FREE CISA Study Guide from http://ITauditSecurity.wordpress.com 1 of 40
ITauditSecurity's CISA Study Guide
For a description of this guide, guidance on using it, and some warnings, see
http://itauditsecurity.wordpress.com/2012/03/30/free-cisa-study-guide/
Table of Contents on next page
Copyright 2012, ITauditSecurity
Rev 2.0
NOTE: When this guide was created, the main sections of the exam were as follows:
IS Audit process
IT Governance
Systems & Lifecycle Mgmt
IT Service Delivery & Support
Protection of Info Assets
BCP and DRP
ISACA has since reorganized the sections, but that doesn't affect the information itself.
Quick Review Info
Yellow highlight = notes where ISACA emphasizes "CISA must know this"
Blue highlight = good-to-know info
List of key items to recite from memory:
5 Task Statements - SPCCA
10 Knowledge Statements SPGE CRP - CCC
7 Code of Ethics IPS PC DE
3 types of Standards
6 Project Mgmt IP EMC
Projects: Triple restraint: QRS & CDT
10 Audit Stages
OSI PDNTSPA
TCP/IP NDITA
Capability Maturity Model zero IRDMO
6 SDLC FRD DIP (don't forget differences if software purchased)
6 Benchmarking PROAAI
Table of Contents
Quick Review Info (p. 1)
> IS Audit Process (p. 5)
  5 Task Statements - SPCCA (p. 5)
  10 Knowledge Statements SPGE CRP - CCC (p. 5)
  7 Code of Ethics IPS PC DE (p. 5)
  Information Tech Assurance Framework (ITAF) (p. 6)
    3 types of Standards (+ Guidelines & Techniques = ITAF) (p. 6)
    Policy/Standards (p. 6)
  Misc Notes (p. 6)
  Project Mgmt (p. 6)
    Project Estimation (p. 7)
  10 Audit Stages (p. 7)
  Engagement Letter vs. Audit Charter (p. 8)
    Charter - RAA (p. 8)
    Sampling (p. 8)
  Open Systems Interconnect (OSI) Model (p. 10)
  IP Addresses (32 bits) (p. 11)
    Packet Switching (p. 11)
> IT Governance (p. 12)
    CMM vs. ISO 15504 (SPICE) PME PO (p. 13)
    Risk Management (p. 13)
    Business Process Reengineering (BPR) (p. 13)
    Risk Management (p. 14)
> Systems & System Development Life Cycle (SDLC) (p. 15)
    Alternatives to SDLC Project Organization (p. 16)
    Alternative Development Methods (p. 17)
    Physical Architecture Analysis (RADFFP) (p. 18)
  Change Control Procedures (p. 19)
    Change Management Auditing (p. 19)
    Emergency Changes (p. 19)
  Computer-aided Software Engineering (CASE) (p. 19)
    Key CASE Audit Issues (p. 19)
  Programming Languages (p. 19)
    Fourth-generation Languages (p. 19)
    4GL Types (p. 20)
  Application Controls (p. 20)
  Input Controls (p. 20)
    Input Control Techniques (p. 21)
  Processing Controls (p. 22)
  Output Controls (p. 23)
  Data Integrity (p. 24)
    Testing (p. 24)
    Data Integrity Requirements (ACID) (p. 24)
    Application Testing Methods (p. 24)
  Continuous Auditing Techniques (p. 24)
    E-commerce Risks (p. 25)
    EDI Controls (p. 25)
    Auditing EDI (p. 26)
    Digital Signatures (p. 26)
    Project Mgmt Organizational Alignment (p. 28)
> IT Service Delivery & Support (p. 28)
  IS Operations (p. 28)
  IS Hardware (p. 28)
  IS Architecture & Software (p. 28)
    Database Management System (DBMS) (p. 28)
    Database Structures (p. 29)
  Networking (p. 29)
  Wireless (p. 30)
  TCP/IP (32-bit) (p. 30)
    System Control (p. 30)
> Protection of Information Assets (p. 31)
    Key elements of Information Security Mgmt (p. 31)
    Inventory Classification (p. 31)
    Mandatory access control (MAC) (p. 31)
    Discretionary access control (DAC) (p. 31)
    Biometrics (p. 31)
    Bypassing Security Controls (p. 32)
  Wireless Security (p. 32)
  Firewalls (p. 33)
    Application Firewalls - 2 levels/types (p. 33)
    Stateful Inspection Firewalls (p. 33)
    Firewall implementations (p. 34)
  Intrusion Detection Systems (IDS) (p. 34)
    IDS Types (p. 34)
  Encryption (p. 34)
    Digital signatures (p. 35)
    Digital Envelope (p. 35)
    Encryption Risks (p. 36)
    Viruses (p. 37)
    VOIP (p. 37)
    Auditing Infosec Management Framework (p. 38)
    Computer Forensics (IPAP) (p. 38)
> BCP/DRP (p. 38)
  Difference between ISACA book and Sybex (p. 40)
> IS Audit Process
5 Task Statements - SPCCA
Develop & implement risk-based IS audit strategy
Plan specific audits
Conduct audits
Communicate issues, risks, results
Advise on risk mgmt & control practices
10 Knowledge Statements SPGE CRP - CCC
Standards/Code of Ethics
Auditing practices/techniques
Techniques to gather/preserve evidence
Evidence lifecycle (collection, protection, chain of custody)
Control objectives & controls
Risk Assessment
Audit planning & mgmt
Reporting/Communication
CSA
Continuous audit techniques
7 Code of Ethics IPS PC DE
Support the implementation of appropriate policies, standards, guidelines, and procedures for information systems. Support the use of best practices.
Perform your duties with objectivity, professional care, and due diligence in accordance with professional standards.
Serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon your profession.
Maintain privacy and confidentiality of information obtained during your audit except for required disclosure to legal authorities.
Undertake only those activities in which you are professionally competent; strive to improve your competency.
Disclose accurate results of all work and significant facts to the appropriate parties.
Support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.
Information Tech Assurance Framework (ITAF)
Provides guidance on design, conduct, and reporting of IT audit & assurance
Establishes IT audit standards
Consists of General, Performance, and Reporting standards; Guidelines; Tools & Techniques (TBA)
3 types of Standards (+ Guidelines & Techniques = ITAF)
General: guiding principles for the IT assurance profession
Performance: how to conduct IT assurance engagements
Reporting: address types of reports, means of communication, and info to be communicated
Policy/Standards
Policy, Standard, Procedure: mandatory
Guideline: discretionary
Misc Notes
Purpose of audit: challenge mgmt assertions and determine whether evidence supports mgmt claims
Types of audits:
Internal audit: own organization, scope restrictions, cannot use for licensing
External: customer auditing your organization or you auditing supplier
Independent 3rd party audit: used for licensing, certification, product approval
Compliance audit: verify presence or absence
Substantive audit: check the content/substance and integrity of a claim
Risk: the potential that a given threat will exploit vulnerabilities of an asset (or group of assets) and thereby cause harm to the organization
CobiT: Control Objectives for Information and Related Technology. A framework consisting of strategies, processes, and procedures for leading IT organizations.
Project Mgmt
Project is unique, progressive (planning starts high-level and gets more detailed), and has start and end dates.
Triple restraint: QRS
Quality
Resources (cost, time)
Scope
3 project elements: CDT
Cost/resources
Deliverables
Time/duration
5 Process groups/phases of project management: IP EMC
Initiating (2 components: scope & authorization)
Planning (detail scope, goals, deliverables)
Executing
Monitoring & Controlling
Closing
Earned value: current value of work already performed in a project
Project Estimation
Source Lines of Code (SLOC): traditional method (also Kilo LOC or KLOC); direct size-oriented measures
Thousand Delivered Source Instructions (KDSI): better with structured programming languages like BASIC, COBOL
Function Point Analysis (FPA): indirect measure
Based on number and complexity of inputs, outputs, files, interfaces, and user queries
Functions are weighted by complexity
Project Diagramming
Gantt: resource details; schedule & sequence in waterfall style (MS Project); serial view with bars & diamonds
o Shows concurrent and sequential activities
o Shows project progress and impact of completing a task early or late
PERT (Program Evaluation Review Technique): illustrates relationships between planned activities
o Critical path (minimum steps, longest route, shortest time estimate for completion)
  Activities on the critical path have no slack time; activities with no slack time are on the critical path
  Route on which a project can be shortened (accelerated) or lengthened (delayed)
o Quantitative measure for risk analysis: risk of delays, failure, and likely completion
o 3 hourly estimates for each task's effort: Optimistic, Most likely, and Pessimistic
  PERT time estimate for each task: [O + P + 4(M)] / 6
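The PERT estimate and the critical-path rule above (no slack = on the critical path), worked through in Python on a small constructed task network. This is an added example, not part of the original guide; the task names, hour estimates and dependencies are made up.

```python
"""PERT expected durations and critical path for a small task network."""

# Constructed sample project (hypothetical): task -> (optimistic, most likely,
# pessimistic hours, predecessor tasks). Values are made up for illustration.
TASKS = {
    "A": (2, 4, 6, []),
    "B": (3, 5, 13, ["A"]),
    "C": (1, 2, 3, ["A"]),
    "D": (2, 3, 4, ["B", "C"]),
    "E": (1, 1, 1, ["C"]),
    "F": (2, 4, 6, ["D", "E"]),
}


def pert_estimate(optimistic, most_likely, pessimistic):
    """Expected task duration per the guide's formula: [O + P + 4(M)] / 6."""
    return (optimistic + pessimistic + 4 * most_likely) / 6


def critical_path(tasks):
    """Run a forward and backward pass over the task network.

    Returns (project duration, per-task schedule, list of critical tasks).
    Critical tasks are those with zero slack: together they form the longest
    route through the network, which is also the shortest possible completion time.
    """
    dur = {n: pert_estimate(o, m, p) for n, (o, m, p, _) in tasks.items()}
    preds = {n: list(p) for n, (_, _, _, p) in tasks.items()}

    # Topological order so every task is scheduled after its predecessors.
    order, remaining = [], dict(preds)
    while remaining:
        ready = sorted(n for n, ps in remaining.items()
                       if all(p in order for p in ps))
        if not ready:
            raise ValueError("cycle in task dependencies")
        order.extend(ready)
        for n in ready:
            del remaining[n]

    # Forward pass: earliest start (ES) and earliest finish (EF).
    es, ef = {}, {}
    for n in order:
        es[n] = max((ef[p] for p in preds[n]), default=0.0)
        ef[n] = es[n] + dur[n]
    project_duration = max(ef.values())

    # Backward pass: latest finish (LF) and latest start (LS).
    succs = {n: [] for n in tasks}
    for n, ps in preds.items():
        for p in ps:
            succs[p].append(n)
    ls, lf = {}, {}
    for n in reversed(order):
        lf[n] = min((ls[s] for s in succs[n]), default=project_duration)
        ls[n] = lf[n] - dur[n]

    schedule = {}
    for n in order:
        slack = round(ls[n] - es[n], 6)   # LS - ES; zero means the task cannot slip
        schedule[n] = {"duration": dur[n], "es": es[n], "ef": ef[n],
                       "ls": ls[n], "lf": lf[n], "slack": slack}
    critical = [n for n in order if schedule[n]["slack"] == 0]
    return project_duration, schedule, critical


if __name__ == "__main__":
    total, sched, crit = critical_path(TASKS)
    for name, row in sched.items():
        print(f"{name}: dur={row['duration']:.2f} ES={row['es']:.1f} "
              f"LS={row['ls']:.1f} slack={row['slack']:.1f}")
    print(f"project duration {total:.1f} h; critical path {' -> '.join(crit)}")
```

For the constructed network, tasks C and E carry slack (4 h and 6 h), so only A, B, D and F form the critical path and set the 17 h completion estimate.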
Timebox Management
Define and deploy software deliverables in short/fixed period of time
Prevents cost overruns or delays from scheduled delivery
Design/development shortened due to newer development tools/techniques
10 Audit Stages
1. Approving audit charter/engagement letter
2. Preplanning audit
3. Risk Assessment
4. Determine whether audit is possible
5. Performing the actual audit
6. Gathering evidence
7. Performing audit tests
8. Analyzing results
9. Report Results
10. Follow-up activities
Engagement Letter vs. Audit Charter
Difference is auditor independence (external vs. internal audit)
Charter - RAA
Responsibility: scope with goals/objectives
Authority: right to access & audit
Accountability: agreement between auditor/Audit Committee; reporting requirements
2 foundational audit objectives:
Test control implementation to determine if adequate safeguards are implemented
Comply with legal requirements
Process technique: Shewhart - PDCA
1. Plan: is there a plan or method?
2. Do: does the work match the plan?
3. Check: is anyone monitoring the process? What is the acceptable criterion?
4. Act: how are differences identified and dealt with?
Controls
General: overall controls; all depts.
Pervasive (technology)
Detailed IS controls (tasks)
Application (most detailed, lowest level controls)
Evidence Life Cycle ICI SAP PR (chain of custody)
Identification
Collection
Initial preservation
Storage
Analysis
Post-analysis preservation storage
Presentation
Return of evidence
Sampling
Statistical/Mathematical
Random
Cell: random selection at defined intervals
Fixed interval: select every n + increment
Non-statistical
Haphazard
Compliance Testing: presence/absence
Attribute sampling: is the attribute present in the sample? Specified by rate of occurrence
Stop & Go sampling: used when few errors are expected; reduces overall sample size and effort. Auditor determines whether to stop testing or continue testing.
Discovery sampling: 100 percent sampling to detect fraud (ex: forensics).
Precision/expected error rate: acceptable margin of error between samples and subject population. Low error rate requires large sample.
Substantive Testing: content/integrity
Variable sampling: designating $ value or effectiveness (weight) of the entire subject by prorating from a smaller sample (ex: weigh a $50 bill and calculate the value of a stack of bills by total weight).
Unstratified mean estimation: projects an estimated total for the entire population
Stratified mean estimation: calculate average by grouping items (all males, all females, all over 30)
Difference estimation: determine difference between audited and unaudited claims of value.
Audit coefficient: level of confidence re: audit results. 95% & higher = high degree of confidence
Attestation: providing assurance via your signature that document contents are authentic & genuine.
Type 1 events occur before balance sheet date; Type 2 after (not auditor's responsibility to detect subsequent events)
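The three variable-sampling estimators above (unstratified mean, stratified mean, difference), worked through in Python on a constructed invoice population so the different projected totals can be compared. This is an added example, not from the original guide; the invoice ids, strata, book values and audited values are made up.

```python
"""Variable sampling estimators: project a population total from an audited sample."""

# Constructed population (hypothetical): invoice id -> (stratum, recorded/book value in $)
POPULATION = {
    "INV-01": ("small", 100), "INV-02": ("small", 120), "INV-03": ("small", 80),
    "INV-04": ("small", 110), "INV-05": ("small", 90),  "INV-06": ("small", 100),
    "INV-07": ("large", 1000), "INV-08": ("large", 1200),
    "INV-09": ("large", 900),  "INV-10": ("large", 1100),
}

# Constructed audited sample: invoice id -> value the auditor actually verified
SAMPLE = {"INV-01": 100, "INV-03": 70, "INV-07": 950, "INV-10": 1100}


def unstratified_mean_estimate(population, sample):
    """Mean-per-unit: average audited value of the sample, projected over every item."""
    avg_audited = sum(sample.values()) / len(sample)
    return avg_audited * len(population)


def stratified_mean_estimate(population, sample):
    """Project each stratum from its own sampled items, then add the strata together.

    Grouping keeps a few large invoices from distorting the estimate for the
    many small ones (the guide's 'all males, all females, all over 30' idea).
    """
    total = 0.0
    for stratum in {s for s, _ in population.values()}:
        members = [i for i, (s, _) in population.items() if s == stratum]
        audited = [sample[i] for i in members if i in sample]
        if not audited:
            raise ValueError(f"no sampled items in stratum {stratum!r}")
        total += sum(audited) / len(audited) * len(members)
    return total


def difference_estimate(population, sample):
    """Project the average (audited - book) difference and adjust the recorded total."""
    diffs = [sample[i] - population[i][1] for i in sample]
    avg_diff = sum(diffs) / len(diffs)
    book_total = sum(v for _, v in population.values())
    return book_total + avg_diff * len(population)


if __name__ == "__main__":
    print("book total      :", sum(v for _, v in POPULATION.values()))
    print("unstratified    :", unstratified_mean_estimate(POPULATION, SAMPLE))
    print("stratified      :", stratified_mean_estimate(POPULATION, SAMPLE))
    print("difference est. :", difference_estimate(POPULATION, SAMPLE))
```

With the constructed data the unstratified estimate (5550) overshoots because the two large invoices carry half the sample; stratifying (4610) and difference estimation (4650) both stay close to the recorded 4800 adjusted for the observed errors.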
Open Systems Interconnect (OSI) Model
Provides standard interface at each layer; ensures each layer does not have to be concerned about the details of how other layers operate
Each layer is self-contained and can be updated without affecting other layers
Each layer communicates with the layer above and below it, as well as virtually with the same layer on the remote system
Memory phrases (top down): 7 OSI layers = "Away Pizza Sausage Throw Not Do Please"; 4 TCP/IP layers = "Anchovies Throw I Do Nor"
7 Application (Away) = TCP/IP 4 Application (Anchovies)
  Device: Gateway
  Controls/Provides: standard interface to the network; problem solving; encryption
  Protocol: DNS
6 Presentation (Pizza) = TCP/IP 4 Application
  Headers & Data: format & data structure
  Controls/Provides: translate & display; screen formatting
5 Session (Sausage) = TCP/IP 4 Application
  Communication type: app to app
  Controls/Provides: communication sessions between applications
  Protocols: RPC; SQL database session; NFS
4 Transport (Throw) = TCP/IP 3 Transport (Throw)
  Headers & Data: message
  Communication type: host to host
  Controls/Provides: login screen
  Protocols: TCP (confirmed delivery); UDP (unconfirmed)
3 Network (Not) = TCP/IP 2 Internet/Network (I)
  Headers & Data: packet
  Device: Router
  Controls/Provides: routing, address to address
  Protocol: IP
2 Data Link (Do) = TCP/IP 1 Link, LAN/WAN interface (Do)
  Headers & Data: frame
  Device: MAC address; Switch/Bridge
  Controls/Provides: transmit & receive; flow control; error notification; order sequence
  Protocols: NetBIOS; DHCP; PPP
1 Physical (Please) = TCP/IP 1 Link (Nor)
  Headers & Data: signal
  Device: cable/wireless; Hub/Repeater; Wifi transmitter
  Controls/Provides: cable & voltage requirements; control electrical link between systems
MAC Address = 48-bit
Cables
  Coax: 185 meters, 2 pairs of wires
  UTP: < 200 ft, 4 twisted pairs
  Fiber: dense wave multiplexing
Point-to-Point Protocol (PPP)
Data link layer protocol for accessing a remote network using IP over serial lines (replaced SLIP)
IP Addresses (32 bits)
Four IPs in each subnet are lost/reserved:
Numeric name (e.g., 192.0.0.0) for routing table/network path
Starting IP
Ending IP (IPs in between start & end = IP address space)
Broadcast IP
ARP = MAC address to IP address
VLANs (require a router to access other subnets)
Port-based: specific port configured to a specific VLAN. Small networks
MAC-based: ties MAC address into VLAN, reconfigures network port on switch
Policy or rule-based: rule based on IP address or protocol in header. Switch ports reconfigure automatically
DNS Bootp using RARP!
Dedicated Phone Circuits
POTS: 56Kbs (half of ISDN circuit)
Integrated Services Digital Network (ISDN): 128Kbs, 23 channels of data, voice, video (conference); runs on POTS
Primary trunk line (T1): 28 POTS circuits, 1.544 Mbps. Charged by the mile.
Digital Subscriber Line (DSL): over POTS. 368 Kbps-1.544 Mbps.
Packet Switching
Eliminated need for dedicated lines (Internet is packet switched)
Not limited by distance
Source & destination known, path is not
Charged according to packets transmitted, not distance
Examples
X.25: foundation of modern switched networks (not popular today)
o Quality of Service (QOS)
o Permanent Virtual Circuits (PVCs): fixed path, replaced dedicated phone lines
o Switched Virtual Circuits (SVCs): path dynamic, constantly changing
Frame relay: has PVC and SVC. 1.544 to 44.5 Mbps (replaced X.25)
o Different format and functionality
o Packets arrive out of sequence, are reassembled
Asynchronous Transfer Mode (ATM)
o High speed, 155 Mbps to 1 GBps
o Cell switching and multiplexing ensures solid delivery
o Multiple concurrent data paths
Multiprotocol Label Switching (MPLS)
Protocol and routing table independent
Packet headers examined once (versus every hop in traditional layer 3 switching) and then assigned a stream/label that contains forwarding information
Piconet: "one trillionth" or very small. Small wireless ad hoc network; Bluetooth (PAN)
Syslog: no message authentication/integrity; no message delivery verification
Remote Monitoring Protocol (RMON1): monitors only Data Link/MAC layers and below
Remote Monitoring Protocol 2 (RMON2): unlike Sniffer, which monitors layers 1-3, RMON2 monitors all 7 OSI layers
> IT Governance
IT Governance: leading and monitoring IT performance & investment
Strategic alignment between IT & business
Monitoring assurance practices for executive management
Intervention to stop, modify, or fix practices as they occur
3 IT Governance management levels:
Strategic (3+ yrs)
Tactical (6 months to 2 yrs)
Operational (daily)
Balanced Scorecard CB FG
Customer
Business process
Financial
Growth & Learning
3 layers that incorporate the 4 perspectives (MMS)
Mission
Metrics
Strategy
5 Capability Maturity Model (CMM) Levels: zero IRD MO
13 to 25 months to move up a level
Idea started in auto assembly line
CMM vs. ISO 15504 (SPICE) PME PO
Level 0, Nothing. ISO 15504: Incomplete
Level 1, Initial: ad hoc, firefighting; unique and chaotic (people have the most freedom and decision making). ISO 15504: Performed
Level 2, Repeatable: documented; inspected quality; project mgmt; basic standards, processes, procedures documented. ISO 15504: Managed
Level 3, Defined: well documented and understood; lessons learned; standardization between departments; objectives, qualitative measurements, improvement procedures. ISO 15504: Established
Level 4, Managed: mgmt controls processes & adjusts; portfolio mgmt; PMO; predictable by quantitative measure (numeric measure of quality). ISO 15504: Predictable
Level 5, Optimized: continually improved to reflect business needs; least freedom, decision making; statistical process control. ISO 15504: Optimizing
Risk Management
Single Loss Expectancy (SLE) $ = Asset value (AV) $ * Exposure factor (EF) %
Annual Loss Expectancy (ALE) $ = SLE * Annual Rate of Occurrence (ARO)
Business Process Reengineering (BPR): 3 areas of improvement
1. Business efficiency
2. Improved techniques
3. New requirements
Guiding Principles
Think big: future process/end state
Incremental
Hybrid approach: top-down view of strategy, bottom-up research
Business Process Reengineering (BPR) vs. Project Mgmt vs. SDLC Chart
Columns: 6 BPR steps (EIDRRE) | 5 Project Mgmt phases (IP EMC) | 6 SDLC/Waterfall phases (FRD DIP) | Task
Envision | Initiate | Feasibility | Scope, sponsor, pick a process, goals
Initiate | - | Requirements | Stakeholder buy-in, external customer needs
Diagnose | Plan | - | Identify benchmarks, activities, resources, roles, costs, communication needs
Redesign | - | Design/Select* | Determine solutions, alternatives
- | Execute | Development/Configuration* | Build prototypes
Reconstruct | - | Implementation | Install systems, train, transition
Evaluate | Manage and Control | Post Implementation | Monitor and review; goals obtained?
- | Close | - | Lessons learned, archive files, TQM
* When software is purchased rather than developed in-house
BPR Rules
Fix only broken processes
Calculate ROI
Understand current process first
No leftovers
Role of IS in BPR
Enable new processes by improving automation
Provide IT project mgmt tools to analyze process and define requirements
Provide IT support for collaboration tools, teleconference, and specialized business user software
Help business integrate their processes with ERP
Delphi technique: blind interaction of ideas between group members
6 Benchmarking Steps PRO AAI
Plan: identify critical processes
Research: baseline data re: own processes, then that of other businesses
Observe: visit benchmark partner, collect data
Analyze: identify gaps between own and benchmark partner's processes
Adapt: translate findings into principles, strategies, action plans
Improve: link each process to improvement strategy and organizational goals
Business Impact Analysis: discovery of inner workings of a process
Process value
How process works, who does what
Shortcomings
Revenue created or supported
Project process lifetime
Risk Management
Single Loss Expectancy (SLE) = Asset value (AV) $ * Exposure factor (EF) %
Annual Loss Expectancy (ALE) = SLE * Annual Rate of Occurrence (ARO)
> Systems & System Development Life Cycle (SDLC)
Verification/Validation Model (V-model)
Identifies relationship between development and test phases
Most granular test, unit test, validates detailed design phase
Development methodology
Organization-centric: use SDLC
End-user centric: alternate approaches
SDLC/Waterfall technique - FRD DIP
See chart under Business Process Re-engineering
Feasibility
o Identify the alternatives for addressing the business need
o Business case that justifies proceeding to the next phase
o Calculate ROI
o Impact assessment: future effects on current projects/resources
Requirements
o Management/users must be involved
o Identify stakeholders and expectations
o Request for Proposal (RFP) process
o Create project schedule and resource commitments
o Create general preliminary design; use entity relationship diagram (ERD)
Design/Select (When software is purchased rather than developed in-house, the stages are Select and Configuration)
o Establish baseline of system, program, database specifications
o Implement change control for scope creep: software baselining (design freeze), version numbering
o Address security considerations
Development/Configuration*
o Includes all unit and system testing, iterations of user acceptance testing (UAT) in a secure environment to protect against changes
o Develop data conversion strategies
o Train super users
o QA activities, software QA plan, Application QA function
  Focuses on documented specifications and technology used, application works as specified in logical design; performed by IT; not functionality related
Implementation
o Final UAT
o Certification
  Assessment of management, operational, and technical controls; used to reassess risks and update security plan
o Accreditation process
  Management decision to authorize operation
  Involves accepting responsibility and accountability for system risks and system security
Post Implementation
o Assess whether system meets business requirements, has appropriate access controls, ROI achieved, lessons learned
o ROI requires a few business cycles to be completed first
o Info to be reviewed needs to be identified at project startup
Entity Relationship Diagram (ERD)
Example: http://en.wikipedia.org/wiki/File:ER_Diagram_MMORPG.png
Identifies relationships between system data
Data modeling technique that describes information needs or the type of information to be stored in a
database (helps design the data dictionary)
Entity
o Physical object such as a report, an event such as a sale or a repair service, or a concept such as a
customer transaction or order (logical construct) NOUNS
o Attributes form the keys of an entity
o Primary key uniquely identifies each instance of an entity
o Represented by rectangular boxes
Relationships
o How entities are associated VERBS
o Foreign key is one or more entity attributes that map to primary key of related entity
o Represented by diamonds
Testing
Regression - rerunning a part of the test scenario to ensure changes have not introduced new errors
Sociability - can system operate in target environment without impacting existing systems (memory, shared
DLLs)
Alternatives to SDLC Project Organization
Iterative Development
Develop in iterations or increments, with feedback after each stage
Now regarded as best practice; deals with development complexities and risks
Examples
Evolutionary - create prototype to gather/verify requirements, explore design issues (called prototyping)
Spiral - uses series of prototypes that become more detailed; risk analysis precedes each prototype
Agile - developed in short, time-boxed iterations; uses tracer-bullet approach
Evolutionary (Prototyping) Development (also called Heuristic)
Combines best of the SDLC with an iterative approach that enables developer and customer to react to risks at
each iteration
Focuses on prototyping screens and reports
Disadvantages
Leads to system extras that were not included in initial requirements (could end up functionally rich but inefficient)
Poor controls (that normally come out of traditional SDLC)
Poor change control and documentation/approvals
Agile Development
Process designed to handle changes to the system being developed or the project itself
Scrum, one of first processes, 1990s
Characteristics
Small, time-boxed iterations (plan and do 1 phase at a time)
Replanning at the end of each iteration (e.g., identify new requirements, reprioritizing)
Relies on head knowledge (vs. project documentation), frequent team meetings
Pair-wise programming: 2 people code same functions (knowledge share and quality check)
Planning and control by team members; project manager = facilitator/advocate
Validate functionality via frequent build-test cycle to limit defects
Rapid Application Development (RAD)
Well-defined methodology
Evolutionary prototypes with rigid limits on development timeframes
Small, well-trained team
Integrated power tools for development
Central repository
Iterative requirements and design workshops
Does NOT support planning or analysis of the info needs of business area/ enterprise as a whole
Stages
1. Concept definition
2. Functional design
3. Development
4. Deployment
Alternative Development Methods
Development methods (data-oriented, object-oriented) are independent of the project organization model (evolutionary, spiral, agile)
Data-Oriented System Development (DOSD)
Focuses on data and their structure in prespecified formats for download or use in other systems
Examples: stock, airline flight data
Eliminates data transformation/converting errors
Object-Oriented System Development (OOSD)
Data and procedure (instructions) are grouped in an object
Data = attributes, functionality = methods (vs. SDLC which addresses data separate from procedures)
OOSD = programming technique, NOT a software development methodology: can be used in prototyping,
waterfall, agile, etc.
Objects are created from a template called a class, which contains characteristics of the class without
reference to the data
Polymorphism: ability of objects to interpret a message differently at execution depending on objects
superclass
First OOP languages: Simula67, Smalltalk; Java boosted acceptance of OOP
Unified Modeling Language (UML)
Major Advantages
Ability to manage unrestricted variety of data types
Ability to model complex relationships
Component-Based Development
Outgrowth of OOD
Definition: assembling applications from packages of executable software that make their services available
through defined interfaces (i.e., objects, which can interact with one another regardless of language written in
or OS running)
o In-process client components - run from within a container (e.g., web browser)
o Stand-alone client components - applications that expose services to other software (e.g., Excel and
Word).
Initiated by RPCs or other network calls. Supporting technologies:
Microsofts Distributed Component Object Model (DCOM) basis for ActiveX
Common Object Request Broker Architecture (CORBA)
Java via Remote Method Invocation (RMI)
All of the above are distributed object technologies, which allow objects on distributed platforms
to interact. Also called middleware, which provides run-time services whereby
programs/objects/components can interact.
o Stand-alone server components - processes running on servers that provide standard services
o In-process server components - run on servers within containers
Microsofts Transaction Server (MTS)
Enterprise Java Beans (EJB)
Benefits
o Reduces development time & cost. Only have to code unique parts of the system.
o Improves quality. Prewritten components have already been tested.
o Allows developers to focus more on business functionality. Increases abstraction and shields low-level
programming details.
o Promotes modularity.
o Simplifies reuse. No source required, no need to know procedural or class libraries.
o Supports multiple development environments as components can interact regardless of language or OS.
o Allows combining build and buy components.
Web-Based Application Development
Extensible Markup Language (XML) is key to development
Simple Object Access Protocol (SOAP) is used to define APIs
SOAP works with any OS or programming language that supports XML
SOAP is simpler than RPCs in that modules are coupled loosely (can change one component without
changing others)
Web Services Description Language (WSDL) identifies the SOAP specification used for the modules API;
formats the SOAP messages in/out of the module. Also identifies the web service available to be used
Universal Description, Discovery, and Integration (UDDI) is used to make an entry in the UDDI directory,
which allows others to find and use the available web services
Reengineering - updating an existing system by extracting and reusing design and program components.
Reverse Engineering
Risks - software licenses usually prohibit it to protect trade secrets/programming techniques
Decompilers - depend on specific computers, OSs, and programming languages. Any changes to these require a
new decompiler.
Physical Architecture Analysis (RADFFP)
Review of existing architecture
Analysis and design
Draft functional requirements (start vendor selection)
Function requirements
Define final functional requirements
Proof of Concept
Change Control Procedures
Change Management Auditing
Program library access is restricted
Supervisory reviews occur
Changes are approved and documented
Potential impact of changes is assessed
User approves change
Programming management reviews/approves change
Implementation date on change request matches actual implementation date
Distributed systems changes are rolled out to all nodes (check for same version of software)
Emergency Changes
Emergency ID use is logged and monitored
Normal change controls are applied, often retroactively
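The change management audit points above (approvals, impact assessment, matching implementation dates, emergency ID use, consistent versions across distributed nodes) can be tested mechanically when the change system and implementation log are available as data. The following Python is an added example written for this guide, not code from ITauditSecurity or ISACA; the change records, log entries, node versions and the set of emergency IDs are constructed and assumed.

```python
# Constructed sample data, not from the guide: change requests as recorded in the
# change-management system, and the implementation log kept for the program library.
CHANGE_REQUESTS = [
    {"id": "CR-101", "user_approved": True,  "it_mgmt_approved": True,
     "impact_assessed": True,  "planned_date": "2012-03-05", "emergency": False},
    {"id": "CR-102", "user_approved": False, "it_mgmt_approved": True,
     "impact_assessed": True,  "planned_date": "2012-03-07", "emergency": False},
    {"id": "CR-103", "user_approved": True,  "it_mgmt_approved": True,
     "impact_assessed": False, "planned_date": "2012-03-09", "emergency": True},
]
IMPLEMENTATION_LOG = [
    {"change_id": "CR-101", "actual_date": "2012-03-05", "implemented_by": "deploy_svc"},
    {"change_id": "CR-102", "actual_date": "2012-03-08", "implemented_by": "deploy_svc"},
    {"change_id": "CR-103", "actual_date": "2012-03-09", "implemented_by": "fire_call_01"},
    {"change_id": None,     "actual_date": "2012-03-10", "implemented_by": "fire_call_01"},
]
# Assumption: the auditor knows which IDs are emergency ("fire call") IDs.
EMERGENCY_IDS = {"fire_call_01"}
# Software version reported by each node of a distributed system (constructed).
NODE_VERSIONS = {"node-a": "2.3.1", "node-b": "2.3.1", "node-c": "2.2.9"}


def audit_changes(requests, log, emergency_ids=EMERGENCY_IDS):
    """Return a list of (change_id, finding) for every control failure detected."""
    findings = []
    by_id = {r["id"]: r for r in requests}
    for r in requests:
        if not r["user_approved"]:
            findings.append((r["id"], "change not approved by user"))
        if not r["it_mgmt_approved"]:
            findings.append((r["id"], "change not reviewed/approved by programming management"))
        if not r["impact_assessed"]:
            findings.append((r["id"], "potential impact of change not assessed"))
    for entry in log:
        cid = entry["change_id"]
        if cid is None or cid not in by_id:
            # Implementation with no change request: an emergency ID whose use was never
            # followed by a retroactive change record, or an uncontrolled change.
            findings.append((cid, f"implemented by {entry['implemented_by']} without a change request"))
            continue
        req = by_id[cid]
        if req["planned_date"] != entry["actual_date"]:
            findings.append((cid, "implementation date does not match change request"))
        if entry["implemented_by"] in emergency_ids and not req["emergency"]:
            findings.append((cid, "emergency ID used for a non-emergency change"))
    return findings


def nodes_out_of_step(node_versions):
    """Distributed-system check: nodes not running the most common (expected) version."""
    versions = list(node_versions.values())
    expected = max(set(versions), key=versions.count)
    return sorted(n for n, v in node_versions.items() if v != expected)


if __name__ == "__main__":
    for cid, finding in audit_changes(CHANGE_REQUESTS, IMPLEMENTATION_LOG):
        print(cid, "-", finding)
    print("nodes out of step:", nodes_out_of_step(NODE_VERSIONS))
```

With the constructed data the audit raises four exceptions: CR-102 lacks user approval and was implemented a day late, CR-103 had no impact assessment, and one implementation by the emergency ID has no change request at all, which is exactly the "normal controls applied retroactively" test failing.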
Computer-aided Software Engineering (CASE)
3 categories of CASE tools
Upper CASE - describe and document business/application requirements
Middle CASE - develop the detailed design: screen/report layouts, editing criteria, data object organization,
process flow
Lower CASE - generate code and database definitions (using upper and middle CASE output)
Key CASE Audit Issues
Functional design and data elements become the source code
Users are involved
CASE methodology is defined and followed
Integrity of data between CASE products and processes is controlled and monitored
Changes to the application are reflected in stored CASE product data
Application controls are designed and included
CASE repository is secured and version control implemented
Programming Languages
1st - machine lang
2nd - assembly lang
3rd - English-like
4th - embedded database interface, prewritten utilities; programmer selects program actions (aka pseudocoding or
bytecoding)
5th - artificial intelligence; learning system/fuzzy logic/neural algorithms
Fourth-generation Languages
4GL Characteristics
Nonprocedural language - event driven, uses OOP concepts of objects, properties, and methods
Portable across OSs, computer architectures
Software facilities allow design/painting of screens, help screens, and graphical outputs
Programmer workbench concepts (integrated development environment) include filing facilities, temporary
storage, text editing, OS commands
Simple language subsets
4GL Types
Query and report generators
Embedded database 4GLs - FOCUS, RAMIS II, NOMAD 2
Relational database 4GLs - included in vendor DBMS to allow better use of DBMS product: SQL+, MANTIS,
NATURAL
Application generators - generate lower-level programming languages (3GL) like COBOL and C.
Application Controls
Definition: controls over input, processing, and output functions
Examples
Edit tests
Totals
Reconciliations
Identification/reporting of incorrect, missing, and exception data
Auditor tasks
Identify significant application components and flow of transactions
Gaining understanding of the application through documentation review and interviews
Identifying application control strengths and weaknesses
Testing controls and evaluating control environment
Reviewing application efficiency/effectiveness, and whether it meets management objectives
Input Controls
Input Authorization
Signatures on batch forms/source documents
Online access controls ensuring only authorized users can access data and perform sensitive functions
Unique passwords
Terminal/workstation identification to limit clients that can access the application
Source documents should be prenumbered and controlled
Batch Controls and Balancing
Definition: Input transactions grouped together (batched) to provide control totals.
Batch Controls
Total $ amount
Total items
Total documents
Hash totals - total of a meaningless, predetermined field (e.g., customer account numbers or zip codes) used
to detect errors or omissions; do not ensure correct employees, pay rates, etc., only errors or omissions
Balancing Controls
Batch registers - comparing manual batch totals against system reported totals
Control accounts - control account use is performed via an initial edit to determine batch totals. After
processing data to the master file, reconciliation is performed between the initial edit file totals and the
master file.
Computer agreement - application compares the batch totals recorded in the batch header with the calculated
totals and accepts/rejects the batch
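To make the four batch controls and the computer-agreement check concrete, the following Python is an added example for this guide (not code from the original author); the batch, its header totals and the keying errors are all constructed. It shows which control catches which error: an omitted document throws every total out, a transposed account number is caught only by the hash total, and a mis-keyed amount is caught only by the dollar total.

```python
# Constructed batch of input transactions (not from the guide): three source documents.
BATCH = [
    {"doc_no": 1001, "account": "4001", "amount": 250.00},
    {"doc_no": 1002, "account": "4017", "amount": 100.00},
    {"doc_no": 1003, "account": "4023", "amount": 75.50},
]
# Control totals written on the batch header form by the data control group (constructed).
BATCH_HEADER = {"total_amount": 425.50, "total_items": 3, "total_documents": 3, "hash_total": 12041}


def batch_totals(batch):
    """Compute the four batch controls from the transactions actually keyed."""
    return {
        "total_amount": round(sum(t["amount"] for t in batch), 2),
        "total_items": len(batch),
        "total_documents": len({t["doc_no"] for t in batch}),
        # Hash total: the sum of a meaningless field (account numbers). It only detects
        # errors or omissions in that field and says nothing about the amounts.
        "hash_total": sum(int(t["account"]) for t in batch),
    }


def computer_agreement(batch, header):
    """Compare computed totals with the batch header; an empty list means the batch is accepted."""
    computed = batch_totals(batch)
    return [name for name, value in header.items() if computed[name] != value]


def keyed_with_error(batch, doc_no, **changes):
    """Simulate a keying error on one document (returns a new batch, original untouched)."""
    return [dict(t, **changes) if t["doc_no"] == doc_no else dict(t) for t in batch]


if __name__ == "__main__":
    print("clean batch mismatches:", computer_agreement(BATCH, BATCH_HEADER))
    print("account transposed:", computer_agreement(keyed_with_error(BATCH, 1002, account="4071"), BATCH_HEADER))
    print("amount mis-keyed:", computer_agreement(keyed_with_error(BATCH, 1003, amount=57.50), BATCH_HEADER))
```

Note that a transaction keyed to the right account with the wrong employee or pay rate would pass all four totals, which is the limitation the guide states for hash totals.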
Error Handling and Reporting
Input Error Handling
Reject only transactions (trx) with errors
Reject the whole batch of trxs
Hold the batch in suspense (until errors corrected)
Accepting the batch and flagging error transactions
Input Control Techniques
Trx Log - of all updates, verified to source documents
Reconciliation of data
Documentation - written evidence of user, data entry, and data control procedures
Error correction procedures
o Logging of errors
o Timely corrections
o Upstream resubmission
o Approval of corrections
o Suspense file
o Error file
o Validity of corrections
Anticipation - user or control group anticipates the receipt of data
Transmittal log - of transmission or receipt of data
Cancellation of source documents - punching or marking to avoid duplicate entry
Batch Integrity
Batch established by time of day, specific terminal of entry, or individual who entered data
Supervisor reviews batch and releases for processing
Data Validation/Editing Procedures
Identifies errors, incomplete or missing data, and inconsistencies among related items.
Should occur as close to the time and point of origination as possible
Edits and Controls (types of checks)
Sequence - control numbers are sequential
Limit
Range
Validity
Reasonableness
Table lookups
Existence
Key verification - two people key the data and both sets are compared
Check digit - detects transposition and transcription errors
Completeness
Duplicate
Logical relationship
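The edit checks listed above are easiest to understand applied to real records. The following Python is an added example for this guide, not code from the original author; the timesheet records, department table and employee master are constructed. The guide does not name a check-digit algorithm, so mod-10 (Luhn) is assumed here as a representative one: it detects every single-digit transcription error and nearly all adjacent-digit transpositions.

```python
import datetime as dt

# Constructed reference data (not from the guide).
VALID_DEPTS = {"SALES", "OPS", "FIN"}           # table lookup for the dept field
EMPLOYEE_MASTER = {"1001", "1002", "1003"}     # existence check against the master file
REQUIRED = ("seq", "emp_id", "dept", "hours", "rate", "card_no", "start", "end")


def luhn_ok(number: str) -> bool:
    """Check digit test. Assumption: mod-10 (Luhn) stands in for whatever scheme a system uses."""
    total, parity = 0, len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:              # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate(records, first_seq=1):
    """Apply the edit checks to a batch of constructed timesheet records.
    Returns {seq: [error, ...]} for failing records; an empty dict means the batch is clean."""
    errors, seen, expected_seq = {}, set(), first_seq
    for rec in records:
        errs = []
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:                                            # completeness
            errs.append(f"completeness: missing {missing}")
        if rec.get("seq") != expected_seq:                     # sequence
            errs.append(f"sequence: expected {expected_seq}, got {rec.get('seq')}")
        expected_seq = (rec.get("seq") or expected_seq) + 1
        if not missing:
            if rec["hours"] > 80:                              # limit
                errs.append("limit: hours exceed 80")
            if not 0 < rec["rate"] <= 100:                     # range
                errs.append("range: rate outside 0-100")
            if rec["dept"] not in VALID_DEPTS:                 # validity / table lookup
                errs.append("validity: unknown dept")
            if rec["emp_id"] not in EMPLOYEE_MASTER:           # existence
                errs.append("existence: emp_id not on master file")
            if not luhn_ok(rec["card_no"]):                    # check digit
                errs.append("check digit: card_no fails mod-10")
            if rec["hours"] * rec["rate"] > 5000:              # reasonableness
                errs.append("reasonableness: weekly gross over 5000")
            key = (rec["emp_id"], rec["start"])
            if key in seen:                                    # duplicate
                errs.append("duplicate: same employee and week already keyed")
            seen.add(key)
            start, end = (dt.date.fromisoformat(rec[k]) for k in ("start", "end"))
            if (end - start).days != 6:                        # logical relationship
                errs.append("logical relationship: end must be 6 days after start")
        if errs:
            errors[rec.get("seq")] = errs
    return errors


# Constructed input batch: record 1 is clean, record 2 repeats record 1 with two card
# digits transposed, record 4 breaks most remaining edits (and record 3 is missing).
RECORDS = [
    {"seq": 1, "emp_id": "1001", "dept": "OPS", "hours": 40, "rate": 25.0,
     "card_no": "79927398713", "start": "2012-03-05", "end": "2012-03-11"},
    {"seq": 2, "emp_id": "1001", "dept": "OPS", "hours": 40, "rate": 25.0,
     "card_no": "79927398731", "start": "2012-03-05", "end": "2012-03-11"},
    {"seq": 4, "emp_id": "9999", "dept": "HR", "hours": 90, "rate": 120.0,
     "card_no": "79927398713", "start": "2012-03-12", "end": "2012-03-17"},
]

if __name__ == "__main__":
    for seq, errs in validate(RECORDS).items():
        print(seq, errs)
```

The edits run as close to the point of entry as possible: each record is judged on its own fields and on what has already been keyed in the batch, so a duplicate or a sequence gap is reported on the record that introduces it.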
Processing Controls
Ensure completeness and accuracy of accumulated data
Processing Control Techniques
Manual recalculations
Edit check
Run-to-run totals
Programmed controls (e.g., detects incorrect file or file version)
Reasonable verification of calculated amounts
Limit checks on calculated amounts - check using predetermined limits
Reconciliation of file totals
Exception reports
Data File Control Procedures
Ensures only authorized processing occurs
Data File Control Techniques
Before and after image reporting - shows impact trxs have on data
Maintenance error reporting and handling
Source documentation retention
Internal and external labeling of files, batches, tapes
Version usage (file or database)
Data file security
One-for-one checking - documents processed equals source documents
Prerecorded input - some data preprinted on blank input forms to reduce entry errors
Trx logs
File dating and maintenance authorization
Parity checking for transmission errors
o Vertical/column check - check on a single character
o Horizontal/longitudinal/row check - check on all the equivalent bits
Use of both checks recommended
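Why both parity checks are recommended is clearer with the errors each one misses. The following Python is an added example for this guide (not code from the original author): it computes an even parity bit per character (vertical check) and a longitudinal redundancy byte over the block (horizontal check), then injects constructed transmission errors. A single flipped bit is caught by both; two bits flipped in the same character slip past the vertical check but not the longitudinal one; two bits flipped in the same column of different characters do the reverse.

```python
def vrc_bit(byte: int) -> int:
    """Vertical redundancy check: even parity bit over one character's 8 data bits."""
    return bin(byte).count("1") % 2


def lrc_byte(block: bytes) -> int:
    """Longitudinal redundancy check: XOR of all characters, i.e. even parity per bit column."""
    lrc = 0
    for b in block:
        lrc ^= b
    return lrc


def encode(block: bytes):
    """What the sender transmits: the block, one parity bit per character, and the LRC byte."""
    return block, [vrc_bit(b) for b in block], lrc_byte(block)


def check(received: bytes, vrc_bits, lrc):
    """Receiver side: returns (vrc_ok, lrc_ok) for the received block."""
    vrc_ok = len(received) == len(vrc_bits) and all(
        vrc_bit(b) == p for b, p in zip(received, vrc_bits))
    lrc_ok = lrc_byte(received) == lrc
    return vrc_ok, lrc_ok


def flip_bits(block: bytes, positions):
    """Simulate transmission errors; positions is a list of (byte_index, bit_index)."""
    data = bytearray(block)
    for i, bit in positions:
        data[i] ^= 1 << bit
    return bytes(data)


# Constructed data block (not from the guide).
BLOCK = b"BATCH-01"


def error_scenarios(block=BLOCK):
    """Run the three error patterns and return {name: (vrc_ok, lrc_ok)}."""
    _, vrc_bits, lrc = encode(block)
    return {
        "single_bit":        check(flip_bits(block, [(0, 3)]), vrc_bits, lrc),
        "two_bits_same_char": check(flip_bits(block, [(2, 0), (2, 5)]), vrc_bits, lrc),
        "two_bits_same_col":  check(flip_bits(block, [(1, 4), (3, 4)]), vrc_bits, lrc),
    }


if __name__ == "__main__":
    for name, (v, l) in error_scenarios().items():
        print(f"{name:20s} vertical ok={v}  longitudinal ok={l}")
```

Only an error that escapes both checks at once (an even number of flips in both a row and each affected column) gets through when the two are combined, which is why the guide recommends using both.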
4 Categories of data files or database tables
System control parameters - controls edits and exception flags; changes to these files should be controlled
same as program changes
Standing data - data that seldom changes, referred to during processing (e.g., vendor names & addresses).
Changes should be authorized and logged.
Master data/balance data - running balances and totals should be adjusted only under strict approval/review
controls and logged
Trx files - controlled via validation checks, control totals, exception reports, etc.
Output Controls
Ensures delivered data is presented, formatted, and delivered consistently and securely
Logging and storage of negotiable, sensitive, and critical forms securely
Computer generation of negotiable instruments, forms, and signatures
Report distribution
o All reports logged prior to distribution
o Secure print spools to avoid deletion or redirection of print jobs
o Restricted to certain IT resources, websites, or printers
o Confidential disposal
Balancing and reconciling
Output error handling
Output report retention
Verification of receipt of reports
Risk Assessment of Application Controls
Quality of internal controls
Economic conditions
Recent accounting system changes
Time since last audit
Prior audit results
Complexity of operations
Changes in operations/environment
Changes in key positions
Time in existence
Competitive environment
Assets at risk
Staff turnover
Trx volume and trends
Regulatory agency impact
Monetary volume
Sensitivity of trxs
Impact of application failure
User Procedures Review
SOD - authority to do only one of: origination, authorization, verification, distribution (DAVO)
Authorization of input - written approval or unique passwords
o Supervisor overrides should be logged and reviewed by mgmt
o Excessive overrides may indicate validation/edit routines need improvement
Balancing
Error control and correction
Distribution of reports
Access authorizations and capabilities
o Based on job description
o Activity reports generated and reviewed (activities valid for user and occurs during authorized hours of
operations)
o Violation reports of unauthorized activities or unsuccessful access attempts
Data Integrity Testing
Cyclical testing - checking data against source documents, one section of data at a time. Whole file is
eventually checked after multiple cycles.
Data Integrity Tests
o Relational - at data element and record levels
o Referential - enforced through programmed data validation routines or by defining the input
conditions (edits), or both
Define existence relationships between database elements (primary and foreign keys)
All references to a primary key from another file (foreign key) actually exist in the original file
Data Integrity Requirements (ACID)
Atomicity - trx is completed entirely or not at all
Consistency - maintained with each trx, taking the database from one consistent state to another
Isolation - each trx is isolated and accesses only data that is part of a consistent database state
Durability - trxs that are reported complete survive subsequent HW/software failures
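The referential integrity test and the atomicity property above can both be shown against a small database. The following Python (standard-library sqlite3) is an added example for this guide, not code from the original author; the customer/order schema and rows are constructed. It runs the auditor's orphan-key query, shows the DBMS rejecting an order whose customer does not exist, and shows a two-step update being rolled back as a unit when the second step fails.

```python
import sqlite3


def build_db():
    """In-memory database with a primary/foreign key relationship (constructed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # SQLite only enforces references when told to
    con.executescript("""
        CREATE TABLE customer (cust_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE orders (
            order_id INTEGER PRIMARY KEY,
            cust_id  INTEGER NOT NULL REFERENCES customer(cust_id),
            amount   REAL NOT NULL CHECK (amount > 0)
        );
        INSERT INTO customer VALUES (1, 'Acme'), (2, 'Globex');
        INSERT INTO orders VALUES (10, 1, 100.0), (11, 2, 50.0);
    """)
    return con


def orphan_foreign_keys(con):
    """Audit query for the referential test: order rows whose cust_id has no customer row."""
    rows = con.execute("""
        SELECT o.order_id FROM orders o
        LEFT JOIN customer c ON o.cust_id = c.cust_id
        WHERE c.cust_id IS NULL""").fetchall()
    return [r[0] for r in rows]


def orphan_insert_rejected(con):
    """Referential integrity enforced by the DBMS: an order for customer 99 must be refused."""
    try:
        con.execute("INSERT INTO orders VALUES (12, 99, 10.0)")
    except sqlite3.IntegrityError:
        con.rollback()
        return True
    con.rollback()
    return False


def transfer_is_atomic(con):
    """Atomicity: step 1 succeeds, step 2 violates the CHECK constraint, so both are undone."""
    before = con.execute("SELECT SUM(amount) FROM orders").fetchone()[0]
    try:
        con.execute("UPDATE orders SET amount = amount - 60 WHERE order_id = 10")  # 100 -> 40, ok
        con.execute("UPDATE orders SET amount = amount - 60 WHERE order_id = 11")  # 50 -> -10, fails
        con.commit()
    except sqlite3.IntegrityError:
        con.rollback()   # the whole trx is abandoned, including the successful first step
    after = con.execute("SELECT SUM(amount) FROM orders").fetchone()[0]
    return before == after


if __name__ == "__main__":
    db = build_db()
    print("orphans:", orphan_foreign_keys(db))
    print("orphan insert rejected:", orphan_insert_rejected(db))
    print("partial update rolled back:", transfer_is_atomic(db))
```

The orphan query is the test an auditor runs when the application, rather than the DBMS, is trusted to enforce references; the insert test shows what enforcement by the DBMS looks like. Isolation and durability are not exercised here: the first needs concurrent sessions and the second a restart of the database after commit.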
Application Testing Methods
Snapshot - records flow of designated trxs through logic paths within programs
Mapping - identifies untested program logic and whether program statements have been executed
Tracing & tagging - shows trail of instructions executed; tagging selected trxs and using tracing to track them
Test data/deck
Base case system evaluation - uses test data to verify correct system operations (extensive test)
Parallel operation
Integrated test facility - using fictitious file with test trxs that is processed with live data
Parallel simulation - processing production data against simulated program logic
Trx selection programs - uses audit software to screen and select trxs
Embedded audit data collection - software embedded in production system used to select input and
generated trxs during production
o System control audit review file (SCARF) - auditor determines reasonableness of tests incorporated
into normal processing; provides information for further review
o Sample audit review file (SARF) - randomly selects trxs for analysis
Extended records - gathers all data affected by a particular program for review
Continuous Auditing Techniques
System control audit review file and Embedded Audit Modules (SCARF/EAM)
Snapshots - of data from input to output; trxs are tagged by applying identifiers and recording selected
information for audit review
Audit hooks - function as red flags; allow review before issues get out of hand
Integrated test facility (ITF)
Continuous and Intermittent Simulation (CIS) - system audits trxs that meet predetermined criteria
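The embedded audit data collection techniques above (SCARF/EAM selection, CIS-style predetermined criteria, and audit hooks acting as red flags) fit in a few lines of code when modelled over a transaction stream. The following Python is an added example for this guide, not code from the original author; the transactions, the selection criteria and the red-flag threshold are constructed and assumed.

```python
# Constructed production transaction stream (not from the guide).
TRANSACTIONS = [
    {"id": "T1", "user": "alice", "type": "payment", "amount": 1200.0,  "hour": 10},
    {"id": "T2", "user": "bob",   "type": "payment", "amount": 25000.0, "hour": 11},
    {"id": "T3", "user": "carol", "type": "refund",  "amount": 300.0,   "hour": 23},
    {"id": "T4", "user": "alice", "type": "payment", "amount": 900.0,   "hour": 14},
    {"id": "T5", "user": "bob",   "type": "payment", "amount": 15000.0, "hour": 2},
]
# Predetermined selection criteria embedded by the auditor (assumed values).
CRITERIA = {
    "large_amount": lambda t: t["amount"] >= 10000,
    "after_hours":  lambda t: t["hour"] < 7 or t["hour"] >= 20,
    "refund":       lambda t: t["type"] == "refund",
}
HOOK_THRESHOLD = 2   # audit hook: red-flag a user once this many of their trxs are selected


def run_with_audit_module(transactions, criteria=CRITERIA, threshold=HOOK_THRESHOLD):
    """Embedded audit module: every trx is processed normally; those meeting a predetermined
    criterion are tagged and copied to a SCARF record, and an audit hook raises a red flag
    as soon as one user accumulates `threshold` selected trxs."""
    processed, scarf, red_flags, per_user = [], [], [], {}
    for t in transactions:
        hits = [name for name, test in criteria.items() if test(t)]
        if hits:
            scarf.append({"trx_id": t["id"], "user": t["user"],
                          "amount": t["amount"], "flags": hits})
            per_user[t["user"]] = per_user.get(t["user"], 0) + 1
            if per_user[t["user"]] == threshold:
                red_flags.append(t["user"])          # audit hook fires
        processed.append(t["id"])                    # production processing is never interrupted
    return {"processed": processed, "scarf": scarf, "red_flags": red_flags}


if __name__ == "__main__":
    out = run_with_audit_module(TRANSACTIONS)
    for rec in out["scarf"]:
        print(rec)
    print("red flags:", out["red_flags"])
```

The SCARF records hold only the selected transactions and the criterion each met, which is the "information for further review" the auditor examines; the production run completes for every transaction whether or not it was selected.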
E-commerce Risks
Confidentiality
Integrity
Availability
Authentication and non-repudiation
Power shift to customers
E-commerce Audit/Control Issues (Best Practices)
Security architecture (firewalls, encryption, PKI, certificates, password mgmt)
Digital signatures
Public Key Infrastructure (PKI)
o Framework for issuing, maintaining, verifying and revoking public key certificates by a trusted party.
o Key elements
Digital certificates - Public key and info about the owner that authenticates the owner (issued
by trusted 3rd party)
Includes distinguishing username, public key, algorithm, certificate validity period
Certificate Authority (CA) - trusted provider of public/private key pairs that confirms
authenticity of the owner of the certificate (business) by issuing/signing the requestor's
certificate with the CA's private key
Registration Authority (RA) - optional entity that some CAs use to record/verify business
information needed by a CA to issue/revoke certificates
Certificate revocation list
Certification practice statement (CPS) - rules governing the CA's operations, controls, validation
methods, expectations of how certificates are to be used.
Log monitoring
Methods and procedures to identify security breaches
Protecting customer data to ensure not used for other purposes or disclosed without permission
Regular audits of security and controls
EDI Risks
Transaction authorization
Business continuity
Unauthorized access to transactions
Deletion/manipulation of transactions before or after establishment of application controls
Loss or duplication of EDI transmissions
Loss of confidentiality or improper distribution of trx by 3rd parties
EDI Controls
Message format and content standards to avoid transmission errors
Controls to ensure transmissions are converted properly for the application software
Receiving organization controls to ensure reasonableness of messages received, based on trading partners trx
history or documentation
Controls to guard against manipulation of trxs in files and archives
Procedures for ensuring messages are from authorized parties and were authorized
Dedicated transmission channels between partners to prevent tapping
Data is encrypted and digitally signed to identify source and destination
Message authentication codes are used to ensure what was sent is received.
Error handling for trxs that are nonstandard or from unauthorized parties
Business relationships are defined in trading partner agreement identifying trxs to be used, responsibilities of
both parties in handling/processing trxs, and business terms of the trxs
Auditing EDI
Encryption processes ensure CIA and nonrepudiation of trxs
Edit checks to identify erroneous, unusual, or invalid trxs prior to updating the application
Edit checks to assess trx reasonableness and validity
Trx are logged on receipt
Control totals on receipt of trxs to verify number/value of trx to be passed to the application, and reconcile
totals between applications and trading partners
Segment count totals built into trx set trailers by sender
Trx set count totals built into group headers by sender
Validity of sender against trading partner details by:
o Using control fields with a message at the trx, function, group, or interchange level, often within the
EDI header, trailer, or control record
o Using VAN sequential control numbers or reports, if applicable
o Sending acknowledgement trx to sender to verify receipt; sender matches acks against a log of EDI
messages sent.
Digital Signatures
Unique to each document; cannot be transferred or reused
Verifies sender and that document has not been altered
Based on message digest, a short, fixed length number
o Some messages have the same digest, but cant produce message from them
o 128-bit cryptographic hash
o Similar to checksum or fingerprint of the document
DES (symmetric); RSA (asymmetric public key)
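The message digest properties listed above (fixed length, cannot recover the message, any change alters it) and the EDI control "message authentication codes are used to ensure what was sent is received" can be demonstrated with the Python standard library. The following is an added example for this guide, not code from the original author; the EDI-style interchange and the shared key are constructed, and SHA-256 (a 256-bit digest) is assumed in place of the 128-bit digests the guide refers to.

```python
import hashlib
import hmac

# Constructed EDI-style interchange (not a real trading partner message).
EDI_MESSAGE = b"ISA*SENDER01*RECEIVER02*20120330*PO*850*ITEM:A100:QTY:5:PRICE:19.99~"
# Constructed key shared between the two trading partners (assumption).
SHARED_KEY = b"constructed-shared-key-for-example-only"


def digest(message: bytes) -> str:
    """Message digest: a fixed-length fingerprint of the document (SHA-256, 64 hex chars)."""
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    """Message authentication code computed by the sender with the shared key (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, received_mac: str) -> bool:
    """Receiver-side check that what was received is what was sent, by a party holding the key.
    compare_digest avoids leaking how many characters matched through timing."""
    return hmac.compare_digest(mac(key, message), received_mac)


if __name__ == "__main__":
    tag = mac(SHARED_KEY, EDI_MESSAGE)
    print("digest length:", len(digest(EDI_MESSAGE)), "(same for any message length)")
    print("intact message verifies:", verify(SHARED_KEY, EDI_MESSAGE, tag))
    altered = EDI_MESSAGE.replace(b"QTY:5:", b"QTY:50:")
    print("altered message verifies:", verify(SHARED_KEY, altered, tag))
```

A MAC proves integrity and origin only between the parties that share the key, so either of them could have produced it; a digital signature, made with the signer's private key as the guide describes, can be checked by anyone with the public key and is unique to the signer. That difference is what non-repudiation in the EDI audit points depends on.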
Risk Management for e-banking
1. Board & mgmt oversight
2. Security controls
3. Legal and reputational risk management
Purchase Order Accounting functions
Accounts payable processing
Goods received processing
Order processing
Artificial Intelligence
Languages: LISP and PROLOG
Primary components
o Inference engine
o Knowledge base
Contains subject matter facts and rules for interpreting them
Decision trees - questionnaires or choices users walk through
Semantic nets - graph which describes relationships between the nodes
o Explanation module
o Database
Also contains
o Knowledge interface - allows entry of knowledge without needing a programmer
o Data interface - enables system to collect data from nonhuman sources (other systems, like
temperatures)
Used in auditing!
Errors in system have a bigger impact, especially in health care
Decision Support Systems
Emphasizes effectiveness (right task/right decision) over efficiency (performing tasks quickly and reducing
costs)
G. Gorry-M.S. Morton framework - degree of structure in decision process & mgmt level making decision
o Decision-structure: structured, semi-structured, unstructured
Decision-structure depends on the extent it can be automated/programmed
o Mgmt-level: operational control, mgmt control, and strategic planning
Sprague-Carson framework - family tree structure
Motivated by end users
Use 4GL
Critical Success Factors (CSF)
Productivity
Quality
Economic value
Customer service
Integrated Resource Management Systems - ERP
American Standard Code for Information Interchange (ASCII)
Extended Binary-Coded Decimal Interchange Code (EBCDIC)
Project Portfolio Management Objectives
Optimization of the results of the project portfolio
Prioritizing and scheduling projects
Resource coordination
Knowledge transfer throughout the projects
PPM requires a PP database
Benefits Realization (Management) Techniques
Describe benefits mgmt
Assign measure/target
Establish measuring/tracking regimen
Document assumption
Establish key responsibilities for realization
Validate the benefits predicted in the business
Planning the benefit to be realized
Project Mgmt Organizational Alignment
Method     Authority                         Style
Influence  Not formal                        Advise on which activities to complete
Pure       Formal                            Special work area
Matrix     Shared between PM & dept heads
ISO - Internl Org for Standardization; creates internl standards
ISO 15504 PME PO / Software Process Improvement and Capability Determination (SPICE) - see CMM
ISO 9001 - quality mgmt
Requires quality manual, trained staff, managed to improve competency
ISO 9126 Software Quality Metrics - FUR PEM
Functionality of the software processes
Usability (Ease of use)
Reliability with consistent performance
Portability between environments
Efficiency
Maintainability for modifications
ISO 15489:2001 - Records Mgmt/Retention
Requires ISO 9001 quality and 140001 records mgmt compliant
Includes fundraising campaigns
Used to determine liability and sentencing during prosecution
Requires data classification
Decision Making
Critical success factors
Scenario planning
> IT Service Delivery & Support
IS Operations
Resource allocation
Standards & procedures
Process monitoring
IS Hardware
CPU = arithmetic logic unit (ALU), control unit, and internal memory
IS Architecture & Software
Database Management System (DBMS)
Primary Functions
Reduced data redundancy
Decreased access time
Security over sensitive data
Data Dictionary/Directory System
Contains index and description of all items stored in database
Defines and stores source and object forms of all data definitions in schemas and all associated mappings
One DD/DS can be used across multiple databases
Database Structures
Hierarchical
o data arranged in parent/child relationships
o one-to-many mappings
o results in duplicate data
o easy to implement, modify, and search.
o No high-level query capability; have to navigate the database
Network
o Data arranged in sets (owner record type, member record, name)
o One-to-many or one-to-one mappings
o Sets can have the same member record type
o Very complex
o No high-level query capability; have to navigate the database
Relational
o Based on sets and relational calculations (dynamic database)
o Data organized in tables (collection of rows)
Row/tuple = record
Columns/domains/attributes = fields
o Properties
Values are atomic
Rows are unique
Sequence of columns and rows insignificant
Allow control over sensitive data
o Easy to understand, query, modify
o Normalization minimizing amount of data needed and stored by eliminating data redundancy
and ensuring reference integrity
Networking
Baseband - single channel, half-duplex, entire capacity used to transmit one signal
Broadband - multiple channels, full duplex, multiple signals
Bridge - Data link (layer 2) device used to connect LANs or create separate LAN or WAN segments to reduce collision
domains
Router - Like bridges/switches, they link physically separate network segments. Block broadcast data. Software-based,
less efficient than switches. Can connect LAN and WAN.
Router does packet-switching using microprocessor; layer 3 switch does switching using ASIC hardware
Layer 4 switch - switches based on layer 3 addresses and application information (such as port #s) to provide policy-
based switching
Layer 4-7 switches - used for load balancing
Gateways - protocol converters; used between LANs and mainframes or LANs and Internet
Synchronous transmission - bits transmitted at constant speed. Sending modem uses specific character when it starts
sending data block to synchronize the receiving device. Provides maximum efficiency.
Asynchronous transmission - sender uses start and stop bit before and after each data byte. Lower efficiency, but
simpler.
Multiplexing - dividing physical circuit into multiple circuits by:
Time-division - regardless of whether data is ready to transmit
Asynchronous time division - dynamically assigned time slots as needed for transmission
Frequency - based on signal frequency
Statistical - dynamic allocation of any data channel based on criteria
Wireless
Wi-Fi Protected Access (WPA) - wireless security protocol
Wireless Application Protocol (WAP) - multi-layered protocol and technologies that provide Internet content to mobile
wireless devices (phones and PDAs).
TCP/IP (32-bit) - includes network and application support protocols
Network layer 3 = IP
Transport layer 4 = TCP/UDP
Common Gateway Interface (CGI) Script - machine-independent code run on a server that can be called & executed by
a web server; performs tasks such as processing input received from a web form
Applets - programs downloaded from web servers that run applications in browsers (most popular ones use Java,
JavaScript, Visual Basic)
Servlet - small program that runs in web server, similar to CGI program. Unlike CGI, servlets stay in memory and can
serve multiple requests
Middleware - software used by client/server applications to provide communications and other services between
applications, systems, and devices.
Services include identification, authentication, authorization, directories, and security
Resides between the application and the network
Manages the interaction between the GUI and the database back-end.
System Control
First level of control in a computer is the privileged supervisory user (root/admin).
Operating System States
Supervisory - security front end not loaded; requests are run at highest authority level without security controls.
General user/problem - security is active; system is solving problems for user.
Wait - computer busy and unable to respond to additional requests
> Protection of Information Assets
Risk - what can happen if a threat exploits a vulnerability.
Threat - who or what can cause an undesirable event.
Vulnerability - how a weakness in technology or organizational process can be exploited by a threat.
Key elements of Information Security Mgmt
Senior mgmt commitment & support
Policies and procedures
Organization (define who is responsible for protection)
Security awareness & education
Monitoring and compliance
Incident Handling & response
Inventory Classification
Identification of the asset (hardware, software, data)
Relative value to the organization
Location
Security risk/classification
Asset group, if asset forms part of larger system
Owner
Custodian
Logical security layers
Networks
Platforms (OS)
Applications
Databases
Mandatory access control (MAC)
Control that cannot be changed by normal users or data owners; they act by default; prohibitive
Changed by admins making decisions derived from policy
Example: password complexity requirements
Discretionary access control (DAC)
Controls that CAN be changed by normal users/data owners
Example: access to departmental shared folder on server
Pharming - redirecting web site traffic to a bogus site via changes in DNS or a user's hosts file
Biometrics
Something you are (fingerprint) or do (typing behavior)
Quantitative measures (% rate)
o False rejection rate (FRR, type I) - person falsely rejected access
o Failure to enroll rate (FER) - person fails to enroll successfully
o False acceptance rate (FAR, type II) - unauthorized person allowed access
o Increase in type I rate decreases the type II rate & vice versa
o Equal error rate (EER) - point at which FRR & FAR are equal. The lower the measure, the more effective the biometric
o Best response times and lowest EER: palm, hand, iris, retina, fingerprint, voice
Palm* - ridges and valleys
Hand geometry* - oldest, 3D, hand and fingers, 90 measurements
Iris - color patterns around pupil, 260 characteristics. No physical contact, high cost
Retina - blood vessel pattern, best FAR, requires close proximity, high cost
Fingerprint - low cost, size, ease of integration
Face - acceptable/friendly, but lack of uniqueness
* Socially accepted, low storage cost
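To make the FRR/FAR trade-off and the equal error rate concrete, here is an added example (not from the study guide) that sweeps a decision threshold over constructed matcher scores; the scores and thresholds are invented for illustration.

```python
# Added example (not from the study guide): computing FRR (type I), FAR (type II)
# and the equal error rate from constructed biometric matcher scores.
from typing import List, Tuple

# Constructed similarity scores, 0-100; higher means closer to the enrolled template.
GENUINE_SCORES = [88, 92, 75, 81, 95, 67, 90, 84, 79, 93]    # legitimate users
IMPOSTOR_SCORES = [35, 52, 61, 48, 70, 30, 44, 58, 66, 41]   # unauthorized users
THRESHOLDS = list(range(0, 101, 5))   # candidate decision thresholds to sweep


def frr(genuine: List[int], threshold: int) -> float:
    """Type I error: share of genuine users rejected because their score is below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: List[int], threshold: int) -> float:
    """Type II error: share of impostors accepted because their score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) per threshold; raising the threshold raises FRR and lowers FAR."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def equal_error_rate(genuine: List[int], impostor: List[int],
                     thresholds: List[int]) -> Tuple[int, float]:
    """Threshold where FRR and FAR are closest, and the error rate there (the EER).

    A lower EER means the biometric separates genuine users from impostors better."""
    best = min(thresholds, key=lambda t: abs(frr(genuine, t) - far(impostor, t)))
    return best, (frr(genuine, best) + far(impostor, best)) / 2


if __name__ == "__main__":
    for t, r, a in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold {t:3d}: FRR={r:.2f} FAR={a:.2f}")
    print("EER threshold and rate:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
```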
Single Sign-on (SSO)
Consolidation of platform-based administration, authentication, and authorization functions into a single, centralized function
Example: Kerberos, developed at MIT, Project Athena
Bypassing Security Controls
Only system software programmers should have access to:
Bypass label processing (BLP) - bypasses the reading of the file label, on which most access control rules are based, and bypasses the associated security on the file
System exits - system software feature that allows complex system maintenance. Exits often exist outside of the computer security system, so they are not restricted or logged.
Special system logon IDs - vendor provided
Wireless Security - 9 categories of overall security threats
1. Errors and omissions
2. Fraud and theft by authorized/unauthorized users
3. Employee sabotage
4. Loss of physical and infrastructure support
5. Malicious hackers
6. Industrial espionage
7. Malicious code
8. Foreign government espionage
9. Personal privacy threats
Main Wireless Threats
1. Theft
2. DoS
3. Malicious hackers
4. Industrial espionage
5. Malicious code
6. Foreign government espionage
7. Theft of service
Security Requirements
Authenticity - verification that message not changed in transit
Nonrepudiation - verification of origin or receipt of message
Accountability - actions traceable to an entity
Network availability
Scanners - strobe, jakal, asmodeous
Install local firewall, turn off scripting
Firewalls - 3 types of firewalls
router packet filtering
application
stateful inspection
Router packet filtering
first generation
examines header (source/destination IP, port number) at network layer
simple, stable performance
allows direct exchange of packets between outside/inside systems
Miniature fragment attack - fragment the IP packet into smaller ones; only the first packet will be examined, and the rest won't
Caused by default setting that passes residual packets
Firewall should drop all fragmented packets, or those with fragment offset value = 1
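As an added illustration of the two filter policies just named (drop all fragments, or drop fragments with offset 1), here is a packet-filter check that is not part of the study guide; the header fields, addresses and sample fragments are constructed.

```python
# Added example (not from the study guide): a packet-filter check for the miniature
# fragment attack. Header values and addresses below are constructed for illustration.
import struct
from typing import Dict

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
MF_FLAG = 0x2000          # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF      # fragment offset, in 8-byte units


def parse_ipv4(pkt: bytes) -> Dict[str, int]:
    """Pull the fragmentation fields out of a raw IPv4 header."""
    _v, _tos, _len, ident, flags_off, _ttl, proto, _csum, _src, _dst = IPV4_HDR.unpack_from(pkt)
    return {
        "id": ident,
        "proto": proto,
        "more_fragments": int(bool(flags_off & MF_FLAG)),
        "frag_offset": flags_off & OFFSET_MASK,
    }


def fragment_verdict(pkt: bytes, drop_all_fragments: bool = False) -> str:
    """Apply the guide's two policies: drop every fragment, or drop offset-1 fragments.

    Offset 1 places the fragment 8 bytes into the transport data, so it overlaps the TCP
    header (sequence numbers, flags) carried in the first fragment; a filter that only
    inspects the first fragment would otherwise pass the overwritten header."""
    h = parse_ipv4(pkt)
    if not h["more_fragments"] and h["frag_offset"] == 0:
        return "ACCEPT"                         # not fragmented at all
    if drop_all_fragments:
        return "DROP: fragments not permitted"
    if h["frag_offset"] == 1:
        return "DROP: offset 1 overlaps transport header"
    return "ACCEPT"


def build_ipv4(flags_off: int, payload: bytes, proto: int = 6) -> bytes:
    """Constructed test packet 10.0.0.5 -> 192.168.1.10; checksum left at zero."""
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), 0x1234, flags_off, 64, proto, 0,
                        bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    return hdr + payload


# Constructed samples: whole datagram, legitimate first fragment, offset-1 attack
# fragment, and an ordinary later fragment (offset 185 = 1480 bytes into the data).
WHOLE = build_ipv4(0, b"\x00\x50\x1f\x90" + b"A" * 16)
FIRST_FRAG = build_ipv4(MF_FLAG | 0, b"\x00\x50\x1f\x90" + b"A" * 16)
OFFSET_ONE = build_ipv4(MF_FLAG | 1, b"B" * 8)
LATER_FRAG = build_ipv4(185, b"C" * 8)
```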
Application Firewalls - 2 levels/types
application-level
circuit-level
Neither allows the direct exchange of packets between outside/inside systems
Bastion hosting: handle all requests and are highly fortified
Can secure, modify, and log all packets
Provide NAT
Application-level - analyzes traffic through a set of proxies, one for each service: http, ftp, etc.
can reduce network performance
Circuit-level - analyzes traffic through a single, general-purpose proxy
more efficient, but rare
Stateful Inspection Firewalls
Tracks destination address of packets leaving network; prevents initiation of attacks from outside
Tracks connection-oriented and connectionless packets like UDP
More efficient, faster firewall as packets are not examined in deep OSI layers
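The tracking behaviour described above (outbound flows recorded, only their replies admitted, UDP tracked alongside TCP) as an added example that is not part of the study guide; the inside prefix, addresses and ports are constructed.

```python
# Added example (not from the study guide): a minimal stateful-inspection table.
# Flows started from the inside network are recorded; inbound packets are accepted
# only when they answer a recorded flow. Addresses and ports are constructed.
from dataclasses import dataclass
from typing import List, Set, Tuple

INSIDE_PREFIX = "10.0.0."   # constructed internal network


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, str, int, str, int]   # proto, inside addr, inside port, outside addr, outside port


class StatefulFirewall:
    """Keeps state for outbound flows so that only replies to them are let back in."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    def inspect(self, p: Packet) -> str:
        if p.src.startswith(INSIDE_PREFIX):
            # Outbound: remember the flow. UDP has no handshake, so it is tracked by
            # its address/port pair exactly like TCP.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Inbound: must match a recorded outbound flow with the endpoints swapped.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"
        return "DROP"   # unsolicited connection attempt initiated from outside


def run_sample() -> List[str]:
    """Constructed traffic: a web request/reply, a DNS query/reply, two unsolicited inbound packets."""
    fw = StatefulFirewall()
    traffic = [
        Packet("tcp", "10.0.0.7", 51000, "203.0.113.10", 443),   # inside host opens HTTPS
        Packet("tcp", "203.0.113.10", 443, "10.0.0.7", 51000),   # server's reply
        Packet("udp", "10.0.0.7", 40000, "203.0.113.53", 53),    # DNS query
        Packet("udp", "203.0.113.53", 53, "10.0.0.7", 40000),    # DNS answer
        Packet("tcp", "198.51.100.9", 4444, "10.0.0.7", 22),     # unsolicited inbound SSH
        Packet("tcp", "203.0.113.10", 443, "10.0.0.8", 51000),   # "reply" to a host that never asked
    ]
    return [fw.inspect(p) for p in traffic]
```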
Firewall implementations
Screened host - packet filtering router and bastion host
Includes application firewall/proxy services
Bastion host is on the private network; packet filtering router is between Internet and private network
Requires compromise of two systems
Dual-homed firewall - more restrictive version of the screened host firewall; a dual-homed bastion host
DMZ or screened-subnet firewall - uses 2 packet filtering routers and a bastion host
Provides network (packet filtering) and application-level security with a DMZ network
Inside router manages DMZ access to the internal network, accepting traffic only from the bastion host
Requires compromise of 3 hosts; hides internal network addresses
Hardware firewalls - faster, but not as flexible or scalable
Software firewalls - slower, but more scalable
Intrusion Detection Systems (IDS) - monitor network anomalies
Network-based
Host-based - monitor modification of programs, files; detect privileged command execution
Components
o Sensors that collect data
o Analyzers that receive input and determine intrusive activity
o Administrative console
o User interface
IDS Types
Signature-based
Statistical-based - must be configured with known and expected system behaviors
Neural networks - monitors general activity, similar to statistical-based, but capable of self-learning
IDS cannot help with
Policy definition weaknesses
Application-level vulnerabilities
Backdoors in applications
Identification and authentication scheme weaknesses
Encryption - Key elements
Encryption Algorithm
Encryption Keys
Key length
Private Key Systems
Symmetric - 1 key encrypts and decrypts
Less complicated, faster
Problem is distributing key safely
RC2, RC4, IDEA, DES, AES
Data Encryption Standard (DES) - 64-bit block cipher
56-bit key (8 extra bits for parity checking)
Replaced by AES - 128-256 bit key (Rijndael, invented by Rijmen and Daemen)
o Symmetric block cipher
o Unlike DES, Rijndael has variable block and key length
o Based on round operations
Public Key Systems
Asymmetric - 2 keys, one encrypts, other decrypts
Keys created by integer factorization
Used to encrypt symmetric keys and for digital signatures
RSA (Rivest, Shamir, Adleman; invented in 1977), Diffie-Hellman, DSA, Fortezza
Encrypt with public key, decrypt only with private key - confidentiality (read only by receiver)
Encrypt with private key, decrypt with public key - authentication and non-repudiation
Encrypt with private key, then public key - confidentiality, authentication, and non-repudiation
Elliptic Curve Cryptography (ECC)
Public key variation using the discrete logarithm on an elliptic curve (2 points on curve)
Works with networked computers, smart cards, wireless phones, mobile devices
Less computational power, more security per bit (160-bit ECC = 1024-bit RSA)
Quantum Cryptography
Uses interaction of light pulses, polarization metrics
Digital signatures
Uses public key algorithm to ensure identity of sender and integrity of the data
Hash algorithm creates message digest, a smaller version of the original message
Changes variable length messages into a fixed, 128-bit length digest
Hashes are one-way functions, can't reverse
o MD5, SHA-1, SHA-256
Digital signature encrypted by sender's private key; receiver decrypts with public key, then recomputes a digital signature and compares it to the original signature
Ensure data integrity, authentication, and non-repudiation (but not confidentiality)
Vulnerable to man-in-the-middle attack
Digital Envelope
Contains data encrypted with a symmetric key and the session key (which is the symmetric key, encrypted with the receiver's public/asymmetric key)
Receiver's private key used to decrypt session key (symmetric key); symmetric key used to decrypt data.
Uses asymmetric keys to protect the data integrity, authentication, and non-repudiation gained by the symmetric key
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Session or connection-layered protocol
Provides end point authentication and confidentiality
Typically, only the server is authenticated (including the client requires PKI deployment)
Phases
o Algorithm negotiation
o Exchange of Public key and certificate-based authentication
o Symmetric cipher-based traffic encryption
Runs on layers beneath application protocols (HTTP, SMTP, NNTP) and above the TCP protocol
Uses hybrid of hashed, private, and public key cryptography to provide confidentiality, integrity, authentication (between client & server), and non-repudiation
IPSec
Runs at the network layer
Used for communicating between two or more hosts, subnets, or hosts and subnets (establishes VPNs)
Transport mode - only data portion of packet (Encapsulating Security Payload (ESP)) is encrypted - confidentiality
Tunnel mode - ESP payload (data) and header are encrypted. Additional authentication header (AH) provides non-repudiation
Uses security associations (SAs) to define the security parameters to use (algorithms, keys, initialization vectors, etc.)
Using asymmetric encryption via Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley) increases IPSec security by using key management, public keys, negotiation, use of SAs, etc.
SSH
Runs at application layer
Client/server program for encrypting command-line shell traffic used for remote logon and management.
Used to secure telnet and ftp
Secure Multipurpose Internet Mail Extensions (S/MIME)
Email protocol authenticating sender and receiver
Verifies message integrity and confidentiality, including attachments
Secure Electronic Transactions (SET)
Visa/MasterCard protocol used to secure credit card transactions
Application protocol using PKI of trusted 3rd party
Encryption Risks
Secrecy of keys is paramount
Randomness of key generation relates to how easily a key can be compromised
Tying passwords to key generation weakens the key's randomness, so it is important to use strong passwords
Viruses
Attached to programs
Self-propagating to other programs
Attack EXEs, file directory system, boot & system areas, data files
Worms
Does not attach to programs
Propagates via OS security weaknesses
Virus/Worm controls - policies (preventative) and antivirus software (detective)
Backups = vital control
VOIP
Replaces circuit switching (and associated waste of bandwidth) with packet switching
Securing VOIP is similar to securing data networks (firewalls, encryption)
Network issues take down phones also, so backup availability is a big issue
VLANs should be used to segregate VOIP infrastructure/traffic
Session Border Controllers (SBCs) provide VOIP security similar to firewalls by monitoring VOIP protocols, monitoring for DoS, and providing network address and protocol transition features
Private Branch Exchange (PBX)
In-house phone company for organization; allows 4-digit dialing, saves cost of individual phone lines to phone company's central office
PBX security different from normal OS security
o External access/control by 3rd party for updates/maintenance
o Richness of features available for attacks
PBX Controls
Physically secure PBX and telephone closets
Configure and secure separate and dedicated admin ports
Control direct inward dial (DID) lines to avoid external parties getting dial tone for free long-distance calls
Block certain long-distance numbers
Control numbers destined for faxes and modems
Use call-tracking logs
Maintenance out of Service (MOS) signaling - communication is terminated on PBX, but line may be left open for eavesdropping
Embedded passwords can be restored when system rebooted during crash recovery
Auditing Infosec Management Framework
Policies/Procedures, including Logical Access Security Policies
Security Awareness and training
Data ownership: owners, custodians, security administrator
New IT users (sign document regarding security policies/procedures)
New Data Users
Documented user authorization
Terminated users
Security baseline
Inventory (devices, applications, data)
Antivirus
Passwords
Patching
Minimizing services (turn off unneeded)
Addressing vulnerabilities
Backups
Computer Forensics (IPAP)
Identify information
Preserve - retrieving data, documenting chain of custody
Who had access to the data
How evidence gathered
Proving that analysis based on copies of original, unaltered evidence
Analyze
Present
> BCP/DRP
Starts with risk assessment
People, data, infrastructure, and other resources that support key business processes
Dangers and threats to the organization
Estimated probability of threat occurrence
BCP includes
DRP plan
Plan to restore operations to normal following disaster
Improvement of security operations
BCP Lifecycle
Create BCP policy
Business Impact Analysis (BIA)
Classification of operations and criticality
Identify IS processes that support business criticality
Develop BCP and IS DRP
Develop resumption procedures
Training and awareness programs
Test and implement plan
Monitoring
BCP Policy
Should encompass preventative, detective, and corrective controls
BCP - most critical corrective control
Incident management control
Main severity criterion is service downtime
Media backup control
BIA identifies:
Different business processes & criticality
Critical IS resources supporting critical bus