1 / 86

CISA REVIEW

CISA REVIEW. The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA. CISA REVIEW Chapter 5 – Protection of Information Assets. Learning Objectives By the end of chapter 5, you should be able to:

baruch
Download Presentation

CISA REVIEW

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CISA REVIEW The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

  2. CISA REVIEWChapter 5 – Protection of Information Assets Learning Objectives By the end of chapter 5, you should be able to: • Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets. • Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss. • Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded. • Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.

  3. CISA REVIEW Chapter 5 – Protection of Information Assets To meet an organization's business requirements, it is important that security objectives include ensuring: • Continued availability of information systems • Integrity of the information stored on computer systems • Confidentiality of sensitive data • Conformity to applicable laws, regulations and standards • Adherence to trust and obligation requirements for any information relating to an identified or identifiable individual (i.e., data subject) in accordance with its privacy policy

  4. CISA REVIEW Chapter 5 – Protection of Information Assets Data should be treated as a core asset. Categorizing data is a major part of the task of classifying all information assets. Data classification as a control measure should define the following: • The owner of the information asset • Who has access rights (need to know) • The level of access to be granted • Who is responsible for determining the access rights and access levels • What approvals are needed for access • The extent and depth of security controls

  5. CISA REVIEW Chapter 5 – Protection of Information Assets Data integrity as it relates to security objectives generally refers to the accuracy, completeness, consistency, validity and verifiability of the data once they are entered into a system.

  6. CISA REVIEW Chapter 5 – Protection of Information Assets Privacy is an organization wide matter. An organization should systematically build privacy into its policies, standards and procedures by: • Defining the nature of personally identifiable information associated with business processes. • Document the collection, use, disclosure and destruction of personally identifiable information. • Ensure that accountability for privacy issues exists. • Be the foundation for informed policy, operations and system design decisions. The decisions should be based on an understanding of privacy risk and the options available for mitigating that risk.

  7. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: Is "privacy" considered a separate security objective?

  8. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: Answer - Is "privacy" considered a separate security objective? The importance of privacy impact assessments and the security measures implemented to protect privacy have been increased due to the amount of privacy legislation and regulation put in place in many jurisdictions and industries over the past years. As a result, organizations must ensure they take privacy requirements into consideration when formulating and implementing their information security governance. The level of privacy required will, therefore, be a driver when considering the traditional security objective of confidentiality and the security measures implemented in response to the level of confidentiality needed. As an IS auditor, you should be aware of the new and changing privacy laws and regulations related to your industry and test to ensure your organization is in compliance.

  9. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: How does involvement with external parties (e.g., outsourcers) affect security design, implementation and monitoring?

  10. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: Answer - How does involvement with external parties (e.g., outsourcers) affect security design, implementation and monitoring? The main consideration is that an organization should not allow its security to be lessened due to involvement with external parties. The organization must ensure the required security controls are defined and agreed to, and the ability to monitor controls established – and that all these are formally documented in a service level agreement (SLA). Where formal agreements are not practical (e.g., consumers purchasing goods using a web-enabled application) the organization must take comprehensive steps to ensure only very limited and controlled access is permitted.

  11. CISA REVIEW Chapter 5 – Protection of Information Assets All candidates for employment, contractors and third-party users should be adequately screened, especially for sensitive jobs. This includes the following: • Background verification checks on all candidates for employment, contractors and third-party users are carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, classification of information to be accessed and perceived risks. • A screening process for contractors and third-party users • Where contractors are provided through an agency, the contract with the agency should clearly specify the agency's responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern. • Additionally, any agreements with the third party should clearly specify all responsibilities and notification procedures for screening.

  12. CISA REVIEW Chapter 5 – Protection of Information Assets Management should require employees, contractors and third-party users to apply security in accordance with the established policies and procedures of the organization. Specific responsibilities should be documented in approved job descriptions. This will help ensure that employees, contractors and third-party users are aware of information security threats and concerns, their responsibilities and liabilities. • Management responsibilities should be defined to ensure security is applied throughout an individual's employment within the organization. • To minimize possible security risks, employees, contractors and third-party users should be provided with an adequate level of awareness, education and training in security procedures. • An organization should establish a formal disciplinary process for handling security breaches.

