cisa study guide

Upload: satyapriya-panigrahi

Post on 10-Oct-2015


  • FREE CISA Study Guide from http://ITauditSecurity.wordpress.com 1 of 40

ITauditSecurity's CISA Study Guide

For a description of this guide, guidance on using it, and some warnings, see

http://itauditsecurity.wordpress.com/2012/03/30/free-cisa-study-guide/

Table of Contents on next page

Copyright 2012, ITauditSecurity

Rev 2.0

NOTE: When this guide was created, the main sections of the exam were as follows:
- IS Audit process
- IT Governance
- Systems & Lifecycle Mgmt
- IT Service Delivery & Support
- Protection of Info Assets
- BCP and DRP

ISACA has since reorganized the sections, but that doesn't affect the information itself.

Quick Review Info

Yellow highlight = notes where ISACA emphasizes that a CISA must know this

Blue highlight = good-to-know info

List of key items to recite from memory:
- 5 Task Statements - SPCCA
- 10 Knowledge Statements - SPGE CRP - CCC
- 7 Code of Ethics - IPS PC DE
- 3 types of Standards
- 6 Project Mgmt - IP EMC
- Projects: Triple restraint: QRS & CDT
- 10 Audit Stages
- OSI - PDNTSPA
- TCP/IP - NDITA
- Capability Maturity Model - zero IRD MO
- 6 SDLC - FRD DIP (don't forget differences if software purchased)
- 6 Benchmarking - PRO AAI

Table of Contents

Quick Review Info
> IS Audit Process
  5 Task Statements - SPCCA
  10 Knowledge Statements - SPGE CRP - CCC
  7 Code of Ethics - IPS PC DE
  Information Tech Assurance Framework (ITAF)
    3 types of Standards (+ Guidelines & Techniques = ITAF)
    Policy/Standards
  Misc Notes
  Project Mgmt
    Project Estimation
  10 Audit Stages
  Engagement Letter vs. Audit Charter
    Charter - RAA
    Sampling
  Open Systems Interconnect (OSI) Model
  IP Addresses (32 bits)
    Packet Switching
> IT Governance
    CMM vs. ISO 15504 (SPICE) - PME PO
    Risk Management
    Business Process Reengineering (BPR)
> Systems & System Development Life Cycle (SDLC)
    Alternatives to SDLC Project Organization
    Alternative Development Methods
    Physical Architecture Analysis (RADFFP)
  Change Control Procedures
    Change Management Auditing
    Emergency Changes
  Computer-aided Software Engineering (CASE)
    Key CASE Audit Issues
  Programming Languages
    Fourth-generation Languages
    4GL Types
  Application Controls
  Input Controls
    Input Control Techniques
  Processing Controls
  Output Controls
  Data Integrity
    Testing
    Data Integrity Requirements (ACID)
    Application Testing Methods
  Continuous Auditing Techniques
    E-commerce Risks
    EDI Controls
    Auditing EDI
    Digital Signatures
    Project Mgmt Organizational Alignment
> IT Service Delivery & Support
  IS Operations
  IS Hardware
  IS Architecture & Software
    Database Management System (DBMS)
    Database Structures
  Networking
  Wireless
  TCP/IP (32-bit)
    System Control
> Protection of Information Assets
    Key elements of Information Security Mgmt
    Inventory Classification
    Mandatory access control (MAC)
    Discretionary access control (DAC)
    Biometrics
    Bypassing Security Controls
  Wireless Security
  Firewalls
    Application Firewalls - 2 levels/types
    Stateful Inspection Firewalls
    Firewall implementations
  Intrusion Detection Systems (IDS)
    IDS Types
  Encryption
    Digital signatures
    Digital Envelope
    Encryption Risks
    Viruses
    VOIP
    Auditing Infosec Management Framework
    Computer Forensics (IPAP)
> BCP/DRP
  Difference between ISACA book and Sybex

    > IS Audit Process

5 Task Statements - SPCCA
- Develop & implement risk-based IS audit Strategy
- Plan specific audits
- Conduct audits
- Communicate issues, risks, results
- Advise on risk mgmt & control practices

10 Knowledge Statements - SPGE CRP - CCC
- Standards/Code of Ethics
- Auditing practices/techniques
- Techniques to gather/preserve evidence
- Evidence lifecycle (collection, protection, chain of custody)
- Control objectives & controls
- Risk assessment
- Audit planning & mgmt
- Reporting/communication
- CSA
- Continuous audit techniques

7 Code of Ethics - IPS PC DE
- Support the implementation of appropriate policies, standards, guidelines, and procedures for information systems.
- Perform your duties with objectivity, professional care, and due diligence in accordance with professional standards.
- Support the use of best practices.
- Serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon your profession.
- Maintain privacy and confidentiality of information obtained during your audit except for required disclosure to legal authorities.
- Undertake only those activities in which you are professionally competent; strive to improve your competency.
- Disclose accurate results of all work and significant facts to the appropriate parties.
- Support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.


Information Tech Assurance Framework (ITAF)
- Provides guidance on design, conduct, and reporting of IT audit & assurance
- Establishes IT audit standards
- Consists of General, Performance, and Reporting standards; Guidelines; Tools & Techniques (TBA)

3 types of Standards (+ Guidelines & Techniques = ITAF)
- General - guiding principles for the IT assurance profession
- Performance - how to conduct IT assurance engagements
- Reporting - addresses types of reports, means of communication, and info to be communicated

Policy/Standards
- Policy, Standard, Procedure - mandatory
- Guideline - discretionary

Misc Notes
- Purpose of audit: challenge mgmt assertions and determine whether evidence supports mgmt claims
- Types of audits:
  o Internal audit - own organization, scope restrictions, cannot be used for licensing
  o External - customer auditing your organization, or you auditing a supplier
  o Independent 3rd-party audit - used for licensing, certification, product approval
  o Compliance audit - verify presence or absence
  o Substantive audit - check the content/substance and integrity of a claim
- Risk - the potential that a given threat will exploit vulnerabilities of an asset (or group of assets) and thereby cause harm to the organization
- CobiT - Control Objectives for Information and Related Technology. A framework consisting of strategies, processes, and procedures for leading IT organizations.

Project Mgmt
- A project is unique, progressive (planning starts high-level and gets more detailed), and has start and end dates.
- Triple restraint: QRS
  o Quality
  o Resources (cost, time)
  o Scope
- 3 project elements: CDT
  o Cost/resources
  o Deliverables
  o Time/duration
- 5 Process groups/phases of project management - IP EMC
  1. Initiating (2 components: scope & authorization)
  2. Planning (detail scope, goals, deliverables)
  3. Executing
  4. Monitoring & Controlling
  5. Closing
- Earned value - current value of work already performed in a project


Project Estimation
- Source Lines of Code (SLOC) - traditional method (also Kilo LOC or KLOC); direct, size-oriented measure
- Thousand Delivered Source Instructions (KDSI) - better with structured programming languages like BASIC, COBOL
- Function Point Analysis (FPA) - indirect measure
  o Based on number and complexity of inputs, outputs, files, interfaces, and user queries
  o Functions are weighted by complexity

Project Diagramming
- Gantt: resource details; schedule & sequence in waterfall style (MS Project); serial view w/ bars & diamonds
  o Shows concurrent and sequential activities
  o Shows project progress and the impact of completing a task early or late
- PERT (Program Evaluation Review Technique): illustrates relationships between planned activities
  o Critical path (minimum steps, longest route, shortest time estimate for completion)
    - Activities on the critical path have no slack time; activities w/ no slack time are on the critical path
    - The route on which a project can be shortened (accelerated) or lengthened (delayed)
  o Quantitative measure for risk analysis: risk of delays, failure, and likely completion
  o 3 hourly estimates for each task's effort: Optimistic (O), Most likely (M), and Pessimistic (P)
  o PERT time estimate for each task: (O + P + 4M) / 6
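A worked example of the PERT estimate and the critical-path rule above, added here as an illustration and not part of the original guide. It applies the guide's per-task formula to every task of a constructed five-task network (task names, hour estimates and dependencies are invented), runs a forward and a backward pass, and reports the project duration, each task's slack, and the zero-slack tasks that make up the critical path; it generalises the guide's single-task formula to a whole dependency graph.

```python
"""PERT three-point estimates plus critical-path analysis.
Added example; task data below are constructed, not from the study guide."""
from typing import Dict, List, Tuple

# Constructed sample network: task -> (Optimistic, Most likely, Pessimistic) hours.
TASKS: Dict[str, Tuple[float, float, float]] = {
    "A_scope":  (2, 4, 12),
    "B_design": (4, 6, 8),
    "C_build":  (10, 14, 30),
    "D_test":   (3, 5, 7),
    "E_train":  (1, 2, 3),
}
# Constructed dependencies: task -> tasks that must finish before it can start.
PREDECESSORS: Dict[str, List[str]] = {
    "A_scope":  [],
    "B_design": ["A_scope"],
    "C_build":  ["B_design"],
    "D_test":   ["C_build"],
    "E_train":  ["B_design"],
}


def pert_estimate(o: float, m: float, p: float) -> float:
    """Expected task time per the guide's formula: (O + P + 4M) / 6."""
    return (o + p + 4 * m) / 6


def topological_order(preds: Dict[str, List[str]]) -> List[str]:
    """Order tasks so every predecessor comes first; reject cyclic input."""
    order: List[str] = []
    done: set = set()
    remaining = set(preds)
    while remaining:
        ready = sorted(t for t in remaining if set(preds[t]) <= done)
        if not ready:
            raise ValueError("dependency cycle: no task is ready")
        order.extend(ready)
        done.update(ready)
        remaining -= set(ready)
    return order


def critical_path(tasks, preds):
    """Forward pass (early start/finish) and backward pass (late start/finish).
    Returns (project duration, slack per task, critical path in order)."""
    duration = {t: pert_estimate(*tasks[t]) for t in tasks}
    order = topological_order(preds)
    early_start, early_finish = {}, {}
    for t in order:
        early_start[t] = max((early_finish[p] for p in preds[t]), default=0.0)
        early_finish[t] = early_start[t] + duration[t]
    project_end = max(early_finish.values())
    successors = {t: [s for s in tasks if t in preds[s]] for t in tasks}
    late_start, late_finish = {}, {}
    for t in reversed(order):
        late_finish[t] = min((late_start[s] for s in successors[t]), default=project_end)
        late_start[t] = late_finish[t] - duration[t]
    # Slack = how long a task may slip without delaying the project;
    # zero-slack tasks are, by definition, the critical path.
    slack = {t: round(late_start[t] - early_start[t], 6) for t in tasks}
    path = [t for t in order if slack[t] == 0]
    return project_end, slack, path


if __name__ == "__main__":
    end, slack, path = critical_path(TASKS, PREDECESSORS)
    print(f"project duration: {end:.1f} h")
    print("critical path:", " -> ".join(path))
    for t, s in slack.items():
        print(f"  {t:10s} slack {s:5.1f} h")
```

With the constructed data the estimates are 5, 6, 16, 5 and 2 hours, the project takes 32 hours, and only the training task (E_train) carries slack, so the critical path is A -> B -> C -> D. Shortening any task on that path shortens the project; shortening E_train does not, which is the point the guide makes about slack.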

Timebox Management
- Define and deploy software deliverables in a short/fixed period of time
- Prevents cost overruns or delays from scheduled delivery
- Design/development shortened due to newer development tools/techniques

10 Audit Stages
1. Approving audit charter/engagement letter
2. Preplanning audit
3. Risk assessment
4. Determine whether audit is possible
5. Performing the actual audit
6. Gathering evidence
7. Performing audit tests
8. Analyzing results
9. Report results
10. Follow-up activities


Engagement Letter vs. Audit Charter
- Difference is auditor independence (external vs. internal audit)

Charter - RAA
- Responsibility - scope with goals/objectives
- Authority - right to access & audit
- Accountability - agreement between auditor/Audit Committee; reporting requirements

2 foundational audit objectives:
- Test control implementation to determine if adequate safeguards are implemented
- Comply with legal requirements

Process technique - Shewhart PDCA
1. Plan - is there a plan or method?
2. Do - does the work match the plan?
3. Check - is anyone monitoring the process? What is the acceptable criterion?
4. Act - how are differences identified and dealt with?

Controls
- General - overall controls; all depts.
- Pervasive (technology)
- Detailed IS controls (tasks)
- Application (most detailed, lowest-level controls)

Evidence Life Cycle - ICI SAP PR (chain of custody)
1. Identification
2. Collection
3. Initial preservation
4. Storage
5. Analysis
6. Post-analysis preservation storage
7. Presentation
8. Return of evidence

Sampling
- Statistical/Mathematical
  o Random
  o Cell - random selection at defined intervals
  o Fixed interval - select every n + increment
- Non-statistical
  o Haphazard

Compliance Testing - presence/absence
- Attribute sampling - is the attribute present in the sample? Specified by rate of occurrence
- Stop & Go sampling - used when few errors are expected; reduces overall sample size and effort. Auditor determines whether to stop testing or continue testing.
- Discovery sampling - 100 percent sampling to detect fraud (ex: forensics).
- Precision/expected error rate - acceptable margin of error between samples and subject population. A low error rate requires a large sample.


Substantive Testing - content/integrity
- Variable sampling - designating the $ value or effectiveness (weight) of the entire subject by prorating from a smaller sample (ex: weigh a $50 bill and calculate the value of a stack of bills by total weight).
  o Unstratified mean estimation - projects an estimated total for the entire population
  o Stratified mean estimation - calculate the average by grouping items (all males, all females, all over 30)
  o Difference estimation - determine the difference between audited and unaudited claims of value.
- Audit coefficient - level of confidence re: audit results. 95% & higher = high degree of confidence
- Attestation - providing assurance via your signature that document contents are authentic & genuine.
- Type 1 events occur before the balance sheet date; Type 2 after (not the auditor's responsibility to detect subsequent events)
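To make the sampling vocabulary of the compliance and substantive testing sections concrete, here is an added example (constructed data, not part of the original guide) that implements the attribute-sampling deviation check from compliance testing together with the three substantive estimators named above: unstratified mean, stratified mean and difference estimation. Population sizes, book values, sample items and the tolerable deviation rate are invented for the example.

```python
"""Audit sampling estimators. Added example with constructed data."""
from statistics import mean
from typing import Dict, Sequence, Tuple


def attribute_deviation_rate(sample: Sequence[bool], tolerable_rate: float) -> Tuple[float, bool]:
    """Compliance (attribute) sampling: each item is True when the control
    attribute is present. Returns (observed deviation rate, within tolerance?)."""
    deviations = sum(1 for present in sample if not present)
    rate = deviations / len(sample)
    return rate, rate <= tolerable_rate


def unstratified_mean_estimate(sample_values: Sequence[float], population_size: int) -> float:
    """Project the sample mean across the whole population."""
    return mean(sample_values) * population_size


def stratified_mean_estimate(strata: Dict[str, Tuple[Sequence[float], int]]) -> float:
    """Estimate each stratum from its own sample, then sum the strata.
    strata: name -> (sampled values from that stratum, number of items in it)."""
    return sum(mean(values) * size for values, size in strata.values())


def difference_estimate(book_total: float, sample_pairs: Sequence[Tuple[float, float]],
                        population_size: int) -> float:
    """Project the average (audited - recorded) difference over the population
    and apply it to the unaudited book total."""
    diffs = [audited - recorded for recorded, audited in sample_pairs]
    return book_total + mean(diffs) * population_size


# Constructed sample data (not from the guide).
CONTROL_SAMPLE = [True] * 48 + [False] * 2           # 50 items, 2 lack the required approval
INVOICE_SAMPLE = [120.0, 80.0, 100.0, 90.0, 110.0]   # drawn from a population of 1,000 invoices
STRATA = {
    "small": ([50.0, 70.0, 60.0], 800),               # 800 small invoices, 3 sampled
    "large": ([500.0, 700.0], 200),                   # 200 large invoices, 2 sampled
}
BOOK_TOTAL = 100_000.0
AUDITED_PAIRS = [(100.0, 95.0), (200.0, 200.0), (50.0, 40.0)]  # (recorded, audited)


def run_all() -> Dict[str, float]:
    """Run every estimator on the constructed data and collect the results."""
    rate, ok = attribute_deviation_rate(CONTROL_SAMPLE, tolerable_rate=0.05)
    return {
        "deviation_rate": rate,
        "within_tolerance": ok,
        "unstratified": unstratified_mean_estimate(INVOICE_SAMPLE, 1000),
        "stratified": stratified_mean_estimate(STRATA),
        "difference": difference_estimate(BOOK_TOTAL, AUDITED_PAIRS, 1000),
    }


if __name__ == "__main__":
    for name, value in run_all().items():
        print(f"{name:18s} {value}")
```

The stratified estimate (168,000) differs sharply from what an unstratified projection of the same mixed population would give, which is why the guide lists stratification separately: grouping like items before averaging stops a few large invoices from distorting the projection. The difference estimate (95,000) expresses the audit finding as an adjustment to the recorded total rather than as a fresh total.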


Open Systems Interconnect (OSI) Model
- Provides a standard interface at each layer; ensures each layer does not have to be concerned about the details of how other layers operate
- Each layer is self-contained and can be updated without affecting other layers
- Each layer communicates with the layer above and below it, as well as virtually with the same layer on the remote system

| Memory phrase | OSI layer (7) | TCP/IP layer (4) | Memory phrase | Headers & data / device | Communication type | Layer controls / provides | Protocols |
|---|---|---|---|---|---|---|---|
| Away | 7 Application | 4 Application | Anchovies | Gateway | Application to Application | Standard interface to the network; problem solving; encryption | DNS |
| Pizza | 6 Presentation | | | | Format & data structure | Translate & display; screen formatting | |
| Sausage | 5 Session | | | | App to App | Communication sessions between applications | RPC; SQL database session; NFS |
| Throw | 4 Transport | 3 Transport | Throw | Message | Host to Host | Login screen | TCP (confirmed delivery); UDP (unconfirmed) |
| Not | 3 Network | 2 Internet/Network | I | Packet; Router | Address to Address | Routing | IP |
| Do | 2 Data Link | 1 Link (LAN/WAN interface) | Do | Frame; MAC address; Switch/Bridge | Transmit & Receive | Flow control; error notification; order sequence | NetBIOS; DHCP; PPP |
| Please | 1 Physical | | Nor | Signal; Cable/Wireless; Hub/Repeater; WiFi transmitter | | Cable & voltage requirements; control electrical link between systems | |

MAC Address = 48-bit

Cables
- Coax - 185 meters, 2 pairs of wires
- UTP - < 200 ft, 4 twisted pairs
- Fiber - dense wave multiplexing


Point-to-Point Protocol (PPP)
- Data link layer protocol for accessing a remote network using IP over serial lines (replaced SLIP)

IP Addresses (32 bits)
- Four IPs in each subnet are lost/reserved
- Numeric name (e.g., 192.0.0.0) for routing table/network path
- Starting IP
- Ending IP (IPs in between start & end = IP address space)
- Broadcast IP
- ARP = MAC address to IP address
- VLANs (require a router to access other subnets)
  o Port-based: specific port configured to a specific VLAN. Small networks
  o MAC-based: ties MAC address into VLAN, reconfigures network port on switch
  o Policy or rule-based: rule based on IP address or protocol in header. Switch ports reconfigure automatically
- DNS
- Bootp - using RARP!
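An added example, not from the guide, that computes the address-space figures listed above (network address, first and last host, broadcast, usable count) with Python's standard ipaddress module, and applies a constructed rule-based VLAN assignment of the kind described in the policy/rule-based bullet. The subnets, rules and VLAN numbers are invented for the example; the module treats only the network and broadcast addresses as reserved, so the first and last usable hosts are reported separately.

```python
"""Subnet address-space summary and rule-based VLAN assignment.
Added example; networks, rules and VLAN ids below are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple


def describe_subnet(cidr: str) -> Dict[str, object]:
    """Summarise a subnet: network, first/last usable host, broadcast, counts.
    strict=False lets a host address such as 192.0.2.77/26 be mapped to its network."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return {
        "network": str(net.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": len(hosts),
        "total_addresses": net.num_addresses,
    }


# Rule-based VLAN policy (constructed): first matching rule wins; None is a wildcard.
# Each rule is (source network or None, protocol name or None, VLAN id).
VlanRule = Tuple[Optional[ipaddress.IPv4Network], Optional[str], int]
VLAN_RULES: List[VlanRule] = [
    (ipaddress.ip_network("10.10.0.0/16"), None, 10),   # whole staff range -> VLAN 10
    (None, "voip", 20),                                  # any VoIP traffic -> VLAN 20
]
DEFAULT_VLAN = 1  # constructed fallback when no rule matches


def assign_vlan(src_ip: str, protocol: str, rules: List[VlanRule] = VLAN_RULES) -> int:
    """Pick the VLAN for a frame from its source IP and protocol header."""
    addr = ipaddress.ip_address(src_ip)
    for network, proto, vlan in rules:
        ip_ok = network is None or addr in network
        proto_ok = proto is None or proto == protocol
        if ip_ok and proto_ok:
            return vlan
    return DEFAULT_VLAN


if __name__ == "__main__":
    for cidr in ("192.0.2.0/24", "192.0.2.77/26"):
        print(cidr, describe_subnet(cidr))
    for ip, proto in (("10.10.3.4", "http"), ("172.16.0.9", "voip"), ("172.16.0.9", "http")):
        print(ip, proto, "-> VLAN", assign_vlan(ip, proto))
```

Rule order matters in the VLAN policy: a VoIP frame from the 10.10.0.0/16 range lands in VLAN 10 because the address rule is listed first, which is the kind of precedence an auditor should check when reviewing a rule-based VLAN configuration.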

Dedicated Phone Circuits
- POTS - 56 Kbps (half of an ISDN circuit)
- Integrated Services Digital Network (ISDN) - 128 Kbps, 23 channels of data, voice, video (conference); runs on POTS
- Primary trunk line (T1) - 28 POTS circuits, 1.544 Mbps. Charged by the mile.
- Digital Subscriber Line (DSL) - over POTS. 368 Kbps - 1.544 Mbps.

Packet Switching
- Eliminated the need for dedicated lines (the Internet is packet-switched)
- Not limited by distance
- Source & destination known, path is not
- Charged according to packets transmitted, not distance

Examples
- X.25 - foundation of modern switched networks (not popular today)
  o Quality of Service (QOS)
  o Permanent Virtual Circuits (PVCs) - fixed path, replaced dedicated phone lines
  o Switched Virtual Circuits (SVCs) - path dynamic, constantly changing
- Frame relay - has PVC and SVC. 1.544 - 44.5 Mbps (replaced X.25)
  o Different format and functionality
  o Packets arrive out of sequence, are reassembled
- Asynchronous Transfer Mode (ATM)
  o High speed, 155 Mbps - 1 GBps
  o Cell switching and multiplexing ensure solid delivery
  o Multiple concurrent data paths
- Multiprotocol Label Switching (MPLS)
  o Protocol and routing table independent
  o Packet headers examined once (versus every hop in traditional layer 3 switching) and then assigned a stream/label that contains forwarding information


- Piconet - "pico" = one trillionth, i.e. very small; a small wireless ad hoc network, e.g. Bluetooth (PAN)
- Syslog - no message authentication/integrity; no message delivery verification
- Remote Monitoring Protocol (RMON1) - monitors only the Data Link/MAC layers and below
- Remote Monitoring Protocol 2 (RMON2) - unlike Sniffer, which monitors layers 1-3, RMON2 monitors all 7 OSI layers

> IT Governance

IT Governance - leading and monitoring IT performance & investment
- Strategic alignment between IT & business
- Monitoring assurance practices for executive management
- Intervention to stop, modify, or fix practices as they occur

3 IT Governance management levels:
- Strategic (3+ yrs)
- Tactical (6 months - 2 yrs)
- Operational (daily)

Balanced Scorecard - CB FG
- Customer
- Business process
- Financial
- Growth & Learning

3 layers that incorporate the 4 perspectives (MMS)
- Mission
- Metrics
- Strategy

5 Capability Maturity Model (CMM) Levels - zero IRD MO
- 13 to 25 months to move up a level
- Idea started on the auto assembly line


CMM vs. ISO 15504 (SPICE) - PME PO

| # | Level | Description | Process | ISO 15504 |
|---|---|---|---|---|
| 0 | Nothing | | | Incomplete |
| 1 | Initial | ad hoc, firefighting | unique and chaotic (people have the most freedom and decision making) | Performed |
| 2 | Repeatable | documented | inspected quality; project mgmt; basic standards, processes, procedures documented | Managed |
| 3 | Defined | well documented and understood | lessons learned; standardization between departments; objectives, qualitative measurements, improvement procedures | Established |
| 4 | Managed | mgmt controls processes & adjusts | portfolio mgmt; PMO; predictable by quantitative measure (numeric measure of quality) | Predictable |
| 5 | Optimized | continually improved to reflect business needs | least freedom in decision making; statistical process control | Optimizing |

Risk Management
- Single Loss Expectancy (SLE) $ = Asset Value (AV) $ * Exposure Factor (EF) %
- Annual Loss Expectancy (ALE) $ = SLE * Annual Rate of Occurrence (ARO)

Business Process Reengineering (BPR) - 3 areas of improvement
1. Business efficiency
2. Improved techniques
3. New requirements

Guiding Principles
- Think big - future process/end state
- Incremental
- Hybrid approach - top-down view of strategy, bottom-up research


Business Process Reengineering (BPR) vs. Project Mgmt vs. SDLC Chart

| 6 BPR (EIDRRE) | 5 Project Mgmt (IP EMC) | 6 SDLC (FRD DIP, waterfall method) | Task |
|---|---|---|---|
| Envision | Initiate | Feasibility | Scope, sponsor, pick a process, goals |
| Initiate | | Requirements | Stakeholder buy-in, external customer needs |
| Diagnose | Plan | | Identify benchmarks, activities, resources, roles, costs, communication needs |
| Redesign | | Design/Select* | Determine solutions, alternatives |
| | Execute | Development/Configuration* | Build prototypes |
| Reconstruct | | Implementation | Install systems, train, transition |
| Evaluate | Manage and Control | Post Implementation | Monitor and review; goals obtained? |
| | Close | | Lessons learned, archive files, TQM |

* When software is purchased rather than developed in-house

    BPR Rules

    Fix only broken processes

    Calculate ROI

    Understand current process first

    No leftovers

    Role of IS in BPR

    Enable new processes by improving automation

    Provide IT project mgmt tools to analyze process and define requirements

    Provide IT support for collaboration tools, teleconference, and specialized business user software

    Help business integrate their processes with ERP

    Delphi technique: blind interaction of ideas between group members

    6 Benchmarking Steps PRO AAI

    Plan identify critical processes

    Research baseline data re: own processes, then that of other businesses

    Observe visit benchmark partner, collect data

    Analyze identify gaps between own and benchmark partners processes

    Adapt translate findings into principles, strategies, action plans

    Improve - link each process to improvement strategy and organizational goals

    Business Impact Analysis discovery of inner workings of a process

    Process value

    How process works, who does what

    Shortcomings

    Revenue created or supported

    Project process lifetime

    > Systems & System Development Life Cycle (SDLC)

    Verification/Validation Model (V-model)

    Identifies relationship between development and test phases

    Most granular test, unit test, validates detailed design phase

    Development methodology

    Organization-centric use SDLC

    End-user centric alternate approaches

    SDLC/Waterfall technique - FRD DIP

    See chart under Business Process Re-engineering

    Feasibility

    o Identify the alternatives for addressing the business need

    o Business case that justifies proceeding to the next phase

    o Calculate ROI

    o Impact assessment: future effects on current projects/resources

    Requirements

    o Management/users must be involved

    o Identify stakeholders and expectations

    o Request for Proposal (RFP) process

    o Create project schedule and resource commitments

    o Create general preliminary design use entity relationship diagram (ERD)

    Design/Select (When software is purchased rather than developed in-house, the stages are Select and Configuration)

    o Establish baseline of system, program, database specifications

    o Implement change control for scope creep - software baselining (design freeze), version numbering

    o Address security considerations

    Development/Configuration*

    o Includes all unit and system testing, iterations of user acceptance testing (UAT) in secure environment

    to protect against changes

    o Develop data conversion strategies

    o Train super users

    o QA activities, software QA plan, Application QA function

    Focuses on documented specifications and technology used, application works as specified in

    logical design; performed by IT; not functionality related

    Implementation

    o Final UAT

    o Certification

    Assessment of management, operational, and technical controls; used to reassess risks and

    update security plan

    o Accreditation process

    Management decision to authorize operation

    Involves accepting responsibility and accountability for systems risks and system security

    Post Implementation

    o Assess whether system meets business requirements, has appropriate access controls, ROI achieved,

    lessons learned

    o ROI requires a few business cycles to be completed first

    o Info to be reviewed needs to be identified at project startup

    Entity Relationship Diagram (ERD)

    Example: http://en.wikipedia.org/wiki/File:ER_Diagram_MMORPG.png

    Identifies relationships between system data

    Data modeling technique that describes information needs or the type of information to be stored in a

    database (helps design the data dictionary)

    Entity

    o Physical object such as a report, an event such as a sale or a repair service, or a concept such as a

    customer transaction or order (logical construct) NOUNS

    o Attributes form the keys of an entity

    o Primary key uniquely identifies each instance of an entity

    o Represented by rectangular boxes

    Relationships

    o How entities are associated VERBS

    o Foreign key is one or more entity attributes that map to primary key of related entity

    o Represented by diamonds

    Testing

    Regression rerunning a part of the test scenario to ensure changes have not introduced new errors

    Sociability can system operate in target environment without impacting existing systems (memory, shared DLLs)

    Alternatives to SDLC Project Organization: Iterative Development

    Develop in iterations or increments, with feedback after each stage

    Now regarded as best practice; deals with development complexities and risks

    Examples

    Evolutionary create prototype to gather/verify requirements, explore design issues (called prototyping)

    Spiral uses series of prototypes that become more detailed; risk analysis precedes each prototype

    Agile developed in short, time-boxed iterations; uses tracer-bullet approach

    Evolutionary (Prototyping) Development (also called Heuristic)

    Combines best of the SDLC with an iterative approach that enables developer and customer to react to risks at

    each iteration

    Focuses on prototyping screens and reports

    Disadvantages

    Leads to system extras that were not included in initial requirements (could end up functionally rich but inefficient)

    Poor controls (that normally come out of traditional SDLC)

    Poor change control and documentation/approvals

    Agile Development

    Process designed to handle changes to the system being developed or the project itself

    Scrum, one of the first agile processes, 1990s

    Characteristics

    Small, time-boxed iterations (plan and do 1 phase at a time)

    Replanning at the end of each iteration (e.g., identify new requirements, reprioritizing)

    Relies on head knowledge (vs. project documentation), frequent team meetings

    Pair-wise programming: 2 people code same functions (knowledge share and quality check)

    Planning and control by team members; project manager = facilitator/advocate

    Validate functionality via frequent build-test cycle to limit defects

    Rapid Application Development (RAD)

    Well-defined methodology

    Evolutionary prototypes with rigid limits on development timeframes

    Small, well-trained team

    Integrated power tools for development

    Central repository

    Iterative requirements and design workshops

    Does NOT support planning or analysis of the info needs of business area/ enterprise as a whole

    Stages

    1. Concept definition

    2. Functional design

    3. Development

    4. Deployment

    Alternative Development Methods

    Development methods (data-oriented, object-oriented) are independent of the project organization model (evolutionary, spiral, agile)

    Data-Oriented System Development (DOSD)

    Focuses on data and their structure in prespecified formats for download or use in other systems

    Examples: stock, airline flight data

    Eliminates data transformation/converting errors

    Object-Oriented System Development (OOSD)

    Data and procedure (instructions) are grouped in an object

    Data = attributes, functionality = methods (vs. SDLC which addresses data separate from procedures)

    OOSD = programming technique, NOT a software development methodology: can be used in prototyping,

    waterfall, agile, etc.

    Objects are created from a template called a class, which contains characteristics of the class without

    reference to the data

    Polymorphism: ability of objects to interpret a message differently at execution depending on objects

    superclass

    First OOP languages: Simula 67, Smalltalk; Java boosted acceptance of OOP

    Unified Modeling Language (UML)

    Major Advantages

    Ability to manage unrestricted variety of data types

    Ability to model complex relationships

    Component-Based Development

    Outgrowth of OOD

    Definition: assembling applications from packages of executable software that make their services available

    through defined interfaces (i.e., objects, which can interact with one another regardless of language written in

    or OS running)

    o In process client components run from within a container ( e.g., web browser)

    o Stand-alone client components applications that expose services to other software (e.g., Excel and

    Word).

    Initiated by RPCs or other network calls. Supporting technologies:

    Microsofts Distributed Component Object Model (DCOM) basis for ActiveX

    Common Object Request Broker Architecture (CORBA)

    Java via Remote Method Invocation (RMI)

    All of the above are distributed object technologies, which allow objects on distributed platforms

    to interact. Also called middleware, which provides run-time services whereby

    programs/objects/components can interact.

    o Stand-alone server components processes running on servers that provide standard services

    o In process server components run on servers within containers

    Microsofts Transaction Server (MTS)

    Enterprise Java Beans (EJB)

    Benefits

    o Reduces development time & cost. Only have to code unique parts of the system.

    o Improves quality. Prewritten components have already been tested.

    o Allows developers to focus more on business functionality. Increases abstraction and shields low-level

    programming details.

    o Promotes modularity.

    o Simplifies reuse. No source required, no need to know procedural or class libraries.

    o Supports multiple development environments as components can interact regardless of language or OS.

    o Allows combining build and buy components.

    Web-Based Application Development

    Extensible Markup Language (XML) is key to development

    Simple Object Access Protocol (SOAP) is used to define APIs

    SOAP works with any OS or programming language that supports XML

    SOAP is simpler than RPCs in that modules are coupled loosely (can change one component without

    changing others)

    Web Services Description Language (WSDL) identifies the SOAP specification used for the modules API;

    formats the SOAP messages in/out of the module. Also identifies the web service available to be used

    Universal Description, Discovery, and Integration (UDDI) is used to make an entry in the UDDI directory,

    which allows others to find and use the available web services

    Reengineering updating an existing system by extracting and reusing design and program components.

    Reverse Engineering

    Risks software licenses usually prohibit it to protect trade secrets/programming techniques

    Decompilers depends on specific computers, OSs, and programming languages. Any changes to these require a

    new decompiler.

    Physical Architecture Analysis (RADFFP)

    Review of existing architecture

    Analysis and design

    Draft functional requirements (start vendor selection)

    Function requirements

    Define final functional requirements

    Proof of Concept

    Change Control Procedures

    Change Management Auditing

    Program library access is restricted

    Supervisory reviews occur

    Changes are approved and documented

    Potential impact of changes is assessed

    User approves change

    Programming management reviews/approves change

    Implementation date on change request matches actual implementation date

    Distributed systems changes are rolled out to all nodes (check for same version of software)

    Emergency Changes

    Emergency ID use is logged and monitored

    Normal change controls are applied, often retroactively

    Computer-aided Software Engineering (CASE)

    3 categories of CASE tools

    Upper CASE describe and document business/application requirements

    Middle CASE develop the detailed design: screen/report layouts, editing criteria, data object organization,

    process flow

    Lower CASE generate code and database definitions (using upper and middle case output)

    Key CASE Audit Issues

    Functional design and data elements become the source code

    Users are involved

    CASE methodology is defined and followed

    Integrity of data between CASE products and processes is controlled and monitored

    Changes to the application are reflected in stored CASE product data

    Application controls are designed and included

    CASE repository is secured and version control implemented

    Programming Languages

    1st machine lang

    2nd assembly lang

    3rd English-like

    4th embedded database interface, prewritten utilities; programmer selects program actions (aka pseudocoding or bytecoding)

    5th artificial intelligence; learning system/fuzzy logic/neural algorithms

    Fourth-generation Languages

    4GL Characteristics

    Nonprocedural language: event driven, uses OOP concepts of objects, properties, and methods

    Portable across OSs, computer architectures

    Software facilities allows design/paint of screens, help screens, and graphical outputs

    Programmer workbench concepts (integrated development environment) include filing facilities, temporary

    storage, text editing, OS commands

    Simple language subsets

    4GL Types

    Query and report generators

    Embedded database 4GLs FOCUS, RAMIS II, NOMAD 2

    Relational database 4GLs included in vendor DBMS to allow better use of DBMS product: SQL+, MANTIS,

    NATURAL

    Application generators generate lower-level programming languages (3GL) like COBOL and C.

    Application Controls

    Definition: controls over input, processing, and output functions

    Examples

    Edit tests

    Totals

    Reconciliations

    Identification/reporting of incorrect, missing, and exception data

    Auditor tasks

    Identify significant application components and flow of transactions

    Gaining understanding of the application through documentation review and interviews

    Identifying application control strengths and weaknesses

    Testing controls and evaluating control environment

    Reviewing application efficiency/effectiveness, and whether it meets management objectives

    Input Controls

    Input Authorization

    Signatures on batch forms/source documents

    Online access controls ensuring only authorized users can access data and perform sensitive functions

    Unique passwords

    Terminal/workstation identification to limit clients that can access the application

    Source documents should be prenumbered and controlled

    Batch Controls and Balancing

    Definition: Input transactions grouped together (batched) to provide control totals.

    Batch Controls

    Total $ amount

    Total items

    Total documents

    Hash totals total of a meaningless, predetermined field (e.g., customer account numbers or zip codes) used

    to detect errors or omissions; do not ensure correct employees, pay rates, etc., only errors or omissions

    Balancing Controls

    Batch registers comparing manual batch totals against system reported totals

    Control accounts control account use is performed via an initial edit to determine batch totals. After

    processing data to the master file, reconciliation is performed between the initial edit file totals and the

    master file.

    Computer agreement application compares the batch totals recorded in the batch header with the calculated

    totals and accepts/rejects the batch
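The batch controls and the computer-agreement step above, as an added example that is not part of the study guide. The payroll-style record layout, the sample batch and the header totals are all constructed; the point is to see which keying errors each total catches and which none of them can.

```python
"""Batch control totals ($ total, item count, document count, hash total) and the
"computer agreement" step that accepts or rejects a keyed batch.

Added example, not from the study guide: the payroll-style record layout, the
sample batch and the header values are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PayRecord:
    account: int        # employee account number: a "meaningless" field for the hash total
    documents: int      # source documents (timesheets) behind this record
    amount: Decimal     # gross pay keyed from the source documents


@dataclass(frozen=True)
class BatchHeader:
    total_amount: Decimal
    total_items: int
    total_documents: int
    hash_total: int


CONTROL_FIELDS = ("total_amount", "total_items", "total_documents", "hash_total")


def compute_totals(records):
    """Recalculate the four batch totals from the detail records."""
    return BatchHeader(
        total_amount=sum((r.amount for r in records), Decimal("0")),
        total_items=len(records),
        total_documents=sum(r.documents for r in records),
        hash_total=sum(r.account for r in records),
    )


def computer_agreement(header, records):
    """Compare the batch header with recalculated totals; return the fields that
    disagree (an empty list means the batch is accepted)."""
    actual = compute_totals(records)
    return [f for f in CONTROL_FIELDS if getattr(header, f) != getattr(actual, f)]


# Constructed batch, as prepared from the source documents before keying.
BATCH = [
    PayRecord(account=10045, documents=2, amount=Decimal("1250.00")),
    PayRecord(account=10071, documents=1, amount=Decimal("980.50")),
    PayRecord(account=10102, documents=3, amount=Decimal("2100.00")),
]
HEADER = compute_totals(BATCH)   # the manual batch header: 4330.50 / 3 / 6 / 30218


def dropped_record():
    """A record lost during keying: every control total disagrees."""
    return computer_agreement(HEADER, BATCH[:-1])


def wrong_account_keyed():
    """Right amount, wrong employee: only the hash total catches it."""
    keyed = BATCH[:2] + [PayRecord(account=10120, documents=3, amount=Decimal("2100.00"))]
    return computer_agreement(HEADER, keyed)


def transposed_amount():
    """980.50 keyed as 908.50: only the $ total catches it."""
    keyed = [BATCH[0], PayRecord(account=10071, documents=1, amount=Decimal("908.50")), BATCH[2]]
    return computer_agreement(HEADER, keyed)


def amounts_swapped_between_records():
    """Two employees' amounts interchanged: all totals still agree, so batch
    balancing alone cannot detect misallocation between valid records."""
    keyed = [
        PayRecord(account=10045, documents=2, amount=Decimal("980.50")),
        PayRecord(account=10071, documents=1, amount=Decimal("1250.00")),
        BATCH[2],
    ]
    return computer_agreement(HEADER, keyed)


if __name__ == "__main__":
    for demo in (dropped_record, wrong_account_keyed, transposed_amount,
                 amounts_swapped_between_records):
        print(f"{demo.__name__}: {demo() or 'batch accepted'}")
```

The last case is why the guide says hash totals only detect errors or omissions: a batch whose totals all agree can still contain amounts posted to the wrong employee, which only a one-for-one check against the source documents would reveal.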

    Error Handling and Reporting

    Input Error Handling

    Reject only transactions (trx) with errors

    Reject the whole batch of trxs

    Hold the batch in suspense (until errors corrected)

    Accepting the batch and flagging error transactions

    Input Control Techniques

    Trx Log of all updates, verified to source documents

    Reconciliation of data

    Documentation written evidence of user, data entry, and data control procedures

    Error correction procedures

    o Logging of errors

    o Timely corrections

    o Upstream resubmission

    o Approval of corrections

    o Suspense file

    o Error file

    o Validity of corrections

    Anticipation user or control group anticipates the receipt of data

    Transmittal log of transmission or receipt of data

    Cancellation of source documents punching or marking to avoid duplicate entry

    Batch Integrity

    Batch established by time of day, specific terminal of entry, or individual who entered data

    Supervisor reviews batch and releases for processing

    Data Validation/Editing Procedures

    Identifies errors, incomplete or missing data, and inconsistencies among related items.

    Should occur as close to the time and point of origination as possible

    Edits and Controls (types of checks)

    Sequence control numbers are sequential

    Limit

    Range

    Validity

    Reasonableness

    Table lookups

    Existence

    Key verification two people key the data and both sets are compared

    Check digit detects transposition and transcription errors

    Completeness

    Duplicate

    Logical relationship
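The edit checks listed above, run over a constructed batch of purchase-order records, as an added example that is not part of the study guide. It goes slightly beyond the list by combining the checks into one entry-time routine; the record layout, lookup table, limits and sample values are constructed, and the Luhn mod-10 algorithm is used for the check digit.

```python
"""Data validation (edit) checks applied to a constructed batch of purchase-order
records as close to the point of entry as possible.

Added example, not from the study guide: the record layout, lookup table, limits
and sample values are constructed; the check digit uses the Luhn mod-10 algorithm.
"""
from __future__ import annotations

from datetime import date

VALID_DEPTS = {"FIN", "OPS", "ITS"}   # table lookup for the validity check
CREDIT_LIMIT = 10_000                  # upper limit for the limit check on amount
QTY_RANGE = (1, 500)                   # inclusive range check on quantity
UNIT_PRICE_BAND = (0.5, 2_000.0)       # reasonableness band for amount / qty
REQUIRED = ("seq", "po_id", "dept", "qty", "amount", "order_date", "ship_date")


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check digit: detects any single wrong digit (transcription)
    and almost every adjacent transposition (all except 09 <-> 90)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_record(rec: dict, prev_seq: int | None, seen_ids: set[str]) -> list[str]:
    """Return the names of the edit checks this record fails (empty = clean)."""
    if any(rec.get(f) in (None, "") for f in REQUIRED):
        return ["completeness"]   # the other checks are meaningless on a partial record
    failed = []
    if prev_seq is not None and rec["seq"] != prev_seq + 1:
        failed.append("sequence")
    if rec["po_id"] in seen_ids:
        failed.append("duplicate")
    if not luhn_valid(rec["po_id"]):
        failed.append("check_digit")
    if rec["dept"] not in VALID_DEPTS:
        failed.append("validity")
    if not QTY_RANGE[0] <= rec["qty"] <= QTY_RANGE[1]:
        failed.append("range")
    if rec["amount"] > CREDIT_LIMIT:
        failed.append("limit")
    unit = rec["amount"] / rec["qty"] if rec["qty"] else 0.0
    if not UNIT_PRICE_BAND[0] <= unit <= UNIT_PRICE_BAND[1]:
        failed.append("reasonableness")
    if rec["ship_date"] < rec["order_date"]:
        failed.append("logical_relationship")   # cannot ship before ordering
    return failed


def edit_batch(records: list[dict]) -> dict[int, list[str]]:
    """Run the edits over a batch in entry order; returns {seq: failed checks}."""
    prev, seen, results = None, set(), {}
    for rec in records:
        fails = edit_record(rec, prev, seen)
        results[rec.get("seq")] = fails
        if fails != ["completeness"]:
            seen.add(rec["po_id"])
            prev = rec["seq"]
    return results


def po(seq, po_id, dept, qty, amount, order, ship):
    return {"seq": seq, "po_id": po_id, "dept": dept, "qty": qty, "amount": amount,
            "order_date": order, "ship_date": ship}


# Constructed sample batch. PO ids carrying a valid Luhn digit: 79927398713,
# 49927398716, 1234567812345670; 79927398731 is the first with its last digits swapped.
SAMPLE_BATCH = [
    po(101, "79927398713", "FIN", 10, 1500.0, date(2024, 3, 1), date(2024, 3, 5)),     # clean
    po(102, "49927398716", "OPS", 600, 1200.0, date(2024, 3, 1), date(2024, 3, 5)),    # qty out of range
    po(104, "79927398731", "HRX", 5, 400.0, date(2024, 3, 2), date(2024, 3, 6)),       # gap, transposed id, bad dept
    po(105, "49927398716", "ITS", 2, 12000.0, date(2024, 3, 2), date(2024, 3, 6)),     # duplicate id, over limit, odd unit price
    po(106, "1234567812345670", "FIN", 3, 90.0, date(2024, 3, 10), date(2024, 3, 1)),  # ships before order
    po(107, "79927398713", "FIN", 4, None, date(2024, 3, 10), date(2024, 3, 12)),      # amount missing
]

if __name__ == "__main__":
    for seq, fails in edit_batch(SAMPLE_BATCH).items():
        print(seq, fails or "OK")
```

Each record's failures are reported by check name so that the error file, the suspense handling and the correction approvals described under Input Control Techniques can be keyed off the same names.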

    Processing Controls

    Ensure completeness and accuracy of accumulated data

    Processing Control Techniques

    Manual recalculations

    Edit check

    Run-to-run totals

    Programmed controls (e.g., detects incorrect file or file version)

    Reasonable verification of calculated amounts

    Limit checks on calculated amounts check using predetermined limits

    Reconciliation of file totals

    Exception reports

    Data File Control Procedures

    Ensures only authorized processing occurs

    Data File Control Techniques

    Before and after image reporting shows impact trxs have on data

    Maintenance error reporting and handling

    Source documentation retention

    Internal and external labeling of files, batches, tapes

    Version usage (file or database)

    Data file security

    One-for-one checking documents processed equals source documents

    Prerecorded input some data preprinted on blank input forms to reduce entry errors

    Trx logs

    File dating and maintenance authorization

    Parity checking for transmission errors

    o Vertical/column check check on single character

    o Horizontal/longitudinal/row check check on all the equivalent bits

    Use of both checks recommended
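Vertical and longitudinal parity on a small transmitted block, as an added example that is not part of the study guide. The layout (even parity on the low 7 bits of each character, carried in bit 7, plus a longitudinal check character appended to the block) is chosen for illustration, and the sample data is constructed; the four error patterns show why the guide recommends using both checks, and what still slips past them.

```python
"""Vertical (per-character) and longitudinal (per-bit-column) parity checks on a
transmitted block, showing which error patterns each one catches.

Added example, not from the study guide. Layout chosen for illustration: even
parity on the low 7 bits of each character carried in bit 7, plus a longitudinal
check character appended to the block; sample data is constructed.
"""


def parity7(value: int) -> int:
    """Even-parity bit over the low 7 bits of one character."""
    return bin(value & 0x7F).count("1") % 2


def encode_block(data: bytes) -> list[int]:
    """Attach a VRC bit to each character and append the LRC character."""
    chars = [(c & 0x7F) | (parity7(c) << 7) for c in data]
    lrc = 0
    for c in chars:
        lrc ^= c & 0x7F            # XOR across characters = even parity per bit column
    return chars + [lrc | (parity7(lrc) << 7)]


def check_block(block: list[int]):
    """Return (positions failing VRC, whether the LRC check fails)."""
    *chars, lrc_char = block
    vrc_failures = [i for i, c in enumerate(chars) if parity7(c) != c >> 7]
    lrc = 0
    for c in chars:
        lrc ^= c & 0x7F
    lrc_fails = (lrc != lrc_char & 0x7F) or (parity7(lrc_char) != lrc_char >> 7)
    return vrc_failures, lrc_fails


def corrupt(block: list[int], flips: dict[int, int]) -> list[int]:
    """Return a copy of the block with the given bit mask XORed into each position."""
    out = list(block)
    for pos, mask in flips.items():
        out[pos] ^= mask
    return out


GOOD = encode_block(b"AUDIT")     # constructed sample block


def single_bit_error():
    """One bit in one character: caught by both checks."""
    return check_block(corrupt(GOOD, {2: 0x01}))


def two_bits_one_character():
    """Two bits in the same character: VRC still even, LRC catches it."""
    return check_block(corrupt(GOOD, {2: 0x03}))


def same_bit_two_characters():
    """Same column in two characters: LRC cancels out, VRC catches both."""
    return check_block(corrupt(GOOD, {1: 0x04, 3: 0x04}))


def rectangular_error():
    """Two columns in two characters: neither check sees it (undetected)."""
    return check_block(corrupt(GOOD, {1: 0x05, 3: 0x05}))


if __name__ == "__main__":
    for demo in (single_bit_error, two_bits_one_character,
                 same_bit_two_characters, rectangular_error):
        print(f"{demo.__name__}: VRC failures={demo()[0]} LRC fails={demo()[1]}")
```

The rectangular case is the known blind spot of combined VRC/LRC: an even number of flipped bits in an even number of rows, all in the same columns, leaves every parity bit intact, which is why stronger checks (CRCs, and for integrity against deliberate alteration, keyed MACs) are used on links that carry anything that matters.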

    4 Categories of data files or database tables

    System control parameters controls edits and exception flags; changes to these files should be controlled

    same as program changes

    Standing data data that seldom changes, referred to during processing (e.g., vendor names & addresses).

    Changes should be authorized and logged.

    Master data/balance data running balances and totals should be adjusted only under strict approval/review

    controls and logged

    Trx files controlled via validation checks, control totals, exception reports, etc.

    Output Controls

    Ensures delivered data is presented, formatted, and delivered consistently and securely

    Logging and storage of negotiable, sensitive, and critical forms securely

    Computer generation of negotiable instruments, forms, and signatures

    Report distribution

    o All reports logged prior to distribution

    o Secure print spools to avoid deletion or redirection of print jobs

    o Restricted to certain IT resources, websites, or printers

    o Confidential disposal

    Balancing and reconciling

    Output error handling

    Output report retention

    Verification of receipt of reports

    Risk Assessment of Application Controls

    Quality of internal controls

    Economic conditions

    Recent accounting system changes

    Time since last audit

    Prior audit results

    Complexity of operations

    Changes in operations/environment

    Changes in key positions

    Time in existence

    Competitive environment

    Assets at risk

    Staff turnover

    Trx volume and trends

    Regulatory agency impact

    Monetary volume

    Sensitivity of trxs

    Impact of application failure

    User Procedures Review

    SOD authority to do only one: origination, authorization, verification, distribution (DAVO)

    Authorization of input written approval or unique passwords

    o Supervisor overrides should be logged and reviewed by mgmt

    o Excessive overrides may indicate validation/edit routines need improvement

    Balancing

    Error control and correction

    Distribution of reports

    Access authorizations and capabilities

    o Based on job description

    o Activity reports generated and reviewed (activities valid for user and occurs during authorized hours of

    operations)

    o Violation reports of unauthorized activities or unsuccessful access attempts

    Data Integrity Testing

    Cyclical testing checking data against source documents, one section of data at a time. Whole file is

    eventually checked after multiple cycles.

    Data Integrity Tests

    o Relational at data element and record levels

    o Referential enforced through programmed data validation routines or by defining the input

    conditions (edits), or both

    Define existence relationships between database elements (primary and foreign keys)

    All references to a primary key from another file (foreign key) actually exist in the original file

    Data Integrity Requirements (ACID)

    Atomicity trx is completed entirely or not at all

    Consistency maintained with each trx, taking the database from one consistent state to another

    Isolation Each trx isolated and accesses only data part of a consistent database state

    Durability trxs that are reported complete survive subsequent HW/software failures
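The referential-integrity test and the atomicity and consistency requirements above, demonstrated on an in-memory SQLite database, as an added example that is not part of the study guide. The account/transfer schema, the transfer routine and the starting balances are constructed for illustration.

```python
"""Atomicity and referential integrity demonstrated on an in-memory SQLite
database: a funds transfer either commits completely or rolls back, and a
transfer row cannot reference an account that does not exist.

Added example, not from the study guide: the account/transfer schema, the
transfer routine and the starting balances are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE account (
    id      INTEGER PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance >= 0)     -- consistency rule
);
CREATE TABLE transfer (
    id     INTEGER PRIMARY KEY,
    src    INTEGER NOT NULL REFERENCES account(id),   -- foreign keys
    dst    INTEGER NOT NULL REFERENCES account(id),
    amount INTEGER NOT NULL CHECK (amount > 0)
);
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FKs unless enabled per connection
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO account VALUES (?, ?)", [(1, 100), (2, 50)])
    con.commit()
    return con


def transfer(con, src: int, dst: int, amount: int) -> bool:
    """Debit, credit and journal as ONE transaction. A constraint failure on any
    of the three statements rolls back all of them (atomicity)."""
    try:
        with con:   # commits on success, rolls back if the block raises
            con.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
            con.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
            con.execute("INSERT INTO transfer (src, dst, amount) VALUES (?, ?, ?)",
                        (src, dst, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(con) -> dict:
    return dict(con.execute("SELECT id, balance FROM account ORDER BY id"))


def journal_rows(con) -> int:
    return con.execute("SELECT count(*) FROM transfer").fetchone()[0]


def orphan_transfers(con) -> int:
    """Referential integrity test: transfer rows whose src/dst has no account row."""
    sql = """SELECT count(*) FROM transfer t
             WHERE NOT EXISTS (SELECT 1 FROM account a WHERE a.id = t.src)
                OR NOT EXISTS (SELECT 1 FROM account a WHERE a.id = t.dst)"""
    return con.execute(sql).fetchone()[0]


def run_demo() -> dict:
    con = open_db()
    results = {
        "ok": transfer(con, 1, 2, 30),               # True: balances become 70 / 80
        "no_such_account": transfer(con, 1, 9, 10),  # False: debit applied, then FK failed, rolled back
        "overdraft": transfer(con, 1, 2, 500),       # False: CHECK (balance >= 0) rejects the debit
        "balances": balances(con),
        "journal_rows": journal_rows(con),
        "orphans": orphan_transfers(con),
    }
    con.close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The second transfer is the instructive one: the debit succeeds, the credit updates zero rows, and only the journal insert trips the foreign key; without the enclosing transaction the source account would have lost 10 with nothing to show for it.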

    Application Testing Methods

    Snapshot records flow of designated trxs through logic paths within programs

    Mapping identifies untested program logic and whether program statements have been executed

    Tracing & tagging shows trail of instructions executed; tagging selected trxs and using tracing to track them

    Test data/deck

    Base case system evaluation uses test data to verify correct system operations (extensive test)

    Parallel operation

    Integrated test facility using fictitious file with test trxs that is processed with live data

    Parallel simulation processing production data against simulated program logic

    Trx selection programs uses audit software to screen and select trxs

    Embedded audit data collection software embedded in production system used to select input and

    generated trxs during production

    o System control audit review file (SCARF) auditor determines reasonableness of tests incorporated

    into normal processing; provides information for further review

    o Sample audit review file (SARF) randomly selects trxs for analysis

    Extended records gathers all data affected by a particular program for review

    Continuous Auditing Techniques

    System control audit review file and Embedded Audit Modules (SCARF/EAM)

    Snapshots of data from input to output; trxs are tagged by applying identifiers and recording selected

    information for audit review

    Audit hooks functions as red flags; allows review before issues get out of hand

    Integrated test facility (ITF)

    Continuous and Intermittent Simulation (CIS) system audits trxs that meet predetermined criteria

    E-commerce Risks

    Confidentiality

    Integrity

    Availability

    Authentication and non-repudiation

    Power shift to customers

    E-commerce Audit/Control Issues (Best Practices)

    Security architecture (firewalls, encryption, PKI, certificates, password mgmt)

    Digital signatures

    Public Key Infrastructure (PKI)

    o Framework for issuing, maintaining, verifying and revoking public key certificates by a trusted party.

    o Key elements

    Digital certificates - Public key and info about the owner that authenticates the owner (issued

    by trusted 3rd party)

    Includes distinguishing username, public key, algorithm, certificate validity period

    Certificate Authority (CA) trusted provider of public/private key pairs that confirms

    authenticity of the owner of the certificate (business) by issuing/signing the requestors

    certificate with CAs private key

    Registration Authority (RA) optional entity that some CAs use to record/verify business

    information needed by a CA to issue/revoke certificates

    Certification revocation list

    Certification practice statement (CPS) Rules governing CAs operations, controls, validation

    methods, expectations of how certificates are to be used.

    Log monitoring

    Methods and procedures to identify security breaches

    Protecting customer data to ensure not used for other purposes or disclosed without permission

    Regular audits of security and controls

    EDI Risks

    Transaction authorization

    Business continuity

    Unauthorized access to transactions

    Deletion/manipulation of transactions before or after establishment of application controls

    Loss or duplication of EDI transmissions

    Loss of confidentiality or improper distribution of trx by 3rd parties

    EDI Controls

    Message format and content standards to avoid transmission errors

    Controls to ensure transmissions are converted properly for the application software

    Receiving organization controls to ensure reasonableness of messages received, based on trading partners trx

    history or documentation

    Controls to guard against manipulation of trxs in files and archives

    Procedures for ensuring messages are from authorized parties and were authorized

    Dedicated transmission channels between partners to prevent tapping

    Data is encrypted and digitally signed to identify source and destination

    Message authentication codes are used to ensure what was sent is received.

    Error handling for trxs that are nonstandard or from unauthorized parties

    Business relationships are defined in trading partner agreement identifying trxs to be used, responsibilities of

    both parties in handling/processing trxs, and business terms of the trxs

    Auditing EDI

    Encryption processes ensure CIA and nonrepudiation of trxs

    Edit checks to identify erroneous, unusual, or invalid trxs prior to updating the application

    Edit checks to assess trx reasonableness and validity

    Trx are logged on receipt

    Control totals on receipt of trxs to verify number/value of trx to be passed to the application, and reconcile

    totals between applications and trading partners

    Segment count totals built into trx set trailers by sender

    Trx set count totals built into group headers by sender

    Validity of sender against trading partner details by:

    o Using control fields with a message at the trx, function, group, or interchange level, often within the

    EDI header, trailer, or control record

    o Using VAN sequential control numbers or reports, if applicable

    o Sending acknowledgement trx to sender to verify receipt; sender matches acks against a log of EDI

    messages sent.
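The receiving-side EDI checks above (sender validity via control numbers, segment counts in the trailer, and a message authentication code), as an added example that is not part of the study guide. The envelope layout (HDR/TRL lines, one segment per line, a MAC line appended) and the HMAC-SHA256 keyed MAC are chosen for illustration and do not follow any EDI standard; the shared key and the segments are constructed.

```python
"""Receiving-side EDI interchange checks: sender control-number sequence, segment
count in the trailer, and a message authentication code over the interchange.

Added example, not from the study guide. The envelope layout (HDR/TRL lines, one
segment per line, a MAC line appended) and the HMAC-SHA256 keyed MAC are chosen
for illustration and are not any EDI standard; key and segments are constructed.
"""
import hashlib
import hmac

PARTNER_KEY = b"constructed-shared-key-from-trading-partner-agreement"


def build_interchange(control_no: int, segments: list[str]) -> bytes:
    """Sender: header carries the control number, trailer repeats it with the
    segment count, and a keyed MAC over the whole envelope is appended."""
    lines = [f"HDR*{control_no:09d}"] + segments + [f"TRL*{len(segments)}*{control_no:09d}"]
    payload = "\n".join(lines).encode()
    mac = hmac.new(PARTNER_KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"\nMAC*" + mac


def receive(msg: bytes, expected_control_no: int) -> list[str]:
    """Receiver: return the failed checks (empty list = pass to the application)."""
    payload, sep, mac = msg.rpartition(b"\nMAC*")
    if not sep:
        return ["malformed"]
    failed = []
    expected = hmac.new(PARTNER_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        failed.append("mac")                 # altered in transit or not from the partner
    lines = payload.decode().split("\n")
    header, trailer, segments = lines[0].split("*"), lines[-1].split("*"), lines[1:-1]
    if int(header[1]) != expected_control_no:
        failed.append("control_number")      # gap, replay or out-of-order interchange
    if int(trailer[1]) != len(segments):
        failed.append("segment_count")       # lost or duplicated segments
    if trailer[2] != header[1]:
        failed.append("envelope_mismatch")   # trailer does not belong to this header
    return failed


SEGMENTS = ["PO*1001*WIDGET*10", "PO*1002*GADGET*3"]   # constructed
GOOD = build_interchange(42, SEGMENTS)


def demo_good():
    return receive(GOOD, 42)                                          # []


def demo_tampered_quantity():
    return receive(GOOD.replace(b"WIDGET*10", b"WIDGET*90"), 42)      # ["mac"]


def demo_replayed():
    return receive(GOOD, 43)                                          # ["control_number"]


def demo_lost_segment():
    return receive(GOOD.replace(b"PO*1002*GADGET*3\n", b""), 42)      # ["mac", "segment_count"]


if __name__ == "__main__":
    for demo in (demo_good, demo_tampered_quantity, demo_replayed, demo_lost_segment):
        print(f"{demo.__name__}: {demo() or 'accepted'}")
```

The receiver keeps the checks independent rather than stopping at the first failure, so that the error handling the guide calls for (nonstandard or unauthorized interchanges routed to an error file, not silently dropped) can record everything that was wrong with the message.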

    Digital Signatures

    Unique to each document; cannot be transferred or reused

    Verifies sender and that document has not been altered

    Based on message digest, a short, fixed length number

    o Different messages can produce the same digest, but the message can't be recovered from the digest

    o 128-bit cryptographic hash

    o Similar to checksum or fingerprint of the document

    DES (symmetric); RSA (asymmetric public key)

    Risk Management for e-banking

    1. Board & mgmt oversight

    2. Security controls

    3. Legal and reputational risk management

    Purchase Order Accounting functions

    Accounts payable processing

    Goods received processing

    Order processing

    Artificial Intelligence

    Languages: LISP and PROLOG

    Primary components

    o Inference engine

    o Knowledge base

    Contains subject matter facts and rules for interpreting them

    Decision trees questionnaires or choices users walk through

    Semantic nets graph which describes relationships between the nodes

    o Explanation module

    o Database

    Also contains

    o Knowledge interface allows entry of knowledge without needing a programmer

    o Data interface Enables system to collect data from nonhuman sources (other systems, like

    temperatures)

    Used in auditing!

    Errors in system have a bigger impact, especially in health care

    Decision Support Systems

    Emphasizes effectiveness (right task/right decision) over efficiency (performing tasks quickly and reducing

    costs)

    G. Gorry-M.S. Morton framework degree of structure in decision process & mgmt level making decision

    o Decision-structure: structured, semi-structured, unstructured

    Decision-structure depends on the extent it can be automated/programmed

    o Mgmt-level: operational control, mgmt control, and strategic planning

    Sprague-Carson framework family trees structure

    Motivated by end users

    Use 4GL

    Critical Success Factors (CSF)

    Productivity

    Quality

    Economic value

    Customer service

    Integrated Resource Management Systems = ERP

    American Standard Code for Information Interchange (ASCII)

    Extended Binary-Coded Decimal Interchange Code (EBCDIC)

    Project Portfolio Management Objectives

    Optimization of the results of the project portfolio

    Prioritizing and scheduling projects

    Resource coordination

    Knowledge transfer throughout the projects

    PPM requires a PP database

    Benefits Realization (Management) Techniques

    Describe benefits mgmt

    Assign measure/target

    Establish measuring/tracking regimen

    Document assumption

    Establish key responsibilities for realization

    Validate the benefits predicted in the business

    Planning the benefit to be realized

    Project Mgmt Organizational Alignment

    Method | Authority | Style
    Influence | Not formal | Advise on which activities to complete
    Pure | Formal | Special work area
    Matrix | Shared between PM & dept heads | -

    ISO (International Organization for Standardization) creates international standards

    ISO 15504 PME PO / Software Process Improvement and Capability Determination (SPICE) see CMM

    ISO 9001 quality mgmt

    Requires quality manual, trained staff, managed to improve competency

    ISO 9126 Software Quality Metrics FUR PEM

    Functionality of the software processes

    Usability (Ease of use)

    Reliability with consistent performance

    Portability between environments

    Efficiency

    Maintainability for modifications

    ISO 15489:2001 Records Mgmt/Retention

    Requires ISO 9001 quality and ISO 14001 compliant records mgmt

    Includes fundraising campaigns

    Used to determine liability and sentencing during prosecution

    Requires data classification

    Decision Making

    Critical success factors

    Scenario planning

    > IT Service Delivery & Support

    IS Operations

    Resource allocation

    Standards & procedures

    Process monitoring

    IS Hardware

    CPU = arithmetic logic unit (ALU), control unit, and internal memory

    IS Architecture & Software

    Database Management System (DBMS)

    Primary Functions

    Reduced data redundancy

    Decreased access time

    Security over sensitive data


    Data Dictionary/Directory System

    Contains index and description of all items stored in database

    Defines and stores source and object forms of all data definitions in schemas and all associated mappings

    One DD/DS can be used across multiple databases

    Database Structures

    Hierarchical

    o data arranged in parent/child relationships

    o one-to-many mappings

    o results in duplicate data

    o easy to implement, modify, and search.

    o No high-level query capability; have to navigate the database

    Network

    o Data arranged in sets (owner record type, member record, name)

    o One-to-many or one-to-one mappings

    o Sets can have the same member record type

    o Very complex

    o No high-level query capability; have to navigate the database

    Relational

    o Based on sets and relational calculus (dynamic database)

    o Data organized in tables (collection of rows)

    Row/tuple = record

    Columns/domains/attributes = fields

    o Properties

    Values are atomic

    Rows are unique

    Sequence of columns and rows insignificant

    Allow control over sensitive data

    o Easy to understand, query, modify

    o Normalization - minimizing amount of data needed and stored by eliminating data redundancy and ensuring referential integrity

    Networking

    Baseband - single channel, half-duplex, entire capacity used to transmit one signal

    Broadband - multiple channels, full duplex, multiple signals

    Bridge - Data link layer 2 device used to connect LANs or create separate LAN or WAN segments to reduce collision domains

    Router - Like bridges/switches, they link physically separate network segments. Block broadcast data. Software-based, less efficient than switches. Can connect LAN and WAN.

    Router does packet-switching using microprocessor; layer 3 switch does switching using ASIC hardware

    Layer 4 switch - switches based on layer 3 addresses and application information (such as port #s) to provide policy-based switching

    Layer 4-7 switches - used for load balancing

    Gateways - protocol converters; used between LANs and mainframes or LANs and Internet


    Synchronous transmission - bits transmitted at constant speed. Sending modem uses a specific character when it starts sending a data block to synchronize the receiving device. Provides maximum efficiency.

    Asynchronous transmission - Sender uses start and stop bits before and after each data byte. Lower efficiency, but simpler.

    Multiplexing - dividing physical circuit into multiple circuits by:

    Time-division - time slots assigned regardless of whether data is ready to transmit

    Asynchronous time division - dynamically assigned time slots as needed for transmission

    Frequency - based on signal frequency

    Statistical - dynamic allocation of any data channel based on criteria

    Wireless

    Wi-Fi Protected Access (WPA) - wireless security protocol

    Wireless Application Protocol (WAP) - multi-layered protocol and technologies that provide Internet content to mobile wireless devices (phones and PDAs).

    TCP/IP (32-bit) - Includes network and application support protocols

    Network layer 3 = IP

    Transport layer 4 = TCP/UDP

    Common Gateway Interface (CGI) Script - machine-independent code run on a server that can be called & executed by a web server; performs tasks such as processing input received from a web form

    Applets - Programs downloaded from web servers that run applications in browsers (most popular ones use Java, JavaScript, Visual Basic)

    Servlet - Small program that runs in web server, similar to CGI program. Unlike CGI, servlets stay in memory and can serve multiple requests

    Middleware - software used by client/server applications to provide communications and other services between applications, systems, and devices.

    Services include identification, authentication, authorization, directories, and security

    Resides between the application and the network

    Manages the interaction between the GUI and the database back-end.

    System Control

    First level of control in a computer is the privileged supervisory user (root/admin).

    Operating System States

    Supervisory - security front end not loaded; requests are run at highest authority level without security controls.

    General user/problem - security is active; system is solving problems for the user.

    Wait - computer busy and unable to respond to additional requests


    > Protection of Information Assets

    Risk - What can happen if a threat exploits a vulnerability.

    Threat - Who or what can cause an undesirable event.

    Vulnerability - How a weakness in technology or organizational process can be exploited by a threat.

    Key elements of Information Security Mgmt

    Senior mgmt commitment & support

    Policies and procedures

    Organization (define who is responsible for protection)

    Security awareness & education

    Monitoring and compliance

    Incident Handling & response

    Inventory Classification

    Identification of the asset (hardware, software, data)

    Relative value to the organization

    Location

    Security risk/classification

    Asset group, if asset forms part of larger system

    Owner

    Custodian

    Logical security layers

    Networks

    Platforms (OS)

    Applications

    Databases

    Mandatory access control (MAC)

    Control that cannot be changed by normal users or data owners; they act by default; prohibitive

    Changed by admins making decisions derived from policy

    Example: password complexity requirements

    Discretionary access control (DAC)

    Controls that CAN be changed by normal users/data owners

    Example: access to departmental shared folder on server

    Pharming - redirecting web site traffic to a bogus site via changes in DNS or a user's hosts file

    Biometrics

    Something you are (fingerprint) or do (typing behavior)

    Quantitative measures (% rate)

    o False rejection rate (FRR, type I) - person falsely rejected access

    o Failure to enroll rate (FER) - person fails to enroll successfully

    o False acceptance rate (FAR, type II) - unauthorized person allowed access

    o Increase in type I rate decreases the type II rate & vice versa


    o Equal error rate (EER) - point at which FRR & FAR are equal. The lower the measure, the more effective the biometric

    o Best response times and lowest EER: palm, hand, iris, retina, fingerprint, voice

    Palm* - ridges and valleys

    Hand geometry* - oldest, 3D, hand and fingers, 90 measurements

    Iris - color patterns around pupil, 260 characteristics. No physical contact, high cost

    Retina - blood vessel pattern, best FAR, requires close proximity, high cost

    Fingerprint - low cost, size, ease of integration

    Face - acceptable/friendly, but lacks uniqueness

    * Socially accepted, low storage cost
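The FRR/FAR trade-off and the equal error rate above, as an added worked example that is not part of the study guide. Match scores are constructed (higher score = closer match; an acceptance threshold is swept from 0 to 1), and the EER is found where the two error rates cross.

```python
"""Added example (not from the study guide): computing FRR, FAR and the equal
error rate (EER) of a biometric matcher from constructed match scores."""
from typing import List, Tuple

# Constructed sample data: matcher scores for genuine users and for impostors.
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.79, 0.75, 0.70, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR_SCORES = [0.62, 0.58, 0.52, 0.47, 0.41, 0.36, 0.30, 0.25, 0.19, 0.12]


def false_rejection_rate(genuine: List[float], threshold: float) -> float:
    """Type I error: share of genuine users whose score falls below the threshold."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)


def false_acceptance_rate(impostor: List[float], threshold: float) -> float:
    """Type II error: share of impostors whose score reaches the threshold."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted / len(impostor)


def error_curve(genuine: List[float], impostor: List[float], steps: int = 100) -> List[Tuple[float, float, float]]:
    """Sweep the threshold from 0 to 1 and record (threshold, FRR, FAR).
    Raising the threshold raises FRR and lowers FAR: the trade-off the guide describes."""
    curve = []
    for i in range(steps + 1):
        t = i / steps
        curve.append((t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t)))
    return curve


def equal_error_rate(genuine: List[float], impostor: List[float], steps: int = 100) -> Tuple[float, float]:
    """Return (threshold, EER): the first threshold where FRR and FAR are closest,
    and the error rate there. A lower EER means a more discriminating biometric."""
    t, frr, far = min(error_curve(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))
    return t, (frr + far) / 2


if __name__ == "__main__":
    threshold, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2f} at threshold {threshold:.2f}")
```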

    Single Sign-on (SSO)

    Consolidation of platform-based administration, authentication, and authorization functions into a single, centralized function

    Example: Kerberos, developed at MIT, Project Athena

    Bypassing Security Controls

    Only system software programmers should have access to:

    Bypass label processing (BLP) - bypasses the reading of the file label, on which most access control rules are based, and so bypasses the associated security on the file

    System exits - system software feature that allows complex system maintenance. Exits often exist outside of the computer security system, so they are not restricted or logged.

    Special system logon IDs - vendor provided

    Wireless Security

    9 categories of overall security threats

    1. Errors and omissions

    2. Fraud and theft by authorized/unauthorized users

    3. Employee sabotage

    4. Loss of physical and infrastructure support

    5. Malicious hackers

    6. Industrial espionage

    7. Malicious code

    8. Foreign government espionage

    9. Personal privacy threats

    Main Wireless Threats

    1. Theft

    2. DOS

    3. Malicious hackers

    4. Industrial espionage

    5. Malicious code

    6. Foreign government espionage

    7. Theft of service


    Security Requirements

    Authenticity - verification that message not changed in transit

    Nonrepudiation - verification of origin or receipt of message

    Accountability - actions traceable to an entity

    Network availability

    Scanners - strobe, jakal, asmodeous

    Install local firewall, turn off scripting

    Firewalls - 3 types of firewalls

    router packet filtering

    application

    stateful inspection

    Router packet filtering

    first generation

    examines header (source/destination IP, port number) at network layer

    simple, stable performance

    allows direct exchange of packets between outside/inside systems

    Miniature fragment attack - the IP packet is fragmented into smaller pieces; only the first fragment is examined, and the rest are not

    Caused by default setting that passes residual fragments

    Firewall should drop fragmented packets, or those with fragment offset value = 1

    Application Firewalls - 2 levels/types

    application-level

    circuit-level

    Neither allows the direct exchange of packets between outside/inside systems

    Bastion hosts: handle all requests and are highly fortified

    Can secure, modify, and log all packets

    Provide NAT

    Application-level - analyzes traffic through a set of proxies, one for each service: http, ftp, etc.

    can reduce network performance

    Circuit-level - analyzes traffic through a single, general-purpose proxy

    more efficient, but rare

    Stateful Inspection Firewalls

    Tracks destination address of packets leaving network; prevents initiation of attacks from outside

    Tracks connection-oriented and connectionless packets like UDP

    More efficient, faster firewall as packets are not examined in deep OSI layers
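The two packet-filter controls described above (dropping tiny fragments that a header-only filter would otherwise wave through, and stateful tracking that admits inbound packets only as replies to inside-initiated connections), as an added example that is not part of the study guide. Packets and addresses are constructed from documentation ranges; the minimum first-fragment size is an assumed policy value.

```python
"""Added example (not from the study guide): a toy IPv4 packet filter showing
(1) the tiny-fragment check and (2) stateful inspection. All packets below are
constructed inline; nothing is sent on a network."""
import struct
from typing import Any, Dict, Set, Tuple

FlowKey = Tuple[str, int, str, int]     # (src_ip, src_port, dst_ip, dst_port)
MIN_FIRST_FRAGMENT_PAYLOAD = 16         # assumed policy: bytes a first fragment must carry


def build_ipv4(src: str, dst: str, frag_offset: int, more_fragments: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 header (proto 6 = TCP, checksum left zero) plus payload."""
    flags_frag = (more_fragments << 13) | frag_offset
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return header + payload


def parse_ipv4(packet: bytes) -> Dict[str, Any]:
    """Read the header fields a packet filter needs for fragment and address checks."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {
        "ihl": (ver_ihl & 0x0F) * 4,                 # header length in bytes
        "total_len": total_len,
        "more_fragments": (flags_frag >> 13) & 0x1,
        "frag_offset": flags_frag & 0x1FFF,          # in 8-byte units
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def fragment_verdict(packet: bytes) -> str:
    """Drop fragments that could slip a transport header past a header-only filter."""
    hdr = parse_ipv4(packet)
    if hdr["frag_offset"] == 1:
        # offset 1 (8 bytes) overlaps the transport header the first fragment carried
        return "drop: fragment offset 1 overlaps the transport header"
    if hdr["frag_offset"] == 0 and hdr["more_fragments"] and hdr["total_len"] - hdr["ihl"] < MIN_FIRST_FRAGMENT_PAYLOAD:
        return "drop: first fragment too short to hold the transport header"
    return "pass"


class StatefulFilter:
    """Remember connections initiated from inside; allow inbound packets only as their replies."""

    def __init__(self, inside_prefix: str) -> None:
        self.inside_prefix = inside_prefix          # constructed: inside network identified by address prefix
        self.established: Set[FlowKey] = set()

    def handle(self, src: str, sport: int, dst: str, dport: int) -> str:
        if src.startswith(self.inside_prefix):
            self.established.add((src, sport, dst, dport))   # track the outbound flow
            return "allow: outbound"
        if (dst, dport, src, sport) in self.established:      # reverse tuple of a tracked flow
            return "allow: reply to tracked connection"
        return "drop: unsolicited inbound"


if __name__ == "__main__":
    print(fragment_verdict(build_ipv4("203.0.113.5", "192.0.2.10", 1, 1, b"\x00" * 8)))
    fw = StatefulFilter("10.0.")
    print(fw.handle("203.0.113.9", 12345, "10.0.0.7", 22))
```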


    Firewall implementations

    Screened host - packet filtering router and bastion host

    Includes application firewall/proxy services

    Bastion host is on private network; packet filtering router is between Internet and private network

    Requires compromise of two systems

    Dual-homed firewall - More restrictive version of the screened host firewall, using a dual-homed bastion host

    DMZ or screened-subnet firewall - Uses 2 packet filtering routers and a bastion host

    Provides network (packet filtering) and application-level security with a DMZ network

    Inside router manages DMZ access to the internal network, accepting traffic only from the bastion host

    Requires compromise of 3 hosts; hides internal network addresses

    Hardware firewalls - faster, but not as flexible or scalable

    Software firewalls - slower, but more scalable

    Intrusion Detection Systems (IDS) - Monitor network anomalies

    Network-based

    Host-based - monitor modification of programs, files; detect privileged command execution

    Components

    o Sensors that collect data

    o Analyzers that receive input and determine intrusive activity

    o Administrative console

    o User interface

    IDS Types

    Signature-based

    Statistical-based - must be configured with known and expected system behaviors

    Neural networks - monitors general activity, similar to statistical-based, but capable of self-learning

    IDS cannot help with

    Policy definition weaknesses

    Application-level vulnerabilities

    Backdoors in applications

    Identification and authentication scheme weaknesses

    Encryption - Key elements

    Encryption Algorithm

    Encryption Keys

    Key length

    Private Key Systems


    Symmetric - 1 key encrypts and decrypts

    Less complicated, faster

    Problem is distributing the key safely

    RC2, RC4, IDEA, DES, AES

    Data Encryption Standard (DES) - 64-bit block cipher

    56-bit key (8 extra bits for parity checking)

    Replaced by AES - 128-256 bit key (Rijndael, invented by Rijmen and Daemen)

    o Symmetric block cipher

    o Unlike DES, Rijndael has variable block and key length

    o Based on round operations

    Public Key Systems

    Asymmetric - 2 keys, one encrypts, other decrypts

    Keys created by integer factorization

    Used to encrypt symmetric keys and for digital signatures

    RSA (Rivest, Shamir, Adleman; invented in 1977), Diffie-Hellman, DSA, Fortezza

    Encrypt with public key, decrypt only with private key - confidentiality (read only by receiver)

    Encrypt with private key, decrypt with public key - authentication and non-repudiation

    Encrypt with private key, then public key - confidentiality, authentication, and non-repudiation

    Elliptic Curve Cryptography (ECC)

    Public key variation using the discrete logarithm problem on an elliptic curve (2 points on curve)

    Works with networked computers, smart cards, wireless phones, mobile devices

    Less computational power, more security per bit (160-bit ECC = 1024-bit RSA)

    Quantum Cryptography

    Uses interaction of light pulses, polarization metrics

    Digital signatures

    Uses public key algorithm to ensure identity of sender and integrity of the data

    Hash algorithm creates message digest, a smaller version of the original message

    Changes variable length messages into a fixed, 128-bit length digest

    Hashes are one-way functions, can't reverse

    o MD5, SHA-1, SHA-256

    Digital signature - encrypted by sender's private key; receiver decrypts with public key, then recomputes the digital signature and compares it to the original signature

    Ensure data integrity, authentication, and non-repudiation (but not confidentiality)

    Vulnerable to man-in-the-middle attack

    Digital Envelope

    Contains data encrypted with symmetric key and the session key (which is the symmetric key, encrypted with the receiver's public/asymmetric key)

    Receiver's private key used to decrypt session key (symmetric key); symmetric key used to decrypt data.

    Uses asymmetric keys to protect the data integrity, authentication, and non-repudiation gained by symmetric key
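The two key-usage directions listed under Public Key Systems, the hash-then-sign flow of a digital signature, and the session-key wrapping of a digital envelope, as an added example that is not part of the study guide. It uses textbook RSA on two fixed, constructed primes with no padding and a tiny modulus, so it is a teaching toy and not a usable signature or key-wrapping scheme.

```python
"""Added example (not from the study guide): toy textbook RSA showing
sign/verify (private then public key) and session-key wrapping (public then
private key). Constructed keys; insecure by design, for illustration only."""
import hashlib
from typing import Tuple

# Constructed toy key pair: two known Mersenne primes and public exponent 65537.
P, Q = 2147483647, 2305843009213693951
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY: Tuple[int, int] = (E, N)
PRIVATE_KEY: Tuple[int, int] = (D, N)


def message_digest(message: bytes) -> int:
    """Hash first (one-way, fixed length); reduced mod N only because the toy modulus is tiny."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key: Tuple[int, int]) -> int:
    """Sender: the digest is 'encrypted' with the private key -> authentication, non-repudiation."""
    d, n = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key: Tuple[int, int]) -> bool:
    """Receiver: recover the digest with the public key, recompute it, and compare."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message)


def wrap_session_key(session_key: int, receiver_public: Tuple[int, int]) -> int:
    """Digital envelope: the symmetric session key travels encrypted under the receiver's public key."""
    e, n = receiver_public
    if not 0 < session_key < n:
        raise ValueError("toy modulus: session key must be smaller than N")
    return pow(session_key, e, n)


def unwrap_session_key(wrapped: int, receiver_private: Tuple[int, int]) -> int:
    """Only the holder of the private key recovers the session key -> confidentiality."""
    d, n = receiver_private
    return pow(wrapped, d, n)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"          # constructed sample message
    sig = sign(msg, PRIVATE_KEY)
    print("genuine verifies:", verify(msg, sig, PUBLIC_KEY))
    print("tampered verifies:", verify(b"transfer 900 to account 42", sig, PUBLIC_KEY))
```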


    Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

    Session or connection-layered protocol

    Provides end point authentication and confidentiality

    Typically, only the server is authenticated (including the client requires PKI deployment)

    Phases

    o Algorithm negotiation

    o Exchange of Public key and certificate-based authentication

    o Symmetric cipher-based traffic encryption

    Runs on layers beneath application protocols (HTTP, SMTP, NNTP) and above the TCP protocol

    Uses hybrid of hashed, private, and public key cryptography to provide confidentiality, integrity, authentication (between client & server), and non-repudiation

    IPSec

    Runs at the network layer

    Used for communicating between two or more hosts, subnets, or hosts and subnets (establishes VPNs)

    Transport mode - only data portion of packet (Encapsulating Security Payload (ESP)) is encrypted - confidentiality

    Tunnel mode - ESP payload (data) and header are encrypted. Additional Authentication Header (AH) provides non-repudiation

    Uses security associations (SAs) to define the security parameters to use (algorithms, keys, initialization vectors, etc.)

    Using asymmetric encryption via Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley) increases IPsec security by using key management, public keys, negotiation, use of SAs, etc.

    SSH

    Runs at application layer

    Client/server program for encrypting command-line shell traffic used for remote logon and management.

    Used to secure telnet and ftp

    Secure Multipurpose Internet Mail Extensions (S/MIME)

    Email protocol authenticating sender and receiver

    Verifies message integrity and confidentiality, including attachments

    Secure Electronic Transactions (SET)

    Visa/MasterCard protocol used to secure credit card transactions

    Application protocol using PKI of trusted 3rd party

    Encryption Risks

    Secrecy of keys is paramount

    Randomness of key generation relates to how easily a key can be compromised

    Tying passwords to key generation weakens the key's randomness, so it is important to use strong passwords


    Viruses

    Attached to programs

    Self-propagating to other programs

    Attack EXEs, file directory system, boot & system areas, data files

    Worms

    Does not attach to programs

    Propagates via OS security weaknesses

    Virus/Worm controls - policies (preventative) and antivirus software (detective)

    Backups = vital control

    VOIP

    Replaces circuit switching (and associated waste of bandwidth) with packet switching

    Securing VOIP is similar to securing data networks (firewalls, encryption)

    Network issues take down phones also, so backup availability is a big issue

    VLANs should be used to segregate VOIP infrastructure/traffic

    Session Border Controllers (SBCs) provide VOIP security similar to firewalls by monitoring VOIP protocols, monitoring for DoS, and providing network address and protocol transition features

    Private Branch Exchange (PBX)

    In-house phone company for organization; allows 4-digit dialing; saves cost of individual phone lines to the phone company's central office

    PBX security different from normal OS security

    o External access/control by 3rd party for updates/maintenance

    o Richness of features available for attacks

    PBX Controls

    Physically secure PBX and telephone closets

    Configure and secure separate and dedicated admin ports

    Control direct inward dial (DID) lines to avoid external parties getting dial tone for free long-distance calls

    Block certain long-distance numbers

    Control numbers destined for faxes and modems

    Use call-tracking logs

    Maintenance out of Service (MOS) signaling - communication is terminated on PBX, but line may be left open for eavesdropping

    Embedded passwords can be restored when system rebooted during crash recovery


    Auditing Infosec Management Framework

    Policies/Procedures, including Logical Access Security Policies

    Security Awareness and training

    Data ownership: owners, custodians, security administrator

    New IT users (sign document regarding security policies/procedures)

    New Data Users

    Documented user authorization

    Terminated users

    Security baseline

    Inventory (devices, applications, data)

    Antivirus

    Passwords

    Patching

    Minimizing services (turn off unneeded)

    Addressing vulnerabilities

    Backups

    Computer Forensics (IPAP)

    Identify information

    Preserve - retrieving data, documenting chain of custody

    Who had access to the data

    How evidence was gathered

    Proving that analysis is based on copies of original, unaltered evidence

    Analyze

    Present
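The Preserve step above (who handled the evidence, how it was gathered, and proof that analysis ran on an unaltered copy of the original), as an added example that is not part of the study guide. The evidence bytes, examiner names and case label are constructed; each hand-off records a SHA-256 hash, and analysis is refused when the working copy no longer matches the acquisition hash.

```python
"""Added example (not from the study guide): evidence integrity and chain of
custody for the 'Preserve' step of computer forensics. Names and data are
constructed for illustration."""
import hashlib
from dataclasses import dataclass, field
from typing import List

# Constructed sample evidence: a tiny "disk image" of three log lines.
SAMPLE_IMAGE = b"user=alice\nlogin ok\nlogin failed\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    handler: str        # who had access to the data
    action: str         # how the evidence was gathered or handled
    sha256: str         # hash of the evidence at that moment


@dataclass
class Evidence:
    label: str
    original: bytes                         # acquired bytes; never analysed directly
    chain: List[CustodyEntry] = field(default_factory=list)

    def record(self, handler: str, action: str, data: bytes) -> None:
        """Append a custody entry carrying the hash of the bytes handled."""
        self.chain.append(CustodyEntry(handler, action, sha256_hex(data)))


def acquire(label: str, source_bytes: bytes, examiner: str) -> Evidence:
    """Acquire evidence and open its chain of custody with the acquisition hash."""
    ev = Evidence(label, source_bytes)
    ev.record(examiner, "acquired bit-for-bit image", source_bytes)
    return ev


def make_working_copy(ev: Evidence, examiner: str) -> bytes:
    """Analysis happens on a copy; its hash is recorded so it can be tied to the original."""
    copy = bytes(ev.original)
    ev.record(examiner, "created working copy", copy)
    return copy


def verify_copy(ev: Evidence, copy: bytes) -> bool:
    """Proof step: the copy still matches the hash recorded at acquisition."""
    return sha256_hex(copy) == ev.chain[0].sha256


def custody_intact(ev: Evidence) -> bool:
    """Every recorded hash equals the acquisition hash: nothing changed between hand-offs."""
    return all(entry.sha256 == ev.chain[0].sha256 for entry in ev.chain)


def analyze(ev: Evidence, copy: bytes, examiner: str) -> int:
    """Refuse analysis of a copy that does not match the original; otherwise return a simple finding (line count)."""
    if not verify_copy(ev, copy):
        raise ValueError("working copy does not match acquisition hash; analysis refused")
    ev.record(examiner, "analysed working copy", copy)
    return copy.count(b"\n")


if __name__ == "__main__":
    ev = acquire("case-0001/disk-image", SAMPLE_IMAGE, "examiner A")
    copy = make_working_copy(ev, "examiner A")
    print("lines found:", analyze(ev, copy, "examiner B"), "custody intact:", custody_intact(ev))
```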

    > BCP/DRP

    Starts with risk assessment

    People, data, infrastructure, and other resources that support key business processes

    Dangers and threats to the organization

    Estimated probability of threat occurrence

    BCP includes

    DRP plan

    Plan to restore operations to normal following disaster

    Improvement of security operations

    BCP Lifecycle

    Create BCP policy

    Business Impact Analysis (BIA)

    Classify operations and criticality

    Identify IS processes that support business criticality

    Develop BCP and IS DRP

    Develop resumption procedures

    Training and awareness programs

    Test and implement plan

    Monitoring


    BCP Policy

    Should encompass preventative, detective, and corrective controls

    BCP - most critical corrective control

    Incident management control

    Main severity criterion is service downtime

    Media backup control

    BIA identifies:

    Different business processes & criticality

    Critical IS resources supporting critical bus