Chapter 5  Protection of Information Assets 2007   CISA   Review Course
Chapter Overview <ul><li>Importance of Information Security Management </li></ul><ul><li>Logical Access Exposures and Cont...
Chapter  Objective <ul><li>Ensure that the CISA candidate… </li></ul><ul><li>“ understands and can provide assurance that ...
Chapter 5  Summary <ul><li>According to the CISA Certification Board, this content area will represent approximately 31% o...
5.1. Importance of Information Security Management
5.1. Importance of Information Security Management <ul><li>Security objectives to meet organization’s business  requiremen...
5.1. Importance of Information Security Management <ul><li>5.1.1.  Key Elements of Information Security Management  </li><...
<ul><li>5.1.2. Information Security Management Roles and Responsibilities </li></ul><ul><ul><li>IS security steering commi...
5.1. Importance of Information Security Management <ul><li>5.1.3. Information Asset Inventories </li></ul><ul><ul><li>Clea...
<ul><li>5.1.4. Classification of Information Assets </li></ul><ul><ul><li>Who has access rights and to what? </li></ul></u...
<ul><ul><li>5.1.5.  System Access Permissions </li></ul></ul><ul><ul><ul><ul><li>Logically or physically based </li></ul><...
5.1. Importance of Information Security Management <ul><li>5.1.6. Mandatory and Discretionary Access Controls </li></ul><u...
<ul><li>5.1.7. Privacy Management Issues and the Role of IS Auditors </li></ul><ul><ul><li>- The goals of a privacy impact...
<ul><li>5.1.8. Critical success factors to information security management </li></ul><ul><ul><li>Information Security Poli...
<ul><li>5.1.9. Information security and External Parties </li></ul><ul><ul><li>Identification of Risks Related to External...
<ul><li>5.1.10.  HUMAN RESOURCES SECURITY AND THIRD PARTIES   </li></ul><ul><ul><li>Screening  </li></ul></ul><ul><ul><li>...
<ul><li>5.1.11. Computer crime issues and exposures </li></ul><ul><ul><li>Threats to business include the following: </li>...
<ul><li>5.1.11. Computer crime issues and exposures (Cont.) </li></ul><ul><ul><li>Computer crime vs. computer abuse </li><...
<ul><li>5.1.11. Computer crime issues and exposures (Cont.)  </li></ul><ul><li>Possible perpetrators include: </li></ul><u...
5.2. Logical Access Exposures  and Controls
<ul><li>Logical access controls are the primary means of managing and protecting resources to reduce risks to a level acce...
5.2. Logical Access Exposures  and Controls <ul><ul><li>Trojan horses or backdoors  </li></ul></ul><ul><ul><li>Rounding do...
<ul><li>5.2.2. Familiarization with the organization's IT environment </li></ul><ul><ul><li>These layers are:  </li></ul><...
<ul><li>5.2.3. Paths of Logical Access </li></ul><ul><ul><li>General points of entry </li></ul></ul><ul><ul><ul><li>Networ...
<ul><li>5.2.4. Logical Access Control Software </li></ul><ul><ul><li>Prevents unauthorized access and  </li></ul></ul><ul>...
<ul><li>5.2.4. Logical access control software functionality </li></ul><ul><li>General operating systems access control fu...
<ul><li>5.2.4. Logical Access Control Software  </li></ul><ul><ul><li>-  Database and/or application-level access control ...
<ul><li>5.2.5. Identification and Authentication </li></ul><ul><ul><li>Logon-ids and passwords </li></ul></ul><ul><ul><ul>...
<ul><li>5.2.5. Identification and Authentication </li></ul><ul><ul><li>Single sign-on (SSO) </li></ul></ul><ul><ul><li>SSO...
<ul><li>5.2.5. Identification and Authentication </li></ul><ul><ul><li>Single sign-on (SSO) advantages  </li></ul></ul><ul...
<ul><li>5.2.5. Identification and Authentication </li></ul><ul><ul><li>Single sign-on (SSO) disadvantages include: </li></...
<ul><li>5.2.6. Social Engineering </li></ul><ul><ul><li>Is the human side of breaking into a corporate network.  </li></ul...
5.2. Logical Access Exposures  and Controls <ul><li>Phishing </li></ul><ul><li>This normally takes the form of an e-mail, ...
<ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Typical access restrictions at the file level include:  </li></u...
<ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Access control lists refer to: </li></ul></ul><ul><ul><ul><li>Us...
<ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Logical access security administration </li></ul></ul><ul><ul><u...
<ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>-  Advantages of conducting security in a decentralized environm...
<ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>-  Risks associated with distributed responsibility for security...
<ul><li>5.2.7. Authorization Issues </li></ul><ul><li>  Remote access security </li></ul><ul><ul><li>Today’s organizations...
<ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Remote access security risks include: </li></ul></ul><ul><ul><ul...
<ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Remote access security controls include: </li></ul></ul><ul><ul>...
5.2. Logical Access Exposures  and Controls <ul><li>5.2.7. Authorization   Issues </li></ul><ul><ul><li>Remote access usin...
5.2. Logical Access Exposures  and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Access issues with m...
5.2. Logical Access Exposures  and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Audit logging in mon...
5.2. Logical Access Exposures  and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><li>Audit logging in monitor...
5.2. Logical Access Exposures  and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Audit logging in mon...
5.2. Logical Access Exposures  and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Audit logging in mon...
5.2. Logical Access Exposures  and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Restrict and monitor...
5.2. Logical Access Exposures  and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Naming conventions f...
5.2. Logical Access Exposures  and Controls <ul><li>5.2.8. Storing, Retrieving, Transporting and  </li></ul><ul><li>Dispos...
<ul><li>Which of the following  BEST  provides access control to payroll data being processed on a local server?  </li></u...
<ul><li>A utility is available to update critical tables in case of data inconsistency. This utility can be executed at th...
<ul><li>An organization is proposing to install a single sign-on facility giving access to all systems. The organization s...
5.3. Network Infrastructure  Security
<ul><li>5.3.1. LAN Security </li></ul><ul><li>Local area networks facilitate the storage and retrieval of programs and dat...
<ul><li>5.3.2. Client-Server Security   </li></ul><ul><ul><li>Control techniques in place </li></ul></ul><ul><ul><ul><li>S...
<ul><li>5.3.2. Client/Server  Security </li></ul><ul><ul><li>Client/server  risks and issues </li></ul></ul><ul><ul><ul><l...
<ul><li>5.3.2. Client/Server  Security </li></ul><ul><ul><li>Client/server  risks and issues </li></ul></ul><ul><ul><ul><l...
<ul><li>5.3.3. Wireless Security Threats and Risk  Mitigation </li></ul><ul><ul><li>Threats categorization : </li></ul></u...
<ul><li>5.3.3. Wireless Security Threats and Risk  Mitigation </li></ul><ul><ul><li>Security requirements </li></ul></ul><...
<ul><li>5.3.4. Internet Threats and Security </li></ul><ul><ul><li>Network Security Threats </li></ul></ul><ul><ul><li>Pas...
<ul><li>5.3.4. Internet Threats and Security </li></ul><ul><ul><li>Threat impact </li></ul></ul><ul><ul><ul><li>Loss of in...
<ul><li>5.3.4. Internet Threats and Security </li></ul><ul><ul><li>Causal factors for internet attacks </li></ul></ul><ul>...
<ul><li>Firewall Security Systems </li></ul><ul><ul><li>Firewall general features </li></ul></ul><ul><ul><li>Firewall type...
<ul><li>Firewall Security Systems </li></ul><ul><ul><li>Examples of firewall implementations </li></ul></ul><ul><ul><ul><l...
<ul><li>Firewall Security Systems </li></ul><ul><ul><li>Firewall issues </li></ul></ul><ul><ul><ul><li>A false sense of se...
5.3. Network Infrastructure  Security <ul><li>Firewall Security Systems </li></ul><ul><li>Firewall Platforms </li></ul><ul...
<ul><li>Intrusion Detection Systems (IDS) </li></ul><ul><li>An IDS works in conjunction with routers and firewalls by moni...
<ul><li>Intrusion Detection Systems (IDS) </li></ul><ul><ul><li>Components: </li></ul></ul><ul><ul><ul><li>Sensors that ar...
<ul><li>Intrusion Detection Systems (IDS) </li></ul><ul><ul><li>Types include: </li></ul></ul><ul><ul><ul><li>Signature-ba...
<ul><li>Intrusion Detection Systems (IDS) </li></ul><ul><ul><li>Features: </li></ul></ul><ul><ul><ul><li>Intrusion detecti...
<ul><li>Intrusion Detection Systems (IDS) </li></ul><ul><ul><li>Limitations: </li></ul></ul><ul><ul><ul><li>Weaknesses in ...
5.3. Network Infrastructure  Security <ul><li>Honeypots and Honeynets </li></ul><ul><ul><ul><li>High interaction – Give ha...
<ul><li>5.3.5. Encryption </li></ul><ul><ul><li>Key elements of encryption systems </li></ul></ul><ul><ul><ul><li>Encrypti...
