AIS 5136 - INFORMATION SECURITY AND MANAGEMENT
Chapter 5: Identity and Access Management
Part 2
5.1 Authorization Issues - Introduction
● Authorization process used for access control
requires that the system be able to identify
and differentiate among users.
● Access rules (authorization) specify who can
access what.
➢ Example: Access control based on
least privilege,
● Access should be on a documented
need-to-know and need-to-do basis by type
of access.
● When IS auditors review computer
accessibility, they need to know what can be
done with the access and what is restricted.
● Access restrictions at the file level generally
include the following:
a. Read, inquire, or copy only
b. Write, create, update, or delete only
c. Execute only
d. A combination of the above
● Least dangerous type of access: read only, as
long as the information being accessed is not
sensitive or confidential.
➢ This is because the user cannot alter
or use the computerized file beyond
basic viewing or printing.
Access Control List
● Access authorization tables, also referred to
as access control lists (ACLs): used to provide
security for the fule and facilities listed
previously.
● ACLs refer to a register of:
○ Users (s (including groups, machines
and processes) who have permission
to use a particular system resource.
○ The types of access permitted.
● ACLs vary in capability and flexibility.
➢ Some only allow specifications for
certain preset groups (e.g., owner,
group and world),
● Advanced ACLs:
○ allow much more flexibility, such as
user-defined groups.
○ can be used to explicitly deny access
to a particular individual or group
○ access can be at the discretion of the
policy maker (and implemented by the
security administrator) or individual
user, depending upon how the
controls are technically implemented
● When users changes job roles within an
organization, often their old access rights are
not removed before adding their new required
accesses.
➢ Without removing the old access
rights, there could be a potential SoD
issue.
Logical Access Security Administration
● In a client-server environment, the access I&A
and authorization process can be
administered either through a centralized or
decentralized environment.
● Advantages of decentralized environment are:
○ The security administration is onsite at
the distributed location.
○ Security issues are resolved in a
timely manner.
○ Security controls are monitored on a
more frequent basis.
● Risks of decentralized environment:
○ Local standards might be
implemented rather than those
required by the organization.
○ Levels of security management might
be below what can be maintained by
a central administration.
○ Management checks and audits that
are often provided by central
administration to ensure that
standards are maintained might be
unavailable.
● Controls for remote and distributed sites
(decentralized):
○ Software controls over access to the
computer, data files and remote
 access to the network should be
implemented.
○ The physical control environment
should be as secure as possible, with
additions, such as lockable terminals
and a locked computer room.
○ Access from remote locations via
modems and laptops to other
microcomputers should be controlled
appropriately.
○ Opportunities for unauthorized people
to gain knowledge of the system
should be limited by implementing
controls over access to system
documentation and manuals.
○ Controls should exist for data
transmitted from remote locations,
such as sales in one location that
update accounts receivable files at
another location.
➢ The sending location should
transmit control information,
such as transaction control
totals, to enable the receiving
location to verify the update
of its files.
➢ When practical, central
monitoring should ensure that
all remotely processed data
have been received
completely and updated
accurately.
○ When replicated files exist at multiple
locations, controls should ensure that
all files used are correct and current
and, when data are used to produce
financial information, that no
duplication arises.
Remote Access Security
● Remote access connectivity to their
information resources is required for many
organizations for different types of users, such
as employees, vendors, consultants, business
partners and customer representatives
● Remote access users can connect to their
organization’s networks with the same level of
functionality that exists within their office.
➢ In doing so, the remote access design
uses the same network standards and
protocols applicable to the systems
that they are accessing.
Common Connectivity Methods for Remote
Access
● TCP/IP Internet-based remote access: a
cost-effective approach that enables
organizations to take advantage of the public
network infrastructures and connectivity
options available, under which Internet service
providers (ISPs) manage modems and dial-in
servers
➢ Internet service providers (ISPs) -
manage modems and dial-in servers
➢ DSL and cable modems - reduce
costs further to an organization
● Virtual private network (VPN): used to
communicate securely data packets over the
internet
● Advantages of VPNs:
a. ubiquity
b. ease of use
c. inexpensive connectivity
d. read, inquiry or copy only access
● Disadvantages of VPNs:
a. less reliable
b. no central authority,
c. difficult to troubleshoot
● Use of VPNs can create holes in security
infrastructure
● Preventive controls: Intrusion detection
systems (IDS) and virus scanners
● Good practice: terminate all VPNs to the same
endpoint
● Less common method: use of dial-up lines
(modem asynchronous point-to-point or
integrated services digital network- ISDN)
● Most common protocol: Remote Access
Dial-in User Service (RADIUS) and Terminal
Access Controller Access ControlSystem
(TACACS)
● Good security practice: terminate call AFTER
recording the number.
● Standard security practice: NAS to initiate a
 call back ○ Proper authorizations
● Remote access server (RAS): server whose ○ Identification and authentication
OS is set-up to accept remote access; dial-up mechanisms
connectivity not based on centralized control; ○ Encryption tools and techniques
not recommended ➢ such as use of a VPN
● Dedicated network connections: use private ○ System and network management
network circuits;considered safest; used by
branch/regional offices 5.2 Audit Logging in Monitoring System
● Advantages of dedicated network Access
connections include Audit Logging and Monitoring System Access -
a. greater performance gains in data Introduction
throughput and ● Security Features of access control software:
b. reliability, and enable a security administrator to automatically
c. data on a dedicated link belonging to log and report all levels of access attempts—
the subscribing organization, where successes and failures alike
an intruder would have to ➔ Applied by most access control
compromise the telecommunications software
provider itself to access the data link. ➢ Example: access control software can
● Disadvantages of dedicated network log computer activity initiated through a
connection logon ID or computer terminal
○ cost is typically two- to five-times ● Provides an Audit trail: to monitor activities of
higher than connections to the suspicious nature, such as a hacker attempting
Internet brute force attacks on a privileged logon ID
● Remote access risk includes the following: ● Keystroke logging: can be turned on for users
a. Denial of service (DoS) - remote who have sensitive access privileges
users may not be able to gain access ➔ What is logged is determined by the
to data or applications that are vital action of the organization.
for them to carry out their day-to-day ● Issues:
business 1) What is logged?,
b. Malicious third parties - these may 2) Who has access to logs?, and
gain access to critical applications or 3) How long logs are retained?
sensitive data by exploiting (recors-retention item)
weaknesses in communications
software and network protocols Audit Logging and Monitoring System Access –
c. Misconfigured communications Access Rights to System Logs
software - may result in unauthorized ● Access rights to system logs for security
access or modification of an administrators to perform the previous
organization’s information resources activities should be strictly controlled
d. Misconfigured devices on the ● Who should have access to system logs?
corporate computing infrastructure ➢ Computer security managers and
e. Host systems that are not secured system administrators/managers
appropriately - can be exploited by should have access for review
an intruder gaining access remotely purposes;
f. Physical security issues - over ➢ Security and/or administration
remote users’ computers. personnel who maintain logical
● Remote access controls include the following: access functions may not need to
○ Policy and standards access audit logs
● It is particularly important to ensure the
integrity of audit trail data against
modification.
○ Use of digital signatures, write-once
devices, security information and
event management (SIEM) system
● Audit trail files/records should be protected:
➔ Why? Intruders may try to cover their
tracks by modifying audit trail records
➔ How? By strong access controls to
help prevent authorized access
● Integrity of audit trail information may be
particularly important when legal issues arise
- Use of audit trails as legal evidence
➢ require daily printing and
signing of the logs
- Questions regarding such legal issues
should be directed to the appropriate
legal counsel.
● Confidentiality of audit trail information may
be protected if the audit trail is recording
information about users that may be
disclosuresensitive, such as transaction data
containing personal information
➢ before and after records of
modification to income tax data
● Media logging is used for accountability
➔ Logs with control numbers or other
tracking data, such as:
1. the times and dates of
transfers,
2. names and signatures of
individuals involved, and
3. other relevant information
➔ Conduct periodic spot checks or
audits to determine
a. no controlled items have been
lost and
b. all are in the custody of
individuals named in control
logs
➔ Use of automated media tracking
systems are helpful in maintaining
inventories of tape and disk libraries
Audit Logging and Monitoring System Access –
Tools for Audit Trail (Logs) Analysis
● Purpose of the tools developed:
- to help reduce the amount of
information contained in audit records
and
- to delineate useful information from
the raw data
● Audit trail software: on most system, audit trail
software can create large files, which can be
extremely difficult to analyze manually
● Use of automated tools: likely to be the
difference between unused audit trail data and
an effective review
● Types of tools:
a) Audit reduction tools:
- Reduce volume of audit trail:
They are preprocessors
designed to reduce the volume
of audit records to facilitate
manual review.
