Protection of Information Assets

The document outlines the importance of information asset security frameworks and standards, emphasizing the roles and responsibilities of various stakeholders in maintaining security. It discusses recommended IT security baselines, audit considerations, and the significance of data privacy and access management. Additionally, it highlights the risks associated with cloud computing and social media, along with the need for effective controls and training to mitigate vulnerabilities.

CISA

Protection of Information Assets


Information Asset Security Frameworks & Standards
o Standards can be used as a benchmark across an industry
o Frameworks are used to help describe how an organization can achieve compliance with a standard
o Control frameworks are a set of fundamental controls that help support and protect an enterprise

Auditing the InfoSec Management Framework
o Logical access
o Testing security
o Investigative techniques
o Policies and procedures provide the framework and must be reviewed regularly
o Documentation must be current

Security Awareness and Training
o Security training should be done formally and focused on the people involved
o Promoting security awareness is a preventive control
o IS auditors should interview some employees to test for awareness
o Data ownership must be established and owners must be aware of their responsibility

Roles and Responsibilities for Auditing the IS Framework
o Data Owners
  o Managers or Directors
  o Responsible for using information to run the business
  o Responsible for authorizing access
  o Make sure that access rules are applied at all times
o Data Custodians
  o Responsible for storing and safeguarding the data
  o Includes IS personnel

Roles and Responsibilities for Auditing the IS Framework
o Security Administrator
  o Responsible for providing adequate physical and logical security for IS programs, data and equipment
  o Operate according to the ISP
o IT Users
  o Must sign a document stating their security obligations
o Data Users
  o Include internal and external user communities

Recommended IT Security Baseline
o Inventory
  o Objective: Establish and maintain inventory
  o Standards should be followed when connecting devices to the network and internet
o Passwords
  o Users must use strong passwords
  o Departmental accounts should be created for workgroups to prevent password sharing

Recommended IT Security Baseline
o Patching
  o Should be automated as much as possible
  o Automating for workstations gives admins more time to work on servers and their more complex environments
o Addressing Vulnerabilities
  o Use enterprise-wide system scans to provide a baseline for comparison
o Backups
  o Backups should be offsite for increased security
  o Restores should be practiced often

Standards
o IS Auditors should review access standards
o Security standards could be defined:
  o At generic levels
  o For specific machines
  o For specific application systems

Principles of Data Privacy
o IS Auditors will be tasked with checking compliance with privacy regulations
o Privacy is the right of an individual to trust that others will handle their sensitive and personal data appropriately
o Changes that impact privacy:
  o Technology
  o Processes
  o People

Audit Considerations for Privacy
o Seven categories of privacy:
  1. Privacy of communication
  2. Privacy of behavior
  3. Privacy of person
  4. Privacy of data and image
  5. Privacy of thoughts and feelings
  6. Privacy of location and space
  7. Privacy of association

Audit Considerations for Privacy
o Choice and Consent
o Legitimate purpose
o PII Lifecycle
o Accuracy
o Transparency
o Safeguards
o Preventing Harm
o Breach Management

Physical Access and Controls
o Physical access is just as vulnerable as logical access
o Most IT assets require a controlled environment as well (HVAC, dehumidifiers, etc.)
o Controls for IS can be proactive or reactive
  o Safeguards (proactive)
  o Countermeasures (reactive)

Controls

o Managerial
o Technical
o Physical

Control Matrix

Method/Type    Managerial                  Technical                   Physical
Preventative   User Registration Process   Login Screen                Fence
Detective      Audit                       Intrusion Detection System  Motion Sensor
Corrective     Remove access               Network isolation           Close fire doors

© ISACA – Certified Information Systems Auditor Review Manual, 27th edition. All rights reserved.

Audit Considerations for Controls
o Validate that processes, logs and audit hooks have been placed in the control framework
o During control design make sure that monitoring capabilities are considered
o If these are external (MSP or SIEM), notifications must be given to operations staff

Physical Access Issues
o Unauthorized entry
o Vandalism or theft
o Alteration of equipment
o Blackmail
o Wiretapping
o Viewing sensitive information

Physical Access Controls

o Bolting door locks
o Combination locks
o Electronic door locks
o Biometric locks
o RFID/Photo badges
o Video cameras
o Security guards
o Deadman doors

Environmental Controls
o IS auditors should be aware of environmental exposure of IS infrastructure
o Some exposure is considered natural while other exposure can be malicious
o Controls can be utilized for short-term interruptions and long-term exposure/interruptions
o Testing can be done with walkthroughs and physical inspection

Controls for Environmental Exposures
o Alarm Control Panels
o Water/Smoke Detectors
o Manual Fire Alarms
o Strategic location
o Fire Suppression Systems
  o Water-Based (Wet and Dry Pipe)
  o Halon Systems
  o FM-200
  o Argonite or Carbon Dioxide (☠)

Identity and Access Management
o I&A is considered the first line of defense for information systems
o Logical and physical access controls are used to protect information assets
o System access permission allows people or devices to act upon a computer resource
o IT assets are typically grouped in layers of Networks, Platforms, Databases and Applications

Access Controls
o Mandatory Access Controls (MAC)
o Discretionary Access Controls (DAC)
o Logical access
o Access rules
o Time of Day
o Role based access (RBAC)

Logical Access
o Logical access controls are what most organizations use to protect information assets
o IS Auditors need to be aware of the level of risk appetite of an organization
o This allows you to evaluate the effectiveness of controls that are put into place
The Road to Access

o Direct Access
o Local Network
o Remote Access
o Points of System Entry
o Front End
o Back End
Common Vulnerabilities

o Weak authentication
o Poor Password policies
o Lack of access identification
o Lack of encryption
o Lack of end user training

Common Vulnerabilities
o Reinstatement without valid authorization
o Access without authorization
o Lack of SoD
o Lack of Logging
o Orphan/Dormant accounts

Means to Control Access
o Token Devices (MFA)
o Biometrics
  o Physical
  o Behavior-oriented
  o Voice recognition
o Single Sign-On (SSO)
  o Advantages
  o Disadvantages

Audit Logging of System Access
o Most software and access control systems allow for automatic logging of access attempts
o The primary concerns of an IS Auditor are:
  o What is logged
  o Who/what has access to the logs
  o How long logs are retained/archived

System Logs
o Vitally important to make sure audit trail data is NOT modified
o Audit trails should also be protected by access controls
o Tools for Audit Logs:
  o Audit reduction tools
  o Trend/Variance Detection
  o Attack Signature Detection
  o SIEM systems
Cost Considerations

o System overhead
o Frequency of reviews
o Tools needed
o Archive storage

Audit Logging of System Access
o Auditors should look for:
  o Patterns or trends that show abuse
  o Clear cut violations
o When violations are identified:
  o Referred to Security administrator
  o If serious, notify Executive management
  o Follow formal processes for disciplinary actions
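The review an auditor performs on access logs, as an added example that is not part of the slides: it runs over constructed log lines and flags the two things the slide names, clear-cut violations (a successful login outside an account's permitted time-of-day window, or use of an account reported dormant) and a pattern that suggests abuse (a burst of failed logins against one account). The log format, the per-account rules and the thresholds are assumptions made for the example.

```python
"""Access-log review for an IS audit: clear-cut violations plus failure-burst
patterns.  Added example; the log format, rules and thresholds are assumed."""
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <user> <result> <source>"
SAMPLE_LOG = """\
2024-03-04T08:55:10 alice SUCCESS 10.0.0.12
2024-03-04T09:02:41 bob FAILURE 10.0.0.31
2024-03-04T09:02:50 bob FAILURE 10.0.0.31
2024-03-04T09:03:02 bob FAILURE 10.0.0.31
2024-03-04T09:03:15 bob FAILURE 10.0.0.31
2024-03-04T09:03:30 bob SUCCESS 10.0.0.31
2024-03-04T23:40:05 alice SUCCESS 10.0.0.12
2024-03-05T10:15:00 carol SUCCESS 10.0.0.77
"""

# Assumed access rules: permitted hours per account (24h clock, end exclusive)
# and accounts that IAM reported as dormant, which should never authenticate.
PERMITTED_HOURS = {"alice": (8, 18), "bob": (8, 18)}
DORMANT_ACCOUNTS = {"carol"}
FAILURE_THRESHOLD = 3            # failures inside WINDOW count as an abuse pattern
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn the raw lines into (timestamp, user, result, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split()
        events.append((datetime.fromisoformat(ts), user, result, src))
    return events


def find_violations(events):
    """Clear-cut violations: dormant account used, or login outside permitted hours."""
    findings = []
    for ts, user, result, _src in events:
        if result != "SUCCESS":
            continue
        if user in DORMANT_ACCOUNTS:
            findings.append(("dormant-account-login", user, ts.isoformat()))
        start, end = PERMITTED_HOURS.get(user, (0, 24))   # no rule: any hour allowed
        if not (start <= ts.hour < end):
            findings.append(("outside-permitted-hours", user, ts.isoformat()))
    return findings


def find_failure_bursts(events):
    """Pattern: at least FAILURE_THRESHOLD failures for one user inside WINDOW."""
    failures = {}
    for ts, user, result, _src in events:
        if result == "FAILURE":
            failures.setdefault(user, []).append(ts)
    bursts = []
    for user, stamps in failures.items():
        stamps.sort()
        for i, first in enumerate(stamps):
            # count failures in the window that starts at this failure
            n = sum(1 for t in stamps[i:] if t - first <= WINDOW)
            if n >= FAILURE_THRESHOLD:
                bursts.append((user, n))
                break
    return bursts


def review(text):
    """Run both checks over a log and return the findings for the audit workpaper."""
    events = parse_log(text)
    return {"violations": find_violations(events),
            "failure_bursts": find_failure_bursts(events)}
```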

Audit Logging of System Access
o Logical Access Control Evaluation
  o Obtain a general understanding of the security risk
  o Document and evaluate controls over potential access paths
  o Make sure server OS is hardened
  o Test controls over access paths
  o Evaluate overall security environment

Data Loss Prevention
o Data loss can happen accidentally or maliciously
o Regardless of the reason, it typically involves the unauthorized transfer of information
o Data leaks create risk to the organization and its customers
o Data Leak Prevention (DLP) can help locate, monitor and protect sensitive information

Data Integrity
o Data integrity needs to be maintained at all states of data:
  o Data at rest
  o Data in motion
  o Data in use
o Full DLP solutions must address all three of the data states

DLP Risk and Limitations
o Auditors should look for:
  o Improperly tuned DLP modules
  o Excessive reporting and false positives
  o Encryption
  o Be aware of graphics (DLP not adequate)

Network Infrastructure
o Types of Networks
  o Local Area Networks
  o Wide Area Networks
  o Storage Area Networks
  o Virtual Networks

Network Protocols and the OSI Model
o Protocols allow networks to have:
  o Availability
  o Maintainability
  o Flexibility
  o Interoperability
o Network architectures like the OSI model help facilitate the creation of protocols
Transmission Media and Vulnerability

o Twisted Pair
o Coaxial Cable
o Fiber Optics
o Radio Systems
o Microwave Systems
o Satellite Radio Link

Wide Area Networks
o Technologies
  o Frame Relay
  o Asynchronous Transfer Mode
  o Multiprotocol Label Switching
  o Digital Subscriber Lines
  o Virtual Private Networks
o Remote-Access
o Intranet
o Extranet

Applications in a Network Environment
o Client Server Technology
  o Two Tiered
  o Three Tiered
o Middleware
  o Transaction Processing (TP)
  o Remote Procedure Calls (RPC)
  o Object Request Broker (ORB)

Risk and Control for Middleware
o System integrity may be affected
o Data portability cannot be guaranteed
o Compensating controls are needed to ensure integrity
o Systems (and the controls) should be properly tested and approved
o Change and version control must be managed

Network Infrastructure Security and Firewalls
o Control is accomplished through a network control terminal and specialized communications software
o Network access is controlled
o Data encryption must be used
o Device hardening must be accomplished
o Internet security controls must be established

Firewalls
o Can be hardware or software based
o They accomplish two overall objectives:
  o Separate networks
  o Filter/screen the traffic between the network segments
o Typically used to block access to particular sites on the internet, prevent users from accessing particular network segments, and monitor communication

Firewalls
o Types of Firewalls
  o Packet Filtering
  o Application Firewall
  o Stateful Inspection
o Types of Implementation
  o Screened-Host
  o Dual-Homed
  o DMZ

Change Management in Networks
o Network configuration changes can add risk to your Information Systems
o IS auditors should test to see if there is a change management process in place
  o Sample recent change requests looking for authorization and assessment
  o Match changes to documentation to find any unauthorized modifications

Unauthorized Change
o Any change that has not properly followed the change management process is considered unauthorized
o Controls to prevent unauthorized change:
  o SoD among software development and administration
  o Restrict the development team to the development environment only
  o Restrict access to the software source code
  o Software code comparison utilities

Shadow IT
o Any application, tool or piece of hardware that serves the user's purpose but has not been appropriately authorized
o Typically not added maliciously
o Controls for Shadow IT:
  o Shadow IT policy clearly communicated
  o Activity monitoring
  o IT budgeting and procurement
  o End user education

Encryption Systems
o Encryption's primary goal is to protect confidentiality
o Protects data in transit
o Protects data that is stored
o Can verify authenticity of a document or transaction
o Encryption does NOT protect against data loss or data availability attacks
Elements of Encryption Systems

o Encryption Algorithm
o Encryption Keys
o Key Length
Symmetric Key Cryptography
Asymmetric Key Cryptography

Applications of Cryptographic Systems
o Using a combination of symmetric and asymmetric systems you can build out many applications:
  o Transport Layer Security (TLS)
  o IPsec
  o Secure Shell
  o Secure Multipurpose Internet Mail Extensions

Digital Signatures
o A digest is derived from a document (pre-hash) and a key algorithm is applied
o The same hashing function is applied by the recipient and the post-hash is then compared with the decrypted pre-hash
o This ensures:
  o Data integrity
  o Authentication
  o Non-Repudiation
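The hash-then-sign flow the slide describes, as an added example that is not from the slides: the sender hashes the document (the pre-hash) and applies the private key to that digest, and the recipient re-hashes the document (the post-hash) and compares it with the digest recovered from the signature using the public key. The signing primitive here is textbook RSA without padding on keys generated inline with a Miller-Rabin test, chosen so the three steps are visible using only the Python standard library; a production system uses a vetted library with PKCS#1 v1.5 or PSS padding and 2048-bit or longer keys.

```python
"""Hash-then-sign with textbook RSA (teaching model, no padding).  Added example."""
import hashlib
import random


def is_probable_prime(n, rounds=20, rng=random):
    """Miller-Rabin test with `rounds` random witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:            # write n-1 as d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False         # a is a witness: n is composite
    return True


def random_prime(bits, rng):
    """Random odd prime with the top bit set, so p*q has the full bit length."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def generate_keypair(bits=512, seed=None):
    """Return ((n, e), (n, d)).  `seed` gives reproducible keys for demos only."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest(document: bytes) -> int:
    """The slide's 'pre-hash': SHA-256 of the document as an integer (< n for 512-bit n)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Sender: apply the private-key operation to the digest."""
    n, d = private_key
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Recipient: recover the signed digest with the public key, re-hash, compare."""
    n, e = public_key
    recovered_pre_hash = pow(signature, e, n)
    return recovered_pre_hash == digest(document)   # the 'post-hash' comparison
```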

The Public Key Infrastructure (PKI)
o One major issue with public key systems is "man-in-the-middle" attacks
o Tampering with public keys can't really be detected
o A trusted third party is necessary to prove the authenticity of a public key
o These trusted third parties are known as Certificate Authorities

Digital Certificates
o Certificates are issued by trusted CAs and typically contain a certificate practice statement (CPS):
  o Type of certificate issued
  o Policies, procedures and processes for issuing, renewing and recovering certificates
  o Cryptographic algorithm used
  o Key length
  o Lifetime of the certificate issued
  o Policies for revoking certificates (CRLs)

IS Audits and Social Media
o The creation and dissemination of content in the internet public square has grown astronomically in the last decade
o While there are many positive aspects of social media, it is also one of the largest attack vectors into organizations
o Use of social media within an organization must be controlled based on its strategic objectives and risk appetite

Vulnerabilities of Social Media
o Introduction of viruses and malware to the organization's network
o Fraudulent usage of the organization's assets
o Unclear or undefined content rights
o Confidential information exposed on social media sites
o Mismanagement of electronic communications in violation of regulatory requirements

Virtualization and Cloud Computing
o In the mid-2000s the capability to make "virtual machines" opened up the ability to create software-based computing systems
o In addition, large companies like Amazon, Google and Microsoft had massive datacenters that only slightly used their capacity
o Containerization took it to another level

Cloud Computing Risk
o Cloud introduces different types of risk to your business
o While they are highly secure, they are also huge targets
o Where your data is stored does matter
o This is considered "outsourcing" and brings the same risk

IS Auditing Considerations
o Legal requirements in a cloud environment
o Transborder data delivery
o Data ownership, data custody and security administration
o Use the Cloud Security Alliance (CSA) questionnaire to ascertain how service providers comply with the controls matrix

Security Awareness Training
o Training should be done on a consistent basis
o Assessments should be attached to ensure knowledge transfer
o New and reviewed concepts should be contained in the training
o Documentation of the training is typically required for accreditation and/or regulations

Security Awareness Training
o Methodical approaches should be utilized; avoid random topics or following a non-utilitarian approach
o Written security notices should be posted to remind users of their responsibilities and policies
o Risk-based analysis will help to identify the areas that need training the most

Information System Attack Methods and Techniques
o Risk is based upon vulnerabilities in your IS environment
o Threats are analyzed and should have layers of response:
  o Preventative
  o Detective
  o Corrective
o IS Auditors should know about the majority of types of attacks

Fraud
o Fraud is the crime of using dishonest methods to take something valuable from a person or organization
o Typically based on the Fraud Triangle:
  o Motivation
  o Rationalization
  o Opportunity

Common Attacks and Techniques
o Denial-of-Service (DoS)
o Botnets
o Eavesdropping
o Email Bombing/Spoofing
o Phishing/Spear-phishing
o Juice Jacking
o Man-in-the-middle Attack
o Salami

Malware
o Short for "malicious software"
o Four attack vectors:
  o Executable program files
  o File-directory system
  o Boot and system areas
  o Data files
o Policy and procedure controls must be in place

Malware Controls
o Managerial
  o No unauthorized media
  o All new software is scanned
  o Mandate anti-virus signature updates
o Technical
  o Boot malware protection
  o Scanners/CRC checkers
  o Hardware based passwords

Testing Techniques for Security Tools
o Terminals and Card Keys
o Terminal Identification
o Logon IDs and Passwords
o Logging and Reporting of Access Violations
o Bypassing Security Controls

Network and System Penetration Testing
o IS Auditors can "act like" hackers and malicious actors
o "Pen Testing" is a tool that can be utilized to help protect Information Systems
o Factors to consider:
  o Scope of the test
  o Acceptable testing techniques
  o Point of Contact

Types of Penetration Testing

o External Testing
o Internal Testing
o Blind Testing
o Double Blind Testing
o Targeted Testing

Phases of Pen Testing (flow diagram)

Planning → Reconnaissance → Attacks → Control Development → Reporting

Monitoring Tools
o Intrusion Detection Systems
  o Network-based IDS
  o Host-based IDS
  o Signature-based
  o Statistical-based
  o Neural Networks

Intrusion Protection Systems
o Closely related to IDS systems
o Helps prevent the victim from being affected by the attack
o Examples:
  o Honeypots
  o Network Assessments

Incident Response Management
o At some point an attack will be successful and a security incident will occur
o Roles need to be assigned to handle the different aspects of the response:
  o Incident coordinator
  o Incident director
  o Specific managers
  o Security Specialists

Incident Response Process
o Establishing the process makes employees and contractors aware of the procedures to:
  o Report incidents
  o Categorize and prioritize incidents
o Ideally a CSIRT or CERT should be formed
o IS auditors should make sure that the CSIRT is actively involved with users to assist them in mitigating the risk associated with the event

Incident Response Process (flow diagram)

Detection → Initiation → Recording → Evaluation → Containment → Eradication → Escalation → Response → Recovery → Reporting/PIR

Evidence Collecting and Forensics
o Computer hacking and cyberattacks are illegal and considered crimes
o In many cases organizations have not reported these crimes due to fear of damaged reputation and negative publicity
o After an attack, theft or other crime it is important that evidence collection is done correctly and documented appropriately

Computer Forensics
o Forensics is the process of identifying, preserving, analyzing and presenting digital evidence in a manner legally acceptable in a court of law
o Forensics:
  o Provides validation that an attack occurred
  o Gathers digital evidence for judicial proceedings

Computer Forensics
o Forensics has 4 phases:
  o Identify
  o Preserve
  o Analyze
  o Present
o IS Auditors ensure the presence of:
  o Data Protection
  o Data Acquisition
  o Imaging
  o Extraction
  o Interrogation
  o Ingestion/Normalization