<ul><li>5.3.5. Encryption (Continued) </li></ul><ul><ul><li>Elliptical curve cryptosystem (ECC) </li></ul></ul><ul><ul><li...
<ul><li>5.3.5. Encryption (Continued) </li></ul><ul><ul><li>Digital signatures </li></ul></ul><ul><ul><ul><ul><li>Data int...
5.3.   Network Infrastructure  Security <ul><li>Digital Envelope   </li></ul><ul><ul><li>Used to send encrypted informatio...
<ul><li>5.3.5. Encryption (Continued) </li></ul><ul><ul><li>Public key infrastructure </li></ul></ul><ul><ul><ul><li>Digit...
<ul><li>5.3.5. Encryption (Continued) </li></ul><ul><ul><li>Use of encryption in OSI protocols </li></ul></ul><ul><ul><ul>...
5.3. Network Infrastructure  Security <ul><li>Encryption risks and password protection </li></ul><ul><li>Viruses </li></ul...
5.3. Network Infrastructure  Security <ul><li>Virus and Worm Controls   </li></ul><ul><li>Management Procedural Controls  ...
5.3. Network Infrastructure  Security <ul><li>5.3.7. VOICE-OVER IP </li></ul><ul><ul><ul><li>-  Advantages </li></ul></ul>...
5.3. Network Infrastructure  Security <ul><li>5.3.7. VOICE-OVER IP </li></ul><ul><ul><ul><li>-  VoIP Security Issues </li>...
5.3. Network Infrastructure  Security <ul><li>5.3.8. Private Branch Exchange  ( PBX   ) </li></ul><ul><ul><ul><li>Attribut...
<ul><li>Which of the following is the  MOST  effective anti-virus control?:  </li></ul><ul><li>A.  Scanning e-mail attachm...
<ul><li>An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment ...
<ul><li>A B-to-C e-commerce web site as part of its information security program wants to monitor, detect and prevent hack...
<ul><li>Which of the following  BEST  determines whether complete encryption and authentication protocols for protecting i...
<ul><li>Which of the following concerns about the security of an electronic message would be addressed by digital signatur...
<ul><li>Which of the following would be  MOST  appropriate to ensure the confidentiality of transactions initiated via the...
5.4. Auditing Information Security  Framework
<ul><li>5.4.1. AUDITING INFORMATION SECURITY FRAMEWORK </li></ul><ul><ul><li>Review written policies, procedures and stand...
<ul><li>5.4.1. Auditing Information Security Management (Cont.)  </li></ul><ul><ul><li>Data custodians </li></ul></ul><ul>...
<ul><li>5.4.2. Auditing Logical Access </li></ul><ul><ul><li>Familiarization with the organization's IT environment </li><...
<ul><li>5.4.3. Techniques for Testing Security </li></ul><ul><ul><li>Use of terminal cards and keys </li></ul></ul><ul><ul...
<ul><li>5.4.3. Techniques for Testing Security   (Continued) </li></ul><ul><ul><li>Follow-up access violations </li></ul><...
<ul><li>5.4.4.  INVESTIGATION  TECHNIQUES </li></ul><ul><ul><li>Investigation of Computer Crime </li></ul></ul><ul><ul><li...
<ul><li>An IS auditor reviewing the log of failed logon attempts would be  MOST  concerned if which of the following accou...
5.5. Auditing Network Infrastructure Security
<ul><li>5.5.1. Auditing Remote Access </li></ul><ul><ul><li>Auditing Internet “Points of Presence” </li></ul></ul><ul><ul>...
5.5. Auditing Network Infrastructure Security <ul><li>5.5.1. Auditing Remote Access </li></ul><ul><li>Computer Forensics  ...
5.6. Environmental Exposures and Controls
<ul><li>5.6.1. Environmental Issues and Exposures   </li></ul><ul><li>Environmental exposures are due primarily to natural...
<ul><li>5.6.1. Environmental Issues and Exposures </li></ul><ul><ul><li>Power failures can be grouped into distinct catego...
<ul><li>5.6.2. Controls for Environmental Exposures </li></ul><ul><ul><li>Alarm control panels </li></ul></ul><ul><ul><li>...
<ul><li>5.6.2. Controls for Environmental Exposures (cont.) </li></ul><ul><ul><li>Regular inspection by fire department </...
<ul><li>5.6.2. Controls for Environmental Exposures (cont.) </li></ul><ul><ul><li>Wiring placed in electrical panels and c...
<ul><li>5.6.3. Auditing Environmental Controls </li></ul><ul><ul><li>Water and smoke detectors </li></ul></ul><ul><ul><li>...
<ul><li>5.6.3. Auditing Environmental Controls (cont.) </li></ul><ul><ul><li>Power leads from two substations </li></ul></...
5.7. Physical Access Exposures  and Controls
<ul><li>5.7.1. Physical Access Issues and Exposures </li></ul><ul><ul><li>Physical access exposures </li></ul></ul><ul><ul...
<ul><li>5.7.1. Physical Access Issues and Exposures </li></ul><ul><ul><li>Possible perpetrators </li></ul></ul><ul><ul><ul...
<ul><li>5.7.2. Physical Access Controls </li></ul><ul><ul><li>Bolting door locks </li></ul></ul><ul><ul><li>Combination do...
<ul><li>5.7.2. Physical Access Controls (continued) </li></ul><ul><ul><li>Identification badges (photo IDs) </li></ul></ul...
<ul><li>5.7.2. Physical Access Controls (continued) </li></ul><ul><ul><li>Not advertising the location of sensitive facili...
<ul><li>5.7.3. Auditing Physical Access </li></ul><ul><ul><li>Touring the information processing facility  (IPF) </li></ul...
5.8. Mobile  Computing
5.9. Case Study
<ul><li>CASE STUDY SCENARIO </li></ul><ul><li>Management is currently considering ways in which to enhance the physical se...
<ul><li>CASE STUDY SCENARIO  (Cond…) </li></ul><ul><li>A total of 22 operations personnel require regular access. Currentl...
<ul><li>CASE STUDY SCENARIO  (Cont…) </li></ul><ul><li>Two of the doors to the data center also have key locks that bypass...
5.10. Practice Questions
<ul><li>CASE STUDY QUESTIONS </li></ul><ul><li>1. Which of the following risks would be mitigated by supplementing the pro...
<ul><li>CASE STUDY QUESTIONS </li></ul><ul><li>2. Which of the following access mechanisms would present the greatest diff...