- Remove records of little
significance: this is before a
security review; may cut in half
the number of records in the
audit trail
- Remove records generated by
specified classes of events:
these may be records
generated by nightly backups
b) Trend/variance-detection tools
- Look for anomalies s in user
or system behavior
- More sophisticated
processors that monitor
usage and detect variations
can be constructed
➢ Example: If a user typically
logs in at 09:00 but appears
at 04:30 one morning, this
may indicate a security
problem that may need to be
investigated
c) Attack-signature-detection tools
- Look for an attack signature,
which is a specific sequence
 of events indicative of an
unauthorized access attempt
➢ Example: repeated failed
logon attempts
d) Security information and event
management (SIEM) systems:
- Capture audit trails/ logs and
perform real-time analysis
- Can be configured to perform
automated tasks based upon
the alerts
➢ Example: launching a
vulnerability scan or
commanding the
firewall to close a
certain port
Audit Logging and Monitoring System Access –
Cost Considerations
● Audit trails involve many costs that factor into
IT’s determination as to how much logging is
enough
● System overhead is incurred while recording
the audit trail
➢ Additional system overhead will be
incurred to store and process the
records.
➢ The more detailed the records, the
more overhead is required.
● In some systems, logging every event could
cause the system to lock up or slow to the
point at which response time would be
measured in minutes.
➔ this is not acceptable if IT is properly
aligned with the needs of the business
● Another cost consists of human and machine
time to perform the analysis;
➔ can be minimized by using tools to
perform most of the analysis
➔ Use of simple analyzers can be
constructed quickly and inexpensively
from system utilities, but they are
limited to audit reduction and the
identification of particularly sensitive
events
➔ More complex tools, such as SIEM
systems, will be more expensive both
to purchase and to implement
● Final cost of audit trails: cost of investigating
unexpected events and anomalous events
➔ If the system is identifying too many
events as suspicious, administrators
may spend undue time reconstructing
events and questioning personnel.
● Frequency of review of reports = Sensitivity of
the computerized information being protected
➔ The more sensitive, the more
frequency
● IS auditor: ensure that the logs cannot be
tampered with, or altered, without leaving an
audit trail
● When reviewing or performing security access
follow-up, the IS auditor should look for:
○ Patterns or trends that indicate abuse
of access privileges,
➢ example: concentration on a
sensitive application
○ Violations (such as attempting
computer file access that is not
authorized) and/or use of incorrect
passwords
● Actions when a violation is identified:
1. Refer problem to security
administrator for investigation
➔ The person who identified the
violator should refer the
problem
2. Investigate and determine severity of
the violation
➔ The security administrator and
responsible management
should work together
➔ Generally, most violations are
accidental.
3. Notify executive management, not the
law enforcement officials, if violation
attempt is serious
➔ Executive management
normally is responsible for
notifying law enforcement
officials.
 ➔ Involvement of external resource (data set or file) and at what level
agencies may result in (read or update)
adverse publicity that is ● The access control mechanism applies these
ultimately more damaging rules whenever a user attempts to access or
than the original violation; use a protected resource
therefore, the decision to ● Access control naming conventions:
involve external agencies ➔ Are structures to govern user access
should be left to executive to the system and user authority to
management. access or use computer resources,
4. Set-up procedures to manage public such as:
relations and the press
a) Files
5. Provide written guidelines to identify
b) Programs
types and levels of violations, and
how these will be addressed c) terminals
➔ To facilitate proper handling of ➔ Are required in a computer
access violations environment to establish & maintain
➔ This effectively provides personal accountability and SOD in
direction for judging the the access of data
seriousness of a violation. ➔ Are set-up by the owners (with the
6. Apply consistent disciplinary action help of the security officer) of the
➔ Must be a formal process
data or application
that is applied consistently
➔ Naming conventions should promote
➔ This may involve a
the implementation of efficient
- Reprimand - to
access rules and simplify security
criticize adversely or
formally (admonish) administration
- probation or ● The NEED of Sophisticated naming
- immediate conventions over access controls: depend
termination. on importance and level of security needed
➔ The procedures should be to ensure that unauthorized access has not
legally and ethically sound to been granted
reduce the risk of legal action ● Naming conventions for system resources:
against the company. pre-requisite for efficient
7. Include in the corrective measures the implementation/administration of security
review of access rules controls
➔ not only for the perpetrator
but for interested parties Example system resources:
➔ Excessive or inappropriate
access rules should be 1) Data sets
eliminated. 2) Volumes
3) Programs
5.3 Naming Conventions for Logical Access 4) Employee Workstations
Controls
● Structure of naming conventions: resources
● Access capabilities: are implemented by the
beginning with same high-level qualifier can
security administration in a set of access
be governed by one or more generic rule(s)
rules which stipulate which users/group of
➔ This reduces the number of rules
users are authorized to access what
 required to adequately protect monitoring mechanisms to ensure
resources which in turn, protect unauthorized access are prevented or
security administration and detected or corrected.
maintenance efforts

5.4 Federated Identity Management 5.5 Auditing Logical Access

Federated Identity Management (FIM) ● Obtain a general understanding of security

● Definition: arrangement for multiple risk facing information processing through:
enterprises; to use common identification data
a) Review of relevant documentation
of users; to provide access
➢ AKA Identity Federation b) Inquiry
● A corporate entity may initiate such federation c) Observation
for group enterprises within corporate control d) Risk Assessment and Evaluation
● Main objective: make access easy for users Techniques
● Identify federation: links user’s identity
across multiple security domains, each ● Document and evaluate controls over
supporting its own identity management access paths over potential access paths, to
system assess their:
● Two federated domains: a user
authenticated in its home domain can access 1) Adequacy
resources in the other domains without 2) Efficiency
separate login process 3) Effectiveness by/how:
● Advantages of identity federation: economic
advantage and convenience
➔ Reviewing appropriate hardware,
➢ For example: multiple corporations
software, and security features
can share a single application,
➔ Identifying any deficiencies or
resulting in cost-savings and
redundancies
consolidation of resources.
● Test the controls over access paths to
● Effective FIM: the partners must have a
determine whether they’re functioning &
presence of mutual trust, generally
effective by applying appropriate audit
established through contracts and secured
channel for message transmission techniques
➢ Partnering organizations policies: ● Evaluate access control environment to
must adhere to security requirements determine if the control objectives are
of members, which can sometimes be achieved by analyzing test results and other
complicated due to different security audit evidence
requirements and rules set by each
enterprise.
● Evaluate the security environment to assess
➔ When an organization is a
its adequacy by:
member of multiple federations,
the process of ensuring 1. Reviewing written policies
accuracy of policies can be
2. Observing practices and procedures
time-consuming, costly and
and comparing with appropriate
complex.
practices, standards, or procedures
● IS auditor: should review the need for identity
used by the organization
federation; should review policies and
Auditing Logical Access — FAMILIARIZATION the unnecessary services such as:
1. Those connected with remote
WITH THE IT ENVIRONMENT
procedure calls
● First step of the audit
2. Sending emails
● Obtaining a clear understanding of technical,
3. Network management & library
managerial and security environment of the IS
routines
processing facility
● Common activities: interviews, physical • Parameter settings and configuration
walkthrouqhs, documentation reviews, of PC OS should be investigated; ports
assessing of risks not used must be closed

Auditing Logical Access — ASSESSING AND 2) Second

DOCUMENTING THE ACCESS PATHS • One or more servers on which the

● Access path: logical route an end-user takes application to be used/invoked
to access computerized information
➔ Similar to the OS of the PC in the
● Starts with terminal/workstation and ends
previous sequence
with data being processed/accessed ● Server OS must be patched
➔ Numerous hardware & software are according to the suggestions of the
encountered supplier of the OS
● IS auditor: should evaluate hardware and • Virus defense should be updated;
software components for implementation and Outdated OS version and virus
physical & logical access security defenses can be exploited by attackers
● Special considerations should be given to: • Server OS should be hardened
a) Origination and authorization of data deleting the unnecessary services such
b) Validity and correctness of input data as:
c) Maintenance of affected OSs (attaching, 1. Those connected with remote
hardening, and closing the procedure calls
unnecessarily open ports) 2. Sending emails
3. Network management &
SEQUENCE OF COMPONENTS
library routines
1) First • Parameter settings and configuration
• End user signs to PC which is part of of server OS should be investigated;
the LAN; ports not used must be closed
➔ physically secure PC
➔ restrict logon ID/password
used for the sign-on 3) Third
• PC OS must be patched according to ● Telecommunications software/LAN
the suggestions of the supplier of the server/Terminal emulator (if
OS connected to a mainframe) intercepts
● Malware defense should be updated the logon to direct it to the proper
● Outdated OS version and virus telecommunication link
defenses can be exploited by ○ The telecommunication
attackers software can restrict the
● PC OS should be hardened, deleting specific data or application
 software
● Key audit issue: to ensure all applications
have been identified/defined within the
software, and optional telecommunication
control and processing features used are
appropriate and approved by management
● Analysis here needs the aid of a system
software analyst
4) Fourth
● Transaction processing software may
be the next component in the access
path
● Transaction processing software
routes transactions to the proper
application software
● Key audit issues: ensure appropriate
identification/authentication (log-on
ID & password) and authorization of
the user to gain access to the
application
● Analysis here is by reviewing internal
tables that reside in the transaction
processing software or to a separate
security software (access restricted
to security administrator)
5) Fifth
● Application software is encountered
and processes transactions
according to the program logic
● Audit issue: restrict access
production software library to ONLY
the implementation coordinator
6) Sixth
● DBMS directs access to computerized
Information
● Audit issues: ensure that-
a) all data elements are identified in
the data dictionary
b) access to data dictionary is
restricted to the DB Administrator
c) all data elements are subject to
the logical access control
● the application now can be
accessed in this sequence
7) Seventh
• The access control software may
wrap logical access security around all
of the above components
- Done via internal security tables
• Audit issues: ensure that-
a) all the above or previous
components are defined to
the access control software,
providing access rules that
define who can access what
on a need-to-know basis
b) security table access is
restricted to the security
administrator
NOTE:
• Discipline is needed in developing
application systems
• IS auditor:
● Should evaluate the control
objectives referring to the origination
and authentication of the application
data
● Should evaluate the control measures
used in data input and processing
● What is the effect of omitting control
objectives and measures?
