Chapter 4
1. The availability of system utilities is what an IS auditor is most concerned about when conducting an audit of client-server database security, because such utilities may enable unauthorized changes to be made to data on the client-server database.
2. Recovery point objective (RPO): the age of the recovered data (i.e. how long ago the data were backed up)
->if the RPO is very low, e.g. minutes, the org cannot afford to lose even a few minutes of data->data mirroring should be used
->if the RPO is high->other backup procedures such as tape backup and recovery can be used
High recovery time objective (RTO): the IT system may not be needed immediately after the disaster declaration (it can be recovered later)
3. Mobile site: specially designed trailers that can be quickly transported to a business location or to an alternate site to provide a ready-conditioned information processing facility
Warm site: partially configured, usually with network connections and selected peripheral equipment, but without the main computer
Cold site: has only the basic environment to operate an IPF; ready to receive equipment but does not offer any components at the site in advance
Hot site: fully configured and ready to operate within several hours or even minutes
A4-2. A transition clause from the old supplier to the new supplier in the case of expiration or termination is most important, because there is a risk the old supplier may simply pull the plug and make no data available to the org
A4-3 Right to audit is most important in an outsourcing contract with a service provider
A4-11 To ensure system availability, test plans and procedures should exist and be closely followed
A4-12 ** Incident response plan determines the information security responses to incidents such as
cyberattacks on systems. This plan establishes procedures to enable security personnel to identify,
mitigate and recover from malicious computer incidents
A4-14 **Open system architecture
Open systems are those in which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability (the ability to work with each other) between systems made by different vendors
A4-15: Unshielded twisted pair: reduces the likelihood of crosstalk
A4-16: Critical element of disaster recovery plan: offsite storage of backup data
A4-17 Continuous monitoring
A4-24 Quality of Service: refers to traffic prioritization and resource reservation control mechanisms rather than the achieved service quality->gives priority to business applications and end users through allocation of dedicated parts of the bandwidth to specific traffic
A4-28
Retention time: duration of time for which the information should be maintained
Network diagnostic tool: client/server program that provides network configuration and
performance testing to a user desktop or laptop
Online monitor: measure telecommunication transmissions and determine whether transmissions
were accurate and complete
Downtime report: track availability of telecommunication lines and circuits
Help desk report: prepared by help desk, staffed or supported by IS technical support personnel
trained to handle problems
Protocol analyzers: network diagnostic tools that monitor and record network information from
packets travelling in the link to which the analyser is attached
Fallback procedures: restore a system to a previous state->used when software is being upgraded but the upgrade does not work and requires a fallback to its former state
A4-36 Normalize a table: group tables together->reduce redundancy
Denormalize a table: increase redundancy->useful when you are retrieving data->increases the risk of loss of data integrity because there is a lack of consistency of data
A4-39 Concurrency control: prevent data integrity problems, which can arise when two update
processes access the same data item at the same time
A4-40 Network monitoring tools: mainly focus on availability
A4-55 Capacity monitoring: ensure compliance with internal SLA
A4-69 Escrow agreement: ensure customer can continue to use the software and obtain technical
support if a vendor were to go out of business
Object oriented technology
1. inheritance
-> both have similar features so you can simply inherit
2. encapsulation
3. polymorphism
SQL: structured query language->used to communicate with a database->SQL statements are used to perform tasks such as updating data in a database or retrieving data from a database
Referential integrity: Primary key vs foreign key
Business process reengineering
Stress testing: relates to capacity and availability
Black box testing: performed on individual modules
Interface testing: test the interaction with external systems but would not validate the performance
of changed system
System testing: test all functionality and interfaces between modules
Network topology: arrangement of the elements (links, nodes etc) of a communication network,
used to define or describe the arrangement of various types of telecommunication networks
Redundant Array of Inexpensive Disks (RAID) level 1:
Provides disk mirroring: data written to one disk are also written to another disk->if one disk fails, the second disk takes over->ensures availability of data
Will not protect against natural disaster
Before image dump: last transaction in the dump will not have updated the database prior to the
dump being taken
For online systems, it is particularly important to ensure periodic dumps of transaction logs; this is the only safe way of preserving timely historic data, because online systems do not have a paper trail that can be used to recreate data, so maintaining transaction logs is critically important to prevent data loss
Back up addresses availability not integrity
Containment=stop
Cyclic redundancy check (CRC): error detection
A CRC-enabled device calculates a short, fixed-length binary sequence, known as the check
value or CRC, for each block of data to be sent or stored and appends it to the data, forming
a codeword.
When a codeword is received or read, the device either compares its check value with one
freshly calculated from the data block, or equivalently, performs a CRC on the whole codeword
and compares the resulting check value with an expected residue constant.
If the CRC values do not match, then the block contains a data error.
The device may take corrective action, such as rereading the block or requesting that it be sent
again. Otherwise, the data is assumed to be error-free (though, with some small probability, it
may contain undetected errors; this is inherent in the nature of error-checking).
Incremental backup: minimise media storage
Disk to disk backup: the primary backup is written to disk instead of tape. That backup can then be copied, cloned or migrated to tape at a later time->allows the backup of data to be performed without impacting system performance and allows large quantities of data to be backed up in a very short backup window. In case of a failure, the fault tolerant system can transfer immediately to the other disk set
Domain 5
Parameter tampering: a form of web-based attack in which certain parameters in the Uniform Resource Locator (URL) or web page form field data entered by a user are changed without that user's authorization.
Cross site scripting: bypasses access controls such as the same origin policy
-insert script languages in a text field that other users can see
-Types: reflected/stored/DOM
-involves the compromise of the web page to redirect users to content on the attacker's web site
Cookie poisoning: change cookie files in order to steal someone's identity or financial information. Many different kinds of hacking that focus on taking data from cookies can be called cookie poisoning, including theft of passwords, credit card numbers or other identifiers that are stored in cookie files.
Stealth commanding: insert code in a text field to take control of an application
Encryption vs Hashing
Encryption: two-way; unique file
Hashing: one-way, you can't get the original file from the hash value; on rare occasions there will be a hash conflict (collision)
Document hashing: ensures accuracy
Password hashing: increases security
Hashing detects transmission errors (better than a parity bit)
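The two uses of hashing named above, document hashing (accuracy/integrity) and password hashing (security), as an added example that is not part of the original notes. The contract text, the tampered copy and the password are constructed sample values; the digest algorithm (SHA-256) and the password scheme (salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library) are my choices, not something the notes specify.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the notes): document hashing to detect modification,
# and salted password hashing so stored credentials cannot be reversed.


def document_digest(data: bytes) -> str:
    """One-way SHA-256 digest of a document; the document cannot be recovered from it."""
    return hashlib.sha256(data).hexdigest()


def document_unchanged(data: bytes, recorded_digest: str) -> bool:
    """Recompute the digest and compare it with the one recorded earlier."""
    return hmac.compare_digest(document_digest(data), recorded_digest)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored string carries its own
    parameters so it can be verified later. The random salt makes equal passwords
    hash differently; the iteration count slows down brute-force guessing."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algorithm, iterations, salt_hex, derived_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))


# Constructed sample data (not taken from the notes)
CONTRACT = b"Supplier shall retain backups for 7 years."
TAMPERED = b"Supplier shall retain backups for 1 years."

if __name__ == "__main__":
    digest = document_digest(CONTRACT)
    print("original intact:", document_unchanged(CONTRACT, digest))
    print("tampered intact:", document_unchanged(TAMPERED, digest))
    stored = hash_password("correct horse battery staple")
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("wrong", stored))
```

The recorded digest only proves the document is unchanged if the digest itself was stored somewhere the attacker cannot rewrite; that is why the digital signature section below encrypts the hash with the sender's private key instead of sending it in the clear.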
Check digit->detects transposition and transcription errors->checks accuracy (you apply a formula to calculate a certain number and add it as the last digit)
Parity bits: detect data transmission errors->ensure data completeness->ensure data integrity (how? you count how many 1s are in the data and, e.g. if there are 4, use 0)
Checksum: same as parity but able to identify more complex errors by increasing the complexity of the arithmetic
CRC: more advanced version of parity and checksum; increases the complexity of the arithmetic
Forward error control: correct data transmission error
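The four error-detection methods listed above (check digit, parity, checksum, CRC) run side by side, as an added example that is not part of the original notes; it also illustrates the CRC codeword procedure described in the earlier paragraph. The message and its corruptions are constructed, the checksum is a simple byte sum I chose for illustration, and the check digit formula is an assumed weighted mod-10 (Luhn) scheme, since the notes do not name one.

```python
import binascii

# Added example (not from the notes): what each error-detection method catches.


def parity_bit(data: bytes) -> int:
    """Even parity over the whole block: 1 if the count of 1 bits is odd, else 0."""
    ones = sum(bin(byte).count("1") for byte in data)
    return ones % 2


def checksum8(data: bytes) -> int:
    """Simple arithmetic checksum: sum of all bytes modulo 256."""
    return sum(data) % 256


def crc32(data: bytes) -> int:
    """CRC-32 check value, the value appended to a block to form the codeword."""
    return binascii.crc32(data) & 0xFFFFFFFF


def detection_report(sent: bytes, received: bytes) -> dict:
    """Which methods notice that `received` differs from `sent`.
    Each method recomputes its check value on the received block and compares it
    with the value that travelled with the data (here computed from `sent`)."""
    return {
        "parity": parity_bit(sent) != parity_bit(received),
        "checksum": checksum8(sent) != checksum8(received),
        "crc32": crc32(sent) != crc32(received),
    }


def mod10_check_digit(payload: str) -> str:
    """Assumed weighted mod-10 (Luhn) check digit for a string of decimal digits:
    from the right, double every second digit (subtract 9 if the result exceeds 9),
    sum everything and pick the digit that makes the total a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_valid(number: str) -> bool:
    """Validate a number whose last character is its mod-10 check digit."""
    return mod10_check_digit(number[:-1]) == number[-1]


# Constructed sample block and three corruptions of it.
ORIGINAL = b"PAYMENT 100.00"
SINGLE_BIT = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]  # one bit flipped in 'P'
TWO_BITS = bytes([ORIGINAL[0] ^ 0x03]) + ORIGINAL[1:]    # two bits flipped in the same byte
SWAPPED = b"PAYMENT 010.00"                               # two bytes transposed

if __name__ == "__main__":
    for label, corrupted in [("single bit", SINGLE_BIT), ("two bits", TWO_BITS), ("swapped", SWAPPED)]:
        print(label, detection_report(ORIGINAL, corrupted))
    account = "7992739871"
    print(account + mod10_check_digit(account), check_digit_valid("97927398713"))
```

Parity misses the two-bit flip because the number of 1s stays even; the byte-sum checksum misses the transposition because the same bytes are still present; the CRC catches both, which is the "increasing the complexity of the arithmetic" the notes refer to. The Luhn digit likewise rejects the adjacent-digit transposition and the changed digit.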
Primary reason for establishing audit trails: establish accountability and responsibility for processed
transactions
Intrusion detection systems (IDS): detect network- or host-based errors
Data mining: detect trends or patterns of transactions or data
Firewall: protect network and system
Packet filtering router: operates at network level
Network IDS: monitors activities on an identified network; checks for attacks by inspecting contents and header information of all packets
Host IDS: monitors activities on a particular single system; detects activity on the host computer, e.g. deletion of files, modification of programs
Components of IDS: sensors (collect data)->analyser (analyses data and determines intrusive activity)->user interface (users view results and take actions)->administration console (manages IDS rules and functions)
Signature-based IDS: intrusion is identified on the basis of known type of attacks
Statistical-based IDS: generates the most false positives; determines the normal (known and expected) behaviour of the system
Neural network: similar to statistical-based IDS with added self-learning; capable of capturing relationships missed by other statistical methods
IDS : monitor and record intrusion activities
IPS: also prevent intrusion activities
*IDS won't detect application-level vulnerabilities and will not detect encrypted traffic
Types of firewall:
Packet filtering firewall (network layer): simplest and earliest kind; the allow or deny action is done per IP address and port number of the source and destination of packets
Stateful inspection firewall (network layer): keeps track of the destination of each packet that leaves the internal network; ensures an incoming message is in response to a request that went out (*allows traffic from outside in response to traffic from an internal host)
Application level firewall (application layer; most secure): works on a bastion host and proxy server; separate proxy for each application; controls FTP and HTTP
Circuit level firewall (session layer): works on a bastion host and proxy server
Most robust configuration: deny all traffic and allow specific traffic
What is a bastion host: a kind of reception area in office premises; the only computer allowed to be addressed directly from the public network, designed to protect the rest of the network from exposure
-no critical applications or data are hosted on the bastion host
Proxy: middleman, stands between the internal and external network; will not allow direct communication between the two networks
Firewall Implementation
Screened host firewall: one packet filtering router, one bastion host
Dual homed firewall: one packet filtering router; one bastion host with two network interface cards; the most restrictive form of screened host firewall
Screened subnet firewall (*most secure): two packet filtering routers; one bastion host
For Confidentiality & Authenticity: hash->encrypt using sender's private key; message->encrypt using receiver's public key
For Confidentiality & Authenticity & Integrity: hash->encrypt using sender's private key; message->encrypt using receiver's public key
Digital signature:
Encrypted with the sender's private key and decrypted with the sender's public key
-uses both hash and encryption
-ensures authentication, integrity and non-repudiation
-won't ensure confidentiality
Non-repudiation: the sender cannot deny having sent the message
Classification of information assets: have an inventory of information assets->establish ownership->classification of IS resources->labelling of IS resources (who can access)
Telecommunication network:
1) Broadband network: digital transmission
2) Baseband network: shared with many other users and requires encryption of traffic, but may still allow some traffic analysis by an attacker
3)
Testing
Blind testing (black box testing): the penetration tester is not given any information and is forced to rely on publicly available information; simulates a real attack, except that the target org is aware of the testing being conducted
Targeted testing (white box testing): the penetration tester is provided with info and the target org is aware of the testing activities
Double blind testing (zero knowledge testing): the penetration tester is not given any information and the target organization is not given any warning; both parties are blind
External testing: an external penetration tester launches attacks on the target's network perimeter from outside the target network
Denial of service attack: makes a resource unavailable to the users who want to use it
Spoofing: impersonation where one computer tries to take on the identity of another computer->bypass firewalls and other network security controls
Port scanning: gathers information about a target before a more active attack
Man in the middle attack: active eavesdropping; the attacker intercepts a computerized conversation between two parties and then allows the conversation to continue by relaying the appropriate data to both parties while simultaneously monitoring the same data passing
Data Encryption Standard (DES): susceptible to brute force attack and has been broken publicly->no assurance that data encrypted using DES will be protected from unauthorized disclosure
Message Digest 5 (MD5): generates a one-way hash of data to test and verify data integrity; does not encrypt data but puts data through a mathematical process that cannot be reversed
Advanced Encryption Standard (AES): greatest assurance that data are protected
Secure Shell (SSH): encrypts data transmitted during a session, but can't encrypt data at rest, including on USB
Social engineering attack: gathers sensitive information to launch an attack; can be exercised over any kind of telephony
Responsibility:
1. Information asset owner: assign criticality levels to data
2. Data custodians: implement information security, access rules to data and programs
3. Security admin: provision of physical and logical security for data
Race condition: involves the timing of two events and an action that causes one event to happen later than expected
Privilege escalation: higher-level system authority is obtained by various methods
Buffer overflow: involves applications or actions that take advantage of a defect in the way an application or system uses memory; by overloading the memory storage mechanism, the system will perform in unexpected ways
Impersonation: error in identification of a privileged user
In discretionary access control permissions are set usually by the resource owner.
In mandatory access control permissions are set by fixed rules based on policies and
cannot be overridden by users.
Electromagnetic emission (electromagnetic radiation)
->low risk to health
->won't damage or erase nearby storage media
->can be detected and displayed->unauthorized person gains access to data
Social engineering: no use of computer tools; info will be revealed in different situations, e.g. an interview; usually does not require physical presence of the intruder
Sniffer: computer tool to monitor the traffic in a network
Back door: computer programs left by hackers to exploit vulnerabilities
Trojan horses: pretend to supplant a real program->the program is not authorized and is malicious
*False acceptance rate->best performance indicator
CER->overall best performance indicator
The main accuracy measures used for a biometric solution:
1. FAR->FRR->CER/EER
Biometric life cycle: enrolment, transmission and storage, verification, identification, termination
PKI
Replay->residual biometrics characteristics
Mimic->Faking the characteristics
Crypto->attack on cryptography or encryption
Brute force attack->sending numerous attacks
*Retina scan has highest reliability
*Key difference between elliptic curve encryption and RSA encryption = computation speed (elliptic curve encryption uses smaller keys)
Masquerading: alters data by modifying the origin->active attack
Examples of active attacks: masquerading, denial of service, email spoofing
Examples of passive attacks: network analysis, traffic analysis, eavesdropping
*Security level of a private key system depends on the number of encryption key bits (key length)->the larger the number of bits, the more difficult it is to brute force
Digital Signature vs Digital certificate
Single Sign On (SSO)
-Advantages: multiple passwords not required->encourages users to select a stronger password; improves the admin's ability to manage user accounts; reduces admin overhead cost in resetting passwords due to fewer IT help requests; reduces time taken to log on
-Disadvantages: single authentication point for multiple apps=>risk->single point of failure; support of all major operating system environments is difficult
**acts as a single authentication point for multiple apps as well as a single point of failure
**most important control for SSO: strong implementation of password policy
Example: Kerberos
*Encapsulation: encrypt the traffic payload so that it can be securely transmitted over an
insecure network
Back door: opening implanted into or left in software that enables unauthorized entry into a
system
Ways to connect a private network over the internet in a small/medium org:
-VPN (best) > dedicated line (expensive) > leased line (expensive but private option) > Integrated Services Digital Network (not encrypted)
Function of VPN:
-hides information from sniffers on the internet using a tunnel->works based on encapsulation and encryption of sensitive traffic
-using tunnelling->confidentiality is ensured
Web of trust: suitable for secure communication within a small group
Kerberos authentication system: for a client to access a file server, it must pass through the key distribution centre and request a ticket with an encrypted key; the distribution centre decrypts the key and verifies the client->sends back a ticket encrypted with a secret key
*Voltage regulator->protect against short-term power fluctuations
Peer to peer computing: In peer-to-peer (P2P) networking, a group of computers are
linked together with equal permissions and responsibilities for processing data. Unlike
traditional client-server networking, no devices in a P2P network are designated solely to
serve or to receive data.
Filtering techniques:
Heuristic (rule-based): exception rules need to be defined when a valid
Signature based
Pattern matching
Bayesian (statistical): performs a frequency analysis on each word within the message and then evaluates the message as a whole->ignores a suspicious keyword if the entire message is within normal bounds
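The Bayesian (statistical) filter described above, as an added example that is not part of the original notes: each word gets a probability from its frequency in known spam and known legitimate mail, and the message is judged as a whole by combining those probabilities, so a suspicious keyword such as "free" is ignored when the rest of the message looks normal. The training messages are constructed; the smoothing and log-odds combination are my implementation choices.

```python
import math
import re
from collections import Counter

# Added example (not from the notes): a small naive Bayes mail filter.
# Constructed training corpus; "free" appears in both spam and legitimate mail.
SPAM_SAMPLES = [
    "free prize click here claim your money",
    "cheap loans click now",
    "win free money click",
]
HAM_SAMPLES = [
    "meeting moved to monday please confirm",
    "please review the attached audit report",
    "free parking for the monday meeting",
]


def tokenize(text: str) -> list:
    return re.findall(r"[a-z']+", text.lower())


class BayesianFilter:
    def __init__(self):
        self.spam_words = Counter()
        self.ham_words = Counter()
        self.spam_messages = 0
        self.ham_messages = 0

    def train(self, text: str, is_spam: bool) -> None:
        """Frequency analysis: count how often each word occurs in each class."""
        words = tokenize(text)
        if is_spam:
            self.spam_words.update(words)
            self.spam_messages += 1
        else:
            self.ham_words.update(words)
            self.ham_messages += 1

    def _word_likelihood(self, word: str, spam: bool) -> float:
        """P(word | class) with add-one smoothing so unseen words are not fatal."""
        counts = self.spam_words if spam else self.ham_words
        vocabulary = len(set(self.spam_words) | set(self.ham_words))
        return (counts[word] + 1) / (sum(counts.values()) + vocabulary)

    def word_spam_probability(self, word: str) -> float:
        """What a keyword-only rule would see: the spamminess of one word in isolation."""
        ps = self._word_likelihood(word, True)
        ph = self._word_likelihood(word, False)
        return ps / (ps + ph)

    def spam_probability(self, text: str) -> float:
        """Evaluate the message as a whole: combine every word's evidence (log-odds)."""
        log_odds = math.log(self.spam_messages / self.ham_messages)  # prior
        for word in tokenize(text):
            log_odds += math.log(self._word_likelihood(word, True))
            log_odds -= math.log(self._word_likelihood(word, False))
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text: str, threshold: float = 0.5) -> bool:
        return self.spam_probability(text) >= threshold


def build_filter() -> BayesianFilter:
    f = BayesianFilter()
    for message in SPAM_SAMPLES:
        f.train(message, True)
    for message in HAM_SAMPLES:
        f.train(message, False)
    return f


if __name__ == "__main__":
    f = build_filter()
    print("'free' alone:", round(f.word_spam_probability("free"), 2))
    print("whole message:", round(f.spam_probability("please confirm the monday meeting room is free"), 3))
    print("spam message:", round(f.spam_probability("click here to claim your free prize money"), 3))
```

On its own the word "free" scores above 0.5, so a keyword rule would flag it; the whole-message score for the meeting reminder is near zero because every other word is ordinary, which is the behaviour the notes describe.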
UDP (User Datagram Protocol) :is a communications protocol that is primarily used for
establishing low-latency and loss-tolerating connections between applications on the
internet. It speeds up transmissions by enabling the transfer of data before an agreement is
provided by the receiving party
Dynamic Host Configuration Protocol:
-automatically assigns IP addresses to anyone connecting to the network->with it disabled, static IP addresses must be used, and this requires either admin support or a higher level of technical skill to attach to the network and gain internet access
-suitable for all sizes of company
-does not provide IP addresses when disabled
Domain 1
-Impact: measure of the consequence (including financial loss, reputation)
-Vulnerability: lack of adequate controls, exposing sensitive information and data to the risk
of malicious damage, attack or unauthorized access by hackers
-Asset: something of either tangible or intangible value worth protecting, including people,
-Threat: potential cause of an unwanted incident
-when internal controls are strong, a lower confidence coefficient can be adopted->enable
the use of a smaller sample size