InfoSec Lect12 - Audit

The document outlines a detailed course on Information Security, focusing on auditing, monitoring, and penetration testing techniques. It defines audit processes, planning, risk assessment, and various testing methodologies, including compliance and substantive testing. Additionally, it emphasizes the importance of proper documentation, communication of results, and emerging audit techniques to ensure effective information security management.

Uploaded by

9811765048yadav

Information Security

Detail Course Outline-3

Unit 6
■ Auditing
■ Monitoring
■ Penetration-testing techniques
■ Inappropriate activities
■ Indistinct threats and countermeasures
CISA Definition for Audit
“Systematic process by which a
qualified, competent, independent team
or person objectively obtains and
evaluates evidence regarding assertions
about a process for the purpose of
forming an opinion about and reporting
on the degree to which the assertion is
implemented.”
Audit Planning
Short-Term: What do we need to audit this
year?
Long-Term: What should we plan to audit in
the future?
What should we test first? Consider…
■ What parts of our business are the most
susceptible to risk?
■ What business/IS systems are changing?
■ Are new evaluation tools available?
■ What regulations must we test for?
■ Are there new regulations to test for?
IS Audit Definition
IS Audit: Any audit that wholly or partially evaluates automated information processing systems, related non-automated processes, and their interfaces.

Simplified Audit Process
1. Plan audit & gather info.
2. Review internal control
3. Perform compliance & substantive tests
4. Prepare & present report
Audit Engagement Procedure
Obtain understanding of audit subject area
Perform risk assessment
Prepare audit engagement plan
Review plan with auditee
Evaluate whether control design is effective
Techniques of evaluation (some may be optional):
■ Use general audit s/w
■ Flowchart automated applications
■ Examine audit logs & reports
■ Review documentation
■ Interview & observe
Run tests
■ Evaluate compliance test results
■ Evaluate substantive test results
Write audit report & present [external audit]
Perform follow-up [internal audit]
Step 1A: Obtain Understanding
of Audit Subject Area
May include:
Tour facilities related to audit
Read background material
Review business and IT strategic
plans
Interview key managers to
understand business
Review prior audit reports
Identify applicable regulations
Identify areas that have been
outsourced
Audit Engagement Plan
Vocabulary
Audit Subject: The area to be audited
E.g., Information Systems related to Sales
Audit Objective: The purpose of the audit
E.g., Determine whether Sales database is safe
against data breaches, due to inappropriate
authentication, access control, or hacking
Audit Scope: Constrains the audit to a specific
system, function, or unit, or period of time
E.g., Scope is constrained to Headquarters for the last
year.
Step 1B: Perform Risk
Assessment
Risk-Based Auditing
Inherent Risk: Susceptibility to a problem
■ E.g., a bank’s inherent risk is a robber
Control Risk: A problem exists that will not be detected
by an internal control system
■ For bank: A thief accesses another’s account at
Money Machine but is not detected
Detection Risk: An auditor does not detect a problem
that does exist
■ For bank: Fraud occurs but is not detected
Overall Audit Risk: Combination of audit risks
Audit Engagement Risk Analysis
Inherent Risks: (Risks organization is predisposed to)
Data Breach: Student grades, disabilities (FERPA), student health (HIPAA),
student/employee financial acct, payment card info. (PCI DSS), SSN and
passport numbers (State Breach). Students agree to publish contact info.
annually (FERPA).
Hacking: University is an open system, with no limitations on installed software
Control Risks: (Risk that a control has vulnerabilities)
Insufficient Firewall/IPS Restrictions: While much of the university network is
open, critical databases must be in a secure zone with a high level of
Detection Risk: (Risks of auditor not detecting a problem)
Hacker within Confidential Zone: This audit may not detect an infiltrated
Confidential Zone or critical vulnerability.
Step 1C: Prepare Audit
Engagement Plan
Develop risk-based
approach
Include audit objectives,
scope, timing, required
resources
Comply with applicable
law
Develop audit program
and procedures
Step 1C: Add Detail to Plan
Tools for the Auditor
ISACA has Standards and Guidelines related to Audit
Section 2200 General Standards
Section 2400 Performance Standards
Section 2600 Reporting Standards
Section 3000 IT Assurance Guidelines
Section 3200 Enterprise Topics
Section 3400 IT Mgmt Processes
Section 3600 IT Audit and Assurance Processes
Section 3800 IT Audit and Assurance Mgmt
Step 1C: Add Detail to Plan
Translate basic audit objective into specific IS
audit objectives
Identify and select the audit approach to verify
and test controls
Identify individuals to interview
Obtain departmental policies, standards,
procedures, guidelines to review
Develop audit tools and methodology
Step 2: Evaluate Controls:
IT Control Classifications
Corrective Controls (after event): Fix problems and prevent future problems
Includes: Contingency planning, Backup procedures, Reruns
Detective Controls (time of event): Finding fraud when it occurs
Includes: Hash totals, Check points, Duplicate checking, Error messages, Past-due account reports, Review of activity logs
Preventive Controls* (before problematic event): Preventing fraud
Includes: Programmed edit checks, Encryption software, Access control S/W, Well-designed procedures, Physical controls, Employ only qualified personnel
Step 2: Evaluate Controls:
Simple Control Matrix
Problems (columns): Disk Failure, Power Failure, Data Breach, Fraud, Hack, Malware, Social Engineer, Missing Equip.
Controls (rows): Access Control, Authentication, Antivirus, Firewall, Logs/Alarms, Physical Security, Strong policies, Security Training, Vuln Test
Step 3: Perform Tests
Review IS Organization: Separation of duties
Review IS Policies, Standards, Procedures: Defined,
periodically updated
Review IS Documentation: Policy, Procedures, Design,
Test, Operations, Contract/SLAs, Security
Interview personnel: Segregation of duties, security
awareness, competency
Observe personnel: Document everything in sufficient
detail
Step 3: Perform Tests
Evidence: Audit findings must be based on sufficient and
reliable evidence and appropriate interpretation of the
evidence
Documentation: The audit work and audit evidence to
support conclusions must be fully documented
Supervision: Audit staff is supervised to ensure that audit
is professionally completed
Professional Skepticism: The auditor must keep an eye
open for irregularities and/or illegal acts, unusual
relationships, material misstatements
■ when irregularities are encountered, the auditor should:
• Investigate fully
• document all communications, tests, evidence, findings
• report the irregularity to governance body in a timely manner
Substantive vs. Compliance Testing
Substantive Testing: Does the Sales Application work?
Compliance Testing: Does access control limit access?
Compliance Testing: Does Authentication require complex passwords?
Step 3: Test Vocabulary
Compliance Testing: Are controls in place and consistently applied?
■ Access control
■ Program change control
■ Procedure documentation
■ Program documentation
■ Software license audits
■ System log reviews
■ Exception follow-ups
Substantive Testing: Are transactions processed accurately? Are data correct and accurate? Double check processing
■ Calculation validation
■ Error checking
■ Operational documentation
If Compliance results are poor, Substantive testing should increase in type and sample number
Step 3A: Compliance Testing
Control: Is production software controlled?
■ Test: Are production executable files built from
production source files?
■ Test: Were proper procedures followed in their
release?
Control: Is Sales DB access constrained to
Least Privilege?
■ Test: Are permissions allocated according to
documentation?
■ Test: When sample persons access DB, can they
access only what is allowed?
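The least-privilege compliance test above ("Are permissions allocated according to documentation?") can be automated by comparing the documented permission matrix with the grants actually present on the database. The following is an added example, not code from the lecture; the role names, tables and grants are constructed sample data, and a real audit would load the observed grants read-only from the DBMS catalog.

```python
"""Compliance test: are Sales DB permissions allocated according to documentation?

Added example, not part of the lecture. Compares the permissions the
access-control documentation says each role should hold against the grants
observed on the database and reports every deviation. Sample data is
constructed; a real audit would read the observed grants from the DBMS
catalog in read-only mode as evidence.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "role table privilege kind")

# Documented permission matrix (constructed): role -> table -> privileges
DOCUMENTED = {
    "sales_rep":     {"orders": {"SELECT", "INSERT"}, "customers": {"SELECT"}},
    "sales_manager": {"orders": {"SELECT", "INSERT", "UPDATE"}, "customers": {"SELECT", "UPDATE"}},
    "report_reader": {"orders": {"SELECT"}},
}

# Grants observed on the DB (constructed), as (role, table, privilege) tuples
ACTUAL_GRANTS = {
    ("sales_rep", "orders", "SELECT"),
    ("sales_rep", "orders", "INSERT"),
    ("sales_rep", "orders", "DELETE"),          # excess: not in documentation
    ("sales_rep", "customers", "SELECT"),
    ("sales_manager", "orders", "SELECT"),
    ("sales_manager", "orders", "INSERT"),
    ("sales_manager", "orders", "UPDATE"),
    ("sales_manager", "customers", "SELECT"),   # documented UPDATE on customers is absent
    ("report_reader", "orders", "SELECT"),
    ("report_reader", "customers", "SELECT"),   # excess
    ("intern_temp", "orders", "SELECT"),        # undocumented role
}


def documented_grants(doc):
    """Flatten the documentation matrix into the same tuple form as the observed grants."""
    return {(role, table, priv) for role, tables in doc.items()
            for table, privs in tables.items() for priv in privs}


def compliance_test(doc, actual):
    """Return findings. EXCESS = granted but not documented (least-privilege violation);
    MISSING = documented but not granted (documentation or provisioning defect)."""
    expected = documented_grants(doc)
    findings = [Finding(r, t, p, "EXCESS") for (r, t, p) in sorted(actual - expected)]
    findings += [Finding(r, t, p, "MISSING") for (r, t, p) in sorted(expected - actual)]
    return findings


def control_passes(findings):
    """The least-privilege control is effective only when no excess grant exists."""
    return not any(f.kind == "EXCESS" for f in findings)


if __name__ == "__main__":
    results = compliance_test(DOCUMENTED, ACTUAL_GRANTS)
    for f in results:
        print(f"{f.kind:7} {f.role:14} {f.table:10} {f.privilege}")
    print("Control effective:", control_passes(results))
```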
Step 3B: Substantive Testing
Audit: Is financial statement section related to
sales accurate?
■ Test: Track processing of sample transactions
through the system, performing calculations
manually
■ Test: Test error conditions
Audit: Is tape inventory correct?
■ Test: Search for sample days and verify complete
documentation and tape completeness
Sampling
Statistical Sampling:
■ N% of all items randomly tested
■ Should represent population distribution
■ Variable Sampling: How accurate is the sample
population in matching the full population?
Nonstatistical (or Judgment) Sampling:
■ Auditor justifies another distribution for sample
selection
■ Which items are most risky?
Difference Estimation Sampling
Sample: Sample Mean, Sample Std. Dev
Population: Population Mean (Average), Population Standard Deviation
Precision: Acceptable range between Sample and Population
Confidence Coefficient or Level: The probability that the sample represents the actual population
Level of Risk = 1 – Confidence Level
Variable Sampling
Samples selected from groups?
■ No: Unstratified Mean per Unit
■ Yes: Group statistical distribution is known?
• Yes: Stratified Mean per Unit
• No: Difference Estimation. Difference between audited values and real population is noted; group distribution is estimated from sample testing
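The Difference Estimation Sampling and Variable Sampling slides above can be worked through numerically. The following is an added example, not code from the lecture: an auditor re-audits a random sample of invoices, notes the difference between audited and recorded values, projects the mean difference onto the population, and states the precision at a chosen confidence level, with Level of Risk = 1 – Confidence Level. The invoice values, population size and tolerable error are constructed assumptions.

```python
"""Difference estimation sampling for a substantive test.

Added example, not from the lecture. The auditor re-audits a random sample of
invoices, notes the difference between the audited value and the recorded
(book) value, projects the mean difference onto the whole population, and
states the precision of that projection at a chosen confidence level.
Level of Risk = 1 - Confidence Level, as on the slide. All values are
constructed sample data.
"""
import math
from dataclasses import dataclass

# Two-sided normal critical values for confidence levels commonly used in audit sampling.
Z_VALUES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}

# Constructed sample of 10 invoices drawn from a population of 1000.
POPULATION_SIZE = 1000
SAMPLE_BOOK = [100, 250, 80, 120, 60, 300, 45, 500, 210, 90]      # recorded values
SAMPLE_AUDITED = [100, 250, 85, 120, 57, 300, 45, 512, 210, 90]   # values verified by the auditor


@dataclass
class DifferenceEstimate:
    sample_size: int
    mean_difference: float         # average (audited - book) per sampled item
    std_dev_difference: float      # sample standard deviation of the differences
    projected_misstatement: float  # mean difference scaled to the population
    precision: float               # +/- half-width of the interval at the confidence level
    level_of_risk: float           # 1 - confidence level
    within_tolerable_error: bool   # |projection| + precision <= tolerable error?


def difference_estimate(book, audited, population_size, confidence=0.95, tolerable_error=0.0):
    """Project the sample differences to the population and compare with tolerable error."""
    if len(book) != len(audited) or len(book) < 2:
        raise ValueError("need at least two paired book/audited values")
    n = len(book)
    diffs = [a - b for a, b in zip(audited, book)]
    mean_d = sum(diffs) / n
    var_d = sum((d - mean_d) ** 2 for d in diffs) / (n - 1)   # unbiased sample variance
    std_d = math.sqrt(var_d)
    projected = population_size * mean_d
    # Precision widens with variability and population size, narrows with sample size.
    precision = Z_VALUES[confidence] * population_size * std_d / math.sqrt(n)
    worst_case = abs(projected) + precision
    return DifferenceEstimate(n, mean_d, std_d, projected, precision,
                              1 - confidence, worst_case <= tolerable_error)


if __name__ == "__main__":
    est = difference_estimate(SAMPLE_BOOK, SAMPLE_AUDITED, POPULATION_SIZE, 0.95, 5000)
    print(f"Projected misstatement: {est.projected_misstatement:.2f} +/- {est.precision:.2f}")
    print(f"Level of risk: {est.level_of_risk:.2f}; within tolerable error: {est.within_tolerable_error}")
```

If the projected misstatement plus its precision exceeds the tolerable error, the sample does not support the balance and, as the Test Vocabulary slide says, substantive testing should increase in type and sample number.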
Sampling
Tolerable Error Rate: The maximum allowable error rate (e.g.,
inappropriately documented changes)
Nonstatistical Sampling includes:
Discovery Sampling: A minimal testing model used when the
expected occurrence rate is extremely low (e.g., find fraud,
break laws)
Stop-or-Go Sampling: If the first 20 have zero errors, then
stop. Else if the first 100 have < 10 errors, stop. Else…
Attribute Sampling: How many of X have Y attribute?
E.g. How many changes are appropriately documented?
Generalized Audit Software
(GAS)
File Access: Read records & file structures
File reorganization: Allow sorting, indexing,
merging/linking with other files
Data Selection: Select a set of records
Statistical functions: Perform sampling,
stratification, frequency analysis
Arithmetic Functions: Perform arithmetic
operations on data sets
Step 4: Prepare Audit Report
Identify:
■ Organization, recipients, restriction on
circulation
■ Scope, objectives, period of coverage,
nature, timing and extent
■ Findings, conclusions,
recommendations/follow up, and
reservations or qualifications
• Grouped by materiality or intended recipient
• Mention faults and constructive corrections
■ Evidence to support results (may be
separate)
■ Overall findings, conclusion, & opinion
■ Signed & dated
Evidence
Forms of Evidence
Notes from Interviews
Test Results
Email or mail correspondence
Documentation
Observations
Best Sources
External: Sources from outside organization
Qualified: Most knowledgeable
Objective: Evidence not prone to judgment
Timing: Should match period under review
Communicating Results
Auditor to Lower Management:
1. Report findings material to their areas; obtain agreement and document agreements and course of correction; document problems and implications where disagreement occurs.
Auditor to Upper Management/Board:
2. Report findings material to their interests.
Step 4B: Follow-up
Has management taken appropriate action to
fix problems in a timely manner?
Request and evaluate information on
follow-up
■ Management should schedule implementation of
correction
■ May be scheduled for convenient time
■ Next audit these follow-ups should be checked
Final IMPORTANT
Recommendation
IS Audits can result in system failures, problems, etc.
Protect Yourself:
Get an approval signature for your audit plan before
you begin
If you will be impacting the system at all, send an email
to all affected and talk to the administrators before
starting any tests
When working with data or devices, be careful not to
be the CAUSE of any problems; be careful not to
change live data or configurations for test purposes:
Work on a copy!
Preferably have an escort for all that you do
There is one difference between a hacker and auditor:
Permission!!!
Classifications of Audit
Financial Audit: Assure integrity of financial
statements
Operational Audit: Evaluate internal controls for
a given process or area
Integrated Audit: Includes both Financial and
Operational aspects
Forensic Audit: Follows up on fraud/crime
IS Audit: Evaluates IS safeguards for data in
providing CIA efficiently
Administrative Audit: Assess efficiency of a
process or organization
Computer-Assisted Audit
Techniques (CAAT)
Software tools enable auditor to
■ Access and analyze data in database
■ Perform compliance tests
■ Perform penetration and vulnerability tests
■ Test Application
May include utility software, debug or
scanning software, test data, application trace,
expert systems, generalized audit software
Special use:
■ Referenced in audit plan & report
■ Download sample data and use in read-only mode
Control Self-Assessment
Internal audit system that enhances external
audit
Control monitoring occurs in functional areas
Includes designing and assessing controls
locally, often in workshops
Benefit: Involves and trains employees, often
reducing risk quicker
Emerging Audit Techniques
Automated Work Papers: Automated tools for
risk & audit reporting
Integrated Audit: Combines financial,
operational, and/or IS audit via team effort
Continuous Audit: Provides audit reports on
continuous basis (weekly, daily, hourly)
Service Learning Component:
Non-Disclosure Agreement
Wrong Way:
You: I developed an audit plan for Help-The-Community
Interviewer: What specifically did you do?
You: We tried to break into their wireless network.
Interviewer: What did you find?
You: They had no security. They were hopelessly
non-technical. Their password was ‘
HelpTheCommunity’, and transmissions were
unencrypted. I could read everything…
What is wrong with this dialogue?
Service Learning Component:
Non-Disclosure Agreement
Right Way:
You: I developed an audit plan for Help-The-Community
Interviewer: What specifically did you do?
You: We did a penetration test. However, I signed a non-
disclosure agreement, so I am not at liberty to say
specifically what we did or found.
Interviewer: Were you successful in breaking in?
You: I can’t say. However, if you would like to contact
my community partner as a reference, here is her
contact information…
Penetration
Testing
Background
What is Penetration Testing
■ A form of stress testing, which exposes
weaknesses or flaws in a computer system.
■ Art of finding an open door.
■ A valued assurance assessment tool.
■ PT can be used to find Flaws in
• Policies
• Specifications
• Architecture,
• Implementation,
• Software,
• Hardware,
• And many more………………
Background
Need for Penetration Testing
• To find poorly configured machines.
• Verify that security mechanisms are working.
• Help organizations to tighten the security
system.
FACT!!!!
99.9% secure = 100% vulnerable!
Methods and Techniques of PT
Black Box
• zero-knowledge testing
• Tester needs to acquire the knowledge and
penetrate.
–Acquire knowledge using tools or social engineering
techniques
–Publicly available information may be given to the
penetration tester
■ Benefits:
Black box testing is intended to closely replicate
an attack made by an outsider with no
information about the system. This kind of testing
gives insight into the robustness of the security
when under attack
Methods and Techniques of PT
White Box
■ complete-knowledge testing
■ Testers are given full information about the target
system they are supposed to attack.
• Information includes:
–Technology overviews
–Data flow diagrams
–Code snippets
–More…
■ Benefits:
• reveals more vulnerabilities and may be faster.
• comparable to replicating an attack from a criminal hacker
who knows the company infrastructure very well. This
hacker may be an employee of the company itself, doing
an internal attack
Methods and Techniques of PT
Gray-box or crystal-box test
The tester simulates an inside employee. The tester is
given an account on the internal network and standard
access to the network. This test assesses internal
threats from employees within the company.
Methodology of PT
There are NO formal methods of Penetration
testing!!!!!!!!
Typically has Seven Stages
• Scope/Goal Definition
• Information Gathering
• Vulnerability Detection
• Information Analysis and Planning.
• Attack & Penetration/Privilege Escalation.
• Result Analysis & Reporting.
• Cleanup.
Methodology of PT
STAGE 1: Scope/Goal Definition
■ Which attacker profile the tester will use
–Hacker with no knowledge about the target.
–Hacker with knowledge about the target.
–Internal user with access.
■ On which systems or networks the test will be
conducted.
■ How long the test will last.
Methodology of PT
STAGE 2: Information Gathering.
■ Information about the Targets.
» Publicly available information (WWW.Arin.net,
www.apnic.net, nslookup)
» Technical Information provided by organisation.
Methodology of PT
STAGE 3: Vulnerability Detection.
■ Manual Detection
• manually probe the target host for common
misconfigurations or flaws, because a
vulnerability scanner can fail to identify certain
vulnerabilities.
» Ex: database configurations etc.
• Using Software.
–Use of commercial or freeware scanners to
enumerate known flaws or vulnerabilities, Ex: Retina,
HFNetChk, GFI LANguard, Nikto, nmap and so on.
PLENTY of TOOLS available in Market/Internet.
Methodology of PT
STAGE 4: Information Analysis and Planning.
■ Collating the information gathered in previous
stages.
■ Preparation of high level attack planning
–Overall Approach
–Target identification.
Methodology of PT
STAGE 5: Attack & Penetration/Privilege Escalation.
Has Two Sub Stages
1. Attack & Penetration
• Known/available exploit selection
» Tester acquires publicly available s/w for exploiting.
• Exploit customization
» Customize exploit s/w program to work as desired.
• Exploit development
» Develop own exploit if no exploit program is available.
• Exploit testing
» Exploit must be tested before the formal test to avoid
damage.
• Attack.
» Use of exploit to gain unauthorized access to target
Methodology of PT
II. Privilege Escalation
■ What can be done with acquired access/privileges.
–Alter.
–Damage.
–What not…
Repeat the Stages (2 to 5)
Methodology of PT
STAGE 6: Result Analysis & Reporting
Organize Data/related results for Management Reporting.
■ Consolidation of Information gathered.
■ Analysis and Extraction of General conclusions.
■ Recommendations.
STAGE 7: Cleanup
Cleaning of all that has been done during the testing
• Any System alterations
• Exploits
Resources.
Guidelines
■ OSSTMM: The Open Source Security Testing Methodology Manual.
■ OWASP: Open Web Application Security Project.
Tools
■ NMAP, Nikto, John, Cain & Abel and many
more…
■ Whopix
■ Tigertools (Commercial Tool)
■ Metasploit.
■ ExploitTree.
■ Core Impact (Commercial Tool)
Tools
DCOM vulnerability using ExploitTree.
Password Cracker – Tiger Tools.
WHOPIX.
Security Auditor.
Password Cracking (Raptor
Chown-Recorded Demo).
ExploitTree.
MetaSploit.