to ○ Makes the application
vulnerable to attacks either
from within or without
(especially from the Internet)
● Firewalls do not protect applications
against the types of attacks that come
from the HTTP (hypertext transfer protocol)
communication, that is usually permitted
on applications
○ HTTP: this is the protocol, standard,
 rule, or guideline used to transfer data confidentiality
over the web. It is part of the internet
protocol suite that defines the
commands and services used for
Auditing Logical Access — REVIEWING
transmitting webpage data
REPORTS FROM ACCESS CONTROL
SOFTWARE
● Do firewalls protect, in this case

Auditing Logical Access — INTERVIEWING

● Reporting features: provide security
SYSTEM PERSONNEL
administrator and used for the opportunity
● Technical experts: required; to control and
to monitor adherence to security policies
maintain access path components, as well as
● Purpose of reviewing sample security
the OS and computer mainframe;
○ These people can be a valuable reports: to determine if-
source of information to the IS ○ Information is enough to support
Auditor when gaining an investigation
understanding of security ○ Security administrator is doing an
effective review
● Determination of Technical experts: IS auditor
should meet with IS manager and review org. Unsuccessful attempts
charts and job descriptions ● Should be reported
● Key people: security administrator, network ● Should identify relevant information about
control manager, systems software manager the access attempt, such as:
(focus on interviewing them) a) Time
○ Security administrator should be b) Terminal
asked on his duties, responsibilities &
c) Log -on
function of his position
d) The file or data element
○ If answers are not sufficient or do not
support sound control practices or do
not adhere to the written job Auditing Logical Access — REVIEWING
description, IS auditor should APPLICATIONS SYSTEMS OPERATIONS
compensate by expanding the scope MANUAL
by testing access controls
● In addition, the IS auditor should determine • Application systems manual:
the security administrator’s: ➔ Should contain documentation on
○ Awareness of the logical accesses to programs generally used in a data
be protected processing installation to support the;
○ Motivation and means to monitor 1) Development
logons to account employee 2) Implementation
changes 3) Operations
○ Knowledge in maintaining and
4) Use of application systems
monitoring access
➔ Should include information on the
• A sample End users should be interviewed
platform where the application can run
to assess their awareness of management
on, DBMSs, compilers, interpreters,
policies regarding logical security and
telecommunication monitors, and other
 applications 3) Monitor and control the movement of
sensitive information on end-user
5.6 Data Leakage Data Leak Prevention systems
Data Leakage ● The objectives are associated with the
● Involves siphoning or leaking information out following primary states of information:
of the computer (e.g. dumping files to paper 1) Data at rest
or stealing computer reports and tapes). 2) Data in motion
➔ Leaves the original copy, which may go 3) Data in use
➔ Each state is addressed by a
undetected
specific set of technologies
➔ Involves the unauthorized transfer of
provided by DLP solutions
sensitive or proprietary information from
an internal network
- DATA AT REST:
● Ways of data leakage include the following:
● A basic function of DLP solutions is
➢ Peer-to-peer (P2P) networks,
the ability to identify and log where
➢ Instant message (IM),
specific types of information are
➢ Social media,
stored throughout the enterprise.
➢ Email,
● Most DLP systems use crawlers,
➢ Cloud storage, and
which are applications that are
➢ File sharing solutions
deployed remotely to log onto each
● Common controls to prevent data leakage:
end system and “crawl” through data
1) Identifying assets,
stores, searching for and logging the
2) Classifying assets, and
location of specific information sets.
3) Information security management
system (ISMS), including policies and
- DATA IN MOTION:
procedures
● DLP solutions use specific network
● Data leakage may:
appliances or embedded technology
- create risk to enterprises, their
to selectively capture and analyze
customers and business partners, and
network traffic.
- negatively impact an enterprise’s
● To inspect information being sent
reputation, compliance, competitive
across the network, the DLP solution
advantage and finances
must be able to:
● Data leak prevention/protection (DLP)
a) Passively monitor the network
solutions: arose due to the need to better
traffic,
control and protect sensitive information.
b) Recognize the correct data
These vary in capabilities and methodologies.
streams to capture,
c) Assemble the collected
Data Leak Prevention
packets (of information),
● Definition: A suite of technologies and
d) Reconstruct the files carried
associated processes that locate, monitor and
in the data stream, and
protect sensitive information from
e) Perform the same analysis
unauthorized disclosure.
done on the data at rest
● Has three key objectives, namely:
● At the core of this ability is a process
1) Locate and catalog sensitive
known as deep packet inspection
information stored in the enterprise
(DPI).
2) Monitor and control the movement of
➔ DPI goes beyond the basic
sensitive information across enterprise
header information and reads
networks
 data contents within the
packet’s payload
➔ If sensitive data are detected,
DLP solution has the capability
to alert and optionally block the
data flows in real or near real
time
➔ Based on the rule set, the
solution may also quarantine or
encrypt the data in question.
- DATA IN USE (ENDPOINT):
● Refers to monitoring data movement
stemming from actions taken by end
users on their workstations.
● DLP solutions typically accomplish
this through the use of a software
program known as an agent, which is
ideally controlled by the same central
management capabilities of the
overall DLP solution.
A full DLP solution should have the capability to
address the three states of information and be
integrated by a centralized management function.
➔ The range of services varies but many DLP
solutions have functions in common.
Common Functions of (DLP) Solutions
- Policy Creation and Management:
● Policies (rule sets): dictate the actions
taken by various DLP components.
● Most DLP solutions come with
preconfigured policies that map to
common regulations; these policies
should be able to be customized
● Policies should be built upon the
asset management and data
classifications exercises.
- Directory Services Integration:
● This allows the DLP console to map a
network to address to a named end
user.
- Workflow Management:
● Most DLP solutions provide the
capacity to configure incident
handling, which allows the central
management system to route specific
incidents to the appropriate parties.
- Backup and Restore:
● Allows for preservation of policies and
other configuration settings.
- Reporting:
● May be internal or may leverage
external reporting tools.
DLP Risks, Limitations, and Considerations
- Improperly Tuned Network DLP Modules:
● Proper tuning and testing of the DLP
system should occur before enabling
actual blocking of content.
● Monitor-only mode allows for tuning
and provides the opportunity to alert
users to out-of-compliance processes
and activities.
● Involving the appropriate business
and IT stakeholders in the planning
and monitoring stages helps to ensure
that disruptions to processes will be
anticipated and mitigated.
● A means of accessibility must be
established when there is critical
content being blocked during
off-hours when the team is
unavailable.
- Excessive Reporting and False Positives:
● DLP solutions may register significant
amounts of false positives, which
overwhelm staff and can obscure
valid hits.
● Avoid excessive use of template
patterns or black box solutions that
allow for little customization.
● The greatest feature of a DLP solution
is the ability to customize rules or
templates.
● The system should be rolled out in
phases, focusing on the highest risk
areas first.
- Encryption:
● DLP solutions can only inspect
encrypted information that they can
first decrypt. As such, there is a need
to use the appropriate decryption
 keys.
