Figure 6-6 Digital signature used to verify the integrity of a message

• Key length This refers to the size (measured in bits) of an encryption key. Longer encryption keys mean that it takes greater effort to successfully attack a cryptosystem.

• Block cipher This is an encryption algorithm that operates on blocks of data.

• Stream cipher This is a type of encryption algorithm that operates on a continuous stream of data such as a video or audio feed.

• Initialization vector (IV) A random number that is needed by some encryption algorithms to begin the encryption process.

• Symmetric encryption A method for encryption and decryption where it is necessary for both parties to possess a common encryption key.

• Asymmetric encryption, or public key cryptography A method for encryption, decryption, and digital signatures that uses pairs of encryption keys, consisting of a public key and a private key.

• Key exchange A technique that is used by two parties to establish a symmetric encryption key when there is no secure channel available.

• Nonrepudiation The property of digital signatures and encryption that can make it difficult or impossible for a party to later deny having sent a digitally signed message, unless they admit to having lost control of their private encryption key.

Private Key Cryptosystems

A private key cryptosystem is based on a symmetric cryptographic algorithm. The primary characteristic of a private key cryptosystem is the necessity for both parties to possess an encryption key that is used to encrypt and decrypt messages.

The two main challenges with private key cryptography are:

• Key exchange An “out of band” method for exchanging encryption keys is required before any encrypted messages can be transmitted. This key exchange must occur over a secure channel; if the encryption keys were transmitted over the main communications channel, then anyone who intercepts the encryption key will be able to read any intercepted messages, provided they can determine the encryption algorithm that is used. For instance, if two parties exchange encrypted e-mail, they would need to exchange their encryption key via telephone or fax, provided they are confident that their telephone and fax transmissions are not being intercepted.

• Scalability Private key cryptosystems require that each sender-receiver pair exchange an encryption key. For a group of four parties, 6 encryption keys would need to be exchanged; for a group of 10 parties, 45 keys would be exchanged. For a large community of 1000 parties, many thousands of keys would need to be exchanged.

Some well-known private key algorithms in use include AES, Blowfish, DES, Triple DES, Serpent, and Twofish.

Secure Key Exchange

Secure key exchange refers to methods used by two parties to securely establish a symmetric encryption key without actually transmitting the key over a channel. Secure key exchange is needed when two parties, previously unknown to each other, need to establish encrypted communications where no out-of-band channel is available.

Two parties can perform a secure key exchange even if a third party intercepts their entire conversation. This is because algorithms used for secure key exchange combine secret information held by each party with values that are transmitted, in such a way that the secret information itself is never sent over the channel.

The most popular algorithm is the Diffie-Hellman Key Exchange Protocol.

Public Key Cryptosystems

Public key cryptosystems are based on asymmetric, or public key, cryptographic algorithms. These algorithms use two-part encryption keys that are handled differently from encryption keys in symmetric key cryptosystems.

Key Pair The encryption keys that are used in public key cryptography are called the public key and the private key. Each user of public key cryptosystems has these two keys in his or her possession. Together, the public and private keys are known as a key pair. The two keys require different handling, and are used together but for different purposes that are explained in this section.

When a user generates his or her key pair (the public key and the private key), the key pair will physically exist as two separate files. The user is free to publish or distribute the public key openly; it could even be posted on a public web site. This is in contrast to the private key, which must be well protected and never published or sent to any other party. Most public key cryptosystems will utilize a password mechanism to further protect the private key; without its password, the private key is inaccessible and cannot be used.

Message Security Public key cryptography is an ideal application for securing messages—e-mail in particular. The reason for this is that users do not need to establish and communicate symmetric encryption keys through a secure channel. With public key cryptography, users who have never contacted each other can immediately send secure messages to one another. Public key cryptography is depicted in Figure 6-7.

Every user is free to publish his or her public encryption key so that it is easily retrievable. There are servers on the Internet where public keys can be published and made available to anyone in the world. Public key cryptography is designed so that open disclosure of a user’s public key does not compromise the secrecy of the corresponding private key: A user’s private key cannot be derived from the public key.

When User A wishes to send an encrypted message to User B, the procedure is as follows:

1. User B publishes his public key to the Internet at a convenient location.

2. User A retrieves User B’s public key.

3. User A creates a message and encrypts it with User B’s public key and sends the encrypted message to User B.

4. User B decrypts the message with his private key and is able to read the message.

Note that only User B’s keys are used in this example (his public key to encrypt, his private key to decrypt). This method is used only to protect the message from eavesdroppers. This method is not used to verify the authenticity of the message.

Public key cryptography can also be used to verify the authenticity and integrity of a message. This is used to verify that a specific party did, in fact, create the message. The procedure is as follows:

1. User A publishes his public key to the Internet at a convenient location.

2. User B retrieves User A’s public key and saves it for later use.

3. User A creates a message and digitally signs it with his private key, and then sends the signed message to User B.

4. User B verifies the digital signature using User A’s public key. If the message verifies correctly, User B knows that the message originated from User A and has not been altered in transit.

In this example, only the authenticity and integrity of a message is assured. The message is not encrypted, which means that it can be read by any party that intercepts the message.

Public key cryptography can be used to both encrypt and digitally sign a message, which will guarantee its confidentiality as well as its authenticity. The procedure is as follows:

1. User A and User B publish their public encryption keys to convenient places.

2. User A retrieves User B’s public key, and User B retrieves User A’s public key.

3. User A creates a message, then signs it with his private key and encrypts it with User B’s public key, and then sends the message to User B.

4. User B decrypts the message with his private key and verifies the digital signature with User A’s public key.

Public key cryptography also supports encryption of a message with more than one user’s public key. This permits a user to send a single encrypted message to several recipients that is encrypted with each of their public keys. This method does not compromise the secrecy of any user’s private key, since a user’s private key cannot be derived from the public key.

Figure 6-7 Public key cryptography used to transmit a secret message

Verifying Public Keys It is possible for a user to claim the identity of another and even publish a public key that claims the identity of the other party. Three methods are available for verifying a user’s public key as genuine.

• Certificate authority A public key that has been obtained from a trusted, reputable certificate authority can be considered genuine.

• E-mail address Public keys used for e-mail will include the user’s e-mail address. If the e-mail address is a part of a corporate or government domain (for example, adobe.com or seattle.gov), then some level of credence can be attributed to the successful exchange of messages with that e-mail address. However, since e-mail addresses can be spoofed, this should be considered a weak method at best.

• Key fingerprint Many public key cryptosystems employ a method for verifying a key’s identity, known as the key’s fingerprint. If a user wishes to verify a public key, the user retrieves the public key and calculates the key’s fingerprint. The user then contacts the claimed owner of the public key, who runs a function against his private key that returns a string of numbers. The user also runs a function against the owner’s public key, also returning a string of numbers. If both numbers match, the public key is genuine.

NOTE When verifying a public key, it is essential that the purported owner of the public key be authenticated, such as by viewing a government-issued ID or by contacting the owner at a publicly listed telephone number.

Hashing and Message Digests

Hashing is the process of applying a cryptographic algorithm on a block of information that results in a compact, fixed-length “digest.” The purpose of hashing is to provide a unique “fingerprint” for the message or file—even if the file is very large. A message digest can be used to verify the integrity of a large file, thus assuring that the file has not been altered.

Some of the properties of message digests that make them ideally suited for verifying integrity include:

• Any change made to a file—even a single bit or character—will result in a significant change in the hash.

• It is computationally infeasible to make a change to a file without changing its hash.

• It is computationally infeasible to create a message or file that will result in a given hash.

• It is infeasible to find any two messages that will have the same hash.

One common use of message digests is on software download sites, where the computed hash for a downloadable program is available so that users can verify that the software program has not been altered (provided that the posted hash has not also been compromised).
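The two properties just described, a fixed-length digest that changes drastically on a one-bit edit and the download check built on it, as an added Python example (not the book's code); the “installer” bytes and the posted digest are constructed here so that it runs offline.

```python
import hashlib
import hmac

# Added illustration, not the book's code. INSTALLER is constructed data standing in
# for a downloadable program; POSTED_DIGEST is what the download site would publish.

def sha256_hex(data: bytes) -> str:
    """Fixed-length (256-bit) digest of arbitrarily long input."""
    return hashlib.sha256(data).hexdigest()

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with exactly one bit inverted (the smallest possible change)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def verify_download(data: bytes, posted_digest_hex: str) -> bool:
    """The check a user performs against a download site's posted hash.
    hmac.compare_digest runs in constant time, so it does not leak where
    the two digests first differ."""
    return hmac.compare_digest(sha256_hex(data), posted_digest_hex.strip().lower())

def avalanche_demo(data: bytes, bit_index: int = 7) -> dict:
    """Avalanche property: one flipped input bit changes about half of the digest bits."""
    original = sha256_hex(data)
    altered = sha256_hex(flip_bit(data, bit_index))
    return {
        "original": original,
        "altered": altered,
        "bits_changed": differing_bits(original, altered),
        "digest_bits": len(original) * 4,
    }

INSTALLER = bytes(range(256)) * 64       # constructed 16 KiB stand-in for a program
POSTED_DIGEST = sha256_hex(INSTALLER)     # the value the download page would show

if __name__ == "__main__":
    print(avalanche_demo(INSTALLER))
    print("pristine verifies:", verify_download(INSTALLER, POSTED_DIGEST))
    print("tampered verifies:", verify_download(flip_bit(INSTALLER, 9000), POSTED_DIGEST))
```

The check is only as strong as the channel that delivered POSTED_DIGEST: a digest posted on the same compromised server as the file proves nothing, which is the caveat in the paragraph above.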

Digital Signatures

A digital signature is a cryptographic operation where a sender “seals” a message or file using his identity. The purpose of a digital signature is to authenticate a message and to guarantee its integrity. Digital signatures do not protect the confidentiality of a message, however, as encryption is not one of the operations performed.

Digital signatures work by encrypting hashes of messages; recipients verify the integrity and authenticity of messages by decrypting hashes and comparing them to original messages. In detail, a digital signature works like this:

1. Sender publishes his public key to the Internet at a location that is easily accessible to recipients.

2. Recipient retrieves sender’s public key and saves it for later use.

3. Sender creates a message (or file) and computes a message digest (hash) of the message, and then encrypts the hash with his private key.

4. Then the sender sends the original file plus the encrypted hash to the recipient.

5. The recipient receives the original file and the encrypted hash. The recipient computes a message digest (hash) of the original file and sets the result aside. She then decrypts the hash with the sender’s public key. The recipient compares the hash of the original file and the decrypted hash.

6. If the two hashes are identical, the recipient knows that a) the message in her possession is identical to the message that the sender sent, b) the sender is the originator, and c) the message has not been altered.

The use of digital signatures is depicted earlier in this chapter in Figure 6-6.

Digital Envelopes

One aspect of symmetric (private key) and asymmetric (public key) cryptography that has not been discussed yet is the computing requirements and performance implications of these two types of cryptosystems. It can be stated rather broadly that public key cryptography requires far more computing power than private key cryptography. The practical implication of this is that public key encryption of large sets of data can be highly compute-intensive, which makes its use infeasible on some occasions.

One solution to this is the use of a so-called digital envelope that utilizes the convenience of public key cryptography with the lower overhead of private key cryptography. The procedure for using digital envelopes works like this:

1. Sender and recipient agree that the sender will transmit a large message to recipient.

2. Sender selects or creates a symmetric encryption key, known as the session key, and encrypts the session key with recipient’s public key.

3. Sender encrypts the message with the session key.

4. Sender sends the encrypted message (encrypted with the session key) and the encrypted session key (encrypted with the recipient’s public key) to the recipient.

5. Recipient decrypts the session key with his private key.

6. Recipient decrypts the message with the session key.

The now-deprecated SET (secure electronic transaction, a predecessor to SSL/TLS) protocol uses digital envelopes. Digital envelopes require less computing overhead than the Diffie-Hellman key exchange, which is why digital envelopes may be preferred in some circumstances.

Public Key Infrastructures (PKI)

One of the issues related to public key cryptography is the safe storage of public encryption keys. While individuals are free to publish public keys online, doing so in a secure and controlled manner requires some central organization and control. A public key infrastructure (PKI) is designed to fulfill this and other functions.

A PKI is a centralized function that is used to store and publish public keys and other information. Some of the services provided by a PKI include:

• Digital certificates A digital certificate is a digital credential that consists of a public key and a block of information that identifies the owner of the certificate. The identification portion of a digital certificate will follow a standard, structured format and include such data as the owner’s name, organization name, and other identifying information, such as e-mail address. The public key and the identifying information will reside in a document that is itself digitally signed by a trusted party, known as a certificate authority (CA).

• Certificate authority (CA) A certificate authority (CA) is a business entity that issues digital certificates and publishes them in the PKI. The CA vouches for the identity of each of the digital certificates in a PKI; the CA applies certain safeguards to ensure that each digital certificate is genuine and really does belong to its rightful owner.

• Registration authority (RA) The registration authority (RA) operates within or alongside a CA to accept requests for new digital certificates. The RA vets the request, carefully examining it, and takes steps to verify the authenticity of the person making the request. This verification may include viewing government-issued ID cards or passports, or taking other steps as needed to make sure that the request is originating from the genuine person. When the RA is satisfied that the requestor is indeed the person making the request, the RA will issue a digital certificate. Part of the certificate issuance will be the delivery of private encryption keys to the requesting party. This may take place in person or over a secured electronic connection.

• Certificate revocation list (CRL) Some circumstances may require that a user’s digital certificate be cancelled or revoked. These circumstances include termination of employment (if a person’s certificate was issued expressly for employment-related purposes), or loss or compromise of a user’s private key. A CRL is an electronic list of digital certificates that have been revoked prior to their expiration date. In order to be effective, any consumer of digital certificates needs to consult a CRL to be doubly sure that a certificate remains valid.

• Certification practice statement (CPS) This is a published statement that describes the practices used by the CA to issue and manage digital certificates. This helps determine the relative strength and validity of digital certificates that are issued by the CA.

Key Management

The term key management refers to the various processes and procedures used by an organization to generate, protect, use, and dispose of encryption keys over their lifetime. Several of the major practices are described in this section.

Key Generation The start of an encryption key life cycle is its generation. While at first glance it would appear that this process should require little scrutiny, further study shows that this is a critical process that requires safeguards.

The system on which key generation takes place must be highly protected. If keys are generated on a system that has been compromised or is of questionable integrity, it would be difficult to determine whether key generation could have been electronically observed by a bystander. For instance, if a key logger or other process-spying tool were active in the system when keys were generated, that key generation may have been observable and details about the keys captured. This would mean that newly minted keys have already been compromised if their values are known to an outsider.

In many situations, it would be reasonable to require that systems used for key generation be highly protected, isolated, and used by as few persons as possible. Regular integrity checks would need to take place to make sure the system continues to be free of any problems.

Furthermore, the key generation process needs to include some randomness (or, as some put it, entropy), so that the key generation process cannot be easily duplicated elsewhere. If key generation were not a random event, it could be possible to duplicate the conditions related to a specific key and then regenerate a key with the very same value. This would instantaneously compromise the integrity and uniqueness of the original key.

Key Protection Private keys used in public key cryptosystems and private keys used in symmetric cryptosystems must be continuously and vigorously protected. At all times they must be accessible to only the parties that are authorized to use them. If protection measures for private encryption keys are compromised, it will be possible for a key compromise to take place.

A key compromise is any event where a private encryption key has been disclosed to any unauthorized third party. When a key compromise occurs, it will be necessary to re-encrypt all materials encrypted by the compromised key with a new encryption key.

Key Custody Key custody refers to the policies, processes, and procedures regarding the management of keys. This is closely related to key protection, but is focused on who manages keys and where they are kept.

Key Rotation Key rotation is the process of issuing a new encryption key and re-encrypting, with the new key, the data that was protected with the old one. Key rotation may occur when any of the following occurs:

• Key compromise When an encryption key has been compromised, a new key must be generated and used.

• Key expiration This happens in situations where encryption keys are rotated on a schedule.

• Rotation of staff In some organizations, if any of the persons associated with the creation or management of encryption keys transfers to another position or leaves the organization, keys must be rotated.

Key Disposal Key disposal refers to the process of decommissioning encryption keys. This may be done upon receipt of an order to destroy a data set that is encrypted with a specific encryption key—destroying an encryption key can be as effective as (and a whole lot easier than) destroying the encrypted data itself.

However, key disposal can present some challenges. If an encryption key is backed up to tape, for instance, disposal of the key will require that backup tapes also be destroyed.

Encryption Applications

Several applications utilize encryption algorithms. Many of these are well known and in common use.

Secure Sockets Layer/Transport Layer Security (SSL/TLS) SSL and TLS are the encryption protocols used to encrypt web pages requested with the HTTPS (Hypertext Transfer Protocol Secure) URL scheme. Introduced by Netscape Communications for use in its own browser, SSL and its successor, TLS, have become de facto standards for the encryption of web pages.

SSL provides several cryptographic functions, including public key encryption, private key encryption, and hash functions. These are used for server and client authentication (although in practice, client authentication is seldom used) and session encryption. SSL supports several encryption algorithms, including AES, RC4, IDEA, DES, and triple DES, and in several key lengths, from 40 bits to 256 bits and beyond.

S-HTTP (Secure Hypertext Transfer Protocol) Not to be confused with HTTPS, S-HTTP also provides encryption of web pages between web servers and web browsers. Because Netscape and Microsoft favored HTTPS, S-HTTP never caught on and is not widely supported.

Secure Multipurpose Internet Mail Extensions (S/MIME) S/MIME is an e-mail security protocol that provides sender and recipient authentication and encryption of message content and attachments.

Secure Shell (SSH) Secure shell is a multipurpose protocol that is used to create a secure channel between two systems. The most popular use of SSH is the replacement of the TELNET protocol, but it also supports tunneling of protocols such as X-Windows and FTP (File Transfer Protocol).

Secure Electronic Transaction (SET) SET is a now-deprecated protocol designed to protect Internet-based financial transactions. SET never caught on because it required the installation of a separate client program. HTTPS became the standard for encrypting web pages, and from there the preferred method for protecting online transactions as well.

SET offered greater protection of credit card transactions through the substitution of tokens for actual credit card numbers.

Voice over IP (VoIP)

Voice over IP (VoIP) is the term that encompasses several technologies that permit telephony that is transported over IP networks. Other terms associated with VoIP include Internet telephony and IP telephony. These terms all describe services for transporting voice, video, and facsimile over IP networks, including the Internet. Organizations that implement VoIP will incorporate one or more of the following:

• Trunking Here, organizations replace older-technology voice trunks with SIP (Session Initiation Protocol) trunks that have far greater capacity and lower costs. Trunks can connect an organization’s private branch exchange (PBX) to telecommunications providers that offer VoIP trunking. Also, an organization can connect its digital PBXs together via MPLS (Multiprotocol Label Switching) over IP WAN connections.

• Digital PBX Organizations replace older PBX systems with newer PBXs that support VoIP.

• VoIP handsets Digital and analog telephone sets are replaced with IP telephone sets that connect to the PBX via TCP/IP over Ethernet or Wi-Fi.

• VoIP clients Here, organizations replace telephone sets with software programs on workstations that communicate over TCP/IP to the PBX. These programs eliminate the need for separate telephone handsets.

VoIP Threats and Vulnerabilities

The primary threat to VoIP systems is the fact that an organization’s telephone network is connected to the TCP/IP network and thus vulnerable to all the types of attacks that plague workstations and servers. Furthermore, many VoIP components run on devices and systems that use conventional operating systems like Unix. That means that most VoIP components are vulnerable to the same class of threats that servers and workstations are subject to. These threats include:

• Eavesdropping Attackers may attempt to listen in to voice, video, and facsimile transmissions.

• Spoofing Attackers can send packets to VoIP devices, systems, and PBXs that impersonate other devices and systems. Possible reasons include stealing information, altering information, denial of service, toll fraud, and more.

• Malware This includes viruses, worms, Trojan horses, root kits, and so on.

• Denial of service This is an attack designed to disable a target system or network by flooding it either with an enormous volume of traffic or with specially crafted traffic designed to cause the target to malfunction.

• Toll fraud This is an attack designed to steal long-distance service by using another organization’s telephone network for one’s personal use.

These and other threats are not unique to VoIP but plague all kinds of IP and Internet-connected networks and systems. For a complete discussion on threats and vulnerabilities, see the section, “Logical Access Controls,” earlier in this chapter.

Protecting VoIP

Because VoIP systems communicate over TCP/IP, and because many are based on conventional operating systems, VoIP is protected through primarily the same measures that are used to protect other IT systems. The protection measures that are most effective include:

• System and device hardening

• Strict access controls and access management

• Anti-malware controls

• Firewalls

• Intrusion detection systems

These and other countermeasures are discussed in detail in the section, “Logical Access Controls,” earlier in this chapter.

Private Branch Exchange (PBX)

A private branch exchange, most commonly referred to as a PBX, is a private telephone switch used by an organization to manage its internal telephone calls, as well as telephone calls with parties in the public telephone network. Workers in an organization can often call one another with shortened phone numbers, such as four-digit extensions, and call “outside” numbers using a prefix such as “8” or “9.”

PBXs are connected to the public-switched telephone network (PSTN) via one or more “trunks,” which are telecommunications circuits designed to carry several simultaneous telephone conversations. Trunks are leased from common-carrier telecommunications carriers.

PBX Threats and Vulnerabilities

A variety of security issues affect PBXs. IT managers and security professionals need to be aware of these threats and vulnerabilities to be able to better protect them. Some of these include:

• Default passwords on administrator console This gives anyone with physical access to the PBX the ability to change the configuration of the PBX or extract data from it (including phone records and access controls). Passwords on many PBXs are left at factory default; this is an old practice still in place today.

• Dial-in modem Many PBXs employ an administrative dial-in modem so that the PBX administrator can perform remote administrative duties. Often, dial-in access uses either a default password or no authentication at all.

• Toll fraud One of the most enticing opportunities on a PBX is the ability to commit toll fraud by using it to place long-distance telephone calls. This is done by logging into the PBX (when passwords are weak or nonexistent) and changing its configuration to permit the attacker to place long-distance calls at the PBX owner’s expense.

• Espionage PBXs are also the target of attempts to eavesdrop on telephone conversations as well as retrieve phone records.

Many PBXs have IP connections to facilitate administrative access. PBXs with IP connectivity are subject to the broader scope of IP-related threats and vulnerabilities that are discussed in detail earlier in this chapter in the section, “Logical Access Controls.”

PBX Countermeasures

PBXs without IP connectivity are fairly easy to protect. Some of the most effective countermeasures include:

• Administrative access control Console and modem access should be configured with the strongest reasonable controls, including strong, complex passwords, administrative access logging, and dial-back modems.

• Physical access control Be sure that only authorized personnel have physical access to the PBX. A PBX should be protected with keycard and/or video surveillance so that the organization can positively identify individual personnel who access it.

• Regular log reviews Administrative personnel should regularly review access logs to verify that only authorized personnel are accessing administrative consoles and functions. Furthermore, toll records should be reviewed frequently to ensure that no toll fraud is taking place.

PBXs with IP connectivity will require additional IP-centric countermeasures that are similar to those required for servers and network devices.

Malware

Malware is the inclusive term that covers many types of malicious code, including viruses, worms, Trojan horses, root kits, and more. Malware is increasingly stealthy and potent, and if the past 20 years are any indication, malware will always be one step ahead of the measures that try to keep it at bay.

Blocking malware should not be a matter for discussion, any more than locks on the outside doors. The threat is just too real, and the consequences can be devastating.

Malware has many “attack vectors,” meaning it has many ways to get into an organization, which requires a variety of defenses operating simultaneously. It is no longer sufficient to just run antivirus software on end-user workstations; instead, it is necessary to employ other means for detecting and filtering malware.

Malware Threats and Vulnerabilities

Malware is capable of making a wide variety of mischief, as well as serious trouble, for organizations. The earliest viruses were relatively benign, whereas contemporary malware is able to produce a wide range of damage.

There are several classes of malware:

• Viruses These are fragments of code that attach themselves to .exe files (executable programs) and are activated when the program they are attached to is run.

• Worms These are stand-alone programs capable of human-assisted and automatic propagation.

• Trojan horses As the name suggests, these are programs that are purported to perform one function, but which actually perform other (or additional) undesired functions. For example, something might be advertised as a game that actually erases files (or does both).

• Spyware This type of software performs one or more surveillance-type actions on a computer, reporting back to the spyware owner. The most insidious form of spyware is the key logger, a software program (and also an implantable hardware device) that records user keystrokes and transmits them back to a central location.

• Root kits These are malware designed to hide themselves from the operating system as well as evade detection by antivirus software. Some root kits are also able to run “underneath” the operating system so that they are undetectable.

• Bots These are agents implanted by other forms of malware and which are programmed to obey remotely issued instructions. Collections of bots are called bot armies (botnets). These are built to create spam, propagate malware, attack target systems and networks, and host phishing sites.

The types of damage that malware can cause include:

• Computer slowdowns

• Alteration or destruction of data

• Eavesdropping on communications

• Stolen data

• Attack or damage to other systems

The vulnerabilities that malware is able to exploit include:

• Missing patches Many malware programs are designed to exploit known vulnerabilities that remain on many computers that do not have security patches installed.

• Unsecure configuration Old, outdated, or incorrectly set configuration settings can leave a computer vulnerable to attack.

• Faulty architecture Mistakes in a network’s architecture (for example, incorrect placement of a firewall that exposes too many systems) or errors in implementation can leave systems open to attack.

• Faulty judgment Mistakes and decisions that are based on incomplete knowledge can lead to configuration or architecture errors that introduce vulnerabilities.

The most common threats associated with malware include:

• Spam Junk e-mail often contains malware, or entices users to connect to web sites that contain malware. Spam also includes e-mail messages that advertise both legitimate goods and services as well as fakes; prescription medication is a good example of the phony merchandise that many people buy in the hopes of saving money.

• Phishing Some spam impersonates real government and private institutions, pretending to communicate urgent news to customers, who need to act quickly. A common ploy is an e-mail message from a bank telling customers that their bank accounts will be locked unless they respond by logging in to an imposter site. People who fall for these schemes inadvertently provide login credentials to thieves, who use them to transfer funds out of their victims’ accounts. Many similar schemes exist that attempt to steal money or other valuables from victims.

• Denial of service Some malware deliberately causes computers to malfunction. Plus, malware that is designed to rapidly spread from computer to computer over networks will cause high volumes of network traffic that make the networks, as well as computers, unusable.

• Stolen information Some malware is designed to intercept keystrokes and displayed information and relay that data back to a central location. The information of greatest interest is credit card numbers, bank account numbers, and user ID-and-password combinations for high-value sites such as online banking.

The Malware Industry

The face of malware is rapidly changing. Once the purview of hacker-hobbyists and script kiddies, malware is now the domain of large organized crime syndicates and cybercrime gangs. These are businesses with investors, research and development, and profit sharing. The only thing fundamentally different from legitimate businesses is that organized crime is in the business of conducting illegal operations, such as financial fraud.

The U.S. Treasury Department published a report in 2006 that claimed that, on a worldwide scale, organized crime is now making more profits from Internet-based fraud than from drug trafficking. And they are just getting better at it.

Anti-Malware Administrative Controls

Organizations’ anti-malware controls need to include several administrative controls to stop the introduction and spread of malware. These controls include policies such as:

• Spam policy Security policy and awareness training needs to include “don’t open strange or unusual e-mail messages, even from people you know” guidance to workers. Even in an environment with effective spam filters, some spam does get through, so this policy helps users think twice before opening such messages.

• Only business-related Internet access Because some malware spreads through malicious code implanted on web sites (and for other reasons, such as lost productivity), organizations may forbid their employees from visiting web sites with no direct business purpose.

• No removable media Malware can be introduced via removable media. In fact, the earliest viruses were spread via floppy disk. Today, many organizations forbid, and even actively block, the use of removable media such as USB drives and memory sticks.

• No downloading Because some malware is implanted in downloadable software, many organizations have enacted policies that forbid the practice of downloading software. Instead, requests are made to the IT service desk if additional software or tools are needed.

• No personally owned computers In many organizations, it was once okay to access the corporate network remotely using personally owned computers. Because the organization is unable to control the spread of malware on computers it does not own or control, the right place to draw the line is to enact a policy that forbids all but company-owned computers from connecting to any network, local or remote.

Malware: Avoiding Repeats of History

For the most part, organizations are serious about stopping malware at the network boundary. This is because they remember malware attacks of the past 10 years that incapacitated corporate networks for days at a time. Malware with names like I Love You, Code Red, Blaster, and SQL Slammer evoke memories of battles to keep corporate networks running.

Those were painful events that resulted in serious business disruption, sometimes enough to affect financial results. Pointed questions from senior executives, who often did not understand the rules of the new cyberwars, distracted IT managers from their primary objective: get the malware out of the network!

Anti-Malware Technical Controls

Because malware is so potent, and because some kinds of malware are able to spread without any human interaction or assistance, a defense-in-depth strategy for blocking it is needed in most organizations to make sure that malware has few opportunities to enter the network.

• Anti-malware on all servers and workstations Every workstation should have current anti-malware software. It should be configured to perform real-time malware detection, plus regular scans (daily in high-risk environments, weekly in others). Users should not be able to remove or tamper with anti-malware software, even if they are local administrators for their workstations. However, users should be able to perform scans on demand if they sense that something new in their system may be infected.

• Anti-malware on e-mail servers E-mail servers should have anti-malware programs designed to block malware on incoming and outgoing e-mail. This cannot be ordinary anti-malware software, but a type designed to run on an e-mail server and interoperate with the e-mail server programs.

• Anti-malware on web proxy servers/filters Organizations should have active or passive web proxy servers that have anti-malware software on board. This will prevent malware from entering an organization from web sites that users are visiting.

• Centralized anti-malware console Organizations should consider using enterprise versions of anti-malware software that provide central monitoring and configuration consoles. This gives the organization the ability to instantly see the “big picture” with regard to anti-malware controls. For instance, a console will show which workstations’ anti-malware programs are having trouble running or getting new updates and where infections are occurring.

• Intrusion prevention systems Organizations can employ agented or agentless intrusion prevention systems (IPSs) that will automatically sense activities typical of malware. An IPS has the ability to immediately disconnect an infected system from the network so that it cannot infect other systems or disrupt network traffic.

• Spam filters A lot of malware (not to mention phishing schemes and fraud) enters an organization through e-mail. Centralized spam filters can intercept and block spam before it even reaches the e-mail server. Many spam filters also have antivirus programs on them to scrub viruses from incoming e-mail—even when it comes from legitimate, known persons.

• Blocking use of removable media While external memory devices such as USB sticks and external hard drives are popular, they do represent a number of threats, including malware. Blocking removable media is also one measure that is effective against information leakage.

NOTE Blocking malware is not a one-time effort of procuring tools. Rather, this should be thought of as the “malware wars” that continue for long periods and require constant vigilance.

Information Leakage

Information leakage refers to the tendency for sensitive information to leak out of an organization’s databases through various means. Blocking opportunities for information leakage is a developing area in information technology today.

There are fundamentally two forms of information leakage: accidental and malicious. Accidental leakage occurs when, for instance, an employee selects the wrong recipients for an outgoing e-mail that contains sensitive information and mistakenly sends it to an external party, resulting in a potential security breach.

Deliberate information leakage occurs when an employee chooses to acquire sensitive data with the intention of taking it out of the organization. There are many reasons and motivations for this, including:

• Profit Some sensitive information, such as credit card and bank account numbers, is easily sold on the black market.

• Revenge If the employee senses that injustice has occurred—or will occur—in the organization, the employee may exact a form of revenge by taking copies of sensitive information for later use: extortion, exposure, or profit.

Leakage also occurs when malware intercepts logon credentials, resulting in a hacker’s ability to log in and steal sensitive information. Leakage is multifaceted and extends into other areas, including social engineering, malware, proper HR hiring procedures, and more.

Because of the numerous means available for users to deliberately remove data from the organization, several measures should be taken to limit those opportunities, including:

• Outbound e-mail filtering Outbound e-mail filters that check for information leakage can be used to observe what information is leaving the organization.

• Block removable media Through centralized automatic policies, organizations can prevent the use of USB media, writing to CD-ROM discs, and other actions contributing to information leakage.

• Blocking Internet access Users in the most sensitive functions (those with access to the most sensitive information) should be prevented from accessing any computer or network outside of the organization. This not only reduces the likelihood of malware infecting a sensitive system, but also reduces the opportunity for leakage.

• Tighter access controls Organizations should periodically examine their access controls for the most sensitive information, looking for ways to further reduce the ability for people to access that data, except in situations where they must for business purposes. When fewer people have access, there will be fewer opportunities for leakage.

• Access logging The organization should improve access logging so that all accesses (not just updates) to information are logged. This can be an effective detective control, since this would tell the organization who is accessing which data records. If the organization discloses the logging to its workers, this also becomes a deterrent control, not unlike video surveillance.

• Job rotation Staff members should be periodically shifted into other positions so that their opportunities for covertly extracting information are fewer. When organizations shift their employees on short notice and on sporadic schedules, employees are less likely to engage in information-pilfering schemes since they do not want to get caught.

• Periodic background checks Organizations should consider periodic background checks for employees in positions of access to sensitive information. Changes in an employee’s current background may provide additional incentives for employees to engage in unauthorized or illegal acts. For instance, an employee whose credit background has gone from good to terrible may be tempted to find ways to supplement his income, such as embezzlement or selling information on the black market. Also, an employee who started employment with a clean criminal record may, over time, turn to the dark side and enter a lifestyle of crime. That two-week vacation last year could actually have been a jail sentence.
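As an added example (not from the book), here is a minimal outbound e-mail filter of the kind described above: it inspects only messages that leave the organization and quarantines those carrying a document classification marker or a Luhn-valid payment card number, which also catches the wrong-recipient mistake described earlier. The organization's domain, the marker words, the message format, and the sample messages are assumptions.

```python
"""Outbound e-mail information-leakage filter.

Added example, not from the book. It checks a message only when at least one
recipient is outside the organization's domain (assumed to be example.com, a
placeholder) and quarantines it when it carries a classification marker or a
Luhn-valid payment card number. Messages are plain dicts constructed inline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ORG_DOMAIN = "example.com"                       # assumed internal mail domain
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "RESTRICTED")   # assumed marker words
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def external_recipients(recipients: list[str]) -> list[str]:
    """Recipients whose mail domain is not the organization's own."""
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() != ORG_DOMAIN]


@dataclass
class Verdict:
    action: str                          # "allow" or "quarantine"
    reasons: list[str] = field(default_factory=list)


def inspect_outbound(msg: dict) -> Verdict:
    """Decide whether an outgoing message may leave the organization."""
    if not external_recipients(msg["to"]):
        return Verdict("allow")          # stays internal: nothing leaves the organization
    text = msg.get("subject", "") + "\n" + msg.get("body", "")
    reasons = []
    for marker in CLASSIFICATION_MARKERS:
        if re.search(rf"\b{marker}\b", text, re.IGNORECASE):
            reasons.append(f"classification marker {marker!r} in message")
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid payment card number(s) in message")
    return Verdict("quarantine", reasons) if reasons else Verdict("allow")


# Constructed sample traffic (not real data); 4111 1111 1111 1111 is a Luhn-valid test number.
SAMPLE_MESSAGES = [
    {"to": ["finance@example.com"],                          # internal: card data stays inside
     "subject": "Refund", "body": "Card 4111 1111 1111 1111, please process."},
    {"to": ["alice@example.com", "partner@other-org.test"],  # wrong external recipient added
     "subject": "CONFIDENTIAL: Q3 refunds",
     "body": "Refund to card 4111 1111 1111 1111 approved."},
    {"to": ["courier@other-org.test"],                       # external but harmless
     "subject": "Shipment", "body": "Tracking number 1234567890123, thanks."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["to"], inspect_outbound(m))
```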

NOTE Employers should understand that a patient employee who is determined to remove information from the organization would probably be able to do so, despite many controls to prevent it.

Environmental Controls

Computers and networks operate in the physical world. Networks consist of devices like routers, switches, and firewalls, plus cabling within and between buildings. Computer systems and network devices are designed to operate within a narrow band of temperature, humidity, moisture, and cleanliness. When they operate within these bounds, they are likely to provide years of service, but even brief periods outside these bounds can significantly shorten the life of many components.

Organizations that employ computers and networks to support vital business processes need to provide suitable environments for them. Failure to do so can result in higher operating costs and business disruptions due to frequent downtime. This section discusses the environmental systems and controls required to maintain a suitable environment for computers and networks.

Environmental Threats and Vulnerabilities

Computer systems require special facilities that include reliable electric power, environmental controls, and physical security. By their very nature, the controls that support and protect computer systems are complex and require periodic maintenance in order to provide reliable service. Redundant controls or systems are often needed for organizations intolerant of downtime.

This section discusses electric power, cooling and humidity controls, fire detection and suppression, and physical security.

Electric Power Vulnerabilities

Computer systems require a steady diet of clean electric power. The quality and delivery of electric power from virtually every public utility falls far short of the needs required by IT systems. Several power-related events threaten the health of computer equipment, including:

• Spike or surge This is a sharp increase in voltage that lasts for only a fraction of a second.

• Inrush A sudden increase in current flowing to a device, usually associated with the startup of a large motor. This can cause a voltage drop that lasts several seconds.

• Noise This is the presence of other electromagnetic signals within incoming power.

• Dropout This is a momentary loss of power that lasts from a few milliseconds to a few seconds.

• Brownout This is a sustained drop in voltage that can last from several seconds to several hours.

• Blackout A complete loss of electric power for more than a few seconds.

All of these phenomena can damage computer and network equipment by damaging internal components that make them fail outright or through latent damage that may shorten the life of a component.

Physical Environment Vulnerabilities

Computer and network equipment is sensitive to changes in environmental conditions. The conditions that warrant discussion here are:

• Temperature Computer and network equipment generate potentially large volumes of waste heat that must be continuously siphoned away. Even a brief interruption in environmental systems can cause sharp rises in temperature that can damage equipment. Temperature that is too low can cause condensation on equipment, which can invite corrosion and even cause short circuits when it occurs on electrical components.

• Humidity Computer and network equipment must operate within a narrow band of humidity, usually 40 to 55 percent. When humidity drops below 40 percent, static buildup can occur that can damage sensitive electronics. Excessively high humidity can result in condensation, inviting corrosion and short circuits.

• Dust and dirt Computer and network equipment is designed to be used in clean environments that are reasonably free of dust and dirt. Dust and dirt can accelerate wear in mechanical components and clog air filters, causing heat buildup.

• Smoke and fire A fire that is in or near a data center can introduce smoke, which can damage computer and network equipment. Fire extinguishing agents such as water can also damage sensitive equipment. Fire departments often cut electric power to a building when there is a fire, so even equipment that is not threatened by the fire will suffer the effects of a blackout.

• Sudden unexpected movement Earthquakes can violently shake equipment, pulling it away from its fastenings. Personnel moving equipment may accidentally bump into other devices or snag or damage loose cabling.

Environmental Controls and Countermeasures

Several environmental control systems are required to counteract the threats and vulnerabilities discussed in this section. When designed and operated properly, these controls will contribute to high reliability and a good service record for IT equipment, which is sensitive to environmental conditions.

Electric Power

Because the quality of commercial utility electric power is usually insufficient for sensitive and critical computing equipment, several additional controls may be needed to improve the quality and/or quantity of available electric power. These controls are:

• Uninterruptible power supply (UPS) This is a system that filters incoming power of spikes and other noise, and supplies power for short periods through a bank of batteries. A UPS is sufficient for power outages that last from a few minutes to as long as a few hours (provided there is sufficient battery capacity). A UPS provides a continuous supply of electricity; when there is a brownout or blackout, power delivered to computer systems is unaffected.

• Electric generator This is a system consisting of an internal combustion engine powered by gasoline, diesel fuel, or natural gas that spins an electric generator. A generator can supply electricity for as long as several days, depending on the size of its fuel supply and whether it can be refueled.

• Dual power feeds An organization that is especially dependent on reliable electric power can consider using two separate power feeds that would ideally originate from separate utility substations.

• Power distribution unit (PDU) A power distribution unit is a device that distributes electric power to a computer room or data center. A PDU may be large and supply dozens of separate power circuits or be as small as a power strip. Some PDUs also have voltage step-down capabilities, converting higher-input voltages into voltage levels used by computer equipment.

These components are depicted in Figure 6-8.

Figure 6-8 Components in a facility power system

It is important to understand present and future electric power requirements so that the components discussed here can be appropriately sized. Some organizations with high reliability requirements may build fully redundant power systems consisting of dual power feeds, dual switchgears, generators, UPSs, and PDUs, delivering fully redundant power to each computer. Organizations that utilize redundant power systems usually refer to their power systems as “A side” and “B side” systems. Computer and network equipment that utilizes dual power supplies can take advantage of redundant power systems by connecting one power supply to the A side and one to the B side. This permits systems to continue functioning, even in the event of a complete failure of any single component in the facility’s power system.

Temperature and Humidity Controls

Because computing and network equipment sheds a large volume of waste heat, highly reliable and adequately sized HVAC (heating, ventilation, and air conditioning) systems are required.

The temperature in rooms containing computer and network equipment should range from 68 to 75°F, and humidity should range from 40 to 55 percent. In facilities with a considerable number of computer systems, this will require highly reliable and high-capacity HVAC systems.

It is recommended that facilities utilize an “N+1” design, which means that there should be at least one more HVAC system than is required to continuously cool the facility. For example, if a facility requires four HVAC systems for cooling, then at least five HVAC systems should be used. This permits adequate cooling to continue in the event one system fails or is being maintained.

Computer facilities should employ continuous temperature and humidity monitoring that regularly records readings, and alerts personnel when readings exceed safe levels. Sensitive equipment should also have internal temperature monitoring capabilities that alert support personnel when readings exceed tolerance. Systems that are sensitive to variations in temperature should have auto-shutdown capabilities in the event that support personnel are unable to respond in time.
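The monitoring, alerting, and auto-shutdown escalation just described, as an added example that is not from the book: every reading is recorded, a reading outside the 68 to 75°F and 40 to 55 percent bands raises an alert, and if nobody acknowledges within a grace period the monitor orders a shutdown. The reading format, the five-minute grace period, the sample readings, and the shutdown hook are assumptions.

```python
"""Data-center temperature and humidity monitor with alert escalation.

Added example, not from the book. It records every reading, raises an alert
when a reading leaves the book's safe ranges (68-75 F, 40-55 percent RH), and
orders an auto-shutdown if nobody acknowledges the alert within GRACE_SECONDS.
Readings, the grace period, and the shutdown action are assumed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

TEMP_RANGE_F = (68.0, 75.0)        # safe temperature band, degrees Fahrenheit
HUMIDITY_RANGE = (40.0, 55.0)      # safe relative humidity band, percent
GRACE_SECONDS = 300                # assumed time allowed for staff to acknowledge


@dataclass
class Reading:
    ts: int          # seconds since monitoring started (constructed timestamps)
    temp_f: float
    humidity: float


def violations(r: Reading) -> list[str]:
    """Describe every way a reading is outside the safe operating band."""
    problems = []
    lo, hi = TEMP_RANGE_F
    if not lo <= r.temp_f <= hi:
        problems.append(f"temperature {r.temp_f} F outside {lo}-{hi} F")
    lo, hi = HUMIDITY_RANGE
    if not lo <= r.humidity <= hi:
        problems.append(f"humidity {r.humidity}% outside {lo}-{hi}%")
    return problems


@dataclass
class Monitor:
    log: list[Reading] = field(default_factory=list)          # continuous record
    events: list[tuple[int, str, str]] = field(default_factory=list)
    alert_since: Optional[int] = None                         # ts of first bad reading
    acknowledged: bool = False
    shut_down: bool = False

    def acknowledge(self) -> None:
        """Staff confirm they are responding; escalation is suspended."""
        if self.alert_since is not None:
            self.acknowledged = True

    def ingest(self, r: Reading) -> None:
        self.log.append(r)
        if self.shut_down:
            return                                             # nothing more to protect
        problems = violations(r)
        if not problems:
            if self.alert_since is not None:
                self.events.append((r.ts, "clear", "readings back within safe band"))
            self.alert_since, self.acknowledged = None, False
            return
        if self.alert_since is None:
            self.alert_since = r.ts
            self.events.append((r.ts, "alert", "; ".join(problems)))
        elif not self.acknowledged and r.ts - self.alert_since >= GRACE_SECONDS:
            self.shut_down = True                              # placeholder for an orderly shutdown
            self.events.append((r.ts, "shutdown", "alert not acknowledged within grace period"))


def simulate(readings: list[Reading], ack_at: Optional[int] = None) -> Monitor:
    """Feed readings in order; optionally acknowledge right after the reading at ack_at."""
    m = Monitor()
    for r in readings:
        m.ingest(r)
        if ack_at is not None and r.ts == ack_at:
            m.acknowledge()
    return m


# Constructed one-minute readings: cooling fails after the first minute and
# the room warms by one degree per minute.
SAMPLE_READINGS = [Reading(0, 72.0, 48.0)] + [
    Reading(60 * i, 76.0 + i, 47.0) for i in range(1, 8)
]

if __name__ == "__main__":
    for ts, kind, detail in simulate(SAMPLE_READINGS).events:
        print(f"t={ts:4d}s {kind:8s} {detail}")
```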

Many computer rooms and data centers employ a raised floor system consisting of removable tiles. The space under the tiles acts as an air plenum for air conditioning systems; tiles with holes in them are strategically placed to direct cold air into areas requiring it. Tiled floors are typically 80 to 100 cm above the floor beneath.

Fire Prevention, Detection, and Suppression Controls

Virtually every local government authority requires fire detection, prevention, and suppression controls. However, the minimum controls may be considered inadequate for facilities containing expensive computer and network equipment. For example, regulations requiring water sprinkler suppression systems would certainly extinguish a fire in a data center, but the water would also cause considerable damage. For this reason, different types of detection and suppression systems are often used to protect valuable equipment from fire and suppression agent damage.

Fire Prevention Measures that help to prevent fires in the first place contribute to a safer environment. Some measures include:

• Combustibles Materials such as packing boxes and manuals should be stored away from computer equipment. Reductions in combustible materials make fires less likely to start or spread.

• Cleanliness Dust can sometimes trigger highly sensitive smoke detectors; this is another reason to practice good cleanliness measures in data centers.

• Electrical equipment maintenance Maintenance activities such as soldering should not be done near computer equipment. Smoke from soldering can trigger smoke detectors and cause a discharge in fire suppression agents.

Fire Detection Facilities can be equipped with more than the minimum required capabilities for smoke detection. Highly sensitive smoke and heat detection systems are available that can provide earlier warning. This gives personnel an added opportunity to identify the cause of the fire and suppress it with limited-impact means such as fire extinguishers. Such measures help to avoid a larger fire that would require more aggressive suppression measures.

Commercial buildings also employ many manually operated fire alarms, often called “pull stations,” where someone who sees a fire can pull the lever to set the alarm manually. In most cases, this causes fire alarms and bells to ring but does not trigger fire suppression.

Fire Suppression Most commercial facilities are required to have automatic or semi-automatic fire suppression systems. While the minimum is usually water-based sprinkler systems and a complement of hand-operated fire extinguishers, often an organization will make an investment in more sophisticated suppression systems that have less of an impact on computing equipment. But in some locations, even where advanced suppression systems are permitted, sometimes water-based systems are still required as a backup.

The types of centralized fire suppression systems include:

• Wet pipe In this type of system, all sprinkler pipes are filled with water. Each sprinkler head is equipped with a fuse—a heat-sensitive glass bulb—that breaks upon reaching a preset temperature. When this occurs, water is discharged from just that sprinkler head, which is presumably located near a fire. When water begins to flow, an automatic sensor trips a fire alarm. This is the most common type of sprinkler system.

• Dry pipe This type of system is used where ambient temperatures often drop below freezing. In this type of system, pipes are filled with compressed air. When sufficient heat causes one of the sprinkler head fuses to break, a control valve releases water into the piping. A delay of up to one minute occurs as water flows from the control valve to the sprinkler head.

• Pre-action This type of system is used in areas with high-value contents such as data centers. A pre-action system is essentially a dry pipe system until a “preceding” event, such as a smoke detector alarm, occurs; at this time, the system is filled with water and essentially converted in real time to a wet pipe system. Then, if the ambient temperature at any of the sprinkler heads is high enough, those fuses break, releasing water to extinguish the fire. Pre-action systems are more expensive and complicated than wet pipe or dry pipe systems.

• Deluge This type of system has dry pipes and all of the sprinkler heads are open. When the system is operated (for instance, when an alarm is triggered), water flows into the pipes and out of all of the sprinkler heads.

• Inert gas This is often the choice for computer centers because of its low impact on computing equipment and high effectiveness in fire suppression. Inert gas systems work by displacing oxygen from the room, bringing the concentration of oxygen down from the usual 21 percent to a lower figure, which slows the advancement of a fire. Through the 1980s, Halon 1301 was the substance of choice for inert gas systems. Declared a greenhouse gas in 1987, Halon 1301 has been replaced by other substances, such as FM-200.

In addition to centralized fire suppression systems, many commercial buildings are required to have hand-operated fire extinguishers. These come in a range of sizes, from 1 to 30 pounds, and have fire retardants of several types, including:

• Class A: Suitable for ordinary solid combustibles such as wood and paper

• Class B: Suitable for flammable liquids and gases

• Class C: Suitable for energized electrical equipment

• Class D: Suitable for combustible metals

• Class K: Suitable for cooking oils and fats

The five types listed here are U.S. standards. Different classifications are used in other countries.

Some facilities also use larger fire extinguishers that hold 50 pounds or more of fire retardant. These larger units are mounted on large-wheeled carts that can be pulled to the site of a fire.

Cleaning

Facilities containing computing and network equipment need to be kept clean, with dirt, dust, and debris kept to a minimum. While computer rooms do not need to be kept clean to the same extent as “clean rooms” (facilities that manufacture disk drives and computer chips), they do need to be regularly cleaned to prevent the buildup of dust, dirt, and other particles that will clog filters and get inside computers and network devices, shortening their life span.

Classification of Data Center Reliability

The Telecommunications Industry Association (TIA) released the TIA-942 Telecommunications Infrastructure Standards for Data Centers standard in 2005. The standard describes various aspects of data center design, including reliability. The standard describes four levels of reliability:

Tier I - Basic Reliability Power and cooling distribution are in a single path. There may or may not be a raised floor, UPS, or generator. All maintenance requires downtime.

Tier II - Redundant Components Power is in a single path; there may be redundant components for cooling. Includes raised floor, UPS, and generator. Most maintenance requires downtime.

Tier III - Concurrently Maintainable Includes multiple power and cooling paths, but with only one path active. Includes sufficient capacity to carry power and cooling load on one path while performing maintenance on the other path. Includes raised floor, UPS, and generator.

Tier IV - Fault Tolerant Includes multiple active power and cooling distribution paths. Includes redundant components, including UPS and generator. Includes raised floor.

Physical Security Controls

Physical security controls are primarily concerned with the protection of valuable or sensitive facilities (including those with computers and network devices) from unauthorized personnel. Controls are used to detect or prevent the entry of unwanted persons at these facilities. This section describes typical threats and vulnerabilities related to physical security and the controls and countermeasures that can be employed to protect a facility.

Physical Access Threats and Vulnerabilities

The threats and vulnerabilities in the realm of physical security are all associated with unwanted persons at business premises. A site without proper security controls may be subject to one or more threats, including these:

• Theft Persons who are able to enter a building may be able to steal equipment, records, or other valuable items.

• Sabotage Persons who may enter a building or work site may be able to damage or destroy valuable equipment or records.

• Espionage Persons may wish to conduct espionage in order to acquire information about the organization.

• Covert listening devices These are listening devices that can be placed in a building to overhear conversations and transmit them to a receiver located in a remote location. Covert listening devices are commonly known as bugs. Sometimes intruders plant bugs; bugs can also be hidden in articles that are delivered to a building (for example, in flower bouquets or gift baskets).

• Tailgating This is a specific technique that intruders may use when attempting to enter a building; they may follow an employee into a building without showing their own security credentials (for example, a keycard). This practice is also known as piggybacking.

• Propped doors Sometimes a front, rear, or side door that is equipped with security controls will be propped open for various reasons, including hot weather (to permit a cooling breeze to enter and cool the building), frequent traffic moving in or out, or persons going out for a quick smoke who don’t want the hassle of having to return to the building through another door.

• Poor visibility A facility may have exterior features that permit an unauthorized person to lurk about without being noticed. The person may be able to gain entry if he can discover a weakness before he is noticed himself.

Physical Access Controls and Countermeasures

Several controls can be used to improve the physical security of a worksite, reducing the threat of intruders and resultant theft or damage. Some of these controls are:

Image Keycard systems Authorized persons are issued electronically activated ID cards that can be used to momentarily activate entry doors that are usually locked. These systems record the date and time that persons entered each door. Some keycard systems are also equipped with a “PIN pad” that requires the person to enter a numeric PIN before the door will unlock. This helps to prevent someone who finds a keycard from entering a facility. Keycard systems can also utilize biometrics such as palm scan, fingerprint scan, or iris scan.

Image Cipher locks These are electronic or mechanical doors equipped with combination locks. Only persons who know the combination may unlock the door. Some cipher locks can be equipped with different combinations for each person and also record each entry.

Image Fences, walls, and barbed wire These barriers are used to prevent unauthorized persons from approaching a building, keeping them at a safe distance.

Image Bollards and crash gates These barriers prevent the entry of vehicles into protected areas. Some bollards can be retracted or removed when needed. Crash gates are hard barriers that lift into position, preventing the entry (or exit) of unauthorized vehicles, and can be lowered to permit authorized vehicles.

Image Video surveillance Video cameras, monitors, and recording systems can be used to record the movement of persons in or near sensitive areas.

Image Visual notices This includes signs and placards that warn intruders that premises are monitored and protected.

Image Bug sweeping Because most covert listening devices emit radio frequency radiation, it is possible to detect them through the use of a bug sweeper.

Image Security guards These are personnel who control passage at entry points or roam building premises looking for security issues such as unescorted visitors.

Image Guard dogs These assist security guards and can be used to apprehend and control trespassers.

NOTE A detailed risk analysis, including a study of physical facilities and access controls, should be used to determine which controls are appropriate for a facility.

Auditing Asset Protection

Auditing asset protection requires substantial knowledge about information technology, threats, vulnerabilities, countermeasures, and common asset protection practices. The IS auditor who lacks this knowledge will likely overlook threats or vulnerabilities that might be obvious to more knowledgeable auditors.

Auditing Security Management

Auditing security management activities requires attention to several key activities, including:

Image Policies, processes, procedures, and standards The auditor should request and examine information security policies to see what processes are required. This should be followed by requests to examine process and procedure documentation for key processes that are cited in security policies. The IS auditor should review the entire body of information security policy to determine if there is adequate coverage on every topic. Rather than examining the organization’s security policy in a vacuum, the auditor should compare it to an industry standard, such as ISO 17799, to ensure that the organization has not omitted any topic that should be included in its security policy.

Image Records For those security management processes that usually have associated recordkeeping, the auditor should examine business records to see whether processes are active.

Image Security awareness training The auditor should examine training materials, training procedures, and training records to determine the effectiveness of the organization’s security awareness training program. In various walkthroughs on this and other topics, the IS auditor should ask questions related to security awareness training, such as, “Have you received security awareness training?”, “Does your organization have a security policy?”, or “What security procedures are required for laptop computers?” to see whether employees can corroborate the effectiveness of the security awareness program.

Image Data ownership and management The IS auditor should inquire about the methodology used to determine ownership and management of business data. The key point with data ownership and management is accountability: When someone is responsible for management of a given data set, that person will ensure that only authorized parties have access to it and will take steps to ensure the continuing integrity of the data. The auditor should determine if there are company-wide policies and procedures on data management, or whether this is a disorganized or undocumented activity.

Image Data custodians Often, business owners of information and systems delegate management to the IT department, who will manage access on their behalf. If an organization manages data in this way, the IS auditor should identify whether data custodians effectively carry out the wishes of the data owner, or whether data custodians act on their own as if they are the owner.

Image Security administrators Often, an IT department will handle the day-to-day responsibilities of managing access to, and integrity of, business data. The IS auditor should determine if IT staff are knowledgeable about these duties and qualified to carry them out.

Image New and existing employees Data management is implicitly every employee’s responsibility. As individuals who are entrusted to properly access and use company data, individual employees are obligated to handle data properly, to keep data confidential, and to be alert for any misuse of data. The IS auditor should determine if any policies exist on this topic and whether security awareness training covers this theme.

Auditing Logical Access Controls

Auditing logical access controls requires attention to several key areas, including:

Image Network access paths

Image User access controls

Image User access logs

Image Investigative procedures

Image Internet points of presence

These topics are discussed in depth in this section.

Network Access Paths

The IS auditor should conduct an independent review of the IT infrastructure to map out the organization’s logical access paths. This will require considerable effort and may require the use of investigative and technical tools, as well as specialized experts on IT network architecture. The reason for this is that the IT network may have undocumented access paths that are deliberately hidden from most personnel, or the network may have unexpected access paths due to incorrect configuration of even a single device. For instance, the IS auditor or a security specialist may discover a hidden, unauthorized Wi-Fi access point in an office or data center network or a network back door in the form of a dial-in modem. The presence of deliberate or accidental back doors is a particular problem in larger organizations with highly complex network infrastructures that have many interconnections within the network and with external parties. Any of those connections could be a wide-open back door. Proving the absence of such a path is like proving that there is no spider in the room where you are now.

The IS auditor should request network architecture and access documentation to compare what was discovered independently against existing documentation. The auditor will need to determine why any discrepancies exist.

Similar investigations should take place for each application to determine all of the documented and undocumented access paths to functions and data. This topic is explored in Chapter 4, “IT Life-Cycle Management.”

Auditing User Access Controls

User access controls are often the only barrier between unauthorized parties and sensitive or valuable information. This makes the audit of user access controls particularly significant. Auditing user access controls requires keen attention to several key factors and activities in four areas:

Image User access controls, to determine if the controls themselves work as designed

Image User access provisioning, to determine if provisioning processes are effective

Image Password management, to determine if passwords are effectively managed

Image Employee transfers and terminations, to determine if accesses are managed and removed effectively

NOTE The IS auditor should not become so entrenched in the details of user access controls as to lose the big picture. One of the responsibilities of the IS auditor is to continue to observe user access controls from the “big picture” perspective to determine if the entire set of controls works together to effectively manage this important process.

Auditing User Access Controls Auditing user access controls requires attention to several factors, including:

Image Authentication The auditor should examine network and system resources to determine if they require authentication, or whether any resources can be accessed without first authenticating.

Image Authentication bypass The auditor should examine network and system resources to determine if it is possible to bypass user authentication methods. This may require the use of specialized tools or techniques. This needs to include penetration testing tools and application scanning tools to determine the presence of vulnerabilities that can be exploited to bypass authentication. For highly valued or sensitive data and applications that are Internet-accessible, hackers will certainly try these techniques in attempts to access and steal this information; the organization’s security staff should regularly attempt to determine the presence of any such vulnerabilities.

Image Access violations The auditor should determine if systems, networks, and authentication mechanisms have the ability to log access violations. These usually exist in the form of system logs showing invalid login attempts, which may indicate intruders who are trying to log in to employee user accounts.

Image User account lockout The auditor should determine if systems and networks have the ability to automatically lock user accounts that are the target of attacks. A typical system configuration is one that will lock a user account after five unsuccessful login attempts within a short period. Such a control helps to prevent automated password guessing attacks. Without such detective and preventive controls, intruders could write scripts that try every possible password until the correct one is found, enabling them to log in to the user account. Systems use different methods for unlocking such locked accounts: some will automatically unlock after a “cooling off period” (usually 30 minutes), or the user is required to contact the IT service desk and, after properly identifying themselves, get the account manually unlocked. The IS auditor should obtain policies, procedures, and records for this activity.

Image Intrusion detection and prevention The auditor should determine if there are any IDSs or IPSs that would detect authentication-bypass attempts. The auditor should examine these systems to see whether they have up-to-date configurations and signatures, whether they generate alerts, and whether the recipients of alerts act upon them.

Image Dormant accounts The IS auditor should determine if any automated or manual process exists to identify and close dormant accounts. Dormant accounts are user (or system) accounts that exist but are unused. These accounts represent a risk to the environment, as they represent an additional path between intruders and valuable or sensitive data. A dormant account could also be a back door, deliberately planted for future use. But chances are that most dormant accounts are user accounts that were assigned to persons who ended up not needing to access the environment, or terminated employees whose accounts were never cleaned up.

Image Shared accounts The IS auditor should determine if there are any shared user accounts; these are user accounts that are routinely (or even infrequently) used by more than one person. The principal risk with shared accounts is the inability to determine accountability for actions performed with the account. Through the 1990s, information systems were routinely designed with shared user accounts, and many such systems continue to use shared accounts. To the greatest extent possible, shared user accounts should be identified as audit exceptions and be replaced with individual user accounts.

Image System accounts The IS auditor should identify all system-level accounts on networks, systems, and applications. The purpose of each system account should be identified, and it should be determined if each system account is still required (some may be artifacts of the initial implementation or of an upgrade or migration). The IS auditor should determine who has the password for each system account, whether accesses by system accounts are logged, and who monitors those logs.
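The lockout and access-violation checks above can be performed against exported authentication logs. The following script is an added example, not from this book; it parses a constructed sample log (the line layout "date time user EVENT" is assumed) and reports accounts that reached five failures within a short window without a corresponding lock event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from any real system).
# Line layout "YYYY-MM-DD HH:MM:SS user EVENT" is an assumption for this example.
SAMPLE_LOG = """\
2024-03-04 08:00:01 alice LOGIN_FAILED
2024-03-04 08:00:05 alice LOGIN_FAILED
2024-03-04 08:00:09 alice LOGIN_FAILED
2024-03-04 08:00:14 alice LOGIN_FAILED
2024-03-04 08:00:20 alice LOGIN_FAILED
2024-03-04 08:00:21 alice ACCOUNT_LOCKED
2024-03-04 08:00:25 alice LOGIN_FAILED
2024-03-04 09:10:00 bob LOGIN_FAILED
2024-03-04 09:10:03 bob LOGIN_FAILED
2024-03-04 09:10:07 bob LOGIN_FAILED
2024-03-04 09:10:12 bob LOGIN_FAILED
2024-03-04 09:10:15 bob LOGIN_FAILED
2024-03-04 09:10:19 bob LOGIN_FAILED
2024-03-04 09:10:24 bob LOGIN_OK
2024-03-04 10:00:00 carol LOGIN_FAILED
2024-03-04 11:00:00 carol LOGIN_FAILED
2024-03-04 12:00:00 carol LOGIN_FAILED
2024-03-04 13:00:00 carol LOGIN_FAILED
2024-03-04 14:00:00 carol LOGIN_FAILED
2024-03-04 14:00:05 carol LOGIN_OK
"""

# Lockout policy the auditor is testing against: five failures within a short period.
THRESHOLD = 5
WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Turn the text log into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        day, clock, user, event = line.split()
        events.append((datetime.fromisoformat(f"{day} {clock}"), user, event))
    return events


def audit_lockout(events, threshold=THRESHOLD, window=WINDOW):
    """Classify each account seen in the log.

    'lockout_observed'  threshold reached and an ACCOUNT_LOCKED event followed
    'no_lockout'        threshold reached, yet login activity continued with no
                        lock event: the preventive control did not fire
    'below_threshold'   failures never reached the threshold inside the window
    'unverified'        threshold reached as the last event; nothing to check against
    """
    by_user = defaultdict(list)
    # Stable sort by timestamp keeps log order for events in the same second.
    for ts, user, event in sorted(events, key=lambda e: e[0]):
        by_user[user].append((ts, event))

    results = {}
    for user, evs in by_user.items():
        recent = []            # failure timestamps inside the sliding window
        expect_lock = False
        status = "below_threshold"
        for ts, event in evs:
            if expect_lock:
                # The very next event shows whether the system locked the account.
                status = "lockout_observed" if event == "ACCOUNT_LOCKED" else "no_lockout"
                break
            if event == "LOGIN_FAILED":
                recent = [t for t in recent if ts - t <= window]
                recent.append(ts)
                if len(recent) >= threshold:
                    expect_lock = True
            elif event == "LOGIN_OK":
                recent = []    # a successful login resets the failure count
        if expect_lock and status == "below_threshold":
            status = "unverified"
        results[user] = status
    return results


def lockout_findings(results):
    """Accounts that should have been locked but were not: audit exceptions."""
    return sorted(u for u, s in results.items() if s == "no_lockout")


if __name__ == "__main__":
    res = audit_lockout(parse_log(SAMPLE_LOG))
    for user, status in sorted(res.items()):
        print(f"{user:8} {status}")
    print("exceptions:", lockout_findings(res))
```

Carol's five failures are spread an hour apart, so they never fall inside one window and correctly produce no exception; bob's sixth attempt after five rapid failures is the control failure the auditor is looking for.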

Auditing Password Management Auditing password management requires attention to several key technologies and activities, including:

Image Password standards The IS auditor needs to examine password configuration settings on information systems to determine how passwords are controlled. Some of the areas requiring examination are:

Image Minimum length: How many characters must a password have and whether there is a maximum length

Image Complexity: Whether passwords must contain various types of characters (lowercase alphabetic, uppercase alphabetic, numeric, symbols), whether dictionary words are permitted, and whether permutations of the user ID are permitted

Image Expiration: How frequently must passwords be changed

Image History: Whether former passwords may be used again

Image Minimum time between changes: Whether users are permitted to change their passwords frequently (for instance, to cycle back to the familiar password they are used to)

Image Display: Whether the password is displayed when logging in or when creating a new password

Image Transmission: Whether the password is encrypted when transmitted over the network or if it is transmitted in plaintext

Image Storage: Whether the password is stored encrypted or hashed, or if it is stored in plaintext. If it is stored encrypted or in plaintext, the IS auditor needs to determine who has access to it.

Image Account lockout The IS auditor should determine if systems automatically lock user accounts after a series of unsuccessful login attempts. The auditor should determine how locked user accounts are unlocked—whether automatically or manually—and whether these events are logged.

Image Access to encrypted passwords The IS auditor should determine if end users are able to access encrypted/hashed passwords, which would enable them to use password cracking tools to discover other users’ and administrative passwords.

Image Password vaulting The IS auditor should determine if users are encouraged or required to use password vaulting tools for the safe storage of passwords and if administrative passwords are vaulted for emergency use.

Auditing User Access Provisioning Auditing the user access provisioning process requires attention to several key activities, including:

Image Access request processes The IS auditor should identify all user access request processes and determine if these processes are used consistently throughout the organization. The auditor should determine if there is one central user access request process, or if each environment has a separate process. The auditor should identify what data elements are required in a user access request—for instance, if the request specifies why and for how long the user needs this access. The auditor should examine business records to determine how access requests are documented.

Image Access approvals When studying the user access process, the IS auditor needs to determine how requests are approved and by what authority they are approved. The auditor should determine if system or data owners approve access requests, or if any accesses are ever denied (if no access requests are denied, the IS auditor should see if all requests are merely “rubber stamped” without any real scrutiny). The auditor should examine business records to look for evidence of access approvals.

Image New employee provisioning The IS auditor should examine the new employee provisioning process to see how a new employee’s user accounts are initially set up. The auditor should determine how a new employee’s initial roles are determined: Does a new user have an established “template” of accesses, or do requests simply state, “make John’s access just like Susan’s”? The auditor should determine if new employees’ managers are aware of the access requests that their employees are given and if they are excessive. Furthermore, the IS auditor should determine if access to applications requires any initial training of the user of the application, or if the organization just “turns them loose” to figure out how the application is supposed to be used. The IS auditor also needs to determine how initial user credentials are communicated to the new employee and if the method is secure and reasonable.

Image Segregation of duties (SOD) The IS auditor should determine if the organization makes any effort to identify segregation of duties. This may include whether there are any SOD matrices in existence and if they are actively used to make user access request decisions. Furthermore, the IS auditor should determine if the organization performs SOD reviews to identify persons who have access privileges within or among applications that would constitute SOD violations. The auditor should determine how violations are managed when they are found.

Image Access reviews The IS auditor should determine if there are any periodic access reviews and what aspects of user accounts are reviewed; this may include termination reviews, internal transfer reviews, SOD reviews, and dormant account reviews.

Auditing Employee Terminations Auditing employee terminations requires attention to several key factors, including:

Image Termination process The IS auditor should examine the employee termination process and determine its effectiveness. This examination should include understanding how terminations are performed and how user account management personnel are notified of terminations. The auditor should identify specific security policies to determine how quickly user accounts should be terminated. The auditor should examine HR records to see if all employee terminations correspond to user account management termination records.

Image Timeliness The IS auditor should examine termination records and the records on individual information systems to determine if user accounts are terminated in a timely manner. Typically, user accounts should be terminated within one business day, but in environments with particularly valuable or sensitive information, terminations should be processed within minutes or hours of a termination to ensure that a terminated employee cannot access systems immediately after being terminated (when passions often run high).

Image Access reviews The IS auditor should determine if any internal reviews of terminated accounts are performed, which would indicate a pattern of concern for effectiveness in this important activity. If such reviews are performed, the auditor should determine if any missed terminations are identified and if any process improvements are undertaken.

Image Contractor access and terminations In most organizations, a contractor’s tenure is not managed by HR, so the IS auditor needs to determine how contractor access and termination is managed and if such management is effective. The classic problem with contractors is that it’s sometimes difficult to precisely determine when a contractor no longer requires access to a system or network. The reason for this uncertainty lies in the nature of the contracted work: Sometimes the contractor performs services sporadically or on request, and sometimes months or even years pass between these events. Furthermore, contractors are often hired and fired by internal managers without any notification to or tracking by HR. In light of these aspects, it can be difficult to determine the effectiveness of contractor-related access management.
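The termination, timeliness, and contractor checks above lend themselves to a reconciliation of HR records against account status. This script is an added example with constructed sample records, not part of the book; the field names and the one-business-day policy are assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Policy assumed for this example: accounts disabled within one business day.
MAX_BUSINESS_DAYS = 1

# Constructed sample records (not from any real HR or directory system).
HR_TERMINATIONS = [
    {"employee_id": "E100", "terminated_on": date(2024, 3, 1)},   # Friday
    {"employee_id": "E101", "terminated_on": date(2024, 3, 1)},   # Friday
    {"employee_id": "E102", "terminated_on": date(2024, 3, 5)},   # Tuesday
    {"employee_id": "E103", "terminated_on": date(2024, 3, 6)},   # Wednesday
]

ACCOUNTS = [
    {"account": "alice", "employee_id": "E100", "disabled_at": datetime(2024, 3, 1, 17, 0)},
    {"account": "bob", "employee_id": "E101", "disabled_at": datetime(2024, 3, 4, 9, 0)},
    {"account": "carol", "employee_id": "E102", "disabled_at": datetime(2024, 3, 8, 10, 30)},
    {"account": "dave", "employee_id": "E103", "disabled_at": None},     # still enabled
    {"account": "erin", "employee_id": "E104", "disabled_at": None},     # still employed
    {"account": "ctr-frank", "employee_id": None, "disabled_at": None},  # contractor, unknown to HR
]


def business_days_after(start, end):
    """Count weekdays d with start < d <= end (0 when end is on or before start)."""
    count = 0
    d = start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


def reconcile_terminations(hr_terminations, accounts, max_business_days=MAX_BUSINESS_DAYS):
    """Compare HR termination records against account status.

    Returns three lists of audit exceptions:
      late       (account, business-day lag) disabled later than policy allows
      missing    terminated employee's account still enabled
      not_in_hr  accounts with no HR record (typically contractors), which need
                 a separate check of who authorised them and for how long
    """
    findings = {"late": [], "missing": [], "not_in_hr": []}
    by_employee = defaultdict(list)
    for acct in accounts:
        if acct["employee_id"] is None:
            findings["not_in_hr"].append(acct["account"])
        else:
            by_employee[acct["employee_id"]].append(acct)

    for term in hr_terminations:
        for acct in by_employee.get(term["employee_id"], []):
            if acct["disabled_at"] is None:
                findings["missing"].append(acct["account"])
                continue
            lag = business_days_after(term["terminated_on"], acct["disabled_at"].date())
            if lag > max_business_days:
                findings["late"].append((acct["account"], lag))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile_terminations(HR_TERMINATIONS, ACCOUNTS).items():
        print(f"{kind:10} {items}")
```

Bob's Friday termination disabled on Monday morning is within one business day; Carol's Tuesday termination disabled on Friday is three business days late.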

Auditing Access Logs

Auditing access logs requires attention to several key points, including:

Image Access log contents The IS auditor needs to determine what events are recorded in access logs. Events may include every user login and granular information, such as every program run and file accessed, or logs may include only invalid logon attempts (or not even that). The IS auditor needs to understand the capabilities of the system being audited and determine if the right events are being logged, or if logging is suppressed on events that should be logged.

Image Centralized access logs The IS auditor should determine if the organization’s access logs are aggregated or if they are stored on individual systems.

Image Access log protection The IS auditor needs to understand access log protection mechanisms. Primarily, the auditor needs to determine if access logs can be altered, destroyed, or attacked to cause the system to stop logging events. For especially high-value and high-sensitivity environments, the IS auditor needs to determine if logs should be written to digital media that is unalterable, such as optical WORM (write once read many) media.

Image Access log review The IS auditor needs to determine if there are policies, processes, or procedures regarding access log review. The auditor should determine if access log reviews take place, who performs them, how issues requiring attention are identified, and what actions are taken when necessary.

Image Access log retention The IS auditor should determine how long access logs are retained by the organization and if they are backed up.

Auditing Investigative Procedures

Auditing investigative procedures requires attention to several key activities, including:

Image Investigation policies and procedures The IS auditor should determine if there are any policies or procedures regarding security investigations. This would include who is responsible for performing investigations, where information about investigations is stored, and to whom the results of investigations are reported.

Image Computer crime investigations The IS auditor should determine if there are policies, processes, procedures, and records regarding computer crime investigations. The IS auditor should understand how internal investigations are transitioned to law enforcement.

Image Computer forensics The IS auditor should determine if there are procedures for conducting computer forensics. The auditor should also identify tools and techniques that are available to the organization for the acquisition and custody of forensic data. The auditor should identify whether any employees in the organization have received computer forensics training and are qualified to perform forensic investigations.

Auditing Internet Points of Presence

The IS auditor who is performing a comprehensive audit of an organization’s systems and networks needs to perform a “points of presence” audit to discover what technical information is available about the organization’s Internet presence. Some of the aspects of this intelligence gathering include:

Image Search engines Google, Yahoo!, and other search engines should be consulted to see what information about the organization is available. Searches should include the names of company officers and management, key technologists, and any internal-only nomenclature such as the names of projects.

Image Social networking sites Social networking sites such as Facebook, LinkedIn, MySpace, and Twitter should be searched to see what employees, former employees, and others are saying about the organization. Any authorized or unauthorized “fan pages” should be searched as well.

Image Online sales sites Sites such as Craigslist and eBay should be searched to see if anything related to the organization is sold online.

Image Domain names The IS auditor should verify contact information for known domain names, as well as related domain names. For instance, for the organization mycompany.com, the auditor should also search for domain names such as mycompany.net, mycompany.info, and mycompany.biz to see if they are registered and what contents are available.

Justification of Online Presence The IS auditor should examine business records to determine on what basis the organization established online capabilities such as e-mail, Internet-facing web sites, Internet e-commerce, Internet access for employees, and so on. These services add risk to the business and consume resources. The auditor should determine if a viable business case exists to support these services or if they exist as a “benefit” for employees.

Auditing Network Security Controls

Auditing network security controls requires a thorough understanding of network technologies, network security techniques, and the architecture of the organization’s network being audited. Any gaps in understanding may lead to insufficient scrutiny of the network, possibly resulting in a failure to identify serious deficiencies.

Architecture Review

The IS auditor needs to conduct a meticulous review of the organization’s network architecture. This will require an examination of architecture diagrams and documents, walkthroughs with key systems and network staff, and inspection of many system and network device configuration files.

NOTE The IS auditor needs to conduct an investigation into the available network paths, independent of any examination of documents, in order to discover any undocumented or unintended paths. This process is explained in more detail earlier in this section.

Auditing architecture requires attention to several key details, including:

Image Architecture diagrams The IS auditor should obtain and become familiar with high-level and detailed architecture diagrams that show the logical relationships between key network and system features.

Image Architecture documents Visual diagrams are usually accompanied by written documents that describe the purpose of various architectural features. The IS auditor should use these documents to supplement diagrams to get a more complete picture of the network architecture.

Image Support of business objectives The IS auditor should determine if the network’s architecture supports key business objectives.

Image Compliance with security policy The IS auditor should determine if the network’s architecture is compliant with the organization’s security policy. This may include the logical segregation of business functions, protection of key assets, and separation of responsibilities between departments.

Image Comparisons of documented versus actual The IS auditor should examine several key points in the documented network architecture to see if the network’s configuration actually reflects its documented design. The IS auditor should seek to understand any discrepancies found.

Image Change and review process The IS auditor should determine if the organization has any processes used to identify, review, and approve any network architecture changes. This is described more fully in the next section.

Auditing Network Access Controls

Auditing network access controls requires attention to several key factors and activities, including:

Image User authentication In environments that employ network-centric user authentication (such as Microsoft Active Directory or LDAP), IS auditors need to apply the full range of user access control audit procedures. See the section, “Auditing User Access Controls,” earlier in this chapter for a detailed discussion on this topic.

Image Firewalls The IS auditor should examine network architecture (described earlier in this section) and understand the role of firewalls in the network. With this understanding, the auditor should carefully examine network security policies, firewall access control lists, and configurations to determine if firewalls support security policy. The auditor should also examine change control records and firewall change records to determine if all firewall changes are approved and applied properly.

Image Intrusion detection system (IDS) The IS auditor should examine network security policy and IDS settings and logs to see if they detect violations of security policy.

Image Remote access The IS auditor should examine remote access policy to determine acceptable remote access scenarios. The auditor should then examine remote access servers and some workstations to determine if remote access infrastructure supports and enforces policy. Some issues to consider when auditing remote access include:

Image Whether user authentication over remote access is any stronger than authentication on the internal physical network

Image Whether remote access clients allow split tunneling

Image Whether remote access permits non-company-owned computers to remotely access network resources

Image Whether workstations missing security patches are permitted to connect via remote access

Image Whether workstations with nonfunctioning or out-of-date antivirus software are permitted to connect

Image Dial-up modems The IS auditor should determine if dial-up modems are permitted in the infrastructure. The auditor should use tools to independently verify if any dial-up modems exist in the infrastructure and if they permit access to the network.
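The firewall review above is partly mechanical: each rule can be checked against the written security policy and against the approved change records. This is an added example, not from the book, using a constructed ruleset and an assumed policy (the Internet may reach the DMZ only on ports 80 and 443, and never the internal network); the address ranges are documentation ranges, not any real network.

```python
import ipaddress

# Zones and policy assumed for this example (addresses are documentation ranges).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
DMZ_ALLOWED_PORTS = {80, 443}   # the only services policy exposes to the Internet

# Constructed firewall ruleset; "port" is an int or "any", "ticket" a change record id.
RULES = [
    {"id": "R1", "action": "allow", "src": "0.0.0.0/0", "dst": "192.0.2.10/32", "port": 443, "ticket": "CHG-101"},
    {"id": "R2", "action": "allow", "src": "0.0.0.0/0", "dst": "192.0.2.10/32", "port": 22, "ticket": "CHG-102"},
    {"id": "R3", "action": "allow", "src": "203.0.113.0/24", "dst": "10.1.5.0/24", "port": "any", "ticket": None},
    {"id": "R4", "action": "allow", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "port": "any", "ticket": "CHG-100"},
    {"id": "R5", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any", "ticket": "CHG-100"},
    {"id": "R6", "action": "allow", "src": "0.0.0.0/0", "dst": "192.0.2.20/32", "port": 80, "ticket": "CHG-999"},
]
# Constructed approved change control records.
APPROVED_TICKETS = {"CHG-100", "CHG-101", "CHG-102"}


def policy_violations(rule):
    """Reasons an 'allow' rule conflicts with the assumed security policy."""
    reasons = []
    if rule["action"] != "allow":
        return reasons
    src = ipaddress.ip_network(rule["src"])
    if src.subnet_of(INTERNAL):
        return reasons          # outbound traffic from the internal network is permitted
    dst = ipaddress.ip_network(rule["dst"])
    if dst.overlaps(INTERNAL):
        reasons.append("external source permitted into the internal network")
    if dst.overlaps(DMZ) and (rule["port"] == "any" or rule["port"] not in DMZ_ALLOWED_PORTS):
        reasons.append(f"external source to DMZ on port {rule['port']}, "
                       f"policy allows only {sorted(DMZ_ALLOWED_PORTS)}")
    return reasons


def review_ruleset(rules, approved_tickets):
    """Return (rule id, category, detail) findings for policy and change-control gaps."""
    findings = []
    for rule in rules:
        for reason in policy_violations(rule):
            findings.append((rule["id"], "policy", reason))
        ticket = rule.get("ticket")
        if not ticket:
            findings.append((rule["id"], "change", "no change ticket recorded"))
        elif ticket not in approved_tickets:
            findings.append((rule["id"], "change", f"ticket {ticket} not in approved change records"))
    return findings


if __name__ == "__main__":
    for rule_id, category, detail in review_ruleset(RULES, APPROVED_TICKETS):
        print(f"{rule_id} [{category}] {detail}")
```

R3 is the case the network access path discussion warns about: a partner range permitted straight into the internal network with no change record at all.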

Auditing Change Management

Auditing network change management requires attention to several key factors and activities, including:

Image Change control policy The IS auditor should examine the organization’s change control policy to understand how change is supposed to be controlled and managed.

Image Change logs The IS auditor should determine if information systems contain automatic logs that contain all changes to systems and if these logs are reviewed by IT staff to ensure that only approved changes are being made to systems. The auditor should examine procedures and records to determine what actions are taken when unapproved changes are discovered.

Image Change control procedures The IS auditor needs to examine change control procedures and examine records to determine if procedures are effective and are being followed.

Image Emergency changes The IS auditor should examine change control policy, procedures, and records to see how emergency changes are handled and how they are approved.

Image Rolled-back changes The IS auditor should examine change control records to see what changes needed to be rolled back because of problems. The auditor should determine how these situations were handled.

Image Linkage to software development life cycle (SDLC) The IS auditor should understand how the organization’s software development life cycle is integrated with its change management processes to ensure that only completed and properly functioning software changes are proposed for promotion into production.

NOTE The IS auditor should examine all of these aspects of change management to understand whether the organization is really in control of its environment.

Auditing Vulnerability Management

Auditing vulnerability management requires attention to several key factors and activities, including:

Image Alert management The IS auditor should determine if the organization actively searches for or subscribes to security alert bulletins. The auditor should examine procedures and records to see if any alert bulletins result in responsive actions such as applied security patches or configuration changes.

Image Penetration testing The IS auditor should determine if the organization performs any penetration testing on its own network and system infrastructure. The auditor should examine procedures and records to determine if the organization’s penetration testing program is effective. The auditor should see if vulnerabilities are mitigated and confirmed.

Image Application scanning The IS auditor should determine if the organization performs any application vulnerability scanning on its software applications to identify vulnerabilities. He or she should examine procedures and records to determine if the organization’s application scanning process is effective.

Image Patch management The IS auditor should examine procedures and records to determine if the organization performs any patch management activities. These activities might consist of a periodic review of available security and functionality patches and whether any patches are applied to production systems. The auditor should determine if patches are tested on nonproduction environment systems to understand their impact.

Complementary Penetration Testing The IS auditor should consider the use of penetration testing during a network security audit. A penetration test begins with discovery: identifying the active systems on a network and the services listening on those systems. Vulnerability scanning goes a step further and identifies known weaknesses in those services, and a full penetration test goes further still by attempting to exploit them to demonstrate what an attacker could actually reach. The auditor should keep these levels distinct; a report that lists open ports and scanner findings is not evidence that exploitability was confirmed.

Auditing Environmental Controls

Auditing environmental controls requires knowledge of building mechanical and electrical systems as well as fire codes. The IS auditor needs to be able to determine whether such controls are effective and whether they are cost-effective. Auditing environmental controls requires attention to several factors and activities, including:

Image Power conditioning The IS auditor should determine whether power conditioning equipment, such as UPS units, line conditioners, surge protectors, or motor generators, is used to correct electrical anomalies such as noise, surges, and sags. He or she should examine procedures and records to see how frequently this equipment is inspected and maintained and whether this is performed by qualified personnel.

Image Backup power The IS auditor should determine if backup power is available via electric generators or UPS and how frequently they are tested. He or she should examine maintenance records to see how frequently these components are maintained and if this is done by qualified personnel.

Image Heating, ventilation, and air conditioning (HVAC) The IS auditor should determine if HVAC systems are providing adequate temperature and humidity levels, and if they are monitored. Also, the auditor should determine if HVAC systems are properly maintained and if qualified persons do this.

Image Water detection The IS auditor should determine whether water detectors are installed in rooms housing computing equipment, including beneath raised floors where leaks first collect. He or she should determine how frequently these are tested and whether they are monitored.

Image Fire detection and suppression The IS auditor should determine if fire detection equipment is adequate, if staff members understand their function, and if they are tested. He or she should determine how frequently fire suppression systems are inspected and tested, and if the organization has emergency evacuation plans and conducts fire drills. The auditor should examine the inspection tags on fire suppression equipment, including sprinkler valves and fire extinguishers, to see if their inspections are up-to-date. He or she should check the walls in data centers to ensure that they extend all the way to the real floor and ceiling, and not merely to the raised floor and dropped ceiling.

Image Cleanliness The IS auditor should examine data centers to see how clean they are. IT equipment air filters and the inside of some IT components should be examined to see if there is an accumulation of dust and dirt.


NOTE The IS auditor may need to consult with electrical and mechanical engineers to determine if power conditioning, backup power, HVAC systems, and fire detection and suppression equipment are in good working order and are adequately sized to meet the organization’s needs.

Auditing Physical Security Controls

Auditing physical security controls requires knowledge of natural and manmade hazards, physical security controls, and access control systems.

Siting and Marking

Auditing building siting and marking requires attention to several key factors and features, including:

Image Proximity to hazards The IS auditor should estimate the building’s distance to natural and manmade hazards, such as:

Image Dams

Image Rivers, lakes, and canals

Image Natural gas and petroleum pipelines

Image Water mains and pipelines

Image Earthquake faults

Image Areas prone to landslides

Image Volcanoes

Image Severe weather such as hurricanes, cyclones, and tornadoes

Image Flood zones

Image Military bases

Image Airports

Image Railroads

Image Freeways

The IS auditor should determine if any risk assessment regarding hazards has been performed and if any compensating controls that were recommended have been carried out.

Image Marking The IS auditor should inspect the building and surrounding area to see whether buildings containing information processing equipment identify the organization or the nature of the facility. Marking may be visible on the building itself, but also on signs, lobby directories, or parking stickers on vehicles. A facility that is not marked is less likely to be singled out as a target.

Auditing Physical Access Controls

Auditing physical access controls requires attention to several key factors, including:

Image Physical barriers This includes fencing, walls, barbed/razor wire, bollards, and crash gates. The IS auditor needs to understand how these are used to control access to the facility and determine their effectiveness.

Image Surveillance The IS auditor needs to understand how video and human surveillance are used to control and monitor access. He or she needs to understand how (and if) video is recorded and reviewed, and if it is effective in preventing or detecting incidents.

Image Guards and dogs The IS auditor needs to understand the use and effectiveness of security guards and guard dogs. Processes, policies, procedures, and records should be examined to understand required activities and how they are carried out.

Image Keycard systems The IS auditor needs to understand how keycard systems are used to control access to the facility. Some points to consider include:

Image Work zones: Whether the facility is divided into security zones and which persons are permitted to access which zones

Image Records: Whether keycard systems record personnel movement

Image Provisioning: What processes and procedures are used to issue keycards to employees. See the earlier section on managing user access for more details.

Image Access reviews: Whether the organization performs reviews of access logs and user access lists

Image Visitors: How visitors are handled in terms of building access

Image Incidents: What procedures are in place to respond to access incidents
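The records and access review points above lend themselves to a scripted review. The following is an added Python example, not code from the page or from any keycard product: it compares a badge access list against the HR roster and replays the movement log against each badge's zone authorizations, producing the exceptions an auditor would raise (terminated staff still holding badges, badges used after separation, grants into zones the holder is not authorized for, after-hours entry to the data center, unknown badges, and dormant badges). Every person, badge, zone and event is constructed sample data; the 06:00 to 20:00 business hours and the 90-day dormancy threshold are assumed review criteria.

```python
"""Keycard access log and access list review.

Added example: all people, badges, zones and events are constructed sample
data; BUSINESS_HOURS and DORMANT_DAYS are assumed review criteria.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional

BUSINESS_HOURS = (time(6, 0), time(20, 0))  # assumed review criterion
DORMANT_DAYS = 90                            # assumed review criterion
RESTRICTED_ZONE = "DATA-CENTER"              # zone whose after-hours entries are reviewed


@dataclass(frozen=True)
class Person:
    badge: str
    name: str
    zones: frozenset                   # zones this badge is authorized to open
    terminated: Optional[date] = None  # HR separation date, if any


@dataclass(frozen=True)
class Event:
    when: datetime
    badge: str
    zone: str
    granted: bool   # door released (True) or access denied (False)


def review(people, events, as_of):
    """Replay badge events against the access list; return findings by type."""
    findings = {k: [] for k in ("terminated_active", "terminated_used",
                                "unauthorized_grant", "after_hours",
                                "unknown_badge", "dormant")}
    by_badge = {p.badge: p for p in people}
    last_use = {}

    # Access list still carries badges for people HR reports as separated.
    for p in people:
        if p.terminated and p.terminated <= as_of:
            findings["terminated_active"].append(p.badge)

    for e in sorted(events, key=lambda e: e.when):
        if not e.granted:
            continue                     # denials are expected; grants are reviewed
        p = by_badge.get(e.badge)
        stamp = e.when.isoformat()
        if p is None:
            findings["unknown_badge"].append((e.badge, stamp))
            continue
        last_use[e.badge] = e.when
        if p.terminated and e.when.date() > p.terminated:
            findings["terminated_used"].append((e.badge, stamp))
        if e.zone not in p.zones:        # system granted what the list does not permit
            findings["unauthorized_grant"].append((e.badge, e.zone, stamp))
        if e.zone == RESTRICTED_ZONE and not (
                BUSINESS_HOURS[0] <= e.when.time() <= BUSINESS_HOURS[1]):
            findings["after_hours"].append((e.badge, stamp))

    # Active badges unused in the review window are candidates for revocation.
    for p in people:
        if p.terminated:
            continue
        last = last_use.get(p.badge)
        if last is None or (as_of - last.date()).days > DORMANT_DAYS:
            findings["dormant"].append(p.badge)
    return findings


# Constructed sample data (placeholder names and badge numbers).
PEOPLE = [
    Person("B100", "A. Admin", frozenset({"LOBBY", "OFFICE", "DATA-CENTER"})),
    Person("B200", "B. Clerk", frozenset({"LOBBY", "OFFICE"})),
    Person("B300", "C. Former", frozenset({"LOBBY", "OFFICE"}), terminated=date(2024, 2, 15)),
    Person("B400", "D. Dormant", frozenset({"LOBBY"})),
]
EVENTS = [
    Event(datetime(2024, 3, 1, 8, 5), "B100", "DATA-CENTER", True),
    Event(datetime(2024, 3, 2, 23, 40), "B100", "DATA-CENTER", True),   # after hours
    Event(datetime(2024, 3, 3, 9, 0), "B200", "DATA-CENTER", True),     # not authorized
    Event(datetime(2024, 3, 3, 9, 1), "B200", "OFFICE", True),
    Event(datetime(2024, 3, 4, 7, 30), "B300", "OFFICE", True),         # after termination
    Event(datetime(2024, 3, 5, 10, 0), "B999", "LOBBY", True),          # badge not on list
    Event(datetime(2024, 3, 5, 10, 2), "B200", "DATA-CENTER", False),   # denied, expected
]


def review_sample(as_of=date(2024, 4, 30)):
    """Run the review over the constructed sample as of a review date."""
    return review(PEOPLE, EVENTS, as_of)


if __name__ == "__main__":
    for kind, items in review_sample().items():
        print(f"{kind}: {items}")
```

An unauthorized_grant finding is the most serious of these: it means the keycard system released a door that the approved access list says the holder may not open, so the control configuration itself, not just the provisioning process, needs to be examined.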

Notes

Image The foundation of an effective information security program is an information security policy that includes executive support and well-defined roles and responsibilities.

Image A security awareness program is used to communicate security policy, procedures, and other security-related information to an organization’s employees. Security training should be administered upon hire and regularly thereafter.

Image An organization needs to continuously monitor and periodically audit its processes and systems to ensure that security controls effectively protect information systems and assets.

Image An information classification program defines levels of sensitivity and handling procedures for each classification level.

Image Access controls are used to control access to programs and data. Access control methods include authentication, authorization, access control lists, and encryption, as well as physical access controls. Access controls are usually implemented in several technology layers, including physical, operating system, database, and application. Because access controls are subject to a variety of threats, they should be regularly tested to ensure that they remain effective.

Image Third-party service organizations that store, transmit, or process an organization’s information should be required to implement controls that result in a level of risk that is the same as or lower than if the organization managed the information itself.

Image An organization should implement controls to ensure that its personnel have an appropriate background prior to employment and that their behavior is monitored and controlled during employment.

Image Organizations need to implement controls to prevent and processes to respond to computer crimes and security incidents. Response processes should be periodically tested. Some personnel should be trained in forensic investigation techniques.

Image Stored information needs to be protected through several controls, including access controls and logging, sound user access management processes, patch management, vulnerability management, anti-malware, system hardening, and backup.

Image Organizations need to implement effective network security controls, including firewalls and other access controls, protection of mobile devices, encryption of sensitive communications, protection of wireless networks, and prevention of information leakage, all to control access and prevent security incidents.

Image Organizations need to implement effective controls to assure high-integrity environments for their computer systems and networks. These controls include power conditioning and backup power systems, temperature and humidity control, and fire detection and suppression systems.

Summary

Information security management is concerned with the identification and protection of valuable and sensitive assets. Security management begins with executive support of the organization’s information security program, including the development and enforcement of an organization-wide information security policy. Several processes also support security management, including security monitoring, auditing, security awareness training, incident response procedures, information classification, vulnerability management, service provider management, and corrective and preventive action processes.

Security roles and responsibilities need to be explicitly developed and communicated. Managers and staff need to demonstrate knowledge of their roles and responsibilities through proper decisions and actions.

Access management is a critical activity in a security management program. Access controls are often the only thing standing between valuable or sensitive information and parties who wish to access it. Access management consists of several separate but related processes, including user access management, network access management, and access log review.

Computers are used as instruments of crimes, can be used to support criminal activity, and are the target of crimes. Criminal activities are a threat to organizations, whether the activity is espionage, data theft, fraud, or sabotage.

Several techniques are used to protect sensitive and valuable information from disclosure to unauthorized parties. These techniques include user access controls, network access controls, anti-malware, system and network hardening, and encryption. Many threats exist that require a variety of countermeasures, many of which require continuous vigilance and effort.

Physical and environmental controls are required to safeguard the physical safety and reliability of computing and network equipment. These controls include power system improvements; heating, cooling, and humidity controls; fire control systems; and physical access controls, such as keycard systems, fences, walls, and video surveillance.

Questions

1. A fire sprinkler system has water in its pipes, and sprinkler heads emit water only if the ambient temperature reaches 220°F. What type of system is this?

A. Deluge

B. Post-action

C. Wet pipe

D. Pre-action

2. An organization is building a data center in an area frequented by power outages. The organization cannot tolerate power outages. What power system controls should be selected?

A. Uninterruptible power supply and electric generator

B. Uninterruptible power supply and batteries

C. Electric generator

D. Electric generator and line conditioning

3. An auditor has discovered several errors in user account management: many terminated employees’ computer accounts are still active. What is the best course of action?

A. Improve the employee termination process

B. Shift responsibility for employee terminations to another group

C. Audit the process more frequently

D. Improve the employee termination process and audit the process more frequently

4. An auditor has discovered that several administrators in an application share an administrative account. What course of action should the auditor recommend?

A. Implement activity logging on the administrative account

B. Use several named administrative accounts that are not shared

C. Implement a host-based intrusion detection system

D. Require each administrator to sign nondisclosure and acceptable-use agreements

5. An organization that has experienced a sudden increase in its long-distance charges has asked an auditor to investigate. What activity is the auditor likely to suspect is responsible for this?

A. Employees making more long-distance calls

B. Toll fraud

C. PBX malfunction

D. Malware in the PBX

6. An auditor is examining a key management process and has found that the IT department is not following its split-custody procedure. What is the likely result of this failure?

A. One or more individuals are in possession of the entire password for an encryption key

B. One or more individuals are in possession of encrypted files

C. Backup tapes are not being stored at an off-site facility

D. Two or more employees are sharing an administrative account

7. A programmer is updating an application that saves passwords in plaintext. What is the best method for securely storing passwords?

A. Encrypted with each user’s public key

B. Encrypted with a public key

C. Encrypted with a private key

D. Hashed

8. An organization experiences frequent malware infections on end-user workstations that are received through e-mail, despite the fact that workstations have antivirus software. What is the best measure for reducing malware?

A. Antivirus software on web proxy servers

B. Firewalls

C. Antivirus software on e-mail servers

D. Intrusion prevention systems

9. An auditor has reviewed the access privileges of some employees and has discovered that employees with longer terms of service have excessive privileges. What can the auditor conclude from this?

A. Employee privileges are not being removed when they transfer from one position to another

B. Long-time employees are able to successfully guess other users’ passwords and add to their privileges

C. Long-time employees’ passwords should be set to expire more frequently

D. The organization’s termination process is ineffective

10. An organization wants to reduce the number of user IDs and passwords that its employees need to remember. What is the best available solution to this problem?

A. Password vaults for storing user IDs and passwords

B. Token authentication

C. Single sign-on

D. Reduced sign-on

Answers

1. C. A wet pipe fire sprinkler system is charged with water at all times and discharges water from any individual sprinkler head whose fusible link or glass bulb has reached its preset temperature; only the heads that reach that temperature open.

2. A. The best solution is an electric generator and an uninterruptible power supply (UPS). A UPS responds to a power outage by providing continuous electric power without interruption. An electric generator provides backup power for extended periods.

3. D. The best course of action is to improve the employee termination process to reduce the number of exceptions. For a time, the process should be audited more frequently to make sure that the improvement is effective.

4. B. Several separate administrative accounts should be used. This will enforce accountability for each administrator’s actions.

5. B. The auditor is most likely to suspect that intruders have discovered a vulnerability in the organization’s PBX and are committing toll fraud.

6. A. Someone may be in possession of the entire password for an encryption key. For instance, split custody requires that a password be broken into two or more parts, where each part is in possession of a unique individual. This prevents any one individual from having an entire password.
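The split-custody rule in this answer can be enforced mechanically rather than by procedure alone. The following is an added Python example, not code from the page: the passphrase protecting a key is divided among custodians so that no single person holds enough to reconstruct it. Rather than handing each custodian a run of characters, which would leak part of the secret to each of them, the shares are produced by XOR secret sharing: every share is uniformly random on its own, and only the combination of all of them recovers the passphrase. The passphrase and custodian names are constructed placeholders.

```python
"""Split custody of a key passphrase by XOR secret sharing.

Added example: the passphrase and custodian names are constructed.
"""
import secrets
from typing import Dict, List


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, n: int) -> List[bytes]:
    """Split `secret` into n shares; all n are required to reconstruct it.

    The first n-1 shares are independent random strings; the last share is
    the XOR of the secret with all of them. Any n-1 shares together are
    therefore uniformly random and reveal nothing about the secret.
    """
    if n < 2:
        raise ValueError("split custody requires at least two custodians")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = xor(last, s)
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """XOR all shares back together; wrong if any share is missing or altered."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor(out, s)
    return out


# Constructed sample: the passphrase protecting a key-encryption key, to be
# held by three custodians (placeholder names).
PASSPHRASE = b"constructed-sample-passphrase-2024"
CUSTODIANS = ["custodian-A", "custodian-B", "custodian-C"]


def issue_shares() -> Dict[str, bytes]:
    """Return {custodian: share}; each custodian receives exactly one share."""
    return dict(zip(CUSTODIANS, split_secret(PASSPHRASE, len(CUSTODIANS))))


def custodians_can_recover(held: Dict[str, bytes]) -> bool:
    """True only when every custodian is present and their shares recombine."""
    if set(held) != set(CUSTODIANS):
        return False
    return combine_shares([held[c] for c in CUSTODIANS]) == PASSPHRASE


if __name__ == "__main__":
    held = issue_shares()
    print("all custodians present:", custodians_can_recover(held))
    two = [held["custodian-A"], held["custodian-B"]]
    print("two of three recover passphrase:", combine_shares(two) == PASSPHRASE)
```

The audit test that corresponds to this answer is whether any one individual holds, or has access to, more than one share; the scheme above makes a single share useless, but it does nothing to stop one person from being issued two.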

7. D. Passwords should be stored as hashes rather than encrypted, so that no one, including administrators, can retrieve the original password; a stolen password database would otherwise lead directly to account compromise. In practice the hash must be salted and computed with a deliberately slow password-hashing function (such as PBKDF2, bcrypt, scrypt, or Argon2); a fast unsalted hash such as bare MD5 or SHA-1 can be reversed with precomputed tables or brute force.
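What the programmer in this question should write, as an added Python example that is not code from the page: a salted PBKDF2-HMAC-SHA256 record with the work factor stored alongside the hash, constant-time verification, a check for records that need rehashing, and a one-time migration of a plaintext table. The iteration count is an assumed work factor and the user table is constructed sample data; Argon2id would be the preferred choice but needs a third-party library, whereas everything here is in the standard library.

```python
"""Storing passwords as salted, slow hashes instead of plaintext.

Added example: ITERATIONS is an assumed work factor; LEGACY is constructed.
"""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """What NOT to do: a bare SHA-256 is identical for identical passwords,
    so one precomputed table cracks every user who chose the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash."""
    salt = secrets.token_bytes(SALT_BYTES)        # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        alg, iters, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except ValueError:
        return False                                # malformed record never verifies
    if alg != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)        # no early-exit timing leak


def needs_rehash(record: str) -> bool:
    """True when a stored record uses an older algorithm or a weaker work factor,
    so it can be upgraded the next time the user logs in successfully."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


# Constructed plaintext table of the kind the question describes.
LEGACY = {"alice": "correct horse battery", "bob": "hunter2"}


def migrate_plaintext_store(plaintext_store: dict) -> dict:
    """One-time conversion of {user: plaintext} to {user: hash record}."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


if __name__ == "__main__":
    store = migrate_plaintext_store(LEGACY)
    print(store["alice"][:40], "...")
    print("alice ok:", verify_password("correct horse battery", store["alice"]))
    print("alice wrong:", verify_password("correct horse batterx", store["alice"]))
```

The record format carries its own parameters so the work factor can be raised later without invalidating existing users: verify_password honors whatever iteration count a record was written with, and needs_rehash tells the application to write a fresh record after the next successful login.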

8. C. Implementing antivirus software on e-mail servers will provide an effective defense-in-depth, which should help to reduce the number of viruses encountered on end-user workstations.

9. A. User privileges are not being removed from their old position when they transfer to a new position. This results in employees with excessive privileges.

10. D. The most direct solution to the problem of too many user credentials is reduced sign-on. This provides a single authentication service (such as LDAP or Active Directory) that many applications can use for centralized user authentication.
