ISACA CISA Topic: Lesson 5 Part 1
December 16, 2022

6. Monitoring Performance

Let us now discuss monitoring performance because we need the equipment to be running optimally at all times, and the IS auditor wants to ensure that the equipment, services, and processes are being monitored. There needs to be a performance monitoring plan, not just for hardware but also for software. In the case of hardware, software, or processes, we can look at historical data, event logs, and reports. We just need to know that there is a plan to keep an eye on it. Now, in larger environments, people will probably have live monitoring consoles. They’ll use things like System Center or some other product to monitor service, server, or application performance. And there will be dashboards right there showing if something’s running well or not. And you’ll usually be able to tell just by looking.

And if there is an issue that you can see at a glance, you click on it and drill down to the actual problem. As auditors, we want to know that people are keeping an eye on the systems and keeping them running properly. We monitor hardware and software, as well as applications and the network. As an example, if we take a quick look at Windows itself, all Windows operating systems have a performance monitor, and the servers have their own performance monitor. If we open the performance monitor, we can add certain counters. So we can add a processor counter, and we can look at not just the processor but all CPUs or all cores on the processor, or we can add specific cores.

Usually, if you don’t know what you’re monitoring, monitor more broadly and then narrow it down. So we’ve added all instances of the processor, and then maybe we go to memory and take a look at memory. Usually, when you are just doing general monitoring, you’re monitoring the processor, memory, disk, and network, and then from there you’re drilling down to applications and specific functions of an application, like maybe a DHCP server, where you’re monitoring the number of lease requests and leases granted. Or maybe, for a SQL Server, you’re monitoring the number of procedures and triggers, and the number of queries and deadlocks.

Anyway, we will add just a couple of these, and then we’ll watch in real time. Obviously, you only watch in real time when you’re trying to actually watch something happen. Instead of keeping your eye glued to this all the time, you’ll probably want to set up a log and have it collect in the background, which we can take a look at. So we could create a data collector set: right-click, create a new data collector set, call it whatever we want, and create it manually. Or there are some existing templates: I want performance counter information, or give me an alert when something happens, and I can add a couple of counters, like maybe processor, and click OK, and then I can see that. How often will it sample? Now I have to warn you: when you are collecting this sort of stuff automatically, you have to realise that, wherever this log is going to be, it’s going to grow very quickly.

And so now you’ve got to manage the performance of the performance monitoring tool itself, and it will have its own databases or logs that you have to manage. So we’ll leave the sample interval at the default and leave it in the location that’s the default. And we can start this right now, let it run for a while, then come back a little later and check it. Workload throughput performance failures will be monitored by all system administrators and network administrators. You’re going to monitor all this, and the IS auditor wants to know that you are monitoring these things. And what usually happens is that there will be signs—something is going on—something has happened. Now the auditor wants to see, “Can I see the logs? Can I trace exactly where this failure occurred?” Can I go back in time and look at the failure? Because it is frequently a domino effect. First one thing goes, then another thing, and a whole bunch of other things go. And so you trace back to find the original thing. And when we’re finally done, after it’s collected some data, at some point we’ll just run some kind of report here. And a nice thing about Windows these days is that you can automatically have reports made. This is just one example. In a larger organization, you’re going to have far more sophisticated monitoring systems where you’ll have a central console polling different servers and devices for their throughput, their CPU temperature, their workload, the number of users connected, how many security incidents they’ve had, how many leases were given out from a server, how many queries, whatever. And then you can, like I said, tell at a glance.

And so we can see right now that this guy is collecting data for his report. So these are all things that the IS auditor wants to know that the operations team is doing regularly. And in case there’s an incident, we need to be able to go back and look at all of the data and have the data sifted through to find exactly what it is that we need. One of the reasons we monitor performance at all is for capacity planning. We’re all aware that we’ll need to add more disc space or purchase a newer, larger server at some point. We need to add more switch ports. We simply need to allow our capacity to expand. Management doesn’t take kindly to you suddenly saying, “Oh, we just ran out of disc space,” and surprising them with it. They want to know well in advance to plan for the budget. So when we capacity monitor, we first set a baseline. Okay, let’s find out right now what the current workload of this system is.

And let’s look for any bottlenecks. A bottleneck is basically one area that holds up all the other areas. So maybe the switch is too slow, or it doesn’t have enough ports. Maybe the CPU needs more cores, or there’s not enough RAM. So we’ll do some performance monitoring to see if different counters are within acceptable levels, and it really depends on the system. But there are some very common things. Like a lot of folks, I figure if a CPU is more than 75% busy all the time, it’s time to upgrade the CPU or do less work. If the amount of available physical memory falls below a certain percentage, I don’t know, maybe 15%, or the number of pages per second gets too high, then we don’t have enough physical RAM and we’re paging out to disc; say, if that’s more than 300 pages per second. Or if the disc is more than 50% full, if the network is more than 60% utilized, or whatever works for you.

And all the vendors have different recommendations for their products. Once we clear out any of these bottlenecks, we capture a baseline of expected server performance, network traffic, or something like this. Once we have that baseline, we can track the trends over time and recapture them, and then we can go to management and say that if we keep adding users or doing more jobs at this rate, we’ll need to buy this, upgrade it, expand it, or do something else in six months. Management appreciates this kind of advance notice so that they can plan it into their purchasing and budgeting. And the IS auditor needs to know that the operations team is monitoring, tracking trends, and using performance monitoring not only to make sure the system is working well but also to track trends. When you look at performance, you might think, “Oh, this thing is performing so poorly.” And then there will be arguments about what the root cause of this is.
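The baseline-and-trend idea above, as an added example in Python (not code from the lesson or any monitoring product): the thresholds are the rules of thumb quoted here, the monthly samples are constructed stand-ins for data-collector-set output, and a least-squares trend projects how soon each counter crosses its threshold, so the six-month warning to management can be computed rather than guessed.

```python
"""Capacity baseline and trend projection.

Added example, not from the lesson or any product. The thresholds are the
rules of thumb quoted in the lesson; the monthly samples are constructed
values standing in for data-collector-set output.
"""
from typing import Dict, List, Optional, Tuple

# counter -> (threshold, True if going ABOVE it is the problem,
#             False if falling BELOW it is the problem)
THRESHOLDS: Dict[str, Tuple[float, bool]] = {
    "cpu_busy_pct": (75.0, True),           # CPU more than 75% busy
    "available_memory_pct": (15.0, False),  # available RAM below 15%
    "pages_per_sec": (300.0, True),         # paging to disc above 300/s
    "disk_full_pct": (50.0, True),          # disc more than 50% full
    "network_util_pct": (60.0, True),       # network more than 60% utilised
}

# Constructed monthly baseline captures; index 0 is the first capture.
SAMPLES: List[Dict[str, float]] = [
    {"cpu_busy_pct": 40, "available_memory_pct": 40, "pages_per_sec": 80,
     "disk_full_pct": 30, "network_util_pct": 20},
    {"cpu_busy_pct": 44, "available_memory_pct": 37, "pages_per_sec": 95,
     "disk_full_pct": 33, "network_util_pct": 21},
    {"cpu_busy_pct": 49, "available_memory_pct": 33, "pages_per_sec": 120,
     "disk_full_pct": 37, "network_util_pct": 22},
    {"cpu_busy_pct": 53, "available_memory_pct": 30, "pages_per_sec": 140,
     "disk_full_pct": 40, "network_util_pct": 23},
]


def bottlenecks(sample: Dict[str, float]) -> List[str]:
    """Counters in one capture that are already outside acceptable levels."""
    out = []
    for name, (limit, high_is_bad) in THRESHOLDS.items():
        value = sample[name]
        if (high_is_bad and value > limit) or (not high_is_bad and value < limit):
            out.append(name)
    return out


def _fit_line(ys: List[float]) -> Tuple[float, float]:
    """Least-squares slope and intercept of ys against months 0, 1, 2, ..."""
    n = len(ys)
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        return 0.0, mean_y
    slope = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx
    return slope, mean_y - slope * mean_x


def months_to_threshold(samples: List[Dict[str, float]], counter: str) -> Optional[float]:
    """Months after the last capture until the trend crosses the threshold.

    0 if the latest capture is already past it; None if the trend is flat or
    moving away from the threshold.
    """
    if counter in bottlenecks(samples[-1]):
        return 0.0
    limit, high_is_bad = THRESHOLDS[counter]
    slope, intercept = _fit_line([s[counter] for s in samples])
    if slope == 0 or (slope > 0) != high_is_bad:
        return None
    crossing = (limit - intercept) / slope  # month index where the line meets the limit
    return max(0.0, crossing - (len(samples) - 1))


def capacity_report(samples: List[Dict[str, float]], horizon_months: float = 6) -> Dict[str, float]:
    """Counters expected to hit their threshold within the horizon, soonest first."""
    due = {}
    for counter in THRESHOLDS:
        months = months_to_threshold(samples, counter)
        if months is not None and months <= horizon_months:
            due[counter] = round(months, 1)
    return dict(sorted(due.items(), key=lambda item: item[1]))


if __name__ == "__main__":
    print("current bottlenecks:", bottlenecks(SAMPLES[-1]))
    for counter, months in capacity_report(SAMPLES).items():
        print(f"{counter}: threshold reached in about {months} months")
```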

I remember getting into a whole argument one time over these reports that were running very poorly. It would take two weeks to run a report that should have taken half an hour. And the arguments—there were arguments all over. Some people were saying it’s got to be the hardware; we need more hardware. And I wasn’t persuaded at all. So we went and did some performance monitoring and captured some information. It wasn’t the hardware at all. The CPU was only about 7% utilized, there was little network traffic because it was an internal report, and there was little memory utilization. And we’re saying it’s not the hardware. Well, it turned out as we went farther and farther, so we went and said, “Okay, how’s the application running?” And we discovered that we use some automated tools to test the application’s performance. We could see that just by running one thing.

The code was written so badly that instead of doing a procedure once, it was doing it like 100,000 times because of the way it was written and the way it was accessing data. So you need to be able to produce these things so you can hunt down what’s the deal—why is the performance so bad? The IS auditor is interested in knowing that this is being tracked and captured so we can look at it later on. So when we are talking about capacity management, we’re looking at the utilisation, past, present, and projected future, of the CPU, RAM, communications, and network. How many new users and tasks are we adding? Are we adopting new technologies? And also, if we’re outsourcing any of this, is this covered by our service level agreement? Or if we’re the outsourcer, even within our own company, like we’re supplying a service to another business unit, what is our expected service level? What do they expect of us? There are some techniques for capacity planning.

In a lead strategy, you ramp up way ahead of time in anticipation of expanding your market share. Maybe you’ll buy more inventory, or you’ll ramp up by hiring a whole bunch of servers, or you’ll ramp up your capacity, your inventory, or whatever it is that you have so that you can get customers. The risk, of course, is that you end up not using it. In a lag strategy, we don’t increase until we’re at full capacity, which is much more conservative, but it means we can’t seize opportunities as quickly. In a match strategy, we’re trying to stick with a trend, basically tracking it and trying to stay with it. That’s a compromise. Software inventory also has some good practices.

First of all, you do need to inventory the software you have, and there are plenty of tools that will go out and inventory it for you. You also need to inventory the usage of the software so that you’re in compliance with licensing. Or, hey, nobody’s using this thing that we bought, so why are we still paying for it? Or we’re going to need a whole lot more licenses, or a whole lot more copies, or whatever, because we’re hiring 50 more people. So we need to be able to have a software inventory, but it depends on the organisation as to the level or depth. Just please make sure that you keep track of the actual licences and don’t inadvertently throw them out. A programme library is basically a repository to save clean source copies of your software. It could be application source code; it could also be job control statements; it could be processes that you’re doing; it could be specific configuration parameters. But you want a clean, authoritative environment that is overseen by someone other than the IT people.

So you’ll have somebody who’s like the custodian of all of this; it’s controlled by one person rather than left open, so that people can’t just run in and grab software and inadvertently mix up copies or accidentally introduce a bad version. So the library control software functions would be that we don’t want programmers modifying good, clean source code or changing objects in the software. We want programmers to submit a source code change to a specific control group. We want to make sure that the library is updated and that programmers have read-only access to that source code anyway. And we have specific naming conventions, so we always know what we’re looking for, we don’t accidentally bring something into a production environment, and we’re always enforcing certain programming standards. The next thing we’re going to talk about is execution and source code integrity.

7. Source Code And Performance Monitoring

We were talking about the source library, and we want to have good, clean, well-maintained, read-only copies of source code, applications, or original install disks, whatever they are. Applications you develop, applications you’ve bought, operating system copies—whatever they are, we want to have them in a controlled environment where people aren’t just grabbing them. People can’t inadvertently update the wrong thing because it’s very controlled and very clean. They don’t introduce any viruses or inadvertently use up licenses that they shouldn’t be.

So the whole purpose of the source code library is so that we can maintain and enforce the integrity of our code and executables. So we can see here that we have a source library that’s always clean, always read-only, and always reliable, and then anything that goes into production, we know that it’s the same as what we got out of the library. Even in a smaller environment, you need to have some control over what finally gets checked in by the developers. You don’t want them checking in something on top of what has finally been approved. You want to be able to lock it and say, “Okay, no more changes to this.” And you want to have control over all of the things that you buy, like copies of Windows, copies of Office, copies of Visio, and copies of other applications. You want to make sure that those are strictly controlled as well. People aren’t just running in and grabbing them.

So with this control copy, make sure that there is always a master copy that is read-only, so that when we have new copies and we put them into production, we know that they’re the same and there’s no difference there. But if there is something new, then we can always compare. We’ve got the original source, and we’ve got something slightly modified. We know what the delta, or difference between the two, is, and we can compare the two. For software licensing, some best practices here: we need to be able to identify software licencing violations. Now, the different vendors, especially Microsoft and Adobe, have really done their best to crack down on software licencing violations because it’s astounding how many countries I’ve been in where you’d swear there was one original copy of Windows and that the whole rest of the country for that particular industry has a pirated copy.
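The master-copy and delta comparison described above, as an added example (not code from the lesson): a manifest of SHA-256 hashes is taken from the read-only master library, production is hashed the same way, and the delta lists what was modified, what went missing, and what appeared that the library never issued. Both directory trees are constructed in a temporary directory by demo().

```python
"""Master-copy manifest and delta check for a programme library.

Added example, not from the lesson. The master tree stands for the read-only,
authoritative library; the deployed tree stands for what went into production.
Both trees are constructed in a temporary directory by demo().
"""
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large install media work too."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare_manifests(master: Dict[str, str], deployed: Dict[str, str]) -> Dict[str, List[str]]:
    """The delta between the clean master and what is in production."""
    return {
        "modified": sorted(p for p in master if p in deployed and master[p] != deployed[p]),
        "missing": sorted(p for p in master if p not in deployed),
        "unexpected": sorted(p for p in deployed if p not in master),
    }


def matches_master(master: Dict[str, str], deployed: Dict[str, str]) -> bool:
    """True only when production is byte-for-byte what came out of the library."""
    return not any(compare_manifests(master, deployed).values())


def master_is_read_only(root: Path) -> bool:
    """No file under the master copy carries a write bit for anyone."""
    write_bits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
    return all(not (p.stat().st_mode & write_bits) for p in root.rglob("*") if p.is_file())


def _write(root: Path, rel: str, text: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def demo() -> dict:
    """Build a master library and a drifted production copy; report the delta."""
    base = Path(tempfile.mkdtemp(prefix="library_demo_"))
    master_dir, prod_dir = base / "master", base / "production"
    # Constructed library contents: source, a job control script and a config file.
    contents = {
        "app/report.sql": "SELECT id, total FROM orders;\n",
        "jobs/nightly.jcl": "//NIGHTLY JOB\n",
        "config/app.ini": "timeout=30\n",
    }
    for rel, text in contents.items():
        _write(master_dir, rel, text)
        _write(prod_dir, rel, text)
    for path in master_dir.rglob("*"):
        if path.is_file():
            path.chmod(0o444)  # the custodian's copy is read-only
    master = build_manifest(master_dir)
    clean_copy_matches = matches_master(master, build_manifest(prod_dir))
    # Drift in production: an edited query, a lost config file, an unapproved extra file.
    _write(prod_dir, "app/report.sql", "SELECT * FROM orders;\n")
    (prod_dir / "config/app.ini").unlink()
    _write(prod_dir, "app/hotfix.sql", "SELECT 1;\n")
    return {
        "clean_copy_matches": clean_copy_matches,
        "master_read_only": master_is_read_only(master_dir),
        "delta": compare_manifests(master, build_manifest(prod_dir)),
    }


if __name__ == "__main__":
    print(demo())
```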

So we want to make sure that we are in compliance because if we are ever out of compliance, then it’s going to cost us a whole lot more in fines or whatever when we have licencing violations. So the IS auditor needs to make sure that there are clear policies regarding the copying or distribution of software. And folks, it’s not enough just to say, “Warning, do not copy this.” You’re still liable even if you provide these warnings, but make sure that there are documented policies. Make sure that all contracts are reviewed so that we know what the specific licencing is. I mean, I have walked into small computer vendors, just small shops that sell computers. And this one guy, I’m not sure what he thought he was getting away with, was basically advertising cheap computers with Windows already installed. And this was back when you could install a minimal version of Windows. And so he never gave away the disk; hence, he never gave away the licence along with the computer that people would buy, but he installed the minimal version of Windows.

And so then, in that way, he could claim he was giving away Windows, but if they ever needed the disc to expand it, there was no license. Well, he wasn’t supposed to give away that minimal install. It didn’t matter if it was a minimal or full installation. He was still installing Windows. And so he was in clear violation of the licencing laws there. And he thought he could kind of get away with it by doing a minimal install. And I don’t know if he expected people to come and buy the full thing from him later or what the deal was, but he certainly didn’t tell us customers that. As a result, we must ensure that the licencing associated with the software contracts or items we purchase is clearly stated. If you’ve ever dealt with licensing, you know that from the vendors, you can have volume licensing, enterprise licensing, or individual retail licenses. You can have subscription-based licenses. And there are even OEM licenses. Original equipment manufacturers, for example, buy a lot of licences to put on their hardware, and then they have leftover copies.

And so then you’ll have these outlets on the Internet that sell these leftover copies that are unauthorised licences, but they’re meant for an OEM. So maybe they don’t have all the documentation, or they don’t have the full set of features that would come with a retail copy of Windows off the shelf. You want to compare the list of all the licenced applications with the list of everything that’s been installed. You need automated tools to actually go and query. There are plenty of automated tools that will query and get a complete inventory of software installed on everything, as well as software utilization. You might have software installed on everything, but it’s actually not being used. And then review all of the software currently installed, of course, on the users’ machines. If these machines belong to, say, a Microsoft domain, it becomes very easy to query all of them and inventory their software. So as auditors, when looking at performance monitoring and capacity monitoring, we want to see the monitoring plan. Is the monitoring strategy in line with the needs of the business?
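The reconciliation described above (licensed list versus everything installed, plus what is installed but unused), as an added example that is not from the lesson or any inventory product. The entitlement and inventory records are constructed; in practice the inventory would come from a domain-wide inventory export and the usage figures from a metering tool.

```python
"""Licence reconciliation: entitlements vs. installed inventory vs. actual usage.

Added example, not from the lesson or any inventory product. Entitlement and
inventory records are constructed; a real run would read a domain-wide
software inventory export and usage-metering data instead.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    days_since_last_use: int  # from usage metering; large means nobody is using it


# Constructed entitlements: product -> seats purchased.
ENTITLEMENTS: Dict[str, int] = {"Office": 3, "Visio": 1, "Windows": 4}

# Constructed inventory from four domain-joined machines.
INVENTORY: List[Install] = [
    Install("ws01", "Windows", 0), Install("ws01", "Office", 2),
    Install("ws02", "Windows", 1), Install("ws02", "Office", 5), Install("ws02", "Visio", 140),
    Install("ws03", "Windows", 0), Install("ws03", "Office", 1), Install("ws03", "Visio", 3),
    Install("ws04", "Windows", 0), Install("ws04", "Office", 90), Install("ws04", "Photoshop", 0),
]


def reconcile(entitlements: Dict[str, int], inventory: List[Install], idle_days: int = 60) -> dict:
    """Compare the licensed list with everything installed, and flag what is unused."""
    installed = Counter(item.product for item in inventory)
    idle = Counter(item.product for item in inventory if item.days_since_last_use >= idle_days)
    report = {
        "over_deployed": {}, "unlicensed": {}, "spare_seats": {}, "reclaimable": {},
        "idle": sorted((i.host, i.product) for i in inventory if i.days_since_last_use >= idle_days),
    }
    for product, count in installed.items():
        seats = entitlements.get(product)
        if seats is None:
            report["unlicensed"][product] = count           # installed, never bought
        elif count > seats:
            report["over_deployed"][product] = count - seats
            # idle copies that could be uninstalled instead of buying more seats
            report["reclaimable"][product] = min(count - seats, idle[product])
        elif count < seats:
            report["spare_seats"][product] = seats - count
    for product, seats in entitlements.items():
        if product not in installed:
            report["spare_seats"][product] = seats           # paying, nobody has it
    return report


def compliant(report: dict) -> bool:
    """No product deployed beyond its seats and nothing installed without a licence."""
    return not report["over_deployed"] and not report["unlicensed"]


if __name__ == "__main__":
    findings = reconcile(ENTITLEMENTS, INVENTORY)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("compliant:", compliant(findings))
```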

And so we want to see the programme logs, the processing schedules, the job accounting, and any preventive maintenance reports. We want to look at the problem logs. What were the malfunctions, what was abnormal, and what did people do about it? We want to look at the preventive maintenance plan. So are you backing up regularly? Are you defragging regularly? Are you checking the errors on discs regularly? We want to look at any equipment that would automatically contact its manufacturer without the organisation intervening. We are well aware that most commercial products from large organisations will have someone in the background contacting the manufacturer, either for licencing information or to obtain updates. We want to look at that as well. We want to review the availability and utilisation reports so that we know that the scheduling is accurate and the usage is accurate. We also want to ensure that the resources can actually process programs. Maybe we just need to upgrade these things, or maybe we need to make them more available, or maybe we need to make them more fault-tolerant. So the IS auditor needs to look at all of these things when taking a look at performance and capacity management.

8. Patch Management

One of the things that any system administrator is going to worry about is patch management. And the IS auditor is interested in the patch management process itself because we want to be able to see the successes of patches. We want to see if there were any service disruptions because we patched or didn’t patch, and we want to be able to track that sort of stuff. So when we talk about patch management, we have some best practices here. We then need to be aware of the available patches and determine whether they are appropriate.

Now there are a number of different products and tools. Microsoft, for example, provides a free one with their Windows Server products, allowing you to set up a server that downloads patches from Microsoft. You put them on a test machine, see if you like them, then approve them or not, and then they get deployed out to the general population. But you’ll want to be aware of what patches are there and which ones are truly needed. Because there will be patches for different languages, for applications you don’t have, and for different platforms that you don’t have. Versions will be 32-bit and 64-bit. And so you have to determine what you really need. Also, most IS managers are aware that when you patch one thing, you break another.

And so you have to test within your own environment: will this patch actually work? Because even if the patches are well tested by the vendor, they’re not necessarily tested against third-party products or other vendors’ products. So we need to test and make sure that these patches, including our own internally created patches, don’t break anything. We also need the installation process in place. So typically, you’ll download patches from the vendor, you’ll evaluate them, and you’ll have some automated way of distributing them, maybe sending those same patches down to yet another location. So you need an infrastructure or a system in place to distribute the patches and also to report on what patches were distributed and which machines actually got them.

There are plenty of tools. System Center is available. There are Windows Server Update Services. There are plenty of tools that can track what was downloaded, what was applied, and what was applied to which machine. So we’re going to, as an IS auditor, want to know that all of that is in place, and we want to be able to watch the change and release management process. As patches are distributed, different kinds of changes occur. You’ll have regular patches and regular updates. And in fact, our individual patches will be rolled up on a regular basis into a service pack, which includes all the patches up to that point. So we’ll have normal ones and standard changes.

We can also have emergency changes. So just remember that not all updates and patches are created equal. Some are emergency fixes, while others are routine maintenance. Some are critical, some are security-oriented, and some are recommended. So there are all kinds of updates and patches, and they shouldn’t all be treated equally. Change management and release management are two different concepts here. In change management, we have to worry about how critical the change is, and we need to track the change configuration and make sure that the change was authorized, with a special process based on how urgent it is. In release management, the questions are: have we actually tested this plan? Have we rolled it out? And do we have a rollback as well?

So, two kinds of thoughts here in patch management. For change management, there are things that we can measure. For the metrics of change management, we can see how many changes were requested versus how many were made, and we’ll want to know the difference there. We can see how many were successful and how many failed, as well as what the rate of disruption or interruption was and how many interruptions the change or the patches caused. And we want that number, of course, to stay as low as possible. For configuration management, remember, configuration means we are setting something up to work well, be in compliance, support our standards, et cetera. And configurations will, of course, be changed regularly. So you’ll have requests for configuration changes, what we call configuration items.

And so we want to make sure that as we’re gathering metrics about it, obviously we want the information to be of high quality, and we want to make sure that the information is complete. We know what configuration changes were requested and which ones were actually executed. And another important thing is, do we have enough data of high enough quality that we can predict whether or not the changes are actually going to have the effect we want? So do we know that these patches will help address this security issue or improve that performance, or do we not know? So we want to have enough data so that we can hopefully track and predict ahead of time whether this change will be useful or not, or whether these changes will be useful or not. For release management, some of the metrics that we’ll want to be looking at are the number of resources (computers, tablets, whatever they are), servers, devices that we have to deploy changes to and support, and the number of incidents that we have. And also, from the user’s perception, did this improve anything?

And also, what is the cost of doing this? So for our release management, we’re worried about those kinds of metrics. So when we’re talking about evaluating change configuration and release management, as an IS auditor, we’re going to want to look at these things. We want to ensure that the patch management process documentation is stored securely, that we can access it, that it is frequently reviewed, and that there are steps that are published and followed in the patch management process, such as downloading first, testing it, and then approving or not approving. Clear out the patches you ended up not using. Maintain the database that holds the patches. We want to make sure that testing is done first because I know Windows Update automatically goes and downloads things. You really want to test things first because you never know for sure how an update will work with your particular applications.

Make sure there’s a rollback plan so that if there is an update, we can roll back in case something happens. Usually, with desktop operating systems, you can set a restore point so that, in case this blows up on us, we can roll back and it will restore the registry, drivers, and configurations back to an original point. Make sure that the sources used to determine the need for patching are valid. Like the vendor is communicating and saying, “Hey, you really need it.” It’s a critical update; it’s a security update. Ensure that we have websites and distribution lists that are valid sources, that the sources are reviewed on a regular basis, and that systems that are patched manually are not patched inappropriately, too frequently, or insufficiently. So these are all the things that an IS auditor is going to want to look at when taking a look at patch and change management.
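The published patch steps and the change metrics from this section, as an added example (not code from the lesson or from any product such as WSUS): a small state machine refuses any patch that tries to skip download, test, or approval, refuses deployment without a recorded rollback point, discards patches that do not apply to the estate, and then reports requested versus made, success versus failure, and the disruption rate. Patch ids are constructed placeholders.

```python
"""Patch workflow that enforces the published steps, plus change metrics.

Added example, not from the lesson or any product such as WSUS. A patch must be
downloaded, tested and approved, in that order, before it can be deployed, and
a deployment is refused without a recorded rollback point. Patch records are
constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Allowed next states: the published order the auditor expects to see followed.
TRANSITIONS: Dict[str, set] = {
    "downloaded": {"tested", "discarded"},  # discard what we do not need
    "tested": {"approved", "rejected"},
    "approved": {"deployed"},
    "deployed": {"rolled_back"},
    "rejected": set(), "discarded": set(), "rolled_back": set(),
}


@dataclass
class Patch:
    patch_id: str
    category: str            # "security", "critical" or "recommended"
    applies_to_us: bool      # right platform, language and bitness for our estate
    state: str = "downloaded"
    restore_point: Optional[str] = None
    disrupted_service: bool = False
    history: List[str] = field(default_factory=list)


def advance(patch: Patch, new_state: str, restore_point: Optional[str] = None) -> None:
    """Move a patch one step, refusing anything that skips a published step."""
    if new_state not in TRANSITIONS[patch.state]:
        raise ValueError(f"{patch.patch_id}: {patch.state} -> {new_state} is not a published step")
    if new_state == "deployed" and not restore_point:
        raise ValueError(f"{patch.patch_id}: no rollback point recorded")
    patch.history.append(f"{patch.state}->{new_state}")
    patch.state = new_state
    if restore_point:
        patch.restore_point = restore_point


def triage(patches: List[Patch]) -> List[str]:
    """Determine what we really need; clear out the rest. Returns discarded ids."""
    discarded = []
    for patch in patches:
        if patch.state == "downloaded" and not patch.applies_to_us:
            advance(patch, "discarded")
            discarded.append(patch.patch_id)
    return discarded


def change_metrics(patches: List[Patch]) -> Dict[str, float]:
    """Requested vs. made, success vs. failure, and the disruption rate."""
    made = sum(p.state in ("deployed", "rolled_back") for p in patches)
    failed = sum(p.state == "rolled_back" for p in patches)
    disruptions = sum(p.disrupted_service for p in patches)
    return {
        "requested": len(patches), "made": made, "succeeded": made - failed,
        "failed": failed, "disruptions": disruptions,
        "disruption_rate": round(disruptions / made, 2) if made else 0.0,
    }


def demo() -> dict:
    """Run four constructed patches through the workflow and gather the metrics."""
    patches = [
        Patch("PATCH-A", "security", True),
        Patch("PATCH-B", "recommended", False),  # wrong platform for us
        Patch("PATCH-C", "critical", True),
        Patch("PATCH-D", "recommended", True),
    ]
    triage(patches)
    for patch, point in ((patches[0], "restore-point-1"), (patches[2], "restore-point-2")):
        advance(patch, "tested")
        advance(patch, "approved")
        advance(patch, "deployed", point)
    patches[2].disrupted_service = True  # broke a third-party product in production
    advance(patches[2], "rolled_back")
    advance(patches[3], "tested")
    advance(patches[3], "rejected")
    refused = None
    try:
        advance(Patch("PATCH-E", "security", True), "deployed")  # untested: refused
    except ValueError as err:
        refused = str(err)
    return {
        "states": {p.patch_id: p.state for p in patches},
        "metrics": change_metrics(patches),
        "refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```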

9. Incident Management

Now let’s talk about incident management. When something happens, how do we deal with incidents? And we can see here that an incident is an unplanned interruption to our process or our service, or it’s a reduction in quality. And incidents are caused by problems. And you can have multiple incidents from a single root cause. If you have more than a one-off, or even a one-off, you’re going to have people looking for the root cause. They’re going to be doing something called root cause analysis. And the more data you can give them—and maybe you’re the one doing the root cause analysis—the more data we can get that is relevant, fresh, and verifiable, and the more we can dig in and figure out what the root cause of a problem is. So for problem and incident management, we’re going to want to look at these things. We want to make sure that the processes use these practices.

We want to make sure that there is a thorough logging of incidents and problems. I can’t stress that enough. I was working on one project at the time, and the helpdesk had no way of tracking the incidents that were being reported. Believe it or not, it was a small help desk and a small group, but they had a very far-flung customer base. And so one of the first things was to make sure that there was a tracking process in place because the director wanted to know, “Why are we spending so much money on telecom?” because people could call in and there was basically no landline. So people were calling on cell phones, and we were calling them back. We wanted to know why we were spending this much money on the phone bill every month. So one of the first things we did was create an incident tracking system that could actually log how much time is spent on the phone, who took the call, who made the call, and what the problem was. And we had all these fields, and we made sure that the fields were required and that you couldn’t close out the form until you filled in things like contact information.

What’s the name of the person who called, what’s their number, the nature of the problem, information about the operating system and the version, the time of day, and where are they located? And because of some of it, we needed to know things like where they were located because we needed to know about environmental conditions in that area; were they having power problems in that area? What was the weather like in that area? Because of the nature of where we were working, the weather had a lot to do with whether or not systems were working well.

And so you want to gather as much information as possible so that when we have to figure out root cause analysis or just figure out why this thing happened, we’ve got the data we need to figure it out. So we want to make sure there’s thorough logging of incidents and problems. Which means, of course, that you need to have a help desk and staff that knows how to ask those questions and how to get the right answers out of people because people are afraid to tell you stuff because they think you’re going to accuse them of something. And instead, I would tell the help desk: “To these folks who are terrified of calling you, say, we’re doing a little detective work.”

“Everything you can do to help us helps us figure out what’s going on.” Just talk to them in a way that encourages them to help and give you information rather than trying to hide information out of fear of getting in trouble for something that wasn’t their fault in the least. And then make sure that there is a method of escalation that you’ve actually tested. So whenever you can, build in controls to automatically escalate: maybe if this thing hasn’t been resolved in three days, an alert or a note is automatically sent to somebody, or there’s some kind of report where we can see open tickets that haven’t been dealt with but weren’t escalated either. So you want to make sure all of these things are in place, and the IS auditor is going to want to make sure all of these things are in place.
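The incident logging and escalation controls from this section, as an added example (not code from the lesson or any ticketing product): the required fields are the ones the lecture lists for its tracking form, a ticket cannot be closed while any of them is blank, tickets open more than three days are escalated automatically, and phone minutes are totalled by location for the telecom-cost question. All tickets are constructed.

```python
"""Incident ticket logging with required fields and automatic escalation.

Added example, not from the lesson or any ticketing product. The required
fields are the ones the lecture lists for its tracking form, and the three-day
rule is the lecture's escalation example. All tickets are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

REQUIRED_FIELDS = ("caller_name", "caller_number", "problem", "os_version", "location")


@dataclass
class Ticket:
    ticket_id: str
    opened: datetime
    fields: Dict[str, str]
    taken_by: str
    minutes_on_phone: int = 0
    resolved: Optional[datetime] = None
    escalated: bool = False


def missing_fields(ticket: Ticket) -> List[str]:
    """Required fields that are absent or blank."""
    return [name for name in REQUIRED_FIELDS if not ticket.fields.get(name, "").strip()]


def close_ticket(ticket: Ticket, when: datetime) -> None:
    """The form cannot be closed until every required field is filled in."""
    gaps = missing_fields(ticket)
    if gaps:
        raise ValueError(f"cannot close {ticket.ticket_id}: missing {', '.join(gaps)}")
    ticket.resolved = when


def needs_escalation(ticket: Ticket, now: datetime, max_age: timedelta = timedelta(days=3)) -> bool:
    """Still open, not yet escalated, and older than the allowed age."""
    return ticket.resolved is None and not ticket.escalated and now - ticket.opened > max_age


def auto_escalate(tickets: List[Ticket], now: datetime) -> List[str]:
    """Flag overdue tickets and return their ids, i.e. the automatic alert."""
    flagged = []
    for ticket in tickets:
        if needs_escalation(ticket, now):
            ticket.escalated = True
            flagged.append(ticket.ticket_id)
    return flagged


def phone_minutes_by_location(tickets: List[Ticket]) -> Dict[str, int]:
    """Where the call time goes, for the telecom-cost question in the lecture."""
    totals: Dict[str, int] = {}
    for ticket in tickets:
        site = ticket.fields.get("location") or "unknown"
        totals[site] = totals.get(site, 0) + ticket.minutes_on_phone
    return totals


def demo() -> dict:
    """Three constructed tickets: one overdue, one fresh, one overdue with a blank field."""
    now = datetime(2022, 12, 16, 9, 0)
    tickets = [
        Ticket("INC-1", now - timedelta(days=5),
               {"caller_name": "A. Smith", "caller_number": "555-0100", "problem": "printer offline",
                "os_version": "Windows 10 21H2", "location": "north site"}, "helpdesk1", 25),
        Ticket("INC-2", now - timedelta(days=1),
               {"caller_name": "B. Jones", "caller_number": "555-0101", "problem": "VPN drops",
                "os_version": "Windows 11", "location": "south site"}, "helpdesk2", 40),
        Ticket("INC-3", now - timedelta(days=4),
               {"caller_name": "C. Lee", "caller_number": "", "problem": "slow login",
                "os_version": "Windows 10", "location": "north site"}, "helpdesk1", 15),
    ]
    escalated = auto_escalate(tickets, now)
    close_ticket(tickets[1], now)  # complete form: closes
    refused = None
    try:
        close_ticket(tickets[2], now)  # blank caller_number: refused
    except ValueError as err:
        refused = str(err)
    return {
        "escalated": escalated,
        "second_pass": auto_escalate(tickets, now),  # nothing new to flag
        "refused": refused,
        "resolved": [t.ticket_id for t in tickets if t.resolved],
        "minutes": phone_minutes_by_location(tickets),
    }


if __name__ == "__main__":
    print(demo())
```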

So now, of course, we’re talking about your help desk, and you may or may not outsource your help desk. You may have a very small help desk. You could have 20 people, 30 people, 50 people, or hundreds of people on your help desk. But help desk responsibilities will include being the single point of contact. Everybody knows to call the help desk. Now, hopefully, in a larger organisation or even a smaller one, you might have some self-help stuff first. And so someone can go to, say, an intranet website or refer to a manual and try certain things first. And that’s what we did. We couldn’t have an intranet website. So in the user manual, there were just clear troubleshooting steps. Try this, this, and this first; you should also see this, this, and this. If you don’t have these now, call us. And so there needs to be, sort of, a clear procedure for users. You can give them some sort of self-help first-line stuff, but after that, the help desk is their point of contact.

And really, you want the customers, who are your users, to be productive. So you don’t want them to feel like they’re getting the runaround; you want them to feel like they’re being taken care of, and you want to make sure that you are indeed satisfactorily taking care of incidents, and you don’t necessarily want to have the user just say, “Okay, I’m fine.” You want to make sure that the incident was thoroughly investigated because it could be the tip of a much larger iceberg. And you need to make sure that you resolve all of them because you need to get to a deeper root problem. So this is your single point of contact. You need to make sure that you document all the issues and have something to capture all of the issues that are being reported. This is the start of your resolution process. The help desk should, however, always ensure that users’ problems are actually resolved in the end. And of course you’ll have some method for prioritizing, forwarding, and escalating issues as necessary.

Make sure there’s always follow-up, so that the customers, the users, feel like they’ve been taken care of and the incident has been well taken care of. I saw a really wonderful example of that in a large organization. It was a Fortune 20 company with a very extensive help desk. The first thing I noticed was that the company intranet had some self-help resources. And if you couldn’t resolve it that way, then it automatically escalated. We would immediately, via the intranet chat, get people online. They’d say, “Can I take over your machine for a minute so I can take a look?” Afterwards, someone else would contact me and say, “Was this resolved?” And so on. They were very thorough.

They had their own ways of capturing data as well. They didn’t just take my word for it, because it might have seemed okay to me, but there could have been other issues that they were looking for. And that is my point: it seemed resolved to me, but there were other things beneath that that they were looking for as well. So it really depends on the organization—how deep and how well it is organized. But, regardless of how large or small your help desk department is, you must ensure that the client’s or user’s issue is resolved as quickly, effectively, completely, and satisfactorily as possible. And everything that happens is logged, so we can watch the trends. The next thing we need to be aware of is how resilient systems are, which depends on how much money you want to spend.

Obviously, we want to be able to recover in case there’s an incident, a major incident. As a result, system resilience is the idea that there is no single point of failure in the system itself. So there are multiple switches; there are multiple connections; there are multiple network links; there are multiple routers; there are multiple servers. The service is distributed across a cluster of servers or a network load balancer. So we want to make sure that the system is as resilient as possible. In a mom-and-pop donut shop, maybe you don’t need to worry about that, but you still need to have people be able to restore and recover as quickly as possible. In a small health clinic, maybe they can wait because they can fall back on their paper system. But we still need to be able to restore and recover. However, in a provincial office, we do need the resiliency. We do need the clustering, the network load balancing, the multiple links, the multiple power supplies, and the backup generators.

So for system resiliency, using different techniques, we can have multiple redundant pieces of hardware or redundant links so that we don’t have a single point of failure. So if this switch dies, we automatically fail over to that switch. Or we can have fault-tolerant hardware, such as redundant discs that work together so that if one dies, the other takes over, or one is a constant copy of the other. So for system resilience, the tools and techniques you use are redundant hardware, which is a very common thing, or spreading an application or service across multiple devices or boxes. So, like in this case, here’s a picture of somebody connected to two different switches.

Now, quite honestly, a desktop is not generally going to have two network cards, but you could have wired and wireless, and if the wireless fails, you go straight to wired. Here, I may have multiple discs in a RAID array in which data is written across all discs with parity information, as in RAID 5. If one dies, the others can keep going. Or I can have one disc constantly copying over to another in a mirror. Or I can have multiple servers, either clustered, where one is running and they have shared data, and if this one dies, the other takes over, or a bunch of servers in a network load balance, where they’re all working together and they all then contact another server for the database. But if one goes down, gets overwhelmed, or suffers a denial-of-service attack, the others can absorb the load. So these are all techniques, and they’re all for your infrastructure system architect to design and develop.

So for evaluating problem and incident management practices, the IS auditor is going to want to make sure that there are documented procedures to assist in all areas of help, and that these exist so that the IS staff and the help desk staff know how to help the users. We want to make sure, of course, that the documented procedures align with management’s goals, which means management has got to set some goals. How many times have I walked into a place where management goals aren’t really set as well as they should be, even in very large projects that affect entire countries? I want to make sure that the management process for problems is functioning correctly. So are we dealing with problems correctly? Is there oversight, procedure, documentation, and resolution, and are incidents prioritised properly based on impact and urgency? Because you walk in and you say, “Wait, that was critical. Why did you mess around with this? That was far more important than this.”

So you need to make sure that people know what the priorities are and can set something aside and go to this. Unfortunately, many priorities are more political than anything else. Make sure that the incident management process is sufficiently responsive that we actually get on it immediately. And if we can’t get on it immediately, then management has to figure out how to expand our capacity or automate our process so that we can respond immediately and resolve the problem as soon as possible. And make sure that incident management is governed by a service level agreement with agreed-upon response and resolution times and agreed-upon levels of service.
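As an added example of the checks an auditor might automate over a ticket export (not part of the course), the script below derives the priority each ticket should have had from impact and urgency, measures response and resolution times against SLA targets, and flags tickets closed without follow-up. The priority matrix, the SLA targets and the ticket queue are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Impact x urgency -> priority (1 = highest). Constructed for this example;
# the real matrix comes from the organisation's own agreed SLA.
PRIORITY_MATRIX = {
    ("high", "high"): 1, ("high", "medium"): 2, ("high", "low"): 3,
    ("medium", "high"): 2, ("medium", "medium"): 3, ("medium", "low"): 4,
    ("low", "high"): 3, ("low", "medium"): 4, ("low", "low"): 5,
}
# Agreed (response, resolution) targets per priority; constructed sample SLA.
SLA_TARGETS = {
    1: (timedelta(minutes=15), timedelta(hours=4)),
    2: (timedelta(minutes=30), timedelta(hours=8)),
    3: (timedelta(hours=1), timedelta(hours=24)),
    4: (timedelta(hours=4), timedelta(days=3)),
    5: (timedelta(hours=8), timedelta(days=5)),
}

@dataclass
class Ticket:
    ticket_id: str
    impact: str
    urgency: str
    assigned_priority: int          # what the help desk actually recorded
    opened: datetime
    first_response: Optional[datetime]
    resolved: Optional[datetime]
    follow_up_done: bool            # did anyone go back and ask the user?

def expected_priority(t: Ticket) -> int:
    return PRIORITY_MATRIX[(t.impact, t.urgency)]

def audit_ticket(t: Ticket, now: datetime) -> List[str]:
    """Return the audit findings for one ticket (empty list = compliant).
    SLA clocks are measured against the priority the matrix implies, so a
    ticket that was under-prioritised is judged by the targets it deserved."""
    findings = []
    expected = expected_priority(t)
    if t.assigned_priority != expected:
        findings.append(f"priority {t.assigned_priority} recorded, "
                        f"impact/urgency implies {expected}")
    response_target, resolution_target = SLA_TARGETS[expected]
    response_at = t.first_response or now        # still waiting counts against us
    if response_at - t.opened > response_target:
        findings.append("response SLA breached")
    resolved_at = t.resolved or now
    if resolved_at - t.opened > resolution_target:
        findings.append("resolution SLA breached"
                        + ("" if t.resolved else " (still open)"))
    if t.resolved and not t.follow_up_done:
        findings.append("closed without user follow-up")
    return findings

def audit_queue(tickets: List[Ticket], now: datetime) -> Dict[str, List[str]]:
    """Map ticket id -> findings, listing only tickets that have findings."""
    report = {}
    for t in tickets:
        findings = audit_ticket(t, now)
        if findings:
            report[t.ticket_id] = findings
    return report

# Constructed sample queue (not real tickets).
NOW = datetime(2022, 12, 16, 12, 0)
SAMPLE_TICKETS = [
    Ticket("INC-1", "high", "high", 1, datetime(2022, 12, 16, 8, 0),
           datetime(2022, 12, 16, 8, 10), datetime(2022, 12, 16, 11, 0), True),
    Ticket("INC-2", "high", "high", 4, datetime(2022, 12, 16, 8, 0),
           datetime(2022, 12, 16, 9, 0), datetime(2022, 12, 16, 10, 0), True),
    Ticket("INC-3", "low", "low", 5, datetime(2022, 12, 14, 12, 0),
           datetime(2022, 12, 14, 13, 0), datetime(2022, 12, 15, 9, 0), False),
    Ticket("INC-4", "medium", "high", 2, datetime(2022, 12, 15, 20, 0),
           datetime(2022, 12, 15, 20, 10), None, True),
]

if __name__ == "__main__":
    for ticket_id, findings in audit_queue(SAMPLE_TICKETS, NOW).items():
        print(ticket_id, "->", "; ".join(findings))
```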

10. Hardware Component Types

So let’s talk about different hardware component types. There are many. They can be internal to a computer. They can be peripherals. They can be storage devices. We can see some pictures here. We’ve got a printer that is a peripheral device. Anything external that you plug in is considered peripheral. Here’s some storage. Here’s an old floppy drive. Actually, here’s a CD/DVD drive. Here is a USB stick.

Let’s talk about the different network types to familiarise you with them. We have this concept called a personal area network, or PAN, and that’s really meant for Bluetooth. It’s meant to be just a few feet around you. It can go as far as, say, a room, but it’s meant to be a very confined area, like your Bluetooth headset to your phone, a Bluetooth keyboard to a computer, or your computer to a printer. So it’s a very, very short distance, meant to be just a few feet. Then we have the very common concept called the LAN, the local area network. A LAN has very clear protocols that operate on it: Ethernet, Token Ring, and, in some cases, ATM. However, when we think of a LAN, we usually think of a geographically limited location—an office, a building, or a campus of buildings. And I suppose a LAN could extend for a kilometre or so.

But it’s meant to be in a geographically contained area. I was at one major motion picture studio where the campus LAN actually had an ATM backbone. Down below, they had the administration buildings and the sound stages, where they did all the filming and production. And then up the hill, there was an ATM backbone leading up to an amusement park area at the top of the hill. And that whole thing was a campus. And they had one whole LAN with an ATM backbone, and they had a whole bunch of different departments and sort of smaller networks inside that entire LAN. And then we have the concept known as a wide area network. Now, a wide area network is basically a network of networks. So what you do is connect your LAN to another LAN via a WAN link, or to the Internet via a WAN link.

So then a WAN can cover the whole world. It can cover a state, a province, a country, or a continent. It depends on how far you need your network to reach. The ultimate example of a wide area network is the Internet. It is a network of networks—thousands and thousands of networks. And so wide area networks, WANs, have very clear protocols. They’ll have Frame Relay, ISDN, PPP, HDLC, and ATM. We’ll talk a little bit more about some of those protocols when we talk about the OSI model in chapter six. Then we have a concept called a MAN, a metropolitan area network. This is a network that spans a limited area, like a city or a region; it can be five or so, it kind of depends. Many MANs are fibre-based or wireless. It depends upon how you do the coverage, but they’re meant to be covering something like a municipality or a particular region. And the thing that’s really different between MANs and WANs is that generally, metropolitan area networks have LAN speeds.

As with local area networks, I anticipate that the links will be fast: gigabit, ten gigabit, or hundreds of megabits at the very least. Perhaps an older one is ten megabits. In wide area networks, I expect the link speeds to be more like T-1, one and a half megabits, 1.54, or maybe six megabits, or maybe 128; slower than a LAN link anyway. But for a metropolitan area network, we expect a much higher throughput of eleven megabits, 54 megabits, or 100 megabits, depending upon the service that you’re paying for and the service you’re providing. And then there’s something here called a SAN, a storage area network. Storage area networking is not really for connecting servers, computers, or me to a website. Instead, it’s an area of your network, usually your LAN, where you have boxes for storage. And these boxes have controllers that talk straight to the network. They can either use IP with SCSI commands carried on top, which is iSCSI, or they can have proprietary dedicated fibre-type connections. But it’s basically so that all the servers in the LAN can have their storage in one specific area that’s dedicated just for storage, so that we can have central management of our storage.

It’s not for connecting from one town to another. Now, it is true that you can have applications send their data and ship their logs and copies across a WAN link, but that’s not what we’re thinking of when we’re thinking of a storage area network; we’re usually thinking of a dedicated little network within the larger network. A SAN is typically IP-based, or perhaps Fibre Channel using specialised fibre optic cable. And it’s specifically just so the servers have storage in a specific location, as we’re going to see more of in the next module. Networking has sets of standards and protocols. Protocols are sets of rules. They’re just rules for communication. And we use standard models so that different networking products, protocols, and services can work with each other.

And so networking standards try to make network products and devices interoperable, more available, and more flexible. It’s easier to maintain, and it’s easier to mix and match different vendors. And we’re going to talk about some of those network models and standards a little bit more in the next lesson. Let’s talk, in general, about different network services. You’ve probably used all of them, but let’s just cover at a high level what they do. Network file system: I’m creating a spreadsheet document, whatever it is, and I’m going to save it across the network to a centrally stored location, be it a database, a shared folder, a public folder, or whatever, so that it is in a centrally controlled location where we can have controlled versioning and it can be backed up and maintained. So that’s a network file system. Email: I’m sending an email to a friend of mine over there.

I’m at work, and she’s at a training session. I compose this email. Usually it’s actually in HTML format, even if you’re not using an HTML client. My client hands it to the email server that handles my mailbox. That email server looks at the destination and goes “training,” looks up the email server for training, and passes it along to the training organisation’s email server, which looks at the destination and goes “Oh, you’re trying to send this to Sally” and drops it into Sally’s mailbox. Then, when she starts her email client, like Outlook or Windows Mail, or whatever it is, she goes and grabs it out of her mailbox, and it shows up, and she reads it. Print services: I need to print something.

Now, the printer can be connected directly to my machine, or I can submit the print job to a print server. The print server has a much bigger print queue and a lot more memory and disc space, and everybody’s sending print jobs to it. It can then send the actual print jobs to specific printers that have different priorities, different speeds, or different papers. I can even do this across a WAN link from a branch office to a central office. I can control all of the printers in all of the branch offices from a central office. So print services can be a lot more complex than simply plugging a printer into one machine. Remote access services: We’ve actually used remote access even in this particular class, where I’m sitting at one machine but want to remotely connect to services or another machine somewhere else. And so I will use either a VPN or remote desktop—or some other kind of product or technology—so that I can sit here and connect over there, and I can either see a desktop or just connect straight to a server, connect to a database, connect to my email, whatever it is.

Directory service: That’s a central computer or a central service that authenticates people on the network. So there are thousands of us, and we all have to authenticate onto the network, and our client workstations send our authentication request to a server that holds the directory service and its database. In a Microsoft network, the directory service is called Active Directory, and the servers that host it are called domain controllers. Network management: I’m on the IT staff, and I want to keep an eye on all the servers. So I’ll run a console here and little agents on all the servers, and my console will regularly poll all of the agents. How many users are connected to you? Any security breaches? How many DHCP leases did you give out? How many queries have you had? Have you had any deadlocks? And then you just go round and round and round. How busy are you? Do you have any congestion?

Do you have any queues that are backed up? And so it just goes in a round-robin fashion; the console is constantly polling the agents on all of the devices that I am monitoring. And they’re not just servers. They could be firewalls, switches, routers, or anything else. And in a central console, I see statistics, which I can drill down into. I can see problems at a glance. DHCP and DNS are the two really core network services, because all computers have to have an IP address. If they’re running IP, which almost all networks do, they have to get an address. We can manually type in IP addresses, but that’s a lot of hassle. Instead, when a computer boots up, it sends out a broadcast saying, “I’m awake; I need an address so I can talk to people, anybody.” And a DHCP server, which uses the Dynamic Host Configuration Protocol, which you don’t need to memorize, will respond by broadcasting, “Here, here’s an address.” And the client will say, “Oh, thanks,” and the server will log it. And this way, we automatically configure clients with addresses. The nice thing about DHCP is that if I take my laptop and plug it in, I can pick up an address that’s appropriate for the network I just walked into. I unplug, I go home, I pick up a different address for that network, and so I can have different addresses for different networks. DNS: Computers want numbers.

They want their addresses to be numbers. But humans remember names. So when you enter www.google.com or server.company.something-or-other, that is irrelevant to computers. They want to know, “Oh, it’s at 24.1.2.3, or it’s 192.168.1.75.” DNS is just like directory assistance on the telephone system. It’s a server that has a database that maps friendly names to IP addresses. As a user, I don’t have to know or care; I just type in www.google.com. But in the background, my client computer has a DNS client service that goes to the DNS server and says, “Do you have an address for this?” And there’s a whole system of that server either having the address or going and querying other servers to get the address. So these are very common network infrastructure services that you’re going to encounter. And as an IS auditor, you need to be aware of all of these services.
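The "either having the address or going and querying other servers" part is easier to see in code, so here is an added toy resolver (not from the course) that walks a constructed delegation chain from a root server down to the authoritative server, caches what it learns, and reports which servers it had to ask. The server names, zones and 203.0.113.x addresses are all made up for the illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone data for a toy name space (not real servers). Each entry is
# one name server: "NS" maps a zone it delegates to the server for that zone,
# "A" holds the address records it answers for itself.
ZONES: Dict[str, Dict[str, Dict[str, str]]] = {
    "root-server":     {"NS": {"com.": "com-tld-server", "org.": "org-tld-server"}},
    "com-tld-server":  {"NS": {"example.com.": "ns1.example.com"}},
    "org-tld-server":  {"NS": {}},
    "ns1.example.com": {"A": {"www.example.com.": "203.0.113.10",
                              "mail.example.com.": "203.0.113.25"}},
}

def delegation_for(server: str, name: str) -> Optional[str]:
    """Pick the server's longest-matching delegation for `name`, if any."""
    best_zone, best_server = "", None
    for zone, ns in ZONES[server].get("NS", {}).items():
        if (name == zone or name.endswith("." + zone)) and len(zone) > len(best_zone):
            best_zone, best_server = zone, ns
    return best_server

class Resolver:
    """The 'DNS server' the client asks. It answers from its cache if it can,
    otherwise walks from the root down the delegation chain."""
    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}

    def resolve(self, name: str) -> Tuple[Optional[str], List[str]]:
        """Return (address or None, list of servers queried this time)."""
        if name in self.cache:
            return self.cache[name], []          # cache hit: nobody queried
        trace: List[str] = []
        server: Optional[str] = "root-server"
        while server is not None:
            trace.append(server)
            records = ZONES[server]
            if name in records.get("A", {}):     # this server has the answer
                self.cache[name] = records["A"][name]
                return self.cache[name], trace
            server = delegation_for(server, name)   # else follow the referral
        return None, trace                        # name does not exist

def client_lookup(resolver: Resolver, name: str) -> Optional[str]:
    """What the DNS client service on a workstation sees: just the address."""
    return resolver.resolve(name)[0]

if __name__ == "__main__":
    r = Resolver()
    for name in ("www.example.com.", "www.example.com.", "nope.example.org."):
        print(name, "->", r.resolve(name))
```

The trace is the part an auditor cares about: a resolver that never walks the chain is answering from cache, so stale or poisoned cache entries persist until their lifetime expires.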

11. Network Component Types

We talked about the core network infrastructure services and the common applications on a network. Let’s talk a little bit about the hardware components we expect to see on a network. Again, it doesn’t hurt to have some background in hardware, software, and system management. But even if you don’t—maybe your project manager or your manager does—you haven’t gotten down to the nuts and bolts of hardware. You should be able to recognise these devices and know in general what they do.

We’ll talk, like I said, more about networking in the next lesson. So we have common network component types, starting with a repeater. And a repeater simply gets the signal farther. The repeater can be wireless or wired because the signal starts to drop off in strength after a certain distance. And we want the repeater to boost the signals so they can go a little bit farther. And there’s a whole science behind how far the repeater can go. You obviously don’t have it all the way at the very end, where the signal is very bad, so you back it up just a little bit. But the idea is that I want to get my signal a little bit farther than would be normal. So that’s the idea of a repeater.

A hub is a central device, and it’ll have multiple ports. It could be wired or wireless, and a bunch of computers or devices can plug into it: computers, tablets, phones, servers, printers, whatever. So this is a central device on a LAN that will connect a whole bunch of computers together. Now, hubs have been largely replaced by switches. A switch is essentially a hub that’s intelligent, because the problem with a hub is this: I plug all these computers in, and if one computer transmits, the hub is obliged by its design to repeat that transmission out to all of the other machines, and maybe they don’t care to hear that transmission. With a switch, one machine makes a transmission in here, and the switch takes a look at the destination—where that transmission is actually supposed to go. It examines the destination address of that frame and then selectively repeats that frame out only the port to the other machine that is supposed to receive it.

So with a hub, if one machine is transmitting, everyone else has to shut up until it’s done. But with a switch, if I’ve got a 24-port switch, I could, in theory, have twelve pairs of conversations going on at the same time. For the most part, we only use hubs if we really are kind of desperate or if we have only a few machines, but they still exist and you can still buy them. But switches are cheap enough. Then there’s the concept of a bridge. Now, depending on your context here, Cisco refers to switches and bridges interchangeably, because they do the same kind of thing: they make forwarding decisions based on layer 2 addresses, usually MAC addresses. But, if we think a little wider, a bridge can also be something that converts one media type to another. So I can have a bridge that translates from wired to wireless, or from Ethernet to power line, so that we can actually transmit data over power lines. How do you like that? So bridges typically translate between various types of physical connectivity.
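The hub-versus-switch difference described above, as an added simulation (not part of the course): a hub repeats every frame out every other port, while a learning switch records which port each source MAC arrived on and then forwards a known destination out one port only. The MAC addresses, port numbers and frames are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    payload: str

class Hub:
    """A hub is a multi-port repeater: every frame goes out every other port."""
    def __init__(self, ports: List[int]):
        self.ports = ports
    def forward(self, in_port: int, frame: Frame) -> List[int]:
        return [p for p in self.ports if p != in_port]

class LearningSwitch:
    """Learns which port each source MAC was seen on, then forwards a frame
    only to the port of its destination. Unknown destinations and broadcasts
    are flooded, which is the only time a switch behaves like a hub."""
    def __init__(self, ports: List[int]):
        self.ports = ports
        self.mac_table: Dict[str, int] = {}
    def forward(self, in_port: int, frame: Frame) -> List[int]:
        self.mac_table[frame.src] = in_port       # learn (also tracks moves)
        out_port = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            return [p for p in self.ports if p != in_port]   # flood
        if out_port == in_port:
            return []   # destination is on the ingress port: drop
        return [out_port]

# Constructed traffic: hosts A, B, C sit on ports 1, 2, 3 of a 4-port device.
A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
SAMPLE_TRAFFIC: List[Tuple[int, Frame]] = [
    (1, Frame(A, B, "hello B")),           # B not yet learned: flooded
    (2, Frame(B, A, "hi A")),              # A known: one port only
    (1, Frame(A, B, "again")),             # B known now
    (3, Frame(C, BROADCAST, "who has?")),  # broadcast: always flooded
]

def run(device, traffic: List[Tuple[int, Frame]]) -> List[List[int]]:
    """Feed frames in order and collect the output ports chosen for each."""
    return [device.forward(port, frame) for port, frame in traffic]

def compare(ports=(1, 2, 3, 4)) -> Tuple[List[List[int]], List[List[int]]]:
    """Output ports chosen by a hub and by a fresh learning switch for the
    same traffic. Fewer ports per frame means less traffic reaches hosts
    that should never see it."""
    return (run(Hub(list(ports)), SAMPLE_TRAFFIC),
            run(LearningSwitch(list(ports)), SAMPLE_TRAFFIC))

if __name__ == "__main__":
    hub_out, switch_out = compare()
    for (port, frame), h, s in zip(SAMPLE_TRAFFIC, hub_out, switch_out):
        print(f"port {port} {frame.payload!r}: hub -> {h}, switch -> {s}")
```

Note the first frame and the broadcast still go everywhere on the switch; that flooding behaviour is why a switch alone is not a security boundary between hosts in the same LAN.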

Or, if we think of the Cisco definition, they behave just like a switch, because they basically are an older version of a switch, where they make forwarding decisions between two segments of a network, or a couple of segments of a network, based on the destination layer 2 address, the MAC address. So repeaters, hubs, switches, and bridges are all things we expect to find in the local area network to connect devices on the LAN. Then we have a concept called the router. A router is a device that sits at the edge of your network and connects your network to other networks. It makes forwarding decisions based on layer 3 addresses, or network addresses. So I’m going to connect this whole network to the Internet, or this whole network across a WAN link to that whole network over there. That’s a router’s job. A “gateway” is a more generic term. Sometimes when we say “gateway,” we’re referring to routers; it is the thing that gets us onto another network. Sometimes when we say “gateway,” we mean something that translates one protocol to another. So it’s a little bit more of a generic term. We can have a gateway that will translate IP to IPX, or a gateway that is a router that will translate Ethernet to PPP. So a “gateway” is generally either a router or a function on a device that translates one kind of protocol to another in a network. Why do we need that translation?

Because networks have all kinds of protocols, depending upon the network, sometimes we need to translate from one to the next to get from one network to another. And then finally, we have this concept called a modem. If you have DSL, you know what a modem is. Modems basically make a dial-up connection across the network to some other location. A DSL modem is a type of modem that never turns off. But you still have to authenticate, don’t you? When you first set up a DSL modem, you provide a username and password. In the old days, the old dial-up analogue modems actually picked up the phone, dialled a number, made a connection with the other end, negotiated a speed, and then you had a connection across an analogue line. So that is the idea of a modem: something we use to make a connection, and now it doesn’t have to be across a telephone system. Cable modems are also available, and with cable TV, your data is treated as a premium TV channel, with one channel for transmit and one for receive.

And the modem then makes a connection between the cable system and your Ethernet LAN. Just so you know what you’re seeing when you see these devices, we’re just going to look at some common examples. Here’s an example of a repeater, and I can see that I have some RJ-45 connections here for Ethernet. I can also see that I have some BNC connections. So this repeater is meant to simply boost the signal so it can go farther. Of course, we can also have wireless repeaters. Here are some examples of hubs. You’ll notice that the majority of hubs these days are Ethernet hubs, and you can see the eight-pin RJ-45 connectors here for twisted pair. These are just a couple of vendor examples. Here are examples of switches. We can see that this one is significantly larger; we could have entire racks of switches here. We can have smaller switches. And you might go, “Gee, that looks a whole lot like this. Are switches always sort of this greenish grey?” Well, that just depends on the vendor. Sometimes it’s really hard to tell the difference: is this really a hub or a switch? Just by looking at it, unless you can read the product, sometimes you don’t know. But here are some typical examples of switches.

And you can see up-close pictures of where we’ve plugged our cables; these are RJ-45 jacks, and we’re plugging in twisted pair. This looks like Category 5—probably 5e—connections into RJ-45 jacks with twisted pair cable, very typical for a local area network. You’ll probably recognise these computer cables. This is what you plug into your computer—probably into a port on the wall. Of course, one of the risks of having wired connectivity is that you can have a mess. I’ve been in places that were far worse than this, and they don’t do anything about it until someone trips and some equipment gets yanked down on top of somebody. So part of good management is also good cable management. And when you walk into data centres and server rooms, you’ll see trays with all the cabling running along them, with little panels over them, so it’ll be neatly controlled rather than something like this. Here are some examples of bridges. This is an example of a wireless bridge. This device is a USB to Ethernet converter.

This is an interesting product here. It’s meant to actually extend the length of your USB cable across an Ethernet link and then back to USB. I thought that was really interesting when I saw it. Here’s an example of Ethernet to power line. It’ll actually plug into your AC outlet there so that you can basically run Ethernet over the power lines around the house. So those are some examples of bridges. Here are some examples of routers. The larger professional routers are shown here, the big Cisco routers, and here are smaller branch-office-type Cisco routers: the 7200 series and the 2600 series. Here are the kinds of routers that I expect to see at home. These are wireless routers. So here’s an old Linksys and a slightly newer one, and you can see the ports on the back. Most of these routers, especially the home ones, will have a little built-in switch inside them. So there might be a little four-port switch built in right here. You plug computers in here, plus it can pick up wireless from laptops and wireless devices, including phones that are on WiFi. And then you plug in your WAN link here. So those are some examples of routers, and here are some examples of firewalls.

The smaller of these are the Cisco ASA firewalls. And here’s another one, a SonicWall. And you might just say, “Gee, it is really hard to tell the difference between these products.” Well, yeah, you’re right. Sometimes they look so much alike that it is hard to tell the difference, because they all have the same kinds of ports and jacks. And that’s why you have to actually look at the product, the name, and the make and model to see, well, what is it really? Is it a switch? Is it a hub? Is it a firewall? What is it? Like, I can tell at a glance, because I know SonicWall makes firewalls, but if I hadn’t looked closer, if I hadn’t known it was a Cisco ASA, I wouldn’t have realised it was a firewall. And so that’s just sort of a quick look at the different kinds of network devices that you’ll expect to see when you are walking in and doing an audit of an IT department. Of course, there are also various types of system software. We know we have operating systems: Windows Server 2012, Windows Server 2008, Red Hat Enterprise Linux. So there are all different kinds.

There are also database management systems, such as SQL Server or Oracle. There are utilities and tools like a network monitoring tool or System Center. So there are a variety of different software types for whole systems, not just operating systems. When you are an IS auditor and you walk into an IT department, the things you’re going to want to be looking at are: What is all the hardware they use? Do they even have a network map? Do they even have an inventory of all their hardware? Do they even know what all this stuff does? Have salespeople been plugging in switches and hubs that they bought at the local electronics store? Did they set up rogue wireless access points? What are all the hardware components? Sometimes that’s a lot harder to answer than you might think. And then, how are they using and maintaining all the operating systems? Because there’s going to be more than just Windows: you’re going to have Linux, you’re going to have Mac, and you’re going to have different kinds of Unix.

There are all kinds of flavours there. And also, what about the entire network infrastructure? How are they controlling the traffic in and out to the Internet and to other locations? How do they have their switches and hubs connected? How do they have their routers connected and configured? You’ll want to review the entire network infrastructure. And if hardware is not your particular area of expertise or if network infrastructure is not your particular area of focus, you’ll want to have with you people who really understand network infrastructure as well as hardware and operating system maintenance. And the next thing we’re going to talk about is how to go deeper into networking.