  13. CISA REVIEW Chapter 5 – Protection of Information Assets Responsibilities should be in place to ensure that the exit of employees, contractors or third-party users from the organization is managed, and that the return of all equipment and the removal of all access rights are completed. • Ongoing security requirements and legal responsibilities • Responsibilities contained within any confidentiality agreement • Responsibilities and duties still valid after termination of employment should be contained in the contracts of the employees, contractors or third-party users.

  14. CISA REVIEW Chapter 5 – Protection of Information Assets The access rights of all employees, contractors and third-party users to information and IPFs should be removed at termination of their employment, contract or agreement, or adjusted upon change. The access rights that should be removed or adapted include: Physical and logical access • Keys • Identification (ID) cards • Information Processing Facilities (IPF) • Subscriptions • Removal from any documentation that identifies them as a current member of the organization

  15. CISA REVIEW Chapter 5 – Protection of Information Assets This should include notifying partners and relevant third parties when departing employees have access to the third-party premises. If departing employees, contractors or third-party users have known passwords for accounts remaining active, these should be changed at termination or change of employment, contract or agreement. Access rights for information assets and IPFs should be reduced or removed before employment terminates or changes, depending on the evaluation of risk factors such as: • Whether termination or change is initiated by the employees, contractors or third-party users, or by management and the reason for termination. • The current responsibilities of the employees, contractors or any other users. • The value of the assets currently accessible.

  16. CISA REVIEW Chapter 5 – Protection of Information Assets An IS auditor must be aware of four key concepts that help foster understanding of how to evaluate a logical access control mechanism: • Identification: How subjects are recognized by the logical access control mechanism (e.g., user name, user ID number) • Authentication: How subjects prove they are who they say they are (e.g., password, token, digital certificate) • Authorization / Access Control: How rules are established and evaluated to make an access control decision (e.g., should computer operators be able to change operations logs) • Monitoring: What security logging is in place and what capabilities it has (e.g., failed logons, successful access to a file)

  17. CISA REVIEW Chapter 5 – Protection of Information Assets One of the best practices is to integrate the review of access rights with human resource (HR) processes. When an employee transfers to a different function – i.e., promotions, lateral transfers or demotions – access rights are adjusted at the same time. Development of a security-conscious culture increases the effectiveness of access controls.

  18. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: Why is monitoring an important control, if unauthorized system access is prevented in the first place?

  19. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: Answer - Why is monitoring an important control, if unauthorized system access is prevented in the first place? An effective internal control structure requires multiple control layers that include preventive, detective and corrective techniques. While much effort goes toward preventing unauthorized access (user IDs, passwords, access permissions), it may be possible that these controls are bypassed due to deficiencies in programming, configuration, or even human error. As a result, it is important to monitor system access to detect unusual activity (e.g., user access at unusual times) that may indicate a security breach has occurred, and to correct the problem so that no future unauthorized access occurs.

  20. CISA REVIEW Chapter 5 – Protection of Information Assets Identification and authentication (I&A) is the process by which the logical access control software obtains identification information for the users and the credentials necessary to authenticate the information. I&A also include the actual validation of this information. • I&A is needed for most types of access control and is necessary for establishing user accountability. • I&A is the first line of defense for most systems because it prevents unauthorized people (or unauthorized processes) from entering a computer system or accessing an information asset. • I&A is a critical building block of computer security.

  21. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: Can you list some of I&A's more common vulnerabilities that may be exploited to gain unauthorized system access?

  22. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: Answer - Can you list some of I&A's more common vulnerabilities that may be exploited to gain unauthorized system access? • Weak authentication methods • The potential for users to bypass the authentication mechanism • The lack of confidentiality and integrity for the stored authentication information • The lack of encryption for authentication and protection of information transmitted over a network • The user's lack of knowledge on the risks associated with sharing authentication elements (e.g., passwords, security tokens)

  23. CISA REVIEW Chapter 5 – Protection of Information Assets The logon ID - Each user gets a unique logon ID that can be identified by the system. The format of logon IDs is typically standardized. • Logon ID syntax should follow an internal naming rule. • Default system accounts, such as Guest, Administrator and Admin, should be renamed whenever technically possible. • Logon IDs not used after a predetermined period of time should be deactivated to prevent possible misuse. This can be done automatically by the system or manually by the security administrator. • The system should automatically disconnect a logon session if no activity has occurred for a period of time. This reduces the risk of misuse of an active logon session left unattended because the user went to lunch, left for home, went to a meeting or otherwise forgot to log off. This is often referred to as a session timeout.