5.11. Answers to Practice Questions
5.12. Suggested Resources for Reference
<ul><li>Group Discussion </li></ul>Chapter 5 Recap
Upcoming SlideShare
Loading in...5
×

Chap5 2007 Cisa Review Course

3,750

Published on

Published in: Technology, Education

Chap5 2007 Cisa Review Course

  1. 1. Chapter 5 Protection of Information Assets 2007 CISA  Review Course
  2. 2. Chapter Overview <ul><li>Importance of Information Security Management </li></ul><ul><li>Logical Access Exposures and Controls </li></ul><ul><li>Network Infrastructure Security </li></ul><ul><li>Auditing Information Security Management Framework </li></ul><ul><li>Auditing Network Infrastructure Security </li></ul><ul><li>Environmental Exposures and Controls </li></ul><ul><li>Physical Access Exposures and Controls </li></ul><ul><li>Mobile Computing. </li></ul>
  3. 3. Chapter Objective <ul><li>Ensure that the CISA candidate… </li></ul><ul><li>“ understands and can provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets. ” </li></ul>
  4. 4. Chapter 5 Summary <ul><li>According to the CISA Certification Board, this content area will represent approximately 31% of the CISA examination. (approximately 62 questions) </li></ul>
  5. 5. 5.1. Importance of Information Security Management
  6. 6. 5.1. Importance of Information Security Management <ul><li>Security objectives to meet organization’s business requirements include : </li></ul><ul><ul><li>Ensure the continued availability of their information systems. </li></ul></ul><ul><ul><li>Ensure the integrity of the information stored on their computer systems. </li></ul></ul><ul><ul><li>Preserve the confidentiality of sensitive data. </li></ul></ul><ul><ul><li>Ensure conformity to applicable laws, regulations and standards. </li></ul></ul><ul><ul><li>Ensure adherence to trust and obligation in relation to any information relating to an identified or identifiable individual </li></ul></ul><ul><ul><li>Preserve the confidentiality of sensitive data in store and in transit. </li></ul></ul>
  7. 7. 5.1. Importance of Information Security Management <ul><li>5.1.1. Key Elements of Information Security Management </li></ul><ul><ul><li>Senior management commitment and support </li></ul></ul><ul><ul><li>Policies and procedures </li></ul></ul><ul><ul><li>Organization </li></ul></ul><ul><ul><li>Security awareness and education </li></ul></ul><ul><ul><li>Monitoring and compliance </li></ul></ul><ul><ul><li>Incident handling and response </li></ul></ul>5.1. Importance of Information Security Management
  8. 8. <ul><li>5.1.2. Information Security Management Roles and Responsibilities </li></ul><ul><ul><li>IS security steering committee </li></ul></ul><ul><ul><li>Executive management </li></ul></ul><ul><ul><li>Security advisory group </li></ul></ul><ul><ul><li>Chief Privacy Officer (CPO) </li></ul></ul><ul><ul><li>Chief security officer (CSO) </li></ul></ul><ul><ul><li>Process owners </li></ul></ul><ul><ul><li>Information assets owners and data owners </li></ul></ul><ul><ul><li>Users </li></ul></ul><ul><ul><li>External parties </li></ul></ul><ul><ul><li>Security specialists/advisors </li></ul></ul><ul><ul><li>IT developers </li></ul></ul><ul><ul><li>IS auditors </li></ul></ul>5.1. Importance of Information Security Management
  9. 9. 5.1. Importance of Information Security Management <ul><li>5.1.3. Information Asset Inventories </li></ul><ul><ul><li>Clear identification of asset </li></ul></ul><ul><ul><li>Location </li></ul></ul><ul><ul><li>Security/risk classification </li></ul></ul><ul><ul><li>Asset group </li></ul></ul><ul><ul><li>Owner </li></ul></ul>
  10. 10. <ul><li>5.1.4. Classification of Information Assets </li></ul><ul><ul><li>Who has access rights and to what? </li></ul></ul><ul><ul><li>The level of access to be granted </li></ul></ul><ul><ul><li>Who is responsible for determining the access rights and access levels? </li></ul></ul><ul><ul><li>What approvals are needed for access? </li></ul></ul>5.1. Importance of Information Security Management
  11. 11. <ul><ul><li>5.1.5. System Access Permissions </li></ul></ul><ul><ul><ul><ul><li>Logically or physically based </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Need-to-know basis </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Four IT layers of security provided for networks </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Access to information resources </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Access Capabilities </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Reviews of access authorization </li></ul></ul></ul></ul>5.1. Importance of Information Security Management
  12. 12. 5.1. Importance of Information Security Management <ul><li>5.1.6. Mandatory and Discretionary Access Controls </li></ul><ul><li>- Mandatory </li></ul><ul><ul><li>Enforces corporate security policy </li></ul></ul><ul><ul><li>Compares sensitivity of information resources </li></ul></ul><ul><li>Discretionary </li></ul><ul><ul><li>- Enforces data-owner-defined sharing of information resources. </li></ul></ul>
  13. 13. <ul><li>5.1.7. Privacy Management Issues and the Role of IS Auditors </li></ul><ul><ul><li>- The goals of a privacy impact assessment </li></ul></ul><ul><ul><ul><li>Pinpoint the nature of personally identifiable information associated with business processes </li></ul></ul></ul><ul><ul><ul><li>Document the collection, use, disclosure and destruction of personally identifiable information </li></ul></ul></ul><ul><ul><ul><li>Ensure that accountability for privacy issues exists </li></ul></ul></ul><ul><ul><ul><li>Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk . </li></ul></ul></ul>5.1. Importance of Information Security Management
  14. 14. <ul><li>5.1.8. Critical success factors to information security management </li></ul><ul><ul><li>Information Security Policy </li></ul></ul><ul><ul><li>Senior management commitment and support on security training </li></ul></ul><ul><ul><li>Security Awareness Training </li></ul></ul><ul><ul><li>Professional Risk-based Approach </li></ul></ul>5.1. Importance of Information Security Management
  15. 15. <ul><li>5.1.9. Information security and External Parties </li></ul><ul><ul><li>Identification of Risks Related to External Parties </li></ul></ul><ul><ul><li>Addressing Security When Dealing With Customers </li></ul></ul><ul><ul><li>Addressing Security in Third-party Agreements </li></ul></ul>5.1. Importance of Information Security Management
  16. 16. <ul><li>5.1.10. HUMAN RESOURCES SECURITY AND THIRD PARTIES </li></ul><ul><ul><li>Screening </li></ul></ul><ul><ul><li>Terms and Conditions of Employment </li></ul></ul><ul><ul><li>During Employment </li></ul></ul><ul><ul><li>Termination or Change of Employment </li></ul></ul><ul><ul><li>Removal of Access Rights </li></ul></ul>5.1. Importance of Information Security Management
  17. 17. <ul><li>5.1.11. Computer crime issues and exposures </li></ul><ul><ul><li>Threats to business include the following: </li></ul></ul><ul><ul><ul><li>Financial loss </li></ul></ul></ul><ul><ul><ul><li>Legal repercussions </li></ul></ul></ul><ul><ul><ul><li>Loss of credibility or competitive edge </li></ul></ul></ul><ul><ul><ul><li>Blackmail/industrial espionage </li></ul></ul></ul><ul><ul><ul><li>Disclosure of confidential, sensitive or embarrassing information </li></ul></ul></ul><ul><ul><ul><li>Sabotage </li></ul></ul></ul>5.1. Importance of Information Security Management
  18. 18. <ul><li>5.1.11. Computer crime issues and exposures (Cont.) </li></ul><ul><ul><li>Computer crime vs. computer abuse </li></ul></ul><ul><ul><li>“ Crime” depending on statistics of the jurisdiction </li></ul></ul><ul><ul><li>Civil offense vs. criminal offence </li></ul></ul><ul><ul><li>When should a crime be suspected? </li></ul></ul>5.1. Importance of Information Security Management
  19. 19. <ul><li>5.1.11. Computer crime issues and exposures (Cont.) </li></ul><ul><li>Possible perpetrators include: </li></ul><ul><ul><ul><li>Hackers </li></ul></ul></ul><ul><ul><ul><li>Script Kiddies </li></ul></ul></ul><ul><ul><ul><li>Crackers </li></ul></ul></ul><ul><ul><ul><li>Employees (authorized or unauthorized) </li></ul></ul></ul><ul><ul><ul><ul><ul><li>IS personnel </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>End users </li></ul></ul></ul></ul></ul><ul><ul><ul><li>Former employees </li></ul></ul></ul><ul><ul><ul><li>Interested or educated outsiders </li></ul></ul></ul><ul><ul><ul><li>Part-time and temporary personnel </li></ul></ul></ul><ul><ul><ul><li>Third parties </li></ul></ul></ul><ul><ul><ul><li>Accidental ignorant </li></ul></ul></ul>5.1. Importance of Information Security Management
  20. 20. 5.2. Logical Access Exposures and Controls
  21. 21. <ul><li>Logical access controls are the primary means of managing and protecting resources to reduce risks to a level acceptable to an organization. </li></ul>5.2. Logical Access Exposures and Controls
