9. Incident Management
Now let’s talk about incident management. When something happens, how do we deal with incidents? And we can see here that an incident is an unplanned interruption to our process or our service, or it’s a reduction in quality. And incidents are caused by problems. And you can have multiple incidents from a single root cause. If you have more than a one-off, or even a one-off, you’re going to have people looking for the root cause. They’re going to be doing something called root cause analysis. And the more data you can give them—and maybe you’re the one doing the root cause analysis—the more data we can get that is relevant, fresh, and verifiable, and the more we can dig in and figure out what the root cause of a problem is. So for problem and incident management, we’re going to want to look at these things. We want to make sure that the processes use these practices.
We want to make sure that there is a thorough logging of incidents and problems. I can’t stress that enough. I was working on one project at the time, and the helpdesk had no way of tracking the incidents that were being reported. Believe it or not, it was a small help desk and a small group, but they had a very far-flung customer base. And so one of the first things was to make sure that there was a tracking process in place because the director wanted to know, “Why are we spending so much money on telecom?” because people could call in and there was basically no landline. So people were calling on cell phones, and we were calling them back. We wanted to know why we were spending this much money on the phone bill every month. So one of the first things we did was create an incident tracking system that could actually log how much time is spent on the phone, who took the call, who made the call, and what the problem was. And we had all these fields, and we made sure that the fields were required and that you couldn’t close out the form until you filled in things like contact information.
What’s the name of the person who called, what’s their number, the nature of the problem, information about the operating system and the version, the time of day, and where are they located? And because of some of it, we needed to know things like where they were located because we needed to know about environmental conditions in that area; were they having power problems in that area? What was the weather like in that area? Because of the nature of where we were working, the weather had a lot to do with whether or not systems were working well.
And so you want to gather as much information as possible so that when we have to figure out root cause analysis or just figure out why this thing happened, we’ve got the data we need to figure it out. So we want to make sure there’s thorough logging of incidents and problems. Which means, of course, that you need to have a help desk and staff that knows how to ask those questions and how to get the right answers out of people because people are afraid to tell you stuff because they think you’re going to accuse them of something. And instead, I would tell the help desk: “To these folks who are terrified of calling you, say, we’re doing a little detective work.”
Everything you can do to help us We can figure out what’s going on and just talk to them in a way that encourages them to help and give you information rather than trying to hide information out of fear of getting in trouble for something that wasn’t their fault in the least. And then make sure that there is a method of escalation that you’ve actually tested. And so whenever you can build in controls to automatically escalate, like maybe this thing hasn’t been resolved in three days, there’s automatically an alert or a note sent to somebody, or there’s some kind of report where we can see open tickets that haven’t been dealt with but weren’t escalated either. So you want to make sure all of these things are in place, and the IS auditor is going to want to make sure all of these things are in place.
So now, of course, we’re talking about your help desk, and you may or may not outsource your help desk. You may have a very small help desk. You could have 20 people, 30 people, 50 people, or hundreds of people on your help desk. But help desk responsibilities will include being the single point of contact. Everybody knows to call the help desk. Now, hopefully, in a larger organisation or even a smaller one, you might have some self-help stuff first. And so someone can go to, say, an intranet website or refer to a manual and try certain things first. And that’s what we did. We couldn’t have an intranet website. So in the user manual, there were just clear troubleshooting steps. Try this, this, and this first; you should also see this, this, and this. If you don’t have these now, call us. And so there needs to be, sort of, a clear procedure for users. You can give them some sort of self-help first-line stuff, but after that, the help desk is their point of contact.
And really, you want the customers, who are your users, to be productive. So you don’t want them to feel like they’re getting the runaround; you want them to feel like they’re being taken care of, and you want to make sure that you are indeed satisfactorily taking care of incidents, and you don’t necessarily want to have the user just say, “Okay, I’m fine.” Now you want to make sure that the incident was thoroughly investigated because it could be the tip of a much larger iceberg. And you need to make sure that you resolve all of them because you need to get to a deeper root problem. So this is your single point of contact. You need to make sure that you document all the issues and have something to capture all of the issues that are being reported. This is the start of your resolution process. They should, however, always ensure that the help desk ensures that users’ problems are resolved at the end. And of course you’ll have some method for prioritizing, forwarding, and escalating issues as necessary.
Make sure there’s always follow-up, so that the customers, the users, feel like they’ve been taken care of and the incident has been well taken care of. I saw a really wonderful example of that in a large organization. It was a Fortune 20 company with a very extensive help desk. The first thing I noticed was that the company intranet had some self-help resources. And if you couldn’t resolve it that way, then it automatically escalated. We would immediately, via the intranet chat, get people online. They’d say, “Can I take over your machine for a minute so I can take a look?” Afterwards, someone else would contact me and say, “Was this resolved?” Moreover, da da da They were very thorough.
They had their own ways of capturing data as well. They didn’t just take my word for it because it might have seemed okay to me, but there could have been other issues that they were looking for. And that is my issue. It seemed resolved to me, but there were other things beneath that that they were looking for as well. So it really depends on the organization—how deep and how well it is organized. But, regardless of how large or small your helpdesk department is, you must ensure that the client’s or user’s issue is resolved as quickly, effectively, and completely as possible and satisfactorily as possible. And everything that happens is logged. So we can watch the trends. One thing that we will need to be aware of is how resilient systems are now, depending on how much money you want to spend.