● Files cannot be analyzed if keys to
personal encryption packages are not
managed by the enterprise and not
provided to the DLP solution.
● Ways to mitigate this risk include:
a) forbid the installation and use
of encryption solutions that
are not centrally managed,
b) users should be educated
that anything that cannot be
decrypted for inspection will
ultimately be blocked
- Graphics:
● DLP solutions cannot intelligently
interpret graphics files.
● This includes sensitive information
scanned into a graphics file or
intellectual property that exists in a
graphics format.
● As such, enterprises should develop
strong policies that govern the use
and dissemination of this information.
● Although DLP solutions cannot
intelligently read contents of a
graphics file, they can identify specific
file types, their source, and
destination.
➔ This capability can flag
uncharacteristic movement of
this type of information and
provide some level of control.
Chapter 6: Network Infrastructure Security
6.1 & 6.2: Introduction and Client-Server
Security
INTRODUCTION
● Communication networks: include devices
connected to network; control thru network
control terminal and specialized
communications software.
➔ Control is done thru network control
terminal and specialized
communications software
Controls over the communication network:
1. Network control functions performed by
individuals with sufficient training and
experience.
2. Network control functions separated; duties
should be rotated on a regular basis
3. Network control software restricts operator
access for certain functions.
➢ (e.g., the ability to amend or delete
operator activity logs)
4. Network control software should maintain an
audit trail of all operator activities .
5. Audit trails reviewed periodically by operations
management to detect any unauthorized
network operations activities.
6. Network operation standards and protocols
documented, available, and reviewed
periodically to ensure compliance.
7. Network access by systems engineers
monitored and reviewed closely to detect
unauthorized access to the network.
8. Analysis should be performed to ensure:
- workload balance
- fast response time
- system efficiency
9. Terminal identification file should be
maintained by the communications software
to check the authentication of a terminal when
it tries to send or receive messages.
10. Data encryption should be used, where
appropriate, to protect messages from
disclosure during transmission..
11. Remote printing facilities restricted. to ensure
sensitive documents cannot be read by
unauthorized personnel.
12. Device hardening thru keeping devices up to
date. That means upgrading the firmware,
patching and updated to fix any security gaps.
● To improve the control and maintenance of
the infrastructure and its use, besides the
direct management of the network devices,
consolidate logs of devices with firewall logs
and client server OS’s logs (detective control)
● Fiber channel connections: basis of
management of large capacity storage units
 ● Dynamic inventory of devices: improves - OS
systems security. - Database
- In the case of an incident, it is - Middleware
important to know which computer is ➢ Middleware is a software layer
used by whom. situated between applications
● Ability to identify users at every step of and operating systems.
their activity: important security improvement ➢ Middleware is typically used in
- Some application packages used distributed systems where it
defined names (e.g., system); new simplifies software
monitoring tools have been developed development.
to resolve this problem ➢ Middleware is a software that
● Adopting IT governance practice: means to acts as an intermediary
comply with network security requirements between applications or
effectively. services to facilitate
- Some application packages use communication.
predefined names (e.g., SYSTEM). ● In a client-server environment, several access
New monitoring tools have been routes exist because application data may
developed to resolve this problem. exist on the server or on the client.
● Information Technology Infrastructure ● Access routes must be examined individually
Library (ITIL): framework for information and with each other to ensure no exposures
technology service management; can be used are left unchecked.
for setting up service level agreements (SLAs), ● Potential gaps among components:
specifically for enterprise network operations, additional risk to consider.
to maintain the uninterrupted operation of the - How do the components connect to
network through controls, incident handling each other?
and auditing.
● Example: two-tiered environment. (the thick
CLIENT-SERVER SECURITY client must connect to the database: it can
● Client server: network architecture where the achieved by:
computer/process is either a server (a source 1. every user has a database account
of services and data) or a client (a user of - in which case they may be
these services and data that relies on servers able to bypass the client
to obtain them). application (and hence the
● Client server architectures can be: application controls) and
- two tiered: includes the use of a thick connect directly to the
client database
- three-tiered: includes the use of 2. a proxy user (i.e., a single account
application servers and a thin client, that connects to the database on
probably a browser behalf of all others) is used.
- n-tiered: includes multiple - in which case the database
applications servers, middleware, etc password must be stored
● The security of a client-server environment is somewhere.
dependent on the security of its component - This may be stored securely
part. or unencrypted
● Components of client server environment: ● The IS auditor should ensure that:
- LAN - Application controls cannot be
- Client bypassed.
 - Passwords are always encrypted.
- Access to configuration or
initialization files be kept to a
minimum.
- Access to configuration or
initialization files be audited.
6.3 Internet Security Controls
● To establish effective Internet security
controls, an organization must develop
controls within an information systems
security framework from which Internet
security controls can be implemented and
supported.
➔ Establishing such a framework entails
defining the rules the organization will
follow to control Internet usage.
● One set of rules should address appropriate
use of Internet resources with rules that might
reserve Internet privileges for those with a
business need.
● Another set of rules should address the
classification of the sensitivity or criticality of
corporate information resources.
➔ These will help determine what
information will be available for use on
the Internet and the level of security to
be used for corporate resources of a
sensitive or critical nature on the
Internet.
● An organization will be able to develop
guidelines for defining levels of security
controls on confidentiality, integrity, and
availability of information resources on the
Internet.
● Supporting processes over these controls
should be defined, including the following:
a) Risk assessments performed
periodically
b) Security awareness and training for
employees, tailored to their levels of
responsibilities
c) Firewall standards and security to
develop and implement firewall
architectures
d) Intrusion detection standards and
security to develop and implement
IDS architectures
e) Remote access for coordinating and
centrally controlling dial-up access
f) Incident handling and response for
detection, response, containment and
recovery
g) Configuration management for
controlling the security baseline when
changes do occur
h) Encryption techniques applied to
protect information assets
i) A common desktop environment to
control what is displayed on a user’s
desktop
j) Monitoring Internet activities for
unauthorized usage and notification to
end users of security incidents via
computer emergency response
team (CERT) bulletins or alerts
● Internet usage is drastically changing the way
business is done and is creating opportunities
for organizations to compete in what has
become a global virtual market.
● Security, as it relates to the Internet, will have
to be considered an enabler for success and
treated as an essential business tool.
6.4 Firewall Security Systems
Firewall Security Systems - Introduction
● Danger: Every time a corporation connects its
internal computer network to the Internet
➔ Because of the Internet’s openness,
every corporate network connected to it
is vulnerable to attack.
➔ Hackers on the Internet could
theoretically break into the corporate
network and do harm in a number of
ways
● Firewalls:
➔ Companies build firewalls: as one
means of perimeter security of
network;
 ➔ Likewise, the same principle is
applicable as protection to sensitive or
critical systems that need to be
protected from untrusted users inside
the corporate network (internal
hackers)
➔ Firewalls are defined as a device
installed at the point where network
connecting enter a site
➔ they apply rules to control the type of
networking traffic flowing in and out
➔ Most commercial firewalls are built to
handle the most commonly used
Internet protocols
● For firewalls, to be effective
- firewalls should allow individuals on
the corporate network to access the
Internet
- at the same time, stop hackers or
others on the Internet from gaining
access to the corporate network to
cause damage
● Deny-all philosophy: means that access to a
given resource will be denied unless a user
can provide a specific business reason or
need for access to the information resource.
➔ Generally, most organizations will follow
this philosophy
● Accept-all philosophy: everyone is allowed
access unless someone can provide a reason
for denying access
➔ Converse of Deny-all philosophy
➔ Not widely accepted
Firewall Security Systems – Firewall General
Features
● Firewall Features:
- Hardware and software combinations
- Built using routers, servers and
different software
- Separate networks from each other
and screen the traffic between them
- control the most vulnerable point
between a corporate network and the
Internet
- Simple or complex, as the corporate
security policy demands
● Firewalls enable organizations to:
a) Block access to particular sites on the
Internet
b) Limit traffic on an organization’s public
services segment to relevant addresses
and ports
c) Prevent certain users from accessing
certain servers or services
d) Monitor communications and record
communications between an internal
and an external network
e) Monitor and record all
communications between an internal
network and the outside world to
investigate network penetrations or
detect internal subversion
f) Encrypt packets that are sent between
different physical locations within an
organization by creating a VPN over the
Internet (i.e., IPSec, VPN tunnels)
● Extended firewall capabilities: provide for
protection against viruses and attacks directed
to exploit known OS vulnerabilities
Firewall Security Systems – Firewall Types
● Firewall types/categories
1) Packet filtering
2) Application firewall systems
3) Stateful inspection
Firewall Security Systems – Firewall Types
1) Packet Filtering Firewalls
● Packet filtering-based firewalls: simplest and
earliest kinds of firewalls (i.e., first generation
of firewalls)
➔ deployed between the private network
and the Internet
● Screening router examines the header of
every packet of data traveling between the
Internet and the corporate network
● Information content of packet headers:
- includes the IP address of the sender
and receiver and the authorized port
numbers (application or service)
allowed to use the information
transmitted
 ➔ Based on that information, the
router knows what kind of
Internet service, such as
web-based or FTP, is being
used to send the data as well
as the identities of the sender
and receiver of the data.