  22. 22. 5.2. Logical Access Exposures and Controls <ul><ul><li>Trojan horses or backdoors </li></ul></ul><ul><ul><li>Rounding down </li></ul></ul><ul><ul><li>Salami techniques </li></ul></ul><ul><ul><li>Viruses </li></ul></ul><ul><ul><li>Worms </li></ul></ul><ul><ul><li>Logic bombs </li></ul></ul><ul><ul><li>Trap Doors </li></ul></ul><ul><ul><li>Asynchronous attacks </li></ul></ul><ul><ul><li>Data leakage </li></ul></ul><ul><ul><li>Wire-tapping </li></ul></ul><ul><ul><li>War driving </li></ul></ul><ul><ul><li>Piggybacking </li></ul></ul><ul><ul><li>Computer shutdown </li></ul></ul><ul><ul><li>Denial of service attack </li></ul></ul>5.2.1. Logical Access Exposures
  23. 23. <ul><li>5.2.2. Familiarization with the organization's IT environment </li></ul><ul><ul><li>These layers are: </li></ul></ul><ul><ul><ul><li>the network </li></ul></ul></ul><ul><ul><ul><li>operating system platform </li></ul></ul></ul><ul><ul><ul><li>database and application layers </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  24. 24. <ul><li>5.2.3. Paths of Logical Access </li></ul><ul><ul><li>General points of entry </li></ul></ul><ul><ul><ul><li>Network connectivity </li></ul></ul></ul><ul><ul><ul><li>Remote access </li></ul></ul></ul><ul><ul><ul><li>Operator console </li></ul></ul></ul><ul><ul><ul><li>Online workstations or terminals </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  25. 25. <ul><li>5.2.4. Logical Access Control Software </li></ul><ul><ul><li>Prevents unauthorized access and </li></ul></ul><ul><ul><li>modification to an organization’s sensitive data and use of system critical functions </li></ul></ul>5.2. Logical Access Exposures and Controls
  26. 26. <ul><li>5.2.4. Logical access control software functionality </li></ul><ul><li>General operating systems access control functions include: </li></ul><ul><ul><ul><li>User identification and authentication mechanisms </li></ul></ul></ul><ul><ul><ul><li>Restricted logon IDs </li></ul></ul></ul><ul><ul><ul><li>Rules for access to specific information resources </li></ul></ul></ul><ul><ul><ul><li>Create individual accountability and auditability </li></ul></ul></ul><ul><ul><ul><li>Create or change user profiles </li></ul></ul></ul><ul><ul><ul><li>Log events </li></ul></ul></ul><ul><ul><ul><li>Log user activities </li></ul></ul></ul><ul><ul><ul><li>Report capabilities </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  27. 27. <ul><li>5.2.4. Logical Access Control Software </li></ul><ul><ul><li>- Database and/or application-level access control functions include: </li></ul></ul><ul><ul><ul><li>Create or change data files and database profiles </li></ul></ul></ul><ul><ul><ul><li>Verify user authorization at the application and transaction levels </li></ul></ul></ul><ul><ul><ul><li>Verify user authorization within the application </li></ul></ul></ul><ul><ul><ul><li>Verify user authorization at the field level for changes within a database </li></ul></ul></ul><ul><ul><ul><li>Verify subsystem authorization for the user at the file level </li></ul></ul></ul><ul><ul><ul><li>Log database/data communications access activities for monitoring access violations </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  28. 28. <ul><li>5.2.5. Identification and Authentication </li></ul><ul><ul><li>Logon-ids and passwords </li></ul></ul><ul><ul><ul><li>Features of passwords </li></ul></ul></ul><ul><ul><ul><li>Password syntax (format) rules </li></ul></ul></ul><ul><ul><li>Token devices- one time passwords </li></ul></ul><ul><ul><li>Biometric </li></ul></ul><ul><ul><ul><li>Management of Biometrics </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  29. 29. <ul><li>5.2.5. Identification and Authentication </li></ul><ul><ul><li>Single sign-on (SSO) </li></ul></ul><ul><ul><li>SSO is the process for the consolidating all organization platform-based administration, authentication and authorization functions into a single centralized administrative function. A single sign-on product that interfaces with: </li></ul></ul><ul><ul><ul><li>client-server and distributed systems </li></ul></ul></ul><ul><ul><ul><li>mainframe systems </li></ul></ul></ul><ul><ul><ul><li>network security including remote access mechanisms </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  30. 30. <ul><li>5.2.5. Identification and Authentication </li></ul><ul><ul><li>Single sign-on (SSO) advantages </li></ul></ul><ul><ul><ul><li>Multiple passwords are no longer required, therefore, whereby a user may be more inclined and motivated to select a stronger password </li></ul></ul></ul><ul><ul><ul><li>It improves an administrator’s ability to manage users’ accounts and authorizations to all associates systems </li></ul></ul></ul><ul><ul><ul><li>It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications </li></ul></ul></ul><ul><ul><ul><li>It reduces the time taken by users to log into multiple applications and platforms </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  31. 31. <ul><li>5.2.5. Identification and Authentication </li></ul><ul><ul><li>Single sign-on (SSO) disadvantages include: </li></ul></ul><ul><ul><ul><li>Support for all major operating system environments is difficult </li></ul></ul></ul><ul><ul><ul><li>The costs associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary </li></ul></ul></ul><ul><ul><ul><li>The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization’s information assets </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  32. 32. <ul><li>5.2.6. Social Engineering </li></ul><ul><ul><li>Is the human side of breaking into a corporate network. </li></ul></ul><ul><ul><li>The best means of defense for social engineering is an ongoing security awareness program, wherein all employees are educated about the risks involved in attacks. </li></ul></ul>5.2. Logical Access Exposures and Controls
  33. 33. 5.2. Logical Access Exposures and Controls <ul><li>Phishing </li></ul><ul><li>This normally takes the form of an e-mail, </li></ul><ul><li>though it may be a personal or telephone approach, pretending to be an authorized person or organization legitimately </li></ul><ul><ul><li>requesting information. </li></ul></ul>5.2.6. Social Engineering
  34. 34. <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Typical access restrictions at the file level include: </li></ul></ul><ul><ul><ul><li>Read, inquiry or copy only </li></ul></ul></ul><ul><ul><ul><li>Write, create, update or delete only </li></ul></ul></ul><ul><ul><ul><li>Execute only </li></ul></ul></ul><ul><ul><ul><li>A combination of the above </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  35. 35. <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Access control lists refer to: </li></ul></ul><ul><ul><ul><li>Users (including groups, machines, processes) </li></ul></ul></ul><ul><ul><ul><li>who have been given permission to use a </li></ul></ul></ul><ul><ul><ul><li>particular system resource </li></ul></ul></ul><ul><ul><ul><li>The types of access permitted </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  36. 36. <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Logical access security administration </li></ul></ul><ul><ul><ul><li>Centralized environment </li></ul></ul></ul><ul><ul><ul><li>Decentralized environment </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  37. 37. <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>- Advantages of conducting security in a decentralized environment </li></ul></ul><ul><ul><ul><li>The security administration is on-site at the distributed location </li></ul></ul></ul><ul><ul><ul><li>Security issues are resolved in a more timely manner </li></ul></ul></ul><ul><ul><ul><li>Security controls are monitored on a more frequent basis </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  38. 38. <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>- Risks associated with distributed responsibility for security administration </li></ul></ul><ul><ul><ul><li>Local standards might be implemented rather than those required </li></ul></ul></ul><ul><ul><ul><li>Levels of security management might be below chat can be maintained by central administration. </li></ul></ul></ul><ul><ul><ul><li>Unavailability of management checks and audits. </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  39. 39. <ul><li>5.2.7. Authorization Issues </li></ul><ul><li> Remote access security </li></ul><ul><ul><li>Today’s organizations require remote access connectivity to their information resources for different types of users such as employees, vendors, consultants, business partners and customer representatives. In providing this capability, a variety of methods and procedures are available to satisfy an organization’s business need for this level of access. </li></ul></ul>5.2. Logical Access Exposures and Controls
