Module - 5: Protection of Information Assets

The document discusses protection of information assets. It covers topics like risk response and definition of controls, information security objectives, threat modeling tools, cyber attacks, information systems controls, risk and control ownership, and the role of information system auditors in risk management. The learning objectives are to understand how to define controls to protect information assets based on risk response and information classification, and the essentials of information security management, physical/environmental security, logical access controls, and network security processes.

Uploaded by Raghu Vamsi

Digital Accounting and Assurance Board
The Institute of Chartered Accountants of India (Set up by an Act of Parliament)
ISA 3.0

Module - 5

Protection of Information Assets

1
Learning Objectives
• Risk response and definition of controls for protection of information assets
• Essentials of information security management like objectives, processes, policies, procedures, and compliance
• Information asset protection based on information classification
• Essentials of physical and environmental security
• Logical access controls
• Network and related security processes
• Audit guidelines for information protection controls

2
Chapter 1
Introduction to Protection of
Information

3
Risk Response

Information security objectives

Threat Modeling Tools
• OWASP – Open Web Application Security Project (Application Threat Modeling)
• DREAD – Risk Assessment Model
• STRIDE – Threat Modeling

4
Threat Modeling Tools (Contd…)
DREAD – Risk Assessment Model
• Damage – how bad would an attack be?
• Reproducibility – how easy is it to reproduce the attack?
• Exploitability – how much work is it to launch the attack?
• Affected users – how many people will be impacted?
• Discoverability – how easy is it to discover the threat?

STRIDE – Threat Modeling
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

5
Cyber/ Computer Attacks
• Backdoor
• Blue Jacking
• Buffer Overflow
• Cyber Stalking
• Cyber Terrorism
• Cyber warfare
• Data Diddling
• Denial of Service
• DNS Spoofing
• Email Spoofing
• Identity Theft
• Keystroke Logger

6
Cyber/ Computer Attacks (Contd…)
• Logic Bomb
• Piggybacking
• Salami Theft
• Sensitive Data Exposure
• Injection
• Trojan
• Virus
o Compiled Viruses
o Interpreted Viruses
• Worms
o Network Service Worms
o Mass mailing Worms
• Website Defacement

7
Information systems controls
• Need for IS Controls
• Objectives of Controls
• Internal Controls
• Types of Controls
o Preventive Controls
o Detective Controls
o Corrective Controls
• Control rating - Very high, High, Moderate, Low, and Negligible

8
Risk and Control Ownership

Periodic Review and Monitoring of Risk and Control
• Control Assessment
• Control Self-Assessment

9
Role of IS Auditor in Information Risk Management

IS Auditor should:
• To give assurance on risk management process
• To give assurance that the risks are being evaluated correctly
• Evaluate Risk Management process
• Review the management of key risks.

IS Auditor should not:
• Setting the risk appetite
• Imposing risk management process
• Taking decision on risk responses
• To implement risk response on management’s behalf.

10
Summary

• Information Security is a paramount risk management concern.
• Investments are prioritized based on the amount of risk a given activity entails relative to the potential business reward, and in keeping with the organization’s appetite for risk.
• Once enterprise information has been located and a risk assessment performed, next step is to implement controls — including policies, technologies, and tools — to mitigate that risk.

11
Practice Questions

12
1. Which of the following shall BEST help in deciding upon the protection level for an information asset?
A. Location of asset.
B. Impact of risk.
C. Vulnerabilities in asset.
D. Inventory of threats

B is the correct answer.
The other options, i.e. location of the asset and existing vulnerabilities in the asset, are covered during risk assessment. An inventory of threats alone will not help; the impact due to each threat must be assessed.

13
2. Which of the following is a risk response option?
A. Determine likelihood of threat
B. Determine probability of risk
C. Deciding amount of insurance cover
D. Prepare risk profile report

C is the correct answer.
Of the four main risk response options (accept, avoid, mitigate and transfer), taking insurance cover is the risk transfer option.

14
3. After a tsunami, a business decides to shift the location of its data centre from a coastal area to inland. Which type of risk response option has it exercised?
A. Accept
B. Avoid
C. Mitigate
D. Transfer

B is the correct answer.
By shifting location, the business has avoided the risk associated with a tsunami.

15
4. An organization's capacity to sustain loss due to uncertainty, expressed in monetary terms, is best known as:
A. Risk appetite
B. Risk tolerance
C. Risk acceptance
D. Risk mitigation

A is the correct answer.
This is the definition of risk appetite. Risk tolerance is the capacity to tolerate downtime due to risk materialization. Risk acceptance and risk mitigation are risk response decisions based on risk appetite.

16
5. The main use of maintaining and updating a risk register is to:
A. Define controls
B. Identify risk owner
C. Build risk profile
D. Maintain evidence

C is the correct answer.
The main use of a risk register is to develop the risk profile of the organization for management’s review and to enable risk-informed decisions.

17
6. Of the following, who is accountable for deciding and implementing controls based on the risk mitigation plan?
A. Chief risk officer
B. Risk owner
C. IT operations manager
D. Board of directors

B is the correct answer.
The risk owner is primarily accountable for deciding on the nature of controls and implementing them. Generally the risk owner is the process owner. The chief risk officer guides the risk owner; the IT head is responsible for responding to risks owned by the IT head. Although the board of directors is ultimately accountable, for a specific risk the risk owner is responsible.

18
7. Which of the following is a risk factor that may have an impact on the organization?
A. Management decides to acquire new application
software.
B. A new application required by organization is released.
C. Vendor decides to stop supporting existing application.
D. Organization retires old application that is not in use.

C is the correct answer.
A vendor deciding to stop supporting existing software changes the market situation in a way that will affect the organization, since it has to take a decision on replacing the application. Release of a new application, though it changes the market, may not affect the organization immediately, as the organization may not need to take action. Options A and D are internal decisions and will be taken after risk assessment, and hence these are not risk factors.

19
8. While auditing the risk monitoring process, which of the following should the IS auditor review FIRST?
A. Risk assessment process
B. Risk management framework
C. Alignment with business risks
D. Annual review of risk register

D is the correct answer.
Risk monitoring refers to the review of identified and assessed risks based on changes and incidents, and periodically. The other options are part of the risk management framework.

20
9. The quantum of risk remaining after the enterprise has implemented controls based on the risk mitigation plan is:
A. Accepted risk
B. Residual risk
C. Inherent risk
D. Current risk

B is the correct answer.
Accepted risk, where controls are not implemented, is part of residual risk. Inherent risk is the total risk before implementing controls. Current risk is the residual risk at a point in time during control implementation.

21
10. Which of the following shall best help in aligning IT
risk with enterprise risk?
A. Presenting IT risk results in business terms.
B. Conducting business impact analysis.
C. Making Chief risk officer accountable.
D. Align IT strategy with business strategy.

A is the correct answer.
Expressing IT risk in business terms, i.e. as impact on the business, will help the business in understanding the relevance of IT risks. Business impact analysis may be useful; however, it may or may not help depending upon the scope of the project. Making the chief risk officer accountable may help, but the best option is A. Aligning IT strategy with business strategy shall help in defining a better IT plan, but it is at a higher level.

22
Chapter 2
Administrative Controls of
Information Assets

23
Information Security management
Senior management commitment and support
• Policies and procedures,
• Organization structure and roles and
responsibilities,
• Security awareness and education,
• Monitoring,
• Compliance,
• Incident handling and response.
• Continual improvement

24
Critical Success Factors to Information Security Management
• Alignment with business objectives
• Organizational culture
• Establish and enforce an information security program
• Adoption of standard
• Spend resources wisely and transparently

25
Information Security Organization
• Segregation of Duties
• The ‘Four Eyes’ (Two-Person) Principle
• Rotation of Duties
• Key Man Policy

26
Information Security Policies, Procedures, Standards and Guidelines

Components of Information Security Policies
• Statement
• Scope
• Objective
• Ownership
• Roles and Responsibility
• Business requirement of Information security
• Policy Exceptions
• Compliance
• Periodic review

27
Other Common Security Policies
• Data classification and Privacy Policies
• Acceptable Use of Information Assets Policy
• Physical Access and Security Policy
• Asset Management Policy
• Network Security Policy
• Password Policy

Controls over Policy

Exceptions to the Policy

28
Information Classification
• Benefits from Information Classification
• Information Classification Policy
• Classification Schema
o Company Confidential Data – Confidential customer business data
o Client Confidential Data – Product information developed for client
o Sensitive – Company developed software code
o Unclassified/Public – Information available in public domain

29
29
The Concept of Responsibility in Information
Security
• Ownership
• Custodianship
• Controlling
• Human Resources Security
o Job descriptions and screening,
o User awareness and training,
o A disciplinary process, and
o An exit process

30
Training and Education
• Mandatory security awareness
• Training for third parties
• Training is required before access is granted
• Acknowledge policy
• Training at least annually
• Cyber security training

31
Implementation of Information Security
Policies
• Increasing Awareness
• Communicating Effectively
• Simplify Enforcement
o Creating a manageable number of policies
o Making policies understandable for target audiences
o Making it easy to comply
o Integrating security with business processes
o Aligning policies with job requirements

32
Integrating Security with the Corporate
Culture
• Making employees a partner in the security
challenge
• Making security policy part of a larger compliance
initiative
• Tying security policies to company's code of
business conduct

Issues and Challenges of Information Security Management
• Organization’s strategic drivers
• Regulatory requirements
• Information security as an afterthought
• Lack of integration in system design and security design

33
Summary

• Information security management has become more important over the years due to increased use of information systems for conducting business.
• Information security management is a business issue and it needs to be properly integrated into the organization’s overall business goals and objectives.
• The objectives of information security are to provide confidentiality, integrity and availability to data and resources.

34
Practice Questions

35
1. The Primary objective of implementing Information
security management is to:
A. Ensure reasonable security practices
B. Comply with internal audit requirements
C. Adopt globally recognized standards
D. Protect information assets

A is the correct answer.


The primary objective of information security management
is to provide adequate level of protection to information
security assets.

36
2. Which of the following is primary function of
information security policies?
A. Align information security practices with strategy
B. Communicate intent of management to stakeholders
C. Perform risk assessment of IT operations and assets
D. Ensure compliance with requirements of standards

B is the correct answer.
Policies are the vehicle to communicate management’s intent to all stakeholders. Information security practices are aligned with business objectives and not with the strategy. Information security policies are defined as an outcome of risk assessment. Compliance with a standard is not the primary function of policies.

37
3. Information security policies are a set of various policies addressing different information systems areas based on the IT infrastructure of the organization. Which of the following policies is most common in all organizations?
A. Acceptable use policy
B. BYOD (Bring Your Own Device) policy
C. Data encryption policy
D. Biometric security policy

C is the correct answer.


An acceptable use policy, which addresses the use of information assets by users, is most common in all organizations that depend upon IT. The policies in the other options depend upon the organization’s use of BYOD, encryption or biometrics.

38
4. Protecting integrity of data primarily focuses on:
A. Intentional leakage of data
B. Accidental loss of data
C. Accuracy and completeness
D. Data backup procedures

C is the correct answer.


Integrity primarily refers to reliability that is achieved by
implementing controls to ensure accuracy and
completeness of data.

39
5. Which of the following is primary reason for
periodic review of security policy?
A. Compliance requirements
B. Changes on board of directors’
C. Changes in environment
D. Joining of new employees

C is the correct answer.


Changes in environment introduce new risks. In order to
address them it is necessary to review the information
security policy based on assessment of new risks. Other
options are secondary reasons.

40
6. Which of the following is the best evidence indicating support and commitment of senior management for information security initiatives?
A. Directive for adopting global security standard
B. Higher percentage of budget for security projects
C. Assigning responsibilities for security to IT head
D. Information security is on monthly meeting agenda

D is the correct answer.
Without senior management’s support, information security cannot succeed. There are many activities in which senior management is involved in an effective information security initiative; reviewing the progress of information security in the monthly meeting is one of them. The other options may or may not indicate support unless there is more evidence to conclude.

41
7. Which of the following is a concern for compliance
with information security policy?
A. Decrease in low risk findings in audit report
B. High number of approved and open policy exceptions
C. Security policy is reviewed once in two years
D. Security policy is signed by Chief Information Officer

B is the correct answer.


Policy exceptions are temporary and must be reviewed and
closed as per defined plan. Increased number of exceptions
indicates that the policy provisions may not be appropriate
and hence need to be reviewed. Other options are not
concerns.

42
8. Which of the following is Primary purpose of
Information classification?
A. Comply with regulatory requirement
B. Assign owner to information asset
C. Provide appropriate level of protection
D. Reduce costs of data protection

C is the correct answer.


Primary purpose of information classification is to
provide appropriate level of protection to information
assets. Options A, B and D are the secondary with respect
to information classification.

43
9. Classification of information is primarily based on:
A. Where the information is stored?
B. Who has access to information?
C. What will happen if information is not available?
D. Why attachments to mail are encrypted?

C is the correct answer.


It helps in assessing the risks associated and determine
the protection level i.e. class of information. A, B and C
are determined based on classification.

44
10. Which of the following best helps in classifying the
information within organizations?
A. Using minimum classes in classification schema
B. Conducting training on classification schema
C. Labeling all information based on classification schema
D. Determining storage based on classification schema

B is the correct answer.
Training users on how to classify information as per the definitions provided in the classification schema shall best help users in classifying information. Option A: the number of classes shall depend upon the organization’s objectives. Options C and D are performed after classification of information.

45
Chapter 3
Physical and Environmental
controls

46
Objectives of Physical Access Controls
• Primary computer facilities
• Cooling system facilities
• Microcomputers
• Telecommunication equipment and lines

Physical Security Threats and Exposures
Sources of Physical Security Threats
Physical Access Exposures to Assets - Unintentional or accidental, deliberate

47
Physical Security Control Techniques
Choosing and Designing a Secure Site
• Local considerations
• External services
• Visibility
• Windows
• Doors

Security Management

Emergency Procedures

Human Resource Controls

48
Perimeter Security
• Guards
• Dogs
• Compound walls and perimeter fencing
• Lighting
• Dead man doors
• Bolting door locks
• Combination or cipher locks
• Electronic door locks
• Biometric locks
• Perimeter intrusion detectors
o Photo electronic sensors
o Dry Contact switches
• Video cameras
• Identity badge
49
Perimeter Security
• Manual logging
• Electronic logging
• Controlled single point of access
• Bonded personnel
• Wireless proximity readers
• Alarm system/Motion detectors
• Secured distribution carts
• Cable locks
• Port controls
• Switch controls
• Peripheral switch controls
• Biometric Mouse
• Laptop security

Smart Cards
50
Auditing Physical Access Controls
• Risk assessment
• Controls assessment
• Review of documentation
• Testing of controls

51
Environmental Controls
Objectives of Environmental Controls
• Hardware and Media
• Information Systems Supporting
Infrastructure or Facilities
• Documentation
• Supplies
• People

52
Environmental Threats and Exposures
• Natural Threats and Exposure
• Man-made Threats exposure

Techniques of Environmental Controls

Choosing and Designing a Safe Site
• Natural disasters, windows, doors

53
Facilities Planning
• Walls
• Ceiling
• Floors
• Fire-resistance walls, floors and ceilings
• Concealed protective wiring
• Media protection

54
• Emergency Plan

• Maintenance Plans - MTBF and MTTR

• Ventilation and Air Conditioning

• Power Supplies
o UPS/ Generator
o Electrical surge protectors/Line conditioners
o Power leads from two sub-stations

55
Fire Detection and Suppression System
• Smoke and Fire Detectors
• Fire Alarms
• Emergency Power Off
• Water Detectors
• Fire Suppression Systems
• Water Based Systems
o Wet pipe sprinklers
o Dry-pipe sprinklers
o Pre-action
• Gas Based Systems
o Carbon dioxide
o FM200

56
Auditing Environmental Controls
• Walkthrough of the information processing facility
• Visual examination of controls
• Examination of safety controls
• Verification of documentation
• Examination of power sources
• Examination of environmental control equipment
• Verification of logs of activities
• Observation of undesired activities

57
Summary

• The first step in providing a secured physical environment for the information system assets is listing the various assets in the computing environment and identifying the various threats and vulnerabilities the assets are exposed to.
• The main source of threats is outside people and the employees of the organization.
• However, the information assets are exposed to various other sources of threats like natural damage due to environmental factors like flood, earthquake, fire and rain etc.

58
Practice Questions

59
1. Which of the following is the first action when a fire detection system raises the alarm?
A. Turn off the air conditioner
B. Determine type of fire
C. Evacuate the facility
D. Turn off power supply

C is the correct answer.
Life safety takes precedence. Although the other answers are important steps, human life is always the priority.

60
2. Which of the following is the most important control for an unmanned data center?
A. Access control for entry and exit for all doors
B. The humidity levels need not be maintained
C. The temperature must be at sub-zero level
D. Halon gas based fire suppression system

A is the correct answer.
An unmanned data center requires strong physical access controls and environmental controls too. However, the most essential are strong access controls. B, C and D are inappropriate controls. Halon is an environmentally hazardous gas.

61
3. Primary purpose of access controlled deadman door,
turnstile, mantrap is to:
A. Prevent unauthorized entry
B. Detect perpetrators
C. Meet compliance requirement
D. Reduce cost of guard

A is the correct answer.


Primary purpose of all types of physical access control is
to prevent unauthorized entry. Other objectives are
secondary.

62
4. Which of the following is the main reason for
appointing human guards at main entrance of
facilities?
A. Address visitors’ requirements to visit
B. Issue the access cards to visitors
C. Cost of automation exceeds security budget
D. Deter the unauthorized persons

A is the correct answer.


Human guard makes decisions and can address visitor’s
requirement and direct them appropriately. Others are
supplementary functions.

63
5. Which of the following is major concern associated
with biometric physical access control?
A. High acceptability
B. High false positives
C. High false negatives
D. High cost

B is the correct answer.
False positives are a concern in biometric access security as they result in unauthorized access. The other options do not result in unauthorized access.

64
6. Which of the following evidence is best to provide
assurance on automated environmental controls?
A. Annual maintenance contract with vendor
B. Simulation testing of devices during audit
C. Device implementation report by vendor
D. Documented results of periodic testing

D is the correct answer.
Automated environmental controls must be tested periodically by an expert, who provides a report on the effective performance of the equipment. Simulated tests may not be possible for all controls. An AMC is a contract; periodic testing is the performance of that contract.

65
7. What are the problems that may be caused by
humidity in an area with electrical devices?
A. High humidity causes excess electricity, and low
humidity causes corrosion
B. High humidity causes power fluctuations, and low
humidity causes static electricity
C. High humidity causes corrosion, and low humidity
causes static electricity
D. High humidity causes corrosion, and low humidity
causes power fluctuations.

C is the correct answer.


High humidity can cause corrosion, and low humidity can
cause excessive static electricity. Static electricity can
short out devices or cause loss of information.

66
8. Automated access controls open doors based on access cards, PINs and/or biometric devices and are powered by electricity. Which of the following is the best policy in case of power failure?
A. Keep the door in locked state
B. Open door and appoint guard
C. Find root cause of power failure
D. Arrange for battery backup

B is the correct answer.
The best policy is to keep the door open and appoint a guard temporarily to monitor access. Keeping doors locked would be a problem for evacuation in case of an emergency. Finding the root cause can be done independently. Arranging battery backup after a power failure is not the right policy.

67
9. While selecting a site for a data center, which of the following sites is best?
A. On topmost floor to delay the unauthorized visitor to
reach
B. In the basement not easily accessible to perpetrator
C. On ground floor so that users can access it easily
D. On middle floor to strike the balance for above concerns

D is the correct answer.
The top floor and the basement have a risk of seepage and flooding. The ground floor has a risk of easy attack.

68
10. Which of the following is main reason for not
allowing mobile devices into data center?
A. Unauthorized changes and access in configuration
B. Prevent photography of data center layout
C. User can provide information to attacker on phone
D. Mobile devices generate wireless communication

A is the correct answer.


Mobile devices can be connected to servers, resulting in
unauthorized changes. Other concerns are secondary.

69
Chapter 4
Logical Access Controls

70
Objectives of Logical Access Controls

Paths of Logical Access

71
Logical Access Attacks and Exposures
• Masquerading
• Piggybacking
• Wiretapping
• Denial of service
• Social Engineering
• Phishing
• Vishing
• Key Logger
• Malware

72
Access Control Mechanism – IAA

Identification techniques
• Something the user knows (e.g., a password),
• Something the user has (e.g., a token or smart card), and
• Something the user is (a physical / biometric comparison)

Authentication Techniques

73
Attacks on Logon/Password Systems
• Brute force
• Dictionary attack
• Trojan
• Spoofing attacks
• Piggybacking

Token Based Authentication

Biometric Authentication

74
Authorization Techniques: Operating Systems
• Pluggable Authentication Modules
• File Permissions
• Access Control Lists (ACL)

75
Logical Access Control Techniques
• User management
• User responsibilities
• Network access controls
• Application access controls
• Database access controls
• Operating system access controls

76
Identity Management and Access Controls
• Privileged Logons

Single Sign-On (SSO)
• Active Directory
• Kerberos
• Weakness of Single sign-on

Access Controls in Operating Systems
• MAC, DAC and RBAC

Audit Trail

77
Auditing Logical Access Controls
• Understanding of an organization’s information
security framework
• Selection and implementation of appropriate access
controls
• Top management’s commitment
• Management controls
• Explicit access permission to information or systems
• Periodic review / audit of access permission

78
Summary

• It is best to adopt a least privilege policy on the basis of “need to know, need to do”.
• Auditor should know that access control defines how users should be identified, authenticated, and authorized.
• This is generally addressed in information security policies and procedures, hence the starting point of audit of logical access controls should be to understand the policies and procedures and ensure that these are implemented uniformly across the organization.

79
Practice Questions

80
1. Which of the following pairs of authentication methods can be considered two-factor?
A. Password and passphrase
B. Passphrase and PIN
C. Token and access card
D. Access card and PIN

D is the correct answer.
The three factors are what a user knows (PIN, password, passphrase), what the user possesses (access card, token) and what unique characteristics the user has (biometrics). Use of any two factors for authentication is called two-factor authentication. Options A, B and C use only one factor.

81
2. Which of the following is the primary requirement for granting a user access to an information asset?
A. Identification
B. Authorization
C. Authentication
D. Need to know

A is the correct answer.
Identification of the user is the first and primary requirement for granting access. Next, the authentication method is established, and finally the authorization levels are determined based on role, which also addresses need to know.

82
3. Mandatory access controls are those controls that
are:
A. Based on global standards
B. Defined by security policy
C. Part of compliance requirements
D. Granted by asset owner

B is the correct answer.
Mandatory access controls are those that are applied uniformly across the organization and are defined by the information security policy. Option D describes discretionary access controls. B and C generally do not specify such requirements.

83
4. Which of the following is a major concern associated
with Single-Sign-on?
A. Multiple passwords are noted
B. User may select easy password
C. It is a single point of failure
D. High maintenance cost

C is the correct answer.
Single point of failure is a major concern: if the one password is compromised, all accesses for that user are available to the perpetrator.

84
5. Which of the following non-compliance with
information security policy is most difficult to
detect or get evidence for?
A. Use of removable media
B. Password sharing by user
C. Access to banned web sites
D. Passing information over phone

B is the correct answer.
Password sharing by a user is the most difficult to detect or get evidence for. The others can be monitored or enforced using technology.

85
6. Which of the following processes in user access management is most essential to detect errors and omissions resulting in unauthorized or excess access for users?
A. Identification
B. Authentication
C. Authorization
D. Review

D is the correct answer.
Periodic user access review helps in ensuring that all users have the appropriate level of access. Excess access arises from changes in the internal environment such as changes of role, emergency situations, resignation and retirement of employees. In such situations revocation of access is sometimes missed, which can be corrected during review.
86
7. While auditing compliance with the password policy, the IS auditor observed that the configuration of password parameters in the system is as per the information security policy. Which of the following should the auditor verify?
A. Review enforcement for sample users
B. Verify all assets have same configuration
C. Review log for password configuration
D. Interview users on policy enforcement

C is the correct answer.
Review of the log for password configuration may disclose compliance with the policy, because the policy is configured in the system through the password configuration. This may also detect unwarranted changes made by a malicious user (who obtains administrative access) to the password configuration. However, options A and D may provide assurance for compliance of password policy configurations in the system,

87
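A worked version of the check this answer describes, added here as an example (it is not part of the ISA module): the live password parameters are compared with the policy, and the configuration-change log is then reviewed for changes by accounts outside the authorised set or changes that weakened a parameter, which is what catches a parameter that was lowered and later restored. The parameter names, policy values, log format and account names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Policy requirements (constructed values for this example). A "min_" key is
# met when the configured value is at least the policy value, a "max_" key
# when it is at most the policy value.
POLICY = {
    "min_length": 12,
    "max_age_days": 90,
    "min_history": 10,
    "max_failed_attempts": 5,
    "min_lockout_minutes": 30,
}

# Accounts permitted to change password parameters (constructed).
AUTHORISED_ADMINS = {"secadmin"}


def parameter_finding(key: str, actual: int | None) -> str | None:
    """Return a finding if one parameter is missing or weaker than policy."""
    required = POLICY.get(key)
    if required is None:
        return None  # parameter not governed by the policy
    if actual is None:
        return f"{key}: not configured (policy requires {required})"
    if key.startswith("min_") and actual < required:
        return f"{key}: configured {actual}, policy requires at least {required}"
    if key.startswith("max_") and actual > required:
        return f"{key}: configured {actual}, policy requires at most {required}"
    return None


def check_configuration(config: dict) -> list[str]:
    """Compare the live configuration with every policy parameter."""
    findings = []
    for key in POLICY:
        finding = parameter_finding(key, config.get(key))
        if finding:
            findings.append(finding)
    return findings


@dataclass
class ConfigChange:
    timestamp: str
    user: str
    parameter: str
    old: int
    new: int


def parse_change_log(lines) -> list[ConfigChange]:
    """Parse constructed log lines of the form
    '<timestamp> <user> pwpolicy.set <parameter> <old>-><new>'.
    Other events are ignored."""
    changes = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "pwpolicy.set":
            continue
        old, new = parts[4].split("->")
        changes.append(ConfigChange(parts[0], parts[1], parts[3], int(old), int(new)))
    return changes


def review_change_log(changes) -> list[str]:
    """Flag changes made by accounts outside the authorised set and changes
    that set a parameter weaker than policy. A parameter that was weakened
    and later restored is caught here although the current configuration
    looks compliant, which is why the log review is needed."""
    findings = []
    for c in changes:
        if c.user not in AUTHORISED_ADMINS:
            findings.append(f"{c.timestamp}: {c.parameter} changed by unauthorised account {c.user}")
        if parameter_finding(c.parameter, c.new):
            findings.append(f"{c.timestamp}: {c.user} weakened {c.parameter} ({c.old}->{c.new})")
    return findings


# Constructed sample data: the live configuration is compliant, but the log
# shows a service account lowering the minimum length overnight and
# restoring it before the audit.
CURRENT_CONFIG = dict(POLICY)

LOG_LINES = [
    "2024-03-01T10:15:00Z secadmin pwpolicy.set min_length 10->12",
    "2024-03-02T08:00:00Z secadmin login.success",
    "2024-03-05T23:41:00Z svc_backup pwpolicy.set min_length 12->6",
    "2024-03-06T02:10:00Z svc_backup pwpolicy.set min_length 6->12",
]


def audit(config: dict, log_lines) -> dict:
    """Run both checks; the auditor reports both lists."""
    return {
        "configuration": check_configuration(config),
        "change_log": review_change_log(parse_change_log(log_lines)),
    }
```

Running `audit(CURRENT_CONFIG, LOG_LINES)` reports no configuration findings but three change-log findings, which is exactly the case where inspecting only the current configuration would miss the incident.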
8. One-time passwords are considered strong because they are:
A. Active for short period
B. Communicated on mobile
C. Unique for each user
D. Unique for session

A is the correct answer.
The strength of a one-time password is that it is active for a short time; if the user does not log in during that time, the one-time password expires. A one-time password is unique for each session and user; however, that is not its strength. It can be communicated by any suitable means.
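An added example (not from the original module) of the property this answer describes: a small OTP service that binds each code to one user and session, rejects it once the validity window has elapsed, and accepts it at most once. The 120-second window, six-digit format, in-memory store and injectable clock are assumptions made for the example; delivery of the code is out of scope.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120  # assumed validity window
OTP_DIGITS = 6         # assumed code length


class OtpService:
    """Issues and validates short-lived, single-use codes."""

    def __init__(self, ttl_seconds=OTP_TTL_SECONDS, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock   # injectable so the expiry can be tested deterministically
        self._issued = {}    # (user, session) -> {"code", "expires", "used"}

    def issue(self, user: str, session: str) -> str:
        """Issue a fresh random code bound to this user and session.
        Re-issuing replaces any earlier code for the same session."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._issued[(user, session)] = {
            "code": code,
            "expires": self.clock() + self.ttl,
            "used": False,
        }
        return code

    def validate(self, user: str, session: str, code: str) -> str:
        """Return 'ok', or the reason for rejection. An expired record is
        dropped and a used record is kept marked, so a code is never
        accepted twice and never accepted outside its window."""
        rec = self._issued.get((user, session))
        if rec is None:
            return "unknown"      # no code issued for this user/session
        if self.clock() > rec["expires"]:
            del self._issued[(user, session)]
            return "expired"      # the property the answer relies on
        if rec["used"]:
            return "reused"
        # constant-time comparison so response timing does not leak the code
        if not hmac.compare_digest(rec["code"], code):
            return "wrong"
        rec["used"] = True
        return "ok"
```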

88
9. Which of the following attacks to break a user's password is difficult to control?
A. Brute Force
B. Dictionary attack
C. Spoofing
D. Social engineering

D is the correct answer.
In social engineering attacks, the weakest link is the
unsuspecting human user. The attacker uses techniques to
induce users to reveal passwords and other confidential
information, as in phishing. The other options are
technology-based attacks and can be detected or
controlled.

89
10. Which of the following is a primary objective of
implementing logical access controls?
A. Identify users on the system
B. Fixing accountability of actions
C. Authorize users based on role
D. Compliance with policy

C is the correct answer.
The primary objective of implementing access controls is to
restrict access to authorized people. Fixing accountability
for actions is the primary objective of an audit trail. The
others are means of implementing access controls, not
objectives.

90
Chapter 5
Network Security Controls

91
Objective of Network Security Controls
• Confidentiality, Integrity and Availability

Network Threats and Vulnerabilities
• Information Gathering
• Communication Subsystem Vulnerabilities
• Protocol Flaws
• Impersonation
• Message Confidentiality Threats
• Message Integrity Threats
• Web Site Defacement
• Denial of Service

Threats from Cookies, Scripts and Active or Mobile Code
92
Current Trends in Attacks

Exploiting Application Vulnerabilities
• Injection
• Broken authentication
• Sensitive data exposure
• XML external entities (XXE)
• Broken access control
• Security misconfiguration
• Cross-site scripting (XSS)
• Insecure deserialization
• Using components with known vulnerabilities
• Insufficient logging & monitoring

Advanced Persistent Threat (APT)
93
Network Architecture
• Segmenting/ zoning
• Redundancy
• Eliminate single point of failure

94
Cryptography

95
Types of Cryptography
• Secret-key cryptography or symmetric-key cryptography
• Public-key cryptography or asymmetric-key cryptography
• Hash function or message digest

96
Public Key Infrastructure (PKI)
• Components of PKI
• Digital Certificates
o Digital Signing Certificate: issued to individuals
o Digital Encryption Certificate: issued to individuals or servers
o Code Signer (software code)
• Digital Signatures
• Controller of Certifying Authorities (CCA)
• Certifying Authority (CA)
• Certificate Revocation List (CRL)
• Quantum Cryptography

97
Application of Cryptographic Systems
• Transport Layer Security
• IPSec
o Tunnel mode
o Transport mode
• SSH
• Secure/Multipurpose Internet Mail Extensions (S/MIME)

Remote Access Security
• Dial Back Procedures
• Other Controls
• Authentication Servers

98
Malicious Code
• Viruses
o Master boot record (MBR) viruses
o Stealth viruses
o Polymorphic viruses
o Macro viruses
o Logic bomb/Time bomb
• Worms
• Trojan Horse

Malware Protection Mechanisms
• Anti-virus
• Incident handling
• Training and Awareness

99
Firewalls
• Intranet
• Extranet
• Securing Firewall

Intrusion Detection Systems
• Signature-based intrusion detection systems
• Heuristic intrusion detection systems

100
Wireless Security Threats and Risk Mitigation
Threats:
• Ad-hoc networks
• Non-traditional networks
• MAC spoofing
• Man-in-the-middle attacks
• Accidental association
• Denial of service

Common Controls:
• Encryption
• Signal-hiding techniques
• Anti-virus and anti-spyware software
• Changing default passwords
• MAC address filtering
101
Endpoint Security

Voice-over IP Security Controls
• Voice-over IP
• VoIP Security
o Encryption
o Physical security
o Anti-virus and firewalls
o Segregation of voice and data segments

102
Vulnerability Assessment and Penetration Testing
• External testing
• Internal testing
• Targeted testing

Types of Penetration Testing
• Application security testing
• Denial of service (DoS) testing
• War dialing
• Wireless network penetration testing
• Social engineering

Risks Associated with Penetration Testing

Monitoring Controls – SIEM, SOC

103
Auditing Network Security Controls
• Evaluating logical network security policies and
practices
• Evaluating network event logging and monitoring
• Firewalls and filtering routers
• Intrusion detection systems
• Virtual private networks
• Security protocols
• Encryption
• Middleware controls

104
Summary

 It is most essential for organizations to protect their
networks, in order to ensure that reasonable security has
been implemented.
 Cryptography, the science and art of coding messages,
provides a method to transmit messages over open
networks like the Internet while still achieving the
objectives of confidentiality, integrity, authenticity and
non-repudiation.
 PKI offers the infrastructure to manage asymmetric keys
and a means of certifying the authenticity of the key
holder.
 Cryptographic systems provide the ability to communicate
securely over networks.
105
Practice Questions

106
1. Which of the following is a method used to gather
information about a communication network?
A. Reconnaissance
B. Brute force
C. Eavesdropping
D. Wiretapping

A is the correct answer.
The other methods are active attacks on the network carried
out after information about the network has been gathered.

107
2. A message digest helps an organization obtain
assurance on:
A. Communication delivery
B. Data availability
C. Data integrity
D. Data confidentiality

C is the correct answer.
A message digest is produced by a hash function and helps
confirm the integrity of data communicated over the network.

108
3. While auditing an organization's network, which of the
following controls must the IS auditor verify first?
A. Encrypted communication
B. Network zoning
C. Firewall configuration
D. Penetration test report

B is the correct answer.
Network segmentation or zoning is the first control to
implement for network security. The other controls depend
upon segmentation.

109
4. A cryptographic checksum is a network control that:
A. Adds a parity bit after adding the data bits.
B. Translates data in a file into a hash value.
C. Transmits the data after encryption.
D. Translates the data into a parity checksum combination.

B is the correct answer.
A checksum is a type of hash that is used to check the
integrity of data after communication. It is different from
a parity bit, which adds an extra bit for each byte or word.
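To make the difference concrete, here is an added example (not from the deck) in Python: a per-byte parity bit beside a SHA-256 cryptographic checksum, applied to a constructed message that is altered once by a single bit and once by two bits in the same byte. Parity misses the two-bit change; the cryptographic checksum catches both.

```python
import hashlib

# Constructed sample message for the example (not from the deck).
ORIGINAL = b"PAY 100 TO ACCT 42"
# '1' (0x31) changed to '7' (0x37): two bits of the same byte flip.
TAMPERED_TWO_BITS = b"PAY 700 TO ACCT 42"
# '1' (0x31) changed to '9' (0x39): a single bit flips.
TAMPERED_ONE_BIT = b"PAY 900 TO ACCT 42"


def parity_bits(data: bytes) -> list:
    """Even parity: one extra bit per byte, set when the byte has an odd
    number of 1 bits (the scheme the answer contrasts with a checksum)."""
    return [bin(b).count("1") & 1 for b in data]


def cryptographic_checksum(data: bytes) -> str:
    """Cryptographic checksum: the whole message mapped to a hash value."""
    return hashlib.sha256(data).hexdigest()


def parity_detects_change(original: bytes, received: bytes) -> bool:
    """True if the per-byte parity bits of the two messages differ."""
    return parity_bits(original) != parity_bits(received)


def checksum_detects_change(original: bytes, received: bytes) -> bool:
    """True if the cryptographic checksums of the two messages differ."""
    return cryptographic_checksum(original) != cryptographic_checksum(received)


if __name__ == "__main__":
    for label, received in (("one-bit change", TAMPERED_ONE_BIT),
                            ("two-bit change", TAMPERED_TWO_BITS)):
        print(label, "parity:", parity_detects_change(ORIGINAL, received),
              "checksum:", checksum_detects_change(ORIGINAL, received))
```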

110
5. The primary function of a Security Operations Center
(SOC) is to:
A. Define baseline
B. Configure firewall
C. Monitor logs
D. Implement Antivirus

C is the correct answer.
The primary function of a SOC is to collect and monitor logs
based on identified rules. It also defines correlations
between various logs and identifies possible incidents,
which are communicated to the respective asset owners. A is
the role of the security manager; B and D are roles of the
network team.

111
6. Intrusion detection monitoring on a host for data
integrity attacks by malicious software is a:
A. Technical control
B. Corrective control
C. Detective Control
D. Preventive Control

C is the correct answer.
Intrusion detection detects a possible intrusion attempt;
it does not prevent or correct it. It is a control
implemented using technology.

112
7. Which of the following is most important while
performing penetration testing?
A. Maintain secrecy about testing
B. Get consent from affected stakeholders
C. Report to be provided to all users
D. Perform test after office hours

B is the correct answer.
It is most essential to get consent from the affected asset
owners before performing the test, so that they can ensure
that operations are not affected. Whether secrecy is
maintained depends upon the type of test. The report must be
kept confidential and accessed only by a select few. The
test is generally performed when it will have the least
impact, but this is not the most important consideration.
113
8. Most web-based application attacks can be prevented
by:
A. Input validation
B. Encryption
C. Penetration test
D. Access controls

A is the correct answer.
Most web application attacks, such as SQL injection, can be
prevented by validating input, which rejects attacker input
that could exploit a vulnerability. Encryption may or may
not prevent an attack. A penetration test provides input on
vulnerabilities that must be closed. Access controls may
prevent some attacks.
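As an added example (not from the deck), the Python below shows the SQL injection case the answer refers to: a lookup that pastes untrusted input into the query text, beside a hardened lookup that validates the input against an allow-list and then binds it as a query parameter. The table, rows and the username allow-list are constructed for the example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with sample rows (not from the deck)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"),
                     ("bob", "bob@example.com")])
    return con


def lookup_unvalidated(con, username: str) -> list:
    """'Before' form: untrusted input is pasted into the SQL text, so a
    value containing quote characters changes the meaning of the query."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]


# Allow-list for usernames; anything else is rejected before it reaches SQL.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    """Input validation: accept only values matching the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(con, username: str) -> list:
    """Hardened form: validate the input first, then bind it as a query
    parameter so the database driver never interprets it as SQL."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in con.execute(sql, (username,))]


if __name__ == "__main__":
    con = make_db()
    crafted = "x' OR '1'='1"  # the kind of input validation must reject
    print(lookup_unvalidated(con, crafted))  # every row comes back
    print(validate_username(crafted))        # False: rejected up front
```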

114
9. Social engineering attacks can best be prevented by:
A. Intrusion detection system
B. Strong access controls
C. Two factor authentication
D. Awareness training

D is the correct answer.
A social engineering attack is an attack on humans, and
hence no technology can prevent it. Awareness training is
the best prevention.

115
10. Which of the following is a type of malware that
does not use system resources to execute malicious
code?
A. Virus
B. Logic bomb
C. Trojan
D. Worm

D is the correct answer.
Worms are self-executing. The rest of the options use system
resources to execute malicious code.

116
Questions?

117
Thank You

118
