@ChuckIsReady 2018-11-16T03:33:34.000000Z Word count 8310 Views 457

Auditing Final

Uncategorized


I. Introduction to Information Security and IS Auditing

A. Objectives of IS audit and control

Auditing: a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events, to ascertain the degree of correspondence between those assertions and established criteria, and to communicate the results to interested users.

Information System Auditing Objectives

  • Validate information service functions

  • Validate the controls of the system development life cycle

  • Validate the access controls to equipment and facilities

  • Automate the internal auditing activities

  • Prepare internal training

  • Collaborate with external auditors

Internal Control Objectives

  • Safeguard assets
  • Ensure the accuracy and reliability of records
  • Promote efficiency
  • Measure compliance with policies and procedures

Internal Control: PDC Control Model (Preventive, Detective, Corrective)

Preventive

  • Reduce the frequency of undesirable events
  • More cost-effective

Detective

  • Identify undesirable events that elude preventive controls
  • Uncover errors by comparison

Corrective

  • Reverse the effects
  • Always take the best feasible corrective action

B. The structure of an IS audit and audit reports

Structure of an IT Audit:

Audit Planning Phase
  1. Review Policies, Practices, and Structure
  2. Review General Controls and Application Controls
  3. Plan Tests of Controls and Substantive Testing Procedures
Tests of Control Phase
  1. Perform Tests Of Controls
  2. Evaluate Test Results
  3. Determine Degree Of Reliance on Controls
Substantive Testing Phase
  1. Perform Substantive Tests
  2. Evaluate Results And Issue Auditor’s Report
    ==> Audit Report

C. IS auditing standards

Categories of Control Activities

  1. General Controls
  2. Application Controls
  3. Independent Verification
  4. Transaction Authorization
  5. Segregation Of Duties
  6. Supervision
  7. Audit trail provision
  8. Access Control

Information Systems Audit Program

  • Environmental controls
  • Physical security controls
  • Logical security controls
  • IS operating controls

Areas of Concern Regarding Operating Security Controls

  • Operational procedures and responsibilities
    • Documented Operating Procedures
    • Segregation of Duties
    • Incident Handling
    • Service Delivery
  • Third party service delivery management
    • Monitoring and Review of Third Party Services
    • Managing Changes to Third Party
  • Backup
    • Information Backup
  • Media handling
    • Management of Removable Media and System Documentation, Disposal of Media
  • Exchange of information
    • Information Exchange Policies and Procedures
    • Exchange Agreements
    • Physical Media in Transit and Electronic Messaging
    • Business Information Systems
  • Monitoring
    • Audit Logging
    • Monitoring System Use
    • Protection of Log Information and Administrator and Operator Logs
    • Clock Synchronization

D. Computer assisted audit tools

II. Organization Security and Controls

A. Physical security controls

Provision of a Secure Area

  • Security Perimeter
  • Control on Physical Entry
  • Sensitive Facilities and Security Office
  • Delivery and Loading Areas

General Controls

  • Disposal or re-use of equipment
  • Clear desk and clear screen policy
  Other types:
  • Physical locks
  • Security guards
  • Video surveillance cameras
  • General emergency and detection procedures
  • Heating, ventilation, and cooling (HVAC) systems
  • Emergency power and uninterruptible power supply (UPS) systems
  • Insurance coverage
  • Backups

Business Resumption Programs
Also referred to as disaster recovery programs

  • List of key contact personnel
  • Primary and secondary headquarters sites
  • Identify and rank operational areas in terms of criticality and risk
  • Events that should trigger the BRP
  • Concise descriptions of actions to be taken in each operation area
  • Measures to deal with potential psychological impact of disaster

B. Logical security controls

Logical Security Controls

  • Deal with the protection of system, application program and data
  • Restrict access capabilities of system users
    • Challenge
      • Unauthorized activities by a system security administrator
    • Solution
      • Require a second system security administrator to segregate the duties
      • System log

Access Controls

  • Restrict use of computer system resources to authorized users
  • Limit actions the authorized users can take
  • Ensure users obtain only authentic computer system resources

C. Operating controls

D. Personnel security and management practices

E. Application software control

The objective of the IS auditor: to ensure that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure meet the organization's objectives.

Traditional System Development Life Cycle Approach (SDLC)

Framework: PPTM (People | Process | Tools | Measures)

Test Steps for Auditing Applications

Software Capability Maturity Model Integration (CMMI)
Five maturity levels
1. Initial
2. Managed
3. Defined
4. Quantitatively Managed
5. Optimizing

A maturity model can be used as a benchmark for comparing different organizations on an equivalent basis.

III. Basics of Information Security

Security Objectives

  • Confidentiality
    Resources are accessed only by authorized parties
  • Integrity
    No unauthorized modification to the system
  • Availability
    Resources/services accessible as expected
  • Additional objectives:
    • Accountability
      Actions can be traced to the responsible party
    • Authenticity
      User/data origins are accurately identifiable

Different Types of Threats

  • Interception: unauthorized access
  • Modification: unauthorized alteration
  • Fabrication: counterfeiting
  • Interruption: unavailability

IV. Basics of Cryptographic Technologies

A. Symmetric encryption

Caesar Cipher
C = E(p) = (p + k) mod 26
p = D(C) = (C - k) mod 26

Rail Fence Cipher
[Figure: rail fence cipher diagram (image not captured)]
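The two classical ciphers above, as an added example that is not part of the original notes: Caesar shifting exactly per the formulas C = (p + k) mod 26 and p = (C - k) mod 26, and a rail fence transposition whose number of rails is an assumed parameter (the notes only show it as a figure). The candidate-listing function shows why a 25-key cipher gives no real confidentiality.

```python
# Added example (not from the original notes): Caesar cipher per the formulas
# C = (p + k) mod 26 / p = (C - k) mod 26, plus a rail-fence transposition
# cipher; the rail count is an assumed parameter.

def caesar_encrypt(plaintext: str, k: int) -> str:
    """Shift each letter by k positions: C = (p + k) mod 26."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)  # digits, spaces and punctuation pass through
    return "".join(out)

def caesar_decrypt(ciphertext: str, k: int) -> str:
    """Inverse shift: p = (C - k) mod 26, i.e. encrypt with -k."""
    return caesar_encrypt(ciphertext, -k)

def caesar_candidates(ciphertext: str) -> list:
    """Only 25 non-trivial keys exist, so every possible plaintext can be
    listed: this is why the Caesar cipher offers no real confidentiality."""
    return [caesar_decrypt(ciphertext, k) for k in range(1, 26)]

def _rail_pattern(n: int, rails: int) -> list:
    """Rail index visited by each of n positions as the zig-zag runs."""
    pattern, rail, step = [], 0, 1
    for _ in range(n):
        pattern.append(rail)
        if rails > 1:
            if rail == 0:
                step = 1
            elif rail == rails - 1:
                step = -1
            rail += step
    return pattern

def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Write the text in a zig-zag over the rails, then read rail by rail."""
    pattern = _rail_pattern(len(plaintext), rails)
    return "".join(ch for r in range(rails)
                   for ch, p in zip(plaintext, pattern) if p == r)

def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Rebuild the zig-zag: ciphertext holds rail 0's positions, then rail 1's, ..."""
    pattern = _rail_pattern(len(ciphertext), rails)
    order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    plain = [""] * len(ciphertext)
    for ch, i in zip(ciphertext, order):
        plain[i] = ch
    return "".join(plain)
```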

Problems:
- Key distribution
- Key management
- Authentication problem
- Repudiation problem

B. Asymmetric encryption

C. Basics of message authentication and cryptographic hash functions

D. Digital signatures and digital certificates

E. Public-key Infrastructure & Web of Trust

V. User Authentication, Access Control and Identity Management

Means of User Authentication

  • What the person knows
    E.g., password, PIN
  • What the person possesses
    E.g., smart cards, token
  • Who the person is (static biometrics)
    E.g., recognition by fingerprint, retina, face
  • What the person does (dynamic biometrics)
    E.g., recognition by voice, handwriting

Two Factor Authentication (2FA)

  1. Two-step verification
  2. User provides two authentication factors

Simple Password Protocol
Challenge-response protocol for remote authentication via password
[Figure: challenge-response password protocol (image not captured)]
Uses a nonce to assure message freshness and to guard against replay of an old message.
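The exchange described above, as an added example that is not part of the original notes: the server issues a random nonce, the client answers with HMAC(password, nonce) so the password itself never crosses the wire, and the server honours each nonce at most once, which is the property that defeats replay of a captured response. Class and function names are this example's own.

```python
# Added example (not from the original notes): nonce-based challenge-response
# login. The client returns HMAC(password, nonce); the server accepts each
# nonce once only, so a captured response cannot be replayed. Names are ours.
import hashlib
import hmac
import secrets

class AuthServer:
    def __init__(self, users: dict):
        # For the demo the server holds plaintext passwords; real systems keep a
        # password-derived verifier so a database leak does not expose them.
        self._users = users
        self._pending = {}   # username -> nonce currently outstanding
        self._used = set()   # every nonce ever issued; never honoured twice

    def challenge(self, user: str) -> bytes:
        """Issue a fresh 128-bit random nonce for this login attempt."""
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        """Accept only a correct response to the nonce outstanding for user."""
        if nonce in self._used or self._pending.get(user) != nonce:
            return False     # replayed, stale or foreign nonce
        self._used.add(nonce)
        del self._pending[user]
        password = self._users.get(user)
        if password is None:
            return False     # unknown account
        expected = hmac.new(password.encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def client_response(password: str, nonce: bytes) -> bytes:
    """Client proves it knows the password without revealing it."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()

def demo() -> tuple:
    """Constructed run: a valid login, a replay of that response, a wrong password."""
    server = AuthServer({"alice": "correct horse battery"})
    nonce = server.challenge("alice")
    resp = client_response("correct horse battery", nonce)
    ok = server.verify("alice", nonce, resp)        # True: fresh nonce, right password
    replayed = server.verify("alice", nonce, resp)  # False: nonce already consumed
    nonce2 = server.challenge("alice")
    bad = server.verify("alice", nonce2, client_response("guess", nonce2))  # False
    return ok, replayed, bad
```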

Web SSO Exchange
[Figure: web SSO exchange (image not captured)]

VII. Network Security – Attack & Defense

A. Network Attacks

Network Layer Security

IP Security (IPSec): A protocol suite for securing IP at the network layer

Goals: secure traffic between any two IP systems

IPsec Services

  • Access control
    • Packet filtering
  • Data integrity
    • The packet has not been altered in transit
    • Replay attack prevention
  • Data origin authentication
    • Source specified in the packet header
  • Confidentiality
    • Communication nodes can encrypt messages to prevent eavesdropping

IPsec plays a vital role in the routing architecture required for internetworking

  • Pros
    • Transparent to all applications
    • Device authentication transparent to end users
    • Adds to IP level end-to-end data reliability, secure sequencing of datagrams, authentication and confidentiality
    • Secure routing architecture
  • Cons
    • Ties user to a single machine
    • Crypto operations add to packet overhead, affecting throughput and latency
    • Complex to implement, choice of configurations
    • Does not prevent traffic analysis

Transport Layer Security

  • Provide end-to-end secure communication channel over the Internet:
    • Secure Socket Layer (SSL)
    • Transport Layer Security (TLS)
  • Designed to prevent eavesdropping, tampering, and message forgery
  • Can be used to encapsulate the application-specific protocols such as HTTP, FTP, SMTP, etc.

SSL Handshake
1. Establish security capabilities
- Client hello: including protocol version, session ID, cipher suite, compression method, and initial random numbers
2. Server authentication & key exchange
- Server hello, certificate, server key exchange, and certificate request.
3. Client authentication & key exchange
- Certificate, client key exchange, certificate verification
4. Finish
- Change cipher spec and finished

Firewall
A choke point of control and monitoring that interconnects networks with differing levels of trust

  • Limitations
    • Cannot protect from attacks that bypass it
    • Cannot protect against internal threats
    • Cannot protect against access via wireless LAN
    • Cannot protect against malware imported via a laptop, PDA or storage device infected outside the perimeter
