
IT Systems Security

Uploaded by

omarmuhtaseboo

Management Security and Auditing
Course Objectives
• Analyze and resolve security controls in different IT systems.

• Understand the process of auditing IT systems.

• Understand various activities related to IT governance and management.

• Understand controls related to IT application development and acquisition.

• Understand security controls and auditing in IT operations and maintenance.
Course Books
Mike Kegerreis, Mike Schiller and Chris Davis, IT Auditing Using
Controls to Protect Information Assets, 3rd Edition. McGraw Hill

CISA Review Manual, 27th Edition. ISACA

Online Resources
• ISACA: https://www.isaca.org/resources/it-audit
• NIST: http://www.csrc.nist.org/
Course Assessment
Midterm: 30%
Term Paper / Project: 15%
Assignment / Case Studies: 15%
Final Exam: 40%
The security problem in computing
The meaning of computer security:

• The term computer security has evolved in recent years.

• Before the problem of data security became widely publicized in the media, most people’s idea of computer security focused on the physical machine.

• Traditionally, computer facilities have been physically protected for three reasons:
1. To prevent theft of or damage to the hardware

2. To prevent theft of or damage to the information

3. To prevent disruption of service


IT Security
• IT security is a set of cybersecurity strategies that prevents
unauthorized access to organizational assets such as
- computers,
- networks, and
- data

• It maintains the integrity and confidentiality of sensitive information, blocking the access of sophisticated hackers.
• Some important terms used in IT security are:

Vulnerability:
Vulnerability is a weakness which allows an attacker to reduce a system's
information assurance.

Vulnerability is the intersection of three elements:
- a system susceptibility or flaw,
- attacker access to the flaw, and
- attacker capability to exploit the flaw
Backdoors:
A backdoor in a computer system is a method of bypassing normal
authentication, securing remote access to a computer, obtaining access
to plaintext, and so on, while attempting to remain undetected.

Denial-of-service attack:
Unlike other exploits, denial-of-service attacks are not used to gain
unauthorized access or control of a system. They are instead designed
to render it unusable.

Direct-access attacks:
An unauthorized user gaining physical access to a computer (or part
thereof) can perform many functions, such as installing different types of
devices to compromise security, including operating system modifications,
software worms, key loggers, and covert listening devices.

Eavesdropping:
Eavesdropping is the act of surreptitiously listening to a private
conversation, typically between hosts on a network.

Spoofing:
Spoofing of user identity describes a situation in which one person or
program successfully masquerades as another by falsifying data and thereby
gaining an illegitimate advantage.

Tampering:
Tampering describes an intentional modification of products in a way that would
make them harmful to the consumer.

Repudiation:
Repudiation describes a situation where the authenticity of a signature is being
challenged.

Computer crime:
Computer crime refers to any crime that involves a computer and a network.
Security Principles
There are five principles of security. They are as follows:
1. Confidentiality:
The principle of confidentiality specifies that only the sender and
the intended recipient should be able to access the content of
the message.

2. Integrity:
The confidential information sent by A to B which is accessed by C
without the permission or knowledge of A and B.
3. Authentication:
An authentication mechanism helps in establishing proof of
identification.

4. Access control:
Access control specifies and controls who can access what.

5. Availability:
It means that assets are accessible to authorized parties at
appropriate times.
Attack??
We want our security system to make sure that no data are disclosed to
unauthorized parties.
- Data should not be modified in illegitimate ways
- Legitimate users can access the data

Types of attacks:
Attacks are grouped into two types:
1. Passive attacks: do not involve any modification to the contents of an
original message
2. Active attacks: the contents of the original message are modified in some
way.
IT security VS Information security

• Information security refers to the processes and tools designed to
protect sensitive business information from invasion,

• whereas IT security refers to securing digital data, through computer
network security.
Threats to IT security?

• Threats to IT security can come in different forms.

• A common threat is malware, or malicious software, which may come in
different variations to infect network devices, including:

- Ransomware
- Spyware
- Viruses

• These threats make it even more important to have reliable security
practices in place.
Types of IT security

Network Security:
• Network security is used to prevent unauthorized or malicious users
from getting inside your network.

• Network security ensures that usability, reliability, and integrity are
uncompromised.

• This type of security is necessary to prevent a hacker from accessing
data inside the network.
Internet Security:
• Internet security involves the protection of information that is sent
and received in browsers, as well as network security involving
web-based applications.

• These protections are designed to monitor incoming internet traffic
for malware as well as unwanted traffic.

• This protection may come in the form of firewalls, antimalware, and
antispyware.
Endpoint Security:
• Endpoint security provides protection at the device level.

• Devices that may be secured by endpoint security include cell phones,
tablets, laptops, and desktop computers.

• Endpoint security will prevent your devices from accessing malicious
networks that may be a threat to your organization.

• Advanced malware protection and device management software are
examples of endpoint security.
Cloud Security:
• Applications, data, and identities are moving to the cloud, meaning
users are connecting directly to the Internet and are not protected by
the traditional security stack.

• Cloud security can help secure the usage of software-as-a-service
(SaaS) applications and the public cloud.
Application Security:
• With application security, applications are specifically coded at the
time of their creation to be as secure as possible, to help ensure they
are not vulnerable to attacks.

• This added layer of security involves evaluating the code of an app
and identifying the vulnerabilities that may exist within the software.
The Need for IT Security
Q. Can we remove all vulnerabilities once and for all????

A. No, we can’t! Reasons why that’s impossible:
– Rapid innovation and new technology create new vulnerabilities
– Information security is (still) often ignored when developing IT
– New threats that exploit vulnerabilities are invented every day
– More effective attack techniques and tools are being developed
– Increased value of online digital assets makes attacks more attractive
Conclusion:
• IT security doesn’t have a final goal; it’s a continuing process.

• Organizations should examine and evaluate their information
technology infrastructure, policies and operations regularly in order
to identify vulnerabilities and to put timely controls in place.

Reviewing IT infrastructure with the aim of identifying a lack of, or
weaknesses in, controls is called IT Audit.
