Domain 2 Information Security


What three processes are involved in an Identity Access Management (IAM) system?

- Provisioning
- Identity Management
- Enforcement

IT Operational Controls Examples

- Segregation of IT duties
- Financial and budgetary IT controls
- Operational change management
- Operational data security controls
- Security level management

Segregation of IT Duties

- Segregation of IT duties can occur at the IT general control (ITGC) level or the application level.
- Segregation of duties at the ITGC level relates primarily to restrictions on the roles of individuals, while application-level segregations are primarily automated controls within systems.

User authentication can require up to three levels. The three basic levels, or factors, for authenticating an individual to provide physical access, access to a device, or access to an application are:

- Something the person has, such as a key, a keycard/badge, a credit card, a cryptographic key, or a registered mobile device
- Something the person knows, such as a user name and alphanumeric password or a numeric code
- Something unique to the individual, in other words, a biometric trait (e.g., fingerprint)

Fair Information Practices (FIPs)

- The privacy laws in Europe and in the United States, Canada, and other countries are based in part on fair information practices (FIPs).
- FIPs acknowledge that the parties in a transaction have obligations to each other.
- Individuals have rights to privacy but need to prove their identity; organizations have responsibilities over the collection and use of information.

Encryption: The relative security of a key

- The relative security of a key is determined by its bit length.
- When passwords are used to create keys, effective password creation rules must be applied.
- External aids include cryptographic module testing (CMT) labs and validation programs for cryptographic modules and their algorithms.
- Digital signatures verify the authenticity of a public key user (including non-repudiation) and the integrity of the message itself.
- A server certificate can establish the authenticity of a site.

Identity and Access Management

- The various policies, procedures, activities, and technologies used to identify authorized users comprise a process called identity and access management (IAM).
- The IAM process is designed to allocate identities and provide appropriate access.

Data Privacy Risks Three Categories

- Threats to organizations
- Threats to stakeholders
- Threats to individuals

Who has responsibility for information security?

- Information security is a management responsibility.
- This responsibility includes all the important information of the organization, regardless of how the information is stored.

Malware

- Malware is malicious software designed to gain access to a computer system without the owner's permission for the purpose of controlling or damaging the system or stealing data.
- The types of attacks that are increasing are ransomware (see below), attacks that gain unrestricted access to user systems and data, and attacks that gather network passwords and financial data.

COBIT (Control Objectives for Information and Related Technology)

COBIT, formerly known as Control Objectives for Information and Related Technology, is an internationally accepted framework created by ISACA that helps enterprises to achieve their objectives for the governance and management of information technology.

INTERNAL THREATS - ILLEGAL PROGRAM ALTERATIONS: Data hiding

Data hiding is manipulation of file names or extensions or other tricks to hide a file so that it can be manipulated (e.g., hiding an audit log).

PRIVACY RISK: Application Risk

Evaluating software involves reviewing privacy risk assessments and whether there is "privacy by design," such as use of data classification standards, defaulting user access to least privilege, or external interface authorization limits.

Mobile Device Management (MDM)

MDM software monitors the device and informs the user of policy violations.

VirWare

VirWare includes viruses, worms, and ransomware.

OTHER EXTERNAL THREATS: Phishing

Phishing is creating a website that appears identical to an organization's site and then luring the organization's users to that site through social engineering to capture IDs, passwords, government IDs, etc.

OTHER EXTERNAL THREATS: Piggybacking

Piggybacking is either physically following someone through a secure door or using someone's legitimate password to access a network.

Preventive Maintenance

Preventive maintenance should be performed on hardware and software systems and on their controls, because doing so is almost always less expensive than dealing with problems arising from poor maintenance.

Privacy

Privacy is essentially the right to be left alone and to be free from surveillance by individuals, organizations, or the government.

5 FUNCTIONS OF NIST CYBERSECURITY FRAMEWORK: Protect

Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

CATEGORIES
- Identity management and access control
- Awareness and training
- Data security
- Information protection processes and procedures
- Maintenance
- Protective technology

Public Sector and Data Privacy

Public Sector
- Governments collect PII in a vast number of areas, for example, real estate, voter registration, taxation, welfare, and law enforcement.
- Compliance requirements may be specific to different levels of public entities.
- The risk of files being misused, lost, or stolen is high.
- There may be rules or laws that prevent (or permit, given an approval process) one agency from comparing PII with others, called data matching (e.g., law enforcement reviewing driver databases).

5 FUNCTIONS OF NIST CYBERSECURITY FRAMEWORK: Recover

Recover: Maintain plans for resilience and to restore capabilities or services that were impaired due to a cybersecurity event.

CATEGORIES
- Recovery planning
- Improvements
- Communications

Sensitive Financial Information

- Account numbers (e.g., bank accounts, credit card numbers)
- Financial history
- Salary information

Data Centers (or Safes)

- Data centers (or safes) should not be located along an exterior wall but should be in an inconspicuous location with as few doors as fire codes allow.
- If the data is extremely sensitive, sturdy walls may need to extend all the way to the permanent ceiling above.

OTHER EXTERNAL THREATS: Evil Twin

An evil twin is a Wi-Fi network operated by a cybercriminal that mirrors a legitimate network.

Examples of OTHER MALWARE

- Adware
- Key logger
- Dialer

Smaller Companies and Segregation of Duties

- Smaller organizations may not have the luxury of this level of segregation of duties.
- If this is the case, combined roles require greater scrutiny.

INTERNAL THREATS - ILLEGAL PROGRAM ALTERATIONS: Data diddling

Data diddling is intentionally manipulating data in a system.

Integrity

Integrity is assurance that the data has not been improperly altered, is correct, and is reliable.

The effectiveness of ITGCs is measured by...

- The number of incidents that damage the enterprise's public reputation.
- The number of systems that do not meet security criteria.
- The number of violations in segregation of duties.

Device Tampering

- Device tampering includes jailbreaking/rooting of smart devices or other hardware manipulations.
- It may enable piracy or installation of apps that contain malware.
- Device tampering is dangerous and should also be prohibited by policy.

Types of Trojan Horses

- Trojan-clickers require clicking on a hyperlink
- Banker programs steal bank account data
- Rootkits are tools installed at the root (administrator) level
- Trojan-proxies use an infected computer as a proxy

Firewall

- A firewall is a hardware/software combination through which all communications to or from the outside world are routed.
- The firewall compares access rules (controlled by network administrators) against the IP addresses, names, files, and applications attempting to enter the system and blocks unauthorized traffic.

Smart Device Controls

- A general smart device control is an acceptable use policy with a clear indication of penalties for noncompliance.
- This can include a mandate for all organizational and BYOD devices to have up-to-date anti-malware software installed, to keep the OS updated, to use only official app stores, and to not do jailbreaking/rooting.
- End users need to be educated on weak versus strong passwords or other forms of authentication.
- Basic security training for organizational or BYOD devices can be provided, such as promptly reporting thefts or ensuring that user devices have user authentication turned on in case the device is stolen.
- Controls also exist at the hardware and software levels. Authentication controls need to be in place. Devices that have hardware encryption (which encrypts all data and apps when not in use) can be selected. Software encryption is a must. Some devices also support encryption in transit.

Bring Your Own Device (BYOD) Policy

- A key issue around the security impact of smart devices is a bring-your-own-device (BYOD) policy.
- A BYOD policy relates to whether or not an employee or contractor can (or is required to) bring their own laptop or mobile device to the workplace and use it for work purposes.
- Note that prohibitions on laptops or tablets might be enforceable so long as a suitable device is provided to the employee or contractor, but prohibitions on mobile phones would be feasible only in very high security environments.

A common example of two-level identification:

- A person entering a password (something he or she knows) but also receiving an access code on a mobile device (something that is registered to him or her)
- Many mobile devices and laptops also now have built-in fingerprint or facial recognition as an alternate level of authentication

Heating, ventilation, and air conditioning (HVAC)

- Heating, ventilation, and air conditioning (HVAC) are vital for all facilities but especially in climates with extreme temperatures
- HVAC systems need to be kept maintained and free from pathogens
- Building occupant satisfaction may also be an objective
- Backup power supplies or systems may be needed

Privileged Accounts - Controls

- A privileged account is an identity that has administrative access to an organization's information systems, enabling the role to make high-level and sometimes (improperly) undocumented changes to the IT environment, possibly including the establishment and provisioning of other identities.
- Privileged accounts require additional controls.
- To prevent unnecessary or inappropriate access to these accounts, the organization should include a section in its IAM policy on provisioning, administration, and enforcement of privileged accounts.
- IT management needs to periodically review the list of users with privileged access and the activities of privileged accounts (whenever possible).
- IT management should also check online activities of privileged accounts due to the possibility of inappropriate transmission of data or introduction of unapproved applications.
- In addition, as part of segregation of duties, privileged and IT account identities should be reviewed by an appropriate manager or system owner.

Virus

- A virus attaches itself to storage media, documents, or executable files and is spread when the files are shared with others.
- One type is a macro virus, which uses the macro function of software such as Microsoft Word® to create executable code.
- In response, Microsoft created file extensions (e.g., .xlsx: no macros; .xlsm: macros allowed).

The internal audit activity may assess information security risks using the following techniques and tools:

- ANALYSIS OF REPORTED INCIDENTS: Records can provide valuable information about potential and actual losses.
- REVIEW OF EXPOSURE STATISTICS: Statistics from insurance carriers, industry associations, and regulatory agencies can provide guidance about potential risk exposures.
- MAPPING KEY PROCESSES: Developing process maps and identifying potential risk points provide helpful insights.
- PERIODIC INSPECTIONS: Health and safety inspections can surface compliance lapses and also uncover opportunities to decrease risks.
- PERIODIC PROCESS AND PRODUCT AUDITS: Such internal audits can incorporate specific questions to identify potential risks.
- ASSESSMENT OF MANAGEMENT SYSTEM EFFECTIVENESS: Beyond internal audits conducted to verify conformance to one or more standards or to assess continual improvement, this technique can identify gaps in management systems that expose the organization to potential losses.
- SCENARIO ANALYSIS: Tools such as brainstorming and mind mapping are effective to identify all the consequences that could occur in a worst-case scenario.

Access

- Access may be defined as the right to perform certain transactions (e.g., copying or transferring data).
- These access rights are termed the user's "entitlements."

Identity

- An identity is defined as a unique descriptor (or combination of descriptors) of a person or machine, for example, a name, a password, an ID number, or a biometric identifier.
- Proper identity provides access to information systems and data.

Information Security Policies

- An information security policy should be coordinated with multiple departments (including systems development, change control, disaster recovery, compliance, and human resources) to ensure consistency.
- Additionally, an information security policy should state Internet and email ethics and access limitations and define the confidentiality policy.
- Good policies also need to provide precise instructions on how to handle security events and escalation procedures (e.g., how to escalate situations where a risk is likely exceeding the organization's risk appetite).
- One essential information security policy is to ensure that the organization's Three Lines roles also cover information security roles and responsibilities, as is discussed more next.

CYBERSECURITY RISK ASSESSMENT FRAMEWORK: 4) Information Access Management

- An internal audit activity review of user access can determine if preventive controls, such as review and approval of privileges based on a new or transferred job role, are appropriate and working.
- An emphasis is placed on preventive controls for privileged administrative access because this is a leading indicator of cybersecurity program effectiveness.

Types of Intrusion Detection/Prevention Systems

- An intrusion detection system (IDS) combined with a firewall is called an intrusion prevention system (IPS).
- Host IPS (HIPS) software can detect and block abnormal application behavior before it executes by assuming that abnormal behavior is an unknown form of attack.
- Network IPS (NIPS) are hardware and software systems on a network that analyze incoming packet content, dropping malicious packets.

Internal Audit Checking Firewalls

- An organization's firewalls should be installed on dedicated hardware that has no unnecessary software.
- Internal auditors verify that firewalls are located in front of critical systems and are configured to restrict workstation connections to only those authorized.
- Auditors need to determine if firewalls can be bypassed or the controls overridden by alternative transactions.
- User prompts for allow/deny communications can be the most risky.
- Auditors should work with the network administrator to determine the efficacy of a firewall, how specific its rules are, and whether the lists of acceptable users, IP addresses, and applications are kept up to date, such as by promptly removing terminated employees.
- Because a firewall is a chokepoint, it can be used to audit controls or trace the source of an incoming attack.
- Firewall logs could be used as legal audit evidence if the data was collected, processed, and retained properly.

Information security needs to be a holistic endeavor so that a strong protection in one area is not simply bypassed in some other way, such as:

- An outside person bypassing external access security by accessing the network through someone's computer with weak protections (or stealing a laptop with sensitive data).
- An unscrupulous programmer adding a backdoor into a computer system during systems development or a system update.

Antivirus Software

- Antivirus software maintains lists of known viruses and prevents them from being installed or helps recover a computer once a virus is removed.
- Such software scans both incoming and outgoing data.
- Automated downloads and regularly scheduled scans are important controls to keep such systems up to date.
- Some antivirus programs use nature-based models that look for any unusual code and can detect new viruses.
- Policies can also help, such as allowing downloads only from reputable locations with security seals.
- Other tools include blockers for spyware, spam, macros, and pop-ups.

Server/mainframe Malware

- Attacks on mainframes are rare because of the specific knowledge needed for a particular mainframe.
- Nevertheless, publicly available servers connected to the web are assumed to be under a constant barrage of attacks.
- Server attacks start by attempting to gain low-security access followed by an attempt to elevate the security level.
- Once inside, changes include hiding tracks, stealing data, and breaking or taking control of the system.
- Microsoft servers have security issues that are regularly patched and publicly announced, but hackers will exploit systems that aren't updated.
- In addition to system attacks, publicly available servers can be attacked through their applications.
- For example, an intranet server might use a distributed application to allow employees to check customer data. Hackers find flaws in such applications.

Other logical access controls include:

- Automatic log-off procedures
- Monitoring and controlling access to computers with remote control privileges (e.g., help desk)
- Access logs (application and Internet logs)
- Single-use access codes or codes with defined start and end dates for contractors
- Digital signatures. (These can be used for user authentication of electronically stored or transmitted documents, such as contracts.)

Different Countries Have Different Privacy Laws and Regulation

- Because many nations have privacy laws that may differ considerably, the Organisation for Economic Cooperation and Development (OECD) and similar organizations are working to create consistency in privacy laws and laws on the transborder flow of information.
- While many countries (and even some regions, such as California in the United States) have privacy laws or regulations, the best way to study for the exam is to learn the principles behind these laws since they share many principles.

Intrusion Detection/Prevention Systems

- Browsers process so much data that firewalls alone may not be sufficient. Intrusion detection/prevention systems monitor systems for intrusions from browsers.
- These systems usually are more conservative than other types of firewalls and provide more detailed reports.

CYBERSECURITY RISK ASSESSMENT FRAMEWORK: 3) Standard Security Configurations

- Centralized, automated configuration management software can establish baselines for devices, operating systems, and software.
- Standardized configurations are more effective and easier to use for global updates than a patchwork.
- Risk assessments can determine where higher-security configurations are needed.

EMERGING TECHNOLOGY: Cloud Computing Security

- Cloud computing security refers to controls, technologies, and policies in place to protect data, applications, and the infrastructure of cloud computing.
- Cloud security architecture can use numerous controls, such as deterrent, preventive, detective, and corrective controls, to safeguard potential system weaknesses.
- In addition, cloud access security brokers (CASBs) provide software that sits between end users and the cloud applications to monitor activity and enforce security policies.
- ISO 27017 focuses on the protection of information in cloud-based services.

Cybercrime

- Cybercrime is a growing area of organized crime.
- Profit is the motive.
- Organized crime organizations may have large-scale operations in certain nations that suffer from poor enforcement or graft and corruption.

CYBERSECURITY RISK ASSESSMENT FRAMEWORK: 1) Cybersecurity Governance

- Cybersecurity governance is evidenced by clearly defined policies, relevant tools, sufficient staffing, and insightful training.
- Red flags of a lack of governance include fragmented governance structures, incomplete strategy, unnecessary delays, budget cuts, attrition, or lack of accountability enforcement.
- A cybersecurity governance committee with representatives from the board, management, and internal audit can be formed to help:
  - Establish a culture of cybersecurity risk awareness.
  - Set a related risk appetite.
  - Develop cybersecurity business continuity and disaster recovery plans.
  - Collect cybersecurity risk intelligence.
  - Collaborate and share expertise.
- Such a committee would also oversee prompt management responses to security breaches, including root cause analysis.
- This committee can help avoid a common pitfall of management, namely that emerging threats or vulnerabilities are not considered proactively.
- The committee enlists the right types of expertise, does ongoing research, creates metrics, and reviews security defense tests.

Cybersecurity Policies

- Cybersecurity policies and related training and testing are designed by IT risk management and IT compliance functions (second line roles) and administered by IT operations management roles (first line roles).
- Internal audit (third line roles) provides independent ongoing evaluations of cybersecurity policy effectiveness.
- Many cybersecurity policies are based on cybersecurity frameworks.

EMERGING TECHNOLOGY: Data Loss Prevention

- Data loss prevention ensures that end users do not send sensitive or critical data outside their corporate network.
- The key to successful data loss prevention is technology such as encryption and tokenization, which can provide data protection down to a subfield level.

Ethics in Data Storage

- Data needs to be safeguarded per data privacy policies, regulations, etc.
- However, it may also need to be protected from deletion for audits or evidence of compliance. Electronic data such as emails are considered legal evidence (in the United States, this is covered under the Federal Rules of Evidence), and some companies have received large fines for denying access to or deleting such evidence.
- Internal auditors need to develop an awareness of these and other ethical implications when providing assurance or consulting on data storage or deletion policies.

SMART DEVICE RISKS: Information Security Risks

- Data on smart devices could be accessed if left unencrypted.
- Backups may not be performed.
- Controls built into operating systems (OS) could be bypassed to enable prohibited software to be installed that could contain malware; this is called "jailbreaking" for the Apple OS and "rooting" for the Android OS. Note that either practice can prevent remote wiping of the memory (a control).
- Persons on organizational or BYOD devices could join untrusted networks and their devices could be hijacked. GPS could be used for tracking or nefarious uses.

Data Policies

- Data policies are enforced through data standards, which define how things need to be done to meet policy objectives.
- Enforced standards keep systems functioning efficiently and smoothly.
- Standards should be set for systems development processes, software configuration, application controls, data structures, and documentation.

CAEs can ask questions such as the following related to data security practices:

- Does a board committee exist to consider risk appetite related to privacy risk?
- What is management's privacy risk appetite?
- What are the current or likely forthcoming applicable privacy laws and regulations?
- What PII does the organization collect, who defines what is private, and are the definitions consistent or appropriate?
- Does the organization have privacy procedures and programs with defined responsibilities and accountabilities and sufficient resources to be effective?
- Does the organization know where all personal information is stored and who has access?
- How is PII protected at the database, network, system platform, application, and business process layers?
- Is any PII disclosed to or processed by third parties?
- Do employees receive privacy awareness training specific to their responsibilities?
- Does management periodically assess program effectiveness and the need for meeting new requirements?

Data Privacy and Employee Data

- Employees and their employers are in conflict on privacy, because organizations want to both protect their interests and guard against improper activity, while employees want to feel that they have a measure of privacy at work.
- Software can log websites visited and track every keystroke a user makes.
- Higher levels of monitoring can provide control but at the possible price of lower morale.
- Clear communication of the privacy policy will help with morale.
- The policy should inform employees what is and isn't monitored as well as what is expected of them, such as using the Internet only for specific activities.
- Logical controls over possible sites that can be visited can reduce the need to monitor employee activities.

Encryption

- Encryption is an information security control that uses a mathematical algorithm to scramble data.
- The data cannot be unscrambled without a numeric key code, which can be designated as a public key (able to encrypt but not decrypt messages) or a private key (able to both encrypt and decrypt messages).
- Public keys add a layer of security because the private key does not need to be distributed.
- Encryption is used on stored data, physically transmitted data (e.g., on a flash drive), and electronically transmitted data.
- Wireless data can also be encrypted to prevent compromise if it is intercepted.

Password Training

- End-user security training can make a huge difference to application authentication security.
- Password and log-on methodology training teaches users to avoid common mistakes.
- Users will be trained to avoid storing their password near their computer or using easily deduced passwords such as their child's name or the word "password".

Examples of other controls related to data security:

- End-user training in the proper use of email and the Internet is important.
- Logical controls should prevent end users from installing new software.
- Applications should be safeguarded by keeping them in computer program libraries, which should be restricted by physical and logical access controls.
- There should be a secure process for disposing of old IT hardware due to the possibility of sensitive data being on the drives. This basically means ensuring that deleted files are really deleted by using special file deletion software or by physical electromagnetic wiping. This should be done on hard drives or backup tapes being resold or discarded.

Encryption: Auditing Issues

- Evaluating encryption includes evaluating physical controls over computers that have password keys, testing policies to see if they are being followed, and implementing and monitoring logic controls.
- Protection of private keys from disclosure to outside parties is paramount.
- Each security domain should be able to share its local identity and security data without compromising its internal directories.

Fire and Flood Protection

- Fire and flood protection systems need to be in place per local building codes, and testing and maintenance schedules need to be validated and tests or maintenance observed
- Media storage should be fire-rated, and backup and disaster contingency measures should be in place
- Fire alarms and moisture detectors should be used
- Sprinkler systems may be required

Segregation of duties at the ITGC level includes:

- Following the identity and access management (IAM) principle of allowing access only if the job function requires it
- Ensuring that initiation, authorization, input, processing, and validation of data are all done by different individuals and possibly by different departments
- Ensuring that employees with physical custody of assets do not have access to the related computer records or have any other related authorization rights or privileges
- Separating systems development and operations:
  - Programming and change deployment should be organizationally and physically separate from users with access to production systems, and neither should be able to do the others' tasks.
  - Neither should have access to file libraries (a function of a system librarian) or input/output controls (a function of the systems controller).
- Other segregations include systems analysis and data entry

6 Principles of the Three Lines Model

- Governance
- Governing body roles
- Management and first and second line roles
- Third line roles
- Third line independence
- Creating and protecting value

Multi-factor Authentication

- Greater security may be provided by increasing the complexity of one of these levels or by requiring multi-factor authentication.
- Two-level (or two-factor) authentication is usually "adequate to meet the highest security requirements."

Hacker

- A hacker is a person who accesses systems and information, often illegally and without authorization.
- Unethical organizations employ hackers to perform industrial espionage.
- Hackers could harm the organization's employees, contractors, customers, and other stakeholders and its competitive advantage.
- They could cause direct monetary loss as well as reputation damage if certain information were made public.

EMERGING TECHNOLOGY: Hardware Authentication

- Hardware authentication incorporates authentication into a user's hardware.
- An end user may be required to enter a code sent to their mobile device in order to achieve authentication.
- This can be combined with other forms of authentication.

Asset Controls

- Hardware not in a data center, such as laptops or PCs, can be physically secured with locks and have their own small uninterruptible power supplies (UPSs) and surge suppressors.
- Exposed wiring should be minimized using wiring closets or patch panels.

IT General Controls

- IT general controls (ITGC) are those IT controls that form the basis of the IT control environment (a framework for ensuring comprehensive information security) and apply to all systems, components, processes, and data for a given organization or systems environment.
- The other broad category of IT controls is application controls, which relate to a specific application and so are not general.
- Some ITGCs are business-related, such as segregation of duties, and others are technical and relate to the underlying IT infrastructure.

OTHER EXTERNAL THREATS: Identity Theft

- Identity theft is the illegal use of sensitive information to impersonate an individual over computer networks in order to defraud the person or commit a crime without the perpetrator's true identity being known.
- The human-to-browser phase of transactions is where most identity theft occurs, not in the space between browser and web server.
- Most of the problem is due to poor password controls and social engineering.

Cybersecurity, Management and System Administrators

- In terms of cybersecurity, management is accountable for developing, funding, monitoring, and controlling data administration, data processes, data risk management, and data controls.
- They usually delegate to qualified systems administrators who recruit and train certified and qualified staff.

General Data Protection Regulation (GDPR)

-In the European Union (EU), the General Data Protection Regulation (GDPR) is a binding regulation. -The GDPR obliges EU member states to protect the fundamental rights and freedoms of persons, in particular their right to personal data privacy. Much like the FIPs described above, the GDPR gives individuals the right to: --Be informed of how organizations are using their personal data (i.e., a privacy policy). --Access their personal data. --Rectify incorrect information. --Be forgotten. (Individuals can request deletion of their personal information.) --Have data portability. (Individuals can request a copy of their personal information.) --Object or opt out of future data collection at any time. -While this is an EU regulation, any organization in any part of the world that collects or holds the personal data of persons residing in the EU will need to have policies, procedures, and IT systems in place as appropriate. -Many organizations that do business globally have welcomed the GDPR as a gold standard for privacy that may prevent needing to instead comply with a patchwork of national regulations.

Three Lines Model

-In the Three Lines Model, the first and second line roles for an organization are management (including its support functions) and the third is the internal audit activity. -First line management roles deliver products and services to customers and are responsible for managing risk. -Second line roles provide complementary expertise, support, monitoring, and challenge to first line roles.

What are the risks of inadequate segregation of duties?

-Inadequate segregation of duties could heighten the potential for fraud, including misappropriation of assets and fraudulent financial reporting or statements. -It could also result in data tampering and loss of data privacy.

The risks of failing to properly authenticate users or systems or to provide proper authorization controls include but are not limited to the following:

-Inappropriate employee or contractor access to confidential information (e.g., payroll). -External access allowing: -->Theft of proprietary information (e.g., patented formularies for drugs at a pharmaceutical company). -->Modification, corruption, or encryption of data. -->Installation of malware or spyware. -->Access to other systems. -->Deletion of information. -Compliance risk such as a material breach of privacy. -Loss of customer trust (reputation risk) and loss of market share (market risk).

Worms Not Using Email

-Instant message (IM) worms, worms for mobile devices, and net-worms have been increasing because they don't need to rely on users opening email. -Email worms have been decreasing, partly due to the rapid response system and improved antivirus software.

Evaluating the Organization's Data Privacy Framework

-Internal audit determines whether a data privacy framework exists and evaluates the framework to ensure that the board has set a risk appetite related to privacy risks and that the framework is effective in identifying and addressing significant risks. -Internal auditors also need to determine how the framework and related policies classify organizational data and evaluate whether the levels of classification and related controls are appropriate. -Classifications are usually based on the level of harm a data breach or misuse could cause and/or the regulatory penalties for noncompliance. -Another area of review is whether the framework has a privacy incident response plan and related templates.

Third Line's Role in Cybersecurity

-Internal audit maintains its independence and objectivity in part so that it can properly function as the third line role. -In the event that the first two lines fail to provide adequate protection, have an incomplete strategy, or fail to implement recommended remediation, internal auditors will be in a position to make these observations to senior management and/or the board. -This might entail evaluating: ---Cybersecurity preventive and detective controls for adequacy and completeness. ---The IT assets of privileged users to ensure that they have standard security configurations and are free from malware. ---External business relationships by conducting cyber risk assessments.

Internal Audit and Smart Devices

-Internal auditors may need to audit the security impact of smart devices as well as related systems that may be under the control of third parties. -Understanding the business context will help internal auditors determine the real business needs for smart devices, which could highlight opportunities for business advantage or a lack of real need (i.e., too much risk, too little reward). -A risk assessment will help determine the engagement's objectives and scope and required resources as well as the relevant risk and controls that the internal audit activity should recommend.

Types of Emerging Technology

-Internet of Things (IoT) -Hardware authentication -User-behaviour analytics -Data loss prevention -Machine learning and artificial intelligence -Cloud computing security

Other Controls to Protect From Malware

-Other controls include taking sensitive information offline and performing background checks on new employees and users with security clearance. -Browsers contain phishing filters, which send data to the browser manufacturer for validation. -Controls associated with proper user identification and authentication of identity are critical. -Authentication mechanisms must be secured and assessed. -Users must be aware of the dangers of sharing or not securing passwords or creating weak passwords.

Examples of Physical Access Controls

-Keys or keycards -Some type of code or password -A biometric scan -Security guards -Checkpoints with metal detectors -There may be a process to grant access to facilities such as log books and monitoring of all entry points -Visitor escorts may be required -All persons may be required to have visible identification badges with area-specific access rights -All areas of a building should be covered by a general security system, including motion sensors and cameras in key areas as well as devices to detect break-ins -There may need to be perimeter restrictions such as fences

Categories of Privacy Risk

-Legal and organizational risk -Infrastructure risk -Application risk -Business process risk

PRIVACY RISK: Legal and Organizational Risk

-Legal and organizational risk. Internal auditors ensure that relevant privacy laws and other regulations are communicated to clearly designated responsible parties. --Personnel are told what is expected of them and what the individual and organizational penalties are for noncompliance. --Auditors assess personnel competency levels and whether they have a process to keep current with new laws, regulations, and technologies (e.g., cloud computing). --Proof of compliance is required, not just compliance, so documentation must be addressed. --Auditors determine if management is spending too much on privacy controls (e.g., expensive encryption for routine data).

EMERGING TECHNOLOGY: Machine Learning and Artificial Intelligence

-Machine learning and artificial intelligence can be used to automate certain protocols or detect trends in big data. - Rather than looking at the end user only, these systems can also distinguish between good and bad software and provide an advanced threat detection and elimination solution.

Physical Security: Maintenance

-Maintenance and housekeeping schedules for dust removal should be set and adhered to as per manufacturer recommendations -Logs of hardware cleaning and malfunctions should be kept -Internal auditors can check to see if actual maintenance patterns match suggested patterns; they can also check on the lag between when issues are reported and when they are fixed

CYBERSECURITY RISK ASSESSMENT FRAMEWORK: 2) Inventory of Information Assets

-Management is responsible for creating an inventory of information assets, technology devices, and related software. -This priority-ranked list of information assets can help determine where to apply stronger controls and where IT general controls and periodic evaluations should suffice. -The most valuable assets will need preventive and detective controls that are continually monitored for ongoing effectiveness. -This inventory will be enhanced if a process map is used or created to show how the information assets interact. -A key benefit of having an inventory is that it will enable detection when unknown devices have accessed a network. -If these are the employees' own devices (used under a bring-your-own-device policy), they can be authenticated and inventoried. -An inventory will consider data by type (e.g., transactional, unstructured), classification (e.g., health data), and storage environment. A comprehensive inventory will include: ---A physical inventory of servers and network, storage, and end-user devices. ---A comprehensive list of all applications. ---All third-party-hosted environments and data shared with external organizations, including regulatory agencies and vendors.
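The inventory's detection benefit described above (spotting devices that reach the network without an inventory record) is easy to turn into a control. The following added example, which is not part of the original flashcards, parses constructed dnsmasq-style DHCP lease lines, compares each leased MAC address against a hypothetical asset inventory that records whether a device is corporate or BYOD, and reports the ones nobody has accounted for. The log lines, inventory entries, and names are all constructed for the example.

```python
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed dnsmasq-style DHCP log lines (sample data, not from the original page).
SAMPLE_LOG = """\
Mar  3 08:01:12 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.20.15 3c:22:fb:10:aa:01 fin-ws-01
Mar  3 08:01:40 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.20.16 3c:22:fb:10:aa:02 fin-ws-02
Mar  3 08:03:05 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.20.77 b8:27:eb:5e:11:9f raspberrypi
Mar  3 08:04:59 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.20.80 F0:18:98:2C:77:3D Alices-iPhone
Mar  3 08:05:10 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) 0a:11:22:33:44:55
Mar  3 08:06:30 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.10.20.15 3c:22:fb:10:aa:01 fin-ws-01
"""

# Constructed inventory keyed by MAC address (hypothetical asset records):
# owner class (corporate / byod) and the data classification the device may handle.
INVENTORY: Dict[str, Dict[str, str]] = {
    "3c:22:fb:10:aa:01": {"asset": "fin-ws-01", "owner": "corporate", "data": "financial"},
    "3c:22:fb:10:aa:02": {"asset": "fin-ws-02", "owner": "corporate", "data": "financial"},
    "f0:18:98:2c:77:3d": {"asset": "BYOD-alice", "owner": "byod", "data": "email-only"},
}

# Only a completed lease (DHCPACK) means the device is actually on the network;
# DISCOVER/OFFER lines are ignored. The hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK\(\S+\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: (?P<host>\S+))?"
)


def parse_leases(log: str) -> Iterator[Tuple[str, str, Optional[str]]]:
    """Yield (ip, mac, hostname) for every DHCPACK line; MACs are normalised to lower case."""
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host")


def find_unknown_devices(log: str, inventory: Dict[str, Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Devices that obtained an address but have no inventory record, one entry per MAC."""
    seen: Dict[str, Tuple[str, Optional[str]]] = {}
    for ip, mac, host in parse_leases(log):
        seen[mac] = (ip, host)  # the most recent lease wins
    return [
        {"mac": mac, "ip": ip, "hostname": host}
        for mac, (ip, host) in sorted(seen.items())
        if mac not in inventory
    ]


def lease_summary(log: str, inventory: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Count distinct leased devices by owner class ('unknown' for anything not inventoried)."""
    counts: Dict[str, int] = {}
    for mac in {mac for _, mac, _ in parse_leases(log)}:
        owner = inventory.get(mac, {}).get("owner", "unknown")
        counts[owner] = counts.get(owner, 0) + 1
    return counts


if __name__ == "__main__":
    for device in find_unknown_devices(SAMPLE_LOG, INVENTORY):
        print("not in inventory:", device)
    print("leases by owner class:", lease_summary(SAMPLE_LOG, INVENTORY))
```

A MAC address is trivially changed by whoever controls the device, so this is a detective control that flags gaps in the inventory; authenticating BYOD devices, as the card mentions, needs a network access control mechanism (for example 802.1X) rather than a MAC comparison.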

What does the internal audit activity need to ensure when auditing information security?

-Management recognizes this responsibility. -The information security function cannot be breached. -Management is aware of any faulty security provisions. -Corrective measures are taken to resolve all information security problems. -Risk-based and cost-benefit-based preventive, detective, and corrective controls are in place to ensure information security.

CYBERSECURITY RISK ASSESSMENT FRAMEWORK: 5) Prompt Response and Remediation

-Mature programs continuously shorten the time to management response. -The second line roles communicate important risks to management, enact remediation, track issues to resolution, and create trend reports on resolutions.

Sensitive Health Information

-Medical records -Health plan beneficiary information -Physical or mental health information -Provided health services or information collected during visits

Examples of controls that can be built into IT organizational structure include:

-Minimizing the number of users with administrative privileges -Using software tools and direct observation by supervisors to monitor the activities of users with administrative privileges -Setting policy guidelines for all employees to take a certain minimum number of consecutive days off at least annually, with special emphasis and/or required job rotations for persons with sensitive roles or access privileges such as systems controllers

Examples of Fair Information Practices (FIPs)

-NOTICE: Prior to collecting data, websites must disclose who is collecting the data, its uses, other recipients, what is voluntary, and what will be done to protect the data. -CHOICE: Consumers should be able to choose how the information is used outside of support for the current transaction. -ACCESS: Consumers should be able to access and modify their personal information without great expense or hardship. -SECURITY: Data collectors must ensure that they have adequate data controls. -ENFORCEMENT: FIPs must be enforced via self-regulation, legislation giving recourse rights to consumers, and other laws.

Security Level Management

-Not every system needs the highest level of security -The cost of the security measures should be commensurate with the level of risk mitigation required, so this requires customization for the organization

In general, data security must be maintained:

-On site -During transmission -When stored on third-party systems

Protection from malware: A minimum set of agreed-upon Controls, called baseline controls (explained in GTAG)

-One method of self-protection from malware in general is to follow a minimum set of agreed-upon controls, called baseline controls. -One example is the VISA® Cardholder Information Security Program (CISP), which has made a set of security guidance rules available to credit card network users. -This advice, called the "Digital Dozen," can be found in the Global Technology Audit Guide (GTAG) 1, "Information Technology Risk and Controls," 2nd Edition.

PRIVACY RISK: Business Process Risk

-PII needs to be used for its legitimate business process purposes, and this creates a risk that it will be exposed at people's desks in printed form, on unattended screens, and so on. -Discretion should be used in areas open to the public, and basic controls should exist, such as clean desks or timed locking of computers not in use.

PRIVACY RISK: Infrastructure Risk

-PII processing steps may include paper or online forms, data entry, or fully automated steps. -Each time PII moves and changes format, new vulnerabilities to confidentiality, integrity, and availability of data occur. -Internal auditors should trace PII in operations as well as in backup storage, such as by reviewing encryption in storage and in transit. -Controls include: ---Paper shredders, locked files, or other physical controls. ---IT general controls and application controls. ---Each platform or technology should have a data map and inventory of all PII, including transfers to third parties.

The Three Processes Involved in Identity Access Management

-PROVISIONING: The most visible aspect of IAM is provisioning—the creation, changing, termination, validation, approval, propagation, and communication of an identity. The IT department is responsible for developing and universally applying a policy statement on provisioning using input from business units. One role of the internal audit activity is to determine if there is proper segregation of duties for the approval of provisioning to an identity. -IDENTITY MANAGEMENT: Identity management refers to the establishment, communication, and management of IAM strategies, policies, and processes. It entails monitoring, auditing and reconciling, and reporting system performance. -ENFORCEMENT: Enforcement occurs automatically, through processes or mechanisms, as identities are authenticated and authorized and activity is logged. This forms an audit trail.

SMART DEVICE RISKS: Privacy Risks

-Personally identifiable information (PII) is stored on smart devices. -Also, the organization could use smart devices to monitor its employees. -BYOD practices and devices of vendors, guests, or visitors increase the risks to PII compromise.

Examples of OTHER EXTERNAL THREATS

-Phishing -Evil twin -Identity theft -Piggybacking -Denial-of-service attack

Physical Access Controls

-Physical access controls are the real-world (tangible) means of providing and limiting access to buildings, data centers, record rooms, inventory areas, and key operational areas to only authorized persons (and denying access to unauthorized persons). -Note that many of these same types of access controls can be used to provide or deny access to computer systems or other devices.

ITGCs are classified in the Global Technology Audit Guide (GTAG) 1, "Information Technology Risk and Controls," 2nd Edition, as follows:

-Physical security -Logical access management -Systems development life cycle controls -Program change management controls -System and data backup and recovery controls -IT operational controls

General Physical Security Control

-Physical security awareness training for personnel -Pre-employment background and reference checks -Post-employment security clearances -Separation of job duties -These are additional general measures that can help mitigate physical security risks (e.g., theft).

Physical Security

-Physical security involves the physical and procedural measures used to protect an organization's buildings, the occupants, and the building contents -The goal in workplace security is to eliminate or reduce the risk of harm to facility occupants first, followed by risk of loss of organizational assets—tangible and intangible—from human and natural disasters

Physical Access Controls - Increasing Levels of Complexity to Increase Security

-Preventing access to an asset could use a lock and a physical key, but there would be no audit trail of who accessed that door (except perhaps for security camera footage) -Keycard systems identify a particular user badge. A security computer checks the badge against a list for access, and an access log indicates which badge was used and when -Biometric devices check a user's identity through fingerprints, palm scans, iris photos, face recognition, and/or other unique physical identifiers. The scan is compared to a copy in a security database, so there is also an audit trail here -Even greater security could require two-level identification (or even three-level identification): a keycard and a password, a keycard and a biometric scan, etc

DATA PRIVACY RISKS: Threats to Organizations

-Privacy breaches can get significant attention from the press, supervisory authorities, and privacy watchdogs. -An organization could fail to achieve its objectives and could experience operational disruptions, inefficiency, or reputation damage, with severe financial impacts. Specific control weaknesses when processing PII include: --Excessive collection --Incomplete or outdated information --Damaged data --Inadequate access controls --Excessive sharing --Incorrect processing --Inadequate use --Undue disclosure --Undue retention

What are the benefits of good data privacy controls?

-Public image and brand protection -Customer, employee, donor, and business partner PII protection -Credibility, confidence, and goodwill leading to competitive advantage -Compliance

Other Sensitive Information

-Racial or ethnic origin -Religious or philosophical beliefs -Political opinions -Trade union membership -Legal proceedings and civil actions -Combinations of certain information

Change management controls at the operations level include:

-Reviewing exception reporting and transaction logs -Separating testing and production environments by formal data migration processes -Ensuring that adequate audit trails exist

Information Security: Infrastructure

-Security infrastructure can be part of end-user applications, and/or it can be integral to servers and mainframes (in which case it is called security software). --When the focus on security is primarily at the application level, such as for small environments, user and role-based access controls are generally strong but controls over expert programmers often tend to be weak. --Security software resides at the server, client, or mainframe level and provides enhanced security for key applications, such as wire transfer software.

Smart Devices

-Smart devices enable working in a truly mobile way. -Examples include cell phones, tablets, wearable devices (e.g., watches, glasses), and specialized devices such as for warehouse picking. -Smart devices have operating systems, data storage, and security mechanisms, and they connect to cellular and/or Wi-Fi networks for data, voice, and/or video. -They may include GPS or specialized sensors such as for radio frequency identification (RFID).

Examples of how physical security begins with workspace design...

-Smoke alarms -Adequate lighting throughout a facility -Installation of an electronic security system for building entry -A reception area with staff or a security guard, sign-in sheets, and visitor badges -Restricted areas, such as the data center (Physical security can also be role-based, with certain areas more secure than others, even to IT staff)

Software Piracy

-Software piracy is the illegal copying of software or distribution of software access to more users than is allowed in the organization's contract. -Software organizations may be able to detect illegal use of software remotely or have their own right-to-audit clauses with the purchasing or leasing organization. -Financial penalties for noncompliance can be severe. -A policy prohibiting piracy is an important control. -Risk-based internal audits may be needed to provide assurance that software is not being pirated.

GTAG Internal Audit Recommendations/Best Practices Related to Insider Threats

-The GTAG, "Auditing Insider Threat Programs" cites the CERT® Insider Threat Center's "Common Sense Guide to Mitigating Insider Threats, Fifth Edition," for a set of best practices or control objectives. Internal audit activity recommendations may include one or more of these best practices, as reproduced below, depending on the results of the engagement: --Know and protect your critical assets. --Develop a formalized insider threat program. --Clearly document and consistently enforce policies and controls. --Starting at the hiring process, monitor and respond to suspicious or disruptive behavior. --Anticipate and manage negative issues in the work environment. --Consider threats from insiders and business partners in enterprise-wide risk assessments. --Be especially vigilant regarding social media. --Structure management and tasks to minimize unintentional insider stress and mistakes. --Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees. --Implement strict password and account management policies and practices. --Institute stringent access controls and monitoring policies for privileged users. --Deploy solutions for monitoring employee actions and correlating information from multiple data sources. --Monitor and control remote access from all end points, including mobile devices. --Establish a baseline of normal behavior for both networks and employees. --Enforce separation of duties and least privilege. --Define explicit security agreements for any cloud servers, especially access restrictions and monitoring capabilities. --Institutionalize system change controls. --Implement security backup and recovery processes. --Close the doors to unauthorized data exfiltration. --Develop a comprehensive employee termination procedure.

EMERGING TECHNOLOGY: Internet of Things (IoT)

-The Internet of things (IoT) refers to a system of interrelated physical devices around the world connected to the Internet, collecting and sharing data. -It allows for the transfer of data over a network independently without human action. IoT has emerged to allow machine-generated data to be analyzed for insights to drive improvements. -The benefits of IoT to businesses are that it allows more access to data about an organization's products and internal systems and a greater ability to make changes as a result, such as pushing out new security updates. -However, this raises new concerns about data privacy and security. -The increase in connected devices gives cybercriminals more entry points and leaves sensitive information vulnerable. -Establishing a standardized security protocol to address the scope and diversity of devices is a central challenge.

NIST Cybersecurity Framework

-The U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework, or CSF, provides a risk-based, iterative approach to the adoption of a vigilant cybersecurity stance for public and private organizations. It also includes guidance on self-assessment. -The NIST CSF Framework Core includes cybersecurity activities, desired outcomes, and references from industry standards, guidelines, and practices. -The Framework Core (version 1.1) has five functions (Identify, Protect, Detect, Respond, Recover), which are further divided into 23 categories.

Where should the audit trail be kept?

-The audit trail is either kept in a separate file or sent to the system activity log file -It must be secure from as many users as possible, and access restrictions should be reviewed.
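Keeping the trail in a separate file with restricted access protects it from casual readers; it does not tell you whether someone who did get write access edited or removed a record. The following added example, which is not part of the original flashcards, goes one step further than the card: each record carries a keyed MAC over itself and the previous record's tag, so an edit, a forged insert, a reordering, or a deletion from the middle breaks the chain, and a checkpoint (count plus last tag) held outside the log catches truncation from the end. The key belongs to the logging service alone; the field names and the sample events are choices made for this example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # "previous tag" for the very first record


def _tag(key: bytes, prev_tag: str, seq: int, event: Dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of (sequence number, previous tag, event)."""
    payload = json.dumps(
        {"seq": seq, "prev": prev_tag, "event": event}, sort_keys=True, separators=(",", ":")
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only trail where every record is chained to its predecessor by a keyed MAC.

    The key is held by the logging service, not by the users or systems whose activity is
    logged, so someone who can edit the log file cannot produce a valid tag for a change."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: List[Dict] = []

    def append(self, event: Dict) -> Dict:
        seq = len(self.records)
        prev = self.records[-1]["tag"] if self.records else GENESIS
        rec = {"seq": seq, "event": event, "tag": _tag(self._key, prev, seq, event)}
        self.records.append(rec)
        return rec

    def checkpoint(self) -> Tuple[int, str]:
        """(record count, last tag) to store elsewhere, e.g. forwarded to a SIEM, so truncation is detectable."""
        return len(self.records), (self.records[-1]["tag"] if self.records else GENESIS)


def verify_chain(key: bytes, records: List[Dict]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, otherwise (False, index of the first bad record).
    Catches edited events, forged records, reordering, and records removed from the middle."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i:
            return False, i
        expected = _tag(key, prev, i, rec["event"])
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return False, i
        prev = rec["tag"]
    return True, -1


def verify_against_checkpoint(key: bytes, records: List[Dict], checkpoint: Tuple[int, str]) -> bool:
    """Chain check plus comparison with the externally held checkpoint. A trail that was
    merely cut short still verifies on its own, so the checkpoint is what catches truncation."""
    ok, _ = verify_chain(key, records)
    count, last_tag = checkpoint
    actual_last = records[-1]["tag"] if records else GENESIS
    return ok and len(records) == count and hmac.compare_digest(actual_last, last_tag)


if __name__ == "__main__":
    trail = AuditTrail(b"log-service-key")  # example key; a real deployment keeps it in a KMS/HSM
    trail.append({"user": "alice", "action": "login", "result": "ok"})
    trail.append({"user": "alice", "action": "read", "object": "payroll"})
    trail.append({"user": "bob", "action": "provision", "subject": "carol"})
    print("intact:", verify_chain(b"log-service-key", trail.records))
    trail.records[1]["event"]["object"] = "cafeteria-menu"  # tamper with a stored record
    print("after edit:", verify_chain(b"log-service-key", trail.records))
```

The access restrictions the card calls for still apply: the chain detects tampering after the fact, it does not prevent it, and the checkpoint must be written somewhere the log writer cannot reach or it proves nothing.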

Second Line's Role in Cybersecurity

-The first and second line roles that include risk, control, and compliance functions help assess whether the controls are functioning adequately and whether they are complete. -The second line role is expected to implement a monitoring strategy designed to generate behavioral change. -First and second line roles need qualified, talented, and certified individuals who can conduct cyber risk assessments and gather intelligence on cyber threats. -The roles need adequate policies, including for ongoing training. They may be involved in helping to: ---Design roles to have least-privilege access. ---Assess external business relationships. ---Plan and test business continuity and disaster recovery.

Internal Audit Activity and Compliance Related to Security

-The internal audit activity can report to management and the board on the level of compliance with security rules, significant violations, and their disposition. -With regard to information security, high-level compliance can be achieved through the implementation of codes of practice for information security compliance. An example is ISO/IEC 27002:2013, which: -Focuses on information security controls and establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. -Contains best practices for control objectives and controls that can be applied by any organization, regardless of size or industry.

Firewall: DMZ (Demilitarized zone)

-The location of a firewall can create a DMZ. DMZs (from military jargon for "demilitarized zones") are portions of a network that are not part of either the Internet or the internal network, such as the segment between the Internet access router and an externally reachable host. -If the access router enforces an access control list, it creates a DMZ that allows only recognized traffic to reach the host.
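The "allows only recognized traffic" behaviour comes from how a router ACL is evaluated: the first matching rule decides, and anything that matches nothing is dropped. The following added example, which is not part of the original flashcards, models that evaluation in Python, puts a sound DMZ policy (Internet may reach only the DMZ web host, only on 80/443; nothing reaches the internal network) beside a weak one that differs only in rule order, and includes a shadowing check that flags rules an earlier rule makes unreachable. Addresses, rule sets, and packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str               # CIDR, single address, or "any"
    dst: str
    dport: Optional[int]   # destination port; None = any


def _addr_in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Dict) -> bool:
    return (
        (rule.proto == "ip" or rule.proto == pkt["proto"])
        and (rule.dport is None or rule.dport == pkt.get("dport"))
        and _addr_in(rule.src, pkt["src"])
        and _addr_in(rule.dst, pkt["dst"])
    )


def evaluate(acl: List[Rule], pkt: Dict) -> str:
    """First-match semantics with an implicit deny, as on a router ACL."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def _net_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` could match is already matched by `outer`."""
    return (
        (outer.proto == "ip" or outer.proto == inner.proto)
        and (outer.dport is None or outer.dport == inner.dport)
        and _net_covers(outer.src, inner.src)
        and _net_covers(outer.dst, inner.dst)
    )


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never be reached because an earlier rule covers them."""
    return [i for i, r in enumerate(acl) if any(_covers(acl[j], r) for j in range(i))]


# Hypothetical addressing (example values, not from the original page).
DMZ_WEB = "203.0.113.10"       # externally reachable host in the DMZ
INTERNAL_NET = "10.0.0.0/8"    # internal network behind the DMZ
INTERNET_CLIENT = "198.51.100.7"

# Intended policy. Everything not listed falls through to the implicit deny.
GOOD_ACL = [
    Rule("permit", "tcp", "any", DMZ_WEB, 443),
    Rule("permit", "tcp", "any", DMZ_WEB, 80),
    Rule("deny", "ip", "any", INTERNAL_NET, None),
]

# Weak variant: identical rules, but a broad permit placed first shadows all of them.
WEAK_ACL = [Rule("permit", "ip", "any", "any", None)] + GOOD_ACL

# Constructed test traffic from the Internet side.
PACKETS = {
    "web_https":    {"proto": "tcp", "src": INTERNET_CLIENT, "dst": DMZ_WEB, "dport": 443},
    "web_http":     {"proto": "tcp", "src": INTERNET_CLIENT, "dst": DMZ_WEB, "dport": 80},
    "ssh_to_dmz":   {"proto": "tcp", "src": INTERNET_CLIENT, "dst": DMZ_WEB, "dport": 22},
    "internal_rdp": {"proto": "tcp", "src": INTERNET_CLIENT, "dst": "10.0.0.5", "dport": 3389},
    "icmp_to_dmz":  {"proto": "icmp", "src": INTERNET_CLIENT, "dst": DMZ_WEB},
}


def decisions(acl: List[Rule]) -> Dict[str, str]:
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("good ACL:", decisions(GOOD_ACL), "shadowed:", shadowed_rules(GOOD_ACL))
    print("weak ACL:", decisions(WEAK_ACL), "shadowed:", shadowed_rules(WEAK_ACL))
```

When reviewing a real ACL, the shadowing check is the quick win: a deny that can never be reached is the usual way an "allow only recognized traffic" policy quietly becomes "allow everything".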

Internal Audit's Role in terms of Information Security Management

-The primary monitoring role over information security (and other areas) is with management rather than internal audit -Internal audit's role is to periodically monitor the effectiveness of information security management. This includes assessing the organization's information confidentiality, integrity, and availability practices and recommending, as appropriate, enhancements to, or implementation of, new controls and safeguards. -The CAE determines whether information integrity breaches and conditions that might represent a threat to the organization will promptly be made known to senior management, the board, and the internal audit activity. -Internal auditors assess the effectiveness of preventive, detective, and mitigation measures against past attacks, as appropriate, and future attempts or incidents deemed likely to occur. They determine whether the board has been appropriately informed of threats, incidents, vulnerabilities exploited, and corrective measures.

Insider Threat Programs

-The primary purpose of an insider threat program is to protect critical assets, which include valuable data, people, facilities, and systems. -Insider threats cannot be completely eliminated, and trying to do so can be prohibitively expensive.

CYBERSECURITY RISK ASSESSMENT FRAMEWORK: 6) Ongoing Monitoring

-The second line role is expected to implement a monitoring strategy designed to generate behavioral change. Successful behavior change can include the following results: --Users who do critical processes or access sensitive data are monitored at the access level. --A systematic process to find IT vulnerabilities and remediate them is developed, including by regularly scanning systems. --For external-facing systems, first and second line roles help define and agree on service level agreements (SLAs), service organization controls (SOCs), and other risk assessment and oversight programs such as technical architecture evaluations and compliance monitoring. --The second line roles do announced and unannounced penetration testing. --A method of ongoing monitoring and remote updating of smart devices for malware security should be in place.

Information Security

-The set of policies, processes, and procedures used to protect the organization's intellectual property by ensuring the confidentiality, integrity, and availability of the organization's data and information in any format (electronic, print, or other media). -In addition to establishing preventive and detective controls, information security involves continuously monitoring and responding to security threats. Information security extends to the data in storage, processing, and transit.

Controls to Protect Operating Systems

-The use of homogeneous operating systems allows wide-scale exploitation of bugs, since one flaw applies to every machine. -Controls include: -Frequent updates and patches to operating systems. -Running day-to-day user sessions without administrative privileges. -Operating systems that restrict the rights given to code, such as use of a virtual area or sandbox, which fixes a security flaw of over-privileged code (when systems allow any code executed on a system to receive all rights of the system user).

SMART DEVICE RISKS: Compliance Risks

-The variety and number of smart devices creates a risk of organizational smart devices failing to be regularly updated per policies and procedures. -BYOD update risks are even higher, since the organization may not control updates. For example, a person could avoid updates due to performance concerns.

Internal Audit Effectively Communicating the Risks Related to Insider Threats

-To effectively communicate the risks related to insider threats to the board, internal auditors must translate audit findings into terms of financial loss, reputation damage, operational disruption, and other organizational performance indicators. -Best practices include referring to existing industry reports and educating the board that only reasonable assurance of security is possible.

Trojan Horses

-Trojan horses are malicious programs disguised as innocuous or useful software, delivered using social engineering. -Social engineering is a set of rhetorical techniques used to make fraudulent messages seem inviting; it is initiated through deceptive emails, instant messages, or phone contact. -A key control is to educate users to initiate all contact themselves (i.e., don't click on an email link; go to the site directly). -Once installed, Trojan horses can install more harmful software, such as spyware. -Spyware is malware installed without the user's knowledge to surreptitiously transmit data to an unauthorized third party. -Trojan horses are smaller and easier to transmit and cheaper to develop than worms or viruses because they do not need to be capable of self-delivery. Trojan horses include the following: ---Trojan-clickers covertly direct the victim's browser to web pages (e.g., to generate fraudulent advertising clicks). ---Banker programs steal bank account data. ---Rootkits are tools installed at the root (administrator) level to hide their presence. ---Trojan-proxies use an infected computer as a proxy.

Cybercrime: Insiders and Service Providers

-Two other sources of cybersecurity risks are insiders and service providers, especially service providers who develop substandard offerings that have security vulnerabilities or who do not promptly patch known vulnerabilities. -Aside from negligence, insiders and service providers could use their inside knowledge and access to take advantage of inside information to perpetrate or conceal fraud.

Sources of Physical Security Vulnerabilities

-Unauthorized access to facilities, systems, etc. -Natural disasters (e.g., fires, floods, hurricanes, tornadoes, earthquakes) -Service disruptions (e.g., telecommunications, network, Internet access, electrical power, equipment, supply chain) -Human error -Theft and vandalism -Terrorism or sabotage

Access Based on Role

-Under the concept of least privilege, users and/or departments are assigned roles or profiles granting them access only to areas where there is a genuine business need. -Access rights are based on a role name set in a hierarchy, which should be audited to see if roles are too broad and some users have unnecessary rights. -Roles can be used to enforce laws and regulations, such as allowing only authorized roles to create prescriptions. -They can also be segregation-of-duties controls, such as preventing a cash manager from creating journal entries. -Roles can allow for some users to have read-only access (no modifications).
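The role-based and segregation-of-duties controls above, together with the provisioning approval check described under "The Three Processes Involved in Identity Access Management" (the requester of an access change must not be the one who approves it), can be expressed as a small policy engine. The following added example, which is not part of the original flashcards, uses a hypothetical role model and user directory: it resolves roles to permissions, flags toxic combinations (including the card's cash manager who could create journal entries), identifies read-only roles, and approves a provisioning request only when requester and approver differ, the approver holds provisioning authority, and the resulting role set creates no conflict. All role, permission, and user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed role model (hypothetical). Permissions are "resource:action".
ROLES: Dict[str, Set[str]] = {
    "ap_clerk":      {"payments:create", "vendors:read"},
    "cash_manager":  {"bank_accounts:read", "payments:release"},
    "gl_accountant": {"journal_entries:create", "journal_entries:post", "ledger:read"},
    "auditor":       {"ledger:read", "bank_accounts:read", "payments:read"},  # read-only role
    "iam_admin":     {"identities:provision"},
}

# Toxic combinations: one person holding both sides could commit and conceal a fraud.
SOD_CONFLICTS: List[Tuple[Set[str], str]] = [
    ({"payments:create", "payments:release"}, "create and release the same payment"),
    ({"payments:release", "journal_entries:create"}, "move cash and book the entry that hides it"),
    ({"identities:provision", "payments:release"}, "grant oneself or an accomplice payment authority"),
]

# Constructed directory: which roles each user currently holds.
USERS: Dict[str, Set[str]] = {
    "alice": {"cash_manager"},
    "bob":   {"iam_admin"},
    "carol": {"gl_accountant"},
    "dave":  {"auditor"},
}


def effective_permissions(roles: Set[str]) -> Set[str]:
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLES.get(role, set())
    return perms


def authorize(user: str, permission: str, users: Dict[str, Set[str]] = USERS) -> bool:
    """Least privilege: the request succeeds only if an assigned role grants exactly that permission."""
    return permission in effective_permissions(users.get(user, set()))


def is_read_only(roles: Set[str]) -> bool:
    perms = effective_permissions(roles)
    return bool(perms) and all(p.endswith(":read") for p in perms)


def sod_violations(roles: Set[str]) -> List[str]:
    """Describe every toxic combination present in the combined permission set of these roles."""
    perms = effective_permissions(roles)
    return [why for needed, why in SOD_CONFLICTS if needed <= perms]


@dataclass
class ProvisioningRequest:
    subject: str      # identity whose access changes
    grant: Set[str]   # roles to add
    requester: str    # who asked for the change
    approver: str     # who approved it


def approve_provisioning(req: ProvisioningRequest, users: Dict[str, Set[str]] = USERS) -> Tuple[bool, str]:
    """Provisioning-time segregation of duties: requester and approver must differ, the approver
    must hold provisioning authority, and the resulting role set must not form a toxic combination."""
    if req.requester == req.approver:
        return False, "requester may not approve their own request"
    if not authorize(req.approver, "identities:provision", users):
        return False, f"{req.approver} lacks provisioning authority"
    unknown = req.grant - set(ROLES)
    if unknown:
        return False, f"unknown roles: {sorted(unknown)}"
    conflicts = sod_violations(users.get(req.subject, set()) | req.grant)
    if conflicts:
        return False, "would create SoD conflict: " + "; ".join(conflicts)
    return True, f"{req.subject} gains {sorted(req.grant)}"


if __name__ == "__main__":
    print(approve_provisioning(ProvisioningRequest("carol", {"auditor"}, requester="alice", approver="bob")))
    print(approve_provisioning(ProvisioningRequest("alice", {"gl_accountant"}, requester="alice", approver="bob")))
    print(approve_provisioning(ProvisioningRequest("carol", {"auditor"}, requester="bob", approver="bob")))
```

Running `sod_violations` over every user's current roles (not only over new requests) is the periodic role audit the card asks for; roles that accumulate permissions over time create conflicts that no single provisioning decision ever saw.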

User Authentication & Authorization Controls for Applications/Application authentication

-User authentication and authorization controls for applications are sometimes called application authentication.
-With application authentication, a software application is able to grant access only to authorized users or systems and prevent unauthorized access.
-Application authentication also depends on implementing logical access controls, which are basically a framework for allocating appropriate access.

Externally Stored Data and Third-Party Cybersecurity Risk - CONTRACTS

-When data is stored external to the organization, such as in a third-party cloud, it is vital for the organization to ensure that vendors are properly managing relevant risks. Critical steps for management to take include due diligence and strong contracts that require:
  -Service organization control (SOC) reports
  -Right-to-audit clauses, including use of cybersecurity engagements
  -Service level agreements (SLAs), including reporting requirements related to information security protections
-Oversight and data and information security governance include monitoring the vendors and the key metrics they report to ensure conformance with the SLAs.
-Remedies for deficiencies include asking for timely resolution of concerns, enforcing penalties, and enforcing the right to audit.
-Vendors who do not remediate issues in a timely manner may need to be replaced.

Three Fundamental Questions Around Identity and Access Management (IAM) (GTAG 9)

-Who has access to what information?
-Is the access appropriate for the job being performed?
-Are the access and activity monitored, logged, and reported appropriately?

Ransomware

-With ransomware, software encrypts all files on a computer or network and the criminal sends the user a demand indicating that the encryption key won't be released unless a payment is made quickly, usually through a cryptocurrency.
-Avenues of attack include links or attachments in unsolicited emails as well as malvertising, or malicious advertising on websites that can direct users to criminal servers even if the user never clicks on an ad.
-Ad-blocking software is a partial defense.

Worms

-Worms are self-replicating malware that can disrupt networks or computers.
-Unlike a virus, a worm does not attach itself to an existing program or to code. It spreads by sending copies of itself throughout a network.
-Worms may act to open holes in network security or trigger a denial-of-service attack.

Domain 2 Information Security Percentage of the Exams

25%

OTHER MALWARE: Dialer

A dialer automatically dials a 900 number (a high-fee line) to generate huge debts.

Limitations of a Firewall

A firewall has limitations, for example:
-Data can still be stolen via USB flash drive or use of a personal modem on a voice line.
-Employees or visitors could have a conflict of interest (industrial espionage), or they could simply be gullible and "help" someone by providing access.
-Firewalls can be configured incorrectly.

OTHER MALWARE: Key Logger

A key logger records keystrokes to steal passwords, etc.

Password Authentication

A primary logical access control is password authentication. Authentication includes:
-Digitally enforced use of alphanumeric passwords
-Enforced password changes
-Password management, such as deleting unused passwords and user accounts (provisioning) or detecting user accounts that have no password or use a default password

OTHER MALWARE: Adware

Adware is malware intended to provide undesired marketing and advertising, including pop-ups and banners on a user's screen.

INTERNAL THREATS - ILLEGAL PROGRAM ALTERATIONS: Asynchronous attack

Asynchronous attacks cause an initial system action and then a subsequent system reaction. For example, after a system has been shut down and before it restarts automatically, changes may be made to the restart parameters to weaken security.

Antivirus Software

Antivirus software exists to block known cybersecurity threats. This type of preventive control is effective only if it is regularly updated to address emerging threats.

Audit Trails

Audit trails log the functions performed and the changes made in a system, including who made the change and when, for example:
-An audit log could show repeated incorrect password entries to investigate
-Comparisons of users to their activities can highlight unusual activities
-Use of sensitive or powerful command codes can be reviewed

Availability

Availability is ensuring that authorized roles and individuals have access to the information and information systems required to perform their duties without unreasonable outages.

Bring Your Own Device (BYOD) Policies

BYOD policies should require an employee signature and may include:
-What devices are allowed and the individual's maintenance responsibilities
-Policies on downloading, use, and transmission of organizational data, with specific prohibitions for sensitive data
-Minimum security requirements
-Backup policies, including whether home backups are allowed (home backups could be prohibited to maintain U.S. HIPAA compliance)
-Enabling remote wiping (for stolen devices) or possibly mobile device management (MDM) for remote software updating, monitoring, etc.
-Policy on selling, discarding, or sending a device in for maintenance (e.g., proper wiping of memory)
-Requirements to use a virtual private network (VPN) and not to use Wi-Fi networks without a VPN

INTERNAL THREATS - ILLEGAL PROGRAM ALTERATIONS: Backdoors

Backdoors can bypass normal authentication and be installed by direct code manipulation (or by Trojan horses).

COBIT

COBIT systems security objectives reflect the breadth and complexity of the systems security environment:
-Manage IT security, as aligned with business requirements.
-Implement an IT security plan that balances organizational goals, risks, and compliance requirements with the organization's IT infrastructure and security culture.
-Implement identity management processes to ensure that all users are identified and have appropriate access rights.
-Manage user accounts through appropriate policies and processes for establishing, modifying, and closing them.
-Ensure security testing, surveillance, and monitoring to achieve a baseline level of system security and to prevent, identify, and report unusual activity.
-Provide sufficient security incident definition to allow problems to be classified and treated.
-Protect security technology by preventing tampering and ensuring the confidential nature of security system documentation.
-Manage cryptographic keys to ensure their protection against modification and unauthorized disclosure.
-Prevent, detect, and correct malicious software across the organization in both information systems and technology.
-Implement network security to ensure authorized access and flow of information into and from the enterprise.
-Ensure that sensitive data is exchanged only over trusted paths or through reliable media with adequate controls to ensure authenticity of content, proof of submission, proof of receipt, and proof of nonrepudiation of origin.

Common Questions When Designing Information Security Policies

Common questions that this assessment should ask include:
-What information is considered business-critical?
-Who creates that critical information?
-Who uses that information?
-What would happen if the critical data were to be lost, stolen, or corrupted?
-How long can our business operate without access to this critical data?

Components of an Insider Threat Program that Internal Auditors Should Review

Components of the program to review include:
-Stakeholders involved and their requirements.
-Senior management and board buy-in and oversight, including governance structure and policy.
-Management's insider threat planning process.
-Management's insider threat risk management process:
  -How it identifies critical assets
  -How it identifies threats
  -How it assesses vulnerabilities
-Management's insider threat operations:
  -Communications, training, and awareness programs (which should be improved using feedback loops from issue resolutions)
  -Preventive and detective controls.
  -Data and tool requirements.
  -Analysis and incident management:
    -Initial and internal investigations
    -Referrals and reporting
    -External criminal investigation decisions
    -Final actions, management reporting, and feedback and lessons learned.
Subprocesses may also be reviewed, such as the employee application, screening, hiring, onboarding, reaccreditation (changing access privileges when employees shift to new positions), and termination processes.

Confidentiality

Confidentiality is enabling only authorized persons to access or view the information.

Multi-tiered Corporate Firewalls

Corporate firewalls are often multi-tiered:
-A firewall is placed before the web server and any other public access servers.
-A firewall is placed between the public access servers and the private network areas.
-Additional firewalls can be used to protect sensitive data such as payroll.

Cyber Risks/Cyber Threats

Cyber risks (or cyber threats) involve persons or entities that seek unauthorized access to a system, network, or device, either remotely or via inside access.

What do cyber risks/threats involve?

Cyber risks (or cyber threats) involve persons or entities that seek unauthorized access to a system, network, or device, either remotely or via inside access.

Cybersecurity

Cybersecurity, also referred to as computer or IT security, is the protection of computers, networks, programs, and data from attack, unauthorized access, damage, change, or destruction.

Data Privacy

Data privacy is the individual's right to have a voice in how his or her personally identifiable information is collected, handled, and used, to control who has access to that information, and to amend, change, or delete the information.

Information Security: Data Security

Data security should ensure that only authorized users can access a system, their access is restricted by user role, unauthorized access is denied, and all changes to computer systems are logged to provide an audit trail.

5 FUNCTIONS OF NIST CYBERSECURITY FRAMEWORK: Detect

Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
CATEGORIES
-Anomalies and events
-Security continuous monitoring
-Detection processes

IAM: Enforcement

Enforcement occurs automatically, through processes or mechanisms, as identities are authenticated and authorized and activity is logged. This forms an audit trail.

Common Insider Threats Using IT

FRAUD
-Risk: Identity theft or illegal use of data for personal gain
-Impact: Financial misstatements or reputation damage
IT SABOTAGE
-Risk: Use of IT to harm the organization or a specific individual
-Impact: Denial of service or productivity loss
THEFT OF INTELLECTUAL PROPERTY
-Risk: Industrial espionage involving insiders
-Impact: Loss of competitive advantage or revenue
THEFT OR DISCLOSURE OF SENSITIVE DATA
-Risk: Theft of confidential, proprietary, or private data for financial gain
-Impact: Restitution payments to customers or loss of customer trust
THEFT OF PERSONAL DATA
-Risk: Theft or disclosure of personally identifiable information
-Impact: Legal expenses, restitution, or loss of trust; data privacy noncompliance penalties
ILLEGAL ACTIVITIES
-Risk: Use of digital assets to send spam, gamble, or do other prohibited activities
-Impact: Financial losses and reputation damage

Financial Services and Data Privacy

Financial Services: Many regulations and active supervisory bodies exist due to the sensitivity of PII such as credit history.

What can firewalls do?

Firewalls can:
-Improve security by blocking access from certain servers or applications.
-Reduce vulnerability to external attacks (e.g., through viruses) and ensure IT system efficiency by limiting user access to certain sites.
-Provide a means of monitoring communication and detecting external intrusions (through intrusion detection systems) and internal sabotage.
-Provide encryption internally (within an enterprise).

Physical Security: Protecting Server Rooms

For server rooms:
-Heating, ventilation, and air conditioning (HVAC) is particularly important. Servers function better in cool, low-humidity rooms. The air must be clean and free from smoke and particles, especially metallic particles, which can ruin tapes or CPUs.
-UPSs (uninterruptible power supplies) and surge suppression should be employed.
-Devices need to be grounded and the floor covered with static takeoff.
-Electromagnetic interference from outside devices can be minimized by proper shielding.

Data Privacy Controls

Fundamental controls for data security include ensuring adequate governance and oversight by the board and management.
-Another general control example is benchmarking the organization's privacy compliance and data-handling practices and weaknesses against international policies, laws, regulations, and best practices.
Here are some additional elements of an effective privacy program:
-Clear roles and responsibilities
-Privacy statement/notice
-Written policies and procedures for the collection, use, disclosure, retention, and disposal of PII
-Information security practices, incident response plans, and corrective action plans
-Training and education of employees
-Privacy risk assessments and maturity models
-Monitoring, auditing, and compliance with privacy laws and regulations
-Inventory of the types and uses of PII
-Controls over service providers (outsourcing)

Health Care and Research and Data Privacy

Health Care and Research: Sensitive patient information is highly regulated. One example of a private-sector law is the U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the disclosure of medical records. It applies to health plans, health-care clearinghouses, health-care providers, and employers.

5 FUNCTIONS OF NIST CYBERSECURITY FRAMEWORK: Identify

Identify: Identify and communicate cybersecurity objectives and goals. Develop organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
CATEGORIES
-Asset management
-Business environment
-Governance
-Risk assessment
-Risk management strategy
-Supply chain risk management

IAM: Identity Management

Identity management refers to the establishment, communication, and management of IAM strategies, policies, and processes. It entails monitoring, auditing and reconciling, and reporting system performance.

Domain 2 Information Security

Information Security
(A) Differentiate types of common physical security controls (cards, keys, biometrics, etc.) - BASIC
(B) Differentiate the various forms of user authentication and authorization controls (password, two-level authentication, biometrics, digital signatures, etc.) and identify potential risks - BASIC
(C) Explain the purpose and use of various information security controls (encryption, firewalls, antivirus, etc.) - BASIC
(D) Recognize data privacy laws and their potential impact on data security policies and practices - BASIC
(E) Recognize emerging technology practices and their impact on security (bring your own device [BYOD], smart devices, internet of things [IoT], etc.) - BASIC
(F) Recognize existing and emerging cybersecurity risks (hacking, piracy, tampering, ransomware attacks, phishing attacks, etc.) - BASIC
(G) Describe cybersecurity and information security-related policies - BASIC

Who may internal auditors need to work with to understand data security policies?

Internal auditors may need to work with other parties to understand the context of security policies and guidelines for both internal use and those communicated to customers, including:
-Legal counsel, to identify other steps that should be performed
-Privacy professionals, to help internal auditors develop an understanding of data privacy framework maturity
-IT specialists, to help create a process map of information flows, system controls, and the PII life cycle, including incident response programs

Examples of INTERNAL THREATS - ILLEGAL PROGRAM ALTERATIONS:

Internal threats: illegal program alterations.
-Hackers, or more likely, malicious insiders with programming privileges, can alter the code of programs, usually to perpetrate fraud or theft. The following are examples of such data manipulation techniques:
-Asynchronous attack
-Data diddling
-Data hiding
-Back door

International Business and Data Privacy

International Business: Many laws and regulations require that PII not leave the regulated zone of a country. These rules address the concern of loss of control when PII is transferred to another jurisdiction (which may not respect other nations' laws).

Internal Audit Activity and Security Violation Corrections

It is reasonable to expect that the internal audit activity will monitor whether and how well information security violations are corrected when they are discovered (similar to corrective action plans in response to internal audits). In doing so, the focus of the internal auditor should be to ensure that the root causes of the security violations are addressed.

Financial and Budgetary IT Controls

Management needs to ensure that the sizable investments in IT development and support are effective in helping meet organizational objectives and are efficient from a cost-benefit perspective. Related controls include:
-Ensuring that there is a process to justify and approve software projects or ongoing operations using measurable metrics such as projected return on investment or savings
-Monitoring and controlling software projects and operations against baselines
-Evaluating completed software projects or operational results against their projected results or baselines to determine the accuracy of those projections, and reporting on results

5 FUNCTIONS OF NIST CYBERSECURITY FRAMEWORK: Respond

Respond: Develop and implement the appropriate activities to take action regarding a cybersecurity event.
CATEGORIES
-Response planning
-Communications
-Analysis
-Mitigation
-Improvements

Server Access Control

Server access control is the use of internally encrypted passwords to keep technical persons from browsing password files.

SMART DEVICE RISKS: Physical Security Risks

Small devices are at risk of loss, breakage, or theft.

Social Services and Data Privacy

Social Services: Government agencies are subject to specific compliance requirements, but other institutions such as churches may be exempt from general legal frameworks, which could lead to lax privacy controls.

What do system administrators need to do?

System administrators need to:
-Implement cybersecurity procedures, including training and testing of these procedures
-Keep all systems up to date and securely configured, including restriction to least-privilege access roles (i.e., not overprivileged)
-Use intrusion detection systems
-Conduct penetration testing (simulated attacks such as a denial-of-service attack) and internal and external scans for vulnerability management
-Manage and protect network traffic and flow
-Employ data loss prevention programs, including encrypting data when feasible

Personally Identifiable Information (PII)

The "Auditing Smart Devices" Global Technology Audit Guide cites the following U.S. Department of Labor definition of personally identifiable information (PII): Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements (e.g., indirect information). These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors. Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic, or other media. Photographs and biometric identifiers are other examples of PII, as is behavioral information, for example, in a customer relationship management system.

Logical Access Controls Definition

The ways computer program logic can identify authorized users.

IAM: Provisioning

The most visible aspect of IAM is provisioning—the creation, changing, termination, validation, approval, propagation, and communication of an identity. The IT department is responsible for developing and universally applying a policy statement on provisioning using input from business units. One role of the internal audit activity is to determine if there is proper segregation of duties for the approval of provisioning to an identity.

Challenges Faced by Antivirus Vendors

The number and frequency of network attacks is increasing, sometimes with several versions of the same type of malware appearing in one day. Antivirus vendors have resorted to hourly updates. The antivirus industry rapid response system is challenged by criminals who have their own structure to develop new threats and to scan for and infect vulnerable systems.

Overall Goal of Information Security

The overall goal of information security is to maintain the integrity of information assets and processing and mitigate and remediate vulnerabilities.

Three Types of Cybercrime

There are generally three main types of computer crime:
-Those where the computer is the target of a crime
-Those where the computer is used as an instrument of a crime
-Those where the computer is not necessary to commit the crime, but it is used to make committing the crime faster, to process more information, or to make the crime more difficult to identify and trace

Determining Security Levels

To determine appropriate network security levels, the organization assesses its data repositories and physical security requirements and assigns security risk levels.
-The highest-security physical area or data in a database defines the area's security level; for example, key projects such as R&D data would have elevated security.
-The availability, integrity, and confidentiality requirements for each area are assessed.
Once the security level is known, a multi-tiered security system can be designed, including provisions for physical, software, program library, and application security.

EMERGING TECHNOLOGY: User-behavior analytics

User-behavior analytics operates on the premise that by identifying activity that does not fit within the normal routine of an employee, IT can identify a malicious attacker posing as an employee.

Web Applications and Verification

Web applications can also authenticate users, who may be assigned to roles, such as customer, user, manager, etc., and assigned a log-in code, which is sent to the web server for verification. This verification process creates an audit trail.

DATA PRIVACY RISKS: Threats to Individuals

While excessive privacy practices can hinder efficiency and thus investor returns, risks of damaged reputation and litigation usually outweigh this consideration.

DATA PRIVACY RISKS: Threats to Stakeholders

While excessive privacy practices can hinder efficiency and thus investor returns, risks of damaged reputation and litigation usually outweigh this consideration.

Zero-day Attack

Zero-day attacks use malware that is not yet known by the anti-malware software companies.