➔ Using that information, the
router can prevent certain
packets from being sent
between the Internet and the
corporate network.
- Example: The router could block any
traffic except for email or traffic to and
from suspicious destinations.
● Advantages: simplicity and generally stable
performance as the filtering rules are performed
at the network layer
● Disadvantage: Its simplicity is also a
disadvantage, because it is vulnerable to
attacks from improperly configured filters and
attacks tunneled over permitted services.
● Potential for attack: determined by the total
number of hosts and services to which the
packet filtering router permits traffic
➔ Because the direct exchange of
packets is permitted between outside
systems and inside systems
● Effect of compromising a single packet
filtering router: every system on the private
network may be compromised and
organizations with many routers may face
difficulties in designing, coding and maintaining
the rule base.
● Each host directly accessible from the Internet
needs to support sophisticated user
authentication and needs to be regularly
examined
● Common attacks against packet filter
firewalls
a) IP spoofing
- Attacker fakes the IP address of
network host (internal or trusted) so
that the packet being sent will pass
the rule base of the firewall
➔ allows for penetration of the
system perimeter
- Spoofing user internal IP address: the
firewall can be configured to drop the
packet on the basis of packet flow
direction analysis.
- Spoofing using secure or trusted
external IP address: firewall
architecture is defenseless
b) Source routing specification
- Possibility to define route of IP packet
must take when it traverses from the
source host to the destination host,
across the Internet
➔ bypass the firewall;
➔ can be done by those with
knowledge of the IP address,
subnet mask, default gateway
settings at the firewall routing
station
- Defense: examine and drop the
packet, if source routing specification
is enabled , drop that packet;
➔ However, if the topology
permits a route, skipping the
choke point, this
countermeasure will not be
effective
- Subnetting: is a strategy used to
partition a single physical network into
more than one, smaller subnetworks
or subnets
➔ An IP address includes a
network segment and a host
segment
➔ Subnets are designed by
accepting bits from the IP
address’ host part, and using
these bits to assign a smaller
subnet/ subnetwork inside the
original network
➔ Helps to reduce the network
traffic and conceals network
complexity
- Subnet Mask: a 32-bit number used
to differentiate the network
component of an IP address, by
 dividing the IP address into a network
address and the host address
➔ Aka address mask
➔ Used to design subnetworks/
subnets that connect local
networks
c) Miniature fragment attack
- an attacker fragments the IP packet
into smaller ones and pushes it
through the firewall
➔ in the hope that only the first
of the sequence of
fragmented packets would be
examined and the others
would pass without review
➔ true if the default setting is to
pass residual packets
- Countered: by configuring the firewall
to drop all packets where IP
fragmentation is enabled
2) Application Firewall Systems
● Two types
➔ application-level firewall systems
➔ circuit-level firewall systems
● Provides greater protection than packet
filtering routers
➔ Packet filtering routers allow the direct
flow of packets between internal and
external systems.
➔ Application and circuit gateway
firewall systems allow information to
flow between systems but do not allow
the direct exchange of packets.
● Primary Risk of allowing packet exchange
between internal and external systems: threat
posed by allowed packets to the host
applications residing on the protected network’s
system
➔ the host applications residing on the
protected network’s systems must be
secure against any threat posed by
allowed packets
● Could be an appliance or sit atop hardened
(tightly secured) OSs, such as Windows or
UNIX
● Work at the application level of the OSI (Open
Systems Interconnection) model
● Application-level gateway firewall: analyzes
packets through set of proxies—one for each
service
➔ e.g., HTTP proxy for web traffic, FTP
proxy
➔ Hypertext Transfer Protocol (HTTP)
proxy: known as a web application
firewall (WAF). This applies rules to
HTTP conversations that cover known
attacks, such as cross-site scripting
(XSS) and Structured Query Language
(SQL) injection. This kind of work could
reduce network performance.
➔ Circuit-level firewalls: are more
efficient and also operate at the
application level—where TCP and User
Datagram Protocol (UDP) sessions are
validated, typically through a single,
general-purpose proxy before opening
a connection. Commercially,
circuit-level firewalls are quite rare.
● OSI Model: a conceptual model created by
the International Organization for
Standardization (ISO) which enables diverse
communication systems to communicate
using standard protocols
➔ Using plain English, the OSI provides
a standard for different computer
systems to be able to communicate
with each other
➔ Can be seen as a universal language
for computer networking
➔ Based on the concept of splitting-up a
communication system into seven
abstract layers, one each one stacked
upon the last
- Layer 1: Physical
- Layer 2: Data link
- Layer 3: Network
- Layer 4: Transport
- Layer 5: Session
- Layer 6: Presentation
- Layer 7: Application
● Bastion hosting
 ➔ Employed by both application-level
and circuit level firewalls
➔ All incoming requests from the
internet to the corporate network (FTP
or web requests) are only handled by
a single host
➔ Bastion host is fortified against attack
➔ By having only, a single host handling
incoming requests, Bastion host
makes it easier to maintain security
➔ In case of break-in, only the firewall
system is affected and compromised,
not the entire network
➔ Effective level of security: no direct
contact for requests in the internet
with computers/host in the corporate
network
● Application-based firewalls are set-up as
proxy servers
● Proxy servers
➔ Act on behalf of someone inside an
organization’s private network
➔ Use special purpose codes (proxy
servers) is incorporated into the
firewall system instead of packet
filtering tool, rather than relying on a
generic pocket filtering tool to manage
the flow of services through the
firewall
- Example: If someone inside the
corporate network wants to
access a server on the internet,
a request to the internet is sent
to the proxy server, and the
proxy server contacts the
server on the internet. The
proxy server then sends the
information from the internet
server to the computer inside
the corporate network
➔ Facilitate request/communication
between a computer in the network
and the Internet
➔ Act as go-between; can maintain
security by examining a service or
services (FTP or telnet program code)
and modifying and securing it to
known vulnerabilities
➔ Can log all traffic between the network
and the Internet
● Telnet (TN): a networking protocol and
software program used to access remote
computers and terminals over the internet or
TCP-IP computer network
➔ Designed for remote server access,
management, and client-server
architectures
➔ Telnet works through a purpose-built
program that provides connectivity
with a remote computer server and a
host computer
● Application-level firewall implementation of
proxy server functions: based on providing a
separate proxy for each application service
(FTP, Telnet, HTTP)
● Circuit-level firewall: no need for special proxy
for each application-level service (what proxy
server is used for all services)
● Advantages of application-level firewall
- provide security for commonly used
protocols
- generally hide the internal network
from outside untrusted networks
➔ Example: a feature available on
these types of firewall systems
is the network address
translation (NAT) capability
➔ This capability takes private
internal network addresses
(unusable on the Internet) and
maps them to a table of public
IP addresses, assigned to the
organization, which can be
used across the Internet
● Disadvantages of application-level firewall
- Poor performance and scalability as
Internet usage grows
➔ To offset this problem, the
concept of load balancing is
applicable in cases where a
redundant fail-over firewall
system may be used.
