CISA Review Chapter 5 With Answers

CISA REVIEW
The material provided in this slide show came
directly from Certified Information Systems
Auditor (CISA) Review Material 2010 by ISACA.
CISA REVIEW
Chapter 5 – Protection of Information Assets
Learning Objectives
By the end of chapter 5, you should be able to:
• Evaluate the design, implementation and monitoring of
logical access controls to ensure the confidentiality, integrity,
availability and authorized use of information assets.
• Evaluate the design, implementation and monitoring of
environmental controls to prevent or minimize loss.
• Evaluate the design, implementation and monitoring of
physical access controls to ensure that information assets are
adequately safeguarded.
• Evaluate the processes and procedures used to store,
retrieve, transport and dispose of confidential information
assets.
To meet an organization's business requirements, it is
important that security objectives include ensuring:
• Continued availability of information systems
• Integrity of the information stored on computer
systems
• Confidentiality of sensitive data
• Conformity to applicable laws, regulations and
standards
• Adherence to trust and obligation requirements for
any information relating to an identified or
identifiable individual (i.e., data subject) in
accordance with its privacy policy
Data should be treated as a core asset. Categorizing
data is a major part of the task of classifying all
information assets. Data classification as a control
measure should define the following:
• The owner of the information asset
• Who has access rights (need to know)
• The level of access to be granted
• Who is responsible for determining the access
rights and access levels
• What approvals are needed for access
• The extent and depth of security controls
Data integrity as it relates to security objectives
generally refers to the accuracy, completeness,
consistency, validity and verifiability of the data
once they are entered into a system.
Privacy is an organization-wide matter. An
organization should systematically build privacy into
its policies, standards and procedures by:
• Defining the nature of personally identifiable
information associated with business processes.
• Documenting the collection, use, disclosure and
destruction of personally identifiable information.
• Ensuring that accountability for privacy issues exists.
• Providing the foundation for informed policy, operations
and system design decisions. The decisions should
be based on an understanding of privacy risk and
the options available for mitigating that risk.
Think About It: Is "privacy" considered a separate
security objective?
Think About It: Answer - Is "privacy" considered a separate security
objective?
The importance of privacy impact assessments and the security
measures implemented to protect privacy have been increased due to
the amount of privacy legislation and regulation put in place in many
jurisdictions and industries over the past years. As a result, organizations
must ensure they take privacy requirements into consideration when
formulating and implementing their information security governance.
The level of privacy required will, therefore, be a driver when
considering the traditional security objective of confidentiality and the
security measures implemented in response to the level of
confidentiality needed.
As an IS auditor, you should be aware of the new and changing privacy
laws and regulations related to your industry and test to ensure your
organization is in compliance.
Think About It: How does involvement with
external parties (e.g., outsourcers) affect security
design, implementation and monitoring?
Think About It: Answer - How does involvement with
external parties (e.g., outsourcers) affect security design,
implementation and monitoring?
The main consideration is that an organization should not
allow its security to be lessened due to involvement with
external parties. The organization must ensure the required
security controls are defined and agreed to, and the ability
to monitor controls established – and that all these are
formally documented in a service level agreement (SLA).
Where formal agreements are not practical (e.g.,
consumers purchasing goods using a web-enabled
application) the organization must take comprehensive
steps to ensure only very limited and controlled access is
permitted.
All candidates for employment, contractors and third-party users should
be adequately screened, especially for sensitive jobs. This includes the
following:
• Background verification checks on all candidates for employment,
contractors and third-party users are carried out in accordance with
relevant laws, regulations and ethics, and proportional to the
business requirements, classification of information to be accessed
and perceived risks.
• A screening process for contractors and third-party users
– Where contractors are provided through an agency, the contract with
the agency should clearly specify the agency's responsibilities for
screening and the notification procedures they need to follow if
screening has not been completed or if the results give cause for doubt
or concern.
– Additionally, any agreements with the third party should clearly specify
all responsibilities and notification procedures for screening.
Management should require employees, contractors and third-party
users to apply security in accordance with the established policies
and procedures of the organization. Specific responsibilities should
be documented in approved job descriptions. This will help ensure
that employees, contractors and third-party users are aware of
information security threats and concerns, and of their
responsibilities and liabilities.
• Management responsibilities should be defined to ensure
security is applied throughout an individual's employment
within the organization.
• To minimize possible security risks, employees, contractors
and third-party users should be provided with an adequate
level of awareness, education and training in security
procedures.
• An organization should establish a formal disciplinary process
for handling security breaches.
Responsibilities should be in place to ensure that the
exit of employees, contractors or third-party users
from the organization is managed, and that the
return of all equipment and the removal of all access
rights are completed. The contracts of employees,
contractors or third-party users should set out what
continues to apply after termination, including:
• Ongoing security requirements and legal
responsibilities
• Responsibilities contained within any
confidentiality agreement
• Responsibilities and duties that remain valid after
termination of employment
The access rights of all employees, contractors and
third-party users to information and information
processing facilities (IPFs) should be removed at
termination of their employment, contract or
agreement, or adjusted upon change. The access
rights that should be removed or adapted include:
• Physical and logical access
• Keys
• Identification (ID) cards
• Information processing facilities (IPFs)
• Subscriptions
• Removal from any documentation that identifies
them as a current member of the organization
This should include notifying partners and relevant third parties
when departing employees have access to the third-party
premises. If departing employees, contractors or third-party
users have known passwords for accounts remaining active,
these should be changed at termination or change of
employment, contract or agreement. Access rights for
information assets and IPFs should be reduced or removed
before employment terminates or changes, depending on the
evaluation of risk factors such as:
• Whether termination or change is initiated by the
employees, contractors or third-party users, or by
management and the reason for termination.
• The current responsibilities of the employees, contractors or
any other users.
• The value of the assets currently accessible.
An IS auditor must be aware of four key concepts that help
foster understanding of how to evaluate a logical access control
mechanism:
• Identification: How subjects are recognized by the logical
access control mechanism (e.g., user name, user ID number)
• Authentication: How subjects prove they are who they say
they are (e.g., password, token, digital certificate)
• Authorization / Access Control: How rules are established
and evaluated to make an access control decision (e.g.,
should computer operators be able to change operations
logs)
• Monitoring: What security logging is in place and what
capabilities it has (e.g., failed logons, successful access to a
file)
One of the best practices is to integrate the
review of access rights with human resource (HR)
processes. When an employee transfers to a
different function – i.e., promotions, lateral
transfers or demotions – access rights are
adjusted at the same time. Development of a
security-conscious culture increases the
effectiveness of access controls.
Think About It: Why is monitoring an important
control, if unauthorized system access is
prevented in the first place?
Think About It: Answer - Why is monitoring an important
control, if unauthorized system access is prevented in the first
place?
An effective internal control structure requires multiple control
layers that include preventive, detective and corrective
techniques. While much effort goes toward preventing
unauthorized access (user IDs, passwords, access permissions),
it may be possible that these controls are bypassed due to
deficiencies in programming, configuration, or even human
error.
As a result, it is important to monitor system access to detect
unusual activity (e.g., user access at unusual times) that may
indicate a security breach has occurred, and to correct the
problem so that no future unauthorized access occurs.
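The detective control described in the answer above, run as a script over constructed logon records. This is an added example and is not part of the ISACA review material; the log line format (timestamp, user, source address, result), the business-hours window and the failure threshold are assumptions chosen for illustration.

```python
"""Detect unusual logon activity in constructed auth-log lines.

Added example, not part of the CISA review material. The log format
(`timestamp user source result`), the business-hours window and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not real data): "ISO-timestamp user source result"
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice 10.0.0.12 SUCCESS
2024-03-04T09:05:40 bob 10.0.0.15 SUCCESS
2024-03-04T02:14:03 carol 198.51.100.7 SUCCESS
2024-03-04T10:00:01 dave 10.0.0.20 FAIL
2024-03-04T10:00:05 dave 10.0.0.20 FAIL
2024-03-04T10:00:09 dave 10.0.0.20 FAIL
2024-03-04T10:00:14 dave 10.0.0.20 FAIL
2024-03-04T10:00:20 dave 10.0.0.20 SUCCESS
2024-03-04T11:30:00 erin 10.0.0.30 FAIL
2024-03-04T11:31:00 erin 10.0.0.30 SUCCESS
"""

BUSINESS_START = time(7, 0)   # assumption: 07:00-20:00 is normal working time
BUSINESS_END = time(20, 0)
FAIL_THRESHOLD = 3            # assumption: 3+ failures before a success is suspicious
WINDOW_SECONDS = 300          # assumption: failures count if within 5 minutes


def parse_log(text):
    """Turn the text log into (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def find_off_hours_logons(events):
    """Successful logons outside the business-hours window ("access at unusual times")."""
    return [(ts, user, src) for ts, user, src, result in events
            if result == "SUCCESS" and not (BUSINESS_START <= ts.time() <= BUSINESS_END)]


def find_failures_then_success(events):
    """A burst of failed logons for one user followed by a success within the window:
    the pattern left by password guessing that eventually works."""
    fails = defaultdict(list)
    alerts = []
    for ts, user, src, result in sorted(events):
        recent = [t for t in fails[user] if (ts - t).total_seconds() <= WINDOW_SECONDS]
        if result == "FAIL":
            fails[user] = recent + [ts]
            continue
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append((user, len(recent), ts, src))
        fails[user] = []
    return alerts


def review(text):
    """Run both checks and return the findings keyed by type."""
    events = parse_log(text)
    return {"off_hours": find_off_hours_logons(events),
            "guessing": find_failures_then_success(events)}


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

The point of the second check is the follow-up the slide asks for: a lockout control may have stopped nothing if the guess on the fifth attempt succeeded, so the detective rule must pair the failures with the success that ends them rather than counting failures alone.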
Identification and authentication (I&A) is the process
by which the logical access control software obtains
identification information for the users and the
credentials necessary to authenticate that
identification. I&A also includes the actual validation
of this information.
• I&A is needed for most types of access control and
is necessary for establishing user accountability.
• I&A is the first line of defense for most systems
because it prevents unauthorized people (or
unauthorized processes) from entering a computer
system or accessing an information asset.
• I&A is a critical building block of computer security.
Think About It: Can you list some of I&A's more
common vulnerabilities that may be exploited to
gain unauthorized system access?
Think About It: Answer - Can you list some of I&A's more
common vulnerabilities that may be exploited to gain
unauthorized system access?
• Weak authentication methods
• The potential for users to bypass the authentication
mechanism
• The lack of confidentiality and integrity for the stored
authentication information
• The lack of encryption for authentication and protection
of information transmitted over a network
• The user's lack of knowledge on the risks associated with
sharing authentication elements (e.g., passwords,
security tokens)
The logon ID - Each user gets a unique logon ID that can be identified by
the system. The format of logon IDs is typically standardized.
• Logon ID syntax should follow an internal naming rule.
• Default system accounts, such as Guest, Administrator and Admin,
should be renamed whenever technically possible.
• Logon IDs not used after a predetermined period of time should be
deactivated to prevent possible misuse. This can be done
automatically by the system or manually by the security
administrator.
• The system should automatically disconnect a logon session if no
activity has occurred for a period of time. This reduces the risk of
misuse of an active logon session left unattended because the user
went to lunch, left for home, went to a meeting or otherwise forgot
to log off. This is often referred to as a session timeout.
The password provides individual authentication. Accordingly, a password
should be easy for the user to remember but difficult for an intruder to guess.
• Initial passwords may be allocated by the security administrator or
generated by the system itself. When the user logs on for the first time, the
system should force a password change to improve confidentiality. Initial
password assignments should be randomly generated. The ID and password
should be communicated in a controlled manner to ensure only the
appropriate user receives this information. New accounts without an initial
password assignment should be suspended.
• If the wrong password is entered for a predefined number of times, typically
three, the logon ID should be automatically locked out.
• Users who have forgotten their password must notify the security
administrator, normally the only person with sufficient privileges to reset
the password and, where necessary, to unlock the logon ID. The security
administrator should reset the password and reactivate the logon ID only
after verifying the user's identity, e.g., by challenge/response questions,
by returning the user's call after verifying his or her extension, or by
calling the user's supervisor for verification.
The password (cont.)
• To reduce the risk of an intruder gaining access to other users' logon
IDs, passwords should not be displayed in any form. They are
normally masked on a computer screen. They should not be shown
on computer reports, kept on index or card files, or written on pieces
of paper taped somewhere near the terminal or inside a person's
desk. These are the first places a potential intruder will look.
• Passwords should be changed periodically. On a regular basis (e.g.,
every 30 days), the user should change his or her password. The
frequency of changing a password should depend on the criticality of
the information access level, the nature of the organization, the IS
architecture and technologies used, etc. Passwords should be
changed by users at their terminal or workstation rather than at the
administrator's terminal or in any location where their new password
might be observed. The best method is to force the change by
notifying the user prior to the password expiration date. The risk of
allowing voluntary password changes is that, generally, users will not
change their passwords unless forced to do so.
Think About It: Why are dynamic passwords
considered superior to static passwords?
Think About It: Answer - Why are dynamic passwords considered superior to
static passwords?
• Static passwords (also known as "reusable passwords") suffer from the main
weakness that they are reused over an extended time period (e.g., 90
days). As a result, there is a greater chance that they may be discovered by
an unauthorized user. Examples of discovery methods may range from
simple "shoulder surfing," to brute-force password cracking attacks, to
eavesdropping an unencrypted password on a network.
• In contrast, dynamic passwords (usually "one-time passwords") are not
reused. The password is typically generated by a small device (a "token") or
via program, and is valid for a short period of time only – a common limit is
60 seconds. In addition, once the password is entered, it is no longer valid
for reuse. This largely defeats the password discovery attacks noted above:
a shoulder-surfed, cracked or sniffed value is worthless once its window has
passed or it has been used. A practitioner's caveat: a one-time password
captured and relayed to the real system within its validity window can still
be used once, so the token alone does not protect against real-time
phishing or man-in-the-middle attacks.
• Dynamic passwords generated by a token are usually combined with a static
password like a PIN, known only to the token's user. Both must be combined
to produce the required password for system access; hence, this is one form
of "two-factor" authentication since it requires something only the user has
(the token) and something only the user knows (the PIN).
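The token-generated, short-lived, non-reusable password combined with a PIN that the answer describes, as an added example that is not part of the ISACA review material. It implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with the Python standard library; the 60-second step, the 4-digit PIN prefix and the replay check in the verifier are assumptions chosen to mirror the slide, and the secret used for checking is the RFCs' published test secret, not a real credential.

```python
"""One-time passwords as the slide describes them: HOTP (RFC 4226) and TOTP (RFC 6238).

Added example, not part of the CISA review material. Standard library only.
The 60-second step, the 4-digit PIN prefix and the replay rule are choices
made here to mirror the slide; the secret below is the RFC test-vector secret.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # shared secret from the RFC 4226/6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step); the code changes every step."""
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side of 'PIN + token code': something the user knows plus something the user has.

    Accepts the current time step or the previous one (clock skew) and records the
    highest counter already accepted, so an entered code can never be reused (assumed policy).
    """

    def __init__(self, secret: bytes, pin: str, step: int = 60, digits: int = 6):
        self.secret, self.pin, self.step, self.digits = secret, pin, step, digits
        self.last_counter = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) != len(self.pin) + self.digits:
            return False
        pin, otp = submitted[:len(self.pin)], submitted[len(self.pin):]
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        counter = unix_time // self.step
        for c in (counter, counter - 1):
            if c <= self.last_counter:            # this step (or an older one) already used
                continue
            if hmac.compare_digest(otp.encode(), hotp(self.secret, c, self.digits).encode()):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    verifier = TokenVerifier(RFC_TEST_SECRET, pin="1234")
    code = totp(RFC_TEST_SECRET, now, step=60)          # what the user's token would display
    print("first use:", verifier.verify("1234" + code, now))       # True
    print("replay   :", verifier.verify("1234" + code, now + 5))   # False
    print("wrong PIN:", verifier.verify("0000" + code, now))       # False
```

The replay rule is what turns "valid for 60 seconds" into "valid once": without `last_counter`, anyone who captured the code could reuse it for the rest of the window, which is exactly the relay attack the caveat above refers to.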
Think About It: What are some common
weaknesses found when evaluating logical access
controls?
Think About It: Answer - What are some common
weaknesses found when evaluating logical access controls?
• Sharing user IDs between multiple people – eliminates
accountability for user actions.
• Poor password quality (e.g., too short, easily guessed,
not changed regularly) – increases risk that a password
will become known and permit unauthorized access.
• Overly permissive access rules or rules granting access
by default – increases risk of accidental or intentional
unauthorized access to programs or data.
• Lack of security monitoring and follow-up – staff may be
unaware of attacks against the system, or other error
conditions, that may result in unauthorized access or
other problems.
Instructions: Here are four items and four IS audit procedures. Match
each item to its corresponding IS audit procedure.
Items
• Logon ID and Password
• Logging and Reporting of Computer Access Violations
• Bypassing Security and Compensating Controls
• Review Access Controls and Password Administration
IS audit procedures
• Verifying that passwords are changed periodically
• Analyze global configuration settings for password strength in the
system application and compare this with the organization's security
policy.
• Attempts to access computer transactions or data for which access is
not authorized
• Looking for special system maintenance logon IDs, operating system
exits, installation utilities and input/output (I/O) devices
Answer:
Logon ID and Password
Analyze global configuration settings for password
strength in the system application and compare this with
the organization's security policy.
Logging and Reporting of Computer Access Violations
Attempts to access computer transactions or data for
which access is not authorized
Bypassing Security and Compensating Controls
Looking for special system maintenance logon IDs,
operating system exits, installation utilities and
input/output (I/O) devices
Review Access Controls and Password Administration
Verifying that passwords are changed periodically
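The two procedures matched to "Logon ID and Password" and "Review Access Controls and Password Administration" above, and the logon ID and password controls on the earlier slides (lockout after a few failed attempts, deactivation of unused IDs, session timeout, forced periodic change), can be scripted as a configuration-versus-policy comparison. The following is an added example and not part of the ISACA review material; the key/value file format, the setting names and the policy values are assumptions chosen for illustration, loosely modelled on Unix login.defs-style files.

```python
"""Compare a system's logon/password settings with the organization's policy.

Added example, not part of the CISA review material. The key/value format,
the setting names and the policy thresholds are assumptions for illustration.
"""

# Constructed sample: the weak configuration as found on a host ...
WEAK_CONFIG = """\
# logon settings as found
PASS_MIN_LEN        6
PASS_MAX_DAYS       99999     # effectively never expires
PASS_WARN_AGE       0
LOGIN_RETRIES       10
INACTIVE_DAYS       -1        # unused IDs are never deactivated
SESSION_TIMEOUT     0         # no idle disconnect
"""

# ... and the same settings after correction to policy.
CORRECTED_CONFIG = """\
PASS_MIN_LEN        12
PASS_MAX_DAYS       90
PASS_WARN_AGE       7
LOGIN_RETRIES       3
INACTIVE_DAYS       60
SESSION_TIMEOUT     900
"""

# Organization policy (assumed values): setting -> (comparison, required, meaning)
POLICY = {
    "PASS_MIN_LEN":    (">=", 12, "minimum password length"),
    "PASS_MAX_DAYS":   ("<=", 90, "maximum password age (forced periodic change)"),
    "PASS_WARN_AGE":   (">=", 7, "days of warning before expiry"),
    "LOGIN_RETRIES":   ("<=", 3, "lockout after this many failed attempts"),
    "INACTIVE_DAYS":   ("between", (1, 90), "deactivate logon IDs unused for this long"),
    "SESSION_TIMEOUT": ("between", (1, 900), "idle session disconnect, in seconds"),
}


def parse_config(text):
    """Read 'KEY value' lines, ignoring blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split(None, 1)
        settings[key] = int(value)
    return settings


def meets(value, op, required):
    if op == ">=":
        return value >= required
    if op == "<=":
        return value <= required
    low, high = required                      # "between": inclusive range
    return low <= value <= high


def audit(text):
    """Return (setting, value_found, explanation) for every exception to POLICY."""
    settings = parse_config(text)
    exceptions = []
    for key, (op, required, meaning) in POLICY.items():
        if key not in settings:
            exceptions.append((key, None, f"{meaning}: not set"))
        elif not meets(settings[key], op, required):
            exceptions.append((key, settings[key], f"{meaning}: policy requires {op} {required}"))
    return exceptions


if __name__ == "__main__":
    for label, cfg in (("as found", WEAK_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, "->", len(audit(cfg)), "exception(s)")
        for key, found, why in audit(cfg):
            print("  ", key, "=", found, ":", why)
```

Each finding is an audit exception in the sense of the slides: a setting that exists but is weaker than policy, or a control (lockout, inactivity deactivation, timeout) that is present in the system but switched off. A missing key is reported separately, since "not configured" and "configured permissively" are different root causes.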
Real World Example: An organization was implementing a
new financial accounting application that consisted of a
number of separate modules (e.g., payables, general
ledger).
Each module stored its data in tables within a database
management system. While the application included
security features that controlled which users could access
which functions, the database tables could be directly
accessed because the default database user ID and
password used by the application to store and retrieve data
were set to well-known default values.
Think About It: Where is the information security risk in
this situation?
Real World Example: Answer –
The security risk here is that knowledgeable users
could bypass security within the application, and
directly add or modify important business data.
Question: What do you, as an IS audit expert,
think could have been done to prevent this
organization from being in this situation?
Answer: The organization's database
management team should have been more aware
of the security weakness due to default
passwords. This could have been achieved if the
organization had more detailed security
governance (e.g., a security baseline prohibiting
use of default passwords), and improved security
awareness training.
This section discusses common attack methods and techniques.
To properly evaluate whether an organization's information assets
are safe from these attacks, an IS auditor must understand how
these types of attack function and what an organization must do to
protect itself.
There is a general assumption that attack tools exploit only highly
sophisticated vulnerabilities discovered by genius-level hackers.
While there are certainly examples of these, there are also many
attacks that target the use of weak security options that are
easily discovered and exploited. Examples include trying default
passwords, attacking vulnerable services running with greater
privileges than necessary, and attacking services that are not
required but are configured to run by default (e.g., some web
servers).
Technical exposures are unauthorized activities that
interfere with normal processing. These can be
intentional or unintentional, and involve activities such
as implementation or modification of data and software,
locking or misusing user services, destroying data,
compromising system usability, diverting processing
resources, or spying on data flow or user activities at the
network, platform (operating system), database or
application level.
Data leakage involves siphoning or leaking information out of the
computer. Examples include dumping files to paper or stealing
computer reports and tapes. Unlike the theft of a physical item,
data leakage leaves the original copy in place, so it may go undetected.
Wire tapping occurs when someone eavesdrops on information
being transmitted over telecommunications lines.
The use of Trojan horses and/or backdoors occurs when someone
hides malicious, fraudulent code in an authorized or falsely
authorized computer program. This hidden code is executed
whenever the authorized program is executed.
A Denial of Service attack disrupts or completely denies service to
legitimate users, networks, systems or other resources. The intent
of any such attack usually is malicious in nature and often takes
little skill because the requisite tools are readily available.
A computer shutdown is initiated through terminals or personal
computers connected directly (online) or remotely (dial-up lines)
to the computer. Only individuals who know a high-level logon ID
usually can initiate the shutdown process, but this security
measure is effective only if proper security access controls are in
place for the high-level logon ID and the telecommunications
connections into the computer.
Piggybacking is the act of following an authorized person through
a secured door or electronically attaching to an authorized
telecommunications link to intercept and possibly alter
transmissions.
Trapdoors are points in authorized operating system code at which
specific logic can be inserted, such as a program interrupt used
to inspect data during processing.
• Trapdoors may exist because of testing or maintenance reasons.
Sometimes programmers insert code that allows them to
bypass the integrity of an OS for the purpose of debugging at
the development time or later during maintenance and system
improvements. Trap doors should be eliminated in the final
editing of code, but sometimes they are forgotten or
intentionally left for future access into the system.
• The exposure risk with trapdoors is that the logic inserted could
be used to obtain unauthorized access rights. Additionally, logic
design flaws and programming errors in complex programs may
also introduce unwanted trapdoors into a system.
Rounding down is when someone draws off small amounts of
money (the rounding fraction) from a computerized transaction or
account and reroutes this amount to the perpetrator's account.
Since the amounts are so small, they are rarely noticed, although it
would be easy to detect irregularities by summing the rounding
fractions. Proper rounding should give a total close to zero,
because fractions rounded up and fractions rounded down cancel
out; fractions always taken in one direction accumulate instead.
A salami technique involves the slicing of small amounts of money
from a computerized transaction or account – similar to the
rounding down technique. The difference between the two is that
in rounding down the program takes only the smallest money
fraction (the rounding remainder), whereas the salami technique
slices off small amounts that are not tied to rounding, e.g., by
truncating rather than rounding, or by skimming a small amount
from each of many transactions.
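The detection hint in the text above (sum the rounding fractions; honest rounding totals near zero, one-directional rounding accumulates) as an added example that is not part of the ISACA review material. The transaction amounts are constructed, and the diversion function is a model of the technique as the slide describes it, not code from any real system.

```python
"""Detect a rounding-down diversion by summing the rounding fractions.

Added example, not part of the CISA review material. Transactions are
constructed; `post_with_diversion` models the fraud as the slide describes it.
"""
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")

# Constructed interest amounts computed to four decimals before posting (not real data).
TRANSACTIONS = [Decimal(s) for s in (
    "12.3456", "7.8912", "103.2075", "0.4999", "55.5550", "19.9999",
    "2.0001", "88.8888", "41.1234", "9.9950", "300.0049", "0.0050",
)]


def post_properly(amount: Decimal) -> Decimal:
    """Honest posting: round to the nearest cent (banker's rounding on ties)."""
    return amount.quantize(CENT, rounding=ROUND_HALF_EVEN)


def post_with_diversion(amount: Decimal):
    """Fraudulent posting: always round DOWN and keep the shaved fraction.
    Returns (amount the customer sees, amount diverted to the perpetrator)."""
    posted = amount.quantize(CENT, rounding=ROUND_DOWN)
    return posted, amount - posted


def audit_rounding(computed, posted):
    """Sum the residuals (computed - posted) over a batch of postings.

    Honest rounding leaves residuals of both signs that cancel; a program that
    always rounds the same way leaves residuals of one sign whose total grows
    with the number of transactions. Returns (total, suspicious)."""
    residuals = [c - p for c, p in zip(computed, posted)]
    total = sum(residuals, Decimal("0"))
    one_directional = all(r >= 0 for r in residuals) or all(r <= 0 for r in residuals)
    # Heuristic threshold: honest residuals average out well below a quarter-cent each.
    suspicious = one_directional and abs(total) > len(residuals) * Decimal("0.0025")
    return total, suspicious


if __name__ == "__main__":
    honest = [post_properly(a) for a in TRANSACTIONS]
    print("honest posting     :", audit_rounding(TRANSACTIONS, honest))
    shaved = [post_with_diversion(a)[0] for a in TRANSACTIONS]
    diverted = sum((post_with_diversion(a)[1] for a in TRANSACTIONS), Decimal("0"))
    print("round-down posting :", audit_rounding(TRANSACTIONS, shaved), "diverted:", diverted)
```

The check needs the computed (pre-rounding) values as well as the posted ones, which is why an auditor asks for the calculation detail and not only the ledger: the ledger alone shows amounts that are all individually plausible.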
Instructions: Here are five items and descriptions. Match each item to
its corresponding description.
Items
• Wire tapping
• Trojan horses
• Denial of service (DoS)
• Piggybacking
• Salami technique
Descriptions
• Eavesdropping on information being transmitted over
telecommunications lines
• Hiding fraudulent code in an authorized or falsely authorized
computer program
• Disrupts or completely denies service to legitimate users
• Electronically attaching to an authorized telecommunications link to
intercept and alter transmissions
• Slicing off small amounts of money from a computerized transaction
or account
Answers
• Wire tapping
Eavesdropping on information being transmitted over
telecommunications lines
• Trojan horses
Hiding fraudulent code in an authorized or falsely authorized
computer program
• Denial of service (DoS)
Disrupts or completely denies service to legitimate users
• Piggybacking
Electronically attaching to an authorized telecommunications
link to intercept and alter transmissions
• Salami technique
Slicing off small amounts of money from a computerized
transaction or account
Social engineering is the human side of breaking into a computer system
by playing on vulnerabilities of interpersonal relations and deception to
obtain confidential information from unknowing employees. A common
example of this would be tricking someone into giving away confidential
information (e.g., passwords and IP addresses) by answering questions
over the phone from someone that person does not know, or by replying to
an e-mail from an unknown person.
An organization's best defense against social engineering attacks is to
proactively have an ongoing security awareness program wherein all
employees and third parties (who have access to the organization's
facilities) are educated about the risks involved in falling prey to social
engineering attacks. Simply having strong technical security
countermeasures is often not enough to protect an information
system.
The weakest link in the security chain is often the people using the
system.
Methods that malicious entities may use to locate and gain access to
wireless local area networks (WLANs) and the devices on them include,
but are not limited to, war driving and war chalking.
War driving is when an individual drives around businesses or residential
neighborhoods scanning with a notebook computer, hacking tool
software and sometimes a global positioning system (GPS) for wireless
network names. Someone driving around the vicinity of a wireless
network might be able to see the wireless network name, but whether
that person will be able to do anything beyond viewing the wireless
network name is determined by the use of wireless security.
If an organization does not have wireless security enabled and properly
configured, war drivers can send data, interpret the data sent on the
wireless network, access the shared resources of the wireless or wired
network (shared files, private web sites), install viruses, modify or
destroy confidential data, and use the Internet connection without the
knowledge or consent of the owner. For example, a malicious user might
use the Internet connection to send thousands of spam e-mails or
launch attacks against other computers. The malicious traffic would be
traced back to the owner's home.
War chalking is when an individual has marked a series of symbols
(outward-facing crescents) on sidewalks and walls to indicate
nearby wireless access points. These markings are used to identify
hotspots, where other computer users can connect to the Internet
wirelessly and at no cost.
Firewalls are designed to protect the most vulnerable point between a
network and the Internet. They are hardware and software combinations
built using routers, servers and a variety of software.
Most firewalls:
• Block access to particular sites on the Internet.
• Prevent certain users from accessing certain servers or services.
• Monitor communications between an internal and an external
network.
• Monitor and record all communications between an internal network
and the outside world to investigate network penetrations or detect
internal subversion.
• Protect against viruses and attacks directed to exploit known
operating system vulnerabilities (these are additional capabilities
offered by some firewalls).
Firewall Types: An analogy
To compare the operation of packet filtering versus application-level
(proxy) firewall functions, consider a scenario where the
firewall is acting as if it were a security guard at an organization
who is designated as the only person in the organization who may
communicate with outsiders, and therefore all messages must be
passed through this individual.
Firewall Types: An analogy
If acting like a packet filter firewall, the guard looks at each word
of the message only. The guard can decide to allow or deny
sending the word based only on the word itself, plus details on the
sender and intended recipient. This can be very useful since some
words are easy to identify as objectionable, and especially since
looking at one word can be done quickly. However, looking at a
single word lacks context – a word within one message may be
acceptable, but in the context of another message, it may not be
permissible.
Firewall Types: An analogy
If acting like an application-level (proxy) firewall, the guard
sees the whole message, and can therefore evaluate it in its
entirety. In addition to the sender and recipient, the guard
can note restrictions such as the size of the message, time of
day it is being sent, organization the recipient works for and
other considerations not available from a single word. The
guard can also log the important details about the message
as well as whether it was sent. As a result, more complex and
sophisticated security decisions can be implemented, but at
the cost of taking longer to review and evaluate the entire
message.
Organizations that implement firewalls are not without risk and must be
aware of several issues.
• The majority of incidents are caused by insiders, who are not
controlled by firewalls.
• The circumvention of firewalls through the use of modems may
connect users directly to ISPs.
• Misconfigured firewalls may allow unknown and dangerous services
to pass through freely.
• Monitoring activity logs may not occur on a regular basis.
Statement
Firewalls are used to protect an organization from data
traveling between the Internet and the corporate
network.
When implementing a firewall, most organizations will
follow a deny-all philosophy.
Once a firewall is in place, no unauthorized access to or
from outside the organization can occur.
True or False?
Statement
True or False?
Firewalls are used to protect an organization from data
traveling between the Internet and the corporate
network.
True
When implementing a firewall, most organizations will
follow a deny-all philosophy.
True
Once a firewall is in place, no unauthorized access to or
from outside the organization can occur.
False
Real-World Example
An organization wanted to better regulate their internal network
traffic by installing a firewall between major portions of their
network. IS management directed that this had to be
accomplished by a specific date.
When management asked whether the firewall was installed by
the date specified, the answer was "yes." However, what was not
communicated was that, although the firewall installation was
complete, no restrictive firewall rules were in place – instead, an
"any-to-any" rule was in place, which allowed traffic to continue to
flow freely throughout the network.
Think About It: Where is the information security risk in this
situation?
Real-World Example: Answer
• Although management was advised that the firewall was
technically "in place," it was not providing the required controls
over network traffic. In this situation the firewall was essentially
just being used as a router.
• Accordingly, without implementing any restrictive firewall rules,
there is a much greater risk of unauthorized access to network
traffic and network-attached computing resources.
• In this case, the project was viewed not as one to implement
restrictions over internetwork access, but instead to install a
network device. Security requirements were not reflected in the
project plan, and the firewall was permitted to "go live" with no
restrictions in place.
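A check an IS auditor could run against the "any-to-any" situation above, as an added example not taken from the ISACA material: it parses a simple rule list (a constructed syntax, not any vendor's) and flags an any-to-any allow, overly broad allows, unreachable rules and the absence of a final deny-all. The two sample rule sets are constructed for the example.

```python
# Constructed rule syntax for this example (not any vendor's): one rule per
# line, "<action> <source> <destination> <service>", first match wins.
AS_DEPLOYED = """\
# firewall "in place" by the deadline, but with no restrictions
allow any any any
"""

HARDENED = """\
allow 10.1.0.0/16 10.2.0.10 https
allow 10.1.0.0/16 10.2.0.20 smtp
deny any any any
"""

def parse_rules(text):
    """Parse the rule text into dicts; raise on malformed lines rather than guess."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {n}: malformed rule {raw!r}")
        rules.append({"line": n, "action": parts[0], "src": parts[1],
                      "dst": parts[2], "service": parts[3]})
    return rules

def audit_rules(rules):
    """Return the findings an IS auditor would raise about the rule set."""
    findings = []
    for i, r in enumerate(rules):
        any_to_any = r["src"] == "any" and r["dst"] == "any"
        if r["action"] == "allow" and any_to_any:
            findings.append(f"line {r['line']}: any-to-any allow; the firewall "
                            "is acting as a router, not a control")
        elif r["action"] == "allow" and r["service"] == "any":
            findings.append(f"line {r['line']}: allow for all services; "
                            "restrict to the services the business needs")
        if any_to_any and i < len(rules) - 1:
            findings.append(f"line {r['line']}: later rules are unreachable")
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and last["src"] == last["dst"] == "any"):
        findings.append("no final explicit deny-all rule (deny-all philosophy)")
    return findings

if __name__ == "__main__":
    for name, text in (("as deployed", AS_DEPLOYED), ("hardened", HARDENED)):
        print(name, audit_rules(parse_rules(text)) or ["no findings"])
```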
Encryption is the process of converting a plaintext message into a
secure-coded form of text called ciphertext, which cannot be
understood without converting back via decryption (the reverse
process) to plaintext. This is done via a mathematical function and
a special encryption/decryption password called the key.
Encryption generally is used to:
• Protect data in transit over networks from unauthorized
interception and manipulation.
• Protect information stored on computers from unauthorized
viewing and manipulation.
• Deter and detect accidental or intentional alterations of data.
• Verify the authenticity of a transaction or document.
Key elements of encryption systems include the following:
• Encryption algorithm: A mathematically based function or
calculation that encrypts/decrypts data.
• Encryption keys: A piece of information that is used within an
encryption algorithm (calculation) to make the encryption or
decryption process unique. Similar to passwords, a user needs
to use the correct key to access or decipher a message. The
wrong key will decipher the message into an unreadable form.
• Key length: A predetermined length for the key. The longer the
key, the more difficult it is to compromise in a brute-force attack
where all possible key combinations are tried.
The effectiveness of an encryption system depends on:
• a combination of the algorithm strength
• secrecy and difficulty of compromising a key
• the nonexistence of back doors by which an encrypted file can
be decrypted without knowing the key
• the inability to decrypt an entire ciphertext message if the way
a portion of it decrypts is known (called a known-text attack)
• the properties of the plaintext known by a perpetrator
Private key cryptographic systems are based on a symmetric
encryption algorithm.
In private key encryption:
• A secret (private) key encrypts the plaintext to the ciphertext.
• The same key is used to decrypt the ciphertext to the
corresponding plaintext.
• A private key is symmetric because the encryption key is the
same as the decryption key.
Public key cryptographic systems developed for key distribution
solve the problem of getting symmetric keys into the hands of two
people who do not know each other but who want to exchange
information in a secure manner. Based on an asymmetric
encryption process, two keys work together as a pair as follows:
Each user has a pair of keys—a public encryption key and a private
decryption key. The publicly available encrypting-key is widely
distributed, while the private decrypting-key is known only to the
recipient. Messages are encrypted with the recipient's public key
and can only be decrypted with the corresponding (recipient’s)
private key. The keys are related mathematically, but the private
key cannot feasibly be derived from the public key.
Think About It: What happens if an encryption key is lost?
Think About It: Answer - What happens if an encryption key is
lost?
• Good quality encryption algorithms do not contain back doors.
As a result, if a secret key (used with one-key encryption) is lost,
it will not be possible to recover any message encrypted with
that key. If a private key (used with two-key encryption) is lost, it
will not be possible to recover material encrypted with the
corresponding public key.
• The use of a public key infrastructure (PKI) helps ensure keys are
recoverable (but only using a secure process) and helps
decrease the chance that encrypted material is not recoverable
in the event of lost keys.
A digital signature is an electronic identification of a person or entity
created by using a public key algorithm. Digital signatures assure the
recipient of the integrity of the data and the authentication and
nonrepudiation of the sender.
• Digital signatures verify the integrity of the data by computing a
cryptographic hashing algorithm against the entire message or
electronic document, which generates a smaller extrapolated version
of the original message, typically around 128 bits.
• Digital signatures verify the identity of the sender by enciphering the
message digest using the sender's private key, which "signs" the
document with the sender's digital signature for message
authenticity. To decipher, the receiver would use the sender's public
key, proving that the message could only have come from the sender,
which provides nonrepudiation.
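The two-key relationship described for public key systems and digital signatures, as an added worked example that is not part of the ISACA material: the digest is enciphered with the sender's private key, anyone with the public key checks it, and the same pair serves the confidentiality direction in reverse. The key pair is a constructed toy (two known Mersenne primes, no padding scheme), chosen only so the block runs offline with the standard library.

```python
import hashlib

# Constructed toy key pair: two known Mersenne primes, so the block runs
# offline with nothing but the standard library. Real RSA keys are 2048 bits
# or more and wrap the digest in a padding scheme (PKCS#1 v1.5 or PSS);
# this toy omits padding to keep the two-key relationship visible.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                  # public exponent (widely distributed)
D = pow(E, -1, PHI)        # private exponent; only derivable from P and Q

PUBLIC_KEY = (E, N)        # known to everyone
PRIVATE_KEY = (D, N)       # known only to the key holder

def message_digest(message: bytes) -> int:
    """Hash the whole document to a fixed-size digest, reduced into Z_N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_key) -> int:
    """Encipher the digest with the sender's private key: the digital signature."""
    d, n = private_key
    return pow(message_digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Decipher with the sender's public key and compare with a fresh digest."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message)

def encrypt(plaintext: bytes, public_key) -> int:
    """Confidentiality direction: anyone can encrypt to the recipient's public key."""
    e, n = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this toy modulus")
    return pow(m, e, n)

def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the matching private key recovers the plaintext."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    doc = b"Transfer 100 to account 42"
    sig = sign(doc, PRIVATE_KEY)
    print(verify(doc, sig, PUBLIC_KEY))                 # True: integrity and origin
    print(verify(doc + b"0", sig, PUBLIC_KEY))          # False: document altered
    print(decrypt(encrypt(b"key material", PUBLIC_KEY), PRIVATE_KEY))
```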
A virus is any type of self-propagating computer program that
attacks a host system by sending out requests to the operating
system and attaching itself to other programs. Worms are variants
of viruses that exploit security weaknesses in operating system
configurations instead of physically attaching themselves to
another program.
The common element is that the computer has received and
executed instructions that carry out the malicious intent (e.g.,
deleting files, allowing remote control), presumably inadvertently.
The function of antivirus tools is to identify the malicious code,
typically by its recognizable signature, and prevent the computer
from executing it.
Viruses can be transmitted:
• From the Internet when files are downloaded to computers via
web browsers.
• As attachments to e-mail, so that when word-processing
software opens the attachment, the system becomes infected if
it is not using scanning software to review unopened
attachments.
• From files received through online services, computer bulletin
board systems, LANs and even shrink-wrapped software sold in
retail stores.
An organization must have a comprehensive and dynamic antivirus
program to effectively reduce the risk of infiltration by computer
viruses and worms. The two most common ways to protect against
these threats are to:
• establish preventive controls, such as sound management
policies and procedures, and
• implement detective controls, such as technical means, which
include antivirus software.
For each item below, identify whether it is a technical control or a
management policy and procedural control.
• Build all systems from original, clean master copies.
• Have vendors run demonstrations on their machines.
• Ensure a sound and effective backup plan is in place.
• Use antivirus software.
• Use boot virus protection.
• Prepare a virus eradication procedure and identify a contact
person.
Answers: each category is followed by the appropriate
statements.
Management Policy and Procedural Controls
• Build all systems from original, clean master copies.
• Have vendors run demonstrations on their machines.
• Ensure a sound and effective backup plan is in place.
• Prepare a virus eradication procedure and identify a contact
person.
Technical Controls
• Use antivirus software.
• Use boot virus protection.
Antivirus software is both the most effective and most common
tool for protecting networks and host-based computer systems
against viruses. The functionality of antivirus tools has steadily
expanded to include other types of undesirable software like
worms, Trojan horses, or spyware.
Antivirus software is not an effective tool against viruses unless it
is updated regularly.
Antivirus software should be used on virtually all processing
components within an organization. This includes workstations,
laptops, file servers, web servers, mail servers, firewalls, PDAs, and
any other network-connected computer where programs and data
can be shared.
To protect corporate networks and an organization's
interconnected network, a common strategy is to use virus-scanning
software, referred to as virus walls, as an integral part of
firewall technologies.
Virus walls:
• Scan incoming traffic with the intent of detecting and removing
viruses before they enter the protected network.
• Are often updated automatically with new virus signatures
by their vendors on a scheduled basis or on an as-needed basis
when dangerous new virus strains emerge.
• Provide facilities to log virus incidents and deal with the
incident in accordance with preset rules.
Real-World Example: An organization implemented antivirus
scanning software on its mail servers in order to detect viruses
before they were received by end users. However, after months of
use, a decreased throughput performance problem on the servers
was observed by mail server administrators, who, without proper
investigation, attributed the problem to the antivirus software. To
restore performance, the administrators decided to disable the
antivirus scanning.
Think About It: Where is the information security risk in this
situation?
Real World Answer: The security risk here is that large volumes of
inbound mail, which should be scanned by the antivirus software,
were not being scanned. Problems may occur if mail comes into
the organization containing viruses and other malware. This lack of
antivirus scanning could result in widespread virus outbreaks
within the organization, potentially crippling processing
capabilities, and causing lost data or breaches of confidentiality or
availability.
Think About It: What do you, as an IS audit expert, think could
have been done to prevent this organization from being in this
situation?
Think About It: Answer - The organization's server administrators
should have been more aware of the importance of antivirus
scanning as well as the fact that it was a required security
procedure. Simply deciding to disable the scans should have been
understood as an unacceptable breach of security governance.
Real-World Example: In addition to the usual Internet-facing firewall, an
organization made use of internal firewalls to achieve various security
zones within their network. This permitted, for example, better
control of access to production systems from users on the business
office network.
A new business function and application being introduced within the
organization required offering access to the Internet. The business-area
management group responsible for the new application had IT connect
this internal firewall directly to the Internet as part of the deployment of
this application.
Think About It: Where is the information security risk in this situation?
Real-World Example: Answer - Business unit management was able
to bypass security requirements and the protection of the
approved security architecture. As a result, internal networks and
connected computing resources were exposed to attacks and
other attempts through unauthorized access from the Internet.
The first step in any data classification scheme is to perform or
gather a detailed inventory of the information assets that need to
be classified. The inventory record of each information asset
should include the following:
• A clear and distinct identification of the asset
• Its relative value to the organization
• Its location
• Its security/risk classification
• Its asset group (where the asset forms part of a larger
information system)
• Its owner
• Its designated custodian
Data classification as a control measure should define the
following:
• The owner of the information asset
• Who has access rights (need to know)
• The level of access to be granted
• Which individual is responsible for determining the access rights
and access levels
• What approvals are needed for access
• The extent and depth of security controls
Think About It: Who is responsible for determining the security
classification for data?
Think About It: Answer - Who is responsible for determining the
security classification for data?
Many individuals believe that the decisions about data
classification are made by an organization's IT staff. However, to
have a truly effective protection of information assets program, a
defined data owner is normally responsible for determining the
security classification for data. This designated data owner (as
defined in information security governance) should decide what
security classification is appropriate for their data, using the
classification scheme mandated by the organization. This is
because the data owner is accountable for protecting the data,
and advising the data custodians (typically the IT staff) on what
access restrictions are required.
Think About It: What is the organizational security risk associated
with misuse of information if or when a user is not instructed on
how to deal with information at particular security levels?
Think About It: Answer - What is the organizational security risk
associated with misuse of information if or when a user is not
instructed on how to deal with information at particular security
levels?
The risk is that a user might reveal confidential information simply
because he or she did not know that the requirements prohibited
disclosure. Social engineering relies on this kind of
misunderstanding at the end-user level.
In order to properly evaluate how an organization protects its
information assets, the IS auditor must be aware of issues
involving the storing, retrieval, transportation and disposition of
confidential information. This section of the module discusses
what information should be protected during these processes and
methods of storing and shipping certain media.
To protect all information assets, an organization's management
should define and implement procedures to prevent access to or
loss of sensitive information and software from computers, disks
and other equipment or media when they are stored, disposed of
or transferred to another user. This should be done for the
following:
• Backup files of databases
• Disposal of media previously used to hold confidential
information
• Management of equipment sent for offsite maintenance
• Transportation of confidential information on hard drives or
other magnetic media
• Storage records
The "Delete" function provided by most operating systems will not
prevent confidential data from being accessed: it simply releases the
space used by the file without removing the file's data contents, so
the deleted file can be recovered.
Even "reformatting" the media on which confidential information
is stored is not adequate, since tools and techniques exist to
recover data on reformatted drives.
Other than physically destroying the media, the most important
means of protecting confidential data while it is stored, retrieved
or transported is using encryption tools.
Additionally, most encryption packages include a "secure delete"
function that overwrites the file with a series of data patterns that
eliminate all traces of the original data from the storage media.
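The three outcomes described above (delete, reformat, secure delete), as an added illustration that is not part of the ISACA material: a constructed in-memory model of a disk with a directory table and a raw block store shows why "Delete" and a quick reformat leave the data on the media, and why an overwriting secure delete does not. Block size, file contents and the overwrite patterns are constructed for the example.

```python
import os

BLOCK = 16   # bytes per block in this constructed model

class ToyDisk:
    """Constructed model of a disk: a directory table plus a raw block store.
    It exists only to show why 'Delete' and a quick reformat leave the data
    on the media while an overwriting secure delete does not."""

    def __init__(self, blocks=8):
        self.store = bytearray(BLOCK * blocks)   # the raw media
        self.free = list(range(blocks))          # unallocated block numbers
        self.directory = {}                      # filename -> block numbers

    def write(self, name, data: bytes):
        needed = -(-len(data) // BLOCK)          # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.store[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.directory[name] = blocks

    def delete(self, name):
        """OS 'Delete': drop the directory entry and release the space only."""
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        """Reformat: a fresh directory and free list, media contents untouched."""
        self.directory.clear()
        self.free = list(range(len(self.store) // BLOCK))

    def secure_delete(self, name, passes=(b"\x00", b"\xff", None)):
        """Overwrite every block of the file with a series of patterns
        (zeros, ones, then random bytes) before releasing it."""
        for b in self.directory[name]:
            for pattern in passes:
                fill = os.urandom(BLOCK) if pattern is None else pattern * BLOCK
                self.store[b * BLOCK:(b + 1) * BLOCK] = fill
        self.delete(name)

    def carve(self, marker: bytes) -> bool:
        """What a recovery tool does: scan the raw media, ignoring the directory."""
        return marker in bytes(self.store)

if __name__ == "__main__":
    disk = ToyDisk()
    disk.write("payroll.txt", b"CONFIDENTIAL: Q3 payroll export")
    disk.delete("payroll.txt")
    print("after delete, recoverable:", disk.carve(b"CONFIDENTIAL"))         # True
    disk.quick_format()
    print("after reformat, recoverable:", disk.carve(b"CONFIDENTIAL"))       # True
    disk.write("payroll.txt", b"CONFIDENTIAL: Q3 payroll export")
    disk.secure_delete("payroll.txt")
    print("after secure delete, recoverable:", disk.carve(b"CONFIDENTIAL"))  # False
```

The overwrite approach matches the page's description for magnetic media; on flash storage (SSDs, USB sticks) wear levelling can keep stale copies the operating system cannot address, which is one more reason the page's primary recommendation, encrypting stored data, matters.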