CISA - Certified Information Systems Auditor Study Guide Summary

1. The document outlines the information system auditing process which includes audit planning, risk assessment, control evaluation, evidence collection, continuous monitoring, and reporting. It discusses audit types, sampling methodology, and control assessment. 2. Details are provided on audit execution including project management, objectives, phases, and evidence collection techniques like review, observation, and data analytics. 3. The final section covers IT governance, including enterprise governance, standards/policies, organizational structure, enterprise architecture, and risk management.

Uploaded by bookishsaying
  • Audit Process Overview
  • Governance and Management of IT
  • Information Systems Acquisition and Development
  • Information System Operations and Business Resilience
  • Protection of Information Assets

Information System Auditing Process

1.1. Audit Planning


• Auditor must understand processes, business applications, & relevant controls.
• Audits must be reported directly to a board-level committee.
• Audit Charter:
o Defines objectives, authority, and responsibility.
• Audit Universe: inventory of functions, processes, or units.
• Risk factors influence the frequency of audits.
• Auditors must focus on areas that are most meaningful to management.
• Examples of applications in business:
o E-commerce: single, two, or three tier architectures.
o Electronic Data Interchange (EDI): online transfer of data between enterprises.
o Point of Sale (POS).
o Electronic Banking: websites, applications, etc.
o Electronic Fund Transfers (EFT).
o Image Processing.
• Types of Controls:
o Preventive: FW, physical barriers, edit checks, qualified personnel, etc.
o Detective: detect a threat event once that event has occurred.
o Corrective: restoring operations, BCP, DRP, etc.
o Deterrent: warning signal, e.g. CCTV.
• Control objective: the reason why a control is implemented.
• Risk Based Audit Planning:
o Risk = probability x impact
o Vulnerability: weakness in a system. Threat: element that exploits a weakness.
o Inherent risk: risk before applying controls.
o Residual risk: risk after applying controls. Residual risk = inherent risk – control.
o Audit risk: risk that an auditor is not able to detect an error during an audit.
o Control risk: risk that an internal control fails to prevent or detect.
o Detection risk: risk that internal audit fails to prevent or detect.
o Approach:
▪ Pre-audit requirements: industry, applicable risks, & prior audit findings.
▪ Information about internal controls: procedures, understanding control/detection risks.
▪ Conduct compliance test: identify controls to be tested & determine effectiveness of these controls.
▪ Conduct substantive test.
o Risk assessment:
▪ Identify critical assets/processes
▪ Identify relevant risks (vulnerabilities/threats)
▪ Impact analysis: qualitative/quantitative
▪ Risk prioritization
▪ Risk treatment
o Risk response:
▪ Mitigation
▪ Avoidance
▪ Acceptance
▪ Transfer
• Policy development:
o Top-down approach: from senior management perspective. Targets business risks.
o Bottom-up approach: policies designed from the process owner's perspective. Targets process-level risks.
• Type of Audits/Assessments:
o IS Audit: CIA.
o Compliance Audit: compliance with specific regulations.
o Financial Audit: accuracy of financial reporting.
o Operational Audit: accuracy of internal control system.
o Integrated Audit: different types of audits together.
o Specialized Audit: 3rd party service audit.
o Computer Forensic Audit: analysis of electronic devices.
o Functional Audit: accuracy of software functionality.
1.2. Audit Execution
Audit Project Management
• Audit planning, resource allocation, audit scope, & audit reports.
• Audit objectives:
o Confirm internal controls exist.
o Evaluate effectiveness of internal control.
o Confirm compliance with regulations.
• Audit phases: Planning → Execution → Reporting.
o Audit objective → risk assessment → business processes to be audited → resource allocation → control objectives → evaluate controls → report findings.

Sampling Methodology
• Process of selecting data from a population. Sampling is used when it is not possible to study the full population of data.
• Sampling types:
o Statistical Sampling: objective sampling, non-judgmental sampling, laws of probability.
o Non-statistical Sampling: subjective sampling, judgmental sampling, etc.
o Attribute Sampling: complied or not complied. How many? Expressed in percentage form. AC: Attribute sampling for Compliance testing.
o Variable Sampling: more information than attribute. How much? Value, height, weight, etc. VS: Variable sampling for Substantive testing.
o Stop-or-Go Sampling: used when controls are strong, and few errors are expected.
o Discovery Sampling: to detect fraud & irregularities.
• Sampling Risk: bad sample, not representative of the population.
• Confidence Coefficient: accuracy and confidence about the quality of a sample. 95/100 or 25/100.
• Level of Risk: deducting the confidence coefficient from 1. Ex. 1 - 0.95 = 5%.
• Expected error rate: the higher the expected error rate, the bigger the sample size.
• Tolerable error rate.
• Compliance Testing: verification of process, checks for presence of controls. Attribute sampling is preferred.
• Substantive Testing: verification of data/transactions. Checks for accuracy & validity of data. Variable sampling is preferred.
• Compliance testing is performed first. The outcome of compliance testing is used to plan the substantive test.
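The level-of-risk and sample-size relationships above, worked through in Python as an added example (not part of the original notes). It assumes the normal-approximation formula for an attribute sample, with precision taken as tolerable minus expected error rate; the notes state only the direction of the relationships.

```python
"""Sampling-risk arithmetic for the attribute (compliance) test described above."""
import math
from statistics import NormalDist
from typing import Dict, Optional


def level_of_risk(confidence_coefficient: float) -> float:
    """Sampling risk the auditor accepts: 1 - confidence coefficient (1 - 0.95 = 0.05)."""
    if not 0 < confidence_coefficient < 1:
        raise ValueError("confidence coefficient must be strictly between 0 and 1")
    return round(1 - confidence_coefficient, 6)


def attribute_sample_size(confidence: float, expected_error: float,
                          tolerable_error: float, population: Optional[int] = None) -> int:
    """Sample size for an attribute test (how many items comply / do not comply).

    Assumption of this example (the notes give only the direction of the relationships):
    normal approximation  n = Z^2 * p(1-p) / precision^2  with p = expected error rate,
    precision = tolerable error rate - expected error rate, and Z the two-sided
    standard-normal quantile for the confidence coefficient. A finite population
    correction is applied when the population size is known.
    """
    if not 0 < expected_error < tolerable_error < 1:
        raise ValueError("need 0 < expected error rate < tolerable error rate < 1")
    z = NormalDist().inv_cdf(1 - level_of_risk(confidence) / 2)
    precision = tolerable_error - expected_error
    n = z * z * expected_error * (1 - expected_error) / precision ** 2
    if population is not None:
        n = n / (1 + (n - 1) / population)
    return math.ceil(n)


def evaluate_attribute_sample(deviations: int, sample_size: int,
                              tolerable_error: float) -> Dict[str, object]:
    """Express the compliance-test result as a percentage and decide whether the control
    can be relied on; that decision sets how much substantive testing follows."""
    rate = deviations / sample_size
    reliable = rate <= tolerable_error
    return {
        "deviation_rate_pct": round(rate * 100, 2),
        "within_tolerance": reliable,
        "next_step": "reduced substantive testing" if reliable
                     else "expanded substantive testing",
    }


if __name__ == "__main__":
    # Higher expected error and higher confidence both enlarge the sample.
    for conf, exp in ((0.95, 0.02), (0.95, 0.03), (0.99, 0.02)):
        print(f"confidence={conf} expected={exp} tolerable=0.05 ->",
              attribute_sample_size(conf, exp, 0.05), "items")
    print(evaluate_attribute_sample(2, 84, 0.05))
```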

Audit Evidence Collection Technique


• Evidence gathering techniques:
o Review organization structure & governance model.
o Review IS policies, processes, & standards.
o Observations: skill of staff, security awareness, & segregation of duties.
o Interview technique.
o Re-Performance: re-do the activity performed by the staff.
o Process walkthrough.
Data Analytics
• The method of examining data or information.
• Computer assisted audit techniques (CAAT).
• Continuous Auditing: an audit that's conducted in a real-time environment.
o Integrated Test Facility (ITF): a fictitious entity created in the production environment.
▪ Can enter dummy transactions and check processing and results.
▪ Processed results are compared to expected results.
o System Control Audit Review File (SCARF):
▪ Audit module is embedded into the application to track transactions on an ongoing basis.
▪ Used to obtain data or information for audit purposes.
▪ Useful when regular processing cannot be interrupted.
o Snapshot Technique:
▪ Captures snaps/pics of transactions as they are processed at different stages in the system.
▪ Details are captured both before and after the execution.
▪ Useful when an audit trail is required.
o Audit Hook:
▪ Embedded in an application system to capture exceptions.
▪ Helpful in the early identification of irregularities.
o Continuous and Intermittent Simulation (CIS):
▪ Replicates or simulates the processing of the application system.
▪ CIS compares the results it produced with the results produced by the application.
▪ Useful to identify the transactions as per the predefined criteria in a complex environment.
• Continuous Monitoring: relevant process of a system is observed on a continuous basis, e.g. AV, IDS, etc.
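Added example, not from the original notes: a toy payment application with a SCARF module, audit hooks and snapshots embedded in its processing path, plus an ITF test entity and an independent CIS recomputation. The transactions, account names and the 10,000 SCARF threshold are constructed for the illustration.

```python
"""Toy payment application with the embedded audit modules described above."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Fictitious entity the auditor owns inside production (ITF). Its postings must be
# kept out of production reports. Constructed name for this example.
ITF_ACCOUNTS = {"ITF-TEST"}


@dataclass(frozen=True)
class Transaction:
    txn_id: int
    account: str
    amount: float


@dataclass
class AuditModules:
    """State written by the audit code embedded in the application."""
    scarf_threshold: float                                   # SCARF selection criterion
    scarf_file: List[Transaction] = field(default_factory=list)
    hook_exceptions: List[Tuple[int, str]] = field(default_factory=list)
    snapshots: List[Tuple[int, float, float]] = field(default_factory=list)


class PaymentApp:
    def __init__(self, audit: AuditModules) -> None:
        self.balances: Dict[str, float] = {}
        self.audit = audit

    def post(self, txn: Transaction) -> float:
        before = self.balances.get(txn.account, 0.0)
        after = before + txn.amount
        # --- embedded audit module: runs inline, normal processing is never interrupted ---
        # SCARF: copy every transaction meeting the selection criterion to the audit file
        if abs(txn.amount) >= self.audit.scarf_threshold:
            self.audit.scarf_file.append(txn)
        # Audit hooks: capture exceptions for early identification of irregularities
        if txn.amount < 0:
            self.audit.hook_exceptions.append((txn.txn_id, "negative amount"))
        if txn.account in ITF_ACCOUNTS:
            self.audit.hook_exceptions.append((txn.txn_id, "ITF entity"))
        if self.audit.scarf_threshold * 0.99 <= txn.amount < self.audit.scarf_threshold:
            self.audit.hook_exceptions.append((txn.txn_id, "just below SCARF threshold"))
        # Snapshot: before and after image of the balance this transaction touched
        self.audit.snapshots.append((txn.txn_id, before, after))
        # --- end of embedded audit module ---
        self.balances[txn.account] = after
        return after

    def production_balances(self) -> Dict[str, float]:
        """Balances with the auditor's ITF entity removed from production reporting."""
        return {a: b for a, b in self.balances.items() if a not in ITF_ACCOUNTS}


def cis_verify(transactions: List[Transaction], app_balances: Dict[str, float]) -> List[str]:
    """Continuous and Intermittent Simulation: recompute the expected balances
    independently of the application and list the accounts that disagree."""
    expected: Dict[str, float] = {}
    for t in transactions:
        expected[t.account] = expected.get(t.account, 0.0) + t.amount
    return sorted(a for a, v in expected.items()
                  if round(v, 2) != round(app_balances.get(a, 0.0), 2))


def itf_result_matches(app: PaymentApp, expected_balance: float) -> bool:
    """ITF: compare the processed result of the dummy transactions with the expected one."""
    return round(app.balances.get("ITF-TEST", 0.0), 2) == round(expected_balance, 2)


# Constructed sample transactions (not real data). Txn 4 is the auditor's ITF test entry.
TXNS = [
    Transaction(1, "A-100", 250.00),
    Transaction(2, "A-100", 12000.00),
    Transaction(3, "B-200", -40.00),
    Transaction(4, "ITF-TEST", 100.00),
    Transaction(5, "B-200", 9999.99),
]


def run_demo() -> Tuple[PaymentApp, AuditModules]:
    audit = AuditModules(scarf_threshold=10_000.00)
    app = PaymentApp(audit)
    for t in TXNS:
        app.post(t)
    return app, audit


if __name__ == "__main__":
    app, audit = run_demo()
    print("SCARF file:", [t.txn_id for t in audit.scarf_file])
    print("Audit hook exceptions:", audit.hook_exceptions)
    print("CIS mismatches:", cis_verify(TXNS, app.balances))
    print("ITF result as expected:", itf_result_matches(app, 100.00))
```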

Reporting and Communication Techniques


• Exit interview: not about finding faults. It ensures facts are not misunderstood or misinterpreted.
• Audit reporting: the final audit report should be sent to the audit board.
• Audit report structure:
o Introduction: audit scope, audit limitations, objective, audit period, etc.
o Audit findings & recommendations.
o Opinion about adequacy, effectiveness, & efficiency of the control environment.

Control Self-Assessment (CSA)


• CSA is the self-assessment of controls by process owners.
• CSA helps process owners take responsibility for control monitoring.
• Helps increase employee awareness of organizational goals.
• Disadvantage: due care should be taken when implementing CSA.
• Auditor's role in CSA is facilitator for the implementation of CSA.
2. Governance and Management of IT
2.1. IT Governance
IT Enterprise Governance (EGIT)
• EGIT is a process used to monitor & control IT activities.
• EGIT ensures IT activities are aligned with business objectives.
• Board of Directors is responsible for EGIT.
• EGIT Processes:
o IT resource management: inventory of IT resources & manages associated risks.
o Performance measurement: monitors performance of IT resources.
o Compliance management:
• Governance vs. Management:
o Governance:
▪ Provides direction for attainment of business objectives.
▪ Monitoring of performance & compliance.
o Management: implements policies & procedures to achieve goals set by the governance body.

IT Standards, Policies, & Procedures


• Standards: mandatory requirements.
• Policies: set of strategies, high-level statements of direction by management.
• Procedures: detailed steps & actions.
• Guidelines: suggestions, additional details.

Organizational Structure
IT Strategy Committee (board members + roadmap) → Board of Directors → IT Steering Committee (C-Suite + implementation).

Enterprise Architecture
• Defines structure and operations of the organization.
• Enterprise Security Architecture: subset of overall enterprise architecture.

Enterprise Risk Management


• Process Steps:
o Asset Identification.
o Identify threats & vulnerabilities.
o Evaluation of impact.
o Calculation of risk (risk = probability * effect).
o Risk response.
• Risk Analysis methods:
o Qualitative: H, M, L
o Semi-Qualitative: 5 = H, 4 = M, 1 = L.
o Quantitative: mathematical, statistical, $$$
• Risk treatment: mitigate, accept, avoid, or transfer.
2.2. IT Management
• Monitoring, administration, & controlling of IT assets.

IT Resource Management
• Optimal utilization of IT resources.
• HR management, IT Management Practices, & Financial Management Practices.
o Distributing the costs of IT programs to end users is chargeback.

IT Service Provider Acquisition & Management


• Outsourcing:
o Not for core functions, specific expertise, & items that cannot be outsourced due to contractual/regulatory constraints.
• Steps for outsourcing:
o Define the function to be outsourced.
o Define SLA.
o Know in-house costs for comparison with bids.
o Conduct due diligence of service providers.
o Confirm contractual or regulatory requirements for outsourcing.
• SLAs should contain:
o Achievable output.
o CIA requirements.
o Confidentiality agreements.
o Right to audit, BCM, & DRP.
• Audit Reports:
o SOC 1: program controls for financial reporting by the service organization.
o SOC 2: restricted to the use of the service organization's management, customers, etc.
o SOC 3: for general use & can be distributed freely.

IT Performance Monitoring & Reporting


• Tools & techniques:
o Six Sigma/Lean Six Sigma
o Balanced Scorecard (BSC)
o KPI
o Benchmarking
o Business Process Reengineering (BPR)
o Root Cause Analysis

Quality Assurance & Quality Management
• QA: process that aims to provide adequate confidence that an item meets requirements. The QA team ensures changes to the system are approved, checked, & implemented in a controlled manner.
o Proactive, prevents defects, & focused on process.
• QC: method for performing tests to verify that the product is free of defects.
o Reactive, finds defects, & focused on products.
• QM: monitoring, tracking, & enhancing quality management processes.
3. Information Systems Acquisitions, Development, & Implementation
3.1. Information Systems Acquisitions & Development
Project Management Structure
• Functional: no authority for PM. Project: formal authority. Matrix: authority is shared.

Project Cost Estimation Methods


• Analogous: costs estimated based on experience of prior projects.
• Parametric: past data is used to leverage statistical data. More accurate than analogous.
• Bottom-up: detailed cost estimate of each activity.
• Actual

Software Size Estimation Methods


• Source Lines of Code (SLOC): based on a single parameter such as lines of code.
• Function Point Analysis (FPA): units of measurement. Different factors are considered, such as complexity, input, processing, outputs, modules & their interactions.
• Constructive Cost Model (COCOMO): advanced version of SLOC (number of lines of code + complexity).

Project Evaluation Method


• Critical Path Methodology (CPM): longest path, no slack time, & considers a single scenario. For project duration.
• Program Evaluation Review Technique (PERT): optimistic, pessimistic, & most likely estimates. For project duration.
• Earned Value Analysis (EVA): measures progress of the project at any given point in time.
• Timebox Management: ensures timely completion of projects. Heavily applied in prototyping & rapid application development (RAD). Saves time by integrating system & user acceptance test.
• Object Breakdown Structure (OBS): for defining project objectives.
• Work Breakdown Structure (WBS): individual components of work to be done (tasks).

Business Cases and Feasibility Analysis


• Business case: a justification for a proposed project. Captures the reasoning for initiating a project.
• Feasibility analysis: takes various factors into account like economic, technical, legal, etc. The feasibility study should consider how the project will impact the organization.

System Development Methodologies


SDLC Models

• Waterfall: used when requirements are well defined & don't change. Useful when prototypes are required.
• V-Shaped: verification & validation model. Unit tests are conducted immediately once the program is written.
• Iterative:
SDLC Phases
• Feasibility study
• Requirements
• Software selection & acquisition (build or buy)
• Development (configuration)
• Testing & implementation
• Post implementation
Software Development Methods
• Agile: produces releasable software in short iterations.
• Prototyping: system is developed through trial & error methods. Puts emphasis on user requirements.
o Design requirements change frequently and are hardly documented or approved.
o More emphasis on major functionality such as screens & reports.
• Rapid Application Development (RAD): uses prototypes & sophisticated tools/software, & a central repository. RAD relies on prototypes.
• Object Oriented System Development: a technique with the objective of making program code that's reusable & maintainable.
o Encapsulation – provides security for data.
o Polymorphism – ability of 2 or more objects to interpret a message.
• Component Based Development: ready-made components are assembled to design & develop a specific application.
• Software Reengineering: process of updating a system to enhance its functionality and make it better and more efficient.
• Reverse Engineering: process of detailed analysis & study of a system with the objective of developing a similar system.

Control Identification & Design


• Check Digits: extra digit for error detection via a mathematical algorithm.
• Parity Bits: to verify complete and accurate data transmission.
• Checksums: ability to recognize complex errors through advanced mathematical formulas.
• Cyclic Redundancy Checks (CRC): more advanced version of checksums – more complex arithmetic.
• Forward Error Control: like Redundancy Checksum but has the capability to correct the error.
• Limit Checks: restrict the data input to a certain predefined level – input control.
• Automated Systems Balancing: In = Out.
• Sequence Checks: testing a list of items for correct ascending or descending order.
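The controls listed above implemented as small Python checks (added example, not from the original notes). The check digit uses the Luhn mod-10 algorithm, an assumption since the notes name no specific algorithm, and the CRC is zlib's CRC-32; the sample numbers and byte strings are constructed.

```python
"""Input and transmission controls from the list above, each as a runnable check."""
import zlib
from typing import List, Sequence, Tuple


def mod10_check_digit(body: str) -> int:
    """Check digit computed with the Luhn mod-10 algorithm (assumption: the notes name
    no particular algorithm; Luhn is one widely used choice). Returns the digit to append."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:              # double every second digit, starting at the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def mod10_valid(number: str) -> bool:
    """Detects single-digit errors and most adjacent transpositions in keyed numbers."""
    return number.isdigit() and mod10_check_digit(number[:-1]) == int(number[-1])


def parity_bit(byte: int) -> int:
    """Even parity: the bit that makes the total count of ones even."""
    return bin(byte & 0xFF).count("1") % 2


def parity_ok(byte: int, bit: int) -> bool:
    """Receiver side: a single flipped bit breaks even parity; two flips cancel out."""
    return (bin(byte & 0xFF).count("1") + bit) % 2 == 0


def additive_checksum(data: bytes) -> int:
    """Simple 8-bit sum: cheap, but blind to reordered bytes."""
    return sum(data) % 256


def crc32(data: bytes) -> int:
    """CRC-32 (zlib): polynomial division also catches reordering and burst errors."""
    return zlib.crc32(data) & 0xFFFFFFFF


def limit_check(value: float, low: float, high: float) -> bool:
    """Input control: reject values outside the predefined range."""
    return low <= value <= high


def sequence_check(items: Sequence[int], descending: bool = False) -> List[Tuple[int, int, int]]:
    """Return (position, previous, current) for every break in the expected order;
    a duplicate also counts as a break."""
    breaks: List[Tuple[int, int, int]] = []
    for i in range(1, len(items)):
        prev, cur = items[i - 1], items[i]
        out_of_order = cur >= prev if descending else cur <= prev
        if out_of_order:
            breaks.append((i, prev, cur))
    return breaks


def systems_balance(inputs: Sequence[float], outputs: Sequence[float]) -> bool:
    """Automated systems balancing: totals in must equal totals out."""
    return round(sum(inputs), 2) == round(sum(outputs), 2)


if __name__ == "__main__":
    # Constructed sample values.
    print("check digit for 7992739871:", mod10_check_digit("7992739871"))
    print("transposed 79927389713 valid?", mod10_valid("79927389713"))
    print("additive checksum equal for reordered bytes?",
          additive_checksum(b"12345") == additive_checksum(b"54321"))
    print("CRC-32 equal for reordered bytes?", crc32(b"12345") == crc32(b"54321"))
    print("sequence breaks:", sequence_check([1001, 1002, 1004, 1003]))
```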

Data Integrity Principles


• Atomicity: a transaction is either processed completely or not at all – all or nothing.
• Consistency: all integrity conditions must be applied to each transaction in the DB.
• Isolation: each transaction should be separated from other transactions.
• Durability: DB should be resilient enough to survive system failure.
Decision Support Systems (DSS)
• DSS is a semi-structured interactive decision-making framework.
• DSS uses traditional data access & restoration techniques.
• DSS is flexible & user-friendly.

Decision Trees
• Simple way to create a visualization, based on clearly defined criteria, of the paths toward decision making.

3.2. Information Systems Implementation


Testing Methodology
• Testing is very important in the SDLC. Used to ensure the system can provide its intended objective.
o Unit Testing: test of each separate program or module. Done via white box approach.
o Integrated Testing: examines the integration between two or more system components.
o System Testing: tests the entire system's capabilities (functionality, recoverability, security, load, volume, etc.).
o Final Acceptance Test: consists of 2 tests: Quality Assurance Test & User Acceptance Test.
o Regression Testing: returning to an earlier stage. To confirm a recent change has not introduced any new faults & other existing features are working properly.
o Sociability Test: the quality of being able to merge with others. To ensure the new system works as expected in the existing infrastructure.
o Pilot Testing: a small-scale preliminary study to understand/evaluate system functionality. Used to determine feasibility of the new system.
o Parallel Testing: testing a new system and comparing results with the old system.
o White Box Testing: internal program logic is verified.
o Black Box Testing: like user acceptance testing & interface test.
o Alpha Testing: conducted by internal users; may or may not include a full functionality test.
o Beta Testing: conducted by external users; generally includes full functionality.
• Testing Approaches:
o Bottom-Up Approach: starts from a separate program or module and gradually the complete system is tested. Testing can begin before the full system is completed. Early detection of faults in critical modules.
o Top-Down Approach: testing starts at a broad level & moves toward a separate program. Early detection of interface errors.
• Testing Phases: Unit → Integration → System → Final Acceptance.

System Migration
• The process of transferring IT resources to a new hardware or software platform.
• Ensure availability of fallback arrangements.
• Save the last copy of old data & the first copy of converted data for future reference.
• Changeover is the process of shifting to a new system & stopping use of the old system.
o Parallel Changeover: new & old systems are operated in parallel for some time.
o Phased Changeover: changes are implemented in a phased manner.
o Abrupt Changeover: a new system is implemented from a cut-off date & the old system is completely discontinued (direct cutover). Riskiest approach.

Post Implementation Review


• Process of determining & evaluating the performance of the system against the requirements & objectives defined in the business case.
• Used to determine cost-benefit analysis, ROI, objectives met, & lessons learned.

4. Information System Operations & Business Resilience


4.1. Information System Operations
Understanding Common Technology Components
• Server Types:
o Print Server: printing materials are captured in this server.
o File Server: document repository.
o Application Server: hosts software programs, databases, logic, etc.
o Web Server: provides information & services through web pages.
o Proxy Server: provides connection between users & resources – prevents direct access.
o Database Server: stores data & information.
• Universal Serial Bus (USB): a device that can be connected to different peripherals through a single standardized interface socket.
o Risks: malware transmission, data theft, etc.
o Security controls: encryption, disable USB ports centrally, AV to scan content, etc.
• Radio Frequency Identification (RFID): used to identify & locate assets within a limited radius. A tag would include a microchip & an antenna.

IT Asset Management
• IT assets include systems, data, networking, IT processes, people, information, & infrastructure.
• First step in IT asset management is to identify & create an inventory of IT assets.
• Inventory includes software, hardware, location, security classification, owner, etc.
• Must have a list of approved software.
• Synchronization of production source code & objects can be best controlled by date-and-time stamping source & object code.

Job Scheduling
• A program used to run various processes automatically.
• Used to automate tape backups & other maintenance jobs.
• Advantages: reduces probability of errors, increases availability of records.
• Things to consider: procedures for collecting & reporting KPI are defined, priorities of jobs are identified & scheduled, audit trail is captured for each job, job completion status is monitored, & approval roles are defined for scheduling, changing, or prioritizing jobs.
End User Computing
• Refers to a system wherein a non-programmer can create their own application.
• A quick way to build & deploy applications without relying on the IT department.
• Some risks:
o Applications are not subject to various tests.
o Users may not adhere to change & release management procedures.
o Authentication, authorization, audit, logs, & encryption may not be given due importance.
• Must have an End User Computing Policy to address these risks.

System Performance Management


• Understand the system architecture & features of each function.
• Kernel Functions: basic processes associated with the operating system.
• Utility Programs: help to manage & control computer resources. Examples: disk tools, backup software, & data directories. Must restrict & control activities of utility programs.
• Parameter Settings: determine how a system will function.
• Registry: system settings & parameters are set in registries.
• Activity Logging: for future analysis – capture logs in a centralized server (SIEM).
• Software Licensing: scan the network using automated tools to capture a list of installed software.
o Open Source: can be listed, modified, & redistributed.
o Freeware: software is free, but source code cannot be redistributed.
o Shareware: available for free for some trial period.
• Source Code Management:
o Source code is created by a programmer & is human-readable.
o Source code is converted into object code by assemblers & compilers (for computer understanding).
o Must use a Version Control System (VCS) when updates are made to the software.
• Capacity Management: process of planning & monitoring IT resources to ensure effective & efficient utilization.

Problem and Incident Management


• Problem management: to prevent the recurrence of an incident by identifying the root cause of the incident – reduces the number of incidents.
• Incident Management: for achieving a return to a normal state as quickly as possible – minimizes impact on the business.
• Problem management elements:
o Investigation
o In-depth analysis
o Root cause analysis
o Resolution
• Problem management methodologies:
o Fishbone Analysis
o Ishikawa Diagram
o 5 Whys
o Brainstorming
• Network Management Tools:
o Response Time Reports
o Downtime Report
o Help Desk Reports
o Online Monitors – data transmission error & accuracy.
o Network Monitor – real time information, network nodes, & status.
o Network Protocol Analysis – monitor packet flow (network usage reports).
o SNMP – TCP/IP protocol to monitor, control, & manage configurations.

Change, Configuration, & Patch Management


• Change Management: used to change hardware, software, installations, configurations, etc.
o Transaction logs must be maintained for audit trail.
• Patch Management: test the patch before implementation. Impact analysis is very important.
• Configuration Management: determines the baseline.
• Emergency Change Management: when delay cannot be tolerated – when changes have significant impact on business operations. Emergency changes should be logged, and post facto approval should be obtained on the next day.
• Backout Process: to restore the system to its previous state.

IT Service Level Management (SLA)


• SLA defines nature, expectations, escalations, etc. for the services being offered.
• SLA should be documented in non-technical terms & serves as the basis for measuring and monitoring services.

Database Management
• Database Structures:
o Hierarchical Database Model:
▪ Inverted tree model. A child record may have only one parent record.
▪ It implements one-to-one and one-to-many relationships.
o Network Database Model:
▪ Owner record and member records.
▪ It handles data redundancy more efficiently than the hierarchical model.
o Relational Database Model:
▪ Table form. Primary key & foreign key.
o Object Oriented Database Model:
▪ Each object is an independently functioning application or program.
▪ OODM is designed to manage all these independent programs.
• Database Checks & Controls:
o Concurrency Control: prevents integrity issues during simultaneous updates.
o Table Link/Table Reference Check: identify table linking errors.
o Integrity Constraint: preventive control against out-of-range data.
o Atomicity: either the entire transaction is processed, or none is processed.
o SQL: portability of an application for connecting to a database.
o Referential Integrity: prevents deletion of a primary table record if it has associated foreign keys.
o Normalization: removing duplicate data.
o Commitment and Rollback Controls
o Tracing and Tagging:
o User Spool and Database Limit Control: control space utilization to improve query performance.
o Restore procedures:
o Column and Row Level Restrictions: to restrict sensitive columns or rows of a database.

4.2. Business Resilience


Business Impact Analysis (BIA)
• A process to determine and evaluate the impact of disruption of business processes.
• Must know critical processes and key business processes – can be obtained from risk assessment.
• To have a successful BIA, different teams must participate (senior management, IT, etc.).
• Approaches may include: questionnaire, interview, & meeting.
• After BIA, make a recovery strategy.
• BIA and Risk Assessment are the same except that BIA will include downtime analysis.

Data Backup and Restoration


• Backup Types:
o Differential Backup: backup of new data since the last full backup. Each day's differential is taken separately (it is not built on the previous differential).
o Incremental Backup: backup of new data since the last backup – continuous backups every day built on top of each other.
o Full Backup: entire data is taken each time.
• In terms of storage & time: Full > Differential > Incremental (a full backup uses the most storage and takes the longest).
• In terms of restoration speed: Full is fastest, then Differential, then Incremental (a full backup restores from one set; a differential restore needs the full plus the latest differential; an incremental restore needs the full plus every incremental since).
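Added Python example (not from the original notes) simulating a week of full, differential and incremental backups over a constructed file set, to show why storage/time and restore effort rank as stated above.

```python
"""Full, differential and incremental backups compared on storage and restore effort."""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Set


@dataclass(frozen=True)
class BackupSet:
    day: int
    kind: str                 # "full", "differential" or "incremental"
    files: FrozenSet[str]     # file names captured in this set


# Constructed sample: six files on the system, then the files modified on days 1..6.
ALL_FILES = {"a", "b", "c", "d", "e", "f"}
CHANGES = [{"a"}, {"b"}, {"a", "c"}, {"d"}, {"e"}, {"a"}]


def plan_backups(all_files: Set[str], changes_per_day: Sequence[Set[str]],
                 strategy: str) -> List[BackupSet]:
    """Day 0 is always a full backup; changes_per_day[d-1] holds the files changed on day d."""
    if strategy not in {"full", "differential", "incremental"}:
        raise ValueError(f"unknown strategy: {strategy}")
    sets = [BackupSet(0, "full", frozenset(all_files))]
    since_full: Set[str] = set()          # everything changed since the last full backup
    for day, changed in enumerate(changes_per_day, start=1):
        since_full |= changed
        if strategy == "full":
            sets.append(BackupSet(day, "full", frozenset(all_files)))
        elif strategy == "differential":
            # each differential stands alone: all changes since the full, taken afresh
            sets.append(BackupSet(day, "differential", frozenset(since_full)))
        else:
            # each incremental holds only what changed since the previous backup
            sets.append(BackupSet(day, "incremental", frozenset(changed)))
    return sets


def storage_cost(sets: Sequence[BackupSet]) -> int:
    """Number of file copies written over the week: a proxy for media use and backup time."""
    return sum(len(b.files) for b in sets)


def restore_chain(sets: Sequence[BackupSet], day: int) -> List[BackupSet]:
    """Backup sets that must be read, in order, to rebuild the system as of `day`."""
    up_to_day = [b for b in sets if b.day <= day]
    last_full = max(i for i, b in enumerate(up_to_day) if b.kind == "full")
    chain = [up_to_day[last_full]]
    later = up_to_day[last_full + 1:]
    if later and later[-1].kind == "differential":
        chain.append(later[-1])           # the newest differential supersedes the rest
    elif later:
        chain.extend(later)               # every incremental since the full is required
    return chain


def restore_covers_everything(chain: Sequence[BackupSet], all_files: Set[str]) -> bool:
    """Sanity check: the chain must reproduce every file that exists on the system."""
    recovered: Set[str] = set()
    for b in chain:
        recovered |= b.files
    return recovered == set(all_files)


if __name__ == "__main__":
    for strategy in ("full", "differential", "incremental"):
        sets = plan_backups(ALL_FILES, CHANGES, strategy)
        chain = restore_chain(sets, day=6)
        print(f"{strategy:12s} storage={storage_cost(sets):3d} "
              f"sets to restore day 6={len(chain)}")
```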

System Resiliency
• Ability of a system to withstand a disaster and to recover within an acceptable timeframe.
• Clustering:
o Helps to protect against a disaster. It provides high availability of the system.
o Protects against single point of failure.
o Active-Passive: app runs on the active node only.
o Active-Active: app runs on all nodes; more expensive but faster for recovery.
• Telecommunication Network Resiliency:
o Alternative Routing: routing the information through entirely different cables.
▪ Last Mile Circuit Protection: redundancy for local communication.
▪ Long Haul Network Diversity: redundancy for long distance communication.
o Diverse Routing: routing information through split or duplicate cables – a single cable split into two parts.
Business Continuity Plan (BCP)
• Objective of BCP is to manage & mitigate the risk of disaster so continuity of business operations can be resumed.
• Steps of BCP:
o Project & Scope Planning
o Risk Assessment & Analysis
o BIA
o Business Continuity Strategy Development
o BCP Development
o Business Continuity Awareness Training
o BCP Testing
o BCP Monitoring, Maintenance, & Updating
• Must be written in very simple language & should document responsibilities & accountability of each individual.
• Make a key employee declare the disaster.
• Recommended to have only one BCP for the whole organization. Where BCP is maintained unit-wise, the plans should follow a uniform approach & be linked to one another.
• For critical & time sensitive data, shadow file processing is recommended. In shadow file processing, exact duplicates of files are maintained.
• Must consider process owners to have a successful BCP.
• Testing BCP:
o Paper Test/Desk-Based Evaluation: walkthrough of BCP.
o Preparedness Test: simulated system crash. Includes phase-wise simulation of the entire environment.
o Full Operational Test: involves complete shutdown of operations. To be conducted only after a paper test and preparedness test are carried out.

Disaster Recovery Plan (DRP)


• Documented processes to recover & protect a business's IT infrastructure in the event of a disaster.
• BCP: to keep business operations functioning either from an alternate location, tools, or processes.
• DRP: to restore normal business operations & to recover from disaster – technological aspect of BCP.
• First step in DRP is to conduct BIA to determine critical business processes & systems that need to be recovered as a priority.
• Data backup intervals should be aligned with RPO. Zero RPO means real-time data.
• Resilient information assets: ensuring assets can withstand the effects of a disaster.
• Service delivery objective: the level of service & operational capability to be maintained from the alternate site.
DRP Test Methods
• Checklist Review: performed prior to a real test.
• Structured Walkthrough: review DRP on paper to identify gaps, deficiencies, etc.
• Tabletop Test: conducted with the aim of practicing coordination efforts & communication.
• Simulation Test: roleplay is prepared for a disaster scenario; does not include activation of the recovery site.
• Parallel Test: recovery site is activated while the primary site continues to operate normally.
• Full Interruption Test: most expensive; primary site is completely shut down & operations are carried out from the recovery site.

RTO & RPO


• RTO: tolerance to downtime – acceptable downtime.
• RPO: tolerance to data loss.

Alternate Recovery Site


• Mirrored Site: exact replica of the primary site; most expensive, shortest time to be ready.
• Hot Site: similar to a mirrored site, except it requires an updated data backup to be ready.
• Warm Site: will have basic infrastructure & a few applications ready but will require data & IT app
• Cold Site: will only have basic infrastructure.
• Mobile Site: a movable vehicle equipped with the necessary computer equipment.
• Reciprocal Agreement: two organizations having similar capabilities & processing capacities agree to support one another in case of emergency.

5. Protection of Information Assets


5.1. Information Asset Security and Control
Information Asset Security Frameworks, Standards, & Guidelines
• Framework is a set of documented policies, procedures, & processes that define how information is managed.
• Objective of the framework is to lower the risk & vulnerability and protect the enterprise.

Privacy Principles
• The right of the individual to demand utmost care of their personal information that has been shared with the enterprise.

Physical Access & Environmental Controls


• Four types of power failures:
o Backout: complete loss of power.
o Brownout: severely reduced voltage.
o Sags: rapid decrease in voltage level. Protectors for prevention.
o Spikes/Surges: rapid increase in voltage level.
• Short term reduction: power line conditioner.
• Long term power loss: power generator.
• UPS: for interruptions that last few seconds to 30 minutes.
• Electromagnetic Interference (EMI): result of electrical storms or noisy electrical
equipment.
• Fire suppression systems:
o Wet-Based Sprinkler: more effective & reliable. But leakage is an issue.
Water stored in pipes.
o Dry Pipe Sprinkler: water not stored in pipe. No leakage but less reliable.
o Halon System: removes oxygen from the air. Not safe for humans.
Replacements of Halon gas are:
▪ FM-200: safe for environment & humans.
▪ Argonite: 50% Argon 50% Nitrogen – environmentally friendly, but
not as much for humans.
o Carbon Dioxide Systems: not safe for humans. Installed in unmanned data
centers.
• Physical Access Control – common types of door locks:
o Traditional locks.
o Combination door locks (cipher locks): numeric keypad.
o Electronic Door Locks: magnetic cards.
o Biometric Door Locks.
o Deadman Doors: mantrap – reduce risk of tailgating or piggybacking.

Identity and Access Management


• Logical access control: identification, authentication, authorization, & accountability.
• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Steps for Implementing Logical Access:
o Inventory
o Classify
o Grouping/labeling
o Create access control list
• Degaussing (demagnetizing)

Biometrics
• Verifying one or more biological features.
• False Acceptance Rate (FAR): acceptance of false person.
• False Rejection Rate (FRR): rejecting authorized person.
• Cross Error Rate (CER) or Equal Error Rate (EER): the point where FAR equals FRR – the
lower the CER, the more effective the system.
• Biometric Attacks:
o Replay Attack: use of residual biometric characteristics.
o Brute-force Attack: sending many samples to cause the system to malfunction.
o Cryptographic Attack: targeting algorithms or the encrypted information.
o Mimic Attack: reproduce a fake biometric feature.
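An added worked example (not part of the study guide) showing how FAR, FRR and the crossover (CER/EER) are derived from a matcher's scores; the score lists, the 0..100 score scale and the function names are constructed for illustration.

```python
# Added example (not from the study guide): FAR, FRR and the crossover
# (CER/EER) computed for a biometric matcher from constructed match scores.
from typing import Iterable, List, Tuple

# Constructed sample data: similarity scores (0..100) a matcher would return.
# Genuine scores come from the enrolled person, impostor scores from others.
GENUINE_SCORES = [62, 70, 75, 78, 80, 83, 85, 88, 90, 95]
IMPOSTOR_SCORES = [20, 35, 40, 48, 55, 60, 63, 68, 72, 77]


def far(impostor: Iterable[int], threshold: int) -> float:
    """False Acceptance Rate: share of impostor attempts scoring >= threshold."""
    scores = list(impostor)
    return sum(s >= threshold for s in scores) / len(scores)


def frr(genuine: Iterable[int], threshold: int) -> float:
    """False Rejection Rate: share of genuine attempts scoring < threshold."""
    scores = list(genuine)
    return sum(s < threshold for s in scores) / len(scores)


def sweep(genuine, impostor, thresholds=range(0, 101)) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_rate(genuine, impostor) -> Tuple[int, float]:
    """Threshold where FAR and FRR are closest; the rate there is the CER/EER.
    A lower EER means the matcher separates genuine from impostor better."""
    t, a, r = min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def strictest_threshold(genuine, impostor, max_far: float) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR stays within max_far (e.g. a data-centre door),
    returned with the FRR users will then experience."""
    for t, a, r in sweep(genuine, impostor):
        if a <= max_far:
            return t, a, r
    raise ValueError("no threshold satisfies the FAR ceiling")


if __name__ == "__main__":
    print("EER threshold, rate:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 10%:", strictest_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.1))
```

Raising the threshold lowers FAR but raises FRR, which is the trade-off the CER summarises in a single number.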
5.2. Network Security and Control
Network and Endpoint Devices
• OSI Model
• Network Devices:
o Repeaters: they repeat the signal to address risk of attenuation.
o Hubs: OSI L1, it broadcasts the message to all connected devices.
o Switch: OSI L2, send message only to designated devices using MAC.
o Bridge: same as switch but can act as a store-and-forward device. Only has a few
ports.
o Router: OSI L3, connects 2 different networks.
o Gateway: OSI L7, has capability to translate & connect different protocols &
networks.
• Network Media:
o Fiber Optics:
o Twisted Pair: Shielded & Unshielded.
o Wireless:
• Risks of Physical Network Media:
o Attenuation: loss or weakening signal transmission.
o EMI: interference or disturbance that impacts the quality of the electrical signal.
o Cross Talk: when signal from one cable gets mixed up with another signal in
another cable. Happens in UTP.
• Network Protocols:
o DHCP: manages network configuration – dynamically assigns IP address
& other parameters.
o TLS/SSL: operate at Transport Layer. Used for privacy & data security. SSL is
deprecated.
o TCP/UDP: operate at Transport Layer.
o SSH/Telnet: remote terminal control protocols.

Firewall Types & Implementation


• Firewall Types:
o Packet Filtering: tracks IP & port of source/destination addresses. Operates
at Network Layer.
o Stateful Inspection: monitors & tracks the destination of each packet that's being
sent from the internal network. Operates at Network Layer.
o Circuit Level: works on the concept of bastion host & proxy server. Operates
at Session Layer. It provides same proxy for all services.
o Application Level: provides separate proxy for each application. Operates at
Application Layer. Most secure Firewall.
• Bastion hosts protect the network from outside exposure. Only bastion hosts are made
available on the internet & a bastion host is the only system that can be addressed directly
from the public network.
• Proxy is a middleman – it stands between external & internal networks.
o Circuit level proxy.
o Application level proxy.
• Types of firewall implementation:
o Dual-Homed Firewall: one packet filtering router & one bastion host with 2
NICs. 2 links
o Screened Host Firewall: one packet filtering router & one bastion host. 1 link
o Screened Subnet Firewall (DMZ): 2 packet filtering routers & one bastion
host. Most secure.
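An added example (not from the study guide) contrasting the packet-filtering and stateful-inspection firewall types above: a toy packet filter judges each packet on its addresses and ports alone, while a toy stateful firewall admits inbound packets only when they belong to a flow the internal network started. The addresses, ports and `Packet` structure are constructed for illustration.

```python
# Added example (not from the study guide): toy packet filter next to a toy
# stateful inspection firewall, both run over constructed packets.
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving the internal network, "in" = arriving from outside


INTERNAL = "10.0.0.5"
# Constructed traffic: the internal host opens an HTTPS session, the server
# replies, then an unrelated outside host sends a packet that merely looks
# like an HTTPS reply (source port 443) to a port nobody opened.
TRAFFIC = [
    Packet(INTERNAL, 40000, "203.0.113.10", 443, "out"),
    Packet("203.0.113.10", 443, INTERNAL, 40000, "in"),   # genuine reply
    Packet("198.51.100.7", 443, INTERNAL, 40001, "in"),   # unsolicited
]


def packet_filter(packets: List[Packet]) -> List[bool]:
    """Static rule set only: allow all outbound traffic and any inbound packet
    from port 443, since replies arrive from that port. No connection memory."""
    return [p.direction == "out" or p.sport == 443 for p in packets]


def stateful_inspection(packets: List[Packet]) -> List[bool]:
    """Records each outbound flow (src, sport, dst, dport) and admits an inbound
    packet only if it is the mirror image of a recorded flow."""
    table: Set[Tuple[str, int, str, int]] = set()
    verdicts: List[bool] = []
    for p in packets:
        if p.direction == "out":
            table.add((p.src, p.sport, p.dst, p.dport))
            verdicts.append(True)
        else:
            verdicts.append((p.dst, p.dport, p.src, p.sport) in table)
    return verdicts


if __name__ == "__main__":
    print("packet filter:", packet_filter(TRAFFIC))        # [True, True, True]
    print("stateful    :", stateful_inspection(TRAFFIC))   # [True, True, False]
```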

VPN
• Types of VPN:
o Remote Access VPN: from anywhere.
o Intranet VPN: to connect branch offices within enterprise WAN.
o Extranet VPN: to connect business partners & provide limited access to each
other's corporate networks.
• IPSec Tunnel: encrypts entire packet.
• IPSec Transport: only encrypts data portion of packet.

VoIP
• VoIP is the transmission of voice over IP networks. It digitizes sound into IP
packets & transmits them through the network layer.
• Bandwidth capacity must be determined to ensure quality of service.
• Traditional lines are considered more secure.
• Session Border Controller: deployed to protect VoIP networks
o It prevents toll fraud or premium rate fraud.
o Protects session from malicious attacks such as DoS & DDoS.
o Encrypts signals.
o Provide QoS.

Wireless Networks
• Some common protection of WiFi:
o Enable MAC filtering.
o Enable encryption. WPA & WEP. WPA2 is the strongest.
o Disable SSID broadcast: prevents broadcasting the network name.
o Disable DHCP.
• Common wireless attacks:
o War Driving
o War Walking
o War Chalking – drawing a mark in a public area indicating existence of open
wireless network.

Email Security
5.3. Public Key Cryptography & Emerging Technologies
Public Key Cryptography
• Symmetric Encryption:
o Single key for encrypting & decrypting.
o Faster computation & processing.
o Cheaper.
o Disadvantage in key distribution.
• Asymmetric Encryption:
o Two keys: public & private.
o Slower computation & processing.
o More expensive.
• Ensure non-repudiation by encrypting the message via sender’s private key.

Public Key Infrastructure (PKI)


• Terminology:
o Digital Certificate: to prove ownership of a public key.
o CA: entity that issues digital certificates.
o RA: entity that verifies user requests. Also does Proof of Possession (POP).
o Certificate Revocation List (CRL): list of digital certificates that have been
revoked before their expiry date.
o Certification Practice Statement (CPS): practices & processes for
issuing and management of digital certificates by the CA.

Cloud Computing
• Deployment Models:
o Private Cloud: most secure.
o Public Cloud: highly scalable – can be reduced or increased.
o Community Cloud: used by specific communities of consumers who
have shared concerns.
o Hybrid Cloud: combination of private & public cloud.

5.4. Security Event Management


Information System Attack Methods
• Attack Types:
o Alteration Attack: data is altered or modified without authorization.
o Botnets: compromised computers.
o Data Diddling: data is altered as it is entered.
o Eavesdropping: gathering information flowing through the network.
o Email Bombing
o Email Spamming: unsolicited emails are sent to thousands of users.
o Email Spoofing: appears to originate from another source/address.
o Juice Jacking: public charging points.
• Malicious Codes:
o Trojan Horse: malicious software disguised to be legitimate.
o Masquerading: intruder acting as someone else – identity theft.
o Network Analysis: intruder creates a repository of information pertaining to a
particular organization – passive attack.
o Pharming: website traffic redirected to bogus website.
o Parameter Tampering: unauthorized modification of web application
parameters.
o Race condition: time-of-check/time-of-use (TOCTOU) attacks.

Security Testing Tools & Techniques


• Network Penetration Tests:
o External testing: test performed from outside the network – internet.
o Internal Testing: attack conducted from within the network – simulates an intruder who already has inside access.
o Blind testing: tester provided with limited knowledge about the systems.
o Double Blind Testing: admins & security staff are unaware of the test.
o Targeted Testing: all parties are aware.

Security Monitoring Tools & Techniques


• Intrusion Detection System IDS:
o Network-Based IDS:
▪ Monitors activities across the network.
▪ High rate of false alarms.
▪ Better at detecting attacks from outside.
▪ Inspects the content & header info of packets.
o Host-Based IDS:
▪ Monitors activities of a single host/system.
▪ Low rate of false alarms.
▪ Better at detecting attacks from inside.
▪ Detects activities on a host computer such as file deletion & application
modification.
o Limitation of IDS:
▪ Depends on policy definition – good policy = good IDS & vice versa.
▪ Cannot control application-level vulnerabilities.
▪ Cannot control backdoors into an application.
▪ Cannot analyze data that’s encrypted.
o Types of IDS:
▪ Signature-Based: predefined patterns.
▪ Statistical-Based: identify abnormal behavior – generates most false
positives.
▪ Neural Network: possesses advanced functionality of self-learning.
o Placement of IDS:
▪ Between firewall & external network.
▪ Between firewall & internal network.
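An added example (not from the study guide) running the two IDS types above over constructed web-server log lines: the signature-based detector matches predefined patterns, the statistical-based detector flags clients whose request volume is abnormal and, as the notes warn, produces a false positive on a busy but legitimate host. The log format, client addresses, patterns and the `k` multiplier are constructed for illustration.

```python
# Added example (not from the study guide): signature-based and
# statistical-based detection over constructed web-server log lines.
import re
from collections import Counter
from statistics import mean, pstdev
from typing import List

# Constructed log lines: "<client> <method> <path> <status>".
LOG_LINES = (
    [
        "10.0.0.8 GET /index.html 200",
        "10.0.0.8 GET /images/logo.png 200",
        "10.0.0.9 GET /../../etc/passwd 404",
        "10.0.0.9 GET /login?user=admin'%20OR%201=1-- 200",
    ]
    + ["10.0.0.7 GET /health 200"] * 31          # monitoring host polls often
    + ["10.0.0.%d GET /home 200" % i for i in range(20, 26)]
)

# Predefined patterns a signature-based IDS matches against each request path.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"'(%20|\s)+or(%20|\s)+1=1", re.IGNORECASE),
}


def signature_alerts(lines: List[str]) -> List[str]:
    """Returns 'client:rule' for every line whose path matches a known pattern."""
    alerts = []
    for line in lines:
        client, _, path, _ = line.split(" ", 3)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append(f"{client}:{name}")
    return alerts


def statistical_alerts(lines: List[str], k: float = 2.0) -> List[str]:
    """Flags clients whose request count exceeds mean + k*stdev over all clients.
    Needs no attack knowledge, but a chatty legitimate host trips it too."""
    counts = Counter(line.split(" ", 1)[0] for line in lines)
    values = list(counts.values())
    limit = mean(values) + k * pstdev(values)
    return [client for client, n in counts.items() if n > limit]


if __name__ == "__main__":
    print("signature  :", signature_alerts(LOG_LINES))    # flags 10.0.0.9 twice
    print("statistical:", statistical_alerts(LOG_LINES))  # flags only 10.0.0.7
```

The statistical detector misses the client sending the malicious requests (its volume is normal) while alerting on the monitoring host, which is the false-positive trade-off behind the note that statistical-based IDS generates the most false positives.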