  40. 40. <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Remote access security risks include: </li></ul></ul><ul><ul><ul><li>Denial of service </li></ul></ul></ul><ul><ul><ul><li>Malicious third parties </li></ul></ul></ul><ul><ul><ul><li>Misconfigured communications software </li></ul></ul></ul><ul><ul><ul><li>Misconfigured devices on the corporate computing infrastructure </li></ul></ul></ul><ul><ul><ul><li>Host systems not secured appropriately </li></ul></ul></ul><ul><ul><ul><li>Physical security issues over remote users’ computers </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  41. 41. <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Remote access security controls include: </li></ul></ul><ul><ul><ul><li>Policy and standards </li></ul></ul></ul><ul><ul><ul><li>Proper authorizations </li></ul></ul></ul><ul><ul><ul><li>Identification and authentication mechanisms </li></ul></ul></ul><ul><ul><ul><li>Encryption tools and techniques, such as the use of VPN </li></ul></ul></ul><ul><ul><ul><li>System and network management </li></ul></ul></ul>5.2. Logical Access Exposures and Controls
  42. 42. 5.2. Logical Access Exposures and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Remote access using personal digital assistants (PDAs). </li></ul></ul><ul><ul><li>- Control issues to address include: </li></ul></ul><ul><ul><ul><li>Compliance </li></ul></ul></ul><ul><ul><ul><li>Approval </li></ul></ul></ul><ul><ul><ul><li>Standard PDA applications </li></ul></ul></ul><ul><ul><ul><li>Due care </li></ul></ul></ul><ul><ul><ul><li>Awareness training </li></ul></ul></ul><ul><ul><ul><li>PDA applications </li></ul></ul></ul><ul><ul><ul><li>Synchronization </li></ul></ul></ul><ul><ul><ul><li>Encryption </li></ul></ul></ul><ul><ul><ul><li>Virus detection and control </li></ul></ul></ul><ul><ul><ul><li>Device registration </li></ul></ul></ul><ul><ul><ul><li>Camera use </li></ul></ul></ul>
  43. 43. 5.2. Logical Access Exposures and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Access issues with mobile technology </li></ul></ul><ul><ul><ul><li>These devices should be strictly controlled both by policy and by denial of use. Possible actions include: </li></ul></ul></ul><ul><ul><ul><li>Banning all use of transportable drives in the security policy </li></ul></ul></ul><ul><ul><ul><li>Where no authorized used of USB ports exists, disabling use with a logon script which removes them form the system directory </li></ul></ul></ul><ul><ul><ul><li>If they are considered necessary for business use, encrypting all data transported or saved by these devices </li></ul></ul></ul>
  44. 44. 5.2. Logical Access Exposures and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Audit logging in monitoring system access </li></ul></ul><ul><ul><ul><li>provides management an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute force attacks on a privileged logon ID </li></ul></ul></ul>
  45. 45. 5.2. Logical Access Exposures and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><li>Audit logging in monitoring system access </li></ul><ul><ul><li>- Access rights to system logs </li></ul></ul><ul><ul><ul><li>A periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or gain system access during unusual hours. </li></ul></ul></ul>
  46. 46. 5.2. Logical Access Exposures and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Audit logging in monitoring system access </li></ul></ul><ul><ul><ul><li>- Tools for audit trails (logs) analysis </li></ul></ul></ul><ul><ul><ul><li>Audit reduction tools </li></ul></ul></ul><ul><ul><ul><li>Trends/variance-detection tools </li></ul></ul></ul><ul><ul><ul><li>Attack signature-detection tools </li></ul></ul></ul>
  47. 47. 5.2. Logical Access Exposures and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Audit logging in monitoring system access </li></ul></ul><ul><ul><ul><li>Cost consideration </li></ul></ul></ul><ul><ul><ul><li>Audit concerns </li></ul></ul></ul><ul><ul><ul><li>Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application </li></ul></ul></ul><ul><ul><ul><li>Violations (such as attempting computer file access that is not authorized) and/or use of incorrect passwords </li></ul></ul></ul><ul><ul><ul><li>effectiveness of IDs and IPs and management of detected and prevented intrusion </li></ul></ul></ul>
  48. 48. 5.2. Logical Access Exposures and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Restrict and monitor access to computer features that bypass cost consideration </li></ul></ul><ul><ul><ul><li>Generally, only system software </li></ul></ul></ul><ul><ul><ul><li>programmers should have access to: </li></ul></ul></ul><ul><ul><ul><li>Bypass label processing (BLP) </li></ul></ul></ul><ul><ul><ul><li>System exits </li></ul></ul></ul><ul><ul><ul><li>Special system logon IDs </li></ul></ul></ul>
  49. 49. 5.2. Logical Access Exposures and Controls <ul><li>5.2.7. Authorization Issues </li></ul><ul><ul><li>Naming conventions for logical access controls </li></ul></ul><ul><ul><ul><li>Are structures used to govern user access to </li></ul></ul></ul><ul><ul><ul><li>the system and user authority to access/use </li></ul></ul></ul><ul><ul><ul><li>computer resources, such as files, programs </li></ul></ul></ul><ul><ul><ul><li>and terminals. </li></ul></ul></ul>
  50. 50. 5.2. Logical Access Exposures and Controls <ul><li>5.2.8. Storing, Retrieving, Transporting and </li></ul><ul><li>Disposing of Confidential Information </li></ul><ul><ul><li>- Management should define and implement procedures to prevent access to, or loss of, sensitive information and software from computers, disks, and other equipment or media when they are stored, disposed of or transferred to another user. </li></ul></ul>
  51. 51. <ul><li>Which of the following BEST provides access control to payroll data being processed on a local server? </li></ul><ul><li>A. Logging of access to personal information </li></ul><ul><li>B. Separate password for sensitive </li></ul><ul><li>transactions </li></ul><ul><li>C. Software restricts access rules to </li></ul><ul><li>authorized staff </li></ul><ul><li>D. System access restricted to business </li></ul><ul><li>hours </li></ul>Chapter 5 Question 1
  52. 52. <ul><li>A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one of menu options in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to: </li></ul><ul><li>A. delete the utility software and install it as and when required. </li></ul><ul><li>B. provide access to the utility on a need-to-use basis. </li></ul><ul><li>C. provide access to the utility to user management. </li></ul><ul><li>D. define access so that the utility can be executed only in the menu option. </li></ul>Chapter 5 Question 5
  53. 53. <ul><li>An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that: </li></ul><ul><li>A. maximum unauthorized access would be possible if a password is disclosed. </li></ul><ul><li>B. user access rights would be restricted by the additional security parameters. </li></ul><ul><li>C. the security administrator’s workload would increase. </li></ul><ul><li>D. user access rights would be increased . </li></ul>Chapter 5 Question 6
  54. 54. 5.3. Network Infrastructure Security
  55. 55. <ul><li>5.3.1. LAN Security </li></ul><ul><li>Local area networks facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programs and data. </li></ul><ul><ul><li>LAN risk and issues </li></ul></ul><ul><ul><li>Dial-up access controls </li></ul></ul>5.3. Network Infrastructure Security
  56. 56. <ul><li>5.3.2. Client-Server Security </li></ul><ul><ul><li>Control techniques in place </li></ul></ul><ul><ul><ul><li>Securing access to data or application </li></ul></ul></ul><ul><ul><ul><li>Use of network monitoring devices </li></ul></ul></ul><ul><ul><ul><li>Data encryption techniques </li></ul></ul></ul><ul><ul><ul><li>Authentication systems </li></ul></ul></ul><ul><ul><ul><li>Use of application level access control programs </li></ul></ul></ul>5.3. Network Infrastructure Security
  57. 57. <ul><li>5.3.2. Client/Server Security </li></ul><ul><ul><li>Client/server risks and issues </li></ul></ul><ul><ul><ul><li>Access controls may be weak in a client-server environment. </li></ul></ul></ul><ul><ul><ul><li>Change control and change management procedures. </li></ul></ul></ul><ul><ul><ul><li>The loss of network availability may have a serious impact on the business or service. </li></ul></ul></ul><ul><ul><ul><li>Obsolescence of the network components </li></ul></ul></ul><ul><ul><ul><li>The use of modems to connect the network to other networks </li></ul></ul></ul>5.3. Network Infrastructure Security
  58. 58. <ul><li>5.3.2. Client/Server Security </li></ul><ul><ul><li>Client/server risks and issues </li></ul></ul><ul><ul><ul><li>The connection of the network to public switched telephone networks may be weak </li></ul></ul></ul><ul><ul><ul><li>Changes to systems or data </li></ul></ul></ul><ul><ul><ul><li>Access to confidential data and data modification may be unauthorized </li></ul></ul></ul><ul><ul><ul><li>Application code and data may not be located on a single machine enclosed in a secure computer room, as with mainframe computing </li></ul></ul></ul>5.3. Network Infrastructure Security