  24. CISA REVIEW Chapter 5 – Protection of Information Assets The password provides individual authentication. Accordingly, a password should be easy for the user to remember but difficult for an intruder to guess. • Initial passwords may be allocated by the security administrator or generated by the system itself. When the user logs on for the first time, the system should force a password change to improve confidentiality. Initial password assignments should be randomly generated. The ID and password should be communicated in a controlled manner to ensure only the appropriate user receives this information. New accounts without an initial password assignment should be suspended. • If the wrong password is entered for a predefined number of times, typically three, the logon ID should be automatically locked out. • Users that have forgotten their password must notify the security administrator. This is the only person with sufficient privileges to reset the password and, in case this is necessary, to unlock the logon ID. The security administrator should reactivate the logon ID only after verifying the user's identification (challenge/response system). To verify, the security administrator should return the user's call after verifying his or her extension or calling a supervisor for verification.

  25. CISA REVIEW Chapter 5 – Protection of Information Assets The password cont., • To reduce the risk of an intruder gaining access to other users' logon IDs, passwords should not be displayed in any form. They are normally masked on a computer screen. They should not be shown on computer reports, kept on index or card files, or written on pieces of paper taped somewhere near the terminal or inside a person's desk. These are the first places a potential intruder will look. • Passwords should be changed periodically. On a regular basis (e.g., every 30 days), the user should change his or her password. The frequency of changing a password should depend on the criticality of the information access level, the nature of the organization, the IS architecture and technologies used, etc. Passwords should be changed by users at their terminal or workstation rather than at the administrator's terminal or in any location where their new password might be observed. The best method is to force the change by notifying the user prior to the password expiration date. The risk of allowing voluntary password changes is that, generally, users will not change their passwords unless forced to do so.

  26. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: Why are dynamic passwords considered superior to static passwords?

  27. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: Answer - Why are dynamic passwords considered superior to static passwords? • Static passwords (also known as "reusable passwords") suffer from the main weaknesses that they are reused over an extended time period (e.g., 90 days). As a result, there is a greater chance that they may be discovered by an unauthorized user. Examples of discovery methods may range from simple "shoulder surfing," to brute-force password cracking attacks, to eavesdropping an unencrypted password on a network. • In contrast, dynamic passwords (usually "one-time passwords") are not reused. The password is typically generated by a small device (a "token") or via program, and is valid for a short period of time only – a common limit is 60 seconds. In addition, once the password is entered, it is no longer valid for reuse. This eliminates the effectiveness of attacks for password discovery noted above. • Dynamic passwords generated by a token are usually combined with a static password like a PIN, known only to the token's user. Both must be combined to produce the required password for system access; hence, this is one form of "two-factor" authentication since it requires something only the user has (the token) and something only the user knows (the PIN).

  28. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: What are some common weaknesses found when evaluating logical access controls?

  29. CISA REVIEW Chapter 5 – Protection of Information Assets Think About It: Answer - What are some common weaknesses found when evaluating logical access controls? • Sharing user IDs between multiple people – eliminates accountability for user actions. • Poor password quality (e.g., too short, easily guessed, not changed regularly) – increases risk that a password will become known and permit unauthorized access. • Overly permissive access rules or rules granting access by default – increases risk of accidental or intentional unauthorized access to programs or data. • Lack of security monitoring and follow-up – staff may be unaware of attacks against the system, or other error conditions, that may result in unauthorized access or other problems.

  30. CISA REVIEW Chapter 5 – Protection of Information Assets Instructions: Here are four items and four IS audit procedures. Match each item to its corresponding IS audit procedure. Items • Logon ID and Password • Logging and Reporting of Computer Access Violations • Bypassing Security and Compensating Controls • Review Access Controls and Password Administration Procedures • Verifying that passwords are changed periodically • Analyze global configuration settings for password strength in the system application and compare this with the organization's security policy. • Attempts to access computer transactions or data for which access is not authorized • Looking for special system maintenance logon IDs, operating system exits, installation utilities and input/output (I/O) devices

  31. CISA REVIEW Chapter 5 – Protection of Information Assets Answer: Logon ID and PasswordAnalyze global configuration settings for password strength in the system application and compare this with the organization's security policy. Logging and Reporting of Computer Access Violations Attempts to access computer transactions or data for which access is not authorized Bypassing Security and Compensating Controls Looking for special system maintenance logon IDs, operating system exits, installation utilities and input/output (I/O) devices Review Access Controls and Password Administration Verifying that passwords are changed periodically

  32. CISA REVIEW Chapter 5 – Protection of Information Assets Real World Example: An organization was implementing a new financial accounting application that consisted of a number of separate modules (e.g., payables, general ledger). Each module stored its data in tables within a database management system. While the application included security features that controlled which users could access which functions, the database tables could be directly accessed because the default database user ID and password used by the application to store and retrieve data were set to well-known default values. Think About It: Where is the information security risk in this situation?