 3) Stateful Inspection Firewalls
● Keeps track of the destination IP address of
each packet that leaves the organization’s
internal network
● Whenever the response to a packet is received,
its Referencing of record:
➔ Ensure incoming message is in
response to request from the
organization’s network
➔ Done by mapping the source IP
address with the list of destination IP
addresses that is maintained and
updated
➔ Prevents any attack initiated and
originated by an outsider
● Advantage of stateful inspection firewalls over
application firewall systems
➔ control the flow of IP traffic by
matching information contained in the
headers of connection-oriented or
connectionless IP packets at the
transport layer, against a set of rules
specified by the firewall administrator;
➔ provides greater degree of efficiency
when compared to typical
CPU-intensive, full-time application
firewall systems’ proxy servers, which
may perform extensive processing on
each data packet at the application
level
● Disadvantage of stateful inspection firewalls:
complex to administer, compared to the other
two types of firewalls
Firewall Security Systems – Examples of Firewall
Implementations
● Firewall implementations: take advantage of
the functionality available in a variety of
firewall designs to provide a robust layered
approach in protecting an organization’s
information assets
● Commonly used implementations
1) Screened-host firewall
● Utilizing a packet-filtering router and a bastion
host; implements basic network layer security
(packet filtering) and application server
security (proxy services)
➔ An intruder in this configuration has to
penetrate two separate systems
before the security of the private
network can be compromised
● Consists of private network, bastion host,
packet filtering router and Internet
➔ configured with the bastion host
connected to the private network with
a packet filtering router between the
Internet and the bastion host
➔ Router filtering rules allow inbound
traffic to access only the bastion host,
which blocks access to internal
systems
● Because the inside hosts reside on the same
network as the bastion host, the security policy
of the organization determines whether inside
systems are given permission to access the
Internet (either direct access or whether they
are required proxy services on the bastion
host)
2) Dual-homed firewall
● Has two or more network interfaces, each of
which is connected to a different network
● Acts to block or filter some or all of the traffic
trying to pass between the networks in the
firewall configuration
● More restrictive form of a screened-host
firewall system
➔ a dual-homed bastion host is
configured with one interface
established for information servers
and another for private network host
computers
3) Demilitarized zone (DMZ) or screen-subnet
firewall
● Utilizing two packet-filtering routers and a
bastion host → Most secure firewall
➔ supports network and
application-level security while having
a separate DMZ network
● Functions as a small, isolated network for an
organization’s public servers, bastion host
information servers and modem pools.
 ● Configured to limit access from the Internet and
the organization’s private network
● Outside router: restricts incoming traffic to the
DMZ network
● Limiting the services available for use: protects
the organization against certain attacks
● External systems can access only the bastion
host (and its proxying service capabilities to
internal systems) and possibly information
servers in the DMZ
● Inside router: provides a second line of
defense, managing DMZ access to the private
network, while accepting only traffic originating
from the bastion host
➔ For outbound traffic, the inside router
manages private network access to the
DMZ network.
- permits internal systems to
access only the bastion host
and information servers in the
DMZ
● Filtering rules on the outside router: require
proxy services by accepting only outbound
traffic on the bastion host
● Key benefits of DMZ:
- Intruder should penetrate three
separate devices
- Private network addresses not
disclosed to the Internet
- Internal systems do not have direct
access to the Internet
Firewall Security Systems – Firewall Issues
● Issues on Implementing Firewalls
a) False sense of security
- may exist if management feels that no
further security checks and controls
are needed on the internal network
- Example: the majority of incidents are
caused by insiders, who are not
controlled by firewalls
b) Circumvention of firewalls thru modems
- may connect users directly to Internet
Service Providers (ISPs)
- Management should provide assurance
that the use of modems when a firewall
exists is strictly controlled or prohibited
altogether
c) Misconfigured firewalls
- may allow unknown and dangerous
services to pass through freely.
d) Wrong understanding about what constitutes
a firewalls
- Example: companies claiming to have
a firewall merely have a screening
router
e) Irregular monitoring of activities
- Example: log settings not
appropriately applied and reviewed
f) Firewall Policies not maintained regularly
g) Most Firewalls operating only at the network
layer
- therefore, they do not stop any
application-based or input-based
attacks.
- Example of attacks: SQL injection and
buffer-overflow attacks
- Newer-generation firewalls are able to
inspect traffic at the application layer
and stop some of these attacks.
Firewall Platform
Firewall Security Systems – Firewall Platforms
● Hardware or software platform
implementations
● Hardware-based firewall platforms: provide
good performance with minimal overhead;
faster; not as flexible or scalable as
software-based firewalls
● Software-based firewalls: slower; high systems
overhead; e flexible with additional services;
may include content and virus checking, before
traffic is passed to users
● Appliances-type firewalls: generally better to
use than normal servers; installed with hardened
OSs; generally, significantly faster to set-up and
recover
● Server-based firewalls: OSs in servers are often
vulnerable to attacks;
- When the attacks on OSs succeed, the
firewall is compromised.
6.5 Development and Authorization of
Network Changes
● Network configuration changes to update
telecommunications lines, terminals, modems
and other network devices should be
authorized in writing by management and
implemented in a timely manner.
● An IS Auditor can test the change control by:
- Sampling recent change requests,
looking for appropriate authorization
and matching the request to the
actual network device
- Matching recent network changes,
such as new telecommunication lines,
to added terminals and authorized
change requests
● The IS Auditor should determine who can
access the network change software - this
should be restricted to senior network
administrators.
● Development and change control procedures
should cover the following network
components’ hardware and software:
a) Firewalls
b) Routers
c) Switches
d) Application gateways
e) DNS/network topology
f) Client software
g) Network management software
h) Web server hardware and
configuration
i) Application software
j) Web pages
Unauthorized Changes
● One of the most important objectives of
change control procedures is to prevent or
detect unauthorized changes to software,
configurations or parameters, and data.
● Unauthorized changes may include:
➢ Changes to software or
configurations/parameters that occur
without conforming to change control
procedures
➢ Changes made to software code
without authorization
● Controls to prevent unauthorized changes to
software and software configurations include:
- Ensure SoD among software
development, software administration
and computer operations
- Restrict the software development
team’s access to the development
environment only
- Restrict access to the software source
codes
● Controls to detect unauthorized changes to
software include:
- Software code comparison utilities
● Controls to detect unauthorized changes to
configurations/parameters include:
- Logging and monitoring system
administrator activities
● What will prevent unauthorized access to
data?
- Application access control
mechanisms
- Built-in application controls
➔ These can be circumvented
by direct access to data,
which should be restricted
and monitored.
Chapter 7: Data Encryption and
Encryption-related Techniques
7.1 Key Elements of Encryption Systems
Introduction
● Encryption
- process of converting a plaintext
message into a secure-coded form of
text, called ciphertext
➔ which cannot be understood
without converting it back via
decryption (the reverse
process) to plaintext
- Reverse is decryption (ciphertext back
to plaintext)
- Done via a mathematical function and
a special encryption/decryption
password called the “key”
 ● Uses of Encryption
➔ Protect data in transit over networks
from unauthorized interception and
manipulation
➔ Protect information in computers from
unauthorized viewing and manipulation
➔ Prevent and detect accidental or
intentional alterations of data/
information
➔ Verify authenticity of a transaction or
document
● In many countries, encryption is subject to
governmental laws and regulation
● Limitation: Encryption cannot prevent
loss/modification of data
● Protection of keys: paramount concern when
using encryption systems
➔ Even when encryption is regarded as
an essential form of access control, it
sill requires a thorough understanding
of how schemes work
➔ misuse or misconfiguration may
significantly undermine the protection
that an organization believes is in place
Key Elements of Encryption Systems
● Key Elements of Encryption Systems
1) Encryption algorithm: mathematical
function used to encrypt/decrypt data
2) Encryption keys: A piece of information
that is used by the encryption algorithm
to make the encryption or decryption
process unique
➔ Similar to passwords, a user
needs to provide the correct
key to access or decrypt a
message.
➔ The wrong key will decipher
the message into an
unreadable form.
3) Key length: a predetermined length for
the key
➔ the longer the key, the more
difficult to compromise in a
brute force attack
● Encryption schemes are susceptible to brute
force attacks in which an attacker repeatedly
tries to decrypt a piece of ciphertext using all
the possible encryption keys until the correct
one is found
➔ Example: brute forcing stops when the
ciphertext does not decrypt to a
non-sense message
● Fundamental to choose the key adequately to
ensure the overall security of encryption scheme
➔ Because the amount of time required to
search for the correct key depends
exponentially on its length
● Attacks can be mounted against the
robustness of the underlying mathematical
algorithms to speed up the brute forcing
process
➔ Cryptanalysis is the science of finding
such weaknesses
➔ Example: algorithm prone to a
known-plaintext attack allows an
attacker to discard a large portion of
the possible decryption keys if
samples of ciphertexts and
corresponding plaintexts are available
➔ Variation of the attack: the attacker
guesses parts of the plaintext by
leveraging on statistical properties of
the encrypted data (e.g., spotting
vowels or finding the word “the” in an
English text)
● Randomness of key generation: significant
factor on the ability of compromising
encryption scheme
➔ Common words or phrases
significantly lessen the key space
combinations required to search for the
key, diminishing the strength of the
encryption algorithm
- Therefore, the capabilities of a
128- bit encryption algorithm
are diminished when
encrypting keys are based on
passwords, and the passwords
lack randomness
● Effective password syntax rules should be
applied and easily guessed passwords be
prohibited
● Two types of encryption schemes
 a) Symmetric key systems: use a unique
key for encryption and decryption
- Unique key: aka secret key; a
bidirectional key because it
encrypts and decrypts and it
must be shared out of band
(i.e., via a secure, alternative
method to the encrypted
message)
b) Asymmetric key systems: decryption
key different from encryption key;
- Unidirectional keys: they
encrypt or decrypt—but are
complementary
- The two parties (the sender
and the recipient) are not
expected to trust each other to
keep the secret key
- Encryption key is publicly
disclosed, decryption key is
private
- Asymmetric systems are also
known as public-key schemes
● Hash functions or hashing algorithms
- Important component of cryptographic
protection schemes
- Transform text of arbitrary or random
length into one of fixed with length
(digest or hash value of the input text)
➔ Example: a hash function is
one that just truncates a text
string after a fixed number of
characters
- Must be one-way: to be used in
cryptographic protection schemes
➔ Example: making it hard to
find a piece of text that
generates a given hash
- Accurate integrity check tool
- Calculate a hash value from the entire
or whole input message
- Output is always at fixed same length,
even if the input message is of
variable length
- Example: Hash function: Password
Encryption
➔ In the hash function, all of the
different passwords are
converted into fixed-length
strings before being stored in
the database. These output
strings cannot be converted
back to find out the actual
passwords.
