Student Handbook SSC/ Q0901 Security Analyst

UNIT VI
Information Security Performance Metrics

This Unit covers:


Lesson Plan
6.1. Introduction Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems

LESSON PLAN

Outcomes
To be competent, you must be able to:
PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people
PC3. carry out security assessment of information security systems using automated tools
PC9. update your organization's knowledge base promptly and accurately with information security issues and their resolution
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

You need to know and understand:
KA1. your organization's policies, procedures, standards and guidelines for managing information security
KA2. your organization's knowledge base and how to access and update this
KA10. how to access and analyze information security performance metrics
KA11. who to involve when managing information security
KA12. your organization's information security systems and tools and how to access and maintain these
KA13. standard tools and templates available and how to use these
KB3. common issues and variances of performance metrics that require action and who to report these to

Performance Measures
KA1. QA session and a descriptive write-up on understanding.
KA2. Group presentation and peer evaluation along with faculty.
KA10, KA11. Team work (IM and chat applications) and group activities (online forums), including templates to be prepared.
KA12. Project charter, architecture (charts), project plan, poster presentation and execution plan.
KA13. Creation of templates based on the learnings.

Ensuring Work Environment Requirement
Lab
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (min 2 Mbps dedicated)
Networking equipment: routers and switches
Firewalls and access points
Access to all security sites like ISO, PCI DSS
Commercial tools like HP WebInspect and IBM AppScan etc.
Open source tools like sqlmap, Nessus etc.

Lesson 6.1 Introduction to Security Metrics (Edited)
In the face of regular, high-profile news reports of serious security breaches, as well as intense scrutiny of institutional costs, security managers are more than ever being held accountable for demonstrating the effectiveness of their security programs. What means should managers be using to meet this challenge? Key among these should be security metrics.
It helps to understand what metrics are by drawing a distinction between metrics and measurements. Measurements provide single-point-in-time views of specific, discrete factors, while metrics are derived by comparing two or more measurements taken over time against a predetermined baseline. Measurements are generated by counting; metrics are generated from analysis. In other words, measurements are objective raw data, and metrics are either objective or subjective human interpretations of those data.
Good metrics are those that are SMART, i.e. specific, measurable, attainable, repeatable and time-dependent. Truly useful metrics indicate the degree to which security goals, such as data confidentiality, are being met, and they drive the actions taken to improve an organization's overall security program. Distinguishing metrics meaningful primarily to those with direct responsibility for security management from those that speak directly to executive management interests and issues is critical to the development of an effective security metrics program.
While there are multiple ways to categorize metrics, guidance from the National Institute of Standards and Technology (NIST) does this in a way that is more helpful than simply providing tag names for metric groupings. The Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1) divides security metrics into three categories and links each to levels of security program maturity. The categories are:

Implementation metrics, used to show progress in implementing policies and procedures and individual security controls.
Effectiveness/efficiency metrics, used to monitor the results of security control implementation for a single control or across multiple controls.
Impact metrics, used to convey the impact of the information security program on the institution's mission, often through quantifying the cost avoidance or risk reduction produced by the overall security program.

As mentioned earlier, truly useful metrics indicate the degree to which security goals are being met, and they drive the actions taken to improve an organization's overall security program. Before expending resources producing metrics in any of these three categories, it is essential that the goals and objectives of the security program be articulated.


6.2 Types of Security Metrics (Edited)

Three distinct types of metrics are classified according to level:
Strategic security metrics
Security management metrics
Operational security metrics

Strategic security metrics:
These are measures concerning the information security elements of high-level business goals, objectives and strategies. For example, if the organization needs to bolster its information security capabilities and competences in order to support various business initiatives without expanding the budget, metrics concerning the efficiency and effectiveness of information security are probably relevant. Broad-brush metrics relating to information security risks, capabilities and value tend to exist at this high level. The reporting period may be one or more years.

Security management metrics:
There are numerous facets to managing information security risks that could be measured, hence many possible metrics. We recommend making a special effort to identify management metrics that directly relate to achieving specific business objectives for information security, supplementing those that are needed to manage the information security department, function or team just like any other part of the business (e.g. expenditure against budget). Management-level metrics tend to be reported/updated on a monthly or quarterly basis. Metrics concerning information security projects/initiatives (e.g. implementing dual-factor authentication) and the information security management system (e.g. security incident statistics) are typical examples.

Operational security metrics:
At the lowest level of analysis, most information security controls, systems and processes need to be measured in order to operate and control them. Metrics supporting security operations are normally only of direct concern to those managing and performing security activities. They include both technical and non-technical security metrics that are often updated on a weekly, daily or hourly basis. They are unlikely to be of much interest or value beyond the information security and related technical functions, although some

Another classification is by object of measurement:
Process security metrics
Network security metrics
Software security metrics
People security metrics

Process Security Metrics:
These metrics measure processes and procedures. Examples are the number of policy violations, the percentage of systems with formal risk assessments, the percentage of systems with tested security controls, the percentage of weak (non-compliant) passwords, the number of identified risks and their severity, the percentage of systems with contingency plans, etc. These are usually compliance/governance driven. While they generally support better security, their actual impact is hard to define.

Network Security Metrics:
These are driven by products (firewalls, IDS, etc.). Readily available and widely used, they give a sense of control, and they usually come with some level of data presentation through charts and interfaces. They can be misleading, though. Examples are successful/unsuccessful logons, number of incidents, number of viruses blocked, number of patches applied, number of spam messages blocked, number of virus infections, number of port probes, traffic analysis, etc.

Software Security Metrics:
Software measures are usually troublesome (LOC, function points, complexity, etc.). These metrics are context-sensitive, environment-dependent and architecture-dependent. Examples are size and complexity, defects per LOC, defects (by severity and type) over time, cost per defect, attack surface (number of interfaces), layers of security, and design flaws.

People Security Metrics:
These are usually relevant but unreliable, as people's behaviour is difficult to model; biases and non-standard responses make it difficult to predict. Examples include the number of associates/contractors that have completed information security policy training, team size, etc.

A sample list of metrics is given below. These metrics cover the following business functions:
Application Security
o Number of Applications
o Percentage of Critical Applications
o Risk Assessment Coverage
o Security Testing Coverage
Configuration Change Management
o Mean-Time to Complete Changes
o Percent of Changes with Security Review
o Percent of Changes with Security Exceptions
Financial
o Information Security Budget as % of IT Budget
o Information Security Budget Allocation
Incident Management
o Mean-Time to Incident Discovery
o Incident Rate
o Percentage of Incidents Detected by Internal Controls
o Mean-Time Between Security Incidents
o Mean-Time to Recovery
Patch Management
o Patch Policy Compliance
o Patch Management Coverage
o Mean-Time to Patch
Vulnerability Management
o Vulnerability Scan Coverage
o Percent of Systems Without Known Severe Vulnerabilities
o Mean-Time to Mitigate Vulnerabilities
o Number of Known Vulnerability Instances
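The metrics in the list above are only useful once they are computed the same way every period from raw measurements, and the distinction drawn in 6.1 (counting gives a measurement, comparing against a baseline gives a metric) is easiest to see in code. The Python below is an added example written for this page; it is not code from the handbook or from NIST SP 800-55. The Incident and Host record formats, the 30-day patch policy window, the 36-hour baseline and every sample value are constructed assumptions.

```python
# Added example (not from the handbook): deriving several of the metrics listed
# above from constructed raw measurements. Record formats, field names, thresholds
# and all values are assumptions made for this illustration.
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class Incident:
    occurred: datetime    # start of malicious activity, as established during response
    discovered: datetime  # when the organisation first became aware of it
    recovered: datetime   # when normal service was restored
    detected_by: str      # "internal" (own monitoring/controls) or "external" (third party)


@dataclass(frozen=True)
class Host:
    name: str
    scanned: bool                  # covered by the most recent vulnerability scan
    severe_vulns: int              # open findings rated severe/critical on that scan
    patch_lag_days: Optional[int]  # days from patch release to install; None = still unpatched


# Constructed sample measurements for one reporting period (not real data).
INCIDENTS: List[Incident] = [
    Incident(datetime(2024, 1, 1, 0), datetime(2024, 1, 1, 12), datetime(2024, 1, 2, 0), "internal"),
    Incident(datetime(2024, 1, 13, 12), datetime(2024, 1, 15, 12), datetime(2024, 1, 15, 18), "external"),
    Incident(datetime(2024, 2, 1, 6), datetime(2024, 2, 1, 12), datetime(2024, 2, 2, 0), "internal"),
    Incident(datetime(2024, 2, 23, 6), datetime(2024, 2, 24, 12), datetime(2024, 2, 24, 18), "internal"),
]
HOSTS: List[Host] = [
    Host("web-01", True, 0, 5), Host("web-02", True, 2, 28),
    Host("db-01", True, 0, 12), Host("db-02", True, 1, None),
    Host("app-01", True, 0, 20), Host("app-02", False, 0, 3),
    Host("hr-01", False, 0, 25), Host("kiosk-01", False, 0, None),
]


def _pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def mean_time_to_discovery_hours(incidents: List[Incident]) -> float:
    return round(mean((i.discovered - i.occurred).total_seconds() / 3600 for i in incidents), 1)


def mean_time_to_recovery_hours(incidents: List[Incident]) -> float:
    return round(mean((i.recovered - i.discovered).total_seconds() / 3600 for i in incidents), 1)


def pct_detected_internally(incidents: List[Incident]) -> float:
    return _pct(sum(i.detected_by == "internal" for i in incidents), len(incidents))


def mean_time_between_incidents_days(incidents: List[Incident]) -> float:
    # Gaps between consecutive discovery times; needs at least two incidents.
    times = sorted(i.discovered for i in incidents)
    gaps = [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]
    return round(mean(gaps), 1) if gaps else 0.0


def vuln_scan_coverage_pct(hosts: List[Host]) -> float:
    return _pct(sum(h.scanned for h in hosts), len(hosts))


def pct_systems_without_severe_vulns(hosts: List[Host]) -> float:
    # Only scanned hosts can have *known* vulnerabilities, so the denominator is the
    # scanned population; this metric must be read together with scan coverage.
    scanned = [h for h in hosts if h.scanned]
    return _pct(sum(h.severe_vulns == 0 for h in scanned), len(scanned))


def patch_policy_compliance_pct(hosts: List[Host], max_lag_days: int = 30) -> float:
    # The 30-day policy window is an assumed value.
    ok = sum(h.patch_lag_days is not None and h.patch_lag_days <= max_lag_days for h in hosts)
    return _pct(ok, len(hosts))


def mean_time_to_patch_days(hosts: List[Host]) -> float:
    lags = [h.patch_lag_days for h in hosts if h.patch_lag_days is not None]
    return round(mean(lags), 1) if lags else 0.0


def change_vs_baseline_pct(current: float, baseline: float) -> float:
    """A measurement becomes a metric once it is compared with the baseline period."""
    return round(100.0 * (current - baseline) / baseline, 1)


def metrics_report(incidents: List[Incident], hosts: List[Host]) -> dict:
    return {
        "Mean-Time to Incident Discovery (h)": mean_time_to_discovery_hours(incidents),
        "Mean-Time to Recovery (h)": mean_time_to_recovery_hours(incidents),
        "Percentage of Incidents Detected by Internal Controls": pct_detected_internally(incidents),
        "Mean-Time Between Security Incidents (days)": mean_time_between_incidents_days(incidents),
        "Vulnerability Scan Coverage": vuln_scan_coverage_pct(hosts),
        "Percent of Systems Without Known Severe Vulnerabilities": pct_systems_without_severe_vulns(hosts),
        "Patch Policy Compliance": patch_policy_compliance_pct(hosts),
        "Mean-Time to Patch (days)": mean_time_to_patch_days(hosts),
    }


if __name__ == "__main__":
    for name, value in metrics_report(INCIDENTS, HOSTS).items():
        print(f"{name}: {value}")
    # Assumed baseline of 36 h for discovery time in the previous period.
    print("MTTD change vs baseline (%):",
          change_vs_baseline_pct(mean_time_to_discovery_hours(INCIDENTS), 36.0))
```

Two things the sample data is built to show: "Percent of Systems Without Known Severe Vulnerabilities" can only be computed over hosts that were actually scanned, so it improves as scan coverage falls unless the two are reported side by side; and "Mean-Time to Patch" ignores hosts that are still unpatched, so it must be paired with patch policy compliance, which counts them as failures.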


6.3 Using Security Metrics (Edited)

Using security metrics involves data acquisition. Data may be collected automatically or manually. How far data collection can be automated depends on the availability of data from automated sources versus the availability of data from people. Manual data collection involves developing questionnaires and conducting interviews and surveys with the organization's staff. As a security program matures, more useful data becomes available from semi-automated and automated data sources, such as self-assessment tools, certification and accreditation (C&A) databases, incident reporting and response databases, and other data sources. Metrics data collection is fully automated when all data is gathered by using automated data sources without human involvement or intervention.

6.4 Development of the Metrics Process (Edited)


Regardless of the underlying framework, the seven key steps below could be used to
guide the process of establishing a security metrics program.
1. Define the metrics program goal(s) and objectives
2. Decide which metrics to generate
3. Develop strategies for generating the metrics
4. Establish benchmarks and targets
5. Determine how the metrics will be reported
6. Create an action plan and act on it, and
7. Establish a formal program review/refinement cycle

This seven-step methodology should yield a firm understanding of the purpose of the
security metrics program, its specific deliverables, and how, by whom, and when these
deliverables will be provided. The steps are briefly described below, and outcome
examples, where appropriate, are provided.

Step 1: Define the metrics program goal(s) and objectives


Because developing and maintaining a security metrics program could take considerable
effort and divert resources away from other security activities, it is critical that the goal(s) and
objectives of the program be well-defined and agreed upon up front. Although there is no hard and
fast rule about this, a single goal that clearly states the end toward which all measurement and
metrics gathering efforts should be directed is a good approach. A goal statement might be, for
example:

Provide metrics that clearly and simply communicate how efficiently and effectively our company is
balancing security risks and preventive measures, so that investments in our security program can be
appropriately sized and targeted to meet our overall security objectives.

Statements of objective should indicate high-level actions that must be collectively accomplished to
meet the goal(s). An action plan should be directly derivable from these statements. A few
objectives for the goal above, for example, might be:
a) To base the security metrics program on process improvement best practices within
our company.
b) To leverage any relevant measurements currently being collected.
c) To communicate metrics in formats custom-tailored to various audiences.
d) To involve stakeholders in determining what metrics to produce.

Step 2: Decide which metrics to generate


Any underlying corporate framework for process improvement, as discussed at the
beginning of this section, could dictate what metrics are needed. For example, a Six Sigma
approach would focus on security processes for which defects could be detected and managed, and
Step 2 of building a metrics program would, therefore, be to identify those specific security
processes. A compliance-based approach would assess how closely established security standards
are being followed. In this case, Step 2 would identify those standards for which compliance should
be tracked.
In the absence of any preexisting framework, a top-down or a bottom-up approach for
determining which metrics might be desirable could be used. The top-down approach starts with the
objectives of the security program, and then works backward to identify specific metrics that would
help determine if those objectives are being met, and lastly measurements needed to generate
those metrics. For example:

TOP-DOWN APPROACH
a. Define/list objectives of the overall security program
   Example objective: To reduce the number of virus infections within the company by 30% by 2002
b. Identify metrics that would indicate progress toward each objective
   Example metric: Current ratio of virus alerts to actual infections as compared to the baseline 2000 figure
c. Determine measurements needed for each metric
   Example measurement: Number of virus alerts issued to the organization by month
   Example measurement: Number of virus infections reported

The bottom-up approach entails first defining which security processes, products, services, etc. are
in place that can be or already are measured, then considering which meaningful metrics could be
derived from those measurements, and finally assessing how well those metrics link to objectives for
the overall security program. To illustrate:

BOTTOM-UP APPROACH
a. Identify measurements that are/could be collected for this process
   Example measurement: Average number of Level 1 vulnerabilities detected per server by department using our xyz scanning tool
b. Determine metrics that could be generated from the measurements
   Example metric: Change in number of critical vulnerabilities detected on servers by department since last reporting period
c. Determine the association between the derived metrics and established objectives of the overall security program
   Example objective: To reduce the level of detectable vulnerabilities on servers in every department within the company.

The top-down approach will more readily identify the metrics that should be in place given the
objectives of the overall security program, while the bottom-up approach yields the most easily
obtainable metrics. Both approaches assume that overall security program objectives have already
been established. If they have not been, defining these high-level objectives is obviously important
and a prerequisite.
Step 3: Develop strategies for generating the metrics
Now that what is to be measured is well understood, strategies for collecting the needed data and deriving the metrics must be developed. These strategies should specify the source of the data, the frequency of data collection, and who is responsible for raw data accuracy, data compilation into measurements, and generation of the metric.
Although a formal risk assessment is one method for collecting some of the data that might be needed, experts disagree on its value for generating metrics. One line of thought is that quantitative risk assessment provides close enough metrics, while another is that risk assessments are not standardized and are too subjective and speculative to provide good comparative metrics over time. There are, however, other suggested sources of data, such as help desk logs, system logs, firewall logs, audit reports, and user surveys.
Early on there were few automated tools available to make data collection, analysis, and reporting cost-effective, but in recent years products have been introduced into the marketplace to make these activities more viable.


Step 4: Establish benchmarks and targets
In this step appropriate benchmarks are identified and improvement targets set. Benchmarking is the process of comparing one's own performance and practices against peers within the industry or noted best-practice organizations outside the industry. Not only does this process provide fresh ideas for managing an activity, but it can also provide the comparative data needed to make metrics more meaningful. Benchmarks also help establish achievable targets for driving improvements in existing practices. A security manager should consult industry-specific data resources for possible benchmarks and best practices, but may also find national and global metrics provided by SecurityStats.com, CIO Magazine, and other services and publications helpful.
Step 5: Determine how the metrics will be reported
Obviously, no security metrics effort is worthwhile if the results are not effectively communicated. While conventional management wisdom on disseminating information of this nature should prevail, the current security metrics literature does reveal some guidance in this area. One analyst, for example, cautions that over-simplification in the name of clarity is a mistake. Executives are accustomed to dealing with financial and other trend lines, so complex security-related data can be valuable to this group if presented well. Graphic representations are particularly effective.
Some metrics may be meaningful only to the security manager and staff and should not be distributed further. Security managers may, however, use other metrics to help trigger needed remedial actions within the organization. For example, a widely distributed metric, such as one that shows the level of vulnerability for each department in the organization, might spawn healthy competition among departments to become the least vulnerable department by the next reporting period -- a security manager's dream!
In any case, the context, format, frequency, distribution method, and responsibility for reporting metrics should be defined up front, so that the end product can be visualized early on by those who will be involved in producing the metrics and those who will be using them for decision-making.

Step 6: Create an action plan and act on it


Now it is time to get the real work done. The action plan should contain all tasks that need
to be accomplished to launch the security metrics program, along with expected completion dates
and assignments. As mentioned in Step 1, action items should be directly derivable from the
objectives. Documenting the linkage of actions in the plan to these objectives is useful, so that no
one will lose sight of why a given action is important.
In the same manner that software should be developed, it is critical to include a testing
process in the plan. Deficiencies in collected data may, for example, prove some metrics unusable
and require reexamination of what is to be measured and how.

Step 7: Establish a formal program review/refinement cycle

Formal, regular reexamination of the entire security metrics program should be built
into the overall process. Is there reason to doubt the accuracy of any of the metrics? Are the metrics
useful in determining new courses of action for the overall security program? How much effort is it
taking to generate the metrics? Is the value derived worth that effort? These and other questions
like them will be important to answer during the review process. A fresh scan of security metrics
standards and best practices within and outside the industry should also be conducted to help
identify new
developments and opportunities to fine-tune the program.

Conclusion
The task of developing a security metrics program may seem daunting to some, but it
need not be. The seven-step methodology can guide development of very simple metrics programs,
as well as highly ambitious ones. In fact, some individuals with experience in security metrics
recommend that simple starts be made. They advise managers to do what is easy, cheap, fast, and
leverage existing measures and metrics. The important thing to keep in mind is that the metrics
generated should be useful enough to drive improvement in the overall security program and to
help prove the value of that program to the organization as a whole.

6.5 Metrics and Reporting (Edited)


The frequency of reports depends on organizational norms, the volume and gravity of information
available, and management requirements. Regular reporting periods may vary from daily or weekly
to monthly, quarterly, six-monthly or annual. The latter ones are more likely to identify and discuss
trends and strategic issues, and to include status reports on security-relevant development projects,
information security initiatives and so forth, in other words they provide the context to make sense
of the numbers.
Here are some options for your consideration:
An annual, highly confidential information security report for the CEO, the board and other senior management (including internal audit). This report might include commentary on the success or otherwise of specific security investments. A forward-looking section can help to set the scene for planned future investments, and is a good opportunity to point out the ever-changing legal and regulatory environment and the corresponding personal liabilities of senior managers.
Quarterly status reports to the most senior body directly responsible for information security, physical security, risk and/or governance. Traffic-light status reports are common and KPIs (Key Performance Indicators) may be required, but the information security manager's commentary (supplemented or endorsed by that of the CTO/CIO) is a good value-add.
Monthly reports to the CTO/CIO, listing projects participated in and security incidents, along with their monetary value (the financial impacts do not need to be precisely accurate; they are used to indicate the scale of losses).

6.6 Designing Information Security Measurement Systems (As it is)

In order to design an information security measurement system one has to ask the following fundamental questions.
1. What are we going to measure?
Identifying the right metrics: we shouldn't implement a measurement process if we don't intend to follow it routinely and systematically - we need repeatable and reliable measures; we shouldn't capture data that we don't intend to analyse, as that is simply an avoidable cost; and we shouldn't analyse data if we don't intend to make practical use of the results.
2. How will we measure things?
Where will the data come from and where will they be stored? If the source information is not already captured and available, there will be a need to put in place the processes to gather it. This in turn raises the issue of who will capture the data. Will it be centralized or will we distribute the data collection processes? If departments and functions outside central control are reporting, how far can they be trusted not to manipulate the figures? Will they meet deadlines and formatting requirements? How much data gathering and reporting can be automated?
3. How will we report?
What do senior management actually want? To get senior management buy-in it is important to discuss the purpose and outputs with managers and peers. Provide alternative formats initially to assess their preference. It may be necessary to report differently from other functions in the organization, using different presentation formats as well as different content. Managers are likely to feel more comfortable with conventional management reports, so look at a range of sample reports to pick out the style cues.
4. How should we implement our reporting system?
When developing metrics, it's worth testing out the feasibility and effectiveness of the measurement processes and the usefulness of the chosen metrics on a limited scale before rolling them out across the entire corporation. Pilot studies or trials are useful ways to iron out any glitches in the processes for collecting and analysing metrics, and for deciding whether the metrics are truly indicative of what you are trying to measure. Even after the initial trial period, continuous feedback on the metrics can help to refine the measurement system. Changes in both the organization and the information security risks it faces mean that some metrics are likely to become outdated over time.
5. Setting targets
Measuring and reporting leads to the identification and benchmarking of Key Performance Indicators (KPIs) and then to tracking measures to evaluate performance. Before publishing the chosen metrics it is important to figure out which ones would truly indicate progress towards the organization's information security goals.
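Step 4 of the metrics process (benchmarks and targets), the traffic-light status reports mentioned in 6.5, and the "Setting targets" question above all come down to the same mechanical step: comparing each reported KPI with its target and with the baseline period, and deciding which variances need escalating. The Python below is an added example for this page, not code from the handbook; the Kpi record format, the targets, the amber tolerances and the quarterly values are constructed assumptions. It also handles the point that KPIs differ in polarity: a lower mean-time is better, while higher coverage or compliance is better.

```python
# Added example (not from the handbook): turning reported KPI values into a
# traffic-light (RAG) status report against targets, with a trend against the
# baseline period. KPI names, targets, tolerances and values are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Kpi:
    name: str
    value: float
    target: float
    baseline: float         # same KPI at the start of the reporting year
    lower_is_better: bool   # True for mean-time metrics; False for coverage/compliance %
    amber_tolerance: float  # fraction of the target still reported AMBER rather than RED


def status(k: Kpi) -> str:
    """GREEN if the target is met, AMBER if within tolerance of it, RED otherwise."""
    if k.lower_is_better:
        if k.value <= k.target:
            return "GREEN"
        return "AMBER" if k.value <= k.target * (1 + k.amber_tolerance) else "RED"
    if k.value >= k.target:
        return "GREEN"
    return "AMBER" if k.value >= k.target * (1 - k.amber_tolerance) else "RED"


def trend(k: Kpi) -> str:
    """Direction of travel since the baseline, taking the metric's polarity into account."""
    if k.value == k.baseline:
        return "flat"
    improved = k.value < k.baseline if k.lower_is_better else k.value > k.baseline
    return "improving" if improved else "worsening"


def needs_action(kpis: List[Kpi]) -> List[str]:
    """Variances to escalate: anything RED, or AMBER and getting worse."""
    return [k.name for k in kpis
            if status(k) == "RED" or (status(k) == "AMBER" and trend(k) == "worsening")]


def report_rows(kpis: List[Kpi]) -> List[Tuple[str, float, float, str, str]]:
    return [(k.name, k.value, k.target, status(k), trend(k)) for k in kpis]


def render(kpis: List[Kpi]) -> str:
    """Plain-text table suitable for pasting into a monthly or quarterly report."""
    lines = [f"{'KPI':<60}{'value':>8}{'target':>8}  status  trend"]
    for name, value, target, st, tr in report_rows(kpis):
        lines.append(f"{name:<60}{value:>8}{target:>8}  {st:<6}  {tr}")
    return "\n".join(lines)


# Constructed quarterly values (not real data).
KPIS: List[Kpi] = [
    Kpi("Mean-Time to Patch (days)", 15.5, 14.0, 22.0, True, 0.25),
    Kpi("Vulnerability Scan Coverage (%)", 62.5, 95.0, 60.0, False, 0.10),
    Kpi("Percentage of Incidents Detected by Internal Controls (%)", 75.0, 70.0, 80.0, False, 0.10),
    Kpi("Mean-Time to Incident Discovery (hours)", 24.0, 24.0, 36.0, True, 0.25),
    Kpi("Patch Policy Compliance (%)", 75.0, 90.0, 78.0, False, 0.20),
]

if __name__ == "__main__":
    print(render(KPIS))
    print("Escalate:", needs_action(KPIS))
```

With these values the scan coverage KPI is RED and patch policy compliance is AMBER but worsening, so both are listed for action, while mean-time to patch is AMBER but improving and is left to the owning team. The tolerance band is what stops a report flipping between green and red on normal period-to-period noise; the trend column is what stops a green KPI that is quietly sliding from being ignored.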

Summary
Good security metrics are those that are SMART, i.e. specific, measurable, attainable, repeatable and time-dependent.
The Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1) divides security metrics into three categories and links each to levels of security program maturity, namely Implementation, Effectiveness/Efficiency and Impact.
Security metrics are also classified into three distinct categories by level:
o Strategic security metrics, which are measures concerning the information security elements of high-level business goals, objectives and strategies.
o Security management metrics, which cover the numerous facets of managing information security risks that could be measured, hence many possible metrics.
o Operational security metrics, which sit at the lowest level of analysis, where most information security controls, systems and processes need to be measured in order to operate and control them.
Using security metrics involves data acquisition, and the latter may be automated or manually collected.
The frequency of reports depends on organizational norms, the volume and gravity of information available, and management requirements. Regular reporting periods may vary from daily or weekly to monthly, quarterly, six-monthly or annual.
The following questions should be asked while designing information security measurement systems:
o What are we going to measure?
o How will we measure things?
o How will we report?
o How should we implement our reporting system?
o How do we set targets?

Practical activities:

Activity 1:
Work in teams and gather as much information as you can from industry and the internet about the various information security performance metrics organisations use. Discuss the various challenges in identifying, monitoring and drawing inferences about performance through these metrics.
Activity 2:
Develop performance metrics for various aspects of your own academic and non-academic behaviours and track these over a period of a week. Draw out various inferences from this monitoring. Present the object of your study, the metric you chose, the challenges in implementing these metrics and your process of inferencing. Debate the inferences and validity of each other's findings.

Check your understanding:

Q. Fill in the blanks with the most appropriate answer:
Measurements are generated by counting whereas metrics are generated by __________________.
____________________ metrics are usually compliance driven.

Q. State TRUE or FALSE as to which of the following accurately describe some of the misconceptions regarding metrics.
Metrics provide single-point-in-time views of specific, discrete factors, while measurements are derived by comparing to a predetermined baseline of two or more measurements taken over time. (   )
Metrics efforts are finite, while in reality a measurement programme is aimed at continual improvement and long-term benefits. (   )
Measurement can be automated easily/rapidly; attempting to automate metrics that have not yet been thoroughly tested and proven to be effective can be ultimately counterproductive. (   )

Q. Which type of security metrics is used to monitor results of security control implementation for a single control or across multiple controls?
_______________________________________________________
Q. The reporting/updating of which of the following types of security metrics is carried out monthly or quarterly?
a) Strategic security metrics
b) Security management metrics
c) Operational security metrics
Q. Which of the following is not a part of Incident Management security metrics?
a) Mean-Time to Incident Discovery
b) Incident Rate
c) Mean-Time to Mitigate Vulnerabilities
d) Mean-Time Between Security Incidents
e) Mean-Time to Recovery
Q. The data capturing process plays a vital role in determining appropriate information security measurement systems. Give one example in support of the statement.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Student Handbook SSC/ Q0901 Security Analyst

UNIT VII
Risk Assessment

This Unit covers:


Lesson Plan
Resource Material
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring


LESSON PLAN

Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
PC11. comply with your organization's policies, standards, procedures and guidelines when contributing to managing information security
You must know and understand:
KA6. how to carry out information security assessments
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues

Performance Measures
QA session and a Descriptive write up on understanding.
Group presentation and peer evaluation along with Faculty.
Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.
Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
Creation of templates based on the learnings.
KA6, KA7, KA8: Peer review with faculty with appropriate feedback.
KA13: Creation of templates based on the learnings.
KB1 to KB4: Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding the various methodologies and usage of algorithms.

Ensuring Work Environment Requirement
Lab: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security.

Lesson
7.1 Risk Overview (Edited)
A security risk is any event that could result in the compromise of organizational assets. The unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities constitutes a compromise of the asset, and includes the risk of harm to people. Compromise of organizational assets may adversely affect the enterprise, its business units and their clients.
As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the types of risk being considered, all risk assessments generally include the following elements:
Identifying threats that could harm and, thus, adversely affect critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters.
Estimating the likelihood that such threats will materialize, based on historical information and the judgment of knowledgeable individuals.
Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize, in order to determine which operations and assets are the most important.
Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs.
Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures as well as technical or physical controls.
Documenting the results and developing an action plan.
There are various models and methods for assessing risk, and the extent of an analysis and the resources expended can vary depending on the scope of the assessment and the availability of reliable data on risk factors. In addition, the availability of data can affect the extent to which risk assessment results can be reliably quantified.
A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques based on
(1) the likelihood that a damaging event will occur,
(2) the costs of potential losses, and
(3) the costs of mitigating actions that could be taken.
When reliable data on likelihood and costs are not available, a qualitative approach can be taken by defining risk in more subjective and general terms such as high, medium, and low. In this regard, qualitative assessments depend more on the expertise, experience, and judgment of those conducting the assessment. It is also possible to use a combination of quantitative and qualitative methods.


7.2 Risk Identification (Edited)


Risk identification is the process of determining risks that could potentially prevent the program,
enterprise, or investment from achieving its objectives. It includes documenting and communicating
the concern. The objective of risk identification is the early and continuous identification of events
that, if they occur, will have negative impacts on the project's ability to achieve performance or
capability outcome goals. They may come from within the project or from external sources.
There are multiple types of risk assessments, including:
program risk assessments;
risk assessments to support an investment decision;
analysis of alternatives; and
assessments of operational or cost uncertainty.

Risk identification needs to match the type of assessment required to support risk informed
decision making. For an acquisition program, the first step is to identify the program goals and
objectives, thus fostering a common understanding across the team of what is needed for program
success. This gives context and bounds the scope by which risks are identified and assessed.
There are multiple sources of risk. For risk identification, the project team should review the
program scope, cost estimates, schedule (to include evaluation of the critical path), technical
maturity, key performance parameters, performance challenges, stakeholder expectations vs.
current plan, external and internal dependencies, implementation challenges, integration,
interoperability, supportability, supply-chain vulnerabilities, ability to handle threats, cost deviations,
test event expectations, safety, security, and more. In addition, historical data from similar projects,
stakeholder interviews, and risk lists provide valuable insight into areas for consideration of risk.
Risk identification is an iterative process. As the program progresses, more information will
be gained about the program (e.g., specific design), and the risk statement will be adjusted to reflect
the current understanding. New risks will be identified as the project progresses through the life
cycle.


7.3 Risk Analysis (As it is)


Risk Analysis, the next step in the risk assessment program, requires an entity to conduct an
accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality,
integrity, and availability of electronic protected information held by the entity. In other words, risk
analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats,
and assessing the possible damage to determine where to implement security safeguards.

Risk analysis steps:


Identify the scope of the analysis.
Gather data.
Identify and document potential threats and vulnerabilities.
Assess current security measures.
Determine the likelihood of threat occurrence.
Determine the potential impact of threat occurrence.
Determine the level of risk.
Identify security measures and finalize documentation.

A risk analysis has four main goals:


Identify assets and their values
Identify vulnerabilities and threats
Quantify the probability and business impact of these potential threats
Provide an economic balance between the impact of the threat and the cost of the
countermeasure

Risk Evaluation
The risk evaluation process receives as input the output of the risk analysis process. It compares each risk
level against the risk acceptance criteria and prioritises the risk list with risk treatment indications.
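To show the quantitative and qualitative approaches of 7.1 and the risk evaluation step described above working together, here is an added Python example (not from the handbook). It assumes a small constructed risk register, illustrative acceptance criteria (ACCEPTABLE_ANNUAL_LOSS, ACCEPTABLE_LEVEL) and a 3x3 likelihood/impact matrix; all of these are assumptions chosen for the example.

```python
"""Added example (not from the handbook): a small risk register evaluated
with the quantitative and qualitative approaches of 7.1 and the risk
evaluation step of 7.3 (level vs. acceptance criteria, then treatment)."""
from dataclasses import dataclass
from typing import List, Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}   # qualitative scale

# Risk acceptance criteria (assumed values for this example).
ACCEPTABLE_ANNUAL_LOSS = 5_000.0   # quantitative: yearly expected loss within tolerance
ACCEPTABLE_LEVEL = "low"           # qualitative: highest level within tolerance


@dataclass
class Risk:
    name: str
    loss_per_event: Optional[float] = None   # cost of potential loss, per event
    events_per_year: Optional[float] = None  # likelihood, as events per year
    likelihood: Optional[str] = None         # qualitative: low / medium / high
    impact: Optional[str] = None             # qualitative: low / medium / high
    control_cost: float = 0.0                # yearly cost of the mitigating action
    control_effect: float = 0.0              # fraction of the loss it removes


def annual_loss(r: Risk) -> Optional[float]:
    """Quantitative: expected yearly loss = cost of loss x yearly likelihood."""
    if r.loss_per_event is None or r.events_per_year is None:
        return None
    return r.loss_per_event * r.events_per_year


def qualitative_level(r: Risk) -> Optional[str]:
    """Qualitative: combine likelihood and impact through an assumed 3x3 matrix."""
    if r.likelihood is None or r.impact is None:
        return None
    score = LEVELS[r.likelihood] * LEVELS[r.impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def risk_level(r: Risk) -> str:
    """Put both methods on one low/medium/high scale so the register can be ranked."""
    ale = annual_loss(r)
    if ale is None:
        return qualitative_level(r)
    if ale > 10 * ACCEPTABLE_ANNUAL_LOSS:
        return "high"
    return "medium" if ale > ACCEPTABLE_ANNUAL_LOSS else "low"


def treatment(r: Risk) -> str:
    """Risk evaluation: check acceptance criteria, then the control's cost-effectiveness."""
    if LEVELS[risk_level(r)] <= LEVELS[ACCEPTABLE_LEVEL]:
        return "accept"
    ale = annual_loss(r)
    if ale is None:
        return "reduce"   # no cost data: treat, then re-assess once figures exist
    saved = ale * r.control_effect
    if saved <= r.control_cost:
        return "transfer/avoid"   # the control costs more than the loss it removes
    if ale - saved > ACCEPTABLE_ANNUAL_LOSS:
        return "reduce (residual risk remains; further treatment cycle)"
    return "reduce"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order the register by risk level, then by expected yearly loss."""
    return sorted(register, reverse=True,
                  key=lambda r: (LEVELS[risk_level(r)], annual_loss(r) or 0.0))


# Constructed sample register; the figures are illustrative, not real data.
REGISTER = [
    Risk("laptop theft", 3_000, 1.0, control_cost=1_000, control_effect=0.5),
    Risk("ransomware on file server", 200_000, 0.1, control_cost=8_000, control_effect=0.8),
    Risk("phishing credential theft", 50_000, 0.5, control_cost=5_000, control_effect=0.6),
    Risk("flood in server room", 500_000, 0.05, control_cost=30_000, control_effect=0.5),
    Risk("insider data misuse", likelihood="medium", impact="high"),
    Risk("website defacement", likelihood="low", impact="low"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name:28} {risk_level(r):7} {treatment(r)}")
```

The output is the prioritised risk list with a treatment indication per entry; a "reduce" entry whose residual loss still exceeds the acceptance criterion is flagged for the further treatment cycle mentioned in 7.4.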

7.4 Risk Treatment (As it is)



Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate
administrative, technical and physical controls. Control includes:

applying appropriate controls to avoid, eliminate or reduce risks;


transferring some risks to third parties as appropriate (e.g., by insurance);
knowingly and objectively accepting some risks; and
documenting the risk treatment choices made, and the reasons for them.

Risk treatments should take account of:
legal-regulatory and private certificatory requirements;
organizational objectives, operational requirements and constraints; and
costs of implementation and operation relative to risks being reduced.

Risk treatment strategies include:

Risk reduction
Taking the mitigation steps necessary to reduce the overall risk to an asset. Often this will
include selecting countermeasures that will either reduce the likelihood of occurrence or reduce
the severity of loss, or achieve both objectives at the same time. Countermeasures can include
technical or operational controls or changes to the physical environment. For example, the risk
of computer viruses can be mitigated by acquiring and implementing antivirus software. When
evaluating the strength of a control, consideration should be given to whether the controls are
preventative or detective. The remaining level of risk after the controls/countermeasures have
been applied is often referred to as residual risk. An organization may choose to undergo a
further cycle of risk treatment to address this.

Risk sharing/transference
The organization shares its risk with third parties through insurance and/or service providers.
Insurance is a post-event compensatory mechanism used to reduce the burden of loss if the
event were to occur. Transference is the shifting of risk from one party to another. For example,
when hard-copy documents are moved offsite for storage at a secure-storage vendor location,
the responsibility and costs associated with protecting the data transfers to the service
provider. The cost of storage may include compensation (insurance) if documents are damaged,
lost, or stolen.

Risk avoidance
The practice of eliminating the risk by withdrawing from or not becoming involved in the activity
that allows the risk to be realized. For example, an organization decides to discontinue a
business process in order to avoid a situation that exposes the organization to risk.

Risk acceptance
An organization decides to accept a particular risk because it falls within its risk-tolerance
parameters and therefore agrees to accept the cost when it occurs. Risk acceptance is a viable
strategy where the cost of insuring against the risk would be greater over time than the total
losses sustained. All risks that are not avoided or transferred are accepted by default.

7.5 Risk Management Feedback Loops (As it is)

Risk management is a comprehensive process that requires organizations to:
frame risk (i.e., establish the context for risk-based decisions);
assess risk;
respond to risk once determined; and
monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.

Risk management is carried out as a holistic, organization wide activity that addresses risk from the
strategic level to the tactical level, ensuring that risk based decision making is integrated into every
aspect of the organization. The following sections briefly describe each of the four risk management
components. The first component of risk management addresses how organizations frame risk or establish a risk context, that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk, making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.
Establishing a realistic and credible risk frame requires that organizations identify:
risk assumptions (e.g., assumptions about the threats, vulnerabilities, consequences/impact, and likelihood of occurrence that affect how risk is assessed, responded to, and monitored over time);
risk constraints (e.g., constraints on the risk assessment, response, and monitoring alternatives under consideration);
risk tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable); and
priorities and trade-offs (e.g., the relative importance of missions/business functions, tradeoffs among different types of risk that organizations face, time frames in which organizations must address risk, and any factors of uncertainty that organizations consider in risk responses).

The risk framing component and the associated risk management strategy also include any strategic-level decisions on how risk to organizational operations and assets, individuals, other organizations, and the Nation, is to be managed by senior leaders/executives.
The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify:
threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation;
vulnerabilities internal and external to organizations;
the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
the likelihood that harm will occur.
The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).

To support the risk assessment component, organizations identify:
the tools, techniques, and methodologies that are used to assess risk;
the assumptions related to risk assessments;
the constraints that may affect risk assessments;
roles and responsibilities;
how risk assessment information is collected, processed, and communicated throughout organizations;
how risk assessments are conducted within organizations;
the frequency of risk assessments; and
how threat information is obtained (i.e., sources and methods).

The third component of risk management addresses how organizations respond to risk once that risk
is determined based on the results of risk assessments.
The purpose of the risk response component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:
developing alternative courses of action for responding to risk;
evaluating the alternative courses of action;
determining appropriate courses of action consistent with organizational risk tolerance; and
implementing risk responses based on selected courses of action.

To support the risk response component, organizations describe the types of risk responses that can
be implemented (i.e., accepting, avoiding, mitigating, sharing, or transferring risk).
Organizations also identify the tools, techniques, and methodologies used to develop courses of
action for responding to risk, how courses of action are evaluated, and how risk responses are
communicated across organizations and as appropriate, to external entities (e.g., external service
providers, supply chain partners).
The fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to:
verify that planned risk response measures are implemented and information security requirements derived from/traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, and standards, and guidelines, are satisfied;
determine the ongoing effectiveness of risk response measures following implementation; and
identify risk-impacting changes to organizational information systems and the environments in which the systems operate.

To support the risk monitoring component, organizations describe how compliance is verified and how the ongoing effectiveness of risk responses is determined (e.g., the types of tools, techniques, and methodologies used to determine the sufficiency/correctness of risk responses and if risk mitigation measures are implemented correctly, operating as intended, and producing the desired effect with regard to reducing risk). In addition, organizations describe how changes that may impact the ongoing effectiveness of risk responses are monitored.


7.6 Risk Monitoring (As it is)

Risk monitoring provides organizations with the means to:
verify compliance;
determine the ongoing effectiveness of risk response measures; and
identify risk-impacting changes to organizational information systems and environments of operation.
Analysing monitoring results gives organizations the capability to maintain awareness of the risk
being incurred, highlight the need to revisit other steps in the risk management process, and initiate
process improvement activities as needed.

Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness,
helping senior leaders/executives develop a better understanding of the ongoing risk to
organizational operations and assets, individuals, other organizations, and the Nation. Organizations
can implement risk monitoring at any of the risk management tiers with different objectives and
utility of information produced. For example, Tier 1 monitoring activities might include ongoing
threat assessments and how changes in the threat space may affect Tier 2 and Tier 3 activities,
including enterprise architectures (with embedded information security architectures) and
organizational information systems. Tier 2 monitoring activities might include, for example, analyses
of new or current technologies either in use or considered for future use by organizations to identify
exploitable weaknesses and/or deficiencies in those technologies that may affect mission/business
success. Tier 3 monitoring activities focus on information systems and might include, for example,
automated monitoring of standard configuration settings for information technology products,
vulnerability scanning, and ongoing assessments of security controls. In addition to deciding on
appropriate monitoring activities across the risk management tiers, organizations also decide how
monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of
monitoring activities based on, for example, the frequency with which deployed security controls
change, critical items on plans of action and milestones, and risk tolerance.


Summary
Definition of Risk: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action.
A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques based on the likelihood that a damaging event will occur, the costs of potential losses, and the costs of mitigating actions that could be taken.
Risk identification is an iterative process.
Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats, and assessing the possible damage to determine where to implement security safeguards.
The risk evaluation process receives as input the output of the risk analysis process.
Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate administrative, technical and physical controls.
Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.
Analysing monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed.

Practical activities:
Activity 1:
Research various risks for their institute in the area of information security. Prepare a
process report highlighting your approach towards identifying risk, recording, monitoring,
analysing and treating risk. The approach should be shared with the faculty and the report
should be submitted for evaluation.


Check your understanding:


Q. State TRUE or FALSE
Risk identification and risk assessment are co-related in function. ( )
Implementation of risk monitoring at different risk management tiers with different objectives within an organization increases risk awareness and capability. ( )

Q. Analyse and state the differences between risk analysis and risk evaluation in two lines.
__________________________________________________________________________________

Q. Suggest one of the appropriate measures that can curb the problem of residual risk.
__________________________________________________________________________________

Q. In what ways do service/insurance providers facilitate risk sharing/transference?


__________________________________________________________________________________

Q. Complete the following requirements that an organization needs to identify in order to build a
realistic and credible risk frame
a) risk constraints
b) ________________
c) risk tolerance
d) ________________



UNIT VIII
Configuration review

This Unit covers:


Lesson Plan
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores


LESSON PLAN

Outcomes
To be competent, you must be able to:
PC4. carry out configuration reviews of information security systems using automated tools, where required
You must know and understand:
KA6. how to carry out information security assessments
KA7. how to carry out configuration reviews
KA9. different types of automation tools and how to use these

Performance Measures
Performance evaluation from Faculty and Industry with reward points.
QA session and a Descriptive write up on understanding.
KA6, KA7: Performance evaluation from Faculty and Industry with reward points.
KA9: QA session and a Descriptive write up on understanding.

Ensuring Work Environment Requirement
Lab: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Networking Equipment - Routers & Switches; Firewalls and Access Points; Access to all security sites like ISO, PCI DSS, Center for Internet Security; Commercial Tools like HP WebInspect and IBM AppScan etc.; Open Source tools like sqlmap, Nessus etc.

Lesson
8.1 Configuration Management (As it is)
An information system is typically in a constant state of change in response to new, enhanced,
corrected, or updated hardware and software capabilities, patches for correcting software flaws and
other errors to existing components, new security threats, changing business functions, etc.
Implementing information system changes almost always results in some adjustment to the system
configuration. To ensure that the required adjustments to the system configuration do not adversely
affect the security of the information system or the organization from operation of the information
system, a well-defined configuration management process that integrates information security is
needed.
Organizations apply configuration management (CM) for establishing baselines and for tracking,
controlling, and managing many aspects of business development and operation (e.g., products,
services, manufacturing, business processes, and information technology). Organizations with a
robust and effective CM process need to consider information security implications with respect to
the development and operation of information systems including hardware, software, applications,
and documentation. Effective CM of information systems requires the integration of the
management of secure configurations into the organizational CM process or processes. For this
reason, this document assumes that information security is an integral part of an organization's
overall CM process; however, the focus of this document is on implementation of the information
system security aspects of CM, and as such the term security-focused configuration management
(SecCM) is used to emphasize the concentration on information security. Though both IT business
application functions and security-focused practices are expected to be integrated as a single
process, SecCM in this context is defined as the management and control of configurations for
information systems to enable security and facilitate the management of information security risk.
Configuration Management (CM) comprises a collection of activities focused on establishing and
maintaining the integrity of products and systems, through control of the processes for initializing,
changing, and monitoring the configurations of those products and systems.
A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware,
documentation, or a combination thereof) that is a discrete target of configuration control processes.
A Baseline Configuration is a set of specifications for a system, or CI within a system, that has been
formally reviewed and agreed on at a given point in time, and which can be changed only through
change control procedures. The baseline configuration is used as a basis for future builds, releases,
and/or changes.
The basic parts of a CM Plan include:
Configuration Control Board (CCB): Establishment of and charter for a group of qualified people with responsibility for the process of controlling and approving changes throughout the development and operational lifecycle of products and systems; may also be referred to as a change control board;
Configuration Item Identification: methodology for selecting and naming configuration items that need to be placed under CM;
Configuration Change Control: process for managing updates to the baseline configurations for the configuration items; and
Configuration Monitoring: process for assessing or testing the level of compliance with the established baseline configuration and mechanisms for reporting on the configuration status of items placed under CM.
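As an added example (not from the handbook or any NIST publication), the Python below implements the Configuration Monitoring part of a CM Plan: it compares the observed settings of each configuration item (CI) against its baseline configuration and reports a compliance status, which is also the kind of automated Tier 3 monitoring described in 7.6. The CI names, settings, and the SECURITY_RELEVANT set are constructed for the example.

```python
"""Added example (not from the handbook): configuration monitoring of
configuration items (CIs) against an agreed baseline configuration."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Baseline configuration: the formally agreed settings per CI. All names and
# values here are constructed for the example; a real baseline is produced
# and changed only through change control.
BASELINE: Dict[str, Dict[str, str]] = {
    "web-01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "tls.MinVersion": "1.2",
        "banner.Text": "Authorised use only",
    },
    "db-01": {
        "ssh.PermitRootLogin": "no",
        "db.RemoteAccess": "off",
        "db.RequireTLS": "on",
    },
}

# Settings recorded as affecting the security posture (a SecCM activity);
# drift in any of these makes the CI non-compliant rather than merely drifted.
SECURITY_RELEVANT = {"ssh.PermitRootLogin", "ssh.PasswordAuthentication",
                     "tls.MinVersion", "db.RemoteAccess", "db.RequireTLS"}


def fingerprint(settings: Dict[str, str]) -> str:
    """Stable SHA-256 of a CI's settings, usable as its recorded configuration status."""
    canon = "\n".join(f"{k}={settings[k]}" for k in sorted(settings))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


@dataclass
class Finding:
    ci: str
    key: str
    expected: Optional[str]   # None when the key is absent from the baseline
    actual: Optional[str]     # None when the key is absent on the system
    severity: str             # "security" or "informational"


def compare(ci: str, observed: Dict[str, str]) -> List[Finding]:
    """List every deviation of an observed CI from its baseline, in both directions."""
    base = BASELINE[ci]
    findings = []
    for key in sorted(set(base) | set(observed)):
        expected, actual = base.get(key), observed.get(key)
        if expected != actual:
            severity = "security" if key in SECURITY_RELEVANT else "informational"
            findings.append(Finding(ci, key, expected, actual, severity))
    return findings


def monitor(observed_configs: Dict[str, Dict[str, str]]) -> Dict[str, dict]:
    """Assess each baselined CI: compliant, drift, non-compliant or not reported."""
    report = {}
    for ci, base in BASELINE.items():
        observed = observed_configs.get(ci)
        if observed is None:
            report[ci] = {"status": "not reported", "findings": []}
            continue
        findings = compare(ci, observed)
        if fingerprint(observed) == fingerprint(base):
            status = "compliant"
        elif any(f.severity == "security" for f in findings):
            status = "non-compliant"
        else:
            status = "drift"
        report[ci] = {"status": status, "findings": findings}
    return report


# Constructed observations, as an automated collection agent might return them.
OBSERVED = {
    "web-01": {
        "ssh.PermitRootLogin": "yes",           # security-relevant deviation
        "ssh.PasswordAuthentication": "no",
        "tls.MinVersion": "1.2",
        "banner.Text": "Authorized use only",   # cosmetic change only
    },
    "db-01": dict(BASELINE["db-01"]),           # unchanged
}

if __name__ == "__main__":
    for ci, result in monitor(OBSERVED).items():
        print(ci, result["status"])
        for f in result["findings"]:
            print(f"  [{f.severity}] {f.key}: expected {f.expected!r}, got {f.actual!r}")
```

A CI whose baseline keys are missing on the system is reported just like a changed value, so a removed hardening setting is not hidden by an otherwise matching configuration.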
Security-Focused Configuration Management (SecCM) is the management and control of secure
configurations for an information system to enable security and facilitate the management of risk.
SecCM builds on the general concepts, processes, and activities of configuration management by
focusing attention on the implementation and maintenance of the established security requirements of
the organization and its information systems.
Information security configuration management requirements are integrated into (or complement)
existing organizational configuration management processes (e.g., business functions, applications,
products) and information systems. SecCM activities include:
- identification and recording of configurations that impact the security posture of the information system and the organization;
- the consideration of security risks in approving the initial configuration;
- the analysis of security implications of changes to the information system configuration; and
- documentation of the approved/implemented changes.

SecCM requires an ongoing investment in time and resources. Product patches, fixes, and updates
require time for security impact analysis even as threats and vulnerabilities continue to exist. As
changes to information systems are made, baseline configurations are updated, specific
configuration settings confirmed, and configuration items tracked, verified, and reported. SecCM is a
continuous activity that, once incorporated into IT management processes, touches all stages of the
system development life cycle (SDLC).
In the context of SecCM of information systems, a configuration item (CI) is an aggregation of
information system components that is designated for configuration management and treated as a
single entity throughout the SecCM process. This implies that the CI is identified, labelled, and
tracked during its life cycle; the CI is the target of many of the activities within SecCM, such as
configuration change control and monitoring activities. A CI may be a specific information system
component (e.g., server, workstation, router, application), a group of information system
components (e.g., group of servers with like operating systems, group of network components such
as routers and switches, an application or suite of applications), a non-component object (e.g.,
firmware, documentation), or an information system as a whole. CIs give organizations a way to
decompose the information system into manageable parts whose configurations can be actively
managed.
The purpose of breaking up an information system into CIs is to allow more granularity and control
in managing the secure configuration of the system. The level of granularity will vary among
organizations and systems and is balanced against the associated management overhead for each CI.
In one organization, it may be appropriate to create a single CI to track all of the laptops within a
system, while in another organization, each laptop may represent an individual CI.
Baseline configuration
A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within a
system, that has been formally reviewed and agreed on at a given point in time, and which can be
changed only through change control procedures. The baseline configuration is used as a basis for
future builds, releases, and/or changes.
Security-focused configuration management of information systems involves a set of activities that can be organized into four major phases: Planning, Identifying and Implementing Configurations, Controlling Configuration Changes, and Monitoring.
Planning - Planning includes developing policy and procedures to incorporate SecCM into existing
information technology and security programs, and then disseminating the policy throughout the
organization.
Identifying and implementing configurations - After the planning and preparation activities are
completed, a secure baseline configuration for the information system is developed, reviewed,
approved, and implemented. The approved baseline configuration for an information system and
associated components represents the most secure state consistent with operational requirements
and constraints. For a typical information system, the secure baseline may address configuration
settings, software loads, patch levels, how the information system is physically or logically arranged,
how various security controls are implemented, and documentation. Where possible, automation is
used to enable interoperability of tools and uniformity of baseline configurations across the
information system.
Controlling configuration changes - Given the continually evolving nature of an information system
and the mission it supports, the challenge for organizations is not only to establish an initial baseline
configuration that represents a secure state (which is also cost-effective, functional, and supportive
of mission and business processes), but also to maintain a secure configuration in the face of the
significant waves of change that ripple through organizations.
Monitoring
Monitoring activities are used as the mechanism within SecCM to validate that the information
system is adhering to organizational policies, procedures, and the approved secure baseline
configuration. Monitoring identifies undiscovered/undocumented system components,
misconfigurations, vulnerabilities, and unauthorized changes, all of which, if not addressed, can
expose organizations to increased risk. Using automated tools helps organizations to efficiently
identify when the information system is not consistent with the approved baseline configuration and
when remediation actions are necessary. In addition, the use of automated tools often facilitates
situational awareness and the documentation of deviations from the baseline configuration.

8.2 Organizational SecCM Policy (As it is)


The organization is typically responsible for defining documented policies for the SecCM program.
The SecCM program manager develops, disseminates, and periodically reviews and updates the
SecCM policies for the organization. The policies are included as a part of the overall organization-wide security policy.
The SecCM policy normally includes the following:
1. Purpose - the objective(s) in establishing organization-wide SecCM policy;
2. Scope - the extent of the enterprise architecture to which the policy applies;
3. Roles - the roles that are significant within the context of the policy;
4. Responsibilities - the responsibilities of each identified role;
5. Activities - the functions that are performed to meet policy objectives;
6. Common secure configurations - federal and/or organization-wide standardized benchmarks for configuration settings along with how to address deviations; and
7. Records - the records of configuration management activities to be maintained; the information to be included in each type of record; who is responsible for writing/keeping the records; and procedures for protecting, accessing, auditing, and ultimately deleting such records.

SecCM policy may also address the following topics:
- SecCM training requirements;
- Use of SecCM templates;
- Use of automated tools;
- Prohibited configuration settings; and
- Requirements for inventory of information systems and components.

SecCM Training
SecCM is a fundamental part of an organizational security program, but often requires a change in
organizational culture. Staff is provided training to ensure their understanding of SecCM policies and
procedures. Training also provides a venue for management to communicate the reasons why
SecCM is important. SecCM training material is developed covering organizational policies,
procedures, tools, artefacts, and monitoring requirements. The training may be mandatory or
optional as appropriate and is targeted to relevant staff (e.g., system administrators,
system/software developers, system security officers, system owners, etc.) as necessary to ensure
that staff has the skills to manage the baseline configurations in accordance with organizational
policy.

8.3 Identify SecCM Tools (As it is)


Managing the myriad configurations found within information system components has become an
almost impossible task using manual methods like spreadsheets. When possible, organizations look
for automated solutions which, in the long run, can lower costs, enhance efficiency, and improve the
reliability of SecCM efforts.
In most cases, tools to support activities in SecCM phases two, three, and four are selected for use
across the organization by SecCM program management, and information system owners are
responsible for applying the tools to the SecCM activities performed on each information system.
Similarly, tools and mechanisms for inventory reporting and management may be provided to
information system owners by the organization. In accordance with federal government and
organizational policy, if automated tools are used, the tools are Security Content Automation
Protocol (SCAP)-validated to the extent that such tools are available.
There are a wide variety of configuration management tools available to support an organization's
SecCM program. At a minimum, the organization considers tools that can automatically assess
configuration settings of IS components. Automated tools should be able to scan different
information system components (e.g., Web server, database server, network devices, etc.) running
different operating systems, identify the current configuration settings, and indicate where they are
noncompliant with policy. Such tools import settings from one or more common secure
configurations and then allow for tailoring the configurations to the organization's security and
mission/functional requirements.
Tools that implement and/or assess configuration settings are evaluated to determine whether they include requirements such as:
- Ability to pull information from a variety of sources (different types of components, different operating systems, different platforms, etc.);
- Use of standardized specifications such as XML and SCAP;
- Integration with other products such as help desk, inventory management, and incident response solutions;
- Vendor-provided support (patches, updated vulnerability signatures, etc.);
- Compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines, and the ability to link vulnerabilities to SP 800-53 controls;
- Standardized reporting capability (e.g. SCAP, XML) including the ability to tailor output and drill down;
- Data consolidation into Security Information and Event Management (SIEM) tools and dashboard products.

Organizations may consider implementation of an all-in-one solution for configuration management. For example, various configuration management functions are included in products for managing IT servers, workstations, desktops, and services provided by applications. These products may include functions such as:
o Inventory/discovery of IS components;
o Software distribution;
o Patch management;
o Operating system deployment;
o Policy management;
o Migration to new baseline configuration; and
o Backup/recovery.
8.4 Implementing secure configurations (As it is)


Implementing secure configurations for IT products is no simple task. There are many IT products,
and each has a myriad of possible parameters that can be configured. In addition, organizations have
mission and business process needs which may require that IT products be configured in a particular
manner. To further complicate matters, for some products, the configuration settings of the
underlying platform may need to be modified to allow for the functionality required for mission
accomplishment such that they deviate from the approved common secure configurations.
Using the secure configuration previously established as a starting point, the following structured approach is recommended when implementing the secure configuration:
1) Prioritize Configurations
2) Test Configurations
3) Resolve Issues and Document Deviations
4) Record and Approve the Baseline Configuration
5) Deploy the Baseline Configuration

i. Prioritize Configurations
In the ideal environment, all IT products within an organization would be configured to the most
secure state that still provided the functionality required by the organization. However, due to
limited resources and other constraints, many organizations may find it necessary to prioritize which
information systems, IT products, or CIs to target first for secure configuration as they implement
SecCM.
In determining the priorities for implementing secure configurations in information systems, IT
products, or CIs, organizations consider the following criteria:

- System impact level - Implementing secure configurations in information systems with a high or moderate security impact level may have priority over information systems with a low security impact level.
- Risk assessments - Risk assessments can be used to target information systems, IT products, or CIs having the most impact on security and organizational risk.
- Vulnerability scanning - Vulnerability scans can be used to target information systems, IT products, or CIs that are most vulnerable. For example, the Common Vulnerability Scoring System (CVSS) is a specification within SCAP that provides an open framework for communicating the characteristics of software flaw vulnerabilities and for calculating their relative severity. CVSS scores can be used to help prioritize configuration and patching activities.
- Degree of penetration - The degree of penetration represents the extent to which the same product is deployed within an information technology environment. For example, if an organization uses a specific operating system on 95 percent of its workstations, it may obtain the most immediate value by planning and deploying secure configurations for that operating system. Other IT products or CIs can be targeted afterwards.

ii. Test Configurations


Organizations fully test secure configurations prior to implementation in the production
environment. There are a number of issues that may be encountered when implementing
configurations including software compatibility and hardware device driver issues. For example,
there may be legacy applications with special operating requirements that do not function correctly
after a common secure configuration has been applied. Additionally, configuration errors could
occur if OS and multiple application configurations are applied to the same component. For
example, a setting for an application configuration parameter may conflict with a similar setting for
an OS configuration parameter.
Virtual environments are recommended for testing secure configurations as they allow organizations
to examine the functional impact on applications without having to configure actual machines.
iii. Resolve Issues and Document Deviations
Testing secure configuration implementations may introduce functional problems within the system
or applications. For example, the new secure configuration may close a port or stop a service that is
needed for OS or application functionality. These problems are examined individually and either
resolved or documented as a deviation from, or exception to, the established common secure
configurations.
In some cases, changing one configuration setting may require changes to another setting, another
CI, or another information system. For instance, a common secure configuration may specify
strengthened password requirements which may require a change to existing single sign-on
applications. Or there may be a requirement that the OS-provided firewall be enabled by default. To
ensure that applications function as expected, the firewall policy may need to be revised to allow
specific ports, services, IP addresses, etc. When conflicts between applications and secure
configurations cannot be resolved, deviations are documented and approved through the
configuration change control process as appropriate.
iv. Record and Approve the Baseline Configuration
The established and tested secure configuration, including any necessary deviations, represents the
preliminary baseline configuration and is recorded in order to support configuration change
control/security impact analysis, incident resolution, problem solving, and monitoring activities.
Once recorded, the preliminary baseline configuration is approved in accordance with
organizationally defined policy. Once approved, the preliminary baseline configuration becomes the
initial baseline configuration for the information system and its constituent CIs.
The baseline configuration of an information system includes the sum total of the secure
configurations of its constituent CIs and represents the system-specific configuration against which
all changes are controlled.
The baseline configuration may include, as applicable, information regarding the system
architecture, the interconnection of hardware components, secure configuration settings of
software components, the software load, supporting documentation, and the elements in a release
package. There could be a different baseline configuration for each life cycle stage (development,
test, staging, production) of the information system.
When possible, organizations employ automated tools to support the management of baseline
configurations and to keep the configuration information as up to date and near real time as
possible. There are a number of solutions which maintain baseline configurations for a wide variety
of hardware and software products. Some comprehensive SecCM solutions integrate the
maintenance of baseline configurations with component inventory and monitoring tools.


v. Deploy the Baseline Configuration
Organizations are encouraged to implement baseline configurations in a centralized and automated
manner using automated configuration management tools, automated scripts, vendor-provided
mechanisms, etc.
SecCM monitoring is accomplished through assessment and reporting activities. For organizations
with a large number of components, the only practical and effective solution for SecCM monitoring
activities is the use of automated solutions that use standardized reporting methods such as SCAP.
An information system may have many components and many baseline configurations. To manually
collect information on the configuration of all components and assess them against policy and
approved baseline configurations is not practical, or even possible, in most cases. Automated tools
can also facilitate reporting for Security Information and Event Management applications that can be
accessed by management and/or formatted into other reports on baseline configuration status. Care
is exercised in collecting and analyzing the results generated by automated tools to account for any
false positives.
SecCM monitoring may be supported by numerous means, including, but not limited to:
- Scanning to discover components not recorded in the inventory. For example, after testing of a new firewall, a technician forgets to remove it from the network. If it is not properly configured, it may provide access to the network for intruders. A scan would identify this network device as not a part of the inventory, enabling the organization to take action.
- Scanning to identify disparities between the approved baseline configuration and the actual configuration for an information system.
  Example I. A technician rolls out a new patch but forgets to update the baseline configurations of the information systems impacted by the new patch. A scan would identify a difference between the actual environment and the description in the baseline configuration, enabling the organization to take action.
  Example II. A new tool is installed on the workstations of a few end users of the information system. During installation, the tool changes a number of configuration settings in the browser on the users' workstations, exposing them to attack. A scan would identify the change in the workstation configuration, allowing the appropriate individuals to take action.
- Implementation of automated change monitoring tools (e.g., change/configuration management tools, application whitelisting tools). Unauthorized changes to information systems may be an indication that the systems are under attack or that SecCM procedures are not being followed or need updating. Automated tools are available that monitor information systems for changes and alert system staff if unauthorized changes occur or are attempted.
- Querying audit records/log monitoring to identify unauthorized change events.
- Running system integrity checks to verify that baseline configurations have not been changed.
- Reviewing configuration change control records (including system impact analyses) to verify conformance with SecCM policy and procedures.
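As an added example (not from the handbook or any SecCM product), the following Python script performs the baseline comparison described above over constructed scan data: it reports components that are not in the inventory, CIs that returned no scan result, setting drift that is not covered by an approved deviation, and file-integrity failures, and then counts the findings by kind for a status report. Host names, settings and file contents are constructed samples.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def sha256(text: str) -> str:
    """Fingerprint a file's content so the baseline records an integrity hash."""
    return hashlib.sha256(text.encode()).hexdigest()


# ---- Constructed sample data (hypothetical hosts, not from any real system) ----
BASELINE_SSHD = "PermitRootLogin no\nPasswordAuthentication no\n"
STANDARD_SETTINGS = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.enabled": "yes",
}

# Approved baseline configuration: one record per configuration item (CI).
APPROVED_BASELINE: Dict[str, dict] = {
    ci: {"settings": dict(STANDARD_SETTINGS),
         "file_hashes": {"/etc/ssh/sshd_config": sha256(BASELINE_SSHD)}}
    for ci in ("web-srv-01", "app-srv-02", "db-srv-03")
}

# Deviations approved through configuration change control: (CI, setting) -> allowed value.
APPROVED_DEVIATIONS: Dict[Tuple[str, str], str] = {
    ("app-srv-02", "firewall.enabled"): "no",  # recorded exception for a legacy application
}

# What an automated scan of the environment reported (constructed).
SCAN_RESULTS: Dict[str, dict] = {
    "web-srv-01": {  # someone re-enabled password logins and edited sshd_config
        "settings": {**STANDARD_SETTINGS, "ssh.PasswordAuthentication": "yes"},
        "file_hashes": {"/etc/ssh/sshd_config":
                        sha256("PermitRootLogin no\nPasswordAuthentication yes\n")},
    },
    "app-srv-02": {  # firewall off, but that deviation was approved
        "settings": {**STANDARD_SETTINGS, "firewall.enabled": "no"},
        "file_hashes": {"/etc/ssh/sshd_config": sha256(BASELINE_SSHD)},
    },
    "fw-test-07": {  # test firewall left on the network, never added to the inventory
        "settings": {"firewall.enabled": "yes"},
        "file_hashes": {},
    },
    # db-srv-03 returned no scan result at all
}


@dataclass(frozen=True)
class Finding:
    ci: str
    kind: str    # unregistered_component | missing_component | setting_drift | integrity_failure
    detail: str


def compare_to_baseline(baseline: Dict[str, dict], scan: Dict[str, dict],
                        approved_deviations: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Return every disparity between the approved baseline and the scanned state."""
    findings: List[Finding] = []
    # 1. Inventory checks: components seen but not under CM, and CIs that did not report.
    for ci in sorted(set(scan) - set(baseline)):
        findings.append(Finding(ci, "unregistered_component", "not in the approved inventory"))
    for ci in sorted(set(baseline) - set(scan)):
        findings.append(Finding(ci, "missing_component", "no scan result for this CI"))
    # 2. Setting and file-integrity checks for each CI that is under CM and was scanned.
    for ci in sorted(set(baseline) & set(scan)):
        expected, actual = baseline[ci], scan[ci]
        for key, want in expected["settings"].items():
            got = actual["settings"].get(key)
            if got == want:
                continue  # compliant with the baseline
            if (ci, key) in approved_deviations and approved_deviations[(ci, key)] == got:
                continue  # documented and approved exception, not drift
            findings.append(Finding(ci, "setting_drift", f"{key}: expected {want!r}, found {got!r}"))
        for path, want_hash in expected["file_hashes"].items():
            if actual["file_hashes"].get(path) != want_hash:
                findings.append(Finding(ci, "integrity_failure", f"{path} differs from baseline"))
    return findings


def drift_metrics(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind: the figures a SecCM status report would carry."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = compare_to_baseline(APPROVED_BASELINE, SCAN_RESULTS, APPROVED_DEVIATIONS)
    for f in results:
        print(f"{f.ci:12} {f.kind:22} {f.detail}")
    print(drift_metrics(results))
```

The approved deviation on app-srv-02 produces no finding, which is the point of recording deviations through change control: monitoring compares against the baseline plus its approved exceptions, not against the common secure configuration alone.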

When possible, organizations seek to normalize data to describe their information system in order
that the various outputs from monitoring can be combined, correlated, analysed, and reported in a
consistent manner. SCAP provides a common language for describing vulnerabilities,
misconfigurations, and products and is an obvious starting point for organizations seeking a
consistent way of communicating across the organization regarding the security status of the
enterprise architecture.
When inconsistencies are discovered as a result of monitoring activities, the organization may want
to take remedial action. Action taken may be via manual methods or via use of automated tools.
Automated tools are preferable since actions are not reliant upon human intervention and are taken
immediately once an unauthorized change is identified. Examples of possible actions include:

- Implementing non-destructive remediation actions (e.g., quarantining of unregistered device(s), blocking insecure protocols, etc.);
- Sending an alert with change details to appropriate staff using email;
- Rolling back changes and restoring from backups;
- Updating the inventory to include newly identified components; and
- Updating baseline configurations to represent new configurations.

Many applications support configuration management interfaces and functionality to allow operators and administrators to change configuration parameters, update Web site content, and to perform routine maintenance. Top configuration management threats include:

- Unauthorized access to administration interfaces
- Unauthorized access to configuration stores
- Retrieval of plaintext configuration secrets
- Lack of individual accountability
- Over-privileged process and service accounts

Unauthorized Access to Administration Interfaces

Administration interfaces are often provided through additional Web pages or separate Web
applications that allow administrators, operators, and content developers to manage site content
and configuration. Administration interfaces such as these should be available only to restricted and
authorized users. Malicious users able to access a configuration management function can
potentially deface the Web site, access downstream systems and databases, or take the application
out of action altogether by corrupting configuration data.
Countermeasures to prevent unauthorized access to administration interfaces include:
- Minimize the number of administration interfaces.
- Use strong authentication, for example, by using certificates.
- Use strong authorization with multiple gatekeepers.
- Consider supporting only local administration. If remote administration is absolutely essential, use encrypted channels, for example, with VPN technology or SSL, because of the sensitive nature of the data passed over administrative interfaces. To further reduce risk, also consider using IPSec policies to limit remote administration to computers on the internal network.

8.5 Unauthorized Access to Configuration Stores (As it is)

Because of the sensitive nature of the data maintained in configuration stores, you should ensure that
the stores are adequately secured.
Countermeasures to protect configuration stores include:
- Configure restricted ACLs on text-based configuration files such as Machine.config and Web.config.
- Keep custom configuration stores outside of the Web space. This removes the potential to download Web server configurations to exploit their vulnerabilities.
Retrieval of Plaintext Configuration Secrets

Restricting access to the configuration store is a must. As an important defence in depth mechanism,
you should encrypt sensitive data such as passwords and connection strings. This helps prevent
external attackers from obtaining sensitive configuration data. It also prevents rogue administrators
and internal employees from obtaining sensitive details such as database connection strings and
account credentials that might allow them to gain access to other systems.
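As an added example (not from the handbook), the following Python checker looks at a text-based configuration store for the two weaknesses covered by the countermeasures above: permissive file mode bits on the store and secrets kept in plaintext. The Web.config fragments are constructed; the configProtectionProvider attribute and the EncryptedData element are the markers ASP.NET protected configuration writes when a section has been encrypted, and the ciphertext shown is a placeholder.

```python
import stat
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a Web.config whose connectionStrings section is stored in plaintext.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Orders"
         connectionString="Server=db01;Database=orders;User Id=app;Password=PLACEHOLDER;" />
  </connectionStrings>
  <appSettings>
    <add key="ApiToken" value="PLACEHOLDER_TOKEN" />
  </appSettings>
</configuration>
"""

# The same store after protecting connectionStrings with a configuration protection
# provider, in the shape ASP.NET writes it (ciphertext is a placeholder). appSettings was
# left unprotected on purpose so the checker still reports it.
PROTECTED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER_CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ApiToken" value="PLACEHOLDER_TOKEN" />
  </appSettings>
</configuration>
"""

SECRET_KEY_HINTS = ("password", "secret", "token", "apikey")
SECRET_SECTIONS = ("connectionStrings", "appSettings")


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{uri}EncryptedData' -> 'EncryptedData'."""
    return tag.rsplit("}", 1)[-1]


def _is_protected(section: ET.Element) -> bool:
    """A section encrypted by ASP.NET protected configuration carries the
    configProtectionProvider attribute and an EncryptedData child instead of plaintext."""
    return "configProtectionProvider" in section.attrib and any(
        _local(child.tag) == "EncryptedData" for child in section)


def find_plaintext_secrets(xml_text: str) -> List[str]:
    """List configuration entries that hold secrets in plaintext."""
    findings: List[str] = []
    for section in ET.fromstring(xml_text):
        name = _local(section.tag)
        if name not in SECRET_SECTIONS or _is_protected(section):
            continue
        for entry in section.findall("add"):
            if name == "connectionStrings":
                value = entry.get("connectionString", "").lower()
                if "password=" in value or "pwd=" in value:
                    findings.append(f"connectionStrings/{entry.get('name')}: "
                                    "plaintext password in connection string")
            else:
                key = entry.get("key", "")
                if any(hint in key.lower() for hint in SECRET_KEY_HINTS) and entry.get("value"):
                    findings.append(f"appSettings/{key}: secret stored in plaintext")
    return findings


def file_mode_is_restricted(mode: int) -> bool:
    """True when only the owning account can access the file (no group/other bits).
    Pass os.stat(path).st_mode. On Windows/NTFS the ACL, not these bits, is what
    matters, so inspect the ACL (for example with icacls) there instead."""
    return (stat.S_IMODE(mode) & 0o077) == 0


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_CONFIG), ("protected", PROTECTED_WEB_CONFIG)):
        print(label, find_plaintext_secrets(text) or "no plaintext secrets")
    print("0644 restricted?", file_mode_is_restricted(0o644))
```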
Lack of Individual Accountability
Lack of auditing and logging of changes made to configuration information threatens the ability to
identify when changes were made and who made those changes. When a breaking change is made
either by an honest operator error or by a malicious change to grant privileged access, action must
first be taken to correct the change. Then apply preventive measures to prevent breaking changes from
being introduced in the same manner. Keep in mind that auditing and logging can be circumvented by a
shared account; this applies to both administrative and user/application/service accounts.
Administrative accounts must not be shared. User/application/service accounts must be assigned at
a level that allows the identification of a single source of access using the account, and that contains
any damage to the privileges granted that account.
Over-privileged Application and Service Accounts
If application and service accounts are granted access to change configuration information on the
system, they may be manipulated to do so by an attacker. The risk of this threat can be mitigated by
adopting a policy of using least privileged service and application accounts. Be wary of granting
accounts the ability to modify their own configuration information unless explicitly required by
design.

Summary
SecCM is defined as the management and control of configurations for information systems to
enable security and facilitate the management of information security risk.
Configuration Management (CM) comprises a collection of activities focused on establishing
and maintaining the integrity of products and systems, through control of the processes for
initializing, changing, and monitoring the configurations of those products and systems.
The activities of SecCM include the following:
o identification and recording of configurations that impact the security posture of the information system and the organization;
o the consideration of security risks in approving the initial configuration;
o the analysis of security implications of changes to the information system configuration;
o documentation of the approved/implemented changes.
Product patches, fixes, and updates require time for security impact analysis even as threats
and vulnerabilities continue to exist.
A Configuration Item (CI) is identified, labelled, and tracked during its life cycle; the CI is the target of many of the activities within SecCM. It may be:
o a specific information system component (e.g., server, workstation, router, application)
o a group of information system components (e.g., group of servers with like operating systems, group of network components such as routers and switches, an application or suite of applications)
o a non-component object (e.g., firmware, documentation)
o an information system as a whole.
CIs give organizations a way to decompose the information system into manageable parts whose configurations can be actively managed.
A baseline configuration is a set of specifications for a system, or Configuration Item (CI)
within a system, that has been formally reviewed and agreed on at a given point in time, and
which can be changed only through change control procedures.
Monitoring identifies undiscovered/undocumented system components, misconfigurations,
vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose
organizations to increased risk.
The organization is typically responsible for defining documented policies for the SecCM program. A SecCM policy should include the following:
- Purpose - the objective(s) in establishing organization-wide SecCM policy;
- Scope - the extent of the enterprise architecture to which the policy applies;
- Roles - the roles that are significant within the context of the policy;
- Responsibilities - the responsibilities of each identified role;
- Activities - the functions that are performed to meet policy objectives.
Tools to support SecCM activities are selected for use across the organization by SecCM
program management, and information system owners are responsible for applying the tools
to the SecCM activities performed on each information system

Practical activities:
Activity 1:
Work in groups to research configuration management tools available in the industry.
Compare and categorise these tools based on their features, area of strengths and
limitations. These should be presented in class for shared understanding.
Activity 2:
Create a group project by interacting with companies that offer CM tools and prepare a sequential
process map of how the tool operates in order to carry out its functions.
Present the same in class, highlighting the functionality and dependencies of the tools.

Check your understanding:


Q. List two countermeasures to protect configuration store
a. ________________________________________
b. ________________________________________
Q. State the key criteria on which priority for implementing SecCM secure configurations is determined.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. If Configuration Item is an identifiable part of a system then what does Configuration Item
Identification mean?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. State TRUE or FALSE
a. There could be a different baseline configuration for each life cycle stage (development, test, staging, production) of the information system. (    )
b. Semi-automated tools work best to scan Web server, database server, network devices, etc. in SecCM program. (    )
Q. Rank the phases/stages of security-focused configuration management in the correct order


____Identifying and Implementing Configurations
____Planning
____Monitoring
____Controlling Configuration Changes

NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

UNIT IX
Log Correlation and Management

This Unit covers:
Lesson Plan
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response


LESSON PLAN

Outcomes
To be competent, you must be able to:
PC6. maintain accurate daily records/logs of information security performance parameters using standard templates and tools
PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required
PC9. update your organization's knowledge base promptly and accurately with information security issues and their resolution
PC3. carry out security assessment of information security systems using automated tools

Performance Measures
PC6, PC7. Going through various organizations' websites and understanding the policies and guidelines (Research). Understand, summarize and articulate. Peer group, Faculty group and Industry experts.
PC8. Peer review with faculty with appropriate feedback.
PC9. Going through various organizations' websites and understanding the policies and guidelines (Research).
PC3. Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.

You must know and understand:
KA1. your organization's policies, procedures, standards and guidelines for managing information security
KA2. your organization's knowledge base and how to access and update this
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA5. how to analyze root causes of information security issues
KA8. how to correlate devices and logs
KA9. different types of automation tools and how to use these
KA10. how to access and analyze information security performance metrics

Performance Measures
KA1. Going through various organizations' websites and understanding the policies and guidelines (Research).
KA2. Understand, summarize and articulate.
KA4, KA5. Peer group, Faculty group and Industry experts.
KA8. Peer review with faculty with appropriate feedback.
KA9. Going through various organizations' websites and understanding the policies and guidelines (Research).
KA10, KA11. Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.

Ensuring Work Environment Requirement
Lab: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Networking Equipment: Routers & Switches; Firewalls and Access Points; Access to all security sites like ISO, PCI DSS; Commercial Tools like HP WebInspect and IBM AppScan etc.; Open Source tools like sqlmap, Nessus etc.

Lesson
9.1 Event Logs - Concepts (As it is)
A log is a record of the events occurring within an organization's systems and networks. Logs are
composed of log entries; each entry contains information related to a specific event that has
occurred within a system or network. Originally, logs were used primarily for troubleshooting
problems, but logs now serve many functions within most organizations, such as optimizing system
and network performance, recording the actions of users, and providing data useful for investigating
malicious activity.
Logs have evolved to contain information related to many different types of events occurring within
networks and systems. Within an organization, many logs contain records related to computer
security; common examples of these computer security logs are audit logs that track user
authentication attempts and security device logs that record possible attacks.
Key Concepts
Log management: Log management refers to the broad practice of collecting, aggregating and
analysing network data for a variety of purposes. Data logging devices collect incredible amounts of
information on security, operational and application events; log management comprises the tools
to search and parse this data for trends, anomalies and other relevant information.
Security information event management (SIEM): Like log management, SIEM also involves the
collection and analysis of data. The key distinction to be made is that SIEM is a specialized tool for
information security. SIEM appliances enable event reduction and real-time alerting, and they
provide specific workflows to address security breaches as they occur. Another key feature of SIEM
is the incorporation of non-event based data, such as vulnerability scanning reports, for correlation
and analysis.
A lot of money has been invested in security products such as firewalls, intrusion detection, and
strong authentication over the past several years. However, system penetration attempts continue
to occur and go unnoticed until it is too late. It is not that security countermeasures are ineffective
against intrusive activity. Indeed, they can be very effective within an organization where security
policies and procedures require analysis of security events and appropriate incident response.
However, deploying and analysing a single device in an effort to maintain situational awareness with
respect to the state of security within an organization is the "computerized version of tunnel vision".
Security events must be analysed from as many sources as possible in order to assess threat and
formulate appropriate response. Extraordinary levels of security awareness can be attained in an
organization's network by simply listening to what its devices are telling you.

- Security software logs primarily contain computer security-related information.
- Operating system logs and application logs typically contain a variety of information, including
  computer security-related data.

Security Software
Most organizations use several types of network-based and host-based security software to detect
malicious activity, protect systems and data, and support incident response efforts. Accordingly,
security software is a major source of computer security log data. Common types of network-based
and host-based security software include the following:
Antimalware Software. The most common form of antimalware software is antivirus software, which
typically records all instances of detected malware, file and system disinfection attempts, and file
quarantines.
Additionally, antivirus software might also record when malware scans were performed and when
antivirus signature or software updates occurred. Antispyware software and other types of
antimalware software (e.g., rootkit detectors) are also common sources of security information.
Intrusion Detection and Intrusion Prevention Systems. Intrusion detection and intrusion prevention
systems record detailed information on suspicious behaviour and detected attacks, as well as any
actions intrusion prevention systems performed to stop malicious activity in progress.
Some intrusion detection systems, such as file integrity checking software, run periodically instead of
continuously, so they generate log entries in batches instead of on an ongoing basis.
Remote Access Software
Remote access is often granted and secured through virtual private networking (VPN). VPN systems
typically log successful and failed login attempts, as well as the dates and times each user connected
and disconnected, and the amount of data sent and received in each user session. VPN systems that
support granular access control, such as many Secure Sockets Layer (SSL) VPNs, may log detailed
information about the use of resources.
Web Proxies
Web proxies are intermediate hosts through which Web sites are accessed. Web proxies make Web
page requests on behalf of users, and they cache copies of retrieved Web pages to make additional
accesses to those pages more efficient. Web proxies can also be used to restrict Web access and to
add a layer of protection between Web clients and Web servers. Web proxies often keep a record of
all URLs accessed through them.
Vulnerability Management Software
Vulnerability management software, which includes patch management software and vulnerability
assessment software, typically logs the patch installation history and vulnerability status of each
host, which includes known vulnerabilities and missing software updates.
Vulnerability management software may also record additional information about hosts'
configurations. Vulnerability management software typically runs occasionally, not continuously,
and is likely to generate large batches of log entries.

Authentication Servers
Authentication servers, including directory servers and single sign-on servers, typically log each
authentication attempt, including its origin, username, success or failure, and date and time.
Routers
Routers may be configured to permit or block certain types of network traffic based on a policy.
Routers that block traffic are usually configured to log only the most basic characteristics of blocked
activity.
Firewalls
Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more
sophisticated methods to examine network traffic.
Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to
have more complex policies and generate more detailed logs of activity than routers.
Network Quarantine Servers
Some organizations check each remote host's security posture before allowing it to join the
network. This is often done through a network quarantine server and agents placed on each host.
Hosts that do not respond to the server's checks or that fail the checks are quarantined on a
separate virtual local area network (VLAN) segment. Network quarantine servers log information
about the status of checks, including which hosts were quarantined and for what reasons.
Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches)
usually log a variety of information related to security. The most common types of security-related
OS data are as follows:
System Events
System events are operational actions performed by OS components, such as shutting down the
system or starting a service. Typically, failed events and the most significant successful events are
logged, but many OSs permit administrators to specify which types of events will be logged. The
details logged for each event also vary widely; each event is usually timestamped, and other
supporting information could include event, status, and error codes; service name; and user or
system account associated with an event.
Audit Records
Audit records contain security event information such as successful and failed authentication
attempts, file accesses, security policy changes, account changes (e.g., account creation and
deletion, account privilege assignment), and use of privileges. OSs typically permit system
administrators to specify which types of events should be audited and whether successful and/or
failed attempts to perform certain actions should be logged.

OS logs are most beneficial for identifying or investigating suspicious activity involving a particular
host. After suspicious activity is identified by security software, OS logs are often consulted to get
more information on the activity.
Applications
Operating systems and security software provide the foundation and protection for applications,
which are used to store, access, and manipulate the data used for the organization's business
processes. Most organizations rely on a variety of commercial off-the-shelf (COTS) applications, such
as e-mail servers and clients, Web servers and browsers, file servers and file sharing clients, and
database servers and clients. Some applications generate their own log files, while others use the
logging capabilities of the OS on which they are installed. Applications vary significantly in the types
of information that they log. The following lists some of the most commonly logged types of
information and the potential benefits of each:
- Client requests and server responses, which can be very helpful in reconstructing sequences of
  events and determining their apparent outcome. If the application logs successful user
  authentications, it is usually possible to determine which user made each request. Some applications
  can perform highly detailed logging, such as e-mail servers recording the sender, recipients, subject
  name, and attachment names for each e-mail; Web servers recording each URL requested and the
  type of response provided by the server; and business applications recording which financial records
  were accessed by each user. This information can be used to identify or investigate incidents and to
  monitor application usage for compliance and auditing purposes.
- Account information such as successful and failed authentication attempts, account changes (e.g.,
  account creation and deletion, account privilege assignment), and use of privileges. In addition to
  identifying security events such as brute force password guessing and escalation of privileges, it can
  be used to identify who has used the application and when each person has used it.
- Usage information such as the number of transactions occurring in a certain period (e.g., minute,
  hour) and the size of transactions (e.g., e-mail message size, file transfer size). This can be useful for
  certain types of security monitoring (e.g., a ten-fold increase in e-mail activity might indicate a new
  e-mail borne malware threat; an unusually large outbound e-mail message might indicate
  inappropriate release of information).
- Significant operational actions such as application startup and shutdown, application failures, and
  major application configuration changes. This can be used to identify security compromises and
  operational failures.
Much of this information, particularly for applications that are not used through unencrypted
network communications, can only be logged by the applications, which makes application logs
particularly valuable for application-related security incidents, auditing, and compliance efforts.
However, these logs are often in proprietary formats that make them more difficult to use, and the
data they contain is often highly context-dependent, necessitating more resources to review their
contents.


9.2 Log Management and its need (As it is)


Log management can benefit an organization in many ways. It helps to ensure that computer
security records are stored in sufficient detail for an appropriate period of time. Routine log reviews
and analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and
operational problems shortly after they have occurred, and for providing information useful for
resolving such problems. Logs can also be useful for performing auditing and forensic analysis,
supporting the organization's internal investigations, establishing baselines, and identifying
operational trends and long-term problems.

A log management infrastructure typically comprises the following three tiers:


Log Generation
The first tier contains the hosts that generate the log data. Some hosts run logging client
applications or services that make their log data available through networks to log servers in
the second tier. Other hosts make their logs available through other means, such as
allowing the servers to authenticate to them and retrieve copies of the log files.
Log Analysis and Storage
The second tier is composed of one or more log servers that receive log data or copies of
log data from the hosts in the first tier. The data is transferred to the servers either in a
real-time or near-real-time manner, or in occasional batches based on a schedule or the
amount of log data waiting to be transferred. Servers that receive log data from multiple log
generators are sometimes called collectors or aggregators. Log data may be stored on the
log servers themselves or on separate database servers.
Log Monitoring
The third tier contains consoles that may be used to monitor and review log data and the
results of automated analysis. Log monitoring consoles can also be used to generate
reports. In some log management infrastructures, consoles can also be used to provide
management for the log servers and clients. Also, console user privileges sometimes can
be limited to only the necessary functions and data sources for each user.

Log management infrastructures typically perform several functions that assist in the storage, analysis,
and disposal of log data. These functions are normally performed in such a way that they do not alter
the original logs.
The following items describe common log management infrastructure functions:
Log parsing is extracting data from a log so that the parsed values can be used as input for another
logging process. A simple example of parsing is reading a text-based log file that contains 10
comma-separated values per line and extracting the 10 values from each line.
Parsing is performed as part of many other logging functions, such as log conversion and log
viewing.

Event filtering is the suppression of log entries from analysis, reporting, or long-term storage
because their characteristics indicate that they are unlikely to contain information of interest.
For example, duplicate entries and standard informational entries might be filtered because they
do not provide useful information to log analysts. Typically, filtering does not affect the generation
or short-term storage of events because it does not alter the original log files.
In event aggregation, similar entries are consolidated into a single entry containing a count of the
number of occurrences of the event. For example, a thousand entries that each record part of a
scan could be aggregated into a single entry that indicates how many hosts were scanned.
Aggregation is often performed as logs are originally generated (the generator counts similar related
events and periodically writes a log entry containing the count), and it can also be performed as part
of log reduction or event correlation processes, which are described below.
Storage
Log rotation is closing a log file and opening a new log file when the first file is considered to be
complete. Log rotation is typically performed according to a schedule (e.g., hourly, daily, weekly) or
when a log file reaches a certain size. The primary benefits of log rotation are preserving log entries
and keeping the size of log files manageable. When a log file is rotated, the preserved log file can be
compressed to save space. Also, during log rotation, scripts are often run that act on the archived
log. For example, a script might analyse the old log to identify malicious activity, or might perform
filtering that causes only log entries meeting certain characteristics to be preserved. Many log
generators offer log rotation capabilities; many log files can also be rotated through simple scripts or
third-party utilities, which in some cases offer features not provided by the log generators.
Log archival is retaining logs for an extended period of time, typically on removable media, a storage
area network (SAN), or a specialized log archival appliance or server. Logs often need to be preserved
to meet legal or regulatory requirements.
There are two types of log archival: retention and preservation. Log retention is archiving logs on a
regular basis as part of standard operational activities. Log preservation is keeping logs that normally
would be discarded, because they contain records of activity of particular interest. Log preservation
is typically performed in support of incident handling or investigations.
Log compression is storing a log file in a way that reduces the amount of storage space needed for
the file without altering the meaning of its contents. Log compression is often performed when logs
are rotated or archived.
Log reduction is removing unneeded entries from a log to create a new log that is smaller. A similar
process is event reduction, which removes unneeded data fields from all log entries. Log and event
reduction are often performed in conjunction with log archival so that only the log entries and data
fields of interest are placed into long-term storage.
Log conversion is parsing a log in one format and storing its entries in a second format. For example,
conversion could take data from a log stored in a database and save it in an XML format in a text file.
Many log generators can convert their own logs to another format; third party conversion utilities
are also available. Log conversion sometimes includes actions such as filtering, aggregation, and
normalization. In log normalization, each log data field is converted to a particular data
representation and categorized consistently. One of the most common uses of normalization is
storing dates and times in a single format. For example, one log generator might store the event
time in a twelve-hour format (2:34:56 P.M. EDT) categorized as Timestamp, while another log
generator might store it in twenty-four hour (14:34) format categorized as Event Time, with the time
zone stored in different notation (-0400) in a different field categorized as Time Zone. Normalizing
the data makes analysis and reporting much easier when multiple log formats are in use. However,
normalization can be very resource-intensive, especially for complex log entries (e.g., typical
intrusion detection logs).
Log file integrity checking involves calculating a message digest for each file and storing the message
digest securely to ensure that changes to archived logs are detected. A message digest is a digital
signature that uniquely identifies data and has the property that changing a single bit in the data
causes a completely different message digest to be generated. The most commonly used message
digest algorithms are MD5 and Secure Hash Algorithm 1 (SHA-1). If the log file is modified and its
message digest is recalculated, it will not match the original message digest, indicating that the file
has been altered. The original message digests should be protected from alteration through
FIPS-approved encryption algorithms, storage on read-only media, or other suitable means.
Analysis
Event correlation is finding relationships between two or more log entries. The most common form
of event correlation is rule-based correlation, which matches multiple log entries from a single
source or multiple sources based on logged values, such as timestamps, IP addresses, and event
types.
Event correlation can also be performed in other ways, such as using statistical methods or
visualization tools. If correlation is performed through automated methods, generally the result of
successful correlation is a new log entry that brings together the pieces of information into a single
place. Depending on the nature of that information, the infrastructure might also generate an alert
to indicate that the identified event needs further investigation.
Log viewing is displaying log entries in a human-readable format. Most log generators provide some
sort of log viewing capability; third-party log viewing utilities are also available. Some log viewers
provide filtering and aggregation capabilities.
Log reporting is displaying the results of log analysis. Log reporting is often performed to summarize
significant activity over a particular period of time or to record detailed information related to a
particular event or series of events.
Disposal
Log clearing is removing all entries from a log that precede a certain date and time. Log clearing is
often performed to remove old log data that is no longer needed on a system because it is not of
importance or it has been archived.
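The functions described in this section, as an added example that is not the handbook's own code: a small Python pipeline over constructed log lines from two imaginary generators (the two timestamp styles above), covering parsing and normalization, event filtering, event aggregation, rule-based correlation, and an integrity digest of the archived log. The generator formats, the zone table, the noise types and the correlation threshold and window are assumptions made for illustration.

```python
"""Added example (not the handbook's own code): a miniature log-management
pipeline over constructed entries from two imaginary log generators, covering
parsing, normalization, event filtering, event aggregation, rule-based
correlation and log file integrity checking, in that order."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real data). Generator A writes a 12-hour
# "Timestamp" with a zone name; generator B a 24-hour "Event Time" plus a
# separate "Time Zone" field: the mismatch that normalization removes.
GEN_A = """\
04/11/2023 2:34:56 PM EDT,10.0.0.7,auth,failure,alice
04/11/2023 2:34:59 PM EDT,10.0.0.7,auth,failure,alice
04/11/2023 2:35:02 PM EDT,10.0.0.7,auth,failure,alice
04/11/2023 2:35:10 PM EDT,10.0.0.7,auth,success,alice
04/11/2023 2:36:00 PM EDT,10.0.0.9,auth,failure,bob
"""
GEN_B = """\
2023-04-11 14:30:00,-0400,10.0.0.7,scan,info,10.0.1.1
2023-04-11 14:30:01,-0400,10.0.0.7,scan,info,10.0.1.2
2023-04-11 14:30:02,-0400,10.0.0.7,scan,info,10.0.1.3
2023-04-11 14:40:00,-0400,10.0.0.9,service,info,started
"""
ZONE_HOURS = {"EDT": -4, "EST": -5}  # assumption: zone names generator A emits
NOISE_TYPES = {"service"}            # routine informational entries to filter
FAIL_THRESHOLD, WINDOW = 3, timedelta(minutes=5)  # correlation rule parameters

def parse_gen_a(line):
    """Parse one generator-A line and normalize its local time to UTC."""
    stamp, src, etype, outcome, detail = line.split(",")
    local = datetime.strptime(stamp[:-4], "%m/%d/%Y %I:%M:%S %p")
    tz = timezone(timedelta(hours=ZONE_HOURS[stamp[-3:]]))
    ts = local.replace(tzinfo=tz).astimezone(timezone.utc)
    return {"ts": ts, "src": src, "type": etype, "outcome": outcome, "detail": detail}

def parse_gen_b(line):
    """Parse one generator-B line; the numeric offset field folds into %z."""
    stamp, offset, src, etype, outcome, detail = line.split(",")
    ts = datetime.strptime(stamp + offset, "%Y-%m-%d %H:%M:%S%z").astimezone(timezone.utc)
    return {"ts": ts, "src": src, "type": etype, "outcome": outcome, "detail": detail}

def parse_all():
    """Normalized, time-ordered view of both sources."""
    entries = [parse_gen_a(l) for l in GEN_A.splitlines()]
    entries += [parse_gen_b(l) for l in GEN_B.splitlines()]
    return sorted(entries, key=lambda e: e["ts"])

def filter_events(entries):
    """Event filtering: drop routine informational entries from the working set."""
    return [e for e in entries if e["type"] not in NOISE_TYPES]

def aggregate_scans(entries):
    """Event aggregation: fold per-target scan entries from one source into one."""
    scans, kept = defaultdict(list), []
    for e in entries:
        (scans[e["src"]] if e["type"] == "scan" else kept).append(e)
    for group in scans.values():
        targets = {g["detail"] for g in group}
        kept.append({**group[0], "outcome": "aggregated", "count": len(group),
                     "detail": f"{len(targets)} hosts scanned"})
    return sorted(kept, key=lambda e: e["ts"])

def correlate_auth(entries):
    """Rule-based correlation: FAIL_THRESHOLD or more failures from one source,
    then a success inside WINDOW, yield one new entry flagged for investigation."""
    recent, alerts = defaultdict(list), []
    for e in entries:
        if e["type"] != "auth":
            continue
        window = [f for f in recent[e["src"]] if e["ts"] - f["ts"] <= WINDOW]
        if e["outcome"] == "failure":
            window.append(e)
        elif e["outcome"] == "success" and len(window) >= FAIL_THRESHOLD:
            alerts.append({"ts": e["ts"], "src": e["src"], "type": "correlated", "outcome": "alert",
                           "detail": f"{len(window)} failures then success for {e['detail']}"})
            window = []
        recent[e["src"]] = window
    return alerts

def format_entry(e):
    return f"{e['ts'].isoformat()},{e['src']},{e['type']},{e['outcome']},{e['detail']}"

def archive_digest(entries):
    """Integrity check of the archived (normalized) log. SHA-256 is used rather
    than the MD5/SHA-1 the text names, as neither is collision resistant any
    longer; the digest must be kept where the log's writers cannot alter it."""
    text = "\n".join(format_entry(e) for e in entries)
    return hashlib.sha256(text.encode()).hexdigest()

def run_pipeline():
    """Run every stage and return the results for inspection or testing."""
    normalized = parse_all()
    working = aggregate_scans(filter_events(normalized))
    return {"normalized": normalized, "working": working,
            "alerts": correlate_auth(working), "digest": archive_digest(normalized)}

if __name__ == "__main__":
    result = run_pipeline()
    print("\n".join(format_entry(e) for e in result["working"] + result["alerts"]))
```

Filtering and aggregation here only shrink the working set handed to correlation; the normalized entries that feed the digest are never altered, which is the property the section asks log management functions to preserve.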


9.3 Log Management Process (As it is)


System-level and infrastructure administrators should follow standard processes for managing the
logs for which they are responsible.
Major operational processes for log management are as follows:
- Configure the log sources, including log generation, storage, and security
- Perform analysis of log data
- Initiate appropriate responses to identified events
- Manage the long-term storage of log data

Configure Log Sources


System-level administrators need to configure log sources so that they capture the necessary
information in the desired format and locations, as well as retain the information for the
appropriate period of time.
The process includes:
- Administrators determine which of their hosts and host components must or should participate
  in the log management infrastructure.
- A single log file might contain information from several sources, such as an OS log containing
  information from the OS itself and several security software programs and applications.
  Administrators ascertain which log sources use each log file.
- For each identified log source, administrators determine which types of events each log source
  must or should log, as well as which data characteristics must or should be logged for each type
  of event.

The administrators' ability to configure each log source is dependent on the features offered by that
particular type of log source. For example, some log sources offer very granular configuration
options, while some offer no granularity at all: logging is simply enabled or disabled, with no control
over what is logged. This section discusses log source configuration in three categories: log
generation, log storage and disposal, and log security.
Event Logs
Event logs are special files that record significant events on your computer, such as when a user logs
on to the computer or when a program encounters an error.
Example: Windows Event Log
Whenever the significant types of events occur, Windows records the event in an event log that you
can read by using Event Viewer. Advanced users might find the details in event logs helpful when
troubleshooting problems with Windows and other programs.


Event Viewer tracks information in several different logs. Windows Logs include:
Application (program) events
Events are classified as error, warning, or information, depending on the severity of the event. An
error is a significant problem, such as loss of data. A warning is an event that isn't necessarily
significant, but might indicate a possible future problem. An information event describes the
successful operation of a program, driver, or service.
Security-related events
These events are called audits and are described as successful or failed depending on the event,
such as whether a user trying to log on to Windows was successful.
Setup events
Computers that are configured as domain controllers will have additional logs displayed here.
System events
System events are logged by Windows and Windows system services, and are classified as error,
warning, or information.
Forwarded events
These events are forwarded to this log by other computers.
Applications and Services Logs vary. They include separate logs about the programs that run on your
computer, as well as more detailed logs that pertain to specific Windows services.
1. Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and
   Security, clicking Administrative Tools, and then double-clicking Event Viewer. Administrator
   permission is required: if you're prompted for an administrator password or confirmation, type
   the password or provide confirmation.
2. Click an event log in the left pane.
3. Double-click an event to view the details of the event.


9.4 Configuring Windows Event Log (As it is)


Authorized administrators can define security settings for the event logs. The choices are somewhat
limited, and include log size, the length of time a log should be stored, and when the log should be
cleared. Each event log can be configured individually.
1. Click Start, select Programs, select Administrative Tools, click Computer Management.
2. In the console tree, click Event Viewer. Right-click Security and select Properties.
3. The Security Properties window will appear. Here authorized administrators can set the Maximum
   log size and select what action to take when the maximum log size is reached. To restore the
   default settings, click Restore Defaults. To clear the log, click Clear Log.
   Under Log size, select one of these options:
   - If the log is not to be archived, click Overwrite events as needed.
   - To archive the log at scheduled intervals, click Overwrite events older than and specify the
     appropriate number of days. Be sure that the Maximum log size is large enough to accommodate
     the interval.
   - To retain all the events in the log, click Do not overwrite events (clear log manually). This option
     requires that logs be cleared manually. When the maximum log size is reached, new events are
     discarded. If the event log is not cleared and archived regularly, the following message will appear.
1. After establishing the security log settings, click the Apply button.
2. The Security Properties window also provides the ability to set filters on the event log to perform
   searches and sorting of audit data. To filter an existing event log in order to view or save specific
   security events, select the Filter tab and configure the filter.
3. To configure the filter, select the Event types that will be included by checking or unchecking a
   selection box next to Information, Warning, Error, Success Audit, and/or Failure Audit, then input
   any additional desired filtering requirements by Event source, Category, Event ID, User, or
   Computer.
4. By default the entire event log will be filtered for viewing by the parameters selected above. If
   desired, select a date and time range for the logs that will be filtered for viewing. This is
   accomplished by first clicking on the From: drop-down menu and changing the selection to Events
   On. The date and time dialog boxes will become active. Change the date by selecting the drop-down
   menu and choosing a date from the calendar that is presented. Change the time by scrolling the up
   and down arrows in the time dialog box. Follow the same procedure by clicking on the To: drop-down
   menu and changing the selection to Events On, and set the end date and time in the same way.
5. Once all the desired filtering options have been selected, click the Apply button and click OK. The
   Event Viewer will filter the log and display the information as defined by the filter.

Windows Logon Types

Logon Types are logged in the Logon Type field of logon events (event IDs 528 and 540 for successful logons, and 529-537 and 539 for failed logons, on Windows 2000, XP and Server 2003; Windows Vista, Server 2008 and later record the same information in events 4624 and 4625).
Windows supports the following logon types and associated logon type values:
2: Interactive logon. This is used for a logon at the console of a computer. A type 2 logon is logged when you log on at a Windows computer's local keyboard and screen.
3: Network logon. This logon occurs when you access remote file shares or printers. Also, most logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons that use the basic authentication protocol (those are logged as logon type 8).
4: Batch logon. This is used for scheduled tasks. When the Windows Scheduler service starts a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created.
5: Service logon. This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.
7: Unlock. This is logged whenever you unlock your Windows machine.
8: Network clear text logon. This is used when you log on over a network and the password is sent in clear text. This happens, for example, when you use basic authentication to authenticate to an IIS server. A type 8 logon tells the analyst that the password itself, not just a hash or ticket, crossed the network, so the transport must be protected (for example by TLS).
9: New credentials-based logon. This is used when you run an application using the RunAs command and specify the /netonly switch. When you start a program with RunAs using /netonly, the program starts in a new logon session that has the same local identity (the identity of the user you are currently logged on with) but uses different credentials (the ones specified in the runas command) for other network connections. Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command, and logs the logon event with type 2.
10: Remote Interactive logon. This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.
11: Cached Interactive logon. This is logged when users log on using cached credentials, which basically means that in the absence of a domain controller you can still log on to your local machine using your domain credentials. Windows supports logon using cached credentials to ease the life of mobile users and users who are often disconnected.
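The logon type table above becomes useful once it is applied to a batch of security-log records. The following Python is an added example (it is not part of the handbook and not a Microsoft tool) that classifies constructed logon records by outcome and logon type, then flags the two things an analyst looks at first: successful type 8 (cleartext) logons, and accounts with repeated failures, which is a crude password-guessing indicator. The event tuples, account names and the threshold of five failures are assumptions made for the example.

```python
"""Classify Windows security-log logon events by logon type and surface the
combinations an analyst looks at first.  Added example (not from the handbook);
the event records below are constructed, not captured from a real system."""
from collections import Counter

# Logon type values as recorded in the Logon Type field of the security log.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Event IDs: 528/540 and 529-537/539 on Windows 2000/XP/2003,
# 4624/4625 on Windows Vista/Server 2008 and later.
SUCCESS_IDS = {528, 540, 4624}
FAILURE_IDS = set(range(529, 538)) | {539, 4625}

# Constructed sample records: (event_id, account, logon_type, workstation)
SAMPLE_EVENTS = [
    (540, "WEB01$", 3, "FS01"),            # machine account reading a share
    (528, "alice", 2, "WS-ALICE"),         # console logon
    (529, "Administrator", 3, "-"),        # five failed network logons ...
    (529, "Administrator", 3, "-"),
    (529, "Administrator", 3, "-"),
    (529, "Administrator", 3, "-"),
    (529, "Administrator", 3, "-"),
    (528, "bob", 10, "LAPTOP-BOB"),        # RDP session
    (528, "svc_backup", 5, "FS01"),        # service start
    (528, "webuser", 8, "WEB01"),          # IIS basic auth: password in clear
    (529, "carol", 2, "WS-CAROL"),         # one typo at the console
]


def classify(event):
    """Return a dict describing one logon event (outcome + readable type)."""
    event_id, account, logon_type, workstation = event
    if event_id in SUCCESS_IDS:
        outcome = "success"
    elif event_id in FAILURE_IDS:
        outcome = "failure"
    else:
        outcome = "other"
    return {
        "outcome": outcome,
        "account": account,
        "logon_type": logon_type,
        "type_name": LOGON_TYPES.get(logon_type, f"Unknown({logon_type})"),
        "workstation": workstation,
    }


def analyze(events, guess_threshold=5):
    """Summarize logons per (outcome, type) and flag cleartext logons and
    accounts with repeated failures (a crude password-guessing indicator)."""
    per_type = Counter()
    failures = Counter()
    findings = []
    for event in events:
        rec = classify(event)
        per_type[(rec["outcome"], rec["type_name"])] += 1
        if rec["outcome"] == "failure":
            failures[rec["account"]] += 1
        if rec["outcome"] == "success" and rec["logon_type"] == 8:
            findings.append(
                f"cleartext network logon for {rec['account']} on "
                f"{rec['workstation']}: credentials crossed the network unencrypted")
    for account, count in failures.items():
        if count >= guess_threshold:
            findings.append(
                f"{count} failed logons for {account}: possible password guessing")
    return {"per_type": dict(per_type), "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for key, count in sorted(result["per_type"].items()):
        print(f"{key[0]:8} {key[1]:18} {count}")
    for finding in result["findings"]:
        print("!!", finding)
```

In a real review the failure threshold should be tuned against the baseline for each account type: five failures for a service account that never types a password is far more suspicious than five for a human at the console.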
How to Read the Windows Application, Security, and System Log Files
The Windows application, security, and system log files are read with the Windows Event Viewer, which can be opened from the Control Panel (or directly by running eventvwr.msc):
Click the Start button on the desktop's Taskbar
Click the Control Panel menu item; the Control Panel window will open
In the Control Panel, double-click the Administrative Tools icon; the Administrative Tools window will open with a list of icons
Double-click the Event Viewer icon
How to Read Other Windows Log Files
Many log files written by software applications are plain text files, so any text editor, including the Notepad and WordPad that ship with Windows, can read them. To open a .txt log file in WordPad:
Click the Start button on the desktop's Taskbar
Click All Programs
Click the Accessories menu item
Click the WordPad application; a new WordPad window will open
Click the File menu, then the Open menu item
Navigate to the desired log file and click the Open button
There are also programs that allow the user to monitor log files as they occur in real-time. Examples
of such software include Tail For Win32 and Hoo WinTail. These programs make it easy to read new
entries from the bottom (tail) of the log file.

9.5 IIS log files (As it is)


Internet Information Services (IIS) is a web server developed by Microsoft for use with Windows
Server. The server is meant for a variety of hosting uses while attempting to maintain a high level of
flexibility and scalability.
To help with server use and analysis, IIS is integrated with several types of log files. These log file
formats provide information on a range of websites and specific statistics, including Internet
Protocol (IP) addresses, user information and site visits as well as dates, times and queries.
Log File Formats in IIS (IIS 6.0)
IIS provides six different log file formats that you can use to track and analyse information about
your IIS-based sites and services. In addition to the six available formats, you can create your own
custom log file format.
The following log file formats and logging options are available in IIS:

W3C Extended Log File Format Text-based, customizable format for a single site. This is the
default format.
W3C Centralized Logging All data from all Web sites is recorded in a single log file in the W3C
log file format.
NCSA Common Log File Format Text-based, fixed format for a single site.
IIS Log File Format Text-based, fixed format for a single site.
ODBC Logging Fixed format for a single site. Data is recorded in an ODBC-compliant database.
Centralized Binary Logging Binary-based, unformatted data that is not customizable. Data is
recorded from multiple Web sites and sent to a single log file. To interpret the data, you need
a special parser.
HTTP.sys Error Log Files Fixed format for HTTP.sys-generated errors.
You can read text-based log files using a text editor such as Notepad, which is included with Windows,
but administrators often import the files into a report-generating software tool for further analysis.
IIS logs, when properly analysed, provide information about demographics and usage of the IIS web
server. By tracking usage data, web providers can better tailor their services to support specific
regions, time frames or IP ranges. Log filters also allow providers to track only the data deemed
necessary for analysis.
Analyse an IIS Log file
IIS logs contain crucial information for improving the web site. Log files for an IIS server are the key
source of information for managing the websites hosted on the server. The log files contains a
record of each request from a web user and the response provided by the IIS server. This data is
crucial for marketing, site performance and security. Logs are often the only indication that a user is
attempting to hack into your IIS server. Patterns and trends can be spotted in this data to help you
segment your users for marketing opportunities. IIS log analysis is a critical tool in improving your
website.
Internet Information Services (IIS) 6.0 offers a number of ways to record the activity of your Web
sites, File Transfer Protocol (FTP) sites, Network News Transfer Protocol (NNTP) service, and Simple
Mail Transfer Protocol (SMTP) service and allows you to choose the log file format that works best
for your environment. IIS logging is designed to be more detailed than the event logging or
performance monitoring features of the Microsoft Windows Server 2003, Standard Edition,
Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition,
operating systems. IIS log files can include information such as who has visited your site, what was
viewed, and when the information was last viewed. You can monitor attempts to access your sites,
virtual folders, or files and determine whether attempts were made to read or write to your files. IIS
log file formats allow you to record events independently for any site, virtual folder, or file.
Using a text editor, the following steps can be used to analyse an IIS log file:

Open a log file such as "ex010110.log" in your text editor. In the W3C Extended format the six digits after "ex" are the date the file was created in yymmdd order (year, month, day), so ex010110.log was created on 10 January 2001.
Locate the header information. This is a line starting with "#Fields:". Use this line to determine the meaning of each column; the order of fields depends on which fields were enabled when logging was configured, so never assume a fixed column layout.
Use the date and time to identify when the request was made (W3C Extended logs record time in UTC by default). The "s-sitename" and "s-computername" fields indicate which site and server responded to the request.
Identify the visitor by "c-ip", the IP address of the client that made the request.
The "cs-method" column will most often contain "GET" or "POST", depending on the request made by the visitor's browser. The fields "cs-uri-stem" and "cs-uri-query" denote the resource (such as an image or web page) and the query string the visitor requested. Spaces inside logged fields are replaced with "+".
Use the "sc-status" column to determine whether the web server was able to respond to the request correctly: 2xx codes indicate success, 3xx redirection, 4xx a client error such as 404 Not Found, and 5xx a server error.
Use "cs(User-Agent)" to determine what type of browser the visitor used, or whether the visitor is actually a search engine crawler or a scanning tool.
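The steps above can be automated so that a whole day's log is read by the #Fields: header rather than by eye. The following Python is an added example (not IIS code and not the handbook's own): it parses a constructed W3C Extended log excerpt, summarises status codes, and pulls out the signals the text mentions, that is directory traversal in the URI, SQL injection characters in the query, scanner user-agent strings and clients producing many 4xx responses. The sample log lines, the TEST-NET addresses, the scanner name list and the threshold of two client errors are assumptions made for the example.

```python
"""Parse IIS W3C Extended log lines by their #Fields: header and pull out the
signals discussed in the steps above.  Added example, not IIS code or the
handbook's own; the log excerpt is constructed (TEST-NET addresses)."""
from collections import Counter, defaultdict
from urllib.parse import unquote

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2001-01-10 00:00:00
#Fields: date time s-sitename s-computername c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-01-10 00:00:05 W3SVC1 WEB01 203.0.113.7 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2001-01-10 00:00:09 W3SVC1 WEB01 203.0.113.7 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2001-01-10 00:01:12 W3SVC1 WEB01 198.51.100.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 Mozilla/5.00+(Nikto/2.1.5)
2001-01-10 00:01:13 W3SVC1 WEB01 198.51.100.9 GET /admin/ - 404 Mozilla/5.00+(Nikto/2.1.5)
2001-01-10 00:01:14 W3SVC1 WEB01 198.51.100.9 GET /login.asp user=admin'+OR+1=1-- 500 Mozilla/5.00+(Nikto/2.1.5)
2001-01-10 00:02:30 W3SVC1 WEB01 192.0.2.44 POST /login.asp - 302 Mozilla/5.0
"""

SCANNER_TAGS = ("nikto", "sqlmap", "nmap", "masscan")   # assumed list
SQLI_MARKERS = ("'", " or 1=1", "union select", "--")


def parse_w3c(text):
    """Turn W3C Extended log text into a list of dicts keyed by field name."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if line.startswith("#"):
            continue                        # other directives
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                        # truncated line: skip, do not guess
        rows.append(dict(zip(fields, values)))
    return rows


def decode(value):
    """Undo IIS field encoding: '+' stands for a space, then URL-decode once."""
    return unquote(value.replace("+", " ")).lower()


def status_summary(rows):
    """How many responses of each sc-status the server returned."""
    return Counter(r["sc-status"] for r in rows)


def find_suspicious(rows, client_error_threshold=2):
    """Return (kind, client_ip, detail) tuples worth a closer look."""
    findings = []
    client_errors = defaultdict(int)
    for r in rows:
        ip = r["c-ip"]
        stem = decode(r["cs-uri-stem"])
        query = decode(r["cs-uri-query"]) if r["cs-uri-query"] != "-" else ""
        agent = decode(r["cs(User-Agent)"])
        if r["sc-status"].startswith("4"):
            client_errors[ip] += 1
        if ".." in stem or "\\" in stem:          # path traversal attempt
            findings.append(("traversal", ip, r["cs-uri-stem"]))
        if any(marker in query for marker in SQLI_MARKERS):
            findings.append(("sqli", ip, r["cs-uri-query"]))
        if any(tag in agent for tag in SCANNER_TAGS):
            findings.append(("scanner-ua", ip, r["cs(User-Agent)"]))
    for ip, count in client_errors.items():
        if count >= client_error_threshold:      # probing for files that do not exist
            findings.append(("many-4xx", ip, str(count)))
    return findings


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    print(dict(status_summary(rows)))
    for kind, ip, detail in find_suspicious(rows):
        print(f"{kind:11} {ip:15} {detail}")
```

Note that the traversal check still fires on the double-encoded "%255c" request because ".." survives a single decode; a check that only looked for the literal backslash would have missed it.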
9.6 Log Analysis and Response (As it is)


Analyse Log Data
Effective analysis of log data is often the most challenging aspect of log management, but is also
usually the most important. Although analysing log data is sometimes perceived by administrators as
uninteresting and inefficient (e.g., little value for much effort), having robust log management
infrastructures and automating as much of the log analysis process as possible can significantly
improve analysis so that it takes less time to perform and produces more valuable results.
The most effective way to gain a solid understanding of log data is to review and analyse portions of
it regularly (e.g., every day). The goal is to eventually gain an understanding of the baseline of typical
log entries, likely encompassing the vast majority of log entries on the system. (Because a few types
of entries often comprise a significant percentage of the log entries, this is not as difficult as it may
first sound.) Daily log reviews should include those entries that have been deemed most likely to be
important, as well as some of the entries that are not yet fully understood. Because it can take
considerable effort to understand the significance of most log entries, the initial days, weeks, or
even months of performing the log analysis process are the most challenging and time-consuming.
Over time, as the baseline of normal activity is broadened and deepened, the daily log reviews
should take less time and be more focused on the most important log entries, thus leading to more
valuable analysis results.
Another motivation for understanding the log entries is so that the analysis process can be
automated as much as possible. By determining which types of log entries are of interest and which
are not, administrators can configure automated filtering of the log entries. This allows events
known to be malicious to be recognized and responded to automatically (e.g., alerting
administrators, reconfiguring other security controls). Another purpose for filtering is to ensure that
the manual analysis performed by administrators is prioritized appropriately. The filtering should be
configured so that it presents administrators with a reasonable number of entries for manual
analysis.
Web log analysis software (also called a web log analyzer) is a kind of web analytics software that
parses a server log file from a web server and, based on the values contained in the log file, derives
indicators about when, how, and by whom a web server is visited. Usually reports are generated
from the log files directly, but the log files can alternatively be parsed into a database and
reports generated on demand.
There are free, open source and paid software tools available for log analysis and management.
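The baseline-then-filter process described above can be shown concretely. The following Python is an added example (not from the handbook or from any log-management product): a reviewed day's lines are reduced to their "shape" (timestamp dropped, IP addresses and numbers masked) to form the baseline; each of today's lines is then routed to an automated response if it matches a known-bad rule, to manual review if its shape was never seen in the baseline, or counted as known noise. All log lines, the two rules and the response texts are constructed for the example.

```python
"""Baseline-and-filter triage for daily log review.  Lines from a period the
administrator has already reviewed form the baseline of normal entry shapes;
today's entries are then split into (1) matches of known-bad rules that can be
handled automatically, (2) entries whose shape was never seen before and need
manual review, and (3) known noise.  Added example (not from the handbook or
any product); all log lines are constructed."""
import re
from collections import Counter

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUM_RE = re.compile(r"\b\d+\b")

# Known-bad patterns and the automated response they should trigger (assumed).
KNOWN_BAD = [
    (re.compile(r"Accepted \S+ for root from"), "page on-call: direct root SSH login"),
    (re.compile(r"Failed password for invalid user"), "add source IP to SSH block list"),
]

BASELINE_LINES = [
    "2024-03-01T08:00:01 sshd[4021]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "2024-03-01T08:05:17 sshd[4088]: Accepted publickey for bob from 10.0.0.7 port 50022 ssh2",
    "2024-03-01T09:00:00 CRON[4100]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
    "2024-03-01T09:30:44 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "2024-03-01T10:00:00 CRON[4199]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
]

TODAY_LINES = [
    "2024-03-02T08:01:10 sshd[5120]: Accepted publickey for alice from 10.0.0.5 port 51300 ssh2",
    "2024-03-02T09:00:00 CRON[5200]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
    "2024-03-02T11:42:03 sshd[5301]: Accepted password for root from 198.51.100.9 port 40112 ssh2",
    "2024-03-02T11:42:09 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "2024-03-02T11:43:00 sshd[5310]: Failed password for invalid user admin from 198.51.100.9 port 40200 ssh2",
    "2024-03-02T12:00:00 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx",
]


def template(line):
    """Reduce a line to its shape: drop the timestamp, mask IPs and numbers."""
    _, _, rest = line.partition(" ")
    rest = IP_RE.sub("<ip>", rest)
    return NUM_RE.sub("<n>", rest)


def build_baseline(lines):
    """Count how often each shape appears during the reviewed period."""
    return Counter(template(line) for line in lines)


def triage(baseline, lines):
    """Route each line: automated response, manual review, or known noise."""
    auto, review, known = [], [], 0
    for line in lines:
        action = next((act for pat, act in KNOWN_BAD if pat.search(line)), None)
        if action:
            auto.append((action, line))
        elif template(line) not in baseline:
            review.append(line)
        else:
            known += 1
    return {"auto": auto, "review": review, "known": known}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LINES)
    result = triage(baseline, TODAY_LINES)
    for action, line in result["auto"]:
        print("AUTO  ", action, "<-", line)
    for line in result["review"]:
        print("REVIEW", line)
    print("known-normal entries:", result["known"])
```

Usernames are deliberately left in the template, so a first-time login by a new account surfaces for review; the number of masked fields is the knob that decides how much lands in the manual-review queue each day.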
Response to events
During their log analysis, infrastructure and system-level administrators may identify events of
significance, such as incidents and operational problems that necessitate some type of response.
When an administrator identifies a likely computer security incident, as defined by the
organizations incident response policies, the administrator should follow the organizations incident
response procedures to ensure that it is addressed appropriately. Examples of computer security
incidents include a host being infected by malware and a person gaining unauthorized access to a
host.
Administrators should perform their own responses to non-incident events, such as minor
operational problems (e.g., misconfiguration of host security software). Some organizations require
system-level administrators to report incidents and logging-related operational problems to
infrastructure administrators so that the infrastructure administrators can better identify additional
instances of the same activities and patterns that cannot be seen at the individual system level.
Infrastructure and system-level administrators should also be prepared to assist incident response
teams with their efforts. For example, when an incident occurs, affected system-level administrators
may be asked to review their systems logs for particular signs of malicious activity or to provide
copies of their logs to incident handlers for further analysis. Administrators should also be prepared
to alter their logging configurations as part of a response. Adverse events such as worms often cause
unusually large numbers of events to be logged. This can cause various negative impacts, such as
slowing system performance, overwhelming logging processes, and overwriting recent log entries.
Analysts may not be able to see other events of significance because their records are hidden among
all of the other log entries. Accordingly, administrators may need to reconfigure logging for the short
term, long term, or permanently, depending on the source of the log data, to prevent it from
overwhelming the system and the logs. Administrators may also need to adjust logging to capture
more data as part of a response effort, such as collecting additional information on a particular type
of activity. To identify similar incidents, especially in the short term, administrators may need to
perform additional log monitoring and analysis, such as more closely examining the types of logging
sources that recorded pertinent information on the initial incident.

Summary
Log management refers to the broad practice of collecting, aggregating and analysing network and system log data for a variety of purposes.
Security information and event management (SIEM) involves the collection and analysis of log data from many sources.
Security software is a major source of computer security log data.
Web proxies often keep a record of all URLs accessed through them.
Routers and firewalls permit or block certain types of network traffic based on a policy; they differ in the level of complexity of that policy.
OS logs are most beneficial for identifying or investigating suspicious activity involving a particular host.
Operating systems and security software provide the foundation and protection for applications. Applications vary significantly in the types of information that they log; some of the most commonly logged types of information include:
o Client requests and server responses
o E-mail servers recording the sender, recipients, subject and attachment names for each e-mail
o Web servers recording each URL requested and the type of response provided by the server
o Business applications recording which financial records were accessed by each user
o Successful and failed authentication attempts, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges
o Brute-force password guessing and escalation of privileges
o Number of transactions occurring in a certain period and size of transactions
Log management ensures that computer security records are stored in sufficient detail for an appropriate period of time. A log management infrastructure typically comprises the following three tiers:
Log Generation: contains the hosts that generate the log data
Log Analysis and Storage: composed of one or more log servers that receive log data or copies of log data
Log Monitoring: contains consoles that may be used to monitor and review log data and the results of automated analysis
Log management infrastructures typically perform several functions that assist in the storage, analysis, and disposal of log data. These functions are normally performed in such a way that they do not alter the original logs.
Major operational processes for log management are as follows:
Configure the log sources, including log generation, storage, and security
Perform analysis of log data
Initiate appropriate responses to identified events
Manage the long-term storage of log data
Authorized administrators can define security settings for the event logs. The choices are somewhat limited, and include log size, the length of time a log should be stored, and when the log should be cleared.
Internet Information Services (IIS) is a web server developed by Microsoft for use with Windows Server. The server is meant for a variety of hosting uses while attempting to maintain a high level of flexibility and scalability.
The most effective way to gain a solid understanding of log data is to review and analyse portions of it regularly (e.g., every day).
Infrastructure and system-level administrators may identify events of significance during log analysis, such as incidents and operational problems that necessitate some type of response.

Practical activities:
Activity 1:
Study various log report templates and sources which provide guidance on using log
reports. The various information available in the report should be understood and
possible anomalies listed.
Activity 2:
Work in groups to explore the log configurations of your own training institute server
and generate reports from the servers each week. These should be analysed and
activity reports and inferences from it presented in class by a different group each
week.

Check your understanding:


Q. State the key distinction between log management and security information event management.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Q. What do you understand by the technical phrase computerized version of tunnel vision?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. Mention the common features shared by Routers and Firewalls
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Q. Fill in the blanks

Web proxies are intermediate hosts that act as a layer between _______________________________ and ______________________________________.

Status of checks and quarantined hosts log information can be retrieved from __________________.
Q. State the type of log which is most beneficial for identifying or investigating suspicious activity
involving a particular host
__________________________________________________________________________________
Q. Tick the best answers to the following question
Log monitoring consoles can
a) receive log data or copies of log data
b) generate reports
c) provide management for the log servers and clients
d) All of the above
Q. State TRUE or FALSE

The most common form of antimalware software is antivirus software. (   )

Event Filtering is extracting data from a log so that the parsed values can be used as input for another logging process. (   )

Q. Define the two types of log archival.


__________________________________________________________________________________
__________________________________________________________________________________
Q. Why are log and event reduction performed simultaneously with log archival?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

UNIT X
Data Backup

This Unit covers:


Lesson Plan
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy
LESSON PLAN

Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
PC5. carry out backups of security devices and applications in line with information security policies, procedures and guidelines, where required
You must know and understand:
KA12. your organization's information security systems and tools and how to access and maintain these
KB2. different types of backups for security devices and applications and how to carry out backups

Performance Measures
KA12. Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
KB2. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding the various methodologies and usage of algorithms.

Ensuring Work Environment Requirement (Lab)
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Networking Equipment: Routers & Switches
Firewalls and Access Points
Backup devices and storage media
Lesson
10.1 Data Backup - Overview (As it is)
Backup is the activity of copying files or databases so that they will be preserved in case of
equipment failure or other catastrophe. Backup is usually a routine part of the operation of large
businesses with mainframes as well as the administrators of smaller business computers. For
personal computer users, backup is also necessary but often neglected. The retrieval of files you
backed up is called restoring them.

Purpose
All electronic information considered of institutional value should be copied onto secure storage
media on a regular basis (i.e., backed up), for disaster recovery and business resumption. Special
backup needs, identified through technical risk analysis that exceeds these requirements, should be
accommodated on an individual basis.

Scope

Data custodians are responsible for providing adequate backups to ensure the recovery of data and
systems in the event of failure. Backup provisions allow business processes to be resumed in a
reasonable amount of time with minimal loss of data. Since hardware and software failures can take
many forms, and may occur over time, multiple generations of institutional data backups need to be
maintained.

10.2 Types of Backup (As it is)

Full backup
Full backup is a method of backup where all the files and folders selected for the backup will be
backed up. It is commonly used as an initial or first backup followed with subsequent incremental or
differential backups. After several incremental or differential backups, it is common to start over
with a fresh full backup again.
Some also like to do full backups for all backup runs typically for smaller folders or projects that do not
occupy too much storage space.
Advantages
Restores are fast and easy to manage as the entire list of files and folders are in one backup set.
Easy to maintain and restore different versions.
Disadvantages
Backups can take very long as each file is backed up again every time the full backup is run.
Consumes the most storage space compared to incremental and differential backups. The exact
same files are stored repeatedly, resulting in inefficient use of storage.

Incremental backup
Incremental backup is a backup of all changes made since the last backup. The last backup can be a
full backup or simply the last incremental backup. With incremental backups, one full backup is done
first and subsequent backup runs are just the changed files and new files added since the last
backup.
Advantages
Much faster backups
Efficient use of storage space as files are not duplicated. Much less storage space is used compared to
running full backups and even differential backups.
Disadvantages
Restores are slower than with a full backup and differential backups.
Restores are a little more complicated. All backup sets (first full backup and all incremental backups)
are needed to perform a restore.

Differential backups
Differential backups fall in the middle between full backups and incremental backup. A differential
backup is a backup of all changes made since the last full backup. With differential backups, one full
backup is done first and subsequent backup runs are the changes made since the last full backup.
The result is a much faster backup than a full backup for each backup run. Storage space used is less
than a full backup but more than with incremental backups. Restores are slower than with a full
backup but usually faster than with incremental backups.
Advantages
Much faster backups than full backups
More efficient use of storage space than full backups, since only files changed since the last full
backup are copied on each differential backup run.
Faster restores than incremental backups
Disadvantages
Backups are slower than incremental backups
Not as efficient a use of storage space as incremental backups. All files added or edited
after the initial full backup are duplicated again with each subsequent differential backup.
Restores are slower than with full backups.
Restores are a little more complicated than full backups but simpler than incremental backups. Only
the full backup set and the last differential backup are needed to perform a restore.

Mirror backups
Mirror backups are as the name suggests a mirror of the source being backed up. With mirror
backups, when a file in the source is deleted, that file is eventually also deleted in the mirror backup.
Because of this, mirror backups should be used with caution as a file that is deleted by accident,
sabotage or through a virus may also cause that same file in mirror to be deleted as well. Some do
not consider a mirror to be a backup.
Many online backup services offer a mirror backup with a 30 day delete. This means that when you
delete a file on your source, that file is kept on the storage server for at least 30 days before it is
eventually deleted. This helps strike a balance offering a level of safety while not allowing the
backups to keep growing since online storage can be relatively expensive.
Many backup software utilities do provide support for mirror backups.
Advantages
The backup is clean and does not contain old and obsolete files
Disadvantages
There is a chance that files in the source deleted accidentally, by sabotage or through a virus may
also be deleted from the backup mirror.
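The trade-offs between the four backup types above are easiest to see by running them side by side over the same sequence of changes. The following Python is an added example (not the handbook's own material and not any backup product's code): it replays four days of a constructed source tree through full, incremental, differential and mirror schedules, counts the file copies each schedule writes, and rebuilds the latest state from the sets a restore would need. The file names, version tags and the simplifying assumption that a backup set records copies but not deletions are mine; that assumption is what makes the deleted c.txt reappear after a full-plus-incremental restore and vanish from the mirror, which is exactly the deletion behaviour the mirror paragraph warns about.

```python
"""Simulate full, incremental, differential and mirror backup schedules over
a sequence of daily source states, to show what each run copies and which
backup sets a restore must read.  Added example, not from the handbook; the
file names and version tags are constructed."""

# Source state per day: {path: version}.  Day 0 is the initial full backup.
DAYS = [
    {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},
    {"a.txt": "a2", "b.txt": "b1", "c.txt": "c1"},                 # a edited
    {"a.txt": "a2", "b.txt": "b1", "c.txt": "c1", "d.txt": "d1"},  # d added
    {"a.txt": "a2", "b.txt": "b2", "d.txt": "d1"},                 # b edited, c deleted
]


def changed_since(current, reference):
    """Files that are new or modified in `current` relative to `reference`.
    Deleted files are not represented: this model tracks copies, not deletions."""
    return {p: v for p, v in current.items() if reference.get(p) != v}


def run_schedule(days, mode):
    """Return the list of backup sets produced by running `mode` every day."""
    sets = [dict(days[0])]                       # first run is always a full copy
    for i in range(1, len(days)):
        if mode == "full":
            sets.append(dict(days[i]))
        elif mode == "incremental":              # changes since the previous run
            sets.append(changed_since(days[i], days[i - 1]))
        elif mode == "differential":             # changes since the last full
            sets.append(changed_since(days[i], days[0]))
        elif mode == "mirror":                   # the copy is replaced outright
            sets = [dict(days[i])]
        else:
            raise ValueError(mode)
    return sets


def files_copied(sets):
    """Total number of file copies written across the whole schedule."""
    return sum(len(s) for s in sets)


def restore_chain(sets, mode):
    """Backup sets that must be read, in order, to rebuild the latest state."""
    if mode in ("full", "mirror"):
        return [sets[-1]]
    if mode == "incremental":
        return list(sets)
    if mode == "differential":
        return [sets[0], sets[-1]] if len(sets) > 1 else [sets[0]]
    raise ValueError(mode)


def restore(chain):
    """Replay the chain: later sets overwrite earlier versions of the same path."""
    state = {}
    for s in chain:
        state.update(s)
    return state


if __name__ == "__main__":
    for mode in ("full", "incremental", "differential", "mirror"):
        sets = run_schedule(DAYS, mode)
        chain = restore_chain(sets, mode)
        print(f"{mode:12} copies={files_copied(sets):2} sets_to_restore={len(chain)} "
              f"restored={sorted(restore(chain))}")
```

Losing any one incremental set breaks the whole chain after it, while a differential restore only ever needs the last full set and one differential set; that is the practical reason the text recommends periodically starting over with a fresh full backup.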

Full PC backup
Full PC backup, or full computer backup, typically involves backing up entire images of the computer's
hard drives rather than individual files and folders. The drive image is like a snapshot of the drive. It
may be stored compressed or uncompressed.
With other file backups, only the user's documents, pictures, videos and music files can be restored,
while the operating system, programs etc. need to be reinstalled from their source download or disc
media.
With a full PC backup, however, you can restore the hard drives to their exact state when the backup
was done. Hence, not only can the documents, pictures, videos and audio files be restored but also the
operating system, hardware drivers, system files, registry, programs, emails etc. In other words, a
full PC backup can restore a crashed computer to its exact state at the time the backup was made.
Full PC backups are sometimes called Drive Image Backups.
Advantages
A crashed computer can be restored in minutes with all programs, databases, emails etc. intact. There is no
need to install the operating system and programs or to redo settings.
Ideal backup solution for a hard drive failure.
Disadvantages
May not be possible to restore onto a completely new computer with a different motherboard, CPU,
display adapter, sound card etc.
Any problems that were present on the computer at the time of the backup (such as viruses, mis-configured
drivers or unused programs) will still be present after a full restore.

Local backup
A local backup is any backup where the storage medium is kept close at hand. Typically, the storage
medium is plugged directly into the source computer being backed up or is connected through a
local area network to the source.
Advantages
Offers good protection from hard drive failures and accidental deletes, and, provided the backup medium
is not writable from the compromised or sabotaged system, from virus attacks and deliberate employee
sabotage on the source data.
Very fast backup and very fast restore.
Storage cost can be very cheap when the right storage medium, such as external hard drives, is used.
Data transfer cost to the storage medium is negligible or very cheap.
Since the backups are stored close by, they are conveniently available whenever needed for
backups and restores.
Full internal control over the backup storage media and the security of the data on it. There is no
need to entrust the storage media to third parties.
Disadvantages
Since the backup is stored close to the source, it does not offer good protection against theft,
fire, flood, earthquakes and other natural disasters. When the source is damaged by any of these,
there is a good chance the backup will also be damaged.
A backup medium that stays connected and writable is exposed to the same malware or malicious user
that damages the source; disconnect or write-protect the medium between runs.

Offsite Backup
Any backup where the backup storage medium is kept at a different geographic location from the
source is known as an offsite backup. The backup may be done locally at first on the usual
storage devices but once the storage medium is brought to another location, it becomes an
offsite backup.

73

Advantages
Offers additional protection when compared to local backup such as protection from theft, fire,
flood, earthquakes, hurricanes and more.
Disadvantages
Except for online backups, it requires more effort to transport the storage media to the offsite
location, and the media must be encrypted, since a drive in transit or in a deposit box can be lost or
stolen.
May cost more as people usually need to rotate between several storage devices. For example,
when keeping media in a bank deposit box, people usually use 2 or 3 hard drives and rotate between
them, so at least one drive is in storage at any time while another is removed to perform
the backup.
Because of the increased handling of the storage devices, the risk of damaging a delicate hard disk is
higher. (Does not apply to online storage.)

Online backup
An online backup is a backup done on an ongoing basis to a storage medium that is always
connected to the source being backed up. The term online refers to the storage device or facility
being always connected. Typically the storage medium or facility is located offsite and connected to
the backup source by a network or Internet connection. It does not involve human intervention to
plug in drives and storage media for backups to run.
Many commercial data centers now offer this as a subscription service to consumers. The storage
data centers are located away from the source being backed up and the data is sent from the source
to the storage center securely over the Internet.
Typically a client application is installed on the source computer being backed up. Users can define
which folders and files they want to back up and at what times of day the backups should
run. The data may be compressed and encrypted before being sent over the Internet to the storage
data center. Check who holds the encryption key: if the client encrypts with a key only the user knows,
the provider cannot read the data, but a key generated and kept by the provider gives the provider
(and anyone who compromises it) access to the backups.
The storage facility is a commercial data center located away from the source computers being
backed up. Typically they are built to certain fire and earthquake safety specifications. They have
higher security standards with CCTV and round-the-clock monitoring. They typically have backup
generators to deal with grid power outages and the facility is temperature controlled. Data is not
just stored on one physical medium but replicated across several devices. These facilities are usually
served by multiple redundant Internet connections so there is no single point of failure to bring the
service down.
Advantages
Offers the best protection against fires, theft and natural disasters.
Because data is replicated across several storage media, the risk of data loss from hardware failure
is very low.
Because backups are frequent or continuous, data loss is very minimal compared to other backups
that are run less frequently.
Because it is online, it requires little human or manual interaction after it is setup.
Disadvantages
Is a more expensive option than local backups.

Student Handbook SSC/ Q0904/0905 Security Analyst

Initial or first backups can be a slow process spanning days or weeks depending on Internet
connection speed and the amount of data backed up.
Can be slow to restore, for the same reason.

Remote backups
Remote backups are a form of offsite backup with a difference being that you can access, restore or
administer the backups while located at your source location or other physical location. The term
remote refers to the ability to control or administer the backups from another location.
You do not need to be physically present at the backup storage facility to access the backups.
Putting your backup hard drive at your bank safe deposit box would not be considered a remote
backup. You cannot administer or access it without making a trip to the bank. The term remote
backup is often used loosely and interchangeably with online backup and cloud backup.
Advantages
Much better protection from natural disasters than local backups.
Easier administration as it does not need a physical trip to the offsite backup location.
Disadvantages
More expensive than local backups
Can take longer to back up and restore than local backups

Cloud backup
Cloud backup is a term often used loosely and interchangeably with Online Backup and Remote
Backup. This is a type of backup where data is backed up to a storage server or facility connected to
the source via the Internet. With the proper login credentials, that backup can then be accessed
securely from any other computer with an Internet connection. The term cloud refers to the
backup storage facility being accessible from the Internet.
Advantages
Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect to and access the backup with just an Internet connection.
Data is replicated across several storage devices and usually served by multiple Internet
connections so the system is not at the mercy of a single point of failure.
When the service is provided by a good commercial data center, the service is managed and
well protected.
Disadvantages
More expensive than local backups
Can take longer to back up and restore
Reachable from anywhere also means a stolen password exposes the backup from anywhere;
protect the account with strong, multi-factor authentication.


FTP Backup
This is a kind of backup where the backup is done via the File Transfer Protocol (FTP) over the
Internet to an FTP Server. Typically the FTP Server is located in a commercial data center away from
the source data being backed up. When the FTP server is located at a different location, this is
another form of offsite backup.
Advantages
Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect to and access the backup with just an Internet connection.
Disadvantages
More expensive than local backups
Can take longer to back up and restore. Backup and restore times depend on the Internet
connection.
Plain FTP sends the login credentials and the file contents in cleartext, so anyone on the network
path can read or alter them. Use SFTP or FTPS, or encrypt the data before uploading it, and verify
the uploaded archive against a checksum taken before the transfer.


10.3 Backup Procedures


The 3-2-1 Rule
The simplest way to remember how to back up your data safely is to use the 3-2-1 rule.
We recommend keeping 3 copies of any important file (a primary and two backups).
We recommend having the files on 2 different media types (such as hard drive and optical media),
to protect against different types of hazards.
1 copy should be stored offsite (or at least offline).
The data backup procedures must include

frequency,
data backup retention,
testing,
media replacement,
recovery time,
roles and responsibilities

Local data backup procedures must include the following:

Data Backup Retention. Retention of backup data must meet System and institution
requirements for critical data.

Testing - Restoration of backup data must be performed and validated on all types of media
in use periodically.
Media Replacement - Backup media should be replaced according to manufacturer
recommendations.

Recovery Time - The recovery time objective (RTO) must be defined and support business
requirements.
Roles and Responsibilities - Appropriate roles and responsibilities must be defined for data
backup and restoration to ensure timeliness and accountability.
Offsite Storage - Removable backup media taken offsite must be stored in an offsite location
that is insured and bonded or in a locked media rated, fire safe.
Onsite Storage - Removable backup media kept onsite must be stored in a locked container
with restricted physical access.
Media Destruction - How to dispose of data storage media in various situations.
Encryption - Non-public data stored on removable backup media must be encrypted.
Nonpublic data must be encrypted in transit and at rest when sent to an offsite backup
facility, either physically or via electronic transmission.
Third Parties - Third parties' backup handling & storage procedures must meet System, or
institution policy or procedure requirements related to data protection, security and privacy.
These procedures must cover contract terms that include bonding, insurance, disaster
recovery planning and requirements for storage facilities with appropriate environmental
controls.


Definitions
Archive: An archive is a collection of historical data specifically selected for long-term retention
and future reference. It is usually data that is no longer actively used, and is often stored on
removable media.
Backup: A copy of data that may be used to restore the original in the event the latter is lost or
damaged beyond repair. It is a safeguard for data that is being used. Backups are not intended to
provide a means to archive data for future reference or to maintain a versioned history of data to
meet specific retention requirements.
Critical Data: Data that needs to be preserved in support of the institution's ability to recover from
a disaster or to ensure business continuity.
Data: Information collected, stored, transferred or reported for any purpose, whether in
computers or in manual files. Data can include: financial transactions, lists, identifying information
about people, projects or processes, and information in the form of reports. Because data has
value, and because it has various sensitivity classifications defined by federal law and state
statute, it must be protected.
Destruction: Destruction of media includes: disintegration, incineration, pulverizing, shredding, and
melting. Information cannot be restored in any form following destruction.
Media Rated, Fire Safe: A safe designed to maintain internal temperature and humidity levels low
enough to prevent damage to CDs, tapes, and other computer storage devices in a fire. Safes are
rated based on the length of time the contents of a safe are preserved while directly exposed to
fire and high temperatures.
Information Technology Resources: Facilities, technologies, and information resources used for
System information processing, transfer, storage, and communications. Included in this definition
are computer labs, classroom technologies, computing and electronic communications devices
and services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax
transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive,
but rather, reflects examples of System equipment, supplies and services.
Recovery Point Objective (RPO): Acceptable amount of service or data loss measured in time. The
RPO is the point in time prior to service or data loss that service or data will be recovered to.
Recovery Time Objective (RTO): Acceptable duration from the time of service or data loss to the
time of restoration.
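The RPO and RTO definitions above can be checked against what a backup schedule actually delivers. The following is an added example (not from the handbook) that, given the start and finish times of completed backup runs, the time of an incident and the time the service was restored, reports whether the two objectives were met, and derives the longest schedule interval that still meets an RPO when each run takes a known time. The schedule, times and objectives in demo_schedule() are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Backup = Tuple[datetime, datetime]  # (run started, run finished)


def recovery_point(backups: List[Backup], incident: datetime) -> Optional[datetime]:
    """Start time of the newest run that had finished before the incident.

    A run still in progress when the incident hits is unusable, and a finished
    run only reflects the data as of its start, so the point is its start time.
    """
    usable = [started for started, finished in backups if finished < incident]
    return max(usable) if usable else None


def check_objectives(backups: List[Backup], incident: datetime, restored: datetime,
                     rpo: timedelta, rto: timedelta) -> dict:
    """Compare actual data loss and downtime with the RPO and RTO."""
    point = recovery_point(backups, incident)
    data_loss = incident - point if point else None  # None: nothing to restore from
    downtime = restored - incident
    return {"recovery_point": point, "data_loss": data_loss,
            "rpo_met": data_loss is not None and data_loss <= rpo,
            "downtime": downtime, "rto_met": downtime <= rto}


def max_interval(rpo: timedelta, run_duration: timedelta) -> timedelta:
    """Longest schedule interval that still meets the RPO in the worst case.

    Worst case: the incident strikes just before a run completes, so the usable
    copy is the previous run, taken one interval plus one run duration earlier.
    """
    interval = rpo - run_duration
    if interval <= timedelta(0):
        raise ValueError("a single run takes longer than the RPO allows; "
                         "shorten the run (e.g. incremental backups) or relax the RPO")
    return interval


def demo_schedule() -> dict:
    """Constructed example: a 6-hourly job taking 40 minutes, an incident at 13:30
    while the 13:00 run is still in progress, and service back at 18:00."""
    day = datetime(2024, 3, 1)
    runs = [(day + timedelta(hours=h), day + timedelta(hours=h, minutes=40))
            for h in (1, 7, 13)]
    result = check_objectives(runs, incident=day + timedelta(hours=13, minutes=30),
                              restored=day + timedelta(hours=18),
                              rpo=timedelta(hours=8), rto=timedelta(hours=4))
    # Widest interval this 40-minute job could be scheduled at and still meet an 8 h RPO.
    result["max_interval"] = max_interval(timedelta(hours=8), timedelta(minutes=40))
    return result


if __name__ == "__main__":
    for key, value in demo_schedule().items():
        print(f"{key}: {value}")
```

In the constructed schedule the recovery point is the 07:00 run, not the 13:00 one, because the 13:00 run had not finished when the incident occurred: the data loss is 6 h 30 min (within the 8 h RPO) but the 4 h 30 min downtime exceeds the 4 h RTO. The same reasoning is why the schedule interval must be shorter than the RPO by at least one run duration.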

Automated Backup
If the data backup plan defines a daily interval, making manual backups becomes quite time
consuming, and sooner or later a backup is skipped because something else seemed more important
at the time. It is better to foresee the risk of backups not being made and automate the whole backup
process as much as possible, including a check that each scheduled run actually completed.


10.4 Types of storage

Local Storage Options


1. External Hard Drive
These are hard drives similar to the type that is installed within a desktop computer or laptop
computer. The difference being that they can be plugged in to the computer or removed and kept
separate from the main computer.
Advantages:

Very good option for local backups of large amounts of data.


The cheapest storage option in terms of cost per GB.
Very reliable when handled with care.

Disadvantages:

Can be very delicate. May be damaged if dropped or through electrical surge

2. Solid State Drive (SSD)


Solid State Drives look and function similarly to traditional mechanical/magnetic hard drives, but the
similarities stop there. Internally they are completely different: they have no moving parts or
rotating platters and rely solely on semiconductors for data storage, which makes them more
reliable and robust than traditional magnetic drives. No moving parts also means that they use less
power than traditional hard drives and are much faster too.
With the prices of Solid State Drives coming down and their lower power usage, SSDs are used
extensively in laptops and mobile devices. External SSDs are also a viable option for data backups.
Advantages:

Faster read and write performance


More robust and reliable than traditional magnetic hard drives
Highly portable. Can be easily taken offsite

Disadvantages:

Still relatively expensive when compared to traditional hard drives


Storage space is typically less than that of traditional magnetic hard drives.

3. Network Attached Storage (NAS)


A NAS is simply one or more regular IDE or SATA hard drives plugged into an array storage enclosure
and connected to a network router or switch through an Ethernet port. Some of these NAS enclosures
have ventilating fans to protect the hard drives from overheating.
Advantages:

Very good option for local backups especially for networks and small businesses.

As several hard drives can be plugged in, NAS can hold very large amounts of data

Can be set up with redundancy (RAID), increasing reliability and/or read and write
performance. Depending on the RAID level used, the NAS can still function even if
one hard drive in the RAID set fails, or two drives can be striped (RAID 0) to roughly double the
read and write speed of a single hard drive, at the cost of losing everything if either drive fails.

The drive is always connected and available to the network making the NAS a good option
for implementing automated scheduled backups.

Disadvantages:

Significantly more expensive than using single external hard drives.
Difficult to bring offsite, making it very much a local backup and hence still susceptible to
events like theft, floods, fire etc.
Always reachable on the network, so malware that obtains write access to the share can delete or
encrypt the backups along with the source; give the backup job its own account and allow nothing
else to write to the backup share.

4. USB Thumb Drive or Flash Drive


These are similar to Solid State Drives except that they are much smaller in size and capacity. They have
no moving parts, making them quite robust. They are extremely portable and can fit on a keychain.
They are ideal for backing up a small amount of data that needs to be taken with you on the go.
Advantages:

The most portable storage option. Can fit on a keychain making it an offsite backup when
you bring it with you.

Much more robust than traditional magnetic hard drives

Disadvantages:

Relatively expensive per GB so can only be used for backing up a small amount of data

5. Optical Drive (CD/ DVD)


CDs and DVDs are ideal for storing songs, movies, media or software for distribution or for
giving to a friend, due to the very low cost per disk. They do not make good storage options for
backups due to their shorter lifespan, small capacity and slower read and write speeds.
Advantages:

Low cost per disk

Disadvantages:

Relatively shorter life span than other storage options


Not as reliable as other storage options like external hard disk and SSD. One damaged disk in
a backup set can make the whole backup unusable.

Remote Storage Options


1. Cloud Storage
Cloud storage is storage space in a commercial data center accessible from any computer with
Internet access. It is usually provided by a service provider. A limited amount of storage space may be
provided free, with more space available for a subscription fee. Examples of service providers are
Amazon S3, Google Drive, Sky Drive etc.
Advantages:

A very good offsite backup. Not affected by events and disasters such as theft, floods, fire etc

Disadvantages:

More expensive than traditional external hard drives. Often requires an ongoing subscription.
Requires an Internet connection to access the cloud storage.
Much slower than local backups.


10.5 Features of a Good Backup Strategy

The following are features to aim for when designing your backup strategy:
Able to recover from data loss in all circumstances like hard drive failure, virus
attacks, theft, accidental deletes or data entry errors, sabotage, fire, flood,
earthquakes and other natural disasters.
Able to recover to an earlier state if necessary like due to data entry errors or
accidental deletes
Able to recover as quickly as possible with minimum effort, cost and data loss.
Require minimum ongoing human interaction and maintenance after the initial
setup. Hence able to run automated or semi-automated.

Planning Your Backup Strategy


1. What to Backup
The first step in planning your backup strategy is identifying what needs to be backed up: the
files and folders that you cannot afford to lose. It involves going through your documents,
databases, pictures, videos, music and program setup or installation files. Some of these, like
pictures and videos, may be irreplaceable. Others, like documents and databases, may be
tedious or costly to recover from hard copies. These are the files and folders that need to be in
your backup plan.
2. Where to Backup to
This is another fundamental consideration in your backup plan. In light of some content being
irreplaceable, the backup strategy should protect against all events. Hence a good backup strategy
should employ a combination of local and offsite backups.
Local backups are needed because their lower cost allows you to back up a huge amount of data.
Local backups are also useful for their very fast restore speed, allowing you to get back online in
minimal time. Offsite backups are needed for their wider scope of protection from major disasters or
catastrophes not covered by local backups.
3. When to Backup
Frequency: How often you backup your data is the next major consideration when planning your
backup policy. Some folders are fairly static and do not need to be backed up very often. Other
folders are frequently updated and should correspondingly have a higher backup frequency like
once a day or more.
Your decision regarding backup frequency should be based on a worst case scenario. For example,
if disaster struck just before the next backup was scheduled to run, how much data would you lose
since the last backup? How long would it take and how much would it cost to re-key that lost data?


Backup Start Time: You would typically want to run your backups when there is minimal usage on
the computers. Backups may consume computer resources and affect performance.
Also, files that are open or in use may not get backed up.
Scheduling backups to run after business hours is good practice, provided the computer is left on
overnight. Backups will not normally run when the computer is in sleep or hibernate mode.
Some backup software will run immediately upon boot up if it missed a scheduled backup the
previous night.
So if the first hour on a business day morning is your busiest time, you would not want your
computer doing its backups then. If you always shut down or put your computer in sleep or
hibernate mode at the end of a work day, maybe your lunch time would be a better time to
schedule a backup. Just leave the computer on but logged-off when you go out for lunch.
Since servers are usually left running 24 hours, overnight backups for servers are a good choice.
4. Backup Types
Many backup programs offer several backup types, like full backup, incremental backup and
differential backup. Each backup type has its own advantages and disadvantages. Full backups are
useful for projects, databases or small websites where many different files (text, pictures, videos
etc.) are needed to make up the entire project and you may want to keep different versions of the
project.
5. Compression & Encryption
As part of your backup plan, you also need to decide if you want to apply any compression to your
backups. For example, when backing up to an online service, you may want to apply compression
to save on storage cost and upload bandwidth. You may also want to apply compression when
backing up to storage devices with limited space like USB thumb drives.
If you are backing up very private or sensitive data to an offsite service, some backup tools and
services also offer support for encryption. Encryption is a good way to protect your content should
it fall into malicious hands. When applying encryption, always keep the encryption key or
passphrase somewhere other than with the backup itself: stored alongside the backup it protects
nothing, and without it the backup cannot be restored at all.
6. Testing Your Backup
A backup is only worth doing if it can be restored when you need it most. It is advisable to
periodically test your backup by attempting to restore it. Some backup utilities offer a validation
option for your backups. While this is a welcome feature, it is still a good idea to test your backup
with an actual restore once in a while.
7. Backup Utilities & Services
Simply copying and pasting files and folders to another drive would be considered a backup.
However the aim of a good backup plan is to set it up once and leave it to run on its own. You
would check up on it occasionally but the backup strategy should not depend on your ongoing
interaction for it to continue backing up. A good backup plan would incorporate the use of good
quality, proven backup software utilities and backup services.
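The planning steps above (what to back up, where, backup types, compression, testing and automation) come together in the following added example, which is not code from the handbook or from any backup product. It keeps compressed full, incremental and differential sets in a local directory with a SHA-256 manifest per set, restores by applying the chain from the last full backup and verifies the result against the newest manifest, and prunes old chains without orphaning the incrementals that depend on a full. Encryption of the archives is a separate step and is not shown; the source tree built in demo() is constructed for illustration.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_state(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifests(dest: Path) -> list:
    return [json.loads(m.read_text()) for m in sorted(dest.glob("*.manifest.json"))]


def run_backup(source: Path, dest: Path, kind: str = "auto") -> dict:
    """kind: full, incremental (changes since the last set of any kind), differential
    (changes since the last full) or auto (full if none exists, else incremental)."""
    dest.mkdir(parents=True, exist_ok=True)
    prev = manifests(dest)
    fulls = [m for m in prev if m["kind"] == "full"]
    if kind == "auto":
        kind = "incremental" if fulls else "full"
    if kind != "full" and not fulls:
        raise ValueError(f"no full backup to base a {kind} backup on")
    state = snapshot_state(source)
    # Changes are detected by content hash, not mtime: a rewritten-but-identical file
    # is skipped and an altered file with a forged timestamp is still copied.
    base = {} if kind == "full" else (prev[-1] if kind == "incremental" else fulls[-1])["state"]
    archived = [p for p, h in state.items() if base.get(p) != h]
    seq = prev[-1]["seq"] + 1 if prev else 0
    name = f"{seq:04d}-{kind}"
    archive = dest / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:  # compressed set
        for rel in archived:
            tar.add(source / rel, arcname=rel)
    m = {"seq": seq, "kind": kind, "name": name, "archived": archived,
         "state": state, "archive_sha256": sha256_of(archive)}  # integrity record
    (dest / f"{name}.manifest.json").write_text(json.dumps(m, indent=1))
    return m


def restore_latest(dest: Path, target: Path) -> dict:
    """Apply the last full set and every later set in order, then verify the result
    against the newest manifest. Raises if any archive fails its hash check."""
    prev = manifests(dest)
    start = max(i for i, m in enumerate(prev) if m["kind"] == "full")
    target.mkdir(parents=True, exist_ok=True)
    for m in prev[start:]:
        archive = dest / f"{m['name']}.tar.gz"
        if sha256_of(archive) != m["archive_sha256"]:
            raise ValueError(f"{archive.name} is corrupt; restore aborted")
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(target, filter="data")  # rejects members escaping target
            except TypeError:  # Python < 3.12 has no extraction filter
                tar.extractall(target)
    actual, expected = snapshot_state(target), prev[-1]["state"]
    return {"missing": sorted(set(expected) - set(actual)),
            "corrupt": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
            # Files deleted at the source come back from earlier sets: not a mirror.
            "extra": sorted(set(actual) - set(expected))}


def prune(dest: Path, keep_fulls: int = 2) -> list:
    """Delete whole chains older than the newest keep_fulls full backups. A full is
    never removed while later incrementals/differentials still depend on it."""
    prev = manifests(dest)
    full_idx = [i for i, m in enumerate(prev) if m["kind"] == "full"]
    if len(full_idx) <= keep_fulls:
        return []
    removed = []
    for m in prev[:full_idx[-keep_fulls]]:
        for fname in (f"{m['name']}.tar.gz", f"{m['name']}.manifest.json"):
            (dest / fname).unlink()
            removed.append(fname)
    return removed


def demo() -> dict:
    """Exercise the routine on a constructed source tree in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    src, dst, out = root / "src", root / "backups", root / "restore"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "a.txt").write_text("alpha")
    (src / "b.bin").write_bytes(b"\x00" * 4096)
    full = run_backup(src, dst)  # first run: full
    (src / "docs" / "a.txt").write_text("alpha v2")
    inc = run_backup(src, dst)  # auto: incremental
    (src / "b.bin").write_bytes(b"\x00" * 4096)  # rewritten, content unchanged
    (src / "c.txt").write_text("gamma")
    diff = run_backup(src, dst, kind="differential")
    (src / "c.txt").unlink()  # deletion at the source
    inc2 = run_backup(src, dst)
    report = restore_latest(dst, out)
    run_backup(src, dst, kind="full")
    run_backup(src, dst)
    removed = prune(dst, keep_fulls=1)
    return {"full": full["archived"], "inc": inc["archived"], "diff": diff["archived"],
            "inc2": inc2["archived"], "report": report, "removed": len(removed),
            "remaining": len(manifests(dst)), "a_txt": (out / "docs" / "a.txt").read_text()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the file prints the demo result. The "extra" entry in the restore report is the answer to the mirror-backup question at the end of this unit turned around: a chain of sets brings back a file that was deleted at the source, whereas a mirror would not. Scheduling run_backup under cron or Task Scheduler, with restore_latest into a scratch directory every few weeks, covers the testing requirement in the procedures section.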

For further reading on security logging, see the following web links:


https://www.owasp.org/index.php/Logging_Cheat_Sheet
https://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-web-applications-logfiles2074
http://blog.hicube.in/2012/11/07/understanding-log-files-linux-server/


Summary
Backup is the activity of copying files or databases so that they will be preserved in case of
equipment failure or other catastrophe.
Data custodians are responsible for providing adequate backups to ensure the recovery of data
and systems in the event of failure. Types of Backup include:

Full backup where all the files and folders selected for the backup will be backed up
Incremental backup is a backup of all changes made since the last backup
Differential backups fall in the middle between full backups and incremental backup
Mirror backups are a mirror of the source being backed up
Full PC backup involves backing up entire images of the computer hard drives
Local backup is any backup where the storage medium is kept close at hand
Offsite Backup where the backup storage medium is kept at a different geographic location
Online backup is ongoing backup to a storage medium that is always connected to the
source being backed up
Remote backups are offsite backup with a difference being that you can access, restore or
administer the backups while located at your source location or other physical location
Cloud backup where data is backed up to a storage server or facility connected to the
source via the Internet
FTP Backup where the backup is done via the File Transfer Protocol (FTP) over the Internet
to an FTP Server

The simplest way to remember how to back up your data safely is to use the 3-2-1 rule: keep
3 copies of any important file (a primary and two backups); have the files on 2 different media
types (such as hard drive and optical media); store 1 copy offsite (or at least offline).
Different types of Local Storage Options:
External Hard Drive are hard drives similar to the type that is installed within a desktop
computer or laptop computer
Solid State Drive (SSD) looks and functions similar to traditional mechanical/ magnetic
hard drives but different
Network Attached Storage (NAS) is simply one or more regular IDE or SATA hard
drives plugged into an array storage enclosure and connected to a network router or
switch through an Ethernet port
USB Thumb Drives or Flash Drives are similar to Solid State Drives except that they are much
smaller in size and capacity
Optical Drive (CD/ DVD) are ideal for storing a list of songs, movies, media or software
for distribution or for giving to a friend due to the very low cost per disk.
Cloud Storage is storage space on commercial data center accessible from any
computer with Internet access
Ask the key questions while planning your backup strategy
What to Backup
Where to Backup to
When to Backup
Backup Types
Compression & Encryption
Testing Your Backup
Backup Utilities & Services

Practical activities:
Activity 1:
Back up the data available in the institute and evaluate the backup requirements for the
institute. If there isn't a policy for backup, work in a group to develop one and
define all necessary steps for successful implementation.
Activity 2:
Work in a group to prepare a report on the differences between backing up individual data
and backing up security devices and applications. The report should focus on requirements,
challenges, products and means available, advantages and disadvantages, media
used, and other differences.
Activity 3:
Collect information on various products and services for backup available in the
industry and compare the benefits, features and limitations of each. The comparison
should be presented in class.


Check your understanding:


Q. State the advantages of full backup over incremental backup.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. Explain why a Full PC backup is also known as a drive image backup.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Q. How does Offsite backup differ from Remote backup?


__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. Solid State Drives (SSDs) look and function similarly to traditional mechanical/magnetic hard drives
but are different inside. State the difference.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. Is it possible to retrieve a file deleted in a source with a mirror backup? Explain your answer in
brief.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________


Student Handbook SSC/ Q0904/0905 Security Analyst

SSC/ N 0904: Contribute to information security audits
SSC/ N 0905: Support teams to prepare for and undergo information security audits

UNIT I: Information Security Audit
UNIT II: Types of Security Audits
UNIT III: Role of an Auditor
UNIT IV: Vulnerability Analysis
UNIT V: Penetration Testing
UNIT VI: Information Security Audit Tasks
UNIT VII: Audit Report and Actions
UNIT VIII: Audit Support Activities


Unit Code: SSC/ N 0904
Unit Title (Task): Contribute to information security audits
Description: This unit is about carrying out specific audit tasks as part of information security
audits.


Scope

This unit/task covers the following:


Appropriate people:
line manager
members of the security team
subject matter experts
Information security audits may cover:

Identity and Access Management (IdAM)


networks (wired and wireless)
devices

endpoints/edge devices
storage devices
servers
software

application hosting
application security
application support
application penetration
application testing
content management
messaging
web security
security of infrastructure
infrastructure devices (e.g. routers, firewall services)
computer assets, servers and storage networks
messaging

intrusion detection/prevention
security incident management
third party security management
personnel security requirements
physical security
risk assessment
business continuity
disaster recovery planning

Performance Criteria (PC) w.r.t. the Scope

The user/individual on the job should be able to:
PC1. establish the nature and scope of information security audits and your role and responsibilities
within them
PC2. identify the procedures/guidelines/checklists for the audit tasks you are required to carry out
PC3. identify any issues with procedures/guidelines/checklists for carrying out audit tasks and clarify
these with appropriate people
PC4. collate information, evidence and artefacts when carrying out audits
PC5. carry out required audit tasks using standard tools and following established
procedures/guidelines/checklists
PC6. refer to appropriate people where audit tasks are beyond your levels of knowledge, skills and
competence
PC7. record and document audit tasks and audit results using standard tools and templates
PC8. review results of audit tasks with appropriate people and incorporate their inputs
PC9. comply with your organization's policies, standards, procedures, guidelines and checklists when
contributing to information security audits
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company/organization and its processes)
The user/individual on the job needs to know and understand:
KA1. your organization's policies, standards, procedures, guidelines, systems and checklists for
information security testing and auditing and your role in applying these
KA2. scope of work to be carried out and the importance of keeping within these boundaries
KA3. limits of your knowledge, skills and competence and who to seek guidance from
KA4. different types of information/security audits
KA5. who to involve when carrying out information security audits
KA6. how to record and report audit tasks
KA7. the importance of recording the results of audit tasks
KA8. how to obtain and use input from others when carrying out information security audit tasks
KA9. the purpose of information security audits and importance of taking part in these
KA10. how to improve the process and outcomes of future audits
KA11. the range of standard tools, templates and checklists available and how to use these
KA12. the role of teams in information security audits
KA13. methods and techniques used when working with others

B. Technical Knowledge
The user/individual on the job needs to know and understand:
KB1. common issues that may affect carrying out audit tasks and how to deal with these
KB2. different systems and structures that may need information security audits and how they
operate, including:
servers and storage devices
infrastructure and networks
application hosting and content management
communication routes such as messaging
KB3. features, configuration and specifications of information security systems and devices and
associated processes and architecture
KB4. the importance of auditing and the key principles and rules of conduct that apply when auditing
KB5. common audit techniques and how to record and report audit tasks
KB6. methods and techniques for testing compliance against your organization's security criteria,
legal and regulatory requirements

92

Student Handbook SSC/ Q0904/0905 Security Analyst

Unit Code: SSC/N0905

Unit Title (Task): Support teams to prepare for and undergo information security audits

Description: This unit is about supporting functional teams to prepare for and undergo information security audits carried out by internal or external auditors.

Scope

This unit/task covers the following:

Information security audits:
internal
external
Appropriate people:
line manager
members of functional teams
subject matter experts
Audit tasks on:
Identity and Access Management (IdAM)
physical security
networks
storage devices
servers
applications
application penetration and testing
application support
application hosting
content management
messaging
infrastructure devices (e.g. routers, firewall services)
computer assets, servers and storage networks
third parties
personnel requirements
support functions (e.g. HR support)

Performance Criteria (PC) w.r.t. the Scope

To be competent, you must be able to:
PC1. establish the nature and scope of information security audits and your role and responsibilities in preparing for them
PC2. identify the procedures/guidelines/checklists that will be used for information security audits
PC3. identify the requirements of information security audits and prepare for audits in advance
PC4. liaise with appropriate people to gather data/information required for information security audits
PC5. organize data/information required for information security audits using standard templates and tools
PC6. provide immediate support to auditors to carry out audit tasks
PC7. participate in audit reviews, as required
PC8. comply with your organization's policies, standards, procedures, guidelines and checklists when supporting teams to prepare for and undergo information security audits

Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company/organization and its processes)
You need to know and understand:
KA1. your organization's policies, standards, procedures, guidelines, systems and checklists for information security audits and your role in applying these
KA2. scope of work to be carried out and the importance of keeping within these boundaries
KA3. limits of your role, responsibilities, skills and competence and who to seek guidance from when these are exceeded
KA4. the purpose of information security audits and importance in taking part in these
KA5. the role of teams in information security audits
KA6. what information is required for information security audits and the importance of preparing this in advance of the audit
KA7. how to improve the process and outcomes for future audits
KA8. types of support required by teams for information security audits and how to provide this
KA9. different types of information security audits
KA10. different approaches and ways of working for internal and external information security audits
KA11. who to involve when carrying out information security audits
KA12. your organization's knowledge base and how to use this to support information security audits
KA13. how to carry out, record and report audit tasks
KA14. the range of data and information required for information security audits and where to obtain this
KA15. methods and techniques used when working with others
KA16. standard tools, templates and checklists available and how to use these
KA17. the importance of providing immediate support to auditors as required


B. Technical Knowledge
You need to know and understand:
KB1. different information systems that may require audit tasks:
servers and storage devices
infrastructure, assets and networks
application hosting, testing, penetration and support
content management
communication routes such as messaging
physical security
support functions such as personnel and HR services
third party systems
KB2. features, configuration and specifications of information security systems and devices which may be audited
KB3. how to collate data for information security audits
KB4. additional information that may be required by auditors and where to source this


THE UNITS
The module for this NOS is divided into 8 Units based on the learning objectives as given below.

UNIT I: Information Security Audit
1.1. Information Systems Audit versus Information Security Audit
1.2. What is an Information Security Audit?
1.3. Scope of the Audit
1.4. What makes a good security audit?
1.5. Constraints of a security audit

UNIT II: Security Audits Features
2.1. Types of Security Audits
2.2. Phases of Information Security Audit
2.3. Information Security Audit Methodology
2.4. Security Testing Frameworks
2.5. Audit Process and Audit Security Practices
2.6. Testing Security Technology and Templates

UNIT III: Information Security Auditor
3.1 Role of an Auditor
3.2 Hiring an Information Security Auditor
3.3 Required Skill Sets of an Information Security Auditor
3.4 Ethics of an Information Security Auditor
3.5 What Makes an Information Security Auditor

UNIT IV: Vulnerability Analysis
4.1. What Is Vulnerability Assessment?
4.2. Vulnerability Classification
4.3. Types of Vulnerability Assessment
4.4. How to Conduct a Vulnerability Assessment
4.5. Vulnerability Analysis Tools

UNIT V: Penetration Testing
5.1. About penetration testing
5.2. Penetration testing stages

UNIT VI: Information Security Audit Tasks
6.1 Pre-audit tasks
6.2 Information Gathering
6.3 External Security Audit
6.4 Internal Network Security Auditing
6.5 Firewall Security Auditing
6.6 IDS Security Auditing

UNIT VII: Audit Reports and Actions

UNIT VIII: Audit Support Activities
UNIT I
Information Security Audit

This Unit covers:


Lesson Plan
1.1. Information Systems Audit versus Information Security Audit
1.2. What is an Information Security Audit?
1.3. Scope of the Audit
1.4. What makes a good security audit?
1.5. Constraints of a security audit


LESSON PLAN

Outcomes
To be competent, you must be able to:
PC1. establish the nature and scope of information security audits and your role and responsibilities in preparing for them (0904/0905)
You need to know and understand:
KA2. scope of work to be carried out and the importance of keeping within these boundaries (0904/0905)
KB1. different information systems that may require audit tasks (0905)
KA4. the purpose of information security audits and importance in taking part in these
KB4. the importance of auditing and the key principles and rules of conduct that apply when auditing (0905)

Performance Ensuring Measures
1. Research the meaning of audit and what it entails.
2. Which are the various aspects of an organisation that are audited?
3. Research the scope of an IT Security Audit and make a presentation on the scope of the audit.
1. Listing various systems requiring audits
2. Research and list the difference between an IT Systems Audit and an Information Security Audit.

Work Environment / Lab Requirement
PCs/Tablets/Laptops
Projection facilities
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Networking Equipment: Routers & Switches
Firewalls and Access Points
Access to all security sites like ISO, PCI DSS, Center for Internet Security


Lesson
An information security audit is one of the best ways to determine the security of an organization's
information without incurring the cost and other associated damages of a security incident.

1.1. Information Systems Audit versus Information Security Audit (Edited)

The rapid growth of computers and the internet, and their use for the storage and processing of data, has also meant ever-increasing worries about the safety and integrity of data because of growing cybercrime, the presence of hackers and the corruption of data through malware. All this has led to the development of numerous disciplines and systems meant to safeguard the interests of organizations. Information Systems Audit and Information Security Audit are two such tools that are used to ensure the safety and integrity of information and sensitive data. People are often confused by the difference between these two tools and feel they are the same. But there are differences that will be highlighted in this article.
Information systems audit is a large, broad term that encompasses demarcation of responsibilities, server and equipment management, problem and incident management, network division, safety, security and privacy assurance etc. On the other hand, as the name implies, information security audit has a one-point agenda, and that is the security of data and information while it is being stored and transmitted. Here data must not be confused with only electronic data, as print data is equally important and its security is covered in this audit.
Both audits have many overlapping areas, which is what confuses many people. However, from a physical point of view, information systems audit is related to the core, whereas information security audit is related to the outer circles. Here the core can be taken as systems, servers, storage and even printouts and pen drives, whereas the outer circles mean the network, firewalls, internet etc.
If one were to look from a logical point of view, it would emerge that information systems audit deals with operations and infrastructure, whereas information security audit deals with data as a whole.


In brief:
Information systems audit is a broader term that includes information security audit
System audit includes operations, network segmentation, server and device management
etc., whereas security audit focuses on security of data and information.

1.2. What is an Information Security Audit? (Edited)

A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance, in the wake of legislation that specifies how organizations must deal with information.
Some of the purposes of audits are listed below:
a) Build awareness of current practices and risks
b) Reducing risk, by evaluating, planning and supplementing security efforts
c) Strengthening controls, including both automated and human
d) Compliance with customer and regulatory requirements and expectations
e) Building awareness and interaction between technology and business teams
f) Improving overall IT governance in the organization

An information security audit is an audit on the level of information security in an organization. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases and highlights key components to look for and different methods for auditing these areas.
According to Ira Winkler, president of the Internet Security Advisors Group, there are three main types of security diagnostics, namely:
Security Audits
Vulnerability Assessments
Penetration Testing

Security Audits measure an information system's performance against a list of criteria.
A vulnerability assessment, on the other hand, involves a comprehensive study of an entire information system, seeking potential security weaknesses.

Penetration testing is a covert operation, in which a security expert tries a number of attacks to
ascertain whether or not a system could withstand the same types of attacks from a malicious
hacker. In penetration testing, the feigned attack can include anything a real attacker might try, such
as social engineering.
Each of the approaches has inherent strengths, and using two or more of them in
conjunction may be the most effective approach of all.

1.3. Scope of the Audit (Edited)

As with any audit, a risk assessment should be one of the first steps to be completed when examining a new process. The risk assessment will help determine whether the process warrants expending a significant amount of audit resources on the project. The scope of the audit depends on the risk. But even for the high-risk systems, the scope should be limited to testing the critical internal controls upon which the security of the process depends.

The scope of the audit depends upon:
a. Site business plan
b. Type of data assets to be protected
c. Value/importance of the data and relative priority
d. Previous security incidents
e. Time available
f. Auditor's experience and expertise


1.4 What should be covered in audits? (As it is)

There are a number of key questions that security audits attempt to answer which include but
are not limited to:

Are passwords secure and difficult to crack?

Are access control lists (ACLs) in place on network devices to control who has access to
shared data?

Are there audit logs in place to record and identify who accesses data?

Are the audit logs reviewed effectively and how are they reviewed?

Are the security settings for operating systems in accordance with accepted industry
security practices?

How are unnecessary applications and computer services managed? Are they eliminated
in a timely and effective manner for each system?

Are these operating systems and commercial applications patched? How and when did
the patching take place?

How is backup media stored? What is the backup policy and is it followed? Who has
access to the backup media and is it up-to-date?


Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed
the disaster recovery plan? Does it have gaps in its construct?

Are there adequate cryptographic tools in place to govern data encryption, and have
these tools been properly configured?

What security considerations were used while writing custom-built applications, are
these adequate and well documented?

How have these custom applications been tested for security flaws?

How are configuration and code changes documented at every level? How are these
records reviewed and who conducts the review?

The duration of the cross-cutting audit depends on the size as well as the complexity of the
organisation. The size of the organisation is determined by the number of employees and locations.
The selection of the level of complexity of an organisation can only be performed on an
organisation-by-organisation basis according to the following criteria, for example:

What does the system landscape look like (number of systems and level of heterogeneity
of the systems used)?
How many network gateways are there?
Which and how many IT applications are used in the organisation? Are they used to
support critical business processes?
Are higher-level procedures used that may affect realms outside of the organisation?
How high is the protection requirement for the infrastructure, systems, and IT
applications?
Is the organisation active in areas critical to security (for example, is it a security agency)?


1.5 What makes a good security audit? (As it is)

The IS Auditing Standards developed and disseminated by the Information Systems Audit and Control Association (ISACA) are already in circulation and can be consulted for further information.
A good security audit is part of a regular and comprehensive framework of information security. A good security audit may likely include the following:

Clearly defined objectives
Coverage of security is comprehensive and is a cross-cutting audit across the entire organisation. Partial audits may be done for specific purposes.
Audit team is experienced, independent and objective. Every audit team should consist of at least two auditors to guarantee the independence and objectivity of the audit (two-person rule). Their credentials should be verifiable.
There is an unrestricted right to obtain and view information.
Important IS audit meetings such as the opening and the closing meetings as well as the interviews should be conducted as a team. This procedure ensures objectivity, thoroughness, and impartiality.
No member of the audit team, for reasons of independence and objectivity, should have participated directly in supporting or managing the areas to be audited, e.g. they must not have been involved in the development of concepts or the configuration of the IT systems.
It should be ensured that actual operations in the organisation are not significantly disrupted by the audit when initiating the audit. The auditors never actively intervene in systems, and therefore should not provide any instructions for making changes to the objects being audited.
Management responsibility for supporting the conduct of a fair and comprehensive audit.
Appropriate communication and appointment of a central point of contact and other support for the auditors.
The execution is planned and carried out in a phase-wise manner.

Functions in an Audit
All audits have common functions that must be performed if they are to be successful. These usually include:

A. Define the security perimeter: what is being examined?
Determine how intensive the audit is going to be. Are all facets of the organization to be examined, or is this to be a common security audit based on the IT infrastructure?
Detail how intrusive the audit is. It is important to avoid adversely impacting the production environment during the audit process, whether this is by equipment downtime or personnel being taken away from their primary duties to participate in the audit.
Does the corporation have existing methodologies to actively mitigate risk on an ongoing basis?

B. Describe the components and be detailed about it.
Assemble a detailed list of the components within the security perimeter. While this is not an exhaustive list, these devices often include:
o Computing equipment (main frames, servers, desktops, laptops, terminals).
o Networking equipment (firewalls, routers, switches, hubs, and UPS devices).
o Communications equipment (PBX, phones, cell/smart phones, PDAs, fax machines).
o Input/Output devices (printers, copiers, scanners, cameras, web-cams, tablets).
o Data storage (databases: sales, customer, employee, other; email, voicemail, files on server, files in cabinets, customer and employee information, log files).
o Common security items (passwords, access scanners/cards and ID cards, physical security, data diagrams, daily schedules and employee activity charts).
o Internet exposure (company websites: internet and intranet, collaborative sites, outbound access availability and restrictions, open ports and other visible devices).

C. Determine threats: what kinds of damage could be done to the systems?
Generate a list of threat vectors based on the scope of the audit, i.e. if physical security is beyond the scope of the audit you won't have to check to see if the server room is locked.
Examine each type of device on the components list for known vulnerabilities.

D. Delineate the available tools: what documents and tools are in use or need to be created?
Assemble the various documents and datagrams of the systems under audit.
Gather the tools already in use to mitigate risk.
o Determine if the existing tools are functional.
o Determine if new tools are needed.

E. Reporting mechanism: how will you show progress and achieve validation in all areas?
Determine what the reporting mechanism will be.
o What is the report format?
o Who will sign off on the report as being acceptable?
o Who determines that a specific threat on a particular component is mitigated?

F. Review history: is there institutional knowledge about existing threats?
Determine what threats existed in the past and determine if those have been mitigated.
Interview members of the institution to determine if any known threats exist.

G. Determine Network Access Control list: who really needs access to this?
Develop a matrix of all personnel that need access to each device on the component chart.
Develop a matrix of all devices that need access to other devices on the component chart.
Each device on the component list should have a minimal set of entry points.
How much privilege is required for each person or system to perform their functions?

H. Prioritize risk: calculate risk as Risk = probability * harm
Given the list of possible threats, what are the possibilities a given threat will materialize?
If a threat were to materialize, how great would its impact be?
Establish the greatest pain points for the company. Determine if the approach is to work on the big stuff first, or get all of the minor issues out of the way before making any major changes.

I. Delineate mitigation plan: what are the exact steps required to minimize the threats?
Generate a detailed project plan to reach the goal. Include tasking, timelines, costs, reporting methods, checkpoints; all the components of a successful project plan are necessary.
Ensure that the organization is in agreement with the plan to mitigate risks.

J. Implement procedures: start making changes.
Begin the mitigation process, using the priority decided upon by the stakeholders.

K. Review results: perform an After Action Review (AAR) on the audit process
Perform a standard AAR on the audit.
o What went well?
o What process needs revision before it will go well?
o What issues are still outstanding at this time?
o Who is responsible for ensuring that outstanding issues will be addressed?
o What is the timeline for issue resolution?
o Who will validate issue resolution?

Risks that are extremely unlikely to happen but that have the potential to cause catastrophic damage are called Black Swans. These risks are often not cost effective to address, so a formal acceptance from management for these risks may be the only strategy available. Every audit needs to have management's participation to be completely successful.
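The audit functions above carried into a small risk register, as an added example that is not part of the handbook: functions G (access matrix), H (Risk = probability * harm) and K (outstanding issues) are applied to constructed sample threats, and the Black Swan rule separates the unlikely-but-catastrophic items for management acceptance. All component names, people, scores and thresholds are assumptions made for the illustration.

```python
# Added example, not from the handbook: a small risk register that carries out
# functions G (access matrix), H (Risk = probability * harm) and K (outstanding
# issues) of the audit checklist, plus the Black Swan rule. Every component,
# threat, person, score and threshold below is constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Threat:
    component: str           # entry from the component list (function B)
    description: str         # threat vector identified in function C
    probability: float       # chance the threat materializes, 0.0 to 1.0
    harm: int                # impact if it does, 1 (minor) to 5 (catastrophic)
    mitigated: bool = False  # updated during the After Action Review (function K)

    @property
    def risk(self) -> float:
        # Function H: Risk = probability * harm
        return self.probability * self.harm


def prioritize(threats: List[Threat], big_stuff_first: bool = True) -> List[Threat]:
    """Function H: rank open threats by risk score.

    big_stuff_first=True tackles the highest risk first; False clears the minor
    issues before any major change, the other strategy the handbook names.
    """
    open_threats = [t for t in threats if not t.mitigated]
    return sorted(open_threats, key=lambda t: t.risk, reverse=big_stuff_first)


def black_swans(threats: List[Threat], max_probability: float = 0.01,
                min_harm: int = 5) -> List[Threat]:
    """Threats too unlikely to be cost-effective to fix but catastrophic in impact.

    Reported separately so management can formally accept them instead of
    letting a tiny risk score bury them at the bottom of the ranked list.
    """
    return [t for t in threats
            if t.probability <= max_probability and t.harm >= min_harm]


def excess_access(granted: Dict[str, Set[str]],
                  required: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Function G: compare the access matrix in force with the matrix of who
    needs access; return (principal, device) pairs that exceed need."""
    findings = []
    for device, principals in granted.items():
        for principal in sorted(principals):
            if principal not in required.get(device, set()):
                findings.append((principal, device))
    return findings


def outstanding_issues(threats: List[Threat]) -> List[str]:
    """Function K: which issues are still outstanding at this time?"""
    return [f"{t.component}: {t.description}" for t in threats if not t.mitigated]


# Constructed sample register for a small site (assumed scores, not real data)
REGISTER = [
    Threat("file server", "unpatched OS reachable from the LAN", 0.40, 4),
    Threat("backup media", "tapes stored unencrypted off-site", 0.20, 5),
    Threat("web server", "vendor default admin password still set", 0.60, 3),
    Threat("data centre", "flood destroys the only site", 0.005, 5),
    Threat("printer", "unattended printouts in shared area", 0.70, 1, mitigated=True),
]

# Constructed access matrices: who can reach each device vs who needs to
GRANTED = {
    "file server": {"alice", "bob", "contractor"},
    "backup media": {"bob", "carol"},
}
REQUIRED = {
    "file server": {"alice", "bob"},
    "backup media": {"bob"},
}


if __name__ == "__main__":
    for t in prioritize(REGISTER):
        print(f"{t.risk:5.3f}  {t.component}: {t.description}")
    print("Black swans for management acceptance:",
          [t.component for t in black_swans(REGISTER)])
    print("Access beyond need:", excess_access(GRANTED, REQUIRED))
    print("Outstanding:", outstanding_issues(REGISTER))
```

Swapping big_stuff_first to False reproduces the handbook's alternative of clearing minor issues first; the data centre flood sits in both lists until management signs off on it.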


1.6 Constraints of a security audit (As it is)

Time constraints
Third party access constraints
Business operations continuity constraints
Scope of audit engagement
Technology tools constraints

Summary
An information security audit is one of the best ways to determine the security of an organization's information without incurring the cost and other associated damages of a security incident.
Information systems audit is a large, broad term that encompasses demarcation of responsibilities, server and equipment management, problem and incident management, network division, safety, security and privacy assurance etc.
Information security audit is only focused on the security of data and information (electronic and print) while it is being stored and transmitted. Both audits have many overlapping areas.
Security audits are a formal process, carried out by certified auditing professionals to measure an information system's performance against a list of criteria.
A vulnerability assessment, on the other hand, involves a comprehensive study of an entire information system, seeking potential security weaknesses, usually carried out by industry experts who may or may not be certified.
A good security audit may likely include the following:
o Clearly defined objectives
o Coverage is comprehensive and cross-cutting
o Audit team is experienced, independent and objective with verifiable credentials
o There is an unrestricted right to obtain and view information.
o Important IS audit meetings such as the opening and the closing meetings as well as the interviews should be conducted as a team.
o No member of the team should have participated directly in supporting or managing the areas to be audited
o It should be ensured that actual operations in the organisation are not significantly disrupted by the audit.
o The auditors never actively intervene in systems or provide change advice.
o Management should support the audit.
o Appropriate communication and appointment of a central point of contact and other support for the auditors.
o The execution is planned and carried out in a phase-wise manner
Constraints of a security audit
o Time constraints
o Third party access constraints
o Business operations continuity constraints
o Scope of audit engagement
o Technology tools constraints


Practical activities:
Activity 1:
List the various vulnerabilities in any organisation and various activities to check those
vulnerabilities.
Activity 2:
Conduct an audit of your surroundings, of things such as cleanliness, safety and security,
hygiene, etc. Share your report in class, detailing the approach and the various aspects of
auditing.

Check your understanding:


Q. The three main types of security diagnostics are?
a. ________________________________________
b. ________________________________________
c. ________________________________________
Q. What is the full form of ACL in information security terms?
__________________________________________
Q. What is the purpose of an ACL?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. What is the purpose of an information security audit?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
State TRUE or FALSE
a. Previous security incidents are not important in a security audit; the auditors are only concerned about what the situation is at the present time of the audit. ( )
b. Information Security Audit is carried out by an audit team which usually has a representative from the team which has been involved in the development of the IT configuration to be audited. ( )
c. A key purpose of the Audit team is to correct and modify practices followed in the organisation while conducting the audit so as to make the system less vulnerable. ( )
d. AAR is another term used for the audit; it stands for After Attack Responsibility. ( )
e. IS Auditing Standards developed by the Information Systems Audit and Control Association (ISACA) are already in circulation. ( )

Tick the right option
f. Information Security Audit is carried out as a (formal/informal) process by a (certified/uncertified) auditing professional.
g. An IS audit is focused on current data in use (and is also/but is not) concerned with past data stored in backup media, etc.
h. Passwords are (within/beyond) the purview of the audit.




UNIT II
Security Audit Features

This Unit covers:


Lesson Plan
2.1. Planning Work and Work environment
2.2. Types of Security Audits
2.3. Phases of Information Security Audit
2.4. Information Security Audit Methodology
2.5. Security Testing Frameworks
2.6. Audit Process and Audit Security Practices
2.7. Testing Security Technology and Templates


LESSON PLAN

Outcomes
To be competent, you must be able to:
PC2. identify the procedures/guidelines/checklists for the audit tasks you are required to carry out (0904/0905)
PC5. organize data/information required for information security audits using standard templates and tools (0905)
You need to know and understand:
KA4./KA9. different types of information/security audits (0904/0905)
KA10. different approaches and ways of working for internal and external information security audits (0905)
KB5. common audit techniques and how to record and report audit tasks (0904)
KA11. the range of standard tools, templates and checklists available and how to use these (0904)
KB6. methods and techniques for testing compliance against your organization's security criteria, legal and regulatory requirements (0904)

Performance Ensuring Measures
1. Identify and access sources for standard checklists, guidelines and templates for carrying out different types of audits.
2. Research and list the various types of security audits, their purpose and requirements.
3. Research and list the process for using and carrying out various audit techniques.
4. Go through security standards and benchmarks like ISO 27001, PCI DSS and Center for Internet Security, and understand the implications of not maintaining such standards.
5. Collate and compare audit templates from various sources and discuss the requirements, advantages and disadvantages of each.
6. Go through the latest threats and breaches in cyberspace to understand the implications of non-compliance with security standards.

Work Environment / Lab Requirement (common to all of the above)
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Access to all security sites like ISO, PCI DSS, Center for Internet Security
Security Templates from ITIL, ISO
Lesson
2.1 Types of Security Audits
Broadly, there are two types of audit: internal and external.
External audits are commonly conducted by independent, certified parties in an objective manner.
They are scoped in advance and limited to identifying and reporting any implementation and
control gaps based on stated policies and standards such as COBIT (Control Objectives for
Information and related Technology). The end objective is to lead the client to a source of
accepted principles, sometimes correlated to current best practices.
Internal audits are usually conducted by experts linked to the organisation, and they involve a
feedback process where the auditor may not only audit the system but also provide advice in a
limited fashion. They differ from external audits in allowing the auditor to discuss mitigation
strategies with the owner of the system being audited.
There is a large variety of audit types based on the standards followed. Some examples include SSAE 16
audits (Type I or II), audits against ISO 9001, ISO/IEC 17799, ISO/IEC 27001 and the ISO 27018 cloud
security standard, and audits of industry-specific standards such as HIPAA controls.
Within the broad scope of auditing information security there are multiple types of audits and
multiple objectives for different audits. Audits can be broken down into a number of types, from the
simple analysis of security architecture based on opinion to a full-blown, end-to-end audit against a
security framework such as ISO 27001. Auditing information security covers topics from auditing the
physical security of data centers to auditing the logical security of databases, and highlights key
components to look for and different methods for auditing these areas. When centred on the IT
aspects of information security, it can be seen as a part of an information technology audit; it is
then often referred to as an information technology security audit or a computer security audit.
However, information security encompasses much more than IT.
Security Review

A security review is an examination of the security posture of an organization based on
professional experience and opinion. In this type of examination, issues that stand out are
sought as a way to help define the starting point for further activities. Running a vulnerability
scanner such as Nessus would fall under this category: the tool generates a list of potential
security issues, but the data must be analysed further to determine what needs to be
acted on. This is the most basic form of security analysis and the primary output is in the form
of an opinion. Examples include: penetration test, vulnerability scan, architecture review,
policy review, compliance review, risk analysis.

Security Assessment
Security assessments utilize professional opinion and expertise, but they also analyse the
output for relevancy and criticality to the organization. The analysis aspect of an
assessment attempts to quantify the risk associated with the items discovered to
determine the extent of the problem. If an organisation has two servers with the same
vulnerability, but one is the financial server and the other operates as a print server, a
security assessment would rank the financial server as a high risk and the print server as a
lower risk based on the severity and damage potential. The biggest differentiator between
an assessment and a review is the depth to which the auditor examines the system and
analyses the results. Examples include: vulnerability assessment, risk assessment,
architecture assessment, policy assessment.

Security Audit
A security audit examines the organization's security posture against an industry standard
(ISO 27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI. An audit
includes review and assessment; it also conducts a gap analysis against standards to measure
how well the organization complies. Audits take into account people, processes, and
technologies, and compare them to a benchmark in a standardized and repeatable way.
Examples include: compliance audit, policy audit, procedure audit, risk audit.

Some of the specific audits that can be included in the above categories are:

Penetration Test
Vulnerability Audit
Web Application Security Audit
Mobile Application Security Audit
Audit Overall Concept
IT-Risk Analyses
Audit Access Control / Social Engineering
Architecture, Design and Code Review
Wireless Systems Audit
Embedded Systems Audit
Information Protection Audit
Roles and Rights Audit
Endpoint Audit (clients)
Digital Guard Service
Configuration Audit (firewalls, servers, etc.)

2.2 Phases of Information Security Audit

Pre-audit agreement stage

Agree the scope and objective of the audit. Agree on the level of support that will be provided. Agree
locations, duration and other parameters of the audit. Agree financial and other considerations.
Confidentiality agreements and contracting are to be completed at this stage, as is developing a
formal agreement (e.g., statement of work, audit memorandum, or engagement memo) that states
the audit objectives, scope, and audit protocol.

Initiation and Planning stage

Conducting a preliminary review of the client's environment, mission, operations, policies, and
practices. Performing risk assessments of the client environment, data, and technology resources.
Completing research of regulations, industry standards, practices, and issues. Reviewing current
policies, controls, operations, and practices. Holding an Entrance Meeting to review the
engagement memo, request items from the client, schedule client resources, and answer
client questions. This will also include laying out the timeline and the specific methods to be used for
the various activities.

Data collection and fieldwork (Test phase)

This stage is to accumulate and verify sufficient, competent, relevant, and useful evidence to
reach a conclusion related to the audit objectives and to support audit findings and
recommendations. During this phase, the auditor will conduct interviews, observe procedures
and practices, perform automated and manual tests, and carry out other tasks. Fieldwork activities may be
performed at the client's worksite(s) or at remote locations, depending on the nature of the
audit.

Analysis

Analyses are performed after documentation of all evidence and data, to arrive at the audit
findings and recommendations. Any inconsistencies or open issues are addressed at this time.
The auditor may remain on-site during this phase to enable prompt resolution of questions and
issues. At the end of this phase, the auditor will hold an Exit Meeting with the client to discuss
findings and recommendations, address client questions, discuss corrective actions, and resolve
any outstanding issues. A first draft of the findings and recommendations may be presented to
the client during the exit meeting.

Reporting

Generally, the Information Security Audit Program will provide a draft audit report after
completing fieldwork and analysis. Based on the client's response, if changes are required to the draft,
the auditor may issue a second draft. Once the client is satisfied that the terms of the audit have been
complied with, the final report will be issued with the auditor's findings and recommendations.

Follow-through

Depending on expectations and agreements, the auditor will evaluate the effectiveness of the
corrective action taken by the client, and, if necessary, advise the client on alternatives that may
be utilized to achieve desired improvements. In larger, more complex audit situations, follow-up
may be repeated several times as additional changes are initiated. Additional audits may be
performed to ensure adequate implementation of recommendations. The level of risk and
severity of the control weakness or vulnerability dictate the time allowed between the reporting
phase and the follow-up phase. The follow-up phase may require additional documentation for
the audit client.

2.3 Information Security Audit Methodology

Need for a Methodology
Audits need to be planned and follow a defined methodology so that they cover the total material risks of an
organisation. A planned methodology is also important because it clarifies the way forward to everyone in the
organisation and the audit teams. Which methodology and techniques are used is less important than
having all the participants within the audit approach the subject in the same manner.
Audit methodologies
There are two primary methods by which audits are performed: start with the overall view of the
corporate structure and drill down to the minutiae, or begin with a discovery process that builds up
a view of the organization.

Audit methods may also be classified according to type of activity. These include three types:
a. Testing: pen tests and other testing methodologies are used to explore
vulnerabilities. In other words, exercising one or more assessment objects to
compare actual and expected behaviours.
b. Examination and Review: this includes reviewing policies, processes, logs, other
documents, practices, briefings, situation handling, etc. In other words, checking,
inspecting, reviewing, observing, studying, or analysing assessment objects.
c. Interviews and Discussion: this involves group discussions, individual interviews,
etc.
The three methods combine to form an effective methodology for an overall audit.


Auditing techniques:
There are various auditing techniques used:
Examination Techniques
Examination techniques are generally conducted manually to evaluate systems, applications,
networks, policies, and procedures to discover vulnerabilities. Techniques include:
o Documentation review
o Log review
o Ruleset and system configuration review
o Network sniffing
o File integrity checking
Target Identification and Analysis Techniques
Testing techniques, generally performed using automated tools, used to identify systems, ports,
services, and potential vulnerabilities. Techniques include:
o Network discovery
o Network port and service identification
o Vulnerability scanning
o Wireless scanning
o Application security examination
Target Vulnerability Validation Techniques
Testing techniques that corroborate the existence of vulnerabilities; these may be performed
manually or with automated tools. Techniques include:
o Password cracking
o Penetration testing
o Social engineering
o Application security testing
Organisations use a combination of these techniques to ensure effectiveness and to meet the
objectives of the audit.


2.4 Security Testing Frameworks

There are numerous security testing methodologies used today by security auditors for
technical control assessment.
Four of the most common are as follows:
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
NIST 800-115
Open Web Application Security Project (OWASP)

All of these frameworks provide a detailed, process-oriented manner in which to conduct a security
test, and each has its particular strengths and weaknesses. Most auditors and penetration testers
use these frameworks as a starting point to create their own testing process, and they find a lot of
value in referencing them.
OSSTMM
The OSSTMM highlights a systems approach to security testing by dividing assessment areas
into six interconnected modules:

Information Security: Competitive intelligence, data leakage, and privacy review
Process Security: Access granting processes and social engineering testing
Internet Technologies Security: Network mapping, port scanning, service and operating
system (OS) identification, vulnerability scanning, Internet app testing, router/firewall
testing, IDS testing, malicious code detection, password cracking, denial of service, and
policy review
Communications Security: Private branch exchange (PBX)/phone fraud, voicemail, fax, and
modem
Wireless Security: 802.11, Bluetooth, handheld scanning, surveillance, radio frequency
identification (RFID), and infrared
Physical Security: Perimeter, monitoring, access control, alarm systems, and environment

ISSAF
The ISSAF is one of the largest free assessment methodologies available. Each control test has
detailed instructions for operating testing tools and what results to look for. It is split into two
primary documents. One is focused on the business aspect of security, and the other is designed as
a penetration test framework. The level of detail in its explanation of services, security tools to use,
and potential exploits is high and can help both an experienced security auditor and someone getting
started in auditing.
NIST 800-115
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, provides guidance and a
methodology for reviewing security that the U.S. government's various departments are required
to follow. Like all NIST-created documents, 800-115 is free for use in the private sector. It includes
templates, techniques, and tools that can be used for assessing many types of systems and
scenarios. It is not as detailed as the ISSAF or OSSTMM, but it does provide a repeatable process for
conducting security reviews. The document includes guidance on the following:
Security testing policies
Management's role in security testing
Testing methods
Security review techniques
Identification and analysis of systems
Scanning and vulnerability assessments
Vulnerability validation (pen testing)
Information security test planning
Security test execution
Post-test activities

OWASP
The OWASP testing guide was created to assist web developers and security practitioners to better
secure web applications. A proliferation of poorly written and executed web applications has
resulted in numerous, easily exploitable vulnerabilities that put the Internet community at risk of
malware, identity theft, and other attacks. The OWASP testing guide has become the standard for
web application testing and has helped increase the awareness of security issues in web
applications through testing and better coding practices.
The OWASP testing methodology is split as follows:

Information gathering
Configuration management
Authentication testing
Session management
Authorization testing
Business logic testing
Data validation testing
Denial of service testing
Web services testing
AJAX testing

The OWASP project also has a subproject called WebGoat that enables one to load a deliberately vulnerable
website in a controlled environment to practise these techniques against a live system.
Whatever the approach to testing security controls, it must be consistent,
repeatable, and based on best practices.


2.5 Audit Process

A successful audit will minimally:
1. Establish a prioritized list of risks to an organization.
2. Delineate a plan to alleviate those risks.
3. Validate that the risks have been mitigated.
4. Develop an ongoing process to minimize risk.
5. Establish a cycle of reviews to validate the process on a perpetual basis.

Every successful audit has the following common properties.

Define the security perimeter: what is being examined?
o Determine how intensive the audit is going to be. Are all facets of the organization to be
examined, or is this to be a common security audit based on the IT infrastructure?
o Detail how intrusive the audit is. It is important to avoid adversely impacting the production
environment during the audit process, whether through equipment downtime or personnel
being taken away from their primary duties to participate in the audit.
o Does the corporation have existing methodologies to actively mitigate risk on an ongoing
basis?
Describe the components, and be detailed about it.
o Assemble a detailed list of the components within the security perimeter. While this is not an
exhaustive list, these devices often include:

Computing equipment (mainframes, servers, desktops, laptops, terminals).
Networking equipment (firewalls, routers, switches, hubs, and UPS devices).
Communications equipment (PBX, phones, cell/smart phones, PDAs, fax machines).
Input / Output devices (printers, copiers, scanners, cameras, web-cams, tablets).
Data storage (databases: sales, customer, employee, other; email, voicemail, files on server,
files in cabinets, customer and employee information, log files).
Common security items (passwords, access scanners / cards and ID cards, physical
security, data diagrams, daily schedules and employee activity charts).
Internet exposure (company websites: internet and intranet, collaborative sites, outbound
access availability and restrictions, open ports and other visible devices).

Determine threats: what kinds of damage could be done to the systems?

o Generate a list of threat vectors based on the scope of the audit. For example, if physical security is
beyond the scope of the audit you won't have to check whether the server room is locked.
o Examine each type of device on the components list for known vulnerabilities.

Delineate the available tools: what documents and tools are in use or need to be created?
o Assemble the various documents and diagrams of the systems under audit.
o Gather the tools already in use to mitigate risk.
o Determine if the existing tools are functional.
o Determine if new tools are needed.

Reporting mechanism: how will you show progress and achieve validation in all areas?
o Determine what the reporting mechanism will be.
o What is the report format?
o Who will sign off on the report as being acceptable?
o Who determines that a specific threat on a particular component is mitigated?

Review history: is there institutional knowledge about existing threats?
o Determine what threats existed in the past and determine if those have been mitigated.
o Interview members of the institution to determine if any known threats exist.
Determine the Network Access Control list: who really needs access to this?
o Develop a matrix of all personnel that need access to each device on the component
chart.
o Develop a matrix of all devices that need access to other devices on the component chart.
o Each device on the component list should have a minimal set of entry points.
o How much privilege is required for each person or system to perform their functions?
Prioritize risk: calculate risk as Risk = probability * harm
o Given the list of possible threats, what is the probability that a given threat will materialize?
o If a threat were to materialize, how great would its impact be?
o Establish the greatest pain points for the company. Determine if the approach is to work
on the big stuff first, or get all of the minor issues out of the way before making any major changes.
Delineate the mitigation plan: what are the exact steps required to minimize the threats?
o Generate a detailed project plan to reach the goal. Include tasking, timelines, costs,
reporting methods and checkpoints; all the components of a successful project plan are necessary.
o Ensure that the organization is in agreement with the plan to mitigate risks.
Implement procedures: start making changes.
o Begin the mitigation process, using the priority decided upon by the stakeholders.
Review results: perform an after-action review (AAR) on the audit process.
o Perform a standard AAR on the audit:

What went well?
What process needs revision before it will go well?
What issues are still outstanding at this time?
Who is responsible for ensuring that outstanding issues will be addressed?
What is the timeline for issue resolution?
Who will validate issue resolution?

Rinse and repeat: schedule the next iteration of the process.


Risks that are extremely unlikely to happen but that have the potential to cause catastrophic damage
are called Black Swans. These risks are often not cost effective to address, so a formal acceptance
of these risks by management may be the only strategy available. Every audit needs to have
management's participation to be completely successful. Work with the executive team to establish
the scope, evaluate the risks, and develop strategies to mitigate what you can. No company can
ever completely avoid risk, but minimizing risk is required to remain successful.
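To make the prioritisation step concrete (the Risk = probability * harm calculation above, together with the financial-server versus print-server ranking from the Security Assessment discussion in 2.1), here is an added Python example that is not part of the handbook. The findings, the 1-10 harm scale and the numeric Black Swan thresholds are constructed assumptions for illustration.

```python
"""Added example (not from the handbook): ranking audit findings with
Risk = probability * harm and setting Black Swans aside for formal
management acceptance.

The sample findings, the 1-10 harm scale and the Black Swan thresholds
are constructed assumptions for illustration only.
"""
from dataclasses import dataclass

# Assumed thresholds: "extremely unlikely" and "catastrophic" have no fixed
# numeric meaning in the handbook; an auditor agrees them with management.
BLACK_SWAN_MAX_PROBABILITY = 0.05
BLACK_SWAN_MIN_HARM = 9


@dataclass(frozen=True)
class Finding:
    """One threat vector against one component from the audit's component list."""
    component: str      # device from the component list
    threat: str         # threat vector from the threat list
    probability: float  # chance the threat materialises in the review period, 0.0-1.0
    harm: int           # damage potential to the business if it does, 1 (trivial) to 10

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range: {self.probability}")
        if not 1 <= self.harm <= 10:
            raise ValueError(f"harm out of range: {self.harm}")

    def risk(self) -> float:
        # The handbook's formula: Risk = probability * harm
        return self.probability * self.harm

    def is_black_swan(self) -> bool:
        # Extremely unlikely but catastrophic: usually not cost-effective to
        # mitigate, so it goes to management for a documented risk acceptance.
        return (self.probability <= BLACK_SWAN_MAX_PROBABILITY
                and self.harm >= BLACK_SWAN_MIN_HARM)


def prioritise(findings):
    """Return the findings highest risk first; ties broken by harm, then name."""
    return sorted(findings, key=lambda f: (-f.risk(), -f.harm, f.component))


def mitigation_queue(findings):
    """Split the ranked findings into the mitigation work list and the Black
    Swans that need a management acceptance instead of a mitigation task."""
    ranked = prioritise(findings)
    to_mitigate = [f for f in ranked if not f.is_black_swan()]
    to_accept = [f for f in ranked if f.is_black_swan()]
    return to_mitigate, to_accept


def report(findings) -> str:
    """Render the prioritised list as plain text for the audit report."""
    lines = [f"{'#':>2}  {'risk':>5}  {'component':<16} threat"]
    for rank, f in enumerate(prioritise(findings), start=1):
        flag = "  [Black Swan: management acceptance]" if f.is_black_swan() else ""
        lines.append(f"{rank:>2}  {f.risk():>5.2f}  {f.component:<16} {f.threat}{flag}")
    return "\n".join(lines)


# Constructed sample data: the same unpatched vulnerability on two servers (the
# handbook's financial-server vs print-server case), a guest network that can
# reach the intranet, and a Black Swan.
SAMPLE_FINDINGS = [
    Finding("finance-db-01", "unpatched critical vulnerability", 0.4, 9),
    Finding("print-srv-02", "unpatched critical vulnerability", 0.4, 3),
    Finding("hq-datacenter", "regional flood destroys the site", 0.01, 10),
    Finding("wifi-guest", "guest WiFi can reach the intranet", 0.6, 5),
]

if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
```

The same vulnerability ranks first on the financial server and third on the print server purely because of the harm term, which is the difference between a review (a list of scanner hits) and an assessment.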

2.6 Auditing Security Practices

The first step in evaluating security controls is to examine the organization's policies, security
governance structure, and security objectives, because these three areas encompass the business
practices of security.
Security controls are selected and implemented because of security policies or security
requirements mandated by law.
Security is a service provided by IT to the business, so measuring it as such enables you to see many
of the connections to the various functions of the business. There are standards, laws, and
benchmarks that you can use as your baseline to compare against.
Normally, you include content from multiple areas, as businesses may have more than one
regulation with which they must comply. It is easiest to start with the organization's policies and
build your security auditing plan from there. Some criteria you can use to compare the service of
security against are:

Evaluation against the organization's own security policy and security baselines
Regulatory/industry compliance: Health Insurance Portability and Accountability Act
(HIPAA), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), and Payment Card
Industry (PCI)
Evaluation against standards such as NIST 800 or ISO 27002
Governance frameworks such as COBIT or COSO

After you have identified the security audit criteria that the organization needs to comply with, the
next phase is to perform assessments to determine how well they achieve their goals. A number of
assessments are usually required, and each should refer back to the scope, which defines the
boundaries of the audit. The following are types of assessments that might be
performed to test security controls:


Risk assessments: This type of assessment examines potential threats to the
organization by listing areas that could be sources of loss such as corporate espionage,
service outages, disasters, and data theft. Each is prioritized by severity, matched to the
identified vulnerabilities, and used to determine whether the organization has adequate
controls to minimize the impact.
Policy assessment: This assessment reviews policy to determine whether the policy
meets best practices, is unambiguous, and accomplishes the business objectives of the
organization.
Social engineering: This involves penetration testing against people to identify whether
security awareness training, physical security, and facilities are properly protected.
Security design review: The security design review is conducted to assess the
deployment of technology for compliance with policy and best practices. These types of
tests involve reviewing network architecture and design and monitoring and alerting
capabilities.
Security process review: The security process review identifies weaknesses in the
execution of security procedures and activities. All security activities should have
written processes that are communicated and consistently followed. The two most
common methods for assessing security processes are interviews and observation:
o Interviews: Talking to the actual people responsible for maintaining security, from users
to systems administrators, provides a wealth of evidence about the people aspect of
security. How do they feel about corporate security methods? Can they answer basic
security policy questions? Do they feel that security is effective? The kind of information
gathered helps identify any weakness in training and in the organization's commitment to
adhering to policy.
o Observation: Physical security can be tested by walking around the office and observing
how employees conduct themselves from a security perspective. Do they walk away
without locking their workstations or have sensitive documents sitting on their desks?
Do they leave the data center door propped open, or do they not have a sign-out
procedure for taking equipment out of the building? It is amazing what a stroll through
the cubicles of a company can reveal about the security posture of an organization.
Document review: Checking the effectiveness and compliance of the policy, procedure,
and standards documents is one of the primary ways an auditor can gather evidence.
Checking logs, incident reports, and trouble tickets can also provide data about how IT
operates on a daily basis.
Technical review: This is where penetration testing and technical vulnerability testing
come into play. One of the most important services an auditor offers is to evaluate the
competence and effectiveness of the technologies relied upon to protect a
corporation's assets.

This section covered evaluation techniques for auditing security practices within an organization.
Many of the security practices used to protect a company are process - and policy-focused. They
represent the primary drivers for technology purchases and deployment. Technology can automate
many of these processes and policies and needs a different approach to testing effectiveness. The
remainder of this chapter covers tools that can be used to test security technologies.


2.7 Testing Security Technology

There are many terms used to describe the technical review of security controls. Ethical hacking,
penetration test, and security testing are often used interchangeably to describe a process that
attempts to validate security configuration and vulnerabilities by exploiting them in a controlled
manner to gain access to computer systems and networks. There are various ways that security
testing can be conducted, and the choice of methods used ultimately comes down to the degree to
which the test examines security as a system.
There are generally two distinct levels of security testing commonly performed today:
Vulnerability assessment:
This technical assessment is intended to identify as many potential weaknesses in a host,
application, or entire network as possible based on the scope of the engagement. Configurations,
policies, and best practices are all used to identify potential weaknesses in the deployment or
design of the entity being tested. These types of assessments are notorious for finding an
enormous amount of potential problems that require a security expert to prioritize and validate
real issues that need to be addressed. Running vulnerability scanning software can result in
hundreds of pages of items being flagged as vulnerable when in reality they are not exploitable.
Penetration test:
The penetration test is intended to assess the prevention, detection, and correction controls of a
network by attempting to exploit vulnerabilities and gain control of systems and services.
Penetration testers (also known as pentesters) scan for vulnerabilities as part of the process just
like a vulnerability assessment, but the primary difference between the two is that a pentester
also attempts to exploit those vulnerabilities as a method of validating that there is an exploitable
weakness. Successfully taking over a system does not show all possible vectors of entry into the
network, but can identify where key controls fail. If someone is able to exploit a device without
triggering any alarms, then detective controls need to be strengthened so that the organization
can better monitor for anomalies.
Security control testing is an art form in addition to a technical security discipline. It takes a certain
type of individual and mindset to figure out new vulnerabilities and exploits. Penetration testers
usually fit this mold, and they must constantly research new attack techniques and tools. Auditors,
on the other hand, might not test to that degree and will more than likely work with a penetration
tester or team if a significant level of detailed knowledge is required for the audit.
When performing these types of engagements, four classes of penetration test can be conducted,
differentiated by how much prior knowledge the penetration tester has about the system.
The four types are:

Red Team/Blue Team assessment
Whitebox
Blackbox
Graybox

What does a Red Team do?
_____________________________________________________________________________
What does a Blue Team do?
_____________________________________________________________________________

Red Team/Blue Team assessment: The terms Red and Blue Team come from the military, where
combat teams are tested to determine operational readiness. In the computer world, a Red and
Blue Team assessment is like a war game, where the organization being tested is put to the test in
as real a scenario as possible. Red Team assessments are intended to show all of the various
methods an attacker can use to gain entry. It is the most comprehensive of all security tests. This
assessment method tests policy and procedures, detection, incident handling, physical security,
security awareness, and other areas that can be exploited. Every vector of attack is fair game in this
type of assessment. It is used to simulate attacks and test the ability to develop defences against
these attacks. The Red team is designated as the attacker and the Blue team builds the defence
mechanisms.
The two teams sharpen an organisation's detection and response capability. This is done through
sharing of intelligence data, understanding threat actors' TTPs, mimicking these TTPs through a series
of scenarios, and configuring, tuning and improving the detection and response capability.
Penetration tests as part of auditing can be conducted in several ways. The most common
difference is the amount of knowledge of the implementation details of the system being tested
that is available to the testers.
Black box testing
This assumes no prior knowledge of the infrastructure to be tested. The testers must first
determine the location and extent of the systems before commencing their analysis.
White box testing
This provides the testers with complete knowledge of the infrastructure to be tested, often
including network diagrams, source code, and IP addressing information.
Grey box testing
These are the variations in between white and black box testing, where the testers
have partial information.
Penetration tests can also be described as "full disclosure" (white box), "partial disclosure"
(grey box), or "blind" (black box) tests based on the amount of information provided to the
testing party.

Features and Uses


Black box testing simulates an attack from someone who is unfamiliar with the system.
White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive
information, where the attacker has access to source code, network layouts, and possibly even
some passwords.
White box techniques involve direct analysis of the application's source code, and black box
techniques are performed against the application's binary executable without source code
knowledge.
Most assessments of custom applications are performed with white box techniques, since source
code is usually available; however, these techniques cannot detect security defects in interfaces
between components, nor can they identify security problems caused during compilation, linking,
or installation-time configuration of the application.
White box techniques still tend to be more efficient and cost-effective for finding security defects in
custom applications than black box techniques.
Black box techniques should be used primarily to assess the security of individual high-risk compiled
components; interactions between components; and interactions between the entire application or
application system with its users, other systems, and the external environment. Black box
techniques should also be used to determine how effectively an application or application system
can handle threats.
Auditors should have a base knowledge of testing tools and techniques. Using testing frameworks is
a useful way to develop a technical testing plan.

2.8 Reliance on Checklists and Templates (Edited)


It is important to develop and use standard checklists for audits, as this ensures that data is collected
in a uniform manner. It also ensures that no data point or activity that must be covered is omitted.
One must ensure the templates and checklists are agreed upon prior to use and come from recognized
sources. They should be understood commonly by all participating in the audit. It is important that
those carrying out the audit understand the importance of capturing information in detail.
Pre-audit checklist:
1. Who are members of the audit team, and what are their roles and assignments?
2. What are the credentials and experience of the assigned audit team?
3. What orientation or training can you provide them to be comfortable within the
environment?
4. Communicate with your managers and staff in the areas to be audited.
5. If an area was audited before, review the prior report to see the issues raised and
recommendations made. Get an update of corrections or changes made as a result of
prior audit work and give your staff and the audit department credit.
Audit checklist:
1. Purpose of the audit?
2. Scope and objectives?
3. Who are the audit staff assigned? (Ask to be notified if any staff are changed.)
4. Timeframe for work to be performed?
5. Use of computer time/access to system/logs/training needed.
6. Access to IT management and staff?
7. Communicate (1) and (2) to all IT staff affected.
8. Set weekly or biweekly meetings with audit manager/audit team to discuss audit
progress and issues.
9. Before the audit is finished, request close-out conference from audit group.
10. Request a copy of audit report.
Post-audit checklist:
1. When the audit report is issued, pull your team together and discuss the report; if
you follow the steps above there should be no surprises. If there are, there was a
communication breakdown somewhere.
2. If you disagree with the report or portions of the report, do so in writing with
supporting evidence. Remember, the auditor has supporting evidence for their
reports, and this exists in their working papers. For those areas you agree, indicate
what corrective actions your team plans to take.
3. Have your team provide a status report to you on a 3- to 6-month cycle with a copy
to go to Internal Audit. This shows you value their work.
Summary
Broadly, there are two types of audit, internal and external.
External audits are commonly conducted by independent, certified parties in an objective
manner.
Internal audits usually are conducted by experts linked to the organisation, and it involves a
feedback process where the auditor may not only audit the system but also potentially provide
advice in a limited fashion. They differ from the external audit in allowing the auditor to discuss
mitigation strategies with the owner of the system that is being audited.
Within the broad scope of auditing information security there are multiple types of audits,
multiple objectives for different audits, etc. Audits can be broken down into a number of types,
from the simple analysis of security architecture based on opinion, to a full-blown, end-to-end
audit against a security framework such as ISO27001.
A security review is when the security posture of an organization is examined based on
professional experience and opinion. In this type of examination, issues that stand out are
sought as a way to help define the starting point for further activities.
Security assessments utilize professional opinion and expertise, but they also analyse the output
for relevancy and criticality to the organization. The analysis aspect of an assessment attempts
to quantify the risk associated with the items discovered to determine the extent of the
problem.
A security audit examines the organization's security posture against an industry standard
(ISO27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI. An audit
includes review and assessment; it also conducts a gap analysis against standards to measure
how well the organization complies.
Auditing techniques include:
Documentation review
Log review
Ruleset and system configuration review
Network sniffing
File integrity checking
Four of the most common standard frameworks are as follows:
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
NIST 800-115
Open Web Application Security Project (OWASP)
Red Teaming is a process designed to detect network and system vulnerabilities and test security
by taking an attacker-like approach to system/network/data access. This process is also called
"ethical hacking" since its ultimate purpose is to enhance security. Red Teams are third-party
entities hired to make an impartial assessment of the network or system.
The Blue team's responsibility is to detect, respond to and mitigate the attacks of the offensive
Red team. Blue teams need access to log data, SIEM data, threat intelligence data and to
network traffic capture data. The Blue team needs to be able to analyse vast swathes of data to
detect the vulnerability that was attacked.
Black box testing: This assumes no prior knowledge of the infrastructure to be tested. The
testers must first determine the location and extent of the systems before commencing their
analysis.
White box testing: This provides the testers with complete knowledge of the infrastructure to be
tested, often including network diagrams, source code, and IP addressing information.
Grey box testing: These are the several variations in between the white and the black box, where
the testers have partial information.
Practical activities:
Activity 1:
Search various Information Security Service Audit Organizations on the internet and prepare
a list of services they offer and the process or methodology followed. Present the same in
class.
Activity 2:
Go through various organizations' websites and understand the various security policies and
guidelines. Prepare a descriptive write-up on the subject.
Activity 3:
Go through various security benchmarks, research and learn to conduct security audits and
the creation of reports and audit templates. Present in a group the audit approach.
Activity 4:
Go through security benchmarks like ISO 27001, PCI DSS, and Centre for Internet Security
and understand the implications of non-maintenance of such standards.

Check your understanding:


Q. Which one of the following is the correct full form of ISG?
a) Information Security Group
b) Information Secured Governance
c) Information Security Governance
d) Information Securities and Governance
Q. A security professional is testing the functionality of an application, but does not have any
knowledge about the internal coding of the application. What type of test is this tester performing?
a) White box
b) Black box
c) Gray box
d) Black hat
Q. Testers are analysing a web application your organization is planning to deploy. They have full
access to product documentation, including the code and data structures used by the application.
What type of test will they MOST likely perform?
a) Gray box
b) White box
c) Black box
d) White hat
Q. Which of the following is NOT one of the four most common security auditing frameworks?
a) Open Source Security Testing Methodology Manual (OSSTMM)
b) NIST 800-115
c) National Cyber Awareness System (NCAS)
d) Information Systems Security Assessment Framework (ISSAF)
Q. Log review is part of which of the following categories of auditing techniques?
a) Target Vulnerability Validation Techniques
b) Examination review techniques
c) Target Identification and Analysis Techniques
d) Interviews and discussions
Q. Arrange the following audit stages in the order of execution, starting from 1 to 6.
A. Data collection and field work ______
B. Follow-through ______
C. Pre-audit agreement stage ______
D. Initiation and Planning stage ______
E. Reporting ______
F. Analysis ______
Q. The test phase is part of which of the following audit stages?
a) Analysis
b) Pre-audit agreement stage
c) Data collection and fieldwork
d) Initiation and planning
Q. List the three types of audit methods as per activity
1. ____________________________
2. ____________________________
3. ____________________________
UNIT III
Information Security Auditor

This Unit covers:


Lesson Plan
3.1. Role of an Auditor
3.2. Auditor Activities
3.3. Information Security Audit Consultants
3.4. Hiring an Information Security Auditor
3.5. Required Skills Sets of an Information Security Auditor
3.6. Ethics of an Information Security Auditor
3.7. What Makes an Information Security Auditor
LESSON PLAN

Outcomes
To be competent, you must be able to:
PC1. establish the nature and scope of information security audits and your role and
responsibilities within them (0904)
PC6. refer to appropriate people where audit tasks are beyond your levels of knowledge, skills
and competence (0904)
PC4. liaise with appropriate people to gather data/information required for information
security audits (0905)
You need to know and understand:
KA5./KA11. who to involve when carrying out information security audits (0904/0905)
KA5. the role of teams in information security audits (0905)
KA17. the importance of providing immediate support to auditors as required (0905)
KB4. additional information that may be required by auditors and where to source this (0905)

Performance Measures
1. List and discuss the various skills, knowledge and qualifications of an auditor and a security
analyst carrying out audit activities
2. Discuss details of formal qualifications for acquiring these skills and knowledge and the
benefits of getting formal qualifications

1. Research and discuss the various individual and team competencies (skills/knowledge) that
audit-providing consultants offer
2. Research, as a security analyst, what roles one plays in various types of audits

Ensuring Work Environment / Lab Requirement
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Access to sites like ISACA

Lesson
3.1 Role of an Auditor (As it is)

The role of the auditor is to identify, measure, and report on risk. The auditor is not tasked to
fix the problem, but to give a snapshot in time of the effectiveness of the security program. The
objective of the auditor is to report on security weaknesses.

Auditors ask the questions, test the controls, and determine whether the security policies are
followed in a manner that protects the assets the controls are intended to secure, by measuring
the organization's activities against security best practices.

The auditor functions as an independent advisor and inspector.

The auditor is responsible for planning and conducting audits in a manner that is fair and
consistent to the people and processes that are examined.

The auditing charter or engagement letter defines the conduct and responsibilities of an
auditor.

Depending on how a company's auditing program is structured, ultimate accountability for the
auditor is usually to senior management or the Board of Directors.

Auditors are usually required to present a report to management about the findings of the
audit and also make recommendations about how to reduce the risk identified.

The auditors are responsible for the following:
Plan, execute and lead security audits across an organization.
Inspect and evaluate financial and information systems, management procedures and
security controls
Evaluate the efficiency, effectiveness and compliance of operation processes with corporate
security policies and related government regulations
Review or interview personnel to establish security risks and complications
Develop and administer risk-focused exams for IT systems
Execute and properly document the audit process on a variety of computing
environments and computer applications
Assess the exposures resulting from ineffective or missing control practices
Accurately interpret audit results against defined criteria
Weigh the relevancy, accuracy and perspective of conclusions against audit evidence
Provide a written and verbal report of audit findings
Develop rigorous best practice recommendations to improve security on all levels
Work with management to ensure security recommendations comply with company
procedure
Collaborate with departments to improve security compliance, manage risk and bolster
effectiveness

3.2 Auditor Activities (As it is)


The following tasks and activities are carried out by the auditor in discharging their responsibilities:

Auditing the information asset management process will verify that the critical assets are
being managed in accordance with the IT/IS policies.

The auditor audits the information security and privacy policies and standards. The auditor
begins with policies and standards related to access control, data classification and network
security. In addition they focus on other policies and standards such as vendor management,
vulnerability management and data leakage prevention.

One of the important roles of audit is to verify that the policies and standards are not just
documented but are actually being implemented by users across the enterprise. This
verification can be accomplished by performing an audit of the security training and
awareness program

Instead of focusing on the actual access of each user, the auditor focuses on the IAM process
and verifies that the IAM process is working as designed. Auditing an automated IAM process
ensures the integrity of the process. The audit also focuses on the workflow, which includes
the approval hierarchy. Several IAM vendors are starting to provide mechanisms to
incorporate segregation of duties (SoD) checks within the workflow. If an organization has
incorporated the SoD checks in the workflow, it is important to include this process within
its audit scope.
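The SoD and approval-hierarchy checks described above, worked through as an added example (not code from the handbook). The IAM export format, the role names, the user names and the conflict matrix are all constructed for illustration; a real review would read the organisation's own IAM workflow export and SoD matrix.

```python
"""Segregation-of-duties (SoD) review over a constructed IAM workflow export.

Two audit checks the paragraph above calls for:
  1. no user holds two roles the SoD matrix declares incompatible;
  2. no grant in the approval workflow was approved by the requester or
     by the beneficiary (the approval hierarchy was not bypassed).
"""
from collections import defaultdict

# Constructed SoD matrix: pairs of roles one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"ap_invoice_entry", "ap_payment_approval"}),
    frozenset({"user_admin", "security_audit_log_review"}),
    frozenset({"developer", "production_deploy"}),
}

# Constructed IAM export: one record per role grant, as an automated IAM
# workflow would log it (beneficiary, role, who asked, who approved).
IAM_EXPORT = [
    {"user": "asha",  "role": "ap_invoice_entry",          "requester": "asha",  "approver": "manager1"},
    {"user": "asha",  "role": "ap_payment_approval",       "requester": "asha",  "approver": "manager1"},
    {"user": "bob",   "role": "developer",                 "requester": "bob",   "approver": "lead2"},
    {"user": "bob",   "role": "production_deploy",         "requester": "bob",   "approver": "bob"},
    {"user": "carol", "role": "user_admin",                "requester": "carol", "approver": "ciso"},
    {"user": "dan",   "role": "security_audit_log_review", "requester": "ciso",  "approver": "ciso"},
]


def roles_by_user(records):
    """Collapse the grant records into {user: set(roles)}."""
    held = defaultdict(set)
    for rec in records:
        held[rec["user"]].add(rec["role"])
    return held


def sod_violations(records, conflicts=SOD_CONFLICTS):
    """Return (user, role_a, role_b) for every user holding an incompatible pair."""
    findings = []
    for user, roles in sorted(roles_by_user(records).items()):
        for pair in sorted(conflicts, key=sorted):
            if pair <= roles:          # both roles of the pair are held
                role_a, role_b = sorted(pair)
                findings.append((user, role_a, role_b))
    return findings


def self_approved_grants(records):
    """Return (user, role) for grants approved by the requester or the beneficiary."""
    return [(rec["user"], rec["role"]) for rec in records
            if rec["approver"] in (rec["requester"], rec["user"])]


def audit_iam_export(records, conflicts=SOD_CONFLICTS):
    """Run both checks and return the findings an auditor would record."""
    return {"sod": sod_violations(records, conflicts),
            "self_approved": self_approved_grants(records)}


if __name__ == "__main__":
    result = audit_iam_export(IAM_EXPORT)
    for user, role_a, role_b in result["sod"]:
        print(f"SoD violation: {user} holds both {role_a} and {role_b}")
    for user, role in result["self_approved"]:
        print(f"Approval hierarchy bypassed: grant of {role} to {user} was self-approved")
```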

During the audit of policies and standards, the auditor should understand how the policies
and standards are being communicated across the enterprise. Every organization has a
communication method (e-mail, posting on an intranet web page, periodic security
seminars, monthly security awareness training, lunch-n-learns, etc.).

The responsible auditor should determine if logging is enabled in critical systems. Where
logs are enabled, the auditor verifies that there is a process for monitoring. The auditor also
verifies that the process has been assigned to a person and that this person is executing this
process. The focus here is on data leakage prevention (DLP). Besides verifying that the
proper access is granted to each individual, the auditor focuses on how the approved users
are using the data assets. Are data being encrypted properly before they are sent outside of
the organization? Depending on an organization's DLP policy, the SIEM system can
potentially help the auditor determine if the data are being copied on USB drives and leaving
the organization.
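The kind of log review the paragraph above describes, as an added example (not code from the handbook): a review of constructed, SIEM-normalised endpoint events that flags copies to unregistered removable drives and copies of sensitive data to any removable drive. The key=value event format, host names, device serials, the approved-device list and the sensitive paths are all constructed assumptions.

```python
"""Review of constructed SIEM events for data copied onto removable media."""
import re

# Constructed sample of SIEM-normalised endpoint events, one per line:
# "<timestamp> key=value key=value ...". Not from any real system.
SAMPLE_EVENTS = """\
2024-03-04T09:12:01Z host=wks-17 user=asha event=usb_storage_attach serial=4C530001
2024-03-04T09:12:40Z host=wks-17 user=asha event=file_copy src=/data/finance/q1.xlsx dst=/media/usb0/q1.xlsx bytes=2400000
2024-03-04T09:20:15Z host=wks-22 user=bob event=usb_storage_attach serial=APPROVED01
2024-03-04T09:21:00Z host=wks-22 user=bob event=file_copy src=/home/bob/notes.txt dst=/media/usb0/notes.txt bytes=1200
2024-03-04T10:01:02Z host=wks-17 user=asha event=file_copy src=/data/finance/q2.xlsx dst=/home/asha/q2.xlsx bytes=2000000
"""

APPROVED_SERIALS = {"APPROVED01"}            # constructed: registered, encrypted drives
SENSITIVE_PREFIXES = ("/data/finance/",)     # constructed: classified data locations
REMOVABLE_PREFIXES = ("/media/", "/mnt/usb")  # where removable media is mounted

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split '<timestamp> key=value ...' into a dict; the timestamp is stored as 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def removable_media_findings(text):
    """Return one finding per file copy onto an unapproved removable device, or of
    data from a sensitive path onto any removable device.

    The most recently attached device per (host, user) is assumed to be the
    target of a later copy into a removable mount point on that host.
    """
    attached = {}   # (host, user) -> serial of the most recently attached drive
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["host"], ev["user"])
        if ev["event"] == "usb_storage_attach":
            attached[key] = ev["serial"]
        elif ev["event"] == "file_copy" and ev["dst"].startswith(REMOVABLE_PREFIXES):
            serial = attached.get(key, "unknown")
            reasons = []
            if serial not in APPROVED_SERIALS:
                reasons.append("unapproved device")
            if ev["src"].startswith(SENSITIVE_PREFIXES):
                reasons.append("sensitive source path")
            if reasons:
                findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                                 "src": ev["src"], "serial": serial, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in removable_media_findings(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['user']}@{f['host']} copied {f['src']} to device "
              f"{f['serial']}: {', '.join(f['reasons'])}")
```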

In today's business environment, Governance, Risk Management and Compliance (GRC)
processes are critical to the auditor. The auditor examines corporate governance processes
and verifies that an infrastructure has been created to identify and manage risks. The
governance structure should be active and ongoing, which means that the executives should
conduct periodic meetings to address risks. The auditor also identifies all relevant
regulations and industry standards and performs periodic compliance reviews based on
identified and relevant risks. Noncompliance should be tracked and managed by executive
management.

The internal auditor should identify how the organization is connected to the outside, and
who on the outside is connected to the organization. There is a total reliance by some
organizations on Statement on Auditing Standards No. 70 (SAS 70) Type II reports for review
of external vendors. While SAS 70 is good, it is not final. The auditor first verifies that there is
a policy in place to address third-party connections. In addition to the SAS 70 report, the
organization should periodically perform its own audit of the vendor to certify that its
policies and security needs are being adequately addressed (the organization may have to
ensure that the vendor contracts allow for this audit). Changes performed by the third-party
vendor on systems affecting the organization should follow the organization's normal
change management process.

Also, the auditor should follow the entire process within the extended enterprise where the
critical data assets reside. For example, an enterprise may do an exceptional job of
protecting critical data assets within the enterprise, but an unencrypted backup tape can fall
off a vendor's truck and expose critical information and put the enterprise at risk. An audit
of the entire process will definitely reduce the risks associated with the extended enterprise.
This extended enterprise may exist globally and could add more complexity to the audit
plans.

The auditor verifies that a business continuity plan exists and is maintained and tested
periodically. The auditor should also make sure that the plan covers all the risks associated
with the business and that it is enough to keep the business in operation in times of
disruption. The IT auditor should understand the difference between business continuity
and disaster recovery and make sure that each is adequately addressed and periodically
tested.

The auditor identifies a catalog of IT initiatives, reviews the business reasons for the project
and identifies the executive sponsor for the project. The auditor obtains and reviews the
management reports from IT to executive management and verifies that sufficient
information is provided to management. The auditor verifies that IT initiatives are
adequately aligned with business objectives.
3.3 Information Security Audit Consultants (As it is)


These consultants (individuals or organisations) are usually found in advising or auditing roles
for information security.
Security consultants generally fall into one of three categories:
Management
Technical
Forensic

The first step in hiring a reliable consultant is to define the requirements of the job. Does it
involve the analysis of risk, implementation of security systems, regulatory compliance,
management consulting, training or defence of an inadequate security claim? Only after the
requirements of the job are defined can you select the right type of consultant to complete
the work.
A consultant should be independent and not affiliated with a product or service. If your
consultant is not independent, you should know about his or her relationship with a product
or service line and understand that it may result in a conflict of interest.
3.4. Hiring an Information Security Auditor (As it is)

The following points have to be borne in mind before hiring an audit company as auditors:
Does the consultant organization offer a comprehensive suite of services, tailored to specific
requirements?
Does the consulting organization have a quality certification?
Does the consulting organization have a track record of having handled a similar assignment for
security consulting?
Do the organization's security professionals hold certifications such as CISSP, CISA, CSM and CIPP?
Does the organization have a sound methodology to follow?
Is the organization a recognized contributor within the security industry in terms of research and
publication etc.?
3.5. Required Skills Sets of an Information Security Auditor (As it is)

A good auditor requires the following skills and knowledge in the various areas listed below:
Organization-wide security program planning and management
Knowledge of the legislative requirements for an agency security program
Knowledge of the sensitivity of data and the risk management process through risk
assessment and risk mitigation
Knowledge of the risks associated with a deficient security program
Knowledge of the elements of a good security program
Ability to analyse and evaluate an organization's security policies and procedures and
identify their strengths and weaknesses
Access control
Knowledge across platforms of the access paths into computer systems and of the
functions of associated hardware and software providing an access path
Knowledge of access level privileges granted to users and the technology used to provide
and control them
Knowledge of the procedures, tools, and techniques that provide for good physical,
technical, and administrative controls over access
Knowledge of the risks associated with inadequate access controls
Ability to analyse and evaluate an organization's access controls and identify the strengths
and weaknesses
Skills to review security software reports and identify access control weaknesses
Skills to perform penetration testing of the organization's applications and supporting
computer systems
Application software development and change control
Knowledge of the concept of a system life cycle and of the System Development Life Cycle
(SDLC) process
Knowledge of the auditor's role during system development and of federal guidelines for
designing controls into systems during development
Knowledge of the procedures, tools, and techniques that provide control over application
software development and modification
Knowledge of the risks associated with the development and modification of application
software
Ability to analyse and evaluate the organization's methodology and procedures for system
development and modification and identify the strengths and weaknesses
System software
Knowledge of the different types of system software and their functions
Knowledge of the risks associated with system software
Knowledge of the procedures, tools, and techniques that provide control over the
implementation, modification, and use of system software
Ability to analyse and evaluate an organization's system software controls and identify the
strengths and weaknesses
Skills to use software products to review system software integrity
Segregation of duties
Knowledge of the different functions involved with information systems and data processing
and incompatible duties associated with these functions
Knowledge of the risks associated with inadequate segregation of duties
Ability to analyse and evaluate an organization's organizational structure and segregation of
duties and identify the strengths and weaknesses
Service continuity
Knowledge of the procedures, tools, and techniques that provide for service continuity
Knowledge of the risks that exist when measures are not taken to provide for service
continuity
Ability to analyse and evaluate an organization's program and plans for service continuity
and identify the strengths and weaknesses
Application controls
Knowledge about the practices, procedures, and techniques that provide for the
authorization, completeness, and accuracy of application data
Knowledge of typical applications in each business transaction cycle
Ability to analyse and evaluate an organization's application controls and identify the
strengths and weaknesses
Skills to use a generalized audit software package to conduct data analyses and tests of
application data, and to plan, extract, and evaluate data samples
Auditors performing tasks in two of the above areas, access controls (which includes penetration
testing) and system software, require additional specialized technical skills. Such technical
specialists should have skills in one or more of the categories listed below:
Network analyst
Advanced knowledge of network hardware and software
Understanding of data communication protocols
Ability to evaluate the configuration of routers and firewalls
Ability to perform external and internal vulnerability tests with manual and automated tools
Knowledge of the operating systems used by servers
Windows/Novell analyst
Detailed understanding of microcomputer and network architectures
Ability to evaluate the configuration of servers and the major applications hosted on
servers
Ability to perform internal vulnerability tests with manual and automated tools
Unix analyst
Detailed understanding of the primary variants of the Unix architectures
Ability to evaluate the configuration of servers and the major applications hosted on servers
Ability to perform internal vulnerability tests with manual and automated tools
Database analyst
Understanding of the control functions of the major database management systems
Understanding of the control considerations of the typical application designs that use
database systems
Ability to evaluate the configuration of major database software products
Mainframe system software analyst
Detailed understanding of the design and function of the major components of the
operating system
Ability to develop or modify tools necessary to extract and analyse control information from
mainframe computers
Ability to use audit software tools
Ability to analyse modifications to system software components
Mainframe access control analyst
Detailed understanding of auditing access control security software such as ACF2, Top
Secret, and RACF
Ability to analyse mainframe audit log data
Ability to develop or modify tools to extract and analyse access control information

The Information Systems Audit and Control Association (ISACA) has set forth a code governing the
professional conduct and ethics of all certified IS auditors and members of the association. Every
CISA is expected to be bound by this code and to uphold it. The following points form part of
this code:
The auditor agrees to
Support the implementation of, and encourage compliance with, appropriate standards
and procedures for the effective governance and management of enterprise information
systems and technology, including: audit, control, security and risk management.
Perform their duties with objectivity, due diligence and professional care, in accordance
with professional standards.
Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of
conduct and character, and not discrediting their profession or the Association.
Maintain the privacy and confidentiality of information obtained in the course of their
activities unless disclosure is required by legal authority. Such information shall not be
used for personal benefit or released to inappropriate parties.
Maintain competency in their respective fields and agree to undertake only those activities
they can reasonably expect to complete with the necessary skills, knowledge and
competence.
Inform appropriate parties of the results of work performed including the disclosure of all
significant facts known to them that, if not disclosed, may distort the reporting of the
results.

Support the professional education of stakeholders in enhancing their understanding of the
governance and management of enterprise information systems and technology, including:
audit, control, security and risk management.
The failure of a CISA to comply with this code of professional ethics may result in an
investigation with possible sanctions or disciplinary measures.

3.6 Ethics of an Information Security Auditor (Edited)


ISACA (Information Systems Audit and Control Association) sets forth this Code of Professional Ethics
to guide the professional and personal conduct of members of the association and/or its certification
holders.
Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards and
procedures for the effective governance and management of enterprise information systems
and technology, including: audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with
professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of
conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their
activities unless disclosure is required by legal authority. Such information shall not be used
for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities
they can reasonably expect to complete with the necessary skills, knowledge and
competence.
6. Inform appropriate parties of the results of work performed including the disclosure of all
significant facts known to them that, if not disclosed, may distort the reporting of the
results.
7. Support the professional education of stakeholders in enhancing their understanding of the
governance and management of enterprise information systems and technology, including:
audit, control, security and risk management.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's
or certification holder's conduct and, ultimately, in disciplinary measures.

3.7 What Makes an Information Security Auditor (As it is)

At minimum, a bachelor's degree.

Certification is often highly recommended and may be required by some
employers prior to hiring.
A Certified Information Systems Auditor (CISA) is an independent expert who is
qualified to perform information systems audits. This has raised the status of the
CISA designation, which is often a mandatory qualification for an information
systems auditor.

ABOUT CISA
This certification is recognized worldwide as completion of a standardized security auditing
certification program.
Information Systems Audit and Control Association (ISACA) is a world recognized body that
was founded in 1969. The CISA examination and certification was initiated by ISACA in 1978, to
address industry requirements.
The CISA designation is awarded to individuals with an interest in information systems
auditing, control and security who meet the following requirements:
Successful completion of the CISA examination
Submission of an application for CISA certification
Adherence to the Code of Professional Ethics
Adherence to the Continuing Professional Education Program
Compliance with the Information Systems Auditing Standards

It is important to note that many individuals choose to take the CISA exam prior to meeting
the experience requirements. This practice is acceptable and encouraged, although the CISA
designation will not be awarded until all requirements are met.
ABOUT CISSP
CISSP (Certified Information Systems Security Professional) is a vendor-neutral
certification for those with proven deep technical and managerial competence, skills,
experience, and credibility to design, engineer, implement, and manage an overall
information security program to protect organizations from increasingly sophisticated attacks.
It is backed by (ISC)², the globally recognized not-for-profit organization dedicated to advancing
the information security field.

Summary
The role of the auditor is to identify, measure, and report on risk. The auditor is not tasked to fix
the problem, but to give a snapshot in time of the effectiveness of the security program. The
objective of the auditor is to report on security weaknesses.
Auditors ask the questions, test the controls, and determine whether the security policies are
followed in a manner that protects the assets the controls are intended to secure, by measuring
the organization's activities against security best practices.
The auditor audits the information security and privacy policies and standards.
A good auditor possesses skills in the following areas:
o Organization-wide security program planning and management
o Access control
o Application software development and change control
o System software
o Segregation of duties
o Service continuity
o Application controls
A consultant should be independent and not affiliated with a product or service. If your
consultant is not independent, you should know about his or her relationship with a product or
service line and understand that it may result in a conflict of interest.
Ethics statements are necessary to demonstrate the level of honesty and professionalism
expected of every auditor. Overall, the profession requires them to be honest and fair in all
representations they make. The goal is to build trust with clients.
ISACA has an auditor code of ethics with which auditors should comply.
While the minimum qualification required for an auditor is a bachelor's degree, an auditor can
obtain the recognised CISA and CISSP certifications to enhance their value.

Practical Activities:
Activity 1:
Identify some of the organisations offering audit services, and list and compare the
offerings, features, benefits and limitations of at least three of these.
Activity 2:
Collect information on the various qualifications for data security auditors and consultants.
Activity 3:
Collect, from the internet and other sources, cases where the mishandling of audits or
security audit failures has caused damage to organisations. Present one such case in class.

Check your understanding:


Q. List in brief the various activities carried out by an auditor.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. List points of the ISACA Code of Ethics
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

UNIT IV
VULNERABILITY ANALYSIS

This Unit covers:


Lesson Plan
4.1. What Is Vulnerability Assessment?
4.2. Why carry out a Vulnerability Assessment?
4.3. Vulnerability Classification
4.4. Types of Vulnerability Assessment
4.5. How to Conduct a Vulnerability Assessment
4.6. Vulnerability Analysis Tools
LESSON PLAN

Outcomes
To be competent, you must be able to:
PC5. carry out required audit tasks using standard tools and following established
procedures/guidelines/checklists (0904)
PC3. identify the requirements of information security audits and prepare for audits in
advance (0905)
PC4. liaise with appropriate people to gather data/information required for information
security audits (0905)
You need to know and understand:
KA11. the range of standard tools, templates and checklists available and how to use these (0904)
KB5. common audit techniques and how to record and report audit tasks (0904)
KB6. methods and techniques for testing compliance against your organization's security
criteria, legal and regulatory requirements (0904)
KA12. your organization's knowledge base and how to use this to support information
security audits (0905)

Performance Measures
1. Research and identify the scope of vulnerability assessment and the related tools,
procedures and guidelines to carry these out.
2. Discuss the various requirements and procedures at different stages of the VA, the
various activities that are carried out and their implications for the organisation.

Work Environment / Lab Requirement
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Networking Equipment: Routers & Switches
Firewalls and Access Points
Commercial Tools like HP Web Inspect and IBM AppScan etc.
Open Source tools like sqlmap, Nessus etc.

Performance Measures
1. Research the various automated VA (paid and free) tools available in the market and
draw a comparison of their offerings, features and benefits.
2. Go through the latest threats and breaches in cyberspace to understand the
implications of non-compliance with security standards.

Work Environment / Lab Requirement
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Access to all security sites like ISO, PCI DSS, Center for Internet Security
Security Templates from ITIL, ISO
Lesson
Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies,
and classifies the security holes (vulnerabilities) in a computer, network, or communications
infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed
countermeasures and evaluate their actual effectiveness after they are put into use.

4.1 What Is Vulnerability Assessment? (As it is)


A key component of the vulnerability assessment is properly defining the ratings for impact of loss and
vulnerability. The deliverable for the assessment is, most importantly, a prioritized list of discovered
vulnerabilities (and often how to remediate). The findings are classified into categories of high, medium,
and low risk.
A vulnerability assessment system will look at the network and pinpoint the weaknesses that need to
be fixed or patched before they are ever breached. With new vulnerabilities being announced every
week, a company's network is only as secure as its latest vulnerability assessment. An ongoing
vulnerability assessment process, in combination with proper remediation, will help ensure that the
network is fortified to withstand the latest attacks.

4.2 Why carry out a Vulnerability Assessment? (As it is)


Vulnerability assessment is important because it is a powerful proactive process for securing an
enterprise network. With vulnerability assessment, potential security holes are fixed before they
become problematic, allowing companies to fend off attacks before they occur. Virtually all attacks
come from already known vulnerabilities.

CERT/CC (the federally funded research and development center operated by Carnegie Mellon
University) reports that nearly 99% of all intrusions resulted from exploitation of known vulnerabilities
or configuration errors.

4.3. Vulnerability Classification (As it is)


The following categories of vulnerabilities are commonly recognised, even though classification is
an ongoing discussion that has not yet been fully agreed by the various stakeholders:
1. Misconfigurations
2. Default installations
3. Buffer overflows
4. Unpatched servers
5. Default passwords
6. Open services
7. Application flaws
8. Open system flaws
9. Design flaws
Some of these are explained below.
Misconfigurations
Security misconfiguration is, simply, incorrectly assembled safeguards for a web application. These
misconfigurations typically occur when holes are left in the security framework of an application by
systems administrators, DBAs or developers. They can occur at any level of the application stack,
including the platform, web server, application server, database, framework, and custom code. These
security misconfigurations can lead an attacker right into the system and result in a partially or totally
compromised system. Attackers find these misconfigurations through unauthorized access to default
accounts, unused web pages, unpatched flaws, unprotected files and directories, and more. If a
system is compromised through faulty security configurations, data can be stolen or modified slowly
over time, and recovery can be time-consuming and costly.

Default installations
Most server applications included in a default installation are solid, thoroughly tested pieces of
software. Having been in use in production environments for many years, their code has been
thoroughly refined and many bugs that have been found are fixed. However, there is no perfect
software and there is always room for further refinement. Moreover, newer software is often not as
rigorously tested because of its recent arrival to production environments or because it may not be as
popular as other server software. Developers and system administrators often find exploitable bugs in
server applications and publish the information on bug tracking and security related websites such as
the Bugtraq mailing list (http://www.securityfocus.com) or the Computer Emergency Response Team
(CERT) website (http://www.cert.org).
Buffer overflows
A buffer overflow occurs when a program or process tries to store more data in a buffer
(a temporary data storage area) than it was intended to hold. Since buffers are created to contain a
finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent
buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally
through programming error, buffer overflow is an increasingly common type of security attack on data
integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific
actions, in effect sending new instructions to the attacked computer that could, for example, damage
the user's files, change data, or disclose confidential information.
Unpatched servers
According to Wikipedia, a patch is a piece of software designed to update a computer program or its
supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with
such patches usually called bugfixes or bug fixes, and improving the usability or performance.
Although meant to fix problems, poorly designed patches can sometimes introduce new problems.
Server applications that are left unpatched, whether because developers have not issued fixes or
because administrators fail to apply them, make this one of the most exploited vulnerabilities.
Default passwords
Another common error is to leave the default passwords or keys in services that have such
authentication methods built into them. For example, some databases leave default administration
passwords under the assumption that the system administrator will change this immediately upon
configuration. Even an inexperienced cracker can use the widely-known default password to gain
administrative privileges to the database.
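Four of the categories just described (misconfigurations, default installations, unpatched servers and default passwords) are exactly what a configuration audit can catch before a scanner or an attacker does. The following is an added example, not code from the handbook: a small audit that runs over a constructed service inventory and reports findings rated high, medium or low, the way the assessment deliverable classifies them. The product names, version baseline, risky-setting list and hostnames are all constructed placeholders, and the severity scheme is an illustrative choice.

```python
"""Configuration audit for the vulnerability classes described above.

Added example (not from the handbook). All service records, version
baselines, setting names and hostnames below are constructed.
"""
from dataclasses import dataclass

# Constructed baseline: the lowest version of each product that the
# organisation's patch policy considers current (placeholder values).
PATCH_BASELINE = {
    "webserver": (2, 4, 10),
    "dbms": (10, 3),
}

# Settings that a default installation leaves enabled and that the
# hardening standard requires to be off (constructed list).
RISKY_DEFAULT_SETTINGS = {
    "directory_listing": "Directory listing exposes file and path names",
    "sample_apps_installed": "Vendor sample applications are installed",
    "remote_root_login": "Remote login as the superuser is allowed",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    category: str   # one of the handbook's vulnerability categories
    severity: str   # high / medium / low, as in the assessment deliverable
    detail: str


def parse_version(text):
    """'2.4.6' -> (2, 4, 6); tuples compare element-wise, so 2.4.6 < 2.4.10."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def audit_service(record):
    """Apply each check to one service record and return its findings."""
    findings = []
    host, name = record["host"], record["product"]

    # Unpatched server: version below the organisation's baseline
    baseline = PATCH_BASELINE.get(name)
    if baseline and parse_version(record["version"]) < baseline:
        findings.append(Finding(host, name, "unpatched server", "high",
                                "version %s is below baseline %s"
                                % (record["version"], ".".join(map(str, baseline)))))

    # Default password: an enabled built-in account still on its install password
    for account in record.get("accounts", []):
        if account.get("enabled", True) and not account.get("password_changed", False):
            findings.append(Finding(host, name, "default password", "high",
                                    "account '%s' still uses its install password" % account["user"]))

    # Default installation / misconfiguration: risky settings left enabled
    for key, why in RISKY_DEFAULT_SETTINGS.items():
        if record.get("settings", {}).get(key):
            findings.append(Finding(host, name, "misconfiguration", "medium", why))
    return findings


def audit(records):
    """Run every check over every record; return findings ordered high -> low."""
    findings = [f for r in records for f in audit_service(r)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.service))


# Constructed sample inventory (placeholder hostnames, not real systems)
SAMPLE_INVENTORY = [
    {"host": "web01.example.test", "product": "webserver", "version": "2.4.6",
     "settings": {"directory_listing": True, "sample_apps_installed": True},
     "accounts": [{"user": "admin", "password_changed": False}]},
    {"host": "db01.example.test", "product": "dbms", "version": "10.5",
     "settings": {"remote_root_login": False},
     "accounts": [{"user": "root", "password_changed": True},
                  {"user": "guest", "enabled": False, "password_changed": False}]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print("[%-6s] %s %s: %s - %s" % (f.severity.upper(), f.host, f.service, f.category, f.detail))
```

Run as-is, the audit reports four findings on web01 (an old version, an unchanged install password and two risky defaults) and nothing on db01, whose disabled guest account is deliberately not counted: a disabled account with a default password is a hygiene issue, not an exposure.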

4.4 Types of Vulnerability Assessment (As it is)


Active Assessment: Scans the network using a network scanner to find hosts, services and
vulnerabilities.
Passive Assessment: Sniffs the network traffic to find out the active systems, network services,
applications and vulnerabilities present.
Host based Assessment: A security check carried out on the host through a configuration-level test
from the command line.
Internal Assessment: Scans the internal infrastructure to find out the exploits and vulnerabilities
present.
External Assessment: Assesses the network from a hacker's point of view to find out what
exploits and vulnerabilities are exposed to the outside world.
Application Assessment: Tests the web server infrastructure for any misconfiguration, outdated
content and known vulnerabilities.
Network Assessment: Determines the possible network security attacks that may occur on the
organization's systems.
Wireless network Assessment: Determines and tracks all the wireless networks present on the
client side.

4.5 How to Conduct a Vulnerability Assessment (As it is)


The method for performing the VA will include reviewing the appropriate policies and procedures
relating to the systems being assessed, interviewing system administrators, and security scanning.
Vulnerability analysis consists of several steps:
STEP 1. Defining and classifying network or system resources
STEP 2. Assigning relative levels of importance to the resources
STEP 3. Identifying potential threats to each resource
STEP 4. Developing a strategy to deal with the most serious potential problems first
STEP 5. Defining and implementing ways to minimize the consequences if an attack occurs.
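The five steps above, carried through in code as an added example (not from the handbook): assets are defined and classified (step 1) and given an importance (step 2), threats are recorded against each asset (step 3) together with a mitigation (step 5), and a score orders them so the most serious problems come first (step 4). The assets, threats, the importance × likelihood × impact scoring and the high/medium/low cut-offs are all constructed for illustration; a real assessment would use the organisation's own rating scheme.

```python
"""Carrying the five VA steps through in code.

Added example (not from the handbook). Assets, threats, scores and the
high/medium/low thresholds are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # STEP 1: define and classify the resource
    importance: int      # STEP 2: relative importance, 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class Threat:
    asset: str           # STEP 3: the resource this threat applies to
    description: str
    likelihood: int      # 1 (rare) .. 5 (expected)
    impact: int          # 1 (negligible) .. 5 (severe)
    mitigation: str      # STEP 5: how to limit the consequences if it happens


def risk_score(asset, threat):
    """Importance x likelihood x impact, giving a range of 1..125 (constructed scheme)."""
    return asset.importance * threat.likelihood * threat.impact


def classify(score):
    """Map a score onto the high/medium/low ratings of the deliverable (constructed cut-offs)."""
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def prioritise(assets, threats):
    """STEP 4: order the threats so the most serious problems are dealt with first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]   # KeyError here means a threat names an unclassified asset
        score = risk_score(a, t)
        rows.append({"asset": a.name, "threat": t.description, "score": score,
                     "rating": classify(score), "mitigation": t.mitigation})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory and threat list (not from any real assessment)
ASSETS = [
    Asset("customer-db", "database", 5),
    Asset("public-web", "web server", 4),
    Asset("intranet-wiki", "internal application", 2),
]
THREATS = [
    Threat("customer-db", "SQL injection in the order form", 3, 5,
           "parameterised queries; least-privilege database account"),
    Threat("public-web", "unpatched web server", 4, 4,
           "apply the vendor patch; restrict exposure until applied"),
    Threat("public-web", "outdated TLS configuration", 4, 2,
           "disable legacy protocols and ciphers"),
    Threat("intranet-wiki", "default admin password", 2, 2,
           "change the credential; enforce the password policy"),
]

if __name__ == "__main__":
    for row in prioritise(ASSETS, THREATS):
        print("%-6s %3d  %-14s %s" % (row["rating"], row["score"], row["asset"], row["threat"]))
```

The output is the prioritised list the handbook names as the assessment's main deliverable: each row carries the rating and the agreed mitigation, so the same table serves both the strategy (step 4) and the consequence-limiting measures (step 5).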
The following tasks are involved in conducting a VA:
Use vulnerability assessment tools
Check for misconfigured web servers, mail servers, firewalls, etc.
Search the web for more postings about the company's vulnerabilities
Search underground websites for more postings about the company's vulnerabilities

The VA is done in three phases:

Pre-assessment phase
Describes the scope of the assessment
Creates proper information protection procedures such as effective planning, scheduling,
coordination and logistics
Identifies and ranks the critical assets
Assessment phase
Examines the network architecture
Evaluates the threat environment
Carries out penetration testing
Examines and evaluates physical security
Performs a physical asset analysis
Observes policies and procedures
Conducts an impact analysis
Performs a risk characterization

Post-assessment phase
Prioritises the assessment recommendations
Provides action plan development to implement the proposed recommendations
Captures the lessons learned to improve the complete process in the future
Conducts training

Vulnerability Analysis phase

This phase refers to identifying the areas where vulnerability exists. This entails performing
vulnerability analysis and listing the areas that need testing and penetration.

Vulnerability penetration capabilities can be broken down into three steps:
Locating nodes
Performing service discovery on them
Testing those services for known security holes

Now that auditors have identified and verified the vulnerabilities, they must perform in-depth analysis
of all the assembled data. The goal here is to identify systemic causes, and then they formulate plans to
remedy each cause. These plans are the basis of the strategic recommendations that they bring before
the business executives. Once the auditors have completed their assessment, the IT department or the
consultants work alongside the executives to fix those problem areas. Once the business rectifies
vulnerabilities, they can direct their attention to upgrading or transitioning the network.

4.6 Vulnerability Analysis Tools (As it is)


The types of tools available for vulnerability assessment are classified as follows:
Host based VA tools
These find and identify the OS running on a particular host computer and test it for known
deficiencies. They also search for common applications and services.
Application-layer VA tools
These are directed towards web servers or databases.
Scope assessment tools
These provide security to the IT system by testing for vulnerabilities in the application and OS.
Depth assessment tools
These tools find and identify previously unknown vulnerabilities in a system, and include fuzzers. A
fuzzer is a program that attempts to discover security vulnerabilities by sending random input to an
application. If the program contains a vulnerability that leads to an exception, crash or server
error (in the case of web apps), it can be determined that a vulnerability has been discovered. Fuzzers
are often termed fault injectors for this reason: they generate faults and send them to an application.
Active/passive tools
Active scanners perform vulnerability checks on the network and consume resources on the
network. Passive scanners do not materially affect system resources; they only observe system data
and perform the data processing on a separate analysis machine.

Tools may also be classified based on the data examined or their location, for example network-based
scanners, agent-based scanners, proxy scanners or cluster scanners.
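To make the depth-assessment description concrete, here is an added example (not from the handbook) of a mutation fuzzer in the fault-injector sense: it takes a valid seed message, mutates it, feeds each mutant to a parser, and records the inputs that make the parser fail in an unexpected way rather than reject them cleanly. The length-prefixed record format, the deliberately buggy parser, its bounds-checked counterpart and the seed message are all constructed for the example. The point it shows is that fuzzing your own parser before deployment finds the missing bounds check that a code review can easily miss.

```python
"""A small mutation fuzzer run against a toy record parser.

Added example (not from the handbook). The record format, the buggy
parser, its hardened version and the seed message are all constructed.
Record format: [length byte][payload][checksum byte], repeated,
where checksum = sum(payload) mod 256.
"""
import random


def parse_records(data):
    """Parser with a deliberate bounds bug: it trusts the declared length."""
    records = []
    pos = 0
    while pos < len(data):
        length = data[pos]
        payload = data[pos + 1:pos + 1 + length]   # slicing silently shortens
        checksum = data[pos + 1 + length]          # BUG: index is not bounds-checked
        if sum(payload) % 256 != checksum:
            raise ValueError("bad checksum")
        records.append(bytes(payload))
        pos += 2 + length
    return records


def parse_records_safe(data):
    """Same format, with the bounds check the fuzzer shows to be missing."""
    records = []
    pos = 0
    while pos < len(data):
        length = data[pos]
        end = pos + 1 + length
        if end >= len(data):                        # payload and checksum must both fit
            raise ValueError("truncated record")
        payload = data[pos + 1:end]
        if sum(payload) % 256 != data[end]:
            raise ValueError("bad checksum")
        records.append(bytes(payload))
        pos = end + 1
    return records


def mutate(data, rng):
    """Apply one to three random mutations; each strategy targets a different parser assumption."""
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(["flip", "truncate", "insert", "maxlen"])
        if op == "flip" and data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)        # single bit flip
        elif op == "truncate" and data:
            del data[rng.randrange(len(data)):]     # cut the message short
        elif op == "insert":
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == "maxlen" and data:
            data[0] = 0xFF                          # declared length far beyond the buffer
    return data


def fuzz(parser, seed, iterations=500, rng_seed=1):
    """Return (input, exception name) for every mutant the parser failed to reject cleanly.

    ValueError is the parser's own rejection path and is therefore not a crash;
    anything else means an input reached code that did not expect it.
    """
    rng = random.Random(rng_seed)                   # fixed seed keeps runs reproducible
    crashes = []
    for _ in range(iterations):
        mutant = bytes(mutate(bytearray(seed), rng))
        try:
            parser(mutant)
        except ValueError:
            continue
        except Exception as exc:                    # a fuzzer wants every unexpected failure
            crashes.append((mutant, type(exc).__name__))
    return crashes


# Constructed seed: two valid records, "hi" (checksum 0xd1) and "ok" (checksum 0xda)
SEED_MESSAGE = b"\x02hi\xd1\x02ok\xda"

if __name__ == "__main__":
    found = fuzz(parse_records, SEED_MESSAGE)
    print("buggy parser: %d crashing inputs, first: %r" % (len(found), found[0] if found else None))
    print("hardened parser: %d crashing inputs" % len(fuzz(parse_records_safe, SEED_MESSAGE)))
```

Every crash the buggy parser produces is an IndexError from reading past the end of the data, which is the Python equivalent of the out-of-bounds read a C parser would make on the same input; the hardened parser turns the same mutants into clean ValueError rejections, so the fuzzer reports nothing against it.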

While new vulnerabilities are discovered every day and new tools are required to tackle
these, some of the available tools are listed below:
1. Qualys Vulnerability Scanner
2. Cycorp CycSecure Scanner
3. eEye Retina Network Security Scanner
4. Foundstone Professional Scanner
5. GFI LANguard Network Security Scanner
6. ISS Network Scanner
7. Saint Vulnerability Scanner
8. Symantec NetRecon Scanner
9. Shadow Security Scanner
10. Microsoft Baseline Security Analyzer
11. SPIKE Proxy
12. Foundstone's ScanLine
13. Cerebrus Internet Scanner

Some of the free scanners available on the internet include:


Nmap
Nmap is a utility for network discovery and/or security auditing. It can be used to scan large networks
or single hosts quickly and accurately, determining which hosts are available, what services each host
is running and the operating system that is being used.
For more information visit http://www.insecure.org/nmap
Nessus
Nessus is a remote security scanner. This software can audit a given network and determine if there
are any weaknesses present that may allow attackers to penetrate the defences. It launches
predefined exploits, and reports on the degree of success each exploit had.
For more information visit http://www.nessus.org
Whisker
Whisker is a CGI web scanner. It scans for known vulnerabilities found in web servers, giving the URL
that triggered the event as well; it can also determine the type of web server being run. It is easy to
update and has many useful features.
For more information visit http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
Enum
Enum is a console-based Win32 information enumeration utility. Using null sessions, enum can retrieve
userlists, machine lists, sharelists, namelists, group and member lists, password and LSA policy
information. enum is also capable of a rudimentary brute force dictionary attack on individual accounts.
For more information visit http://razor.bindview.com/tools/desc/enum_readme.html

Firewalk
Firewalking is a technique that employs traceroute-like techniques to analyze IP packet responses to
determine gateway ACL filters and map networks. It can also be used to determine the filter rules in
place on a packet forwarding device.
For more information visit http://www.packetfactory.net/Projects/Firewalk
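Scanner output only becomes useful to an assessment once it is turned into an inventory that can be ranked and followed up. As an added example (not from the handbook, and not part of Nmap itself), the following parses Nmap's grepable output format (the `-oG` option) into a host and port inventory, then flags open services that carry credentials in cleartext, the kind of finding a host or network assessment would follow up on. The scan lines are a constructed sample (TEST-NET addresses and made-up hostnames) in the real grepable layout, and the list of cleartext services is the example's own choice.

```python
"""Turn Nmap grepable output into an inventory and flag cleartext services.

Added example (not from the handbook). SAMPLE_GNMAP is a constructed
sample in Nmap's -oG layout; the addresses and hostnames are not real.
"""
import re

SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.0.2.10 (web01.example.test)\tStatus: Up
Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/, 443/open/tcp//ssl|http//Apache httpd 2.4.6/\tIgnored State: closed (997)
Host: 192.0.2.11 (db01.example.test)\tStatus: Up
Host: 192.0.2.11 (db01.example.test)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.2/, 23/open/tcp//telnet///, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")

# Services that send credentials unencrypted (the example's own list)
CLEARTEXT_SERVICES = {"telnet", "ftp", "rlogin", "rsh"}


def parse_gnmap(text):
    """Return {ip: {"name": hostname, "ports": [port records]}} from -oG output.

    Each Ports entry has the form port/state/protocol/owner/service/rpc/version/.
    """
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # comment and summary lines
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, name = match.group(1), match.group(2)
        entry = inventory.setdefault(ip, {"name": name, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/")
                if len(parts) < 7:
                    continue                          # malformed entry: skip, do not guess
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                       "service": service, "version": version})
    return inventory


def cleartext_findings(inventory):
    """Open ports running a cleartext-credential service, as (ip, port, service) sorted."""
    found = []
    for ip, entry in inventory.items():
        for p in entry["ports"]:
            if p["state"] == "open" and p["service"] in CLEARTEXT_SERVICES:
                found.append((ip, p["port"], p["service"]))
    return sorted(found)


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for ip, entry in sorted(inv.items()):
        print(ip, entry["name"])
        for p in entry["ports"]:
            print("  %5d/%s %-8s %-8s %s" % (p["port"], p["proto"], p["state"], p["service"], p["version"]))
    print("cleartext services:", cleartext_findings(inv))
```

Note that the filtered MySQL port is kept in the inventory but not reported: a filtered port is information about the firewall, not an exposed service, and mixing the two would inflate the findings list the assessment has to prioritise.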

Summary

Vulnerability analysis, also known as vulnerability assessment, is a process that defines,
identifies, and classifies the security holes (vulnerabilities) in a computer, network, or
communications infrastructure.
The deliverable for the assessment is, most importantly, a prioritized list of discovered
vulnerabilities (and often how to remediate them). The findings are classified into categories of high,
medium, and low risk.
Virtually all attacks come from already known vulnerabilities.
The following are categories of vulnerabilities commonly recognised:
o Misconfigurations
o Default installations
o Buffer overflows
o Unpatched servers
o Default passwords
o Open services
o Application flaws
o Open system flaws
o Design flaws
Developers and system administrators often find exploitable bugs in server applications and
publish the information on bug tracking and security-related websites such as the Bugtraq
mailing list (http://www.securityfocus.com) or the Computer Emergency Response Team (CERT)
website (http://www.cert.org).
Types of Vulnerability Assessment:
o Active Assessment
o Passive Assessment
o Host based Assessment
o Internal Assessment
o External Assessment
o Application Assessment
o Network Assessment
o Wireless network Assessment
The types of tools available for vulnerability assessment are classified as follows:
o Host based VA tools
o Application-layer VA tools
o Scope assessment tools
o Depth assessment tools
o Active/passive tools
Tools may also be classified based on the data examined or their location, for example network-based
scanners, agent-based scanners, proxy scanners or cluster scanners.
Nessus, Nmap, Whisker, Firewalk and Enum are free scanners available on the internet.
Some of the other available tools include Qualys Vulnerability Scanner, Cycorp CycSecure
Scanner, eEye Retina Network Security Scanner, Foundstone Professional Scanner, GFI LANguard
Network Security Scanner, ISS Network Scanner, Saint Vulnerability Scanner, Symantec
NetRecon Scanner, Shadow Security Scanner, Microsoft Baseline Security Analyzer, SPIKE Proxy,
Foundstone's ScanLine and Cerebrus Internet Scanner.

Practical Activity:
Activity 1:
Go through the latest threats and breaches in cyberspace to understand the
implications of non-compliance with security standards. List the sources from which
such information can be obtained.
Activity 2:
Search for and list the various VA tools offered by various organizations and note down their
features, uses, benefits and limitations. Also research reviews of these tools available
online.
Activity 3:
Search for examples of incidents reported for each of the categories of
vulnerability listed in this unit. Share these with your class.

Check your understanding:


Q. List the three types of Security consultants in the industry?
a) ___________________________________
b) ___________________________________
c) ___________________________________
Q. Which one of the following is NOT a category of VA tools?
a)
b)
c)
d)

Host based
Application based
Scope Assessment
Firewall based

Q. Match the following

Column A
1. Wireless network Assessment
2. Host based Assessment
3. Active Assessment
4. Application Assessment
5. External Assessment
6. Passive Assessment
7. Internal Assessment
8. Network Assessment

Column B
a) Scans the network using any network scanner to find hosts, services and vulnerabilities.
b) Sniffs the network traffic to find out active systems, network services, applications and
vulnerabilities present.
c) A sort of security check carried out through a configuration level test through the command line.
d) Determines and tracks all the wireless networks prevalent at the client side.
e) Assesses the network from a hacker's point of view to find out what exploits and vulnerabilities
are available to the outside world.
f) Tests the web server infrastructure for any misconfiguration, outdated content and known
vulnerabilities.
g) Determines the possible network security attacks that may occur on the organization's system.
h) Scans the infrastructure inside the company to find out the exploits and vulnerabilities.


Q. State whether the following statements are TRUE or FALSE
1. Nessus is a free remote security scanner. (   )
2. Active and Passive Scanners are categories of VA tools, classified as such based on the
amount of resources they use to carry out the scan. (   )
3. Incorrectly assembling the safeguards for a web application is known as a default
installation. (   )
4. A buffer overflow occurs when more data is sent to the temporary storage areas than their
capacity and the data spills into other areas, corrupting them. (   )
5. A fuzzer is a program that attempts to discover security vulnerabilities by sending random
input to an application. (   )


UNIT V
PENETRATION TESTING

This Unit covers:


Lesson Plan
5.1. About penetration testing
5.2. Penetration testing stages

LESSON PLAN

Outcomes
To be competent, you must be able to:
PC5. carry out required audit tasks using standard tools and following established
procedures/guidelines/checklists (0904)
PC3. identify the requirements of information security audits and prepare for audits in advance (0905)
PC4. liaise with appropriate people to gather data/information required for information security
audits (0905)

Performance Ensuring Measures
1. Research and identify the scope of penetration testing and the related tools, procedures and
guidelines to carry these out.
2. Discuss the various requirements and procedures at different stages of the penetration testing,
the various activities that are carried out and their implications for the organisation.

Work Environment / Lab Requirement
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Networking Equipment: Routers & Switches
Firewalls and Access Points
Commercial Tools like HP WebInspect and IBM AppScan etc.
Open Source tools like sqlmap, Nessus etc.

You need to know and understand:
KA11. the range of standard tools, templates and checklists available and how to use these (0904)
KB5. common audit techniques and how to record and report audit tasks (0904)
KB6. methods and techniques for testing compliance against your organization's security criteria,
legal and regulatory requirements (0904)
KA12. your organization's knowledge base and how to use this to support information security
audits (0905)

Performance Ensuring Measures
1. Research the various penetration testing tools available in the market and draw a comparison
of their offerings, features and benefits.
2. Go through the latest threats and breaches in cyberspace to understand the implications of
non-compliance to security standards.

Work Environment / Lab Requirement
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)


Lesson
A penetration test is the process of actively evaluating a company's information security measures.
Security measures are actively analysed for design weaknesses, technical flaws and vulnerabilities.
The results are delivered comprehensively in a report to executive, management and technical
audiences.

5.1. Why conduct penetration testing? (As it is)

Reasons for conducting pentests:

Identify the threats facing an organization's information assets
Reduce an organization's IT security costs and provide a better Return on IT Security Investment
(ROSI) by identifying and resolving vulnerabilities and weaknesses
Provide an organization with assurance: a thorough and comprehensive assessment of organizational
security covering policy
Gain and maintain certification to an industry regulation (BS7799, HIPAA etc.)
Adopt best practice by conforming to legal and industry regulations
Focus on high severity vulnerabilities and emphasize application-level security issues to
development teams and management
Test and validate the efficiency of security protections and controls
Provide vulnerability perspectives to the organization, internally and externally
Provide indisputable information usable by audit teams gathering data for regulatory compliance
Provide a comprehensive set of preparation steps that can be taken to prevent upcoming
exploitation
Evaluate the efficiency of network security devices such as firewalls, routers, and web servers
Inform changes or upgrades to the existing infrastructure of software, hardware, or network design

5.2. What should be tested? (As it is)

An organization should conduct a risk assessment before the penetration test; this helps to
identify the main threats, such as:

Communications failure, e-commerce failure, and loss of confidential information.
Public facing systems: websites, email gateways, and remote access platforms.
Mail, DNS, firewalls, passwords, FTP, IIS, and web servers.

Testing should be performed on all hardware and software components of a network security
system.

5.3 Penetration testing stages (As it is)


According to one classification, there are three stages in penetration testing:

Pre-attack
Attack Phase
Post-attack phase

Pre-attack phase
This process seeks to gather as much information about the target network as possible, following
these seven steps:
STEP 1. Gather initial information
STEP 2. Determine the network range
STEP 3. Identify active machines
STEP 4. Discover open ports and access points
STEP 5. Fingerprint the operating system
STEP 6. Uncover services on ports
STEP 7. Map the network


Attack Phase
The next phase is the attack phase, where, if an attack is successful, the vulnerability is verified and
safeguards are identified to mitigate the associated security exposure. In many cases, exploits that
are executed do not grant the maximum level of potential access to an attacker. They may instead
result in the testers learning more about the targeted network and its potential vulnerabilities, or
induce a change in the state of the targeted network's security.
Some exploits enable testers to escalate their privileges on the system or network to gain access
to additional resources. If this occurs, additional analysis and testing are required to determine the true
level of risk for the network, such as identifying the types of information that can be gleaned, changed,
or removed from the system. In the event an attack on a specific vulnerability proves impossible, the
tester should attempt to exploit another discovered vulnerability.
If testers are able to exploit a vulnerability, they can install more tools on the target system or
network to facilitate the testing process. These tools are used to gain access to additional systems or
resources on the network, and obtain access to information about the network or organization.

Post-Attack Phase and Activities


The reporting phase runs in parallel with the other three phases of the penetration test. In
the planning phase, the assessment plan, or ROE (rules of engagement), is developed. In the discovery
and attack phases, written logs are usually kept and periodic reports are made to system
administrators and/or management. At the conclusion of the test, a report is generally developed to
describe identified vulnerabilities, present a risk rating, and give guidance on how to mitigate the
discovered weaknesses.
Penetration (or external assessment) testing usually starts with three pre-test phases:

Footprinting
Scanning
Enumerating

Together, the three pre-test phases are called reconnaissance.


The goal of reconnaissance is primarily to discover the following information:

IP addresses of hosts on a target network
Accessible User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ports on
target systems
Operating systems on target systems

Malicious hackers also value reconnaissance as the first step in an effective attack.
The three stages of reconnaissance are:


Footprinting
Footprinting is the active blueprinting of the security profile of an organization. It involves gathering
information about your customer's network to create a unique profile of the organization's networks
and systems. It's an important way for an attacker to gain information about an organization
passively, that is, without the organization's knowledge.
Footprinting may also require manual research, such as studying the company's Web page for useful
information, for example:

Company contact names, phone numbers and email addresses
Company locations and branches
Other companies with which the target company partners or deals
Company privacy policies, which may help identify the types of security mechanisms in place

Other resources that may have information about the target company are:

The Capital Market database if the company is publicly traded
Disgruntled employee blogs and Web sites
Trade press

You can also get more active with footprinting. For example, you can call the organization's help
desk, and by employing social engineering techniques, get them to reveal privileged information.
Scanning
The next four information-gathering steps -- identifying active machines, discovering open ports
and access points, fingerprinting the operating system, and uncovering services on ports are
considered part of the scanning phase. The goal here is to discover open ports and applications by
performing external or internal network scanning, pinging machines, determining network ranges
and port scanning individual systems.
Although this is still information gathering mode, scanning is more active than footprinting, and it
provides a more detailed picture of the customer's operations.
Some common tools used in the scanning phase are:

NMap
Ping
Traceroute
Superscan
Netcat
NeoTrace
Visual Route


Enumerating
In enumeration, a tester tries to identify valid user accounts or poorly-protected resource shares
using active connections to systems and directed queries. The type of information sought by testers
during the enumeration phase can be users and groups, network resources and shares, and
applications.
The techniques used for enumeration include:

Obtaining Active Directory information and identifying vulnerable user accounts
Performing NetBIOS name enumeration with NBTscan
Using snmputil for SNMP enumeration
Employing Windows DNS queries
Establishing null sessions and connections

Remember that during a penetration test, you'll need to document every step and finding, not only
for the final report, but also to alert the organization immediately to serious vulnerabilities that may
exist. This is also known as the Discovery phase.


Summary
A penetration test is the process of actively evaluating a company's information security
measures. Security measures are actively analysed for design weaknesses, technical flaws and
vulnerabilities. The results are delivered comprehensively in a report to executive, management
and technical audiences.
Testing should be performed on all hardware and software components of a network security
system.
According to one classification, there are three stages in penetration testing:
Pre-attack
Attack Phase
Post-attack phase
The three stages of reconnaissance are:
Footprinting
Scanning
Enumerating
Types of Reconnaissance:
Active Reconnaissance
Passive Reconnaissance
The reconnaissance process seeks to gather as much information about the target network as
possible, following these seven steps:
Gather initial information
Determine the network range
Identify active machines
Discover open ports and access points
Fingerprint the operating system
Uncover services on ports
Map the network
The next phase is the attack phase, where if an attack is successful, the vulnerability is verified
and safeguards are identified to mitigate the associated security exposure.
Attack phase activities include: perimeter auditing, web application auditing, wireless auditing,
application security auditing, network security auditing, wireless/remote access auditing,
database auditing, file integrity checking, log management auditing, telephone security, data
leakage auditing, social engineering auditing
At the conclusion of the test, a report is generally developed to describe identified
vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered
weaknesses.


Practical Activity:

Activity 1:
Collate data from various sources and list the various types of penetration testing
based on the object of testing. List the steps and considerations for each type of
testing, including the various tools that are available in the market for that particular
testing.
Activity 2:
Compare various data security companies and their offerings for penetration testing.
Compare their features, benefits and value propositions; also research reviews by their
clients and by independent reviewers of their products and services.
Activity 3:
Study from various sources and discuss in class the legal and ethical concerns of
penetration testing. Also explore the advantages and disadvantages of penetration
testing.

Check for understanding:


Q. A security tester is sending random data to a program. What does this describe?
a) Fuzzing
b) Buffer overflow
c) Integer overflow
d) Command injection
Q. Your organization wants to improve the security posture of internal database servers. Of the
following choices, what provides the BEST solution?
a) Opening ports on a server's firewall
b) Disabling unnecessary services
c) Keeping systems up to date with current patches
d) Keeping systems up to date with current service packs
Q. List at least 5 tools used for network security assessment.
a) ___________________________________
b) ___________________________________

c) ___________________________________
d) ___________________________________
e) ___________________________________

Q. Active blueprinting of the security profile of an organization, involving gathering information about
your customer's network to create a unique profile of the organization's networks and systems is known
as
a) Enumerating
b) Footprinting
c) Scanning
d) Relational Assessment
Q. List at least 5 tools used for web application assessment.
a) ___________________________________
b) ___________________________________
c) ___________________________________
d) ___________________________________
e) ___________________________________


UNIT VI
Information Security Audit
Tasks

This Unit covers:


Lesson Plan
6.1. Pre-audit tasks
6.2. Information gathering
6.3. External Security Audit
6.4. Internal Network Security Auditing
6.5. Firewall Security Auditing
6.6. IDS Security Auditing
6.7. Social Engineering Audit


LESSON PLAN

Outcomes
To be competent, you must be able to:
PC2. identify the procedures/guidelines/checklists for the audit tasks you are required to carry
out (0904)
PC3. identify any issues with procedures/guidelines/checklists for carrying out audit tasks and
clarify these with appropriate people (0904)
PC4. collate information, evidence and artefacts when carrying out audits (0904)
PC5. carry out required audit tasks using standard tools and following established
procedures/guidelines/checklists (0904)
PC7. record and document audit tasks and audit results using standard tools and templates (0904)
PC8. review results of audit tasks with appropriate people and incorporate their inputs (0904)
PC3. identify the requirements of information security audits and prepare for audits in advance (0905)

Performance Ensuring Measures
1. Carry out audits using free internet tools in a lab environment
2. Locate a list of threats and vulnerabilities and compare them to known lists or uncovered threats
and vulnerabilities
3. Carry out a preliminary information gathering activity for the training institution's network.
Identify the perimeter and other network components and create a security audit plan for the same

Work Environment / Lab Requirement
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Networking Equipment: Routers & Switches
Firewalls and Access Points
Commercial Tools like HP WebInspect and IBM AppScan etc.
Open Source tools like sqlmap, Nessus etc.

You need to know and understand:
KB1. common issues that may affect carrying out audit tasks and how to deal with these
KB2. different systems and structures that may need information security audits and how they operate
KB3. features, configuration and specifications of information security systems and devices and
associated processes and architecture
KA10. different approaches and ways of working for internal and external information security audits
KA11. who to involve when carrying out information security audits
KA12. your organization's knowledge base and how to use this to support information security audits
KA13. how to carry out, record and report audit tasks
KA14. the range of data and information required for information security audits and where to
obtain this
KA15. methods and techniques used when working with others

Performance Ensuring Measures
1. Research and list the various stages of the audit and related tasks
2. Research and outline the responsibilities of the security analyst across the various stages and tasks
3. Research various tools (paid and free) and compare their offerings, features, benefits and
limitations

Work Environment / Lab Requirement
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)


Training Resource Material


A security analyst may contribute to activities during the audit process, which include the following
tasks.

6.1 Pre-audit tasks (As it is)


During this phase, the auditors determine the main area/s of focus for the audit and any areas that are
explicitly out-of-scope, based normally on an initial risk-based assessment plus discussion with those
who commissioned the audit. Information sources include general research on the industry and the
organization, previous and perhaps other audit reports, and documents such as the Statement of
Applicability, Risk Treatment Plan and Security Policy.
The auditors should ensure that the scope makes sense in relation to the organization. The audit
scope should normally match the scope of the Information Security Management System (ISMS) being
certified. For example, large organizations with multiple divisions or business units may have separate
ISMS's, an all-encompassing enterprise-wide ISMS, or some combination of local and centralized ISMS.
If the ISMS certification is for the entire organization, the auditors may need to review the ISMS in
operation at all or at least a representative sample of business locations, such as the headquarters and
a selection of discrete business units chosen by the auditors.
The auditors should pay particular attention to information security risks and controls associated with
information conduits to other entities (organizations, business units etc.) that fall outside the scope of
the ISMS, for example checking the adequacy of information security-related clauses in Service Level
Agreements or contracts with IT service suppliers. This process should be easier where the
out-of-scope entities have been certified compliant with ISO/IEC 27001.

During the pre-audit survey, the ISMS auditors identify and ideally make contact with the main
stakeholders in the ISMS such as the ISM manager/s, security architects, ISMS developers, ISMS
implementers and other influential figures such as the CIO and CEO, taking the opportunity to
request pertinent documentation etc. that will be reviewed during the audit. The organization
normally nominates one or more audit "escorts", individuals who are responsible for ensuring
that the auditors can move freely about the organization and rapidly find the people,
information etc. necessary to conduct their work, and act as management liaison points.

The primary output of this phase is an agreed ISMS audit scope, charter, engagement letter or similar.
Contact lists and other preliminary documents are also obtained and the audit files are opened to
contain documentation (audit working papers, evidence, reports etc.) arising from the audit.

The pre-audit questionnaire is used to assist the audit manager in gathering pertinent information prior
to the on-site visit. Information gathered from the pre-audit questionnaire is used to formulate
additional questions to be answered during the on-site visit and to assist in determining policy
compliance. Additionally, the pre-audit questionnaire is used as a tool by audit managers to prepare
information sheets for local auditors, outlining/summarizing the CSA's audit program and procedures.

6.2 Information Gathering (As it is)


Information gathering is essentially using the Internet to find all the information you can about the
target (company and/or person) using both technical (DNS/WHOIS) and non-technical (search
engines, news groups, mailing lists etc.) methods.

a. What Is Information Gathering?


Information gathering does not require that the assessor establish contact with the target system.
Information is collected (mainly) from public sources on the Internet and from organizations that hold
public information (e.g. tax agencies, libraries, etc.). The information gathering section of the
penetration test is important for the penetration tester. Assessments are generally limited in time and
resources. Therefore, it is critical to identify the points that are most likely to be vulnerable, and to
focus on them. Even the best tools are useless if not used appropriately and in the right place and
time. That is the reason why experienced testers invest a significant amount of time in information
gathering.
Information gathering is a necessary step of a penetration test. This task can be carried out in many
different ways. By using public tools (search engines), scanners, sending simple HTTP requests, or
specially crafted requests, it is possible to force the application to leak information, e.g. by disclosing
error messages or revealing the versions and technologies used. It includes the following steps:
1. Spiders, Robots and Crawlers: This phase of the Information Gathering process consists of
browsing and capturing resources related to the application being tested.
2. Search Engine Discovery/Reconnaissance: Search engines, such as Google, can be used to
discover issues related to the web application structure or error pages produced by the application
that have been publicly exposed.
3. Identify application entry points: Enumerating the application and its attack surface is a key
precursor before any attack should commence. This section will help you identify and map out every
area within the application that should be investigated once your enumeration and mapping phase
has been completed.
4. Testing Web Application Fingerprint: Application fingerprinting is the first step of the Information
Gathering process; knowing the version and type of a running web server allows testers to determine
known vulnerabilities and the appropriate exploits to use during testing.


5. Application Discovery: Application discovery is an activity oriented to the identification of the
web applications hosted on a web server/application server. This analysis is important because often
there is no direct link connecting to the main application backend. Discovery analysis can be useful to
reveal details such as web applications used for administrative purposes. In addition, it can reveal old
versions of files or artefacts such as undeleted, obsolete scripts, crafted during the test/development
phase or as the result of maintenance.
6. Analysis of Error Codes: During a penetration test, web applications may divulge information
that is not intended to be seen by an end user. Information such as error codes can inform the tester
about technologies and products being used by the application. In many cases, error codes can be
easily invoked without the need for specialist skills or tools, due to bad exception handling design and
coding.
Clearly, focusing only on the web application will not be an exhaustive test. It cannot be as
comprehensive as the information possibly gathered by performing a broader infrastructure analysis.
b. Information Gathering Methodology
Phase One
Network survey: A network survey is like an introduction to the system that is tested. By doing it, you
will have a network map, using which you will find the number of reachable systems to be tested
without exceeding the legal limits of what you may test. Usually more hosts are detected during the
testing, so they should be properly added to the network map. The results that the tester might get
using network surveying are:
Domain Names
Server Names
IP Addresses
Network Map
ISP / ASP information
System and Service Owners
Network surveying can be done using TTL modulation (traceroute) and record route (e.g. ping -R),
although classical 'sniffing' is sometimes an equally effective method.
Phase Two
OS Identification (sometimes referred to as TCP/IP stack fingerprinting): The determination of a remote
OS type by comparison of variations in OS TCP/IP stack implementation behaviour. In other words, it is
active probing of a system for responses that can distinguish its operating system and version level. The
results are:
OS Type
System Type
Internal system network addressing
Phase Three
Port scanning: Port scanning is the invasive probing of system ports on the transport and network level.
Included here is also the validation of system reception to tunnelled, encapsulated, or routing protocols.
Testing for different protocols will depend on the system type and services it offers. However, it is not
always necessary to test every port for every system. This is left to the discretion of the test team. Port
numbers that are important for testing according to the service are listed with the task. Additional port
numbers for scanning should be taken from the Consensus Intrusion Database Project Site. The results
that the tester might get using port scanning are:
List of all open, closed or filtered ports
IP addresses of live systems
Internal system network addressing
List of discovered tunnelled and encapsulated protocols
List of discovered routing protocols supported
Methods include SYN and FIN scanning, and variations thereof, e.g. fragmentation scanning.
182

Student Handbook SSC/ Q0904/0905 Security Analyst

Phase Four
Services identification: This is the active examination of the application listening behind the service. In certain cases more than one application exists behind a service, where one application is the listener and the others are considered components of the listening application. The results of service identification are:
- Service Types
- Service Application Type and Patch Level
- Network Map
The methods in service identification are the same as in port scanning. There are two ways in which one can perform information gathering:
1. The first method is to perform information gathering techniques with a 'one to one' or 'one to many' model; i.e. a tester performs techniques in a linear way against either one target host or a logical grouping of target hosts (e.g. a subnet). This method is used to achieve immediacy of the result, is often optimized for speed, and is often executed in parallel.
2. The other method is to perform information gathering using a 'many to one' or 'many to many' model. The tester utilizes multiple hosts to execute information gathering techniques in a random, rate-limited and non-linear way. This method is used to achieve stealth (distributed information gathering).
c. Information Gathering Steps
1. Crawl the website and mirror the pages on your PC
2. Crawl the FTP website and mirror the pages on your PC
3. Look up registered information in the WHOIS database
4. List the products sold by the company
5. List the contact information, email addresses, and telephone numbers
6. List the company's distributors
7. List the company's partners
8. Search the internet, newsgroups, bulletin boards and negative websites for information about the company
9. Search for trade association directories
10. Search for link popularity of the company website
11. Compare price of product or service with competition
12. Find the geographical location
13. Search the internet archive pages about the company
14. Search similar or parallel domain name listings
15. Search job posting sites about the company
16. Browse social network websites
17. Write down key employees
18. Investigate key personnel by searching in Google, look up their resumes and cross reference information
19. List employee company and personal email addresses
20. Search for web page posting patterns and revision numbers
21. Email the employee disguised as a customer asking for a quotation
22. Visit the company as an inquirer and extract privileged information
23. Visit the company locality
24. Use web investigation tools to extract sensitive data targeting the company
25. Conduct background check on key company personnel
26. Search on eBay and other sites for company presence
27. Use the Domain Research Tool to investigate the company's domain
28. Use various public databases to research company information
29. Use Google/Yahoo! Finance and other sites to search for press releases issued by the company
30. Search company business reports and profiles at various databases
31. Search for telephone numbers using directories and other services
32. Retrieve the DNS record of the organisation from publicly available servers

6.3 External Security Audit (As it is)

External Intrusion Audit and Analysis
An External Intrusion Audit and Analysis identifies strengths and weaknesses of a client system and network as they appear from outside the client's security perimeter, usually from the internet.
Why Is It Done?
This is done to demonstrate the existence of known vulnerabilities in the client system and network that could be exploited by an external hacker.
Client Benefits
The client benefits by anticipating external attacks that might cause security breaches and by proactively reducing risks to information, systems and networks. It also improves the security of the client's networked resources. This provides improved e-commerce and e-business operations with increased confidence in their ability to protect data, information and resources.
External Security Auditing: How is it done?
- Gather externally accessible configuration information
- Scan client external network gateways to identify services and topology
- Scan client Internet servers for ports and services vulnerable to attack
- Attempt intrusion of vulnerable internal systems

Steps for Conducting External Security Auditing
- Inventory the company's external infrastructure and create a topological map of the network
- Identify the IP address of the targets
- Locate the traffic route that goes to the web servers
- Locate TCP and UDP traffic path to the destination
- Identify the physical location of the target servers
- Examine the use of IPv6 at the remote location
- Look up the domain registry for IP information, find IP block information about the target
- Locate the ISP servicing the client
- List open and closed ports
- List suspicious ports that are half open/closed
- Port scan every port on the target's network
- Use SYN scan and connect scan on the target and see the response
- Use XMAS scan, FIN scan and NULL scan on the target and see the response
- Firewalk on the router's gateway and guess the access-list
- Examine TCP sequence number prediction
- Examine the use of standard and non-standard protocols
- Examine IPID sequence number prediction
- Examine the system uptime of the target
- Examine the operating system used for different targets
- Examine the patches applied to the operating system
- Locate the DNS record of the domain and attempt DNS hijacking
- Download applications from the company's website and reverse engineer the binary code
- List programming languages used and application software used to create various programs on the target server
- Look for error and custom web pages
- Guess different sub domain names and analyse the different responses
- Examine the session variables
- Examine cookies generated by the server
- Examine the access controls used in the web applications
- Brute force URL injections and session tokens
- Check for directory consistency and page naming syntax of the web pages
- Look for sensitive information in web page source code
- Attempt URL encodings on the web pages
- Try buffer overflow attempts at input fields
- Try Cross Site Scripting (XSS) techniques
- Record and replay the traffic to the target web server and note the response
- Try various SQL injection techniques
- Examine hidden fields
- Examine e-commerce and payment gateways handled by the web server
- Examine welcome messages, error messages, and debug messages
- Probe the service by SMTP mail bouncing
- Grab the banner of HTTP servers, SMTP servers, POP3 servers, FTP servers

- Identify the web extensions used at the server
- Try to use an HTTPS tunnel to encapsulate traffic
- OS fingerprint target servers
- Check for ICMP responses (type 3, port unreachable), (type 8, echo request), (type 13, timestamp request), (type 15, information request), (type 17, subnet address mask request)
- Check for ICMP responses from the broadcast address
- Port scan DNS servers (TCP/UDP 53)
- Port scan TFTP servers (Port 69)
- Test for NTP ports (Port 123)
- Test for SNMP ports (Port 161)
- Test for Telnet ports (Port 23)
- Test for LDAP ports (Port 389)
- Test for NetBIOS ports (Ports 135-139, 445)
- Test for SQL server ports (Port 1433, 1434)
- Test for Citrix ports (Port 1495)
- Test for Oracle ports (Port 1521)
- Test for NFS ports (Port 2049)
- Test for Compaq, HP Insight Manager ports (Port 2301, 2381)
- Test for Remote Desktop ports (Port 3389)
- Test for Sybase ports (Port 5000)
- Test for SIP ports (Port 5060)
- Test for VNC ports (Port 5900/5800)
- Test for X11 ports (Port 6000)
- Test for Jet Direct ports (Port 9100)
- Port scan FTP data (Port 20)
- Port scan web servers (Port 80)
- Port scan SSL servers (Port 443)
- Port scan Kerberos-Active Directory (Port TCP/UDP 88)
- Port scan SSH servers (Port 22)
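A port list like the one above only becomes an audit finding when it is compared with what each host is approved to expose; the variances are what go into the report and into the performance metrics this unit is about. The following is an added example, not code from the handbook: it parses constructed scan lines written in nmap's greppable (-oG) layout, compares each host's open ports with a constructed approved-exposure baseline, and reports unexpected open ports as well as approved services that were not reachable. The hosts (RFC 5737 addresses), ports and baseline are all made up for the demonstration.

```python
"""Reconcile externally visible ports against an approved-exposure baseline.

Added example, not from the handbook: the scan lines below are constructed in
nmap's greppable (-oG) layout, the hosts use RFC 5737 documentation addresses
and the approved-exposure baseline is invented for the demonstration.
"""
import re
from dataclasses import dataclass

# Well-known ports taken from the external-audit checklist above.
SERVICE_NAMES = {
    20: "ftp-data", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 69: "tftp",
    80: "http", 88: "kerberos", 123: "ntp", 161: "snmp", 389: "ldap", 443: "https",
    445: "smb", 587: "submission", 1433: "mssql", 1521: "oracle", 2049: "nfs",
    3389: "rdp", 5060: "sip", 5900: "vnc", 6000: "x11", 9100: "jetdirect",
}

# Constructed baseline: the ports each Internet-facing host is approved to expose.
APPROVED_EXPOSURE = {
    "203.0.113.10": {80, 443},   # public web server
    "203.0.113.20": {25, 587},   # mail relay
    "203.0.113.30": {53},        # authoritative DNS
}

# Constructed scan output, one host per line, in greppable layout:
# port/state/protocol/owner/service/rpc-info/version/
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 587/open/tcp//submission///, 161/open/udp//snmp///
Host: 203.0.113.30 ()\tPorts: 53/open/tcp//domain///, 53/open/udp//domain///, 23/closed/tcp//telnet///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


@dataclass(frozen=True)
class Variance:
    host: str
    port: int
    proto: str
    kind: str      # "unexpected_open" or "approved_not_reachable"
    service: str


def parse_greppable(text):
    """Return {host: [(port, state, proto), ...]} from greppable scan lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # status-only lines carry no ports
        hosts[m.group(1)] = [(int(p), s, pr) for p, s, pr in PORT_RE.findall(m.group(2))]
    return hosts


def find_variances(scan, baseline):
    """Flag open ports outside the baseline and baseline ports that are not open."""
    variances = []
    for host, entries in scan.items():
        approved = baseline.get(host, set())   # unknown host: nothing is approved
        open_ports = set()
        for port, state, proto in entries:
            if state != "open":
                continue                       # closed/filtered ports are not exposure
            open_ports.add(port)
            if port not in approved:
                variances.append(Variance(host, port, proto, "unexpected_open",
                                          SERVICE_NAMES.get(port, "unknown")))
        for port in sorted(approved - open_ports):
            variances.append(Variance(host, port, "tcp", "approved_not_reachable",
                                      SERVICE_NAMES.get(port, "unknown")))
    return variances


def variance_counts(variances):
    """Per-kind counts, the figure a metrics report would carry."""
    counts = {}
    for v in variances:
        counts[v.kind] = counts.get(v.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_variances(parse_greppable(SCAN_OUTPUT), APPROVED_EXPOSURE)
    for v in found:
        print(f"{v.host}:{v.port}/{v.proto} {v.service:<10} {v.kind}")
    print(variance_counts(found))
```

A host that is not in the baseline at all has every open port flagged, which is the right default for an external audit: an unknown Internet-facing host is itself a finding. Ports reported as filtered are deliberately not counted as exposure, but a real report would list them separately so the firewall rules that produce them can be reviewed.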

6.4 Internal Network Security Auditing (As it is)

Internal testing involves testing computers and devices within the company. It is more like white-box testing. What if an employee of the company penetrates the network with the amount of IT knowledge he has? What if a hacker breaks in to the internal network that houses employees' PCs and databases and steals sensitive information? What if a casual guest visitor walks by the company and steals data from one of the isolated machines?
The internal network penetration test process will test and validate the level of internal security on the client network. Based on statistics maintained by the Federal Bureau of Investigation (FBI), fifty percent of companies reporting break-ins to their networks and/or business applications state they were compromised by internal attacks. Internal network security is, more often than not, underestimated by administrators. Very often, such security does not even exist, allowing one user to
easily access another user's machine using well-known exploits, trust relationships and default settings. Most of these attacks require little or no skill, putting the integrity of a network at stake.
Most employees do not need and should not have access to each other's machines, administrative functions, network devices and so on. However, because of the amount of flexibility needed for normal operation, internal networks cannot afford maximum security. On the other hand, with no security at all, internal users can be a major threat to many corporate internal networks. A user within the company already has access to many internal resources and does not need to bypass firewalls or other security mechanisms which prevent non-trusted sources, such as Internet users, from accessing the internal network. Poor network security also means that, should an external hacker break into a computer on your network, he/she can then access the rest of the internal network more easily. This would enable a sophisticated attacker to read and possibly leak confidential emails and documents, trash computers, leading to loss of information, and more. Not to mention that they could then use your network and network resources to start attacking other sites, which when discovered will lead back to you and your company, not the hacker.
Most attacks against known exploits could be easily fixed and, therefore, stopped by administrators if they knew about the vulnerability in the first place. During an Internal Network Security Assessment, security experts scan the entire internal local-area and wide-area networks for known vulnerabilities. These scans include all servers, workstations, and network devices.
Steps for Internal Network Security Auditing
Internal Network Review includes:
- Examining the internal configuration and setup of the organization's computing resources
- User accounts and password policies and practices
- Access privileges and levels
- File, directory, event log and registry permissions
- Audit logs
- Software patch management
- Physical network cabling
- Backup methodology and disaster recovery plans
Internal testing involves testing computers and devices within the company. The internal penetration testing involves:
- Performing port scanning on individual machines and establishing null sessions.
- Attempting replay attacks, ARP poisoning, MAC flooding.
- Conducting man-in-the-middle attack and trying to login to a console machine.
- Attempting to plant keylogger, Trojan, and Rootkit on target machine.
- Attempting to send virus using target machine.
- Hiding sensitive data and hacking tools in target machine.
- Escalating user privileges.

Internal testing, which is a critical part of this, includes the following steps:
- Map the internal network
- Scan the network for live hosts
- Port scan individual machines
- Try to gain access using known vulnerabilities
- Attempt to establish null sessions
- Enumerate users/identify domains on the network
- Sniff the network using Wireshark
- Sniff POP3/FTP/Telnet passwords
- Sniff email messages
- Attempt replay attacks
- Attempt ARP poisoning
- Attempt MAC flooding
- Conduct a man-in-the-middle attack
- Attempt DNS poisoning
- Try a login to a console machine
- Boot the PC using an alternate OS and steal the SAM file
- Attempt to plant a software keylogger to steal passwords
- Attempt to plant a hardware keylogger to steal passwords
- Attempt to plant spyware on the target machine
- Attempt to plant a Trojan on the target machine
- Attempt to create a backdoor account on the target machine
- Attempt to bypass anti-virus software installed on the target machine
- Attempt to send virus using the target machine
- Attempt to plant rootkits on the target machine
- Hide sensitive data on target machines
- Hide hacking tools and other data on target machines
- Use various Steganography techniques to hide files on the target machine
- Escalate user privileges
- Capture POP3/SMTP/IMAP email traffic
- Capture the communications between the FTP client and FTP server
- Capture HTTP/HTTPS/RDP/VoIP traffic
- Run Wireshark with the filter ip.src == ip_address
- Run Wireshark with the filter ip.dst == ip_address
- Run Wireshark with the filter tcp.dstport == port_no
- Run Wireshark with the filter ip.addr == ip_address
- Spoof the MAC address
- Poison the victim's IE proxy server
- Attempt session hijacking on Telnet/FTP/HTTP traffic

Continue to compromise every machine in the network and perform the previous steps. Make sure you can undo your actions based on the pen-test process you have conducted.
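The Wireshark filters in the checklist above select packets by source address, destination address, either address, or TCP destination port. The following added example, which is not from the handbook, implements those same filter forms over constructed packet summaries so that the matching rules are visible, and then uses them for the audit question the checklist raises: which hosts are still sending POP3/FTP/Telnet traffic in the clear. The addresses (RFC 1918), ports and packets are constructed; the `cleartext_talkers` helper is this example's own.

```python
"""Apply Wireshark-style display filters to packet summaries.

Added example, not from the handbook: a small evaluator for the filter forms
the internal-audit checklist names (ip.src, ip.dst, ip.addr, tcp.dstport), run
over constructed packet summaries with RFC 1918 addresses.
"""
import re

# Constructed packet summaries, as if exported from a capture.
PACKETS = [
    {"src": "10.0.0.5",  "dst": "10.0.0.20", "proto": "tcp", "sport": 51000, "dport": 110},   # POP3 (cleartext)
    {"src": "10.0.0.20", "dst": "10.0.0.5",  "proto": "tcp", "sport": 110,   "dport": 51000},
    {"src": "10.0.0.7",  "dst": "10.0.0.20", "proto": "tcp", "sport": 51002, "dport": 995},   # POP3 over TLS
    {"src": "10.0.0.5",  "dst": "10.0.0.9",  "proto": "tcp", "sport": 51003, "dport": 23},    # Telnet (cleartext)
    {"src": "10.0.0.9",  "dst": "10.0.0.5",  "proto": "udp", "sport": 53,    "dport": 51004}, # DNS reply
]

# Each supported field maps to a test on one packet; tcp.* fields only match TCP.
FIELDS = {
    "ip.src":      lambda p, v: p["src"] == v,
    "ip.dst":      lambda p, v: p["dst"] == v,
    "ip.addr":     lambda p, v: v in (p["src"], p["dst"]),
    "tcp.srcport": lambda p, v: p["proto"] == "tcp" and p["sport"] == int(v),
    "tcp.dstport": lambda p, v: p["proto"] == "tcp" and p["dport"] == int(v),
    "tcp.port":    lambda p, v: p["proto"] == "tcp" and int(v) in (p["sport"], p["dport"]),
}
CLAUSE_RE = re.compile(r"^\s*([a-z.]+)\s*==\s*(\S+)\s*$")

# Service ports of the cleartext protocols the checklist says to look for.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}


def compile_filter(expr):
    """Turn 'ip.addr == 10.0.0.5 && tcp.dstport == 23' into a predicate."""
    clauses = []
    for clause in expr.split("&&"):
        m = CLAUSE_RE.match(clause)
        if not m or m.group(1) not in FIELDS:
            raise ValueError(f"unsupported filter clause: {clause.strip()!r}")
        clauses.append((FIELDS[m.group(1)], m.group(2)))
    return lambda pkt: all(test(pkt, value) for test, value in clauses)


def apply_filter(expr, packets=PACKETS):
    """Packets matching a display-filter expression."""
    keep = compile_filter(expr)
    return [p for p in packets if keep(p)]


def cleartext_talkers(packets=PACKETS):
    """Map each host seen sending to a cleartext service port to the protocols it used."""
    seen = {}
    for p in packets:
        if p["proto"] == "tcp" and p["dport"] in CLEARTEXT_PORTS:
            seen.setdefault(p["src"], set()).add(CLEARTEXT_PORTS[p["dport"]])
    return seen


if __name__ == "__main__":
    for expr in ("ip.src == 10.0.0.5", "ip.addr == 10.0.0.5", "tcp.dstport == 110"):
        print(f"{expr:<22} -> {len(apply_filter(expr))} packet(s)")
    print("hosts still using cleartext protocols:", cleartext_talkers())
```

The difference between `ip.src` and `ip.addr` is the point to notice: `ip.addr == host` returns both directions of every conversation the host is part of, which is what you want when reconstructing a session, while `ip.src` only shows what the host itself sent. Only `&&` is supported here; Wireshark's full filter language also has `||`, `!` and range operators.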
Internal Security Auditing Tools
a. Automated penetration tools
- Core Impact
- Metasploit
- Canvas
b. Scanning tools
- Internet Scanner (www.iss.net)
- NetRecon (www.symantec.com)
- CyberCop (www.nai.com)
- Nessus (www.nessus.org)
- Cisco Secure Scanner (www.cisco.com)

6.5 Firewall Security Auditing (As it is)

A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users on other networks. A firewall sits at the junction point or gateway between two networks, usually a private network and a public network such as the Internet. Firewalls protect against hackers and malicious intruders. A firewall is a combination of hardware and software that separates a LAN into two or more parts for security purposes.
Firewalls are top on the list of critical security devices that businesses use to protect their assets. Firewalls come in all shapes and sizes, but they operate on the same basic principle: limit the exposure of computer systems to only those protocols and ports necessary to provide services, thus reducing the attack surface of the system. The auditing of a firewall primarily revolves around inspecting the firewall rules to make sure that they accurately enforce security policy and provide as high a degree of protection as feasible.
A firewall examines all traffic routed between the two networks to see if it meets certain criteria. It routes packets between the networks. It filters both inbound and outbound traffic. It manages public access to private networked resources such as host applications. It logs all attempts to enter the private network and triggers alarms when hostile or unauthorized entry is attempted. Firewalls block unauthorized traffic, but an organization that wants to follow good practice needs to layer on other security countermeasures to defend against attacks that firewalls are not designed to prevent.
Address filtering: Firewalls can filter packets based on their source and destination addresses and port numbers.
Network filtering: Firewalls can also filter specific types of network traffic. The decision to forward or reject traffic depends on the protocol used, for example HTTP, FTP, or Telnet. Firewalls can also filter traffic by packet attribute or state.
If you have an attack against an authorized port and service, and your server is compromised, it isn't the firewall that failed but the lack of defence in depth. Of course, the concept of what a firewall is just isn't as clear as it used to be in the days of single-purpose firewalls. We live in a unified threat management world, and today's firewalls perform a great many security tasks. IPS and VPN have been integrated into the firewall line. Unified Threat Management (UTM) devices operate as a combined threat management device, but the foundational elements of the firewall are central to how the device operates.
A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria. The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another. Firewalls may be concerned with the type of traffic, or with source or destination addresses and ports. They may also use complex rule bases that analyse the application data to determine if the traffic should be allowed through.
Types of firewall
Firewalls fall into four broad categories:
- Packet filters
- Circuit level gateways
- Application level gateways
- Stateful multilayer inspection firewalls
Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP). They are usually part of a router. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can:
- Drop the packet.
- Forward it, or send a message to the originator.
Rules can include source and destination IP address, source and destination port number and protocol used. The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering.
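Because a packet filter evaluates its rules in order, auditing a rule base is largely a matter of working out what each rule can actually match and what falls through to the default policy. The example below is added here and is not from the handbook: it is a toy first-match evaluator over rules keyed on protocol, source and destination address and destination port, with two checks a firewall review applies, rules that are shadowed by an earlier rule and allow rules with no restriction at all. It also shows how a trailing unrestricted allow quietly converts a deny-unless rule base into an allow-unless one. The rules, the RFC 1918/5737 addresses and the sample packets are constructed.

```python
"""Evaluate and audit a first-match packet-filter rule base.

Added example, not from the handbook: a toy evaluator for rules keyed on
protocol, source/destination address and destination port, plus two audit
checks a firewall review applies (shadowed rules and unrestricted allow rules).
The rules, the RFC 1918/5737 addresses and the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    proto: str                                # "tcp", "udp", "icmp" or "any"
    src: str                                  # CIDR block
    dst: str                                  # CIDR block
    dports: Optional[FrozenSet[int]] = None   # None means any destination port

    def matches(self, pkt):
        """True when this rule applies to the packet (a dict with src/dst/proto/dport)."""
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dports is None or pkt.get("dport") in self.dports))

    def covers(self, other):
        """True when every packet that matches `other` also matches this rule."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        ports_ok = self.dports is None or (other.dports is not None and other.dports <= self.dports)
        return (proto_ok and ports_ok
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)))


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins; `default` is the policy applied when none matches."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, rule in enumerate(rules)
            if any(rules[i].covers(rule) for i in range(j))]


def unrestricted_allows(rules):
    """Indices of allow rules with no protocol, address or port restriction at all."""
    everything = Rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0")
    return [i for i, rule in enumerate(rules)
            if rule.action == "allow" and rule.covers(everything)]


# Constructed rule base, in the order the firewall evaluates it.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", frozenset({80, 443})),   # public web server
    Rule("deny", "any", "0.0.0.0/0", "192.168.0.0/16"),                            # nothing straight inside
    Rule("allow", "tcp", "198.51.100.0/24", "192.168.10.5/32", frozenset({22})),   # never fires: index 1 covers it
    Rule("allow", "udp", "0.0.0.0/0", "203.0.113.30/32", frozenset({53})),         # public DNS
    Rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0"),                                # turns deny-unless into allow-unless
]

# Constructed packets used to exercise the rule base.
WEB_HIT = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}
SSH_TO_WEB = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 22}
SSH_INSIDE = {"src": "198.51.100.7", "dst": "192.168.10.5", "proto": "tcp", "dport": 22}


if __name__ == "__main__":
    for name, pkt in (("web", WEB_HIT), ("ssh-to-web", SSH_TO_WEB), ("ssh-inside", SSH_INSIDE)):
        print(name, evaluate(RULES, pkt), "without final allow:", evaluate(RULES[:-1], pkt))
    print("shadowed:", shadowed_rules(RULES), "unrestricted allows:", unrestricted_allows(RULES))
```

Two things the audit output makes visible: the shadowed rule at index 2 is either dead configuration or evidence that someone intended an exception that the deny above it prevents, and either way it needs a decision; and SSH to the web server is allowed only because of the final any/any rule, so removing that rule is what restores the deny-by-default posture the first four rules suggest. Source ports and connection state are deliberately out of scope for this toy, which is what separates it from the stateful inspection firewalls described later.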
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. Circuit level gateways are relatively inexpensive. They have the advantage of hiding information about the private network they protect. Circuit level gateways do not filter individual packets.
Application level gateways are also called proxies. They can filter packets at the application layer of the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, Telnet or other traffic through. Because they examine packets at the application layer, they can filter application-specific commands such as HTTP POST and GET.
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer. They are expensive and require competent personnel to administer the device.
Review Firewall Design
Assessing firewall design requires that the auditor understand the various ways in which a firewall can
be deployed. There are many factors that cause an organization to choose one design over another,
and technical requirements sometimes are shaped by politics and budget as well. The firewall is a
policy enforcement tool that should be placed at key network zone boundaries. It is ultimately up to
the business to determine its tolerance for risk and deploy the countermeasures that make sense. The
following examples illustrate common firewall designs that an auditor might find.
Simple Firewall
The simple firewall design is common for small or branch networks and involves a firewall or router
(configured as a firewall) between the Internet and the internal network. NAT is typically used, and
providing Internet access is the primary function of the firewall. There might be port forwarding
configured to internal servers for e-mail delivery or limited web hosting. These designs typically
suffer from minimal layered security, but are by far the least expensive deployment method to
connect a very small remote office or mobile worker situation.
Screening Router and Firewall
A screening router provides frontline defence at the network edge. Not only does this router act as a basic firewall, but it can also perform services such as routing, NetFlow collection, quality of service, and anti-spoofing. The point of a screening router is to provide defence in depth and another place where access rules can be applied.
Firewall with DMZ
A better design for an organization that hosts its own websites, e-mail, or other Internet facing
services is the firewall with DMZ design. This design provides segmentation of Internet-facing
services to their own dedicated subnet where policies and access control can be better enforced.
Typically the firewall provides NAT services to the web applications, and also conducts application
layer inspection to enforce RFC compliance and application use policies. Layering in an IPS via an
SSM module inside the firewall or through a dedicated appliance can give full IPS protection for all
traffic passing through the device.
Firewall with DMZ and Services Network
As the criticality of web services increases, a single DMZ can sometimes become crowded with
applications and services. The more applications, the more complicated the access rules can
become, and before long policies become difficult to implement on a single DMZ. Creating service
networks on separate firewall interfaces addresses this, by grouping like services together to
simplify policy enforcement. Web servers can go into the DMZ, and internal servers can go into the
services network. The amount of configuration starts to increase as the number of interfaces
increases, but the capability to be able to create more effective policies is vastly improved.
High Availability Firewall
High availability firewall designs are common in organizations that rely on the Internet as both a
source of revenue and an important mechanism for reaching customers. For these types of
organizations, downtime can create significant monetary loss, so the expense of a redundant
architecture is well worth it. Another high availability option is active/active where both firewalls
enforce policy and pass traffic at the same time, and in the event of a failure of one device all
traffic flows through the single remaining firewall. The benefits of active/active over active/standby
are that both firewalls are being utilized and can support higher data rates than a single firewall.
The downside to active/active is that both firewalls must be able to support their own traffic loads
in addition to the other firewall if one fails or the organization must be able to accept.
Firewall testing
The steps involved in firewall penetration testing include:
- Locate the firewall and traceroute to identify the network range
- Port scan the router
- Grab the banner
- Create custom packets and look for firewall responses
- Test access control enumeration
- Test to identify firewall architecture
- Test the firewall policy
- Test the firewall using a firewalking tool
- Test for port redirection
- Test the firewall from both sides
- Overt firewall test from outside
- Test covert channels
- Covert firewall test from outside
- Test HTTP tunnelling
- Test firewall specific vulnerabilities
After the testing, the following is documented:
- Firewall logs
- Tools output
- The analysis
- Recommendations (if any)
Firewall Auditing Tools: HTTPORT, HTTHOST, Firewall Test Agent, Hping3, Netfilter, fragroute, IP Filter, Ftester, Fwanalog, Fpipe, Firewall Builder, Port Test/Firewall Tester, VisualRoute, datapipe, firewalking

6.6 IDS Security Auditing (As it is)

Introduction to IDS
An IDS is software or hardware that detects and logs inappropriate, incorrect, or anomalous activity. IDSes are typically characterized based on the source of the data they monitor.
There are 2 types of IDS:
- Host-based: A host-based IDS uses system log files and other electronic audit data to identify suspicious activity.
- Network-based: A network-based IDS uses a sensor to monitor packets on the network to which it is attached.
A network intrusion detection system (NIDS) is a system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.
A host-based IDS monitors individual hosts on the network for malicious activity; for example, Cisco Security Agent. Host-based systems are more accurate than network-based IDS because they analyse the server's log files and not just network traffic patterns. The host monitors the system and reports its activities to a centralized server. They are expensive and resource intensive.
An application-based IDS is like a host-based IDS designed to monitor a specific application (similar to antivirus software designed specifically to monitor your mail server). An application-based IDS is extremely accurate in detecting malicious activity for the applications it protects.
Multi-Layer Intrusion Detection Systems
mIDS integrates many layers of IDS technologies into a single monitoring and analysis engine. It aggregates integrity monitoring software logs, system logs, IDS logs, and firewall logs into a single monitoring and analysis source.
Benefits:
- Improves detection time
- Increases situational awareness
- Incident handling and analysis
- Shortens response time
- Decreases detection and reaction time
- Decreases consumed employee time and increases systems uptime
- Provides a clear picture of what happened during an incident

Wireless Intrusion Detection Systems
WIDS monitor and evaluate user and system activities, identify known attacks, determine abnormal network activity, and detect policy violations for WLANs. They check for potential weaknesses that damage WLAN security, such as:
- Rogue wireless APs
- Man-in-the-middle attacks
A WIDS detects the following:
- DoS attacks
- MAC spoofing
- RF interference
It also isolates an attacker's physical location and identifies non-encrypted traffic.

IDS Security Auditing Steps:
- Test for resource exhaustion/IDS by sending ARP flood
- Test the IDS by MAC spoofing/IP spoofing
- Test by sending a packet to the broadcast address/inconsistent packets
- Test IP packet fragmentation/duplicate fragments
- Test for overlapping fragments/ping of death
- Test for odd sized packets/TTL evasion
- Test by sending a packet to port 0/UDP checksum
- Test for TCP retransmissions/TCP flag manipulation
- Test TCP flags
- Test the IDS by sending SYN floods/sequence number prediction
- Test for backscatter
- Test the IDS with ICMP packets/IDS using covert channels
- Test using TCP replay
- Test using TCP opera
- Test using method matching
- Test the IDS using URL encoding
- Test the IDS using double slashes
- Test the IDS for reverse traversal
- Test for self-reference directories
- Test for premature request ending
- Test for IDS parameter hiding
- Test for HTTP mis-formatting
- Test for long URLs
- Test for DOS/Win directory syntax
- Test for null method processing
- Test for case sensitivity
- Test session splicing
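Several of the checks above (URL encoding, double slashes, self-reference directories, reverse traversal, case sensitivity and DOS/Windows directory syntax) are variations on one theme: a signature-based IDS compares the request string as it was received, while the web server resolves that string into a path. An IDS that does not canonicalize the same way the server does misses the request. The example below is added here and is not from the handbook: it canonicalizes request paths the way a server would before comparing them with a signature, and contrasts that with naive string matching. The signature path and the request samples are constructed, and `decode_rounds` and `case_insensitive` are this example's own parameters for matching a particular target's behaviour.

```python
"""Canonicalize request paths before matching IDS signatures.

Added example, not from the handbook: it shows why a network IDS must normalize
URLs before string matching, using the evasions the checklist names (URL
encoding, double slashes, self-reference directories, reverse traversal, case
differences and DOS/Windows directory syntax). The signature path and the
request samples are constructed.
"""
import posixpath
import re
from urllib.parse import unquote


def canonicalize_path(raw, case_insensitive=False, decode_rounds=1):
    """Reduce a request path to the form the target server would actually resolve."""
    path = raw.split("?", 1)[0]            # the query string is not part of the path
    for _ in range(decode_rounds):         # some servers decode more than once; match that
        path = unquote(path)
    path = path.replace("\\", "/")         # DOS/Windows directory syntax
    path = re.sub(r"/+", "/", path)        # double (or more) slashes
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)        # removes /./ and resolves /../ (cannot climb above /)
    if case_insensitive:
        path = path.lower()
    return path


# Constructed signature: a path whose requests the analyst wants to see.
SIGNATURES = {"/admin/config"}

# Constructed request paths exercising the evasions listed above.
REQUESTS = [
    "/admin/config",
    "/admin/./config",
    "/admin//config",
    "/public/../admin/config",
    "/%61dmin/config",
    "/ADMIN/config",              # only a hit on a case-insensitive server
    "\\admin\\config",
    "/admin/config?debug=1",
    "/%2561dmin/config",          # double-encoded: needs a second decode round
    "/admin/configuration",       # not a hit: a different resource
]


def naive_hits(requests, signatures=SIGNATURES):
    """Raw string comparison, which the evasions above defeat."""
    return [r for r in requests if r in signatures]


def canonical_hits(requests, signatures=SIGNATURES, case_insensitive=False, decode_rounds=1):
    """Comparison after canonicalizing each request the way the server would."""
    return [r for r in requests
            if canonicalize_path(r, case_insensitive, decode_rounds) in signatures]


if __name__ == "__main__":
    print("naive:              ", naive_hits(REQUESTS))
    print("canonical:          ", canonical_hits(REQUESTS))
    print("case-insensitive, 2x:", canonical_hits(REQUESTS, case_insensitive=True, decode_rounds=2))
```

The two parameters exist because there is no single correct canonical form: the right number of decode rounds and the right case handling depend on the server behind the IDS, so an IDS audit should record what the protected servers do and confirm the sensor is configured to match. Session splicing and premature request ending are not covered here; those are defeated by reassembling the TCP stream before matching, not by path normalization.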

IDS Security Auditing Tools:
- IDS Informer
- Firewall Informer
- Traffic IQ Professional
- OSSEC HIDS
Evasion tools:
- EVADE IDS
- Evasion Gateway

6.7 Social Engineering Audit (As it is)

What is Social Engineering?
The term social engineering is used to describe the various tricks used to fool people (employees, business partners, or customers) into voluntarily giving away information that would not normally be known to the general public.
Examples:
- Names and contact information for key personnel
- System user IDs and passwords
- Proprietary operating procedures
- Customer profiles
Steps in conducting Social Engineering
- Attempt social engineering techniques using phone, vishing, telephone, email, traditional mail, in person, dumpster diving, insider accomplice, shoulder surfing, desktop information, extortion and blackmail, websites, theft and phishing attacks, satellite imagery and building blueprints, details of an employee from social network sites, telephone monitoring device to capture conversation, video recording tools to capture images, vehicle/asset tracking system to monitor motor vehicles, identified disgruntled employees and engage in conversation to extract sensitive information
- Document everything including approach, response, information sought and retrieved

Web Application Security Auditing
Web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation checking on the part of the developer. A web application is an application, generally comprising a collection of scripts, that resides on a web server and interacts with databases or other sources of dynamic content.
Steps for Web Application Testing
- Fingerprinting the web application environment
- Investigate the output from HEAD and OPTIONS HTTP requests
- Investigate the format and wording of 404/other error pages
- Test for recognized file types/extensions/directories
- Examine the source of available pages
- Manipulate inputs in order to elicit a scripting error
- Test the inner workings of a web application
- Test database connectivity
- Test the application code
- Test the use of GET and POST in the web application
- Test for parameter-tampering attacks on the website
- Test for URL manipulation
- Test for cross site scripting
- Test for hidden fields
- Test cookie attacks
- Test for buffer overflows
- Test for bad data
- Test client-side scripting
- Test for known vulnerabilities
- Test for race conditions
- Test with user protection via browser settings
- Test for command execution vulnerability
- Test for SQL injection attacks
- Test for blind SQL injection
- Test for session fixation attack
- Test for session hijacking
- Test for XPath injection attack
- Test for server side include injection attack
- Test for logic flaws
- Test for binary attacks
- Test for XML structural attacks
- Test for XML content-level attacks
- Test for WS HTTP GET parameters/REST attacks
- Test for naughty SOAP attachments
- Test for WS replay

Web Application Testing Tools
Burp Suite, fuzzing tool, dotDefender, IBM Security AppScan, HP WebInspect, SQL Block Monitor, Microsoft Source Code Analyzer, Acunetix Web Vulnerability Scanner, WebCruiser, GreenSQL, Microsoft UrlScan, Absinthe, CORE IMPACT Pro, Safe3SI, BSQLHacker, SQL Power Injector, Havij, BobCat, Sqlninja, sqlmap, Pangolin Automatic SQL Injection Penetration Testing Tool, NGSSQuirre, AtStake WebProxy, SPIKE Proxy, WebserverFP, KSES, Mieliekoek.pl, Sleuth, Webgoat, AppScan

Summary
Pre-audit tasks: During this phase, the auditors determine the main area(s) of focus for the
audit and any areas that are explicitly out of scope, based normally on an initial risk-based
assessment plus discussion with those who commissioned the audit.
An External Intrusion Audit and Analysis identifies strengths and weaknesses of a client's system
and network as they appear from outside the client's security perimeter, usually from the
internet.
Internal testing involves testing computers and devices within the company. It is more like
white-box testing. What if an employee of the company penetrates the network with the
amount of IT knowledge he has? What if a hacker breaks in to the internal network that
houses employees' PCs and databases and steals sensitive information?
Internal penetration testing involves:
o Performing port scanning on individual machines and establishing null sessions.
o Attempting replay attacks, ARP poisoning and MAC flooding.
o Conducting man-in-the-middle attacks and trying to log in to a console machine.
o Attempting to plant keyloggers, Trojans and rootkits on the target machine.
o Attempting to send a virus using the target machine.
o Hiding sensitive data and hacking tools in the target machine.
o Escalating user privileges.
Firewall auditing includes testing the firewall after establishing the types of firewall and their
configuration in the company.
Firewalls fall into four broad categories:
o Packet filters
o Circuit level gateways
o Application level gateways
o Stateful multilayer inspection firewalls
There are 2 types of IDS:
o Host-based: A host-based IDS uses system log files and other electronic audit data to identify
suspicious activity.
o Network-based: A network-based IDS uses a sensor to monitor packets on the network to which
it is attached.
mIDS (multi-layered IDS) integrates many layers of IDS technologies into a single monitoring and
analysis engine. It aggregates integrity monitoring software logs, system logs, IDS logs, and firewall
logs into a single monitoring and analysis source.
A WIDS (wireless IDS) monitors and evaluates user and system activities, identifies known attacks,
determines abnormal network activity, and detects policy violations for WLANs.
Other audits in penetration testing include Social Engineering and Web Application testing.

Practical Activities:

Activity 1:
Gather as much information as you can about the training institute, and note the various
sources of that information, without crossing the boundaries of the law. Share the same in class
and debate the security considerations for each type of information being out there and the
authorised or unauthorised sources of that information.
Activity 2:
Make a list of the precautions, security measures and legal options your institute has to enhance
the security of its information assets.
Activity 3:
Study and deliberate on the varying needs, concerns, limitations and challenges of internal
and external information security audits.

Check your understanding:


Q. List down steps involved in Firewall auditing
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
Q. List down the four types of firewall.
a) ___________________________________________________
b) ___________________________________________________
c) ___________________________________________________
d) ___________________________________________________
Q. What are the two types of IDS?
a) ___________________________________________________
b) ___________________________________________________
Q. Write a short note on the benefits of Multi-Layered IDS.


__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. List down at least four types of firewall designs an auditor is likely to find in organisations.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

UNIT VII

Audit Reports and Actions

This Unit covers:


Lesson Plan
7.1. Audit Reports and Actions


LESSON PLAN

Outcomes
To be competent, you must be able to:
PC7. record and document audit tasks and audit results using standard tools and templates (0904)
PC8. review results of audit tasks with appropriate people and incorporate their inputs (0904)
PC5. organize data/information required for information security audits using standard templates
and tools (0905)
You must know and understand:
KA6. how to record and report audit tasks (0904)
KA7. the importance of recording the results of audit tasks (0904)
KA10. how to improve the process and outcomes of future audits (0904)
KB5. common audit techniques and how to record and report audit tasks (0904)
KA13. how to carry out, record and report audit tasks (0905)

Performance Measures
For the skills outcomes:
1. Evaluate various audit report formats available from various sources. Discuss the purpose of
each of the elements of the report.
2. Prepare a report for an audit of the training institute.
For the knowledge outcomes:
1. Research various audit report formats and procedures to create an audit report.
2. Research key issues and concerns around audit reports and key considerations, and present
the same in class.

Ensuring Work Environment Requirement
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Access to all security sites like ISO, PCI DSS, Center for Internet Security

Lab
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Access to all security sites like ISO, PCI DSS, Center for Internet Security

Lesson
The goal of the auditor's report is to show the organization that the team honestly wants to improve the
company's security posture; this is to be borne in mind when writing the report.
The documentation report should contain the final results and recommendations to rectify any problems
found during the penetration testing process.
The document report includes:
o Summary of the test execution
o Scope of the project
o Result analysis
o Recommendations
o Appendixes
After documentation, submit the document to the client, get their signature on it and keep a
copy of the report.
The summary should provide a short, high-level overview of the test. It should contain the client's
name, the testing firm, the date of the test, and so on, together with information about the targeted
systems and applications and the end-user test results. All exploits performed should be examined, and
the summary should include details of the discovered vulnerabilities.
The scope of the project should include the IP address ranges that were tested and mentioned in the
contract, and should state:
o Whether social engineering was employed or not.
o Whether public or private networks were tested or not.
o Whether Trojans and backdoor software applications were permitted or not.
The results analysed should include:
o Domain name and IP address of the host
o TCP and UDP ports
o Description of the service
o Details of the test performed
o Vulnerability analysis
If one simply ran a handful of tools and provided a report, the company would never want to
see you again. Recommendations for improving their security are very important for the report to be
accepted by the customer.
Appendices should include:
o Contact information
o Screen shots
o Log output

Network penetration testing should include the following reports:
o Executive report - reports on the various hosts, users and vulnerabilities that were
identified, targeted and exploited during the test process.
o Active report - a detailed report on the various exploits executed.
o Host report - a detailed report on the various hosts that were tested.
o Vulnerability report - a report on the various vulnerabilities that were exploited
effectively during the penetration testing process.
o Payment Card Industry (PCI) report - the results of the vulnerability checks required by the
Payment Card Industry (PCI) Data Security Standard (where applicable).
Client-side penetration testing should include the following reports:
o Client-side penetration report - a report on the client-side test that includes the email
template sent, the exploit launched, the test result and details about the compromised systems.
o User report - information about which links were clicked, when the links were
clicked and who clicked them, together with a summarised report on all the users who
were identified and targeted during the testing process.
Web application penetration testing should include the following reports:
o Web application vulnerability report - a detailed report on every vulnerability that was found
during the testing process.
o Web application execution report - a summarised report of every vulnerable web page found
during the penetration testing process.
Writing the final report does not have to be the responsibility of one person. In many cases, multiple
team members will contribute to the actual writing of the final report. Assigning the writing
responsibility is usually according to the abilities of individual team members and the scope they
covered.
Divide the reports into sections as follows:
o Network test reports
o Client side test reports
o Web application test reports
The common structure for a penetration report includes:
o Executive summary
o Management summary
o Technical summary
Findings are security issues that the team uncovered during the penetration testing. Findings are
categorized as:
o High
o Medium
o Low

High criticality findings: loss could result in the unauthorized release of information that could have
a significant impact on the organization's mission or financial assets, or result in loss of life.
Medium criticality findings: loss could result in the unauthorized release of information that could
have an impact on the organization's mission or financial assets, or result in harm to an individual.
Low criticality findings: loss could result in the unauthorized release of information that could have
some degree of impact on the organization's mission or financial assets, or result in harm to an individual.

Focus on high priority security concerns first. Develop strategies to achieve short term and long term
security postures. Decide on required and available resources to maintain a consistent level of
information security.
Organizations should develop an action plan to:
o Address the security concerns on time and systematically.
o Reduce the misuse or threat of attacks on the organization.
o Create a configuration management process.
o Create or use configuration checklists available from the product vendors and security
organizations such as NIST and NSA.
o Improve the level of control over purchased software by checking for updates and
patches from the vendors.
o Create a policy for applying patches in a timely manner.
o Create guidelines for best practices to be followed based on the recommendations of the pen
test report.
o Audit the organization regularly, as regular auditing reduces exposure to vulnerabilities.
Contribute to the creation and strengthening of security policies:
o Systems Security Policy
o Information Classification Policy
o Password Policy
o Strong Authentication Policy
o Virus Detection and Management Policy
o Encryption Policy
o Security Change Management Policy
o Remote Network Access Policy
o Firewall Security Policy
Conduct training for analysing the security posture of a network: technical security training programs
for people managing information technology, and training for application developers to develop secure
code. Security education and awareness programs need to be implemented, such as:
o General security awareness for new employees in the organisation
o Awareness programs through e-learning
o Training on social engineering for each and every employee

Final report format
The final report will contain:
o The cover letter.
o A title page: this will indicate the report name, the agency or department it is for, and the date
when the report was published.
o A table of contents: seems obvious, but these documents can get lengthy; include this as a
courtesy.
o An executive summary: this will be a high-level summary of the results, what was found
and what the bottom line is. The sections of the executive summary will include:
   - Organization synopsis
   - Purpose for the evaluation
   - System description
   - Summary of evaluation
   - Major findings and recommendations
   - Conclusion
o An introduction: a simple statement of your qualifications, the purpose of the audit and
what was in scope.
o Findings: this section will contain your findings and will list the vulnerabilities or issues that
should be remediated. This listing should be ordered by criticality levels, which are
hopefully defined by internal policies (i.e. if your vulnerability scanner finds a high-criticality
vulnerability, then, based upon how that vulnerability is implemented in your environment, it
may not be a true high-criticality finding, so internal policies should assist in defining the
criticality levels).
o Methodologies: here you will discuss the tools used, how false positives were ruled out and what
processes completed this audit. This is to provide consistency and allow your audits to be
repeatable in the event a finding is disputed or deemed not worth fixing by
management.
o Conclusion: a basic conclusion summarizing the information you have already put together.
o Appendixes: any extra attachments needed for reference.
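As an added example that is not part of the handbook, the following Python applies the point made under Findings (and in the High/Medium/Low categorisation above): a scanner rating is re-rated under a constructed internal policy according to the host's exposure and any compensating control, and the findings are then grouped into the network, client-side and web application sections and ordered by criticality. The policy rules, host names, ports and scanner records are all constructed for illustration.

```python
"""Order penetration-test findings for the report by criticality.

Added example, not part of the handbook: the policy rules, host names and
scanner records below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Criticality levels used in the report, highest first.
LEVELS = ["High", "Medium", "Low"]
SECTIONS = ["Network test", "Client side test", "Web application test"]


@dataclass
class Finding:
    host: str              # domain name or IP address of the host
    port: int              # TCP/UDP port of the tested service (0 if none)
    service: str           # description of the service
    title: str             # what the test found
    scanner_rating: str    # rating as reported by the scanner
    section: str           # one of SECTIONS
    exposure: str = "internal"      # "internet" or "internal", from the asset inventory
    compensating_control: str = ""  # documented control (e.g. "WAF"), empty if none
    report_rating: str = field(default="", init=False)
    rationale: str = field(default="", init=False)


def rate_for_environment(f: Finding) -> Finding:
    """Turn the scanner's rating into the report rating using a constructed
    internal policy: how the vulnerable component is deployed decides whether
    a scanner 'High' is a true High."""
    idx = LEVELS.index(f.scanner_rating)
    reasons = []
    if f.exposure == "internet" and f.scanner_rating == "Medium":
        idx -= 1                      # reachable by anyone: treat as High
        reasons.append("internet-exposed")
    if f.exposure != "internet" and f.scanner_rating == "High":
        idx += 1                      # needs a foothold first: one level down
        reasons.append("not internet-exposed")
    if f.compensating_control:
        idx += 1                      # documented control lowers the exposure
        reasons.append(f"compensating control: {f.compensating_control}")
    idx = max(0, min(idx, len(LEVELS) - 1))   # never beyond the scale
    f.report_rating = LEVELS[idx]
    f.rationale = "; ".join(reasons) or "scanner rating accepted"
    return f


def order_findings(findings):
    """Rate every finding and group it by report section, most critical first."""
    grouped = {s: [] for s in SECTIONS}
    for f in findings:
        grouped.setdefault(f.section, []).append(rate_for_environment(f))
    for items in grouped.values():
        # sort by report rating, then by host and port for a stable listing
        items.sort(key=lambda f: (LEVELS.index(f.report_rating), f.host, f.port))
    return grouped


def render_findings(grouped) -> str:
    """Render the Findings section with the fields the handbook asks for."""
    lines = []
    for section, items in grouped.items():
        if not items:
            continue
        lines.append(f"{section} reports")
        for f in items:
            lines.append(f"  [{f.report_rating}] {f.host}:{f.port} ({f.service}) - {f.title}")
            lines.append(f"      scanner: {f.scanner_rating}; policy: {f.rationale}")
    return "\n".join(lines)


# Constructed scanner output for a fictional engagement.
SAMPLE_FINDINGS = [
    Finding("www.example.test", 443, "HTTPS web server", "SQL injection in login form",
            "High", "Web application test", exposure="internet"),
    Finding("10.0.5.12", 445, "SMB file service", "Unpatched SMB server",
            "High", "Network test", exposure="internal"),
    Finding("10.0.5.20", 1433, "MS SQL database", "Weak SQL server password",
            "High", "Network test", exposure="internal", compensating_control="network ACL"),
    Finding("www.example.test", 443, "HTTPS web server", "Reflected cross site scripting",
            "Medium", "Web application test", exposure="internet", compensating_control="WAF"),
    Finding("mail.example.test", 0, "Staff mailboxes", "Phishing email opened by 3 users",
            "Medium", "Client side test", exposure="internet"),
]

if __name__ == "__main__":
    print(render_findings(order_findings(SAMPLE_FINDINGS)))
```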


The final report should be delivered personally; it should not be sent by email or on CD-ROM.
A printed report is the best format. The pen-test information is very sensitive. One should only store it
for a certain period of time (30-45 days is typical). One should be able to answer questions during this
period. After the 30-45 days, one should destroy the information from the storage. This clause is usually
mentioned in the contract with the customer before the engagement begins. The pen-test report covers
discovered vulnerabilities, available options, recommendations and suggestions. Recommendations
are the most important part of the report for the user to implement to improve network
security. A pen tester should hand over the sensitive information within 45 days or destroy it from
storage. Create a final report documenting the test findings, and deliver the report to the concerned
officer.

Summary
The goal of the auditor's report is to show the organization that the team
honestly wants to improve the company's security posture; this is to be
borne in mind when writing the report.
The document report includes:
o Summary of the test execution
o Scope of the project
o Result analysis
o Recommendations
o Appendixes
The results analysed should include:
o Domain name and IP address of the host
o TCP and UDP ports
o Description of the service
o Details of the test performed
o Vulnerability analysis
Appendices should include:
o Contact information
o Screen shots
o Log output
Divide the reports into sections as follows:
o Network test reports
o Client side test reports
o Web application test reports
Findings are categorized as:
o High
o Medium
o Low
Organizations should develop an action plan as a result of the audit.
The report should help in creating and strengthening information security policies.

Practical Activities:
Activity 1:
Collate various audit report templates and sources which provide guidance on audit
reports. These should be compared and the considerations and requirements for their
preparation should be discussed in class.

Check your understanding:



Q. Complete the following by providing relevant answers and information


High criticality findings are
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
Medium criticality findings are
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
Low criticality findings are
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

Q. List the elements of a test report


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

Q. List the elements of an overall audit report


__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________


UNIT VIII
Audit Support Activities

This Unit covers:


Lesson Plan
7.1. Audit Support Activities


LESSON PLAN

Outcomes
To be competent you must be able to:
PC1. establish the nature and scope of information security audits and your role and
responsibilities within them (0904)
PC3. identify any issues with procedures/guidelines/checklists for carrying out audit tasks and
clarify these with appropriate people (0904)
PC6. refer to appropriate people where audit tasks are beyond your levels of knowledge, skills
and competence (0904)
PC9. comply with your organization's policies, standards, procedures, guidelines and checklists
when contributing to information security audits (0904)
PC3. identify the requirements of information security audits and prepare for audits in advance
(0905)
PC4. liaise with appropriate people to gather data/information required for information security
audits (0905)
PC5. organize data/information required for information security audits using standard templates
and tools (0905)
PC6. provide immediate support to auditors to carry out audit tasks (0905)
PC7. participate in audit reviews, as required (0905)
You must know and understand:
KA1. your organization's policies, standards, procedures, guidelines, systems and checklists for
information security testing and auditing and your role in applying these
KA2. scope of work to be carried out and the importance of keeping within these boundaries
KA3. limits of your knowledge, skills and competence and who to seek guidance from
KA13. methods and techniques used when working with others
KA6. what information is required for information security audits and the importance of
preparing this in advance of the audit
KA7. how to improve the process and outcomes for future audits
KA8. types of support required by teams for information security audits and how to provide this
KA14. the range of data and information required for information security audits and where to
obtain this
KA15. methods and techniques used when working with others
KA17. the importance of providing immediate support to auditors as required

Performance Measures
For the skills outcomes:
1. Research and list down the various aspects of support required by auditors at different
stages of the audit.
2. Discuss with the class the challenges and need for support anticipated in carrying out audit
activities.
3. Discuss the implications of these challenges and the actions taken to address them for the
overall audit.
For the knowledge outcomes:
1. Research and list down the various policies/documents that provide information around the
roles and responsibilities of organizational staff and the support provided to auditors.

Ensuring Work Environment Requirement
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)

Lab
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)


Lesson
Assisting the auditors
Security Analyst: A security analyst may be assigned responsibilities to carry out activities supporting
the audit team or to independently carry out a set of security auditing activities. It is important for the
security analyst to clarify and understand their scope of responsibilities and work within these limits. In
case they are not clear about any aspect of their limits of authority or scope of responsibilities, they
should speak to their supervisor and clarify the same. It always helps to get written clarifications to
eliminate any confusion later on.
Auditors need organizational support, such as having access to certain data or staff. The security
analyst often assists and supports the information security audit. This support often includes actions
such as obtaining access to copies of policies or system configuration data. These expectations should be
clarified or directed by seniors to the security analyst and the auditors. The security analyst should also
get clear information about the units whose systems will be audited. The security analyst would
communicate the same to co-workers and other users in the organization to ensure a least disruptive
and smooth audit. For this purpose, the business and IT unit managers of the audited systems should be
involved early in the process. This will ensure there are no disputes or delays regarding the
auditors' access to areas and information.
The various responsibilities of the Security Analyst in supporting the auditors can include the following:
Assisting with Security Policy
As stated, a security audit is essentially an assessment of how effectively the organization's security
policy is being implemented. Of course, this assumes that the organization has a security policy in place
which, unfortunately, is not always the case. A Security Analyst will support the auditors in getting the
necessary information by getting them access to policies and procedures documents or explaining the
processes where such documents are not available.
Facilitating access
Natural tensions frequently exist between workplace culture and security policy. Even with the best of
intentions, employees often choose convenience over security. Sometimes teams and individuals need
to be spoken to, and auditors need to be helped in gaining access to the facilities required for auditing.
The same applies to securing time with individuals for audit interviews.
Pre-Audit Homework
Before the computer security auditors even begin an organizational audit, there's a fair amount of
homework that should be done. Auditors need to know what they're auditing. In addition to reviewing
the results of any previous audits that may have been conducted, there are several tools they may
use or refer to beforehand. The first is a site survey. This is a technical description of the system's hosts.
It also includes management and user demographics. This information may be out of date, but it can
still provide a general framework. Security questionnaires may be used to follow up the site survey.

These questionnaires are, by nature, subjective measurements, but they are useful because they
provide a framework of agreed-upon security practices. The respondents are usually asked to rate the
controls used to govern access to IT assets. These controls include:
management controls, authentication/access controls, physical security, outsider access to systems,
system administration controls and procedures, connections to external networks, remote access,
incident response, and contingency planning.
A security analyst may be called upon to assist in conducting site surveys and administering security
questionnaires. Follow-up communication may be required to obtain responses to specific
requirements.
Auditors review previous security incidents at the client organization to gain an idea of historical weak
points in the organization's security profile. Organisational staff may need to support auditors in
examining current conditions to ensure that repeat incidents cannot occur. If auditors are asked
to examine a system that allows Internet connections, they may also want to know about IDS/firewall
log trends. Do these logs show any trends in attempts to exploit weaknesses? A security analyst may be
called upon to provide such support to auditors.
The auditors develop an audit plan. This plan will cover how the audit will be executed, with which
personnel, and using what tools. They will then discuss the plan with the requesting agency. Next they
discuss the objective of the audit with site personnel along with some of the logistical details, such as
the time of the audit, which site staff may be involved and how the audit will affect daily operations.
The security analyst may be called upon to coordinate and smooth the audit execution.
At the Audit Site
When the auditors arrive at the site, their aim is not to adversely affect business transactions during
the audit. They should conduct an entry briefing where they again outline the scope of the audit and
what they are going to accomplish. Any questions that site management may have should be addressed
and last minute requests considered within the framework of the original audit proposal. This
communication may be further passed on with the help of the security analyst.
During the audit, they will collect data about the physical security of computer assets and perform
interviews of site staff. They may perform network vulnerability assessments, operating system and
application security assessments, access controls assessment, and other evaluations. Throughout this
process, the auditors should follow their checklists, but also keep eyes open for unexpected problems.
Here they get their noses off the checklist and start to sniff the air. They should look beyond any
preconceived notions or expectations of what they should find and see what is actually there. In this
case the security analyst may be of immense help providing the auditors with background information
and facilitating ad-hoc activities that may not be registered in the original plan.
Conduct Outgoing Briefing
After the audit is complete, the auditors will conduct an outgoing briefing, ensuring that management
is aware of any problems that need immediate correction. Questions from management are answered
in a general manner so as not to create a false impression of the audit's outcome. It should be stressed
that the auditors may not be in a position to provide definitive answers at this point in time. Any final
answers will be provided following the final analysis of the audit results. The security analyst may be
the conduit for channeling the information and supporting interim measures for strengthening security.
Back in the Office
Once back in the home office, the auditors will begin to comb their checklists and analyze data
discovered through vulnerability assessment tools. There should be an initial meeting to help focus the
outcome of the audit results. During this meeting, the auditors can identify problem areas and possible
solutions. They may require some pending information or call for information to fill in some gaps. This
may be provided by the Security Analyst.
Post-recommendation stage
Finally, the audit staff should prepare the report as speedily as accuracy allows so that the site staff can
correct the problems discovered during the audit. Depending on company policy, auditors should be
ready to guide the audited site staff (Security Analysts) in correcting deficiencies and help them
measure the success of these efforts. Management should continually supervise deficiencies that are
turned up by the audit until they are completely corrected.
The Ongoing Audit
It must be kept in mind that as organizations evolve, their security structures will change as well. With
this in mind, the computer security audit is not a one-time task, but a continual effort to improve data
protection.
Security analysts learn with each audit and testing activity and can carry on evaluating the strength
of the organization's security policy and its implementation. The analyst makes ongoing efforts to help
refine the policy and correct deficiencies that are discovered through the audit process. Whereas tools
are an important part of the audit process, the audit is less about the use of the latest and greatest
vulnerability assessment tool, and more about the use of organized, consistent, accurate data
collection and analysis to produce findings that can be measurably corrected. This is where the security
analyst continues to contribute.
Summary
- A security analyst may be assigned responsibilities to carry out activities supporting the audit
  team, or independently carry out a set of security auditing activities.
- It is important for the security analyst to clarify and understand their scope of responsibilities
  and work within these limits.
- In case they are not clear about any aspect of their limits of authority or scope of
  responsibilities, they should speak to their supervisor and clarify the same.
- Auditors need organizational support, such as having access to certain data or staff. The
  security analyst often assists and supports the information audit.
- This support often includes actions such as obtaining access to copies of policies or system
  configuration data. These expectations should be clarified or directed by seniors to the
  security analyst and the auditors.
- The security analyst's support for the auditors can include the following:
  o Getting the auditors access to the policies and procedures they need.
  o Helping the auditors gain access to the facilities required for auditing, and arranging time
    with the individuals they need to see.
  o Assisting in conducting site surveys and administering security questionnaires. Accompanying
    communication may be required to acquire the specific responses to specific requirements.
  o Helping the auditors on site with site management.
  o Providing the auditors with background information and facilitating ad-hoc activities that
    may not be registered in the original plan.
  o Learning with each audit and testing activity, and carrying on evaluation of the strength of
    the organisation's security policy and its implementation. The analyst makes ongoing efforts
    to help refine the policy and correct deficiencies that are discovered through the audit process.
Check your understanding:


Q. List the various kinds of assistance auditors require at the different stages of the audit that the
security analyst may be called upon to provide.
Pre-audit stage
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
On-site
_______________________________________________________________________
________________________________________________________________________
Post audit
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________