  59. 59. <ul><li>5.3.3. Wireless Security Threats and Risk Mitigation </li></ul><ul><ul><li>Threats categorization : </li></ul></ul><ul><ul><ul><li>Errors and omissions </li></ul></ul></ul><ul><ul><ul><li>Fraud and theft committed by authorized or unauthorized users of the system </li></ul></ul></ul><ul><ul><ul><li>Employee sabotage </li></ul></ul></ul><ul><ul><ul><li>Loss of physical and infrastructure support </li></ul></ul></ul><ul><ul><ul><li>Malicious hackers </li></ul></ul></ul><ul><ul><ul><li>Industrial espionage </li></ul></ul></ul><ul><ul><ul><li>Malicious code </li></ul></ul></ul><ul><ul><ul><li>Foreign government espionage </li></ul></ul></ul><ul><ul><ul><li>Threats to personal privacy </li></ul></ul></ul>5.3. Network Infrastructure Security
  60. 60. <ul><li>5.3.3. Wireless Security Threats and Risk Mitigation </li></ul><ul><ul><li>Security requirements </li></ul></ul><ul><ul><ul><li>Authenticity </li></ul></ul></ul><ul><ul><ul><li>Nonrepudiation </li></ul></ul></ul><ul><ul><ul><li>Accountability </li></ul></ul></ul><ul><ul><ul><li>Network availability </li></ul></ul></ul>5.3. Network Infrastructure Security
  61. 61. <ul><li>5.3.4. Internet Threats and Security </li></ul><ul><ul><li>Network Security Threats </li></ul></ul><ul><ul><li>Passive attacks </li></ul></ul><ul><ul><ul><li>Network analysis </li></ul></ul></ul><ul><ul><ul><li>Eavesdropping </li></ul></ul></ul><ul><ul><ul><li>Traffic analysis </li></ul></ul></ul><ul><ul><ul><li>Active attacks </li></ul></ul></ul><ul><ul><ul><li>Brute-force attack </li></ul></ul></ul><ul><ul><ul><li>Masquerading </li></ul></ul></ul><ul><ul><ul><li>Packet replay </li></ul></ul></ul><ul><ul><ul><li>Phishing </li></ul></ul></ul><ul><ul><ul><li>Message modification </li></ul></ul></ul><ul><ul><ul><li>Unauthorized access through the Internet or web-based services </li></ul></ul></ul><ul><ul><ul><li>Denial of service </li></ul></ul></ul><ul><ul><ul><li>Dial-in penetration attacks </li></ul></ul></ul><ul><ul><ul><li>E-mail bombing and spamming </li></ul></ul></ul><ul><ul><ul><li>E-mail spoofing </li></ul></ul></ul>5.3. Network Infrastructure Security
  62. 62. <ul><li>5.3.4. Internet Threats and Security </li></ul><ul><ul><li>Threat impact </li></ul></ul><ul><ul><ul><li>Loss of income </li></ul></ul></ul><ul><ul><ul><li>Increased cost of recovery </li></ul></ul></ul><ul><ul><ul><li>Increased cost of retrospectively securing systems </li></ul></ul></ul><ul><ul><ul><li>Loss of information </li></ul></ul></ul><ul><ul><ul><li>Loss of trade secrets </li></ul></ul></ul><ul><ul><ul><li>Damage to reputation </li></ul></ul></ul><ul><ul><ul><li>Legal and regulatory noncompliance </li></ul></ul></ul><ul><ul><ul><li>Failure to meet contractual commitments </li></ul></ul></ul><ul><ul><ul><li>Legal action by customers for loss of confidential data </li></ul></ul></ul>5.3. Network Infrastructure Security
  63. 63. <ul><li>5.3.4. Internet Threats and Security </li></ul><ul><ul><li>Causal factors for internet attacks </li></ul></ul><ul><ul><ul><li>Availability of tools and techniques on the Internet </li></ul></ul></ul><ul><ul><ul><li>Lack of security awareness and training </li></ul></ul></ul><ul><ul><ul><li>Exploitation of security vulnerabilities </li></ul></ul></ul><ul><ul><ul><li>Inadequate security over firewalls </li></ul></ul></ul><ul><ul><li>Internet security controls </li></ul></ul>5.3. Network Infrastructure Security
  64. 64. <ul><li>Firewall Security Systems </li></ul><ul><ul><li>Firewall general features </li></ul></ul><ul><ul><li>Firewall types </li></ul></ul><ul><ul><ul><li>Router packet filtering </li></ul></ul></ul><ul><ul><ul><li>Application firewall systems </li></ul></ul></ul><ul><ul><ul><li>Stateful inspection </li></ul></ul></ul>5.3. Network Infrastructure Security 5.3.4. Internet Threats and Security
  65. 65. <ul><li>Firewall Security Systems </li></ul><ul><ul><li>Examples of firewall implementations </li></ul></ul><ul><ul><ul><li>Screened-host firewall </li></ul></ul></ul><ul><ul><ul><li>Dual-homed firewall </li></ul></ul></ul><ul><ul><ul><li>Demilitarized zone (DMZ) </li></ul></ul></ul>5.3. Network Infrastructure Security 5.3.4. Internet Threats and Security
  66. 66. <ul><li>Firewall Security Systems </li></ul><ul><ul><li>Firewall issues </li></ul></ul><ul><ul><ul><li>A false sense of security </li></ul></ul></ul><ul><ul><ul><li>The circumvention of firewall </li></ul></ul></ul><ul><ul><ul><li>Misconfigured firewalls </li></ul></ul></ul><ul><ul><ul><li>What constitutes a firewall </li></ul></ul></ul><ul><ul><ul><li>Monitoring activities may not occur on a regular basis </li></ul></ul></ul><ul><ul><ul><li>Firewall policies </li></ul></ul></ul>5.3. Network Infrastructure Security 5.3.4. Internet Threats and Security
  67. 67. 5.3. Network Infrastructure Security <ul><li>Firewall Security Systems </li></ul><ul><li>Firewall Platforms </li></ul><ul><ul><li>Using hardware or software </li></ul></ul><ul><ul><li>appliances versus normal servers </li></ul></ul>5.3.4. Internet Threats and Security
  68. 68. <ul><li>Intrusion Detection Systems (IDS) </li></ul><ul><li>An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies. </li></ul><ul><ul><ul><li>Network-based IDSs </li></ul></ul></ul><ul><ul><ul><li>Host-based IDSs </li></ul></ul></ul>5.3. Network Infrastructure Security 5.3.4. Internet Threats and Security
  69. 69. <ul><li>Intrusion Detection Systems (IDS) </li></ul><ul><ul><li>Components: </li></ul></ul><ul><ul><ul><li>Sensors that are responsible for collecting data </li></ul></ul></ul><ul><ul><ul><li>Analyzers that receive inputo from sensors and determine intrusive activity </li></ul></ul></ul><ul><ul><ul><li>An administration console </li></ul></ul></ul><ul><ul><ul><li>A user interface </li></ul></ul></ul>5.3. Network Infrastructure Security 5.3.4. Internet Threats and Security
  70. 70. <ul><li>Intrusion Detection Systems (IDS) </li></ul><ul><ul><li>Types include: </li></ul></ul><ul><ul><ul><li>Signature-based </li></ul></ul></ul><ul><ul><ul><li>Statistical-based </li></ul></ul></ul><ul><ul><ul><li>Neural networks </li></ul></ul></ul>5.3. Network Infrastructure Security 5.3.4. Internet Threats and Security
  71. 71. <ul><li>Intrusion Detection Systems (IDS) </li></ul><ul><ul><li>Features: </li></ul></ul><ul><ul><ul><li>Intrusion detection </li></ul></ul></ul><ul><ul><ul><li>Gathering evidence on intrusive activity </li></ul></ul></ul><ul><ul><ul><li>Automated response </li></ul></ul></ul><ul><ul><ul><li>Security monitoring </li></ul></ul></ul><ul><ul><ul><li>Interface with system tolls </li></ul></ul></ul><ul><ul><ul><li>Security policy management </li></ul></ul></ul>5.3. Network Infrastructure Security 5.3.4. Internet Threats and Security
  72. 72. <ul><li>Intrusion Detection Systems (IDS) </li></ul><ul><ul><li>Limitations: </li></ul></ul><ul><ul><ul><li>Weaknesses in the policy definition </li></ul></ul></ul><ul><ul><ul><li>Application-level vulnerabilities </li></ul></ul></ul><ul><ul><ul><li>Backdoors into applications </li></ul></ul></ul><ul><ul><ul><li>Weaknesses in identification and authentication schemes </li></ul></ul></ul>5.3. Network Infrastructure Security 5.3.4. Internet Threats and Security
  73. 73. 5.3. Network Infrastructure Security <ul><li>Honeypots and Honeynets </li></ul><ul><ul><ul><li>High interaction – Give hackers a real environment to attack </li></ul></ul></ul><ul><ul><ul><li>Low interaction – Emulate production environments </li></ul></ul></ul>5.3.4. Internet Threats and Security
  74. 74. <ul><li>5.3.5. Encryption </li></ul><ul><ul><li>Key elements of encryption systems </li></ul></ul><ul><ul><ul><li>Encryption algorithm </li></ul></ul></ul><ul><ul><ul><li>Encryption key </li></ul></ul></ul><ul><ul><ul><li>Key length </li></ul></ul></ul><ul><ul><li>Private key cryptographic systems </li></ul></ul><ul><ul><li>Public key cryptographic systems </li></ul></ul>5.3. Network Infrastructure Security
  75. 75. <ul><li>5.3.5. Encryption (Continued) </li></ul><ul><ul><li>Elliptical curve cryptosystem (ECC) </li></ul></ul><ul><ul><li>Quantum cryptography </li></ul></ul><ul><ul><li>Advanced Encryption Standard (AES) </li></ul></ul><ul><ul><li>Digital signatures </li></ul></ul>5.3. Network Infrastructure Security
  76. 76. <ul><li>5.3.5. Encryption (Continued) </li></ul><ul><ul><li>Digital signatures </li></ul></ul><ul><ul><ul><ul><li>Data integrity </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Authentication </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Nonrepudiation </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Replay protection </li></ul></ul></ul></ul>5.3. Network Infrastructure Security
  77. 77. 5.3. Network Infrastructure Security <ul><li>Digital Envelope </li></ul><ul><ul><li>Used to send encrypted information and the relevant key along with it. </li></ul></ul><ul><ul><li>The message to be sent, can be encrypted by using either: </li></ul></ul><ul><ul><ul><li>Asymmetric key </li></ul></ul></ul><ul><ul><ul><li>Symmetric key </li></ul></ul></ul>5.3.5. Encryption (Continued)