- The length of digest or hash value
depends on the hash algorithm used.
➔ Example: MD5 generates a
digest length of 128 bits;
SHA-1, a digest of 160 bits;
and SHA-512, a digest of 512
bits
- Most common message digest
algoritms: MD5 and SHA-1
- Industry transitioning to SHA-2, due to
security considerations
➔ Has six hash functions
available with varying message
digest lengths
- Announcing SHA-3 by National
Institute for Standards and
Technology (NIST)
➔ In the event a successful
ayttack is developed against
SHA-2
- Senders: When they want to send a
message and ensure that it has not
been altered, they can compute the
digest of the message and send it
along with the message to the receiver.
- Receiver: When he/she receives the
message and its digest, he/she
independently computes the digest of
the received message and ensures that
the digest computed is the same as the
digest sent with the message (Figure
5.17).
● Figure 5.17 - Verifying Message Integrity
Using a Hash Function
 - Was employed by NIST to replace
3DES during 2001

● Advantages of symmetric key systems

(over asymmetric)
- Shorter keys and can be easily
remembered
- Less complicated and used less
7.2 Symmetric Key Cryptographic Systems processing power than an asymmetric
key
➔ ideally suited for bulk data
encryption
● Disadvantages of symmetric key systems
- Major: key distribution, particularly in
eCommerce environments where
customers are unknown, untrusted
entities
● Symmetric key cryptographic systems are - Additional: cannot be used to sign
based on a symmetric encryption algorithm, electronic documents or messages,
which uses a secret key to encrypt the due to the fact that the mechanism
plaintext to the ciphertext and the same key to placed on a shared secret by at least
decrypt the ciphertext to the corresponding two parts
plaintext.
● In this case, the key is said to be symmetric
7.3 Public (Asymmetric) Key Cryptographic
because the encryption key is the same as the
Systems
decryption key
● Data Encryption Standard (DES): most
common symmetric key cryptographic system
- Based on a public algorithm approved
by the NIST
- employs 56 bits (plus 8 bits for parity
checking)
- withdrawn by NIST because its entire
key space is prone to brute force
weakness by a moderately large
system within a relatively short period
INTRODUCTION
of time
● Triple DES or 3DES: extension of DES; ● Two keys work together as a pair, they
- applies DES 3x its data block are inversely related based on a
- were proposed to extend the DES mathematical inteqer factorization
while maintaining backward ● One of the keys is private and the other
compatibility
is publicly-disclosed
● Encryption works by feedinq the public
● Advanced Encryption Standard (AES):
key of the recipient to the underlyinq
replaced DES;
- Public algorithm that supports keys alqorithm, where the resultinq
with 128 to 256 bits in size ciphertext can be decoded usinq the
 private key
● The private key avoids requirement of
the owner’s key pair to share the
private information and their
communication
1.) QUANTUM CRYPTOGRAPHY
● Quantum cryptoqraphy: possibility to use
quantum computing (computer technoloqy
based on quantum theory) for
cryptographic purposes
● Quantum Key Distribution (QKD) schemes:
allow distribution of a shared encryption
key between two parties,
○ can detect unauthorized party
eavesdropping
○ Most important application
● Quantum computing: easily breaks the
security schemes
○ Postquantum encryption
algorithms solve the problem and
are resistant to quantum attacks
2.) DIGITAL SIGNATURES
● Public Key systems: the underlying
algorithm should work even if private key
is used for encryption and public key is
for decryption
● Digital signature: authenticates origin of
the encoded message
○ Even if found counter-intuitive, a
public key system would realize
this digital signature scheme
○ Nonrepudiation/Non-denial:
because the private key is known
only by the owner of the key pair,
one can ensure that if a ciphertext
is correctly decrypted using a
public key, the owner of the public
key cannot deny having performed
the encryption process
● In most practical implementation of digital
signature schemes, the public key or
symmetric key system is never applied to the
whole document as it would take a lot of
processing power to calculate the signed
data
● Instead, a digest or pre-hashed is first derived
from the document to be signed usinq a
hashing function/algorithm. Then, the public
key algorithm is applied to the digest (encrypt
process using the sender’s private key) in
order to produce an encoded key of data that
is a digital signature, sent alongside the
document
● To authenticate the sender (as the originator
of the document), the hashing
function/algorithm is applied by the recipient
upon receiving the message and the resulting
digest or post-hash is compared with the
decrypted key using the sender’s public key
● In case of a match, the receiver can conclude
that a document was actually signed by the
owner of the public key
Digital signature schemes ensure:
a. Data integrity: changes in plaintext message
will result in failed computing of the same
hash value or digest
- Any chanqe to the plaintext messaqe
will result in the recipient failinq to
compute the same document
b. Authentication: document is ensured to be
sent by the sender since only the sender has
the private key
- Recipient can ensure that the
 document has been sent by the plain a) TRANSPORT LAYER SECURITY
sender, because only the plain sender ● Transport layer security (TLS): a
has the private key cryptographic protocol that provides secure
c. Nonrepudiation: sender cannot later deny communications on the Internet
generating the document
○ Is a connection-layered protocol
partly used for communications
3. DIGITAL ENVELOPE
between browsers and web servers
● Digital envelope: electronic container used ● TLS provides endpoint authentication, aside
to protect data or a message through the from communication privacy
use of encryption data authentication ○ TLS allows client-server application
○ Similar to a digital signature communication in a way designed to
● Message is encrypted using symmetric prevent eavesdropping, tampering,
encryption; code or key to decode and messaqe forgery
message is secured using public b) IP SECURITY
(asymmetric) key encryption ● IP security or IPSec: used to secure
○ A more convenient option for communications at IP level among two or
encryption more hosts, subnets, or hosts & subnets
● Combination of encrypted message and ○ This IP layer packet security protocol
encrypted secret key establishes VPNs via transport and
7.4 Applications of Cryptographic Systems tunnel-mode encryption models
● Sender uses digital certificates for
INTRODUCTION authentication
○ The connection is made secure by
● Asymmetric and symmetric systems can be
combined to leverage on each system’s supporting the generation,
peculiarity authentication, and distribution of
● Common scheme: encrypt data using a SAs and those of the cryptographic
symmetric algorithm with the secret key which keys
is randomly generated, then the secret key is ● Security Associations (SAs): define the
encrypted using an asymmetric algorithm security parameters that should be applied
○ It allows the secure distribution between communicating parties as
among those parties who access encryption algorithms, keys, lifespan of keys,
among the encrypted data
etc.
