Free CISA Study Guide


Page 1: Free CISA Study Guide

FREE CISA Study Guide from http://ITauditSecurity.wordpress.com 1 of 40

ITauditSecurity’s CISA Study Guide

For a description of this guide, guidance on using it, and some warnings, see

http://itauditsecurity.wordpress.com/2012/03/30/free-cisa-study-guide/

Table of Contents on next page

Copyright 2012, ITauditSecurity

Rev 2.0

NOTE: When this guide was created, the main sections of the exam were as follows:

• IS Audit process

• IT Governance

• Systems & Lifecycle Mgmt

• IT Service Delivery & Support

• Protection of Info Assets

• BCP and DRP

ISACA has since reorganized the sections, but that doesn’t affect the information itself.

Quick Review Info

Yellow highlight notes where ISACA emphasizes CISA must-know this

Blue highlight = good-to-know info

List of key items to recite from memory:

5 Task Statements - SPCCA

10 Knowledge Statements – SPGE – CRP - CCC

7 Code of Ethics – IPS PC DE

3 types of Standards

6 Project Mgmt – IP EMC

Projects: Triple restraint: QRS & CDT

10 Audit Stages

OSI – PDNTSPA

TCP/IP – NDITA

Capability Maturity Model– zeroIRDMO

6 SDLC – FRD DIP

(don’t forget differences if software purchased)

6 Benchmarking – PROAAI


Quick Review Info ................................................................................................................................................... 1

> IS Audit Process...................................................................................................................................................... 5

5 Task Statements - SPCCA .................................................................................................................................. 5

10 Knowledge Statements – SPGE – CRP - CCC ................................................................................................. 5

7 Code of Ethics – IPS PC DE ............................................................................................................................... 5

Information Tech Assurance Framework (ITAF) .................................................................................................... 6

3 types of Standards (+ Guidelines & Techniques = ITAF) .................................................................................................. 6

Policy/Standards .................................................................................................................................................................. 6

Misc Notes .............................................................................................................................................................. 6

Project Mgmt .......................................................................................................................................................... 6

Project Estimation ................................................................................................................................................................ 7

10 Audit Stages ...................................................................................................................................................... 7

Engagement Letter vs. Audit Charter ..................................................................................................................... 8

Charter - RAA ....................................................................................................................................................................... 8

Sampling .............................................................................................................................................................................. 8

Open Systems Interconnect (OSI) Model ............................................................................................................. 10

IP Addresses (32 bits) .......................................................................................................................................... 11

Packet Switching ................................................................................................................................................................ 11

> IT Governance ...................................................................................................................................................... 12

CMM vs. ISO 15504 (SPICE) – PME PO ........................................................................................................................... 13

Risk Management .............................................................................................................................................................. 13

Business Process Reengineering (BPR) ............................................................................................................................ 13

Risk Management .............................................................................................................................................................. 14

Systems & System Development Life Cycle (SDLC) ............................................................................................... 15

Alternatives to SDLC Project Organization......................................................................................................................... 16

Alternative Development Methods ..................................................................................................................................... 17

Physical Architecture Analysis (RADFFP) .......................................................................................................................... 18

Change Control Procedures ................................................................................................................................. 19

Change Management Auditing ........................................................................................................................................... 19

Emergency Changes .......................................................................................................................................................... 19

Computer-aided Software Engineering (CASE) ................................................................................................... 19

Key CASE Audit Issues ...................................................................................................................................................... 19

Programming Languages ..................................................................................................................................... 19

Fourth-generation Languages ............................................................................................................................................ 19

4GL Types.......................................................................................................................................................................... 20

Application Controls ................................................................................................................................................. 20

Input Controls ....................................................................................................................................................... 20

Input Control Techniques ................................................................................................................................................... 21

Processing Controls ............................................................................................................................................. 22


Output Controls .................................................................................................................................................... 23

Data Integrity ............................................................................................................................................................ 24

Testing ............................................................................................................................................................................... 24

Data Integrity Requirements (ACID) ................................................................................................................................... 24

Application Testing Methods .............................................................................................................................................. 24

Continuous Auditing Techniques ............................................................................................................................. 24

E-commerce Risks ............................................................................................................................................................. 25

EDI Controls ....................................................................................................................................................................... 25

Auditing EDI ....................................................................................................................................................................... 26

Digital Signatures ............................................................................................................................................................... 26

Project Mgmt Organizational Alignment ............................................................................................................................. 28

> IT Service Delivery & Support ............................................................................................................................... 28

IS Operations ........................................................................................................................................................ 28

IS Hardware .......................................................................................................................................................... 28

IS Architecture & Software ................................................................................................................................... 28

Database Management System (DBMS) ........................................................................................................................... 28

Database Structures .......................................................................................................................................................... 29

Networking ............................................................................................................................................................ 29

Wireless ................................................................................................................................................................ 30

TCP/IP (32-bit) ...................................................................................................................................................... 30

System Control ................................................................................................................................................................... 30

> Protection of Information Assets ........................................................................................................................... 31

Key elements of Information Security Mgmt ....................................................................................................................... 31

Inventory Classification ...................................................................................................................................................... 31

Mandatory access control (MAC) ....................................................................................................................................... 31

Discretionary access control (DAC) ................................................................................................................................... 31

Biometrics .......................................................................................................................................................................... 31

Bypassing Security Controls .............................................................................................................................................. 32

Wireless Security .................................................................................................................................................. 32

Firewalls................................................................................................................................................................ 33

Application Firewalls - 2 levels/types .................................................................................................................................. 33

Stateful Inspection Firewalls............................................................................................................................................... 33

Firewall implementations .................................................................................................................................................... 34

Intrusion Detection Systems (IDS) ....................................................................................................................... 34

IDS Types .......................................................................................................................................................................... 34

Encryption ............................................................................................................................................................. 34

Digital signatures ................................................................................................................................................................ 35

Digital Envelope ................................................................................................................................................................. 35

Encryption Risks ................................................................................................................................................................ 36

Viruses ............................................................................................................................................................................... 37


VOIP .................................................................................................................................................................................. 37

Auditing Infosec Management Framework ......................................................................................................................... 38

Computer Forensics (IPAP) ............................................................................................................................................... 38

> BCP/DRP .............................................................................................................................................................. 38

Difference between ISACA book and Sybex ........................................................................................................... 40


> IS Audit Process

5 Task Statements - SPCCA

• Develop & implement risk-based IS audit strategy

• Plan specific audits

• Conduct audits

• Communicate issues, risks, results

• Advise on risk mgmt & control practices

10 Knowledge Statements – SPGE – CRP - CCC

• Standards/Code of Ethics

• Auditing practices/techniques

• Techniques to gather/preserve evidence

• Evidence lifecycle (collection, protection, chain of custody)

• Control objectives & controls

• Risk Assessment

• Audit planning & mgmt

• Reporting/Communication

• CSA

• Continuous audit techniques

7 Code of Ethics – IPS PC DE

• Support the implementation of appropriate policies, standards, guidelines, and procedures for information systems.

• Perform your duties with objectivity, professional care, and due diligence in accordance with professional standards. Support the use of best practices.

• Serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon your profession.

• Maintain privacy and confidentiality of information obtained during your audit except for required disclosure to legal authorities.

• Undertake only those activities in which you are professionally competent; strive to improve your competency.

• Disclose accurate results of all work and significant facts to the appropriate parties.

• Support ongoing professional education to help stakeholders enhance their understanding of information systems security and control.


Information Tech Assurance Framework (ITAF)

• Provides guidance on design, conduct, and reporting of IT audit & assurance

• Establishes IT audit standards

• Consists of General, Performance, and Reporting standards; Guidelines; Tools & Techniques (TBA)

3 types of Standards (+ Guidelines & Techniques = ITAF)

• General – guiding principles for IT assurance profession

• Performance – how to conduct IT assurance engagements

• Reporting – address types of reports, means of communication, and info to be communicated

Policy/Standards

• Policy, Standard, Procedure – mandatory

• Guideline – discretionary

Misc Notes

Purpose of audit: challenge mgmt assertions and determine whether evidence supports mgmt claims

Types of audits:

• Internal – audit own organization, scope restrictions, cannot use for licensing

• External – customer auditing your organization or you auditing supplier

• Independent – 3rd party audit used for licensing, certification, product approval.

Compliance audit – verify presence or absence

Substantive audit – check the content/substance and integrity of a claim

Risk – the potential that a given threat will exploit vulnerabilities of an asset (or group of assets) and thereby cause harm to the organization

CobiT – Control Objectives for Information and Related Technology. A framework consisting of strategies, processes, and procedures for leading IT organizations.

Project Mgmt

Project is unique, progressive (planning starts high-level and gets more detailed), and has start and end dates.

Triple restraint: QRS

• Quality

• Resources (cost, time)

• Scope

3 project elements: CDT

• Cost/resources

• Deliverables

• Time/duration

5 Process groups/phases of project management – IP EMC

• Initiating (2 components: scope & authorization)

• Planning (detail scope, goals, deliverables)

• Executing

• Monitoring & Controlling

• Closing

Earned value – current value of work already performed in a project


Project Estimation

• Source Lines of Code (SLOC) – traditional method (also Kilo LOC or KLOC) – direct size-oriented measures

• Thousand Delivered Source Instructions (KDSI) – better with structured programming languages like BASIC, COBOL

• Function Point Analysis (FPA) – indirect measure

• Based on number and complexity of inputs, outputs, files, interfaces, and user queries

• Functions are weighted by complexity

Project Diagramming

• Gantt: resource details; schedule & sequence in waterfall-style (MS Project); serial view w/ bars & diamonds

o Shows concurrent and sequential activities

o Shows project progress and impact of completing a task early or late

• PERT (Program Evaluation Review Technique) – illustrates relationships between planned activities

o Critical path (minimum steps, longest route, shortest time estimate for completion)

▪ Activities on critical path have no slack time; activities w/ no slack time are on critical path

▪ Route on which a project can be shortened (accelerated) or lengthened (delayed)

o Quantitative measure for risk analysis: risk of delays, failure, and likely completion

o 3 hourly estimates for each task’s effort: Optimistic, Most likely, and Pessimistic

▪ PERT time estimate for each task: [O + P + 4(M)] / 6
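As an added worked example (not from the study guide), the PERT estimate above applied to a constructed audit-project network, followed by a forward and backward pass to find the critical path, the tasks with zero slack; task names, hours and dependencies are hypothetical:

```python
# Added example, not from the study guide: PERT three-point estimates plus a
# critical-path pass over a small constructed project network.

def pert_estimate(optimistic, most_likely, pessimistic):
    """PERT expected duration for one task: [O + P + 4(M)] / 6."""
    return (optimistic + pessimistic + 4 * most_likely) / 6


# Constructed (hypothetical) audit project: task -> (O, M, P, predecessors), in hours.
# Tasks are listed so that every predecessor appears before its successors.
TASKS = {
    "charter":   (1, 2, 3,  []),
    "risk":      (2, 4, 12, ["charter"]),
    "fieldwork": (5, 8, 11, ["risk"]),
    "evidence":  (1, 2, 3,  ["charter"]),
    "report":    (2, 3, 4,  ["fieldwork", "evidence"]),
}


def critical_path(tasks):
    """Forward and backward pass over the network.

    Returns (expected durations, slack per task, critical path, project duration).
    The critical path is the longest route through the network; its tasks have
    zero slack, so delaying any of them delays the whole project.
    """
    duration = {t: pert_estimate(o, m, p) for t, (o, m, p, _) in tasks.items()}

    # Forward pass: earliest start (ES) and earliest finish (EF).
    es, ef = {}, {}
    for t, (_, _, _, preds) in tasks.items():
        es[t] = max((ef[p] for p in preds), default=0.0)
        ef[t] = es[t] + duration[t]
    project_end = max(ef.values())

    # Backward pass: latest finish (LF) and latest start (LS), walking successors.
    successors = {t: [] for t in tasks}
    for t, (_, _, _, preds) in tasks.items():
        for p in preds:
            successors[p].append(t)
    ls, lf = {}, {}
    for t in reversed(list(tasks)):
        lf[t] = min((ls[s] for s in successors[t]), default=project_end)
        ls[t] = lf[t] - duration[t]

    slack = {t: round(ls[t] - es[t], 6) for t in tasks}
    path = [t for t in tasks if slack[t] == 0]
    return duration, slack, path, project_end


if __name__ == "__main__":
    durations, slack, path, end = critical_path(TASKS)
    for task in TASKS:
        print(f"{task:10s} expected={durations[task]:5.2f}h slack={slack[task]:5.2f}h")
    print("critical path:", " -> ".join(path), f"({end:.1f}h)")
```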

Timebox Management

• Define and deploy software deliverables in short/fixed period of time

• Prevents cost overruns or delays from scheduled delivery

• Design/development shortened due to newer development tools/techniques

10 Audit Stages

1. Approving audit charter/engagement letter

2. Preplanning audit

3. Risk Assessment

4. Determine whether audit is possible

5. Performing the actual audit

6. Gathering evidence

7. Performing audit tests

8. Analyzing results

9. Report Results

10. Follow-up activities


Engagement Letter vs. Audit Charter

Difference is auditor independence (external vs. internal audit)

Charter - RAA

• Responsibility – scope with goals/objectives

• Authority – right to access & audit

• Accountability – agreement between auditor/Audit Committee; reporting requirements

2 foundational audit objectives:

• Test control implementation to determine if adequate safeguards implemented

• Comply with legal requirements

Process technique – Shewhart - PDCA

1. Plan – plan or method?

2. Do – work match the plan?

3. Check – anyone monitoring the process? What is acceptable criterion?

4. Act – how are differences identified and dealt with?

Controls

• General – overall controls; all depts.

• Pervasive (technology)

• Detailed IS controls (tasks)

• Application (most detailed, lowest level controls)

Evidence Life Cycle – ICI SAP PR → Chain of custody

• Identification

• Collection

• Initial preservation

• Storage

• Analysis

• Post analysis preservation storage

• Presentation

• Return of evidence

Sampling

Statistical/Mathematical

• Random

• Cell – random selection at defined intervals

• Fixed interval – select every n + increment

Non-statistical

• Haphazard

Compliance Testing – presence/absence

Attribute sampling – is attribute present in sample? Specified by rate of occurrence

Stop & Go sampling – used when few errors expected, reduces overall sample size. Reduces effort. Auditor determines whether to stop testing or continue testing.

Discovery sampling – 100 percent sampling to detect fraud (ex: forensics).

Precision/expected error rate – acceptable margin of error between samples and subject population. Low error rate requires large sample.


Substantive Testing – content/integrity

Variable sampling – designating $ value or effectiveness (weight) of entire subject by prorating from a smaller sample (ex: weigh $50 bill and calculate value of stack of bills by total weight).

Unstratified mean estimation – projects an estimated total for entire population

Stratified mean estimation – calculate average by grouping items (all males, all females, all over 30)

Difference estimation – determine difference between audited and unaudited claims of value.

Audit coefficient – level of confidence re: audit results. 95% & higher = high degree of confidence

Attestation – providing assurance via your signature that document contents are authentic & genuine.

Type 1 events occur before balance sheet date; Type 2 after (not auditor’s responsibility to detect subsequent events)
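As an added example (not from the study guide), the three statistical selection methods listed under Sampling (random, cell, fixed interval) applied to a constructed population of change tickets, followed by an attribute test that reports the observed deviation rate against a tolerable rate; the population, the approval attribute and the 5% tolerable rate are constructed for illustration:

```python
# Added example, not from the study guide: the guide's statistical selection
# methods, then an attribute (compliance) test over the selected items.
import random

# Constructed population: 100 change tickets; every 20th one lacks the approval attribute.
POPULATION = [{"id": i, "approved": i % 20 != 0} for i in range(100)]


def random_sample(population, n, seed=0):
    """Statistical, random: every item has the same chance of selection."""
    rng = random.Random(seed)
    return sorted(rng.sample(range(len(population)), n))


def fixed_interval_sample(population, n, seed=0):
    """Statistical, fixed interval: random start, then every k-th item (k = N / n)."""
    k = len(population) // n
    start = random.Random(seed).randrange(k)
    return [start + i * k for i in range(n)]


def cell_sample(population, n, seed=0):
    """Statistical, cell: split the population into n equal cells, draw one random item per cell."""
    k = len(population) // n
    rng = random.Random(seed)
    return [i * k + rng.randrange(k) for i in range(n)]


def attribute_test(population, indices, has_attribute, tolerable_rate):
    """Compliance test: is the attribute present in each sampled item?

    Returns (observed deviation rate, True if within the tolerable rate).
    """
    deviations = sum(1 for i in indices if not has_attribute(population[i]))
    rate = deviations / len(indices)
    return rate, rate <= tolerable_rate


if __name__ == "__main__":
    pickers = (("random", random_sample), ("fixed interval", fixed_interval_sample), ("cell", cell_sample))
    for name, picker in pickers:
        idx = picker(POPULATION, 10)
        rate, ok = attribute_test(POPULATION, idx, lambda t: t["approved"], 0.05)
        print(f"{name:15s} sample={idx} deviation rate={rate:.0%} within tolerance={ok}")
```

Note that with a 5% population deviation rate a 10-item sample can easily contain zero or several deviations, which is the point of the guide's remark that a low expected error rate requires a larger sample.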


Open Systems Interconnect (OSI) Model

Provides standard interface at each layer; ensures each layer does not have to be concerned about the details of how other layers operate

Each layer is self-contained and can be updated without affecting other layers

• Each layer communicates with the layer above and below it, as well as virtually with the same layer on the remote system

7 OSI Layers vs. 4 TCP/IP Layers (memory phrase reads bottom-up: Please Do Not Throw Sausage Pizza Away; the TCP/IP memory words are given per layer in parentheses)

7 – Application (Away) / TCP/IP 4 – Application (Anchovies To)

o Communication type: to application; device: gateway

o Controls/provides: standard interface to the network; problem solving; encryption

o Protocol: DNS

6 – Presentation (Pizza) / TCP/IP: no separate layer

o Headers & data: format & data structure

o Controls/provides: translate & display; screen formatting

5 – Session (Sausage) / TCP/IP: no separate layer

o Communication type: app to app; communication sessions between applications

o Protocols: RPC; SQL database session; NFS

4 – Transport (Throw) / TCP/IP 3 – Transport (Throw)

o Headers & data: message

o Communication type: host to host

o Controls/provides: login screen

o Protocols: TCP (confirmed delivery); UDP (unconfirmed)

3 – Network (Not) / TCP/IP 2 – Internet/Network (I)

o Headers & data: packet

o Device: router

o Controls/provides: routing, address to address

o Protocol: IP

2 – Data Link (Do) / TCP/IP 1 – Link (LAN/WAN interface) (Do)

o Headers & data: frame; MAC address

o Device: switch/bridge

o Controls/provides: transmit & receive; flow control; error notification; order sequence

o Protocols: NetBIOS; DHCP; PPP

1 – Physical (Please) / TCP/IP: no separate layer (Nor)

o Headers & data: signal; cable/wireless

o Device: hub/repeater; Wi-Fi transmitter

o Controls/provides: cable & voltage requirements; control electrical link between systems

MAC Address = 48-bit
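As an added example (not from the study guide), the table's Frame → Packet → Message encapsulation peeled from the outside in: a constructed Ethernet II / IPv4 / UDP frame is decoded layer by layer, exposing the 48-bit MAC addresses at layer 2, the 32-bit IP addresses at layer 3 and the UDP ports at layer 4 (destination port 53, the guide's DNS, is chosen for the sample); the addresses are hypothetical documentation-range values:

```python
# Added example, not from the study guide: decode a constructed Ethernet/IPv4/UDP
# frame from the outside in, following the table's Frame -> Packet -> Message order.
import struct

# Constructed sample frame (hypothetical addresses from the 192.0.2.0/24 documentation range).
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")                # Layer 2: destination MAC (48-bit)
    + bytes.fromhex("66778899aabb")              # Layer 2: source MAC (48-bit)
    + bytes.fromhex("0800")                      # Layer 2: EtherType 0x0800 = IPv4
    + bytes.fromhex("450000200000400040110000")  # Layer 3: IPv4 header, total length 32, TTL 64,
                                                 #          protocol 17 (UDP), checksum left zero
    + bytes([192, 0, 2, 10])                     # Layer 3: source IP (32-bit)
    + bytes([192, 0, 2, 20])                     # Layer 3: destination IP (32-bit)
    + struct.pack("!HHHH", 40000, 53, 12, 0)     # Layer 4: UDP src port, dst port, length 12, checksum
    + b"ping"                                    # payload handed up to the application layer
)


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Return the layer 2, 3 and 4 header fields and the payload of an Ethernet II / IPv4 / UDP frame."""
    # Layer 2 (Data Link): 14-byte Ethernet header carrying the two 48-bit MAC addresses.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 packet")
    packet = frame[14:]

    # Layer 3 (Network): IPv4 header; IHL is the header length in 32-bit words.
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    src_ip, dst_ip = fmt_ip(packet[12:16]), fmt_ip(packet[16:20])
    segment = packet[ihl:total_len]

    # Layer 4 (Transport): UDP (protocol 17), the guide's unconfirmed-delivery protocol; 8-byte header.
    if proto != 17:
        raise ValueError("only UDP is handled in this example")
    src_port, dst_port, udp_len, _ucsum = struct.unpack("!HHHH", segment[:8])
    payload = segment[8:udp_len]

    return {
        "l2": {"dst_mac": fmt_mac(dst_mac), "src_mac": fmt_mac(src_mac)},
        "l3": {"src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl},
        "l4": {"src_port": src_port, "dst_port": dst_port},
        "payload": payload,
    }


if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```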

Cables

• Coax – 185 meters, 2 pairs of wires

• UTP < 200 ft, 4 twisted pairs

• Fiber – dense wave multiplexing


Point-to-Point Protocol (PPP)

• Data link layer protocol for accessing remote network using IP over serial lines (replaced SLIP)

IP Addresses (32 bits)

Four IPs in each subnet are lost/reserved

• Numeric name (e.g., 192.0.0.0) for routing table/network path

• Starting IP

• Ending IP (IPs in between start & end = IP address space)

• Broadcast IP

ARP = MAC address to IP address

VLANs (requires router to access other subnets)

• Port-based: specific port configured to a specific VLAN. Small networks

• MAC-based: ties MAC address into VLAN, reconfigures network port on switch

• Policy or rule-based: Rule based on IP address or protocol in header. Switch ports reconfigure automatically

DNS – Bootp using RARP!

Dedicated Phone Circuits

• POTS – 56Kbs (half of ISDN circuit)

• Integrated Services Digital Network (ISDN) – 128Kbs, 23 channels of data, voice, video (conference); runs on POTS

• Primary trunk line (T1) – 28 POTS circuits, 1.544 Mbps. Charged by the mile.

• Digital Subscriber Line (DSL) – over POTS. 368 Kbps-1.544 Mbps.

Packet Switching

• Eliminated need for dedicated lines (Internet is PS’d)

• Not limited by distance

• Source & destination known, path is not

• Charged according to packets transmitted, not distance

Examples

• X.25 – foundation of modern switched networks (not popular today)

o Quality of Service (QOS)

o Permanent Virtual Circuits (PVCs) – fixed path, replaced dedicated phone lines

o Switched Virtual Circuits (SVCs) – path dynamic, constantly changing

• Frame relay – has PVC and SVC. 1.544 – 44.5 Mbps (replaced X.25)

o Different format and functionality

o Packets arrive out of sequence, are reassembled

• Asynchronous Transfer Mode (ATM)

o High speed, 155 Mbps – 1 GBps

o Cell switching and multiplexing ensures solid delivery

o Multiple concurrent data paths

Multiprotocol Label Switching (MPLS)

• Protocol and routing table independent

• Packet headers examined once (versus every hop in traditional layer 3 switching) and then assigned a stream/label that contains forwarding information


Piconet – one trillionth or very small – Small wireless adhoc network – Bluetooth (PAN)

Syslog – no message authentication/integrity; no message delivery verification

Remote Monitoring Protocol (RMON1) – monitors only Data Link/MAC layers and below

Remote Monitoring Protocol 2 (RMON2) - unlike Sniffer that monitors layers 1-3, RMON2 monitors all 7 OSI layers

> IT Governance

IT Governance – leading and monitoring IT performance & investment

• Strategic alignment between IT & business

• Monitoring assurance practices for executive management

• Intervention to stop, modify, or fix practices as they occur

3 IT Governance management levels:

• Strategic (3+ yrs)

• Tactical (6 months – 2 yrs)

• Operational (daily)

Balanced Scorecard – CB FG

• Customer

• Business process

• Financial

• Growth & Learning

3 layers that incorporate the 4 perspectives (MMS)

• Mission

• Metrics

• Strategy

5 Capability Maturity Model (CMM) Levels – zero IRD MO

• 13 to 25 months to move up a level

• Idea started in auto assembly line


CMM vs. ISO 15504 (SPICE) – PME PO

# | Level | Description | Process | ISO 15504

0 | Nothing | – | – | Incomplete

1 | Initial | ad hoc, firefighting | unique and chaotic (people have most freedom and decision making) | Performed

2 | Repeatable | documented | inspected quality; project mgmt; basic standards, processes, procedures documented | Managed

3 | Defined | well documented and understood | lessons learned; standardization between departments; objectives, qualitative measurements, improvement procedures | Established

4 | Managed | mgmt controls processes & adjusts | portfolio mgmt; PMO; predictable by quantitative measure (numeric measure of quality) | Predictable

5 | Optimized | continually improved to reflect business needs | least freedom in decision making; statistical process control | Optimizing

Risk Management

Single Loss Expectancy (SLE) = Asset value (AV) $ * Exposure factor (EF) %

Annual Loss Expectancy (ALE)$ = SLE * Annual Rate of Occurrence (ARO)

Business Process Reengineering (BPR) 3 areas of improvement

1. Business efficiency

2. Improved techniques

3. New requirements

Guiding Principles

• Think big future process/end state

• Incremental

• Hybrid approach top down view of strategy, bottom-up research


Business Process Reengineering (BPR) vs. Project Mgmt vs. SDLC Chart

6 BPR (EIDRRE) | 5 Project Mgmt (IP EMC) | 6 SDLC (FRD DIP, waterfall method) | Task

Envision | Initiate | Feasibility | Scope, sponsor, pick a process, goals

Initiate | – | Requirements | Stakeholder buy-in, external customer needs

Diagnose | Plan | – | Identify benchmarks, activities, resources, roles, costs, communication needs

Redesign | – | Design/Select* | Determine solutions, alternatives

– | Execute | Development/Configuration* | Build prototypes

Reconstruct | – | Implementation | Install systems, train, transition

Evaluate | Manage and Control | Post Implementation | Monitor and review; goals obtained?

– | Close | – | Lessons learned, archive files, TQM

* When software is purchased rather than developed in-house

BPR Rules

• Fix only broken processes

• Calculate ROI

• Understand current process first

• No leftovers

Role of IS in BPR

• Enable new processes by improving automation

• Provide IT project mgmt tools to analyze process and define requirements

• Provide IT support for collaboration tools, teleconference, and specialized business user software

• Help business integrate their processes with ERP

Delphi technique – blind interaction of ideas between group members

6 Benchmarking Steps – PRO AAI

• Plan – identify critical processes

• Research – baseline data re: own processes, then that of other businesses

• Observe – visit benchmark partner, collect data

• Analyze – identify gaps between own and benchmark partner’s processes

• Adapt – translate findings into principles → strategies → action plans

• Improve - link each process to improvement strategy and organizational goals

Business Impact Analysis – discovery of inner workings of a process

• Process value

• How process works, who does what

• Shortcomings

• Revenue created or supported

• Project process lifetime


> Systems & System Development Life Cycle (SDLC) Verification/Validation Model (V-model)

• Identifies relationship between development and test phases

• Most granular test, unit test, validates detailed design phase

Development methodology

• Organization-centric → use SDLC

• End-user centric → alternate approaches

SDLC/Waterfall technique - FRD DIP

See chart under Business Process Re-engineering

• Feasibility

o Identify the alternatives for addressing the business need

o Business case that justifies proceeding to the next phase

o Calculate ROI

o Impact assessment – future effects on current projects/resources

• Requirements

o Management/users must be involved

o Identify stakeholders and expectations

o Request for Proposal (RFP) process

o Create project schedule and resource commitments

o Create general preliminary design → use entity relationship diagram (ERD)

• Design/Select (When software is purchased rather than developed in-house, the stages are Select and Configuration)

o Establish baseline of system, program, database specifications

o Implement change control for scope creep - software baselining (design freeze), version numbering

o Address security considerations

• Development/Configuration*

o Includes all unit and system testing, iterations of user acceptance testing (UAT) in secure environment to protect against changes

o Develop data conversion strategies

o Train super users

o QA activities, software QA plan, Application QA function

▪ Focuses on documented specifications and technology used, application works as specified in logical design; performed by IT; not functionality related

• Implementation

o Final UAT

o Certification

▪ Assessment of management, operational, and technical controls; used to reassess risks and update security plan

o Accreditation process

▪ Management decision to authorize operation

▪ Involves accepting responsibility and accountability for system’s risks and system security

• Post Implementation

o Assess whether system meets business requirements, has appropriate access controls, ROI achieved, lessons learned

o ROI requires a few business cycles to be completed first

o Info to be reviewed needs to be identified at project startup


Entity Relationship Diagram (ERD)

• Example: http://en.wikipedia.org/wiki/File:ER_Diagram_MMORPG.png

• Identifies relationships between system data

• Data modeling technique that describes information needs or the type of information to be stored in a database (helps design the data dictionary)

• Entity

o Physical object such as a report, an event such as a sale or a repair service, or a concept such as a customer transaction or order (logical construct) → NOUNS

o Attributes form the keys of an entity

o Primary key uniquely identifies each instance of an entity

o Represented by rectangular boxes

• Relationships

o How entities are associated → VERBS

o Foreign key is one or more entity attributes that map to primary key of related entity

o Represented by diamonds

Testing

• Regression – rerunning a part of the test scenario to ensure changes have not introduced new errors

• Sociability – can system operate in target environment without impacting existing systems (memory, shared DLLs)

Alternatives to SDLC

Project Organization

Iterative Development

• Develop in iterations or increments, with feedback after each stage

• Now regarded as best practice; deals with development complexities and risks

Examples

• Evolutionary – create prototype to gather/verify requirements, explore design issues (called prototyping)

• Spiral – uses series of prototypes that become more detailed; risk analysis precedes each prototype

• Agile – developed in short, time-boxed iterations; uses tracer-bullet approach

Evolutionary (Prototyping) Development (also called Heuristic)

• Combines best of the SDLC with an iterative approach that enables developer and customer to react to risks at each iteration

• Focuses on prototyping screens and reports

Disadvantages

• Leads to system extras that were not included in initial requirements (could end up functionally rich but inefficient)

• Poor controls (that normally come out of traditional SDLC)

• Poor change control and documentation/approvals

Agile Development

Process designed to handle changes to the system being developed or the project itself

Scrum, one of the first agile processes, 1990s

Characteristics

• Small, time-boxed iterations (plan and do 1 phase at a time)

• Replanning at the end of each iteration (e.g., identify new requirements, reprioritizing)

• Relies on head knowledge (vs. project documentation), frequent team meetings

• Pair-wise programming: 2 people code same functions (knowledge share and quality check)


• Planning and control by team members; project manager = facilitator/advocate

• Validate functionality via frequent build-test cycle to limit defects

Rapid Application Development (RAD)

Well-defined methodology

• Evolutionary prototypes with rigid limits on development timeframes

• Small, well-trained team

• Integrated power tools for development

• Central repository

• Iterative requirements and design workshops

• Does NOT support planning or analysis of the info needs of business area/ enterprise as a whole

Stages

1. Concept definition

2. Functional design

3. Development

4. Deployment

Alternative Development Methods

Development methods (data-oriented, object-oriented) are independent of the project organization model (evolutionary, spiral, agile)

Data-Oriented System Development (DOSD)

Focuses on data and their structure in prespecified formats for download or use in other systems

Examples: stock, airline flight data

Eliminates data transformation/converting errors

Object-Oriented System Development (OOSD)

• Data and procedure (instructions) are grouped in an object

• Data = attributes, functionality = methods (vs. SDLC which addresses data separate from procedures)

• OOSD = programming technique, NOT a software development methodology: can be used in prototyping, waterfall, agile, etc.

• Objects are created from a template called a class, which contains characteristics of the class without reference to the data

• Polymorphism: ability of objects to interpret a message differently at execution depending on object’s superclass

• First OOP languages: Simula 67, Smalltalk; Java boosted acceptance of OOP

• Unified Modeling Language (UML)

Major Advantages

• Ability to manage unrestricted variety of data types

• Ability to model complex relationships

Component-Based Development

• Outgrowth of OOD

• Definition: assembling applications from packages of executable software that make their services available through defined interfaces (i.e., objects, which can interact with one another regardless of language written in or OS running)

o In process client components – run from within a container (e.g., web browser)

o Stand-alone client components – applications that expose services to other software (e.g., Excel and Word).


▪ Initiated by RPCs or other network calls. Supporting technologies:

• Microsoft’s Distributed Component Object Model (DCOM) – basis for ActiveX

• Common Object Request Broker Architecture (CORBA)

• Java via Remote Method Invocation (RMI)

All of the above are distributed object technologies, which allow all objects on distributed platforms to interact. Also called middleware, which provides run-time services whereby programs/objects/components can interact.

o Stand-alone server components – processes running on servers that provide standard services

o In process server components – run on servers within containers

▪ Microsoft’s Transaction Server (MTS)

▪ Enterprise Java Beans (EJB)

• Benefits

o Reduces development time & cost. Only have to code unique parts of the system.

o Improves quality. Prewritten components have already been tested.

o Allows developers to focus more on business functionality. Increases abstraction and shields low-level programming details.

o Promotes modularity.

o Simplifies reuse. No source required, no need to know procedural or class libraries.

o Supports multiple development environments as components can interact regardless of language or OS.

o Allows combining build and buy components.

Web-Based Application Development

Extensible Markup Language (XML) is key to development

Simple Object Access Protocol (SOAP) is used to define APIs

• SOAP works with any OS or programming language that supports XML

• SOAP is simpler than RPCs in that modules are coupled loosely (can change one component without changing others)

• Web Services Description Language (WSDL) identifies the SOAP specification used for the module’s API; formats the SOAP messages in/out of the module. Also identifies the web service available to be used

• Universal Description, Discovery, and Integration (UDDI) is used to make an entry in the UDDI directory, which allows others to find and use the available web services

Reengineering – updating an existing system by extracting and reusing design and program components.

Reverse Engineering

Risks

• Software licenses usually prohibit it to protect trade secrets/programming techniques

• Decompilers depend on specific computers, OSs, and programming languages. Any changes to these require a new decompiler.

Physical Architecture Analysis (RADFFP)

• Review of existing architecture

• Analysis and design

• Draft functional requirements (start vendor selection)

• Functional requirements

• Define final functional requirements

• Proof of Concept


Change Control Procedures

Change Management Auditing

• Program library access is restricted

• Supervisory reviews occur

• Changes are approved and documented

• Potential impact of changes is assessed

• User approves change

• Programming management reviews/approves change

• Implementation date on change request matches actual implementation date

• Distributed systems – changes are rolled out to all nodes (check for same version of software)

Emergency Changes

• Emergency ID use is logged and monitored

• Normal change controls are applied, often retroactively

Computer-aided Software Engineering (CASE)

3 categories of CASE tools

• Upper CASE – describe and document business/application requirements

• Middle CASE – develop the detailed design: screen/report layouts, editing criteria, data object organization, process flow

• Lower CASE – generate code and database definitions (using upper and middle CASE output)

Key CASE Audit Issues

Functional design and data elements become the source code

• Users are involved

• CASE methodology is defined and followed

• Integrity of data between CASE products and processes is controlled and monitored

• Changes to the application are reflected in stored CASE product data

• Application controls are designed and included

• CASE repository is secured and version control implemented

Programming Languages

1st – machine lang

2nd – assembly lang

3rd – English-like

4th – embedded database interface, prewritten utilities; programmer selects program actions (aka pseudocoding or bytecoding)

5th – artificial intelligence; learning system/fuzzy logic/neural algorithms

Fourth-generation Languages

4GL Characteristics

• Nonprocedural language – event driven, uses OOP concepts of objects, properties, and methods

• Portable across OSs, computer architectures

• Software facilities – allows design/paint of screens, help screens, and graphical outputs

• Programmer workbench concepts (integrated development environment) – include filing facilities, temporary storage, text editing, OS commands

• Simple language subsets


4GL Types

• Query and report generators

• Embedded database 4GLs – FOCUS, RAMIS II, NOMAD 2

• Relational database 4GLs – included in vendor DBMS to allow better use of DBMS product: SQL+, MANTIS, NATURAL

• Application generators – generate lower-level programming languages (3GL) like COBOL and C.

Application Controls

Definition: controls over input, processing, and output functions

Examples

• Edit tests

• Totals

• Reconciliations

• Identification/reporting of incorrect, missing, and exception data

Auditor tasks

• Identify significant application components and flow of transactions

• Gain understanding of the application through documentation review and interviews

• Identify application control strengths and weaknesses

• Test controls and evaluate control environment

• Review application efficiency/effectiveness, and whether it meets management objectives

Input Controls

Input Authorization

• Signatures on batch forms/source documents

• Online access controls ensuring only authorized users can access data and perform sensitive functions

• Unique passwords

• Terminal/workstation identification to limit clients that can access the application

• Source documents – should be prenumbered and controlled

Batch Controls and Balancing

• Definition: Input transactions grouped together (batched) to provide control totals.

Batch Controls

• Total $ amount

• Total items

• Total documents

• Hash totals – total of a meaningless, predetermined field (e.g., customer account numbers or zip codes) used to detect errors or omissions; do not ensure correct employees, pay rates, etc., only errors or omissions

Balancing Controls

• Batch registers – comparing manual batch totals against system reported totals

• Control accounts – control account use is performed via an initial edit to determine batch totals. After processing data to the master file, reconciliation is performed between the initial edit file totals and the master file.

• Computer agreement – application compares the batch totals recorded in the batch header with the calculated totals and accepts/rejects the batch
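Added example (not from the guide): the four batch controls above recomputed by the application and compared with the batch header (computer agreement). The records, account numbers and amounts are constructed; the cases show that a hash total catches a transposed account number or a dropped document, but not an amount posted to the wrong valid account.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Detail:
    """One keyed transaction (a source document in the batch); fields are constructed."""
    doc_no: str       # prenumbered source document
    account: str      # customer account number: the "meaningless" field used for the hash total
    items: int        # quantity on the document
    amount: Decimal   # dollar amount


@dataclass(frozen=True)
class BatchTotals:
    """The four batch controls named in the guide."""
    total_amount: Decimal
    total_items: int
    total_documents: int
    hash_total: int   # arithmetic sum of the account numbers; has no business meaning


CONTROL_NAMES = ("total_amount", "total_items", "total_documents", "hash_total")


def compute_totals(details):
    """Recompute the control totals from the detail records (the 'calculated totals')."""
    return BatchTotals(
        total_amount=sum((d.amount for d in details), Decimal("0")),
        total_items=sum(d.items for d in details),
        total_documents=len(details),
        hash_total=sum(int(d.account) for d in details),
    )


def computer_agreement(header, details):
    """Compare header totals with recomputed totals.

    Returns the names of the controls that disagree; an empty list means the
    application accepts the batch, anything else means it rejects (or suspends) it.
    """
    actual = compute_totals(details)
    return [n for n in CONTROL_NAMES if getattr(header, n) != getattr(actual, n)]


# Constructed batch of three source documents, as prepared by the originating department.
SOURCE_BATCH = [
    Detail("0001", "10234", 3, Decimal("120.00")),
    Detail("0002", "20987", 1, Decimal("75.50")),
    Detail("0003", "30456", 2, Decimal("310.25")),
]
# Batch header totals taken from the source documents before data entry (batch register side).
HEADER = compute_totals(SOURCE_BATCH)

# Keying error 1: digits of the account number transposed on document 0002 (20987 -> 29087).
KEYED_TRANSPOSED = [SOURCE_BATCH[0], Detail("0002", "29087", 1, Decimal("75.50")), SOURCE_BATCH[2]]
# Keying error 2: document 0003 omitted entirely.
KEYED_OMITTED = SOURCE_BATCH[:2]
# Keying error 3: amounts posted to each other's (valid) accounts. Every total still agrees,
# which is why the guide says hash totals catch errors and omissions, not wrong customers.
KEYED_SWAPPED_ACCOUNTS = [
    Detail("0001", "20987", 3, Decimal("120.00")),
    Detail("0002", "10234", 1, Decimal("75.50")),
    SOURCE_BATCH[2],
]


if __name__ == "__main__":
    for name, batch in (("clean", SOURCE_BATCH), ("transposed", KEYED_TRANSPOSED),
                        ("omitted", KEYED_OMITTED), ("swapped accounts", KEYED_SWAPPED_ACCOUNTS)):
        mismatches = computer_agreement(HEADER, batch)
        print(f"{name:18s} -> {'ACCEPT' if not mismatches else 'REJECT ' + ', '.join(mismatches)}")
```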


Error Handling and Reporting

Input Error Handling

• Reject only transactions (trx) with errors

• Reject the whole batch of trxs

• Hold the batch in suspense (until errors corrected)

• Accept the batch and flag error transactions

Input Control Techniques

• Trx Log of all updates, verified to source documents

• Reconciliation of data

• Documentation – written evidence of user, data entry, and data control procedures

• Error correction procedures

o Logging of errors

o Timely corrections

o Upstream resubmission

o Approval of corrections

o Suspense file

o Error file

o Validity of corrections

• Anticipation – user or control group anticipates the receipt of data

• Transmittal log of transmission or receipt of data

• Cancellation of source documents – punching or marking to avoid duplicate entry

Batch Integrity

• Batch established by time of day, specific terminal of entry, or individual who entered data

• Supervisor reviews batch and releases for processing

Data Validation/Editing Procedures

• Identifies errors, incomplete or missing data, and inconsistencies among related items.

• Should occur as close to the time and point of origination as possible

Edits and Controls (types of checks)

• Sequence – control numbers are sequential

• Limit

• Range

• Validity

• Reasonableness

• Table lookups

• Existence

• Key verification – two people key the data and both sets are compared

• Check digit – detects transposition and transcription errors

• Completeness

• Duplicate

• Logical relationship
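Added example (not from the guide): the edit checks listed above applied to a constructed batch of keyed timecards, each record tripping a different check. The guide names no check digit scheme, so the mod-10 (Luhn) digit is assumed here; the department table, limits and employee master are constructed.

```python
# Predetermined tables and limits (constructed for this example).
VALID_DEPTS = {"D10", "D20", "D30"}          # table lookup / validity
MAX_HOURS = 80                               # limit check
PAY_RATE_RANGE = (10.00, 150.00)             # range check
MAX_REASONABLE_GROSS = 5000.00               # reasonableness check
REQUIRED_FIELDS = ("emp_id", "dept", "hours", "overtime", "rate")


def luhn_check_digit(base: str) -> str:
    """Mod-10 (Luhn) check digit for a run of digits; an assumed scheme, the guide names none."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:              # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct check digit for the digits before it."""
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


def edit_record(rec: dict, employee_master: set) -> list:
    """Field-level edits on one record; returns (field, check) pairs that failed."""
    errors = [(f, "completeness") for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if errors:
        return errors                       # the remaining edits need every field present
    if not luhn_valid(rec["emp_id"]):       # check digit: transcription/transposition in the ID
        errors.append(("emp_id", "check digit"))
    elif rec["emp_id"] not in employee_master:   # existence: ID must be on the master file
        errors.append(("emp_id", "existence"))
    if rec["dept"] not in VALID_DEPTS:      # validity / table lookup
        errors.append(("dept", "validity"))
    if rec["hours"] > MAX_HOURS:            # limit
        errors.append(("hours", "limit"))
    if not PAY_RATE_RANGE[0] <= rec["rate"] <= PAY_RATE_RANGE[1]:   # range
        errors.append(("rate", "range"))
    if (rec["hours"] + rec["overtime"]) * rec["rate"] > MAX_REASONABLE_GROSS:  # reasonableness
        errors.append(("gross", "reasonableness"))
    if rec["overtime"] > 0 and rec["hours"] < 40:   # logical relationship: no overtime below full time
        errors.append(("overtime", "logical relationship"))
    return errors


def edit_batch(records: list, employee_master: set) -> dict:
    """Batch-level edits (sequence, duplicate) on top of the field edits, keyed by sequence number."""
    results, seen_ids = {}, set()
    expected_seq = records[0]["seq"] if records else None
    for rec in records:
        errs = edit_record(rec, employee_master)
        if rec["seq"] != expected_seq:      # sequence: control numbers must be consecutive
            errs.append(("seq", "sequence"))
        expected_seq = rec["seq"] + 1
        if rec["emp_id"]:                   # duplicate: same employee keyed twice in one batch
            if rec["emp_id"] in seen_ids:
                errs.append(("emp_id", "duplicate"))
            seen_ids.add(rec["emp_id"])
        results[rec["seq"]] = errs
    return results


# Constructed employee master file: each ID carries a Luhn check digit.
EMPLOYEE_MASTER = {b + luhn_check_digit(b) for b in ("799273987", "123456789", "555000111")}

# Constructed batch of keyed timecards; comments say which edit each record should trip.
BATCH = [
    {"seq": 101, "emp_id": "7992739875", "dept": "D10", "hours": 40, "overtime": 5, "rate": 32.50},  # clean
    {"seq": 102, "emp_id": "7992739857", "dept": "D10", "hours": 40, "overtime": 0, "rate": 32.50},  # last two ID digits transposed
    {"seq": 104, "emp_id": "1234567897", "dept": "D99", "hours": 95, "overtime": 0, "rate": 32.50},  # seq gap, bad dept, over limit
    {"seq": 105, "emp_id": "5550001118", "dept": "D20", "hours": 30, "overtime": 4, "rate": 5.00},   # rate out of range, overtime w/o 40 hrs
    {"seq": 106, "emp_id": "7992739875", "dept": "D30", "hours": 40, "overtime": 0, "rate": 140.00}, # unreasonable gross, duplicate employee
    {"seq": 107, "emp_id": "", "dept": "D30", "hours": 40, "overtime": 0, "rate": 20.00},            # missing employee ID
]


if __name__ == "__main__":
    for seq, errs in edit_batch(BATCH, EMPLOYEE_MASTER).items():
        print(seq, "OK" if not errs else errs)
```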


Processing Controls

Ensure completeness and accuracy of accumulated data

Processing Control Techniques

• Manual recalculations

• Edit check

• Run-to-run totals

• Programmed controls (e.g., detects incorrect file or file version)

• Reasonableness verification of calculated amounts

• Limit checks on calculated amounts – check using predetermined limits

• Reconciliation of file totals

• Exception reports

Data File Control Procedures

• Ensures only authorized processing occurs

Data File Control Techniques

• Before and after image reporting – shows impact trxs have on data

• Maintenance error reporting and handling

• Source documentation retention

• Internal and external labeling of files, batches, tapes

• Version usage (file or database)

• Data file security

• One-for-one checking – documents processed equals source documents

• Prerecorded input – some data preprinted on blank input forms to reduce entry errors

• Trx logs

• File dating and maintenance authorization

• Parity checking for transmission errors

o Vertical/column check – check on single character

o Horizontal/longitudinal/row check – check on all the equivalent bits

Use of both checks recommended
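Added example (not from the guide): vertical (per-character) and longitudinal (per-column) parity computed on a constructed block, with simulated line errors that show which patterns each check detects and why the guide recommends using both. Even parity is assumed; the guide does not say odd or even.

```python
def vrc_bits(block: bytes) -> list:
    """Vertical redundancy check: one even-parity bit per character (the 'column check')."""
    return [bin(b).count("1") % 2 for b in block]


def lrc_byte(block: bytes) -> int:
    """Longitudinal redundancy check: XOR across all characters gives one parity bit per bit position (the 'row check')."""
    lrc = 0
    for b in block:
        lrc ^= b
    return lrc


def flip_bits(block: bytes, positions) -> bytes:
    """Simulate line errors: positions is an iterable of (character index, bit index) pairs."""
    data = bytearray(block)
    for char_i, bit_i in positions:
        data[char_i] ^= 1 << bit_i
    return bytes(data)


def transmit(block: bytes, error_positions) -> dict:
    """Sender computes VRC and LRC on the clean block; the channel corrupts it; the receiver recomputes and compares."""
    vrc_sent, lrc_sent = vrc_bits(block), lrc_byte(block)
    received = flip_bits(block, error_positions)
    return {
        "vrc_error": vrc_bits(received) != vrc_sent,
        "lrc_error": lrc_byte(received) != lrc_sent,
    }


MESSAGE = b"PAYROLL BATCH 0042"   # constructed sample block (7-bit ASCII characters)

# Error patterns that show what each check can and cannot see.
SINGLE_BIT = [(3, 0)]                                     # both checks catch it
TWO_BITS_ONE_CHAR = [(3, 0), (3, 1)]                      # VRC misses (character parity unchanged), LRC catches
TWO_BITS_ONE_COLUMN = [(3, 0), (5, 0)]                    # VRC catches (two odd characters), LRC misses (column flipped twice)
FOUR_BITS_RECTANGLE = [(3, 0), (3, 1), (5, 0), (5, 1)]    # neither check detects: the limit of parity schemes


if __name__ == "__main__":
    for label, errs in (("single bit", SINGLE_BIT), ("two bits, one char", TWO_BITS_ONE_CHAR),
                        ("two bits, one column", TWO_BITS_ONE_COLUMN), ("rectangle", FOUR_BITS_RECTANGLE)):
        print(f"{label:22s} {transmit(MESSAGE, errs)}")
```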

4 Categories of data files or database tables

• System control parameters – controls edits and exception flags; changes to these files should be controlled same as program changes

• Standing data – data that seldom changes, referred to during processing (e.g., vendor names & addresses). Changes should be authorized and logged.

• Master data/balance data – running balances and totals should be adjusted only under strict approval/review controls and logged

• Trx files – controlled via validation checks, control totals, exception reports, etc.


Output Controls

Ensures delivered data is presented, formatted, and delivered consistently and securely

• Logging and storage of negotiable, sensitive, and critical forms securely

• Computer generation of negotiable instruments, forms, and signatures

• Report distribution

o All reports logged prior to distribution

o Secure print spools to avoid deletion or redirection of print jobs

o Restricted to certain IT resources, websites, or printers

o Confidential disposal

• Balancing and reconciling

• Output error handling

• Output report retention

• Verification of receipt of reports

Risk Assessment of Application Controls

• Quality of internal controls

• Economic conditions

• Recent accounting system changes

• Time since last audit

• Prior audit results

• Complexity of operations

• Changes in operations/environment

• Changes in key positions

• Time in existence

• Competitive environment

• Assets at risk

• Staff turnover

• Trx volume and trends

• Regulatory agency impact

• Monetary volume

• Sensitivity of trxs

• Impact of application failure

User Procedures Review

• SOD – authority to do only one: origination, authorization, verification, distribution (DAVO)

• Authorization of input – written approval or unique passwords

o Supervisor overrides should be logged and reviewed by mgmt

o Excessive overrides may indicate validation/edit routines need improvement

• Balancing

• Error control and correction

• Distribution of reports

• Access authorizations and capabilities

o Based on job description

o Activity reports generated and reviewed (activities valid for user and occur during authorized hours of operations)

o Violation reports of unauthorized activities or unsuccessful access attempts


Data Integrity Testing

• Cyclical testing – checking data against source documents, one section of data at a time. Whole file is eventually checked after multiple cycles.

• Data Integrity Tests

o Relational – at data element and record levels

o Referential – enforced through programmed data validation routines or by defining the input conditions (edits), or both

▪ Define existence relationships between database elements (primary and foreign keys)

▪ All references to a primary key from another file (foreign key) actually exist in the original file

Data Integrity Requirements (ACID)

• Atomicity – trx is completed entirely or not at all

• Consistency – maintained with each trx, taking the database from one consistent state to another

• Isolation – Each trx isolated and accesses only data part of a consistent database state

• Durability – trxs that are reported complete survive subsequent HW/software failures

Application Testing Methods

• Snapshot – records flow of designated trxs through logic paths within programs

• Mapping – identifies untested program logic and whether program statements have been executed

• Tracing & tagging – shows trail of instructions executed; tagging selected trxs and using tracing to track them

• Test data/deck

• Base case system evaluation – uses test data to verify correct system operations (extensive test)

• Parallel operation

• Integrated test facility – using fictitious file with test trxs that is processed with live data

• Parallel simulation – processing production data against simulated program logic

• Trx selection programs – uses audit software to screen and select trxs

• Embedded audit data collection – software embedded in production system used to select input and generated trxs during production

o System control audit review file (SCARF) – auditor determines reasonableness of tests incorporated into normal processing; provides information for further review

o Sample audit review file (SARF) – randomly selects trxs for analysis

• Extended records – gathers all data affected by a particular program for review

Continuous Auditing Techniques

• System control audit review file and Embedded Audit Modules (SCARF/EAM)

• Snapshots of data from input to output; trxs are tagged by applying identifiers and recording selected information for audit review

• Audit hooks – functions as red flags; allows review before issues get out of hand

• Integrated test facility (ITF)

• Continuous and Intermittent Simulation (CIS) – system audits trxs that meet predetermined criteria


E-commerce Risks

• Confidentiality

• Integrity

• Availability

• Authentication and non-repudiation

• Power shift to customers

E-commerce Audit/Control Issues (Best Practices)

• Security architecture (firewalls, encryption, PKI, certificates, password mgmt)

• Digital signatures

• Public Key Infrastructure (PKI)

o Framework for issuing, maintaining, verifying and revoking public key certificates by a trusted party.

o Key elements

▪ Digital certificates – public key and info about the owner that authenticates the owner (issued by trusted 3rd party)

• Includes distinguishing username, public key, algorithm, certificate validity period

▪ Certificate Authority (CA) – trusted provider of public/private key pairs that confirms authenticity of the owner of the certificate (business) by issuing/signing the requestor’s certificate with CA’s private key

▪ Registration Authority (RA) – optional entity that some CAs use to record/verify business information needed by a CA to issue/revoke certificates

▪ Certificate revocation list (CRL)

▪ Certification practice statement (CPS) – rules governing CA’s operations, controls, validation methods, expectations of how certificates are to be used.

• Log monitoring

• Methods and procedures to identify security breaches

• Protecting customer data to ensure not used for other purposes or disclosed without permission

• Regular audits of security and controls

EDI Risks

• Transaction authorization

• Business continuity

• Unauthorized access to transactions

• Deletion/manipulation of transactions before or after establishment of application controls

• Loss or duplication of EDI transmissions

• Loss of confidentiality or improper distribution of trx by 3rd parties

EDI Controls

• Message format and content standards to avoid transmission errors

• Controls to ensure transmissions are converted properly for the application software

• Receiving organization controls to ensure reasonableness of messages received, based on trading partner’s trx history or documentation

• Controls to guard against manipulation of trxs in files and archives

• Procedures for ensuring messages are from authorized parties and were authorized

• Dedicated transmission channels between partners to prevent tapping

• Data is encrypted and digitally signed to identify source and destination

• Message authentication codes are used to ensure what was sent is received.

• Error handling for trxs that are nonstandard or from unauthorized parties


• Business relationships are defined in trading partner agreement identifying trxs to be used, responsibilities of both parties in handling/processing trxs, and business terms of the trxs

Auditing EDI

• Encryption processes ensure CIA and nonrepudiation of trxs

• Edit checks to identify erroneous, unusual, or invalid trxs prior to updating the application

• Edit checks to assess trx reasonableness and validity

• Trx are logged on receipt

• Control totals on receipt of trxs to verify number/value of trx to be passed to the application, and reconcile totals between applications and trading partners

• Segment count totals built into trx set trailers by sender

• Trx set count totals built into group headers by sender

• Validity of sender against trading partner details by:

o Using control fields with a message at the trx, function, group, or interchange level, often within the EDI header, trailer, or control record

o Using VAN sequential control numbers or reports, if applicable

o Sending acknowledgement trx to sender to verify receipt; sender matches acks against a log of EDI messages sent.

Digital Signatures

• Unique to each document; cannot be transferred or reused

• Verifies sender and that document has not been altered

• Based on message digest, a short, fixed length number

o Different messages can have the same digest, but the message can’t be produced from the digest

o 128-bit cryptographic hash

o Similar to checksum or fingerprint of the document

• DES (symmetric); RSA (asymmetric – public key)

Risk Management for e-banking

1. Board & mgmt oversight

2. Security controls

3. Legal and reputational risk management

Purchase Order Accounting functions

• Accounts payable processing

• Goods received processing

• Order processing

Artificial Intelligence

• Languages: LISP and PROLOG

• Primary components

o Inference engine

o Knowledge base

▪ Contains subject matter facts and rules for interpreting them

▪ Decision trees – questionnaires or choices users walk through

▪ Semantic nets – graph which describes relationships between the nodes

o Explanation module

o Database


• Also contains

o Knowledge interface – allows entry of knowledge without needing a programmer

o Data interface – enables system to collect data from nonhuman sources (other systems, like temperatures)

• Used in auditing!

• Errors in system have a bigger impact, especially in health care

Decision Support Systems

• Emphasizes effectiveness (right task/right decision) over efficiency (performing tasks quickly and reducing costs)

• G. Gorry-M.S. Morton framework – degree of structure in decision process & mgmt level making decision

o Decision-structure: structured, semi-structured, unstructured

▪ Decision-structure depends on the extent it can be automated/programmed

o Mgmt-level: operational control, mgmt control, and strategic planning

• Sprague-Carson framework – family trees structure

• Motivated by end users

• Use 4GL

Critical Success Factors (CSF)

• Productivity

• Quality

• Economic value

• Customer service

Integrated Resource Management Systems → ERP

American Standard Code for Information Interchange (ASCII)

Extended Binary-Coded Decimal Interchange Code (EBCDIC)

Project Portfolio Management Objectives

• Optimization of the results of the project portfolio

• Prioritizing and scheduling projects

• Resource coordination

• Knowledge transfer throughout the projects

PPM requires a PP database

Benefits Realization (Management) Techniques

• Describe benefits mgmt

• Assign measure/target

• Establish measuring/tracking regimen

• Document assumption

• Establish key responsibilities for realization

• Validate the benefits predicted in the business

• Planning the benefit to be realized


Project Mgmt Organizational Alignment

Method | Authority | Style

Influence | Not formal | Advise on which activities to complete

Pure | Formal | Special work area

Matrix | Shared between PM & dept heads | –

ISO – Intern’l Org for Standardization – creates intern’l standards

ISO 15504 – PME PO / Software Process Improvement and Capability Determination (SPICE) – see CMM

ISO 9001 – quality mgmt

• Requires quality manual, trained staff, managed to improve competency

ISO 9126 Software Quality Metrics – FUR PEM

• Functionality of the software processes

• Usability (Ease of use)

• Reliability with consistent performance

• Portability between environments

• Efficiency

• Maintainability for modifications

ISO 15489:2001 – Records Mgmt/Retention

• Requires compliance with ISO 9001 (quality) and 140001 (records mgmt)

• Includes fundraising campaigns

• Used to determine liability and sentencing during prosecution

• Requires data classification

Decision Making

• Critical success factors

• Scenario planning

> IT Service Delivery & Support

IS Operations

• Resource allocation

• Standards & procedures

• Process monitoring

IS Hardware

CPU = arithmetic logic unit (ALU), control unit, and internal memory

IS Architecture & Software

Database Management System (DBMS)

Primary Functions

• Reduced data redundancy

• Decreased access time

• Security over sensitive data


Data Dictionary/Directory System

• Contains index and description of all items stored in database

• Defines and stores source and object forms of all data definitions in schemas and all associated mappings

• One DD/DS can be used across multiple databases

Database Structures

• Hierarchical

o data arranged in parent/child relationships

o one-to-many mappings

o results in duplicate data

o easy to implement, modify, and search.

o No high-level query capability; have to navigate the database

• Network

o Data arranged in sets (owner record type, member record, name)

o One-to-many or one-to-one mappings

o Sets can have the same member record type

o Very complex

o No high-level query capability; have to navigate the database

• Relational

o Based on sets and relational calculations (dynamic database)

o Data organized in tables (collection of rows)

▪ Row/tuple = record

▪ Columns/domains/attributes = fields

o Properties

▪ Values are atomic

▪ Rows are unique

▪ Sequence of columns and rows insignificant

▪ Allow control over sensitive data

o Easy to understand, query, modify

o Normalization – minimizing the amount of data needed and stored by eliminating data redundancy and ensuring referential integrity

Networking

Baseband – single channel, half-duplex, entire capacity used to transmit one signal

Broadband – multiple channels, full duplex, multiple signals

Bridge – Data link layer 2 device used to connect LANs or create separate LAN or WAN segments to reduce collision domains

Router – Like bridges/switches, routers link physically separate network segments. Block broadcast data. Software-based, less efficient than switches. Can connect LAN and WAN.

Router does packet-switching using microprocessor; layer 3 switch does switching using ASIC hardware

Layer 4 switch – switches based on layer 3 addresses and application information (such as port #s) to provide policy-based switching

Layer 4-7 switches – used for load balancing

Gateways – protocol converters; used between LANs and mainframes or LANs and Internet


Synchronous transmission – bits transmitted at constant speed. Sending modem uses a specific character when it starts sending a data block to synchronize the receiving device. Provides maximum efficiency.

Asynchronous transmission – Sender uses a start and stop bit before and after each data byte. Lower efficiency, but simpler.

Multiplexing – dividing physical circuit into multiple circuits by:

• Time-division – regardless of whether data is ready to transmit

• Asynchronous time division – dynamically assigned time slots as needed for transmission

• Frequency – based on signal frequency

• Statistical – dynamic allocation of any data channel based on criteria

Wireless

Wi-Fi Protected Access (WPA) – wireless security protocol

Wireless Application Protocol (WAP) – multi-layered protocol and technologies that provide Internet content to mobile wireless devices (phones and PDAs).

TCP/IP (32-bit)

• Includes network and application support protocols

• Network layer 3 = IP

• Transport layer 4 = TCP/UDP

Common Gateway Interface (CGI) Script – machine-independent code run on a server that can be called & executed by a web server; performs tasks such as processing input received from a web form

Applets – Programs downloaded from web servers that run applications in browsers (most popular ones use Java, JavaScript, Visual Basic)

Servlet – Small program that runs in a web server, similar to a CGI program. Unlike CGI, servlets stay in memory and can serve multiple requests

Middleware – software used by client/server applications to provide communications and other services between applications, systems, and devices.

• Services include identification, authentication, authorization, directories, and security

• Resides between the application and the network

• Manages the interaction between the GUI and the database back-end.

System Control

First level of control in a computer is the privileged supervisory user (root/admin).

Operating System States

• Supervisory – security front end not loaded; requests are run at the highest authority level without security controls.

• General user/problem – security is active; system is solving problems for user.

• Wait – computer busy and unable to respond to additional requests


> Protection of Information Assets

Risk – What can happen if a threat exploits a vulnerability.

Threat – Who or what can cause an undesirable event.

Vulnerability – How a weakness in technology or organizational process can be exploited by a threat.

Key elements of Information Security Mgmt

• Senior mgmt commitment & support

• Policies and procedures

• Organization (define who is responsible for protection)

• Security awareness & education

• Monitoring and compliance

• Incident Handling & response

Inventory Classification

• Identification of the asset (hardware, software, data)

• Relative value to the organization

• Location

• Security risk/classification

• Asset group, if asset forms part of a larger system

• Owner

• Custodian

Logical security layers

• Networks

• Platforms (OS)

• Applications

• Databases

Mandatory access control (MAC)

• Control that cannot be changed by normal users or data owners; they act by default; prohibitive

• Changed by admins making decisions derived from policy

• Example: password complexity requirements

Discretionary access control (DAC)

• Controls that CAN be changed by normal users/data owners

• Example: access to departmental shared folder on server

Pharming – redirecting web site traffic to a bogus site via changes in DNS or a user’s host file

Biometrics

• Something you are (fingerprint) or do (typing behavior)

• Quantitative measures (% rate)

o False rejection rate (FRR, type I) – person falsely rejected access

o Failure to enroll rate (FER) – person fails to enroll successfully

o False acceptance rate (FAR, type II) – unauthorized person allowed access

o Increase in type I rate decreases the type II rate & vice versa


o Equal error rate (EER) – point at which FRR & FAR are equal. The lower the measure, the more effective the biometric

o Best response times and lowest EER: palm, hand, iris, retina, fingerprint, voice

• Palm* – ridges and valleys

• Hand geometry* – oldest, 3D, hand and fingers, 90 measurements

• Iris – color patterns around pupil, 260 characteristics. No physical contact, high cost

• Retina – blood vessel pattern, best FAR, requires close proximity, high cost

• Fingerprint – low cost, size, ease of integration

• Face – acceptable/friendly, but lack of uniqueness

* Socially accepted, low storage cost
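The FRR/FAR trade-off and the equal error rate described above, worked through in code. This is an added example, not part of the study guide: the match scores are constructed for a hypothetical reader, and a sample is accepted when its score is at or above the decision threshold.

```python
# Constructed match scores (0..1) for a hypothetical biometric reader:
# GENUINE = legitimate users matched against their own template,
# IMPOSTOR = other people matched against that template.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR = [0.12, 0.20, 0.27, 0.33, 0.41, 0.48, 0.53, 0.58, 0.63, 0.71]


def error_rates(genuine, impostor, threshold):
    """FRR (type I) and FAR (type II) at one decision threshold.

    A sample is accepted when score >= threshold, so:
      FRR = share of legitimate users wrongly rejected (score below threshold)
      FAR = share of impostors wrongly accepted (score at/above threshold)
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return the
    threshold where FRR and FAR are closest (the crossover) and the rate there.
    The lower that rate, the more effective the biometric."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, eer = best
    return threshold, eer


def tradeoff_table(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) rows: tightening the threshold raises type I
    errors and lowers type II errors, which is the trade-off in the notes."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for t, frr, far in tradeoff_table(GENUINE, IMPOSTOR, [0.55, 0.60, 0.65, 0.70]):
        print(f"threshold {t:.2f}: FRR {frr:.1f}  FAR {far:.1f}")
    print("EER threshold / rate:", equal_error_rate(GENUINE, IMPOSTOR))
```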

Single Sign-on (SSO)

• Consolidation of platform-based administration, authentication, and authorization functions into a single, centralized function

• Example: Kerberos, developed at MIT, Project Athena

Bypassing Security Controls

Only system software programmers should have access to:

• Bypass label processing (BLP) – bypasses the reading of the file label, on which most access control rules are based, and bypasses the associated security on the file

• System exits – system software feature that allows complex system maintenance. Exits often exist outside of the computer security system, so they are not restricted or logged.

• Special system logon IDs – vendor provided

Wireless Security

9 categories of overall security threats

1. Errors and omissions

2. Fraud and theft by authorized/unauthorized users

3. Employee sabotage

4. Loss of physical and infrastructure support

5. Malicious hackers

6. Industrial espionage

7. Malicious code

8. Foreign government espionage

9. Personal privacy threats

Main Wireless Threats

1. Theft

2. DOS

3. Malicious hackers

4. Industrial espionage

5. Malicious code

6. Foreign government espionage

7. Theft of service


Security Requirements

• Authenticity – verification that the message was not changed in transit

• Nonrepudiation – verification of origin or receipt of message

• Accountability – actions traceable to an entity

• Network availability

Scanners – strobe, jakal, asmodeous

Install local firewall, turn off scripting

Firewalls

3 types of firewalls

• router packet filtering

• application

• stateful inspection

Router packet filtering

• first generation

• examines header (source/destination IP, port number) at network layer

• simple, stable performance

• allows direct exchange of packets between outside/inside systems

Miniature fragment attack – fragment the IP packet into smaller ones; the first packets will be examined, and the rest won't

• Caused by default setting that passes residual packets

• Firewall should drop fragmented packets, or packets with offset value = 1

Application Firewalls - 2 levels/types

• application-level

• circuit-level

• Neither allows the direct exchange of packets between outside/inside systems

Bastion hosts: handle all requests and are highly fortified

• Can secure, modify, and log all packets

• Provide NAT

Application level

• analyzes traffic through a set of proxies, one for each service: http, ftp, etc.

• can reduce network performance

Circuit-level

• Analyzes traffic through a single, general-purpose proxy

• more efficient, but rare

Stateful Inspection Firewalls

• Tracks destination address of packets leaving network; prevents initiation of attacks from outside

• Tracks connection-oriented and connectionless packets like UDP

• More efficient, faster firewall as packets are not examined in deep OSI layers
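An added illustration, not from the study guide, of the packet-filtering behaviour in the Router packet filtering, miniature fragment and Stateful Inspection Firewalls notes above: a small Python model of a stateful filter that records outbound TCP and UDP flows, admits inbound packets only when they answer such a flow or hit a published service, and drops fragments with offset 1. The Packet class, the published-service list and all addresses (RFC 1918 / documentation ranges) are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed summary of an IP packet: only the header fields a filter reads."""
    direction: str        # "out" = leaving the private network, "in" = arriving from outside
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    frag_offset: int = 0  # IP fragment offset in 8-byte units (0 = first or only fragment)


class StatefulFirewall:
    """Packet filter with a connection table, modelled on the study notes:
    outbound traffic creates state, inbound traffic is allowed only if it answers an
    existing flow or reaches an explicitly published service, and tiny fragments are
    dropped before any header rule is consulted."""

    def __init__(self, published_services, drop_all_fragments=False):
        self.published = set(published_services)   # {(proto, port)} reachable from outside
        self.drop_all_fragments = drop_all_fragments
        self.state = set()                          # 5-tuples of flows opened from inside

    def filter(self, pkt: Packet) -> str:
        # Miniature fragment rule: at offset 1 the transport header has been split across
        # fragments, so a header-only check cannot actually see the ports. Drop it, or in
        # strict mode drop every non-first fragment.
        if pkt.frag_offset == 1 or (self.drop_all_fragments and pkt.frag_offset > 0):
            return "drop"
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            self.state.add(flow)          # track who inside talked to whom (TCP and UDP alike)
            return "allow"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            return "allow"                # reply to a flow initiated from inside
        if (pkt.proto, pkt.dport) in self.published:
            return "allow"                # service the policy deliberately exposes
        return "drop"                     # unsolicited inbound connection attempt


def run_scenario():
    """Constructed traffic against a firewall that publishes only tcp/443."""
    fw = StatefulFirewall(published_services={("tcp", 443)})
    traffic = [
        Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.7", 443),    # user browses out
        Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 51000),     # web server reply
        Packet("out", "udp", "10.0.0.5", 40000, "203.0.113.53", 53),    # DNS query
        Packet("in", "udp", "203.0.113.53", 53, "10.0.0.5", 40000),     # DNS answer (UDP state)
        Packet("in", "tcp", "198.51.100.9", 4444, "10.0.0.5", 22),      # unsolicited SSH attempt
        Packet("in", "tcp", "198.51.100.9", 4444, "10.0.0.8", 443),     # published web server
        Packet("in", "tcp", "198.51.100.9", 4444, "10.0.0.8", 443, frag_offset=1),  # tiny fragment
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    print(run_scenario())  # ['allow', 'allow', 'allow', 'allow', 'drop', 'allow', 'drop']
```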


Firewall implementations

Screened host

• packet filtering router and bastion host

• Includes application firewall/proxy services

• bastion host is on private network, packet filtering router is between Internet and private network

• Requires compromise of two systems

Dual homed firewall

• More restrictive version of the screened host firewall, using a dual-homed bastion host

DMZ or screened-subnet firewall

• Uses 2 packet filtering routers and bastion host

• Provides network (packet filtering) and application-level security with a DMZ network

• Inside router manages DMZ access to the internal network, accepting traffic only from the bastion host

• Requires compromise of 3 hosts; hides internal network addresses

Hardware firewalls faster, but not as flexible or scalable

Software firewalls slower, but more scalable

Intrusion Detection Systems (IDS)

• Monitor network anomalies

• Network-based

• Host-based – monitor modification of programs, files; detect privileged command execution

• Components

o Sensors that collect data

o Analyzers that receive input and determine intrusive activity

o Administrative console

o User interface

IDS Types

• Signature-based

• Statistical-based – must be configured with known and expected system behaviors

• Neural networks – monitors general activity, similar to statistical-based, but capable of self-learning

IDS cannot help with

• Policy definition weaknesses

• Application-level vulnerabilities

• Backdoors in applications

• Identification and authentication scheme weaknesses

Encryption

Key elements

• Encryption Algorithm

• Encryption Keys

• Key length

Private Key Systems


• Symmetric – 1 key encrypts and decrypts

• Less complicated, faster

• Problem is distributing key safely

• RC2, RC4, IDEA, DES, AES

Data Encryption Standard (DES) – 64-bit block cipher

• 56-bit key (8 extra bits for parity checking)

• Replaced by AES, 128- to 256-bit key (Rijndael, invented by Rijmen and Daemen)

o Symmetric block cipher

o Unlike DES, Rijndael has variable block and key length

o Based on round operations

Public Key Systems

• Asymmetric – 2 keys, one encrypts, other decrypts

• Keys created by integer factorization

• Used to encrypt symmetric keys and for digital signatures

• RSA (Rivest, Shamir, Adleman; invented in 1977), Diffie-Hellman, DSA, Fortezza

Encrypt with public key, decrypt only with private key – confidentiality (read only by receiver)

Encrypt with private key, decrypt with public key – authentication and non-repudiation

Encrypt with private key, then public key – confidentiality, authentication, and non-repudiation

Elliptic Curve Cryptography (ECC)

• Public key variation based on the discrete logarithm problem over an elliptic curve (2 points on curve)

• Works with networked computers, smart cards, wireless phones, mobile devices

• Less computational power, more security per bit (160-bit ECC = 1024-bit RSA)

Quantum Cryptography

• Uses interaction of light pulses, polarization metrics

Digital signatures

• Uses public key algorithm to ensure identity of sender and integrity of the data

• Hash algorithm creates message digest, smaller version of the original message

• Converts variable-length messages into a fixed-length, 128-bit digest

• Hashes are one-way functions, can't reverse

o MD5, SHA-1, SHA-256

• Digital signature encrypted by sender's private key; receiver decrypts with public key, then recomputes a digital signature and compares it to the original signature

• Ensure data integrity, authentication, and non-repudiation (but not confidentiality)

• Vulnerable to man-in-the-middle attack

Digital Envelope

• Contains data encrypted with symmetric key and the session key (which is the symmetric key, encrypted with the receiver's public/asymmetric key)

• Receivers' private key used to decrypt session key (symmetric key); symmetric key used to decrypt data.

• Uses asymmetric keys to protect the data integrity, authentication, and non-repudiation gained by the symmetric key
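The "encrypt with private key" / "encrypt with public key" rules, the digital signature and the digital envelope above, carried through in Python as an added example that is not from the guide. It uses textbook RSA with fixed Mersenne primes in place of randomly generated primes (so runs are deterministic), SHA-256 as the hash, and a SHA-256 keystream as a stand-in for the symmetric cipher; all of this is chosen to show the mechanics, and the keys and message are constructed.

```python
import hashlib
import os
from math import gcd

E = 65537  # conventional RSA public exponent


def make_keypair(p, q):
    """Textbook RSA key pair from two primes; n = p*q is what integer factorization
    would have to break. Real systems generate large random primes; the Mersenne
    primes passed in below only keep this constructed example deterministic."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    d = pow(E, -1, phi)                  # private exponent = modular inverse of e (Python 3.8+)
    return (n, E), (n, d)                # (public key, private key)


def message_digest(message: bytes) -> int:
    """One-way hash: variable-length message -> fixed-length digest (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Digital signature: the digest 'encrypted' with the sender's private key."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver decrypts the signature with the sender's public key, recomputes the
    digest of what it received and compares; any change to the message breaks the match."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message) % n


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for AES (illustration, not a vetted cipher): a SHA-256
    keystream in counter mode XORed with the data. One key both encrypts and decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def seal_envelope(plaintext: bytes, receiver_public, session_key: bytes = None):
    """Digital envelope: data under a fresh symmetric session key, plus that session key
    encrypted with the receiver's public key (raw RSA here; real systems add OAEP padding)."""
    session_key = session_key or os.urandom(16)
    n, e = receiver_public
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return stream_xor(session_key, plaintext), wrapped_key


def open_envelope(ciphertext: bytes, wrapped_key: int, receiver_private) -> bytes:
    """Only the receiver's private key recovers the session key, which decrypts the data."""
    n, d = receiver_private
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return stream_xor(session_key, ciphertext)


def demo():
    """Sender signs and envelopes a message; receiver opens it and verifies the signature."""
    sender_pub, sender_priv = make_keypair(2**521 - 1, 2**607 - 1)        # Mersenne primes,
    receiver_pub, receiver_priv = make_keypair(2**127 - 1, 2**1279 - 1)   # constructed keys
    message = b"Approve payment 42 to vendor 17"                         # constructed sample
    signature = sign(message, sender_priv)
    ciphertext, wrapped_key = seal_envelope(message, receiver_pub)
    recovered = open_envelope(ciphertext, wrapped_key, receiver_priv)
    return {
        "recovered": recovered,
        "signature_ok": verify(recovered, signature, sender_pub),          # True
        "tampered_ok": verify(recovered + b"0", signature, sender_pub),   # False
    }


if __name__ == "__main__":
    print(demo())
```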


Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

• Session- or connection-layer protocol

• Provides end point authentication and confidentiality

• Typically, only the server is authenticated (including the client requires PKI deployment)

• Phases

o Algorithm negotiation

o Exchange of Public key and certificate-based authentication

o Symmetric cipher-based traffic encryption

• Runs on layers beneath application protocols HTTP, SMTP, NNTP and above the TCP protocol

• Uses hybrid of hashed, private, and public key cryptography to provide confidentiality, integrity, authentication (between client & server), and non-repudiation

IPSec

• Runs at the network layer

• Used for communicating between two or more hosts, subnets, or hosts and subnets (establishes VPNs)

• Transport mode – only data portion of packet (encapsulating security payload (ESP)) is encrypted – confidentiality

• Tunnel mode – ESP payload (data) and header are encrypted. Additional authentication header (AH) provides non-repudiation

• Uses security associations (SAs) to define the security parameters to use (algorithms, keys, initialization vectors, etc.)

• Using asymmetric encryption via Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley) increases IPSec security by using key management, public keys, negotiation, use of SAs, etc.

SSH

• Runs at application layer

• Client/server program for encrypting command-line shell traffic used for remote logon and management.

• Used to secure telnet and ftp

Secure Multipurpose Internet Mail Extensions (S/MIME)

• Email protocol authenticating sender and receiver

• Verifies message integrity and confidentiality, including attachments

Secure Electronic Transactions (SET)

• Visa/MasterCard protocol used to secure credit card transactions

• Application protocol using PKI of trusted 3rd party

Encryption Risks

• Secrecy of keys is paramount

• Randomness of key generation relates to how easy a key can be compromised

• Tying passwords to key generation weakens the key’s randomness, so it is important to use strong passwords


Viruses

• Attached to programs

• Self-propagating to other programs

• Attack EXEs, file directory system, boot & system areas, data files

Worms

• Does not attach to programs

• Propagates via OS security weaknesses

Virus/Worm controls – policies (preventative) and antivirus software (detective)

• Backups = vital control

VOIP

• Replaces circuit switching (and associated waste of bandwidth) with packet switching

• Secure VOIP similar to data networks (firewalls, encryption)

• Network issues take down phones also, so backup availability is a big issue

• VLANS should be used to segregate VOIP infrastructure/traffic

• Session Border Controllers (SBCs) provide VOIP security similar to firewalls by monitoring VOIP protocols, monitoring for DoS, and providing network address and protocol translation features

Private Branch Exchange (PBX)

• In-house phone company for organization; allows 4-digit dialing, saves cost of individual phone lines to phone company’s central office

• PBX security different from normal OS security

o External access/control by 3rd party for updates/maintenance

o Richness of features available for attacks

PBX Controls

• Physically secure PBX and telephone closets

• Configure and secure separate and dedicated admin ports

• Control direct inward dial (DID) lines to avoid external parties getting dial tone for free long-distance calls

• Block certain long-distance numbers

• Control numbers destined for faxes and modems

• Use call-tracking logs

• Maintenance out of Service (MOS) – signaling communication is terminated on PBX, but line may be left open for eavesdropping

• Embedded passwords can be restored when system rebooted during crash recovery


Auditing Infosec Management Framework

• Policies/Procedures, including Logical Access Security Policies

• Security Awareness and training

• Data ownership: owners, custodians, security administrator

• New IT users (sign document regarding security policies/procedures)

• New Data Users

• Documented user authorization

• Terminated users

• Security baseline

• Inventory (devices, applications, data)

• Antivirus

• Passwords

• Patching

• Minimizing services (turn off unneeded)

• Addressing vulnerabilities

• Backups

Computer Forensics (IPAP)

• Identify – information

• Preserve – retrieving data, documenting chain of custody

▪ Who had access to the data

▪ How evidence gathered

▪ Proving that analysis based on copies of original, unaltered evidence

• Analyze

• Present

> BCP/DRP

Starts with risk assessment

• People, data, infrastructure, and other resources that support key business processes

• Dangers and threats to the organization

• Estimated probability of threat occurrence

BCP includes

• DRP plan

• Plan to restore operations to normal following disaster

• Improvement of security operations

BCP Lifecycle

• Create BCP policy

• Business Impact Analysis (BIA)

• Classification of operations and criticality

• Identify IS processes that support business criticality

• Develop BCP and IS DRP

• Develop resumption procedures

• Training and awareness programs

• Test and implement plan

• Monitoring


BCP Policy

• Should encompass preventative, detective, and corrective controls

• BCP most critical corrective control

• Incident management control

• Main severity criterion is service downtime

• Media backup control

BIA identifies:

• Different business processes & criticality

• Critical IS resources supporting critical business processes

• Critical recovery period before significant or unacceptable losses occur

Recovery point objective (RPO) – based on acceptable data loss; earliest time in which it is acceptable to recover; date/time or synchronization point to which systems/data will be restored.

Recovery time objective (RTO) – based on acceptable downtime; earliest time when business operations must resume.

Interruption window – how long a business can wait before operations resume (after this point, losses are unaffordable)

Maximum Tolerable Outage (MTO) – maximum time business can operate in alternate processing mode before other problems occur

Service delivery objective (SDO) – acceptable level of services required during alternate processing

Recovery Alternatives

• Hot site – fully configured and ready to operate within hours. Not for extended use.

• Warm site – partially configured (network and peripheral devices, but no main computers). Site ready in hours, operations ready in days or weeks.

• Cold site – has basic utilities, ready in weeks.

• Redundant site – dedicated, self-developed sites.

• Mobile site – data center in a box

• Reciprocal agreements with other businesses

Redundant Array of Inexpensive/Independent Disks (RAID)

• Level 0 – striped disk array, no fault tolerance; stripes multiple disks into one volume (faster when software based)

• Level 1 – mirroring; 2 drives, half the space (faster when software based)

• Level 2 – Hamming code ECC – interweaving data based on Hamming code (EXPENSIVE and rare; HW based, resource intensive)

• Level 3 – parallel transfer with parity; at least 2 striped data drives with 1 for parity (faster in HW)

• Level 5 – block level; independent disks with distributed parity blocks; at least 3 drives, stripes data and parity (faster in HW) → mirrored sets

• Level 6 – Level 5 with 2 independent distributed parity schemes (faster in HW)

• Level 10 – high reliability & performance; at least 4 drives, stripes level 1 segments; hi I/O

• Level 0+1 – High transfer rate; striped plus mirror; losing 2 drives = major data loss
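An added example, not from the guide, of what the RAID notes imply for fault tolerance: enumerating every two-drive failure shows why "stripes level 1 segments" (RAID 10) survives more second failures than "striped plus mirror" (RAID 0+1), and it generalizes the comparison to RAID 5/6 and to any even drive count. The drive layouts (adjacent drives form a mirror pair; the first half of the drives forms stripe set A) and the minimum drive counts are assumptions stated in the comments.

```python
from itertools import combinations


def raid10_survives(failed, n_drives):
    """RAID 10 (stripe of level-1 segments): assume drives (0,1), (2,3), ... are mirror
    pairs. Data is lost only when both halves of the same pair fail."""
    pairs = [(i, i + 1) for i in range(0, n_drives, 2)]
    return not any(a in failed and b in failed for a, b in pairs)


def raid01_survives(failed, n_drives):
    """RAID 0+1 (mirror of two stripe sets): assume drives [0, n/2) form stripe set A and
    the rest set B. One failed drive breaks its whole stripe set, so one failure in each
    set loses everything, which is the 'losing 2 drives' note."""
    half = n_drives // 2
    a_broken = any(d < half for d in failed)
    b_broken = any(d >= half for d in failed)
    return not (a_broken and b_broken)


def raid5_survives(failed, n_drives):
    """Distributed single parity: any one drive may fail."""
    return len(failed) <= 1


def raid6_survives(failed, n_drives):
    """Two independent distributed parity schemes: any two drives may fail."""
    return len(failed) <= 2


def survival_odds(level_fn, n_drives, n_failures):
    """(combinations survived, combinations possible) for n simultaneous drive failures."""
    combos = list(combinations(range(n_drives), n_failures))
    survived = sum(1 for c in combos if level_fn(set(c), n_drives))
    return survived, len(combos)


def usable_capacity(level, n_drives, drive_size):
    """Usable space per level. Minimum drive counts assumed: RAID 1 = 2, RAID 5 = 3,
    RAID 6 / 10 / 0+1 = 4 (the notes give 3 for level 5 and 4 for level 10)."""
    rules = {"0": (1, n_drives), "1": (2, n_drives // 2), "5": (3, n_drives - 1),
             "6": (4, n_drives - 2), "10": (4, n_drives // 2), "0+1": (4, n_drives // 2)}
    minimum, data_drives = rules[level]
    if n_drives < minimum:
        raise ValueError(f"RAID {level} needs at least {minimum} drives")
    return data_drives * drive_size


def compare(n_drives=4, n_failures=2):
    """Survival odds of each level for the same drive count and failure count."""
    levels = [("RAID 10", raid10_survives), ("RAID 0+1", raid01_survives),
              ("RAID 5", raid5_survives), ("RAID 6", raid6_survives)]
    return {name: survival_odds(fn, n_drives, n_failures) for name, fn in levels}


if __name__ == "__main__":
    for name, (ok, total) in compare(4).items():
        print(f"{name:9s} survives {ok}/{total} two-drive failures on 4 drives")
```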


Insurance Coverage

• IS equipment/facilities

• software media reconstruction

• Extra expense – of continuing operations after disaster; loss due to computer media damage

• Business interruption

• Valuable papers and records

• Errors and omissions

• Fidelity coverage – loss due to dishonest/fraudulent acts

• Media transportation

• Covers loss based on historical performance, not existing

• No compensation for loss of image/goodwill

Grandfather (monthly), father (weekly), son (daily) backup rotation scheme

Difference between ISACA book and Sybex

Sybex is easier to read and digest

• Layout is better and more reader-friendly

• More bullet points, charts, and tables that summarize the information and show relationships or differences in the subject matter

• Less subject matter on a page, so eyes don’t get so tired as you read.

Both identify critical things a CISA must know, but ISACA is more specific in their must-know notes.

I would never read just one book. Read one book and take notes. Then read the other book and supplement your notes. This process will help you understand the difference between the two sources. Each perspective is helpful.