  78. 78. <ul><li>5.3.5. Encryption (Continued) </li></ul><ul><ul><li>Public key infrastructure </li></ul></ul><ul><ul><ul><li>Digital certificates </li></ul></ul></ul><ul><ul><ul><li>Certificate authority (CA) </li></ul></ul></ul><ul><ul><ul><li>Registration authority (RA) </li></ul></ul></ul><ul><ul><ul><li>Certificate revocation list (CRL) </li></ul></ul></ul><ul><ul><ul><li>Certification practice statement (CPS) </li></ul></ul></ul>5.3. Network Infrastructure Security
  79. 79. <ul><li>5.3.5. Encryption (Continued) </li></ul><ul><ul><li>Use of encryption in OSI protocols </li></ul></ul><ul><ul><ul><li>Secure sockets layer (SSL) </li></ul></ul></ul><ul><ul><ul><li>Secure Hypertext Transfer Protocol (S/HTTP) </li></ul></ul></ul><ul><ul><ul><li>IP security </li></ul></ul></ul><ul><ul><ul><li>SSH </li></ul></ul></ul><ul><ul><ul><li>Secure multipurpose Internet mail extensions (S/MIME) </li></ul></ul></ul><ul><ul><ul><li>Secure electronic transactions (SET) </li></ul></ul></ul>5.3. Network Infrastructure Security
  80. 80. 5.3. Network Infrastructure Security <ul><li>Encryption risks and password protection </li></ul><ul><li>Viruses </li></ul><ul><li>Virus and worm controls </li></ul><ul><li>Technical controls </li></ul><ul><li>Anti-virus software implementation strategies </li></ul>5.3.5. Encryption (Continued )
  81. 81. 5.3. Network Infrastructure Security <ul><li>Virus and Worm Controls </li></ul><ul><li>Management Procedural Controls </li></ul><ul><li>Technical controls </li></ul><ul><li>Anti-virus software implementation strategies </li></ul>5.3.6. Viruses
  82. 82. 5.3. Network Infrastructure Security <ul><li>5.3.7. VOICE-OVER IP </li></ul><ul><ul><ul><li>- Advantages </li></ul></ul></ul><ul><ul><ul><li>Unlike traditional telephony VoIP innovation progresses at market rates </li></ul></ul></ul><ul><ul><ul><li>Lower costs per call, or even free calls, especially for long-distance calls </li></ul></ul></ul><ul><ul><ul><li>Lower infrastructure costs. Once IP infrastructure is installed, no or little additional telephony infrastructure is needed . </li></ul></ul></ul>
  83. 83. 5.3. Network Infrastructure Security <ul><li>5.3.7. VOICE-OVER IP </li></ul><ul><ul><ul><li>- VoIP Security Issues </li></ul></ul></ul><ul><ul><ul><li>Inherent poor security </li></ul></ul></ul><ul><ul><ul><ul><li>The current Internet architecture does not provide the same physical wire security as the phone lines. </li></ul></ul></ul></ul><ul><ul><ul><li>The key to securing VoIP </li></ul></ul></ul><ul><ul><ul><ul><li>security mechanisms such as those deployed in data networks (e.g., firewalls, encryption) to emulate the security level currently used by PSTN network users . </li></ul></ul></ul></ul>
  84. 84. 5.3. Network Infrastructure Security <ul><li>5.3.8. Private Branch Exchange ( PBX ) </li></ul><ul><ul><ul><li>Attributes </li></ul></ul></ul><ul><ul><ul><li>PBX Risks and Audit </li></ul></ul></ul>
  85. 85. <ul><li>Which of the following is the MOST effective anti-virus control?: </li></ul><ul><li>A. Scanning e-mail attachments on the </li></ul><ul><li>mail server. </li></ul><ul><li>B. Restoring systems from clean copies. </li></ul><ul><li>C. Disabling floppy drives. </li></ul><ul><li>D. An online anti-virus scan with up-to- </li></ul><ul><li>date virus definitions. </li></ul>Chapter 5 Question 2
  86. 86. <ul><li>An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious? </li></ul><ul><li>A. The security officer also serves as the database administrator. </li></ul><ul><li>B. Password controls are not administered over the client-server environment. </li></ul><ul><li>C. There is no business continuity plan for the mainframe system’s noncritical applications. </li></ul><ul><li>D. Most local area networks do not back up file-server-fixed disks regularly . </li></ul>Chapter 5 Question 4
  87. 87. <ul><li>A B-to-C e-commerce web site as part of its information security program wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose? </li></ul><ul><li>A. Intrusion detection systems </li></ul><ul><li>B. Firewalls </li></ul><ul><li>C. Routers </li></ul><ul><li>D. Asymmetric encryption </li></ul>Chapter 5 Question 7
  88. 88. <ul><li>Which of the following BEST determines whether complete encryption and authentication protocols for protecting information while being transmitted exist? </li></ul><ul><li>A. A digital signature with RSA has been implemented. </li></ul><ul><li>B. Work is being done in tunnel mode with the nested services of AH and ESP. </li></ul><ul><li>C. Digital certificates with RSA are being used. </li></ul><ul><li>D. Work is being done in transport mode with the nested services of AH and ESP. </li></ul><ul><li>. </li></ul>Chapter 5 Question 8
  89. 89. <ul><li>Which of the following concerns about the security of an electronic message would be addressed by digital signatures? </li></ul><ul><li>A. Unauthorized reading </li></ul><ul><li>B. Theft </li></ul><ul><li>C. Unauthorized copying </li></ul><ul><li>D. Alteration </li></ul>Chapter 5 Question 9
  90. 90. <ul><li>Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet? </li></ul><ul><li>A. Digital signature </li></ul><ul><li>B. Data Encryption Standard (DES) </li></ul><ul><li>C. Virtual private network (VPN) </li></ul><ul><li>D. Public key encryption </li></ul>Chapter 5 Question 10
  91. 91. 5.4. Auditing Information Security Framework
  92. 92. <ul><li>5.4.1. AUDITING INFORMATION SECURITY FRAMEWORK </li></ul><ul><ul><li>Review written policies, procedures and standards </li></ul></ul><ul><ul><li>Logical access security policies </li></ul></ul><ul><ul><li>Formal security awareness and training </li></ul></ul><ul><ul><li>Data ownership (data classification scheme) </li></ul></ul><ul><ul><li>Data owners </li></ul></ul>5.4. AUDITING INFORMATION SECURITY FRAMEWORK
  93. 93. <ul><li>5.4.1. Auditing Information Security Management (Cont.) </li></ul><ul><ul><li>Data custodians </li></ul></ul><ul><ul><li>Security administrator </li></ul></ul><ul><ul><li>New IT Users </li></ul></ul><ul><ul><li>Data users </li></ul></ul><ul><ul><li>Documented authorizations </li></ul></ul><ul><ul><li>Terminated employee access </li></ul></ul><ul><ul><li>Access standards </li></ul></ul><ul><ul><li>Security Baselines </li></ul></ul><ul><ul><li>Access Standards </li></ul></ul>5.4. AUDITING INFORMATION SECURITY FRAMEWORK
  94. 94. <ul><li>5.4.2. Auditing Logical Access </li></ul><ul><ul><li>Familiarization with the organization's IT environment </li></ul></ul><ul><ul><li>Documenting the access paths </li></ul></ul><ul><ul><li>Interviewing systems personnel </li></ul></ul><ul><ul><li>Reviewing reports from access control software </li></ul></ul><ul><ul><li>Reviewing application systems operations manual </li></ul></ul>5.4. AUDITING INFORMATION SECURITY FRAMEWORK
  95. 95. <ul><li>5.4.3. Techniques for Testing Security </li></ul><ul><ul><li>Use of terminal cards and keys </li></ul></ul><ul><ul><li>Terminal identification </li></ul></ul><ul><ul><li>Logon-ids and passwords </li></ul></ul><ul><ul><li>Controls over production resources </li></ul></ul><ul><ul><li>Logging and reporting of computer access violations </li></ul></ul>5.4. AUDITING INFORMATION SECURITY FRAMEWORK
  96. 96. <ul><li>5.4.3. Techniques for Testing Security (Continued) </li></ul><ul><ul><li>Follow-up access violations </li></ul></ul><ul><ul><li>Investigation of computer crime </li></ul></ul><ul><ul><li>Protection of Evidence </li></ul></ul><ul><ul><li>Identification of methods of bypassing security and compensating controls </li></ul></ul><ul><ul><li>Review access controls and password administration </li></ul></ul>5.4. AUDITING INFORMATION SECURITY FRAMEWORK
  97. 97. <ul><li>5.4.4. INVESTIGATION TECHNIQUES </li></ul><ul><ul><li>Investigation of Computer Crime </li></ul></ul><ul><ul><li>Protection of Evidence and Chain of Custody </li></ul></ul>5.4. AUDITING INFORMATION SECURITY FRAMEWORK
  98. 98. <ul><li>An IS auditor reviewing the log of failed logon attempts would be MOST concerned if which of the following accounts was targeted? </li></ul><ul><li>A. Network administrator </li></ul><ul><li>B. System administrator </li></ul><ul><li>C. Data administrator </li></ul><ul><li>D. Database administrator </li></ul>Chapter 5 Question 3
  99. 99. 5.5. Auditing Network Infrastructure Security
  100. 100. <ul><li>5.5.1. Auditing Remote Access </li></ul><ul><ul><li>Auditing Internet “Points of Presence” </li></ul></ul><ul><ul><li>Network penetration tests </li></ul></ul><ul><ul><li>Full network assessment reviews </li></ul></ul><ul><ul><li>LAN networks assessments </li></ul></ul><ul><ul><li>Development and authorization of network changes </li></ul></ul><ul><ul><li>Unauthorized changes </li></ul></ul>5.5. Auditing Network Infrastructure Security