  33. CISA REVIEW Chapter 5 – Protection of Information Assets Real World Example: Answer – The security risk here is that knowledgeable users could bypass security within the application, and directly add or modify important business data.

  34. CISA REVIEW Chapter 5 – Protection of Information Assets Question: What do you, as an IS audit expert, think could have been done to prevent this organization from being in this situation?

  35. CISA REVIEW Chapter 5 – Protection of Information Assets Answer: The organization's database management team should have been more aware of the security weakness due to default passwords. This could have been achieved if the organization had more detailed security governance (e.g., a security baseline prohibiting use of default passwords), and improved security awareness training.

  36. CISA REVIEW Chapter 5 – Protection of Information Assets This section discusses common attack methods and techniques. To properly evaluate whether an organization's information assets are safe from these attacks, an IS auditor must understand how these types of attack function and what an organization must do to protect itself. There is a general assumption that attack tools exploit only highly sophisticated vulnerabilities discovered by genius-level hackers. While there are certainly examples of these, there are also many attacks that target the use of weak security options that are easily discovered and exploited. Examples include trying default passwords, attacking vulnerable services running with greater privileges than necessary, and attacking services that are not required but are configured to run by default (e.g., some web servers).

  37. CISA REVIEW Chapter 5 – Protection of Information Assets Technical exposures are unauthorized activities which interfere with normal processing. These can be intentional or unintentional, and involve activities such as implementation or modification of data and software, locking or misusing user services, destroying data, compromising system usability, distracting processing resources, or spying data flow or user activities at either the network, platform (operating system), database or application level.

  38. CISA REVIEW Chapter 5 – Protection of Information Assets Data leakage involves siphoning or leaking information out of the computer. Examples include dumping files to paper or stealing computer reports and tapes. Unlike product leakage, data leakage leaves the original copy, so it may go undetected. Wire tapping occurs when someone eavesdrops on information being transmitted over telecommunications lines. The use of Trojan horses and/or backdoors occurs when someone hides malicious, fraudulent code in an authorized or falsely authorized computer program. This hidden code is executed whenever the authorized program is executed. A Denial of Service attack disrupts or completely denies service to legitimate users, networks, systems or other resources. The intent of any such attack usually is malicious in nature and often takes little skill because the requisite tools are readily available.

  39. CISA REVIEW Chapter 5 – Protection of Information Assets A computer shutdown is initiated through terminals or personal computers connected directly (online) or remotely (dial-up lines) to the computer. Only individuals who know a high-level logon ID usually can initiate the shutdown process, but this security measure is effective only if proper security access controls are in place for the high-level logon ID and the telecommunications connections into the computer. Piggybacking is the act of following an authorized person through a secured door or electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions.

  40. CISA REVIEW Chapter 5 – Protection of Information Assets Trapdoors are any area of authorized operating system code used for insertion of specific logic, such as program interrupt – i.e., to inspect data during processing. • Trapdoors may exist because of testing or maintenance reasons. Sometimes programmers insert code that allows them to bypass the integrity of an OS for the purpose of debugging at the development time or later during maintenance and system improvements. Trap doors should be eliminated in the final editing of code, but sometimes they are forgotten or intentionally left for future access into the system. • The exposure risk with trapdoors is that the logic inserted could be used to obtain unauthorized access rights. Additionally, logic design flaws and programming errors in complex programs may also introduce unwanted trapdoors into a system.

  41. CISA REVIEW Chapter 5 – Protection of Information Assets Rounding down is when someone draws off small amounts of money (the rounding fraction) from a computerized transaction or account and reroutes this amount to the perpetrator's account. Since the amounts are so small, they are rarely noticed, although it would be easy to detect irregularities by summing the rounding fractions. Proper rounding should give a total close to zero. A salami technique involves the slicing of small amounts of money from a computerized transaction or account – similar to the rounding down technique. The difference between the rounding down technique and the salami technique is that in rounding down, the program rounds off by the smallest money fraction.

