by the security administrator?
A. Allow the system to randomly generate a new password
B. Verify the user’s identification through a challenge / response system
C. Provide the employee with the default password and explain that it should be changed as soon as possible
D. Ask the employee to move to the administrator terminal to generate a new password in order to assure confidentiality
Page: 128 of 132
5.10.4 Case Study D Scenario
A major financial institution has just implemented a centralized banking solution (CBS) in one of its branches. It has a secondary concern to look after marketing of the bank. Employees of a separate legal entity work on the bank premises, but they have no access to the bank’s solution software. Employees of other branches get training on this solution from this branch, and for training purposes temporary access credentials are also given to such employees.
Page: 129 of 132
5.10.4 Case Study D Scenario (continued)
IS auditors observed that employees of the separate legal entity also access the CBS software through the branch employees’ access credentials. IS auditors also observed that there are numerous active IDs of employees who got training from the branch and have since been transferred to their original branch.
Page: 130 of 132
Case Study D Question 1
Which of the following should an IS auditor recommend to effectively eliminate such password sharing?
A. Assimilation of the security need to keep passwords secret
B. Stringent rules prohibiting sharing of passwords
C. Use of smart cards along with strong passwords
D. Use of smart cards along with an employee’s terminal ID
Page: 131 of 132
Case Study D Question 2
Which of the following BEST addresses user ID management of trainee employees?
A. Unused user IDs shall be automatically deleted periodically
B. To integrate access rights with the human resource process
C. Passwords of unused but active user IDs shall be suspended
D. Active user ID register shall be checked frequently
Page: 132 of 132
Conclusion
• Quick Reference Review – Page 292 of the CISA Review Manual 2010
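Two of the audit tests in this chapter lend themselves to a small, repeatable script: the 5.5.3 items "logging and reporting access violations" and "follow-up access violations", and the Case Study D findings (an ID used by more than one person, and trainee or transferred employees whose IDs stay active). The Python below is an added example written for this page; it is not ISACA course material or any product's code. The HR roster, the list of active CBS accounts, the logon records and the review date are constructed, and the thresholds (three failed logons inside five minutes, 90 days of dormancy, 07:00 to 19:00 business hours) are assumptions an auditor would agree with management.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed HR roster: status and, for trainees, when their access should end.
HR_ROSTER = {
    "jsmith": {"status": "active", "expires": None},
    "rkumar": {"status": "transferred", "expires": date(2010, 3, 31)},
    "apatel": {"status": "trainee", "expires": date(2010, 9, 30)},
    "mlee": {"status": "active", "expires": None},
}

# Constructed list of active CBS accounts with their last successful logon.
ACTIVE_ACCOUNTS = {
    "jsmith": date(2010, 6, 14),
    "rkumar": date(2010, 6, 12),  # trainee transferred back, ID still active
    "apatel": date(2010, 6, 13),
    "mlee": date(2010, 2, 1),     # unused for months but still active
    "tmp017": date(2010, 6, 10),  # no HR record at all
}

AS_OF = date(2010, 6, 15)  # constructed review date

# Constructed logon records: "<ISO timestamp> <user> <terminal> <OK|FAIL>".
LOG_LINES = """\
2010-06-14T08:02:11 jsmith T-101 OK
2010-06-14T08:03:40 jsmith T-117 OK
2010-06-14T08:05:02 jsmith T-101 OK
2010-06-14T09:10:00 rkumar T-205 OK
2010-06-14T09:11:30 mlee T-110 FAIL
2010-06-14T09:11:45 mlee T-110 FAIL
2010-06-14T09:12:01 mlee T-110 FAIL
2010-06-14T09:12:20 mlee T-110 FAIL
2010-06-14T22:40:09 tmp017 T-301 OK
"""


def parse_log(text):
    """Turn the raw records into dicts with a datetime, user, terminal and outcome."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "terminal": terminal, "ok": result == "OK"})
    return events


def review_user_ids(roster, accounts, as_of, dormant_days=90):
    """Flag active IDs with no HR backing, an expired entitlement, or no recent use."""
    findings = {"orphaned": [], "expired": [], "dormant": []}
    for user, last_logon in sorted(accounts.items()):
        hr = roster.get(user)
        if hr is None:
            findings["orphaned"].append(user)  # nobody in HR owns this ID
            continue
        expires = hr["expires"]
        if hr["status"] == "transferred" or (expires is not None and expires < as_of):
            findings["expired"].append(user)  # training over or moved branch
        if (as_of - last_logon).days > dormant_days:
            findings["dormant"].append(user)  # unused but still active
    return findings


def report_violations(events, fail_threshold=3, window=timedelta(minutes=5),
                      business_hours=(7, 19)):
    """Report repeated failures, one ID on several terminals at once, and off-hours use."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    report = {"repeated_failures": {}, "concurrent_terminals": {}, "after_hours": []}
    for user, evs in by_user.items():
        # Largest number of failed logons that fall inside any single window.
        fails = [e["ts"] for e in evs if not e["ok"]]
        worst = 0
        for i, start in enumerate(fails):
            worst = max(worst, sum(1 for t in fails[i:] if t - start <= window))
        if worst >= fail_threshold:
            report["repeated_failures"][user] = worst

        # Successful logons from different terminals inside one window are the
        # shared-credential pattern observed in Case Study D.
        oks = [e for e in evs if e["ok"]]
        for i, first in enumerate(oks):
            terminals = {e["terminal"] for e in oks[i:] if e["ts"] - first["ts"] <= window}
            if len(terminals) > 1:
                report["concurrent_terminals"].setdefault(user, set()).update(terminals)

        # Any attempt outside the assumed business hours goes to follow-up.
        for e in evs:
            if not business_hours[0] <= e["ts"].hour < business_hours[1]:
                report["after_hours"].append((user, e["ts"].isoformat()))

    report["concurrent_terminals"] = {u: sorted(t) for u, t in report["concurrent_terminals"].items()}
    return report


def audit():
    """Run both reviews over the constructed data and return the findings."""
    return {"ids": review_user_ids(HR_ROSTER, ACTIVE_ACCOUNTS, AS_OF),
            "violations": report_violations(parse_log(LOG_LINES))}


if __name__ == "__main__":
    for section, findings in audit().items():
        print(section, findings)
```

Each finding maps back to a slide: the orphaned and expired IDs are the Case Study D recommendation to tie access rights to the HR process, the dormant ID is the "unused but active" case in Question 2, and the violation report is the evidence an auditor would ask for when checking that access violations are logged, reported and followed up. In a real engagement the roster and account list would be exported from HR and from the CBS rather than typed in, and the thresholds would be taken from the organization's own security policy.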