  101. 101. 5.5. Auditing Network Infrastructure Security <ul><li>5.5.1. Auditing Remote Access </li></ul><ul><li>Computer Forensics </li></ul><ul><li>“ It is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings”. </li></ul>
  102. 102. 5.6. Environmental Exposures and Controls
  103. 103. <ul><li>5.6.1. Environmental Issues and Exposures </li></ul><ul><li>Environmental exposures are due primarily to naturally occurring events, such as lightning storms, earthquakes, volcanic eruptions, hurricanes, tornados and other types of extreme weather conditions. </li></ul>5.6. Environmental Exposures and Controls
  104. 104. <ul><li>5.6.1. Environmental Issues and Exposures </li></ul><ul><ul><li>Power failures can be grouped into distinct categories </li></ul></ul><ul><ul><ul><li>Total failure (blackout) </li></ul></ul></ul><ul><ul><ul><li>Severely reduced voltage (brownout) </li></ul></ul></ul><ul><ul><ul><li>Sags, spikes and surges </li></ul></ul></ul><ul><ul><ul><li>Electromagnetic interference (EMI) </li></ul></ul></ul>5.6. Environmental Exposures and Controls
  105. 105. <ul><li>5.6.2. Controls for Environmental Exposures </li></ul><ul><ul><li>Alarm control panels </li></ul></ul><ul><ul><li>Water detectors </li></ul></ul><ul><ul><li>Handheld fire extinguishers </li></ul></ul><ul><ul><li>Manual fire alarms </li></ul></ul><ul><ul><li>Smoke detectors </li></ul></ul><ul><ul><li>Fire suppression systems </li></ul></ul><ul><ul><li>Strategically locating the computer room </li></ul></ul>5.6. Environmental Exposures and Controls
  106. 106. <ul><li>5.6.2. Controls for Environmental Exposures (cont.) </li></ul><ul><ul><li>Regular inspection by fire department </li></ul></ul><ul><ul><li>Fireproof walls, floors and ceilings surrounding the computer room </li></ul></ul><ul><ul><li>Electrical surge protectors </li></ul></ul><ul><ul><li>Uninterruptible power supply/generator </li></ul></ul><ul><ul><li>Emergency power-off switch </li></ul></ul><ul><ul><li>Power leads from two substations </li></ul></ul>5.6. Environmental Exposures and Controls
  107. 107. <ul><li>5.6.2. Controls for Environmental Exposures (cont.) </li></ul><ul><ul><li>Wiring placed in electrical panels and conduit </li></ul></ul><ul><ul><li>Prohibiting against eating, drinking and smoking within the information processing facility </li></ul></ul><ul><ul><li>Fire resistant office materials </li></ul></ul><ul><ul><li>Documented and tested emergency evacuation plans </li></ul></ul>5.6. Environmental Exposures and Controls
  108. 108. <ul><li>5.6.3. Auditing Environmental Controls </li></ul><ul><ul><li>Water and smoke detectors </li></ul></ul><ul><ul><li>Handheld fire extinguishers </li></ul></ul><ul><ul><li>Fire suppression systems </li></ul></ul><ul><ul><li>Regular inspection by fire department </li></ul></ul><ul><ul><li>Fireproof walls, floors and ceilings surrounding the computer room </li></ul></ul><ul><ul><li>Electrical surge protectors </li></ul></ul>5.6. Environmental Exposures and Controls
  109. 109. <ul><li>5.6.3. Auditing Environmental Controls (cont.) </li></ul><ul><ul><li>Power leads from two substations </li></ul></ul><ul><ul><li>Fully documented and tested business continuity plan </li></ul></ul><ul><ul><li>Wiring placed in electrical panels and conduit </li></ul></ul><ul><ul><li>UPS/generator </li></ul></ul><ul><ul><li>Documented and tested emergency evacuation plans </li></ul></ul><ul><ul><li>Humidity/temperature control </li></ul></ul>5.6. Environmental Exposures and Controls
  110. 110. 5.7. Physical Access Exposures and Controls
  111. 111. <ul><li>5.7.1. Physical Access Issues and Exposures </li></ul><ul><ul><li>Physical access exposures </li></ul></ul><ul><ul><ul><li>Unauthorized entry </li></ul></ul></ul><ul><ul><ul><li>Damage, vandalism or theft to equipment or documents </li></ul></ul></ul><ul><ul><ul><li>Copying or viewing of sensitive ore copyrighted information </li></ul></ul></ul><ul><ul><ul><li>Alteration of sensitive equipment and information </li></ul></ul></ul><ul><ul><ul><li>Public disclosure of sensitive information </li></ul></ul></ul><ul><ul><ul><li>Abuse of data processing resources </li></ul></ul></ul><ul><ul><ul><li>Blackmail </li></ul></ul></ul><ul><ul><ul><li>Embezzlement </li></ul></ul></ul>5.7. Physical Access Exposures and Controls
  112. 112. <ul><li>5.7.1. Physical Access Issues and Exposures </li></ul><ul><ul><li>Possible perpetrators </li></ul></ul><ul><ul><ul><li>Disgruntled </li></ul></ul></ul><ul><ul><ul><li>On strike </li></ul></ul></ul><ul><ul><ul><li>Threatened by disciplinary action or dismissal </li></ul></ul></ul><ul><ul><ul><li>Addicted to a substance or gambling </li></ul></ul></ul><ul><ul><ul><li>Experiencing financial or emotional problems </li></ul></ul></ul><ul><ul><ul><li>Notified of their termination </li></ul></ul></ul>5.7. Physical Access Exposures and Controls
  113. 113. <ul><li>5.7.2. Physical Access Controls </li></ul><ul><ul><li>Bolting door locks </li></ul></ul><ul><ul><li>Combination door locks (cipher locks) </li></ul></ul><ul><ul><li>Electronic door locks </li></ul></ul><ul><ul><li>Biometric door locks </li></ul></ul><ul><ul><li>Manual logging </li></ul></ul><ul><ul><li>Electronic logging </li></ul></ul>5.7. Physical Access Exposures and Controls
  114. 114. <ul><li>5.7.2. Physical Access Controls (continued) </li></ul><ul><ul><li>Identification badges (photo IDs) </li></ul></ul><ul><ul><li>Video cameras </li></ul></ul><ul><ul><li>Security guards </li></ul></ul><ul><ul><li>Controlled visitor access </li></ul></ul><ul><ul><li>Bonded personnel </li></ul></ul><ul><ul><li>Deadman doors </li></ul></ul>5.7. Physical Access Exposures and Controls
  115. 115. <ul><li>5.7.2. Physical Access Controls (continued) </li></ul><ul><ul><li>Not advertising the location of sensitive facilities </li></ul></ul><ul><ul><li>Computer workstation locks </li></ul></ul><ul><ul><li>Controlled single entry point </li></ul></ul><ul><ul><li>Alarm system </li></ul></ul><ul><ul><li>Secured report/document distribution cart </li></ul></ul>5.7. Physical Access Exposures and Controls
  116. 116. <ul><li>5.7.3. Auditing Physical Access </li></ul><ul><ul><li>Touring the information processing facility (IPF) </li></ul></ul><ul><ul><li>Testing of physical safeguards </li></ul></ul>5.7. Physical Access Exposures and Controls
  117. 117. 5.8. Mobile Computing
  118. 118. 5.9. Case Study
  119. 119. <ul><li>CASE STUDY SCENARIO </li></ul><ul><li>Management is currently considering ways in which to enhance the physical security and protection of its data center. The IS auditor has been asked to assist in this process by evaluating the current environment and making recommendations for improvement. The data center consists of 15,000 square feet (1,395 square meters) of raised flooring on the ground floor of the corporate headquarters building. </li></ul>Chapter 5 CASE STUDY
  120. 120. <ul><li>CASE STUDY SCENARIO (Cond…) </li></ul><ul><li>A total of 22 operations personnel require regular access. Currently, access to the data center is obtained using a proximity card, which is assigned to each authorized individual. There are three entrances to the data center, each of which utilizes a card reader and has a camera monitoring the entrance. These cameras feed their signals to a monitor at the building reception desk, which cycles through these images along with views from other cameras inside and outside the building. </li></ul>Chapter 5 CASE STUDY
  121. 121. <ul><li>CASE STUDY SCENARIO (Cont…) </li></ul><ul><li>Two of the doors to the data center also have key locks that bypass the electronic system so that a proximity card is not required for entry. Use of proximity cards is written to an electronic log. This log is retained for 45 days. During the review, the IS auditor noted that 64 proximity cards are currently active and issued to various personnel. The data center has no exterior windows, although one wall is glass and overlooks the entry foyer and reception area for the building. </li></ul>Chapter 5 CASE STUDY
  122. 122. 5.10. Practice Questions
  123. 123. <ul><li>CASE STUDY QUESTIONS </li></ul><ul><li>1. Which of the following risks would be mitigated by supplementing the proximity card system with a biometric scanner to provide two-factor authentication? </li></ul><ul><li>A. Piggybacking or tailgating </li></ul><ul><li>B. Sharing access cards </li></ul><ul><li>C. Failure to log access </li></ul><ul><li>D. Copying of keys </li></ul>Chapter 5 CASE STUDY
  124. 124. <ul><li>CASE STUDY QUESTIONS </li></ul><ul><li>2. Which of the following access mechanisms would present the greatest difficulty in terms of user acceptance? </li></ul><ul><li>A. Hand geometry recognition </li></ul><ul><li>B. Fingerprints </li></ul><ul><li>C. Retina scanning </li></ul><ul><li>D. Voice recognition </li></ul>Chapter 5 CASE STUDY
  125. 125. 5.11. Answers to Practice Questions
  126. 126. 5.12. Suggested Resources for Reference
  127. 127. <ul><li>Group Discussion </li></ul>Chapter 5 Recap
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×