  42. CISA REVIEW Instructions: Here are seven items and descriptions. Match each item to its corresponding description. Items • Wire tapping • Trojan horses • Denial of service (DoS) • Piggybacking • Salami technique Descriptions • Eavesdropping on information being transmitted over telecommunications lines • Hiding fraudulent code in an authorized or falsely authorized computer program • Disrupts or completely denies service to legitimate users • Electronically attaching to an authorized telecommunications link to intercept and alter transmissions • Slicing off small amounts of money from a computerized transaction or account

  43. CISA REVIEW Answers • Wire tapping Eavesdropping on information being transmitted over telecommunications lines • Trojan horses Hiding fraudulent code in an authorized or falsely authorized computer program • Denial of service (DoS) Disrupts or completely denies service to legitimate users • Piggybacking Electronically attaching to an authorized telecommunications link to intercept and alter transmissions • Salami techniqueSlicing off small amounts of money from a computerized transaction or account

  44. CISA REVIEW Chapter 5 – Protection of Information Assets Social engineering is the human side of breaking into a computer system by playing on vulnerabilities of interpersonal relations and deception to obtain confidential information from unknowing employees. A common example of this would be tricking someone to give away confidential information (e.g., passwords and IP addresses) by answering questions over the phone with someone that person does not know or replying to an e-mail from an unknown person. An organization's best defense against social engineering attacks is to proactively have an ongoing security awareness program wherein all employees and third parties (who have access to the organization's facilities) are educated about the risks involved in falling prey to social engineering attacks. Simply having strong technical security countermeasures are often not enough to protect an information system. The weakest link in the security chain are often the people using the system.

  45. CISA REVIEW Chapter 5 – Protection of Information Assets Methods that malicious entities may use to gain access to wireless devices related to wireless local area networks (WLANs) include, but are not limited to, war driving and war chalking.

  46. CISA REVIEW Chapter 5 – Protection of Information Assets War driving is when an individual drives around businesses or residential neighborhoods scanning with a notebook computer, hacking tool software and sometimes with a global position system (GPS) for wireless network names. Someone driving around the vicinity of a wireless network might be able to see the wireless network name, but whether that person will be able to do anything beyond viewing the wireless network name is determined by the use of wireless security. If an organization does not have wireless security enabled and properly configured, war drivers can send data, interpret the data sent on the wireless network, access the shared resources of the wireless or wired network (shared files, private web sites), install viruses, modify or destroy confidential data, and use the Internet connection without the knowledge or consent of the owner. For example, a malicious user might use the Internet connection to send thousands of spam e-mails or launch attacks against other computers. The malicious traffic would be traced back to the owner's home.

  47. CISA REVIEW Chapter 5 – Protection of Information Assets War chalking is when an individual has marked a series of symbols (outward-facing crescents) on sidewalks and walls to indicate nearby wireless access points. These markings are used to identify hotspots, where other computer users can connect to the Internet wirelessly and at no cost.

  48. CISA REVIEW Chapter 5 – Protection of Information Assets Firewalls are designed to protect the most vulnerable point between a network and the Internet. Most firewalls: • Block access to particular sites on the Internet. • Prevent certain users from accessing certain servers or services. • Monitor communications between an internal and an external network. • Monitor and record all communications between an internal network and the outside world to investigate network penetrations or detect internal subversion. • Protect against viruses and attacks directed to exploit known operating system vulnerabilities (these are additional capabilities offered by some firewalls). • Firewalls are hardware and software combinations that are built using routers, servers and a variety of software.

  49. CISA REVIEW Chapter 5 – Protection of Information Assets Firewall Types: An analogy To compare the operation of packet filtering versus application-level (proxy) firewall functions, consider a scenario where the firewall is acting as if it were a security guard at an organization who is designated as the only person in the organization who may communicate with outsiders, and therefore all messages must be passed through this individual.

  50. CISA REVIEW Chapter 5 – Protection of Information Assets Firewall Types: An analogy If acting like a packet filter firewall, the guard looks at each word of the message only. The guard can decide to allow or deny sending the word based only on the word itself, plus details on the sender and intended recipient. This can be very useful since some words are easy to identify as objectionable, and especially since looking at one word can be done quickly. However, looking at a single word lacks context – a word within one message may be acceptable, but in the context of another message, it may not be permissible.

More Related