● Benefits: Secure communication; speed of
● Digital Certificates: authenticates the web
symmetric systems and ease of key
credentials that of the sender and lets the
distribution of asymmetric systems
recipient of an encrypted message know
● Creating secret key is effortless; hence, this
can be employed to a limited amount of data that the data is from a trusted source or a
after which a new secret key can be chosen sender who claims to be one
○ limit malicious third-party to decrypt ○ Is issued by a certification authority
the whole set of data, because they (CA)
would be required to attack multiple ○ Used to install signatures and
secret keys message encryption
c) SECURE SHELL
● Secure Shell (SSH): a client-server program
that opens a secure and encrypted shell
session from Internet for remote logon
● SSH uses strong cryptography to protect data
(passwords, binary files, and administrative
commands) transmitted between systems
○ Similar to a VPN
● SSH is implemented to validate credentials
between two parties by validating each
other’s credentials using digital certificates
● SSH is useful in replacing Telnet and
implemented at the application layer
○ as opposed to operating at the
network layer, like that of the IT
Security implementation
d) SECURE MULTIPURPOSE INTERNET
MAIL EXTENSIONS (S/MIME)
Secure Multipurpose Internet Mail Extensions
(S/MIME):
● A standard secure email protocol
● Authenticates identity of sender and
receiver
● Verifies integrity of message
● Ensures privacy of a message’s content,
including the attachments
Chapter 8:
VIRTUALIZED ENVIRONMENTS
Introduction
VIRTUALIZATION
● Provides an enterprise with significant
opportunities to;
● Increases efficiency and decreases costs
in IT operations
● Introduces additional risk; a high-level
virtualization allows multiple OSs to coexist
in the same physical server or host in
isolation of one another
● Creates layer between hardware and guest
OSs, to manage their processing and memory
resources on the host
● Management console: often provides
administrative access in managing the
virtualized system
● Data centers in many other organizations use
virtualization techniques to create an
abstraction of the physical hardware and
make large pools of logical resources
consisting of:
1) CPUs
2) Memory
3) Disks
4) File Storage
5) Applications
6) Networking
- the approach enables greater availability of
resources to the user base
● MAIN FOCUS: to enable a single physical
computing environment to run multiple
logical, yet independent systems of the same
kind
● Most common use: operational efficiency —
uses existing hardware more efficiently by
placing greater loads on each computer
● Second use: using full virtualization of
desktops enables end-users to have one
computer hosting multiple OSs, if needed to
support various dependent OS applications
● Further use: an IT organization can better
control deployed OSs, to ensure that they
meet the organization’s security requirements
○ Security threat and respective contro
requirements are dynamic
● Virtual desktop images can be changed to
respond to new threats
ELEMENTS OF A VIRTUALIZED COMPUTING
ENVIRONMENT
a. Server or other hardware parts
b. Virtualization hypervisor: a piece of guest OS that provides utilities to control
computer software, firmware, or hardware that virtualization, while in a guest OS
creates/runs the virtual machine environment; - Ability to share files with the host OS
“HOST“ 3. Containerization: containers include the
● HYPERVISOR: a hardware virtualiz ation application and its dependencies but share
technique that allows multiple guest
the kernel with the other containers;
operating systems or OSs to run on a
● Containers run as an isolated
single whole system at the same time
process in user space on the host
- the guest OS shares the hardware
of the host computer, such that operating system
each OS appears to have its own
processor, memory, and other
hardware resources
- AKA Virtual Machine Manager
(VMM)
- The hypervisor installed in the
server hardware consults the guest
operating system running on the
host machine. ● Bare metal: hypervisor runs directly on the
- Main job is to cater to the needs of underlying hardware without a Host OS
the guest operating system & ● Hosted: the hypervisor runs on top of the host
effectively manage it, such that the OS
instances of multiple operating
systems do not interrupt with one
Advantages and Disadvantages of Virtualization
another
c. Guest machine: virtual environmental Advantages Disadvantages
elements residing in the computer on
which a hypervisor host machine has been
-Server hardware costs -Inadequate
installed may decrease for both confiquration of the host
1. OS server builds and server could create
2. Switches maintenance vulnerabilities that affect
3. Routers not only the host, but
-Multiple OSs can also the quests
4. Firewalls, etc.
share processinq
capacity and storaqe -Exploits vulnerabilities
METHODS OF DEPLOYING A VIRTUALIZED
that often goes to Within the host’s
ENVIRONMENT configuration, or a
waste in traditional
servers, thereby denial-Of-service
1. Bare metal/native virtualization: attack against the host,
reducinq operatinq
hypervisor runs directly on the underlying costs could affect all of the
hardware, without a host OS; host’s quests
-The physical footprint
2. Hosted virtualization: hypervisor runs on of servers may - A compromise of the
top of the host OS (Windows, Linux, or decrease within the management console
MAC OS) data center
could qrant
● Its architecture has an additional layer of -A single host can have unapproved
software (virtualization application) in the multiple versions of the administrative access
same OS, or even to the host’s quests
different OSs, to
facilitate testing of -Performance issues of
applications for the host’s own OS
● To determine whether the enterprise has
performance could impact each of
considered the applicable risk in its decision
differences the host’s quests
to adopt, implement, and maintain this
-Creation of duplicate technology
copies in alternate -Data could leak
● Risks must be managed effectively; the host
locations can support between quests if
in a virtualized environment represents a
business continuity memory is not released
potential, single-point of failure in the system
and allocated by the
efforts ○ A successful attack on the host could
host in a controlled
-Application support result in a compromise that is larger in
manner
personnel can have both scope and impact
-Insecure protocols for
multiple versions of the
remote access to the PRINCIPLES AND GOOD PRACTICES FOR A
same OS, or even
management console VIRTUALIZED ENVIRONMENT
different OSs, on a
and quests could result
sinqle host to more ● To address the risks, an enterprise can often
in exposure of
easily support users implement or adapt the same principles and
administrative
operating in different good practices for a virtualized server
credentials
environments environment, that it will use for a server form
- a single machine can a. Strong physical and logical access controls,
house a multitier especially over the host and its management
network in an console
b. Sound configuration management practices
educational lab
and system hardening for the host including:
environment without
i. Patching
costly reconfigurations
ii. Antivirus
of physical equipment
iii. Limited services
iv. Logging
-smaller organizations v. Appropriate permission
that had performed vi. Other configuration settings
tests in the production c. Appropriate network segregation including the
environment may be avoidance of virtual machines in the DMZ and
better able to set up the placement of management tools on a
logically separate, separate network segment
d. Strong change management practices
cost-effective
development & test
Key Risk Areas
environments
-if set up correctly, a ● Migrating computer resources to virtualized
well-built, single access environment DOES NOT change the threats
control on the host can plane for most of the system’s vulnerabilities
provide tighter control and threats
for the host’s multiple ○ If a service has inherent vulnerabilities
on a physical server/network products
guests
and it is migrated to a virtualized
 server, the server remains vulnerable
to exploitations
● The use of virtualization: increase in likelihood
of attacks due to additional virtual
environment attack paths (vectors; hypervisor
configuration or security flaws, memory
leakage, etc.)
HIGH-LEVEL RISKS IN VIRTUALIZED SYSTEMS
(representative of the majority of virtualized systems in
use)
1. Rootkits on the host: installing themselves as
a hypervisor below the OS enables
interception of operations of any of the guest
OS (logging password entry, etc.)
a. Antivirus may not detect this because
the malware runs below the entire OS
2. Improper configuration of hypervisor
partitioning resources:
a. CPU
b. Memory
c. disk space
d. Storage
- Leads to unauthorized access
to resources, wherein one
guest OS injecting malware to
another or placing malware
code into another guest OS
memory
3. Guest tools: this mechanism enable guest OS
to access files, directories, the copy­paste
buffer, and other resources on the host OS or
another guest OS
- this functionality can inadvertently
provide attack paths (vector) for
malware or allow an attacker to gain
access to particular resources
- snapshots or images of test
environments containing sensitive
data (password, personal data, etc.)
make a physical hardware
- Snapshots are a holder of
risks than images because the
snapshots contain the
contents of random­access
memory (RAM) at the time the
snapshot was taken; include
sensitive information that was
no stored on the drive itself
4. Absence of hypervisor controls in hosted
virtualization: anyone who can launch an
application on host OS can run hypervisor
● In contrast to bare-metal installations,
hosted virtualization products rarely
have hypervisor access controls
● The only access control to address
this is whether someone can log into
the host OS
Typical Controls
An IS auditor should understand the following
concepts:
a. Securely configure hypervisors and guest
images (OS & networks) according to industry
standards
● Apply hardening to these virtual
components, as closely as one would
do to a physical server (switch,
firewall, or other
b. Protect hypervisor communications on a
dedicated management network
● Management communications carry
on a trusted network, should be
encrypted and encryption should
encapsulate the management traffic
c. Patch the hypervisor, as the vendor releases
the fixes
d. Synchronize the virtualized infrastructure to
trusted authoritative timeserver
e. Disconnect unused physical hardware from
the host system
f. Disable all hypervisor services (flipboard or file
sharing between guest OS or host OS), unless
needed
g. Enable host inspection capabilities to monitor
security of each guest OS
h. Enable host inspection capabilities to monitor
security of activities occurring between guest
OSs
 ● Of special focus is communications in a
non-virtualized environment carried and
monitored over networks by network security
controls such as:
○ Network firewalls
○ Security appliances
○ Network IDPS sensor
I. Use file integrity monitoring of the hypervisor
to monitor for signs of compromise

REFERENCES:
ISACA. (2019). CISA review manual (27th ed.).

Prepared By:
Krishia Angeles
Justine Angela Cureg
Marian Martina Firme
Jyruenth Llausas
Pam Porciuncula
Jenny Rose Villegas
Nicole Vinuya