Obviously, we want to be able to recover in case there’s an incident, a major incident. As a result, system resilience is the idea that there is no single point of failure in the system itself. So there are multiple switches; there are multiple connections; there are multiple network links; there are multiple routers; there are multiple servers. The service is distributed across a cluster of servers or a network load balancer. So we want to make sure that the system is as resilient as possible. In a mom-and-pop donut shop, maybe you don’t need to worry about that, but you still need to have people be able to restore and recover as quickly as possible. In a small health clinic, maybe they can wait because they can fall back on their paper system. But we still need to be able to restore and recover. However, in a provincial office, we do need the resiliency. We do need the clustering, the network load balancing, the multiple links, the multiple power supplies, and the backup generators.
So for system resiliency, using different techniques, we can have multiple redundant pieces of hardware or redundant links so that we don’t have a single point of failure. So if this switch dies, we automatically fail over to that switch. Or we can have fault-tolerant hardware, such as redundant discs that work together so that if one dies, the other takes over, or one is a constant copy of the other. For system resilience, some of the tools and techniques you use have redundant hardware; it’s a very common thing. Or you spread an application or service across multiple devices or boxes. So, like in this case, here’s a picture of somebody connected to two different switches.
Now, quite honestly, a desktop is not going to generally have two network cards, but you could have wired and wireless, and if the wireless fails, you go straight to wired. Here, I may have multiple discs and a raid array in which data is written across all discs with parity information, similar to a raid 5. If one dies, the others can keep going. Or I can have one disc constantly copying over to another on a mirror. Or I can have multiple servers, either clustered where one is running and they have shared data, and if this guy dies, the other one takes over, or a bunch of servers in a network load balance where they’re all working together and they all then contact another server for the database. But if one goes down, gets overwhelmed, or has a denial of service attack, the others can absorb the load. So these are all techniques, and they’re all for your infrastructure system architect to design and develop.
So for evaluating problem and incident management practices, the IS auditor is going to want to make sure that there are documented procedures to assist in all areas of help and that these exist so that the IS staff and the help desk staff know how to help the users. We want to make sure, of course, that the document procedures align with management’s goals, which means management has got to set some goals. How many times have I walked into a place where management goals aren’t really set as well as they should be, even in very large projects that affect entire countries? I want to make sure that the management process for problems is functioning correctly. So are we dealing with problems correctly? And is there oversight, procedure, documentation, and resolution, and are incidents prioritised properly based on impact and urgency? Because you walk in and you walk out, that was critical. Why did you mess around with this? That was far more important than this.
So you need to make sure that people know what the priorities are and can set something aside and go to this. Unfortunately, many priorities are more political than anything else. Make sure that the incident management process is sufficiently reactive that we actually get on it immediately. And if we can’t get on it immediately, then management has to figure out how to expand our capacity or automate our process so that we can respond immediately and resolve the problem as soon as possible. And make sure that incident management is governed by a service level agreement with agreed-upon times for resolution and response times and agreed-upon levels of service.
10. Hardware Component Types
So let’s talk about different hardware component types. There are many. They can be internal to a computer. They can be peripherals. They can be storage devices. We can see some pictures here. We’ve got a printer that is a peripheral device. Anything external that you plug in is considered peripheral. Here’s some storage. Here’s an old floppy drive. Actually, here’s a CD/DVD drive. Here is a USB stick.
Let’s talk about the different network types to familiarise you with them. We have this concept called a personal area network, or Pan. and that’s really meant for Bluetooth. It’s meant to just be a few feet around you. It can go as far as, say, a room, but it’s meant to be a very confined area, like your Bluetooth headset to your phone, a Bluetooth keyboard to a computer, or your computer to a printer. So it’s a very, very short distance, meant to be just a few feet. Then we have the very common concept called “land,” the local area network. The LAN now has very clear protocols that operate on a local area network (LAN) using ethernet, tokens, rings, and, in some cases, ATM. However, when we think of land, we usually think of a geographically limited location—an office, a building, or a campus of buildings. And I suppose a land area could extend for a kilometre or so.
But it’s meant to be in a geographically contained area. I was at this one major motion picture studio where the campus land actually had an ATM backbone. From below, they had the administration buildings and the sound stages, where they did all the filming and production. And then up the hill, there was an ATM backbone leading up to an amusement park area at the top of the hill. And that whole thing was a campus. And they had one whole land with an ATM backbone, and they had a whole bunch of different departments and sort of smaller networks inside that entire land. And then we have the concept known as a wide area network. Now, a wide area network is basically a network of networks. So what you do is connect your land to another land via a Wanlink or to the Internet via a Wanlink.
So then a wave can cover the whole world. It can cover a state, a province, a country, or a continent. It depends on how far you need your network to reach. The ultimate example of a wide-area network is the Internet. It is a network of networks—zillions, thousands, and thousands of networks. And so wide-area networks and WANs have very clear protocols. They’ll have frame relay, ISDN PPP, HDLC, and ATM. We’ll talk a little bit more about some of those protocols when we talk about the OSI model in chapter six. Then we have a concept called a “man,” a metropolitan area network. And this is a man that spans a limited part of, like, a city or a region, and it can be five; it kind of depends. Many mans can be fiber-based or wireless, with wireless coverage. And it depends upon how you do the coverage, but they’re meant to be COVID-like a municipality or a particular region. And the thing that’s really kind of different between Mans and Wands is that generally, metropolitan area networks have land speed.
As with local area networks, I anticipate that the links will be fast gigabits, ten gigabits, or hundreds of megabits at the very least. Perhaps the older one is ten megabits. In wide area networks, I expect the link speeds to be more like T-1, one and a half megabits, 1.54, or maybe six megabits, or maybe 128 slower than a land line. But for a metropolitan area network, we expect a much higher throughput of eleven megabits, 54 megabits, or 100 megabits, depending upon the service that you’re paying for and the service you’re providing. And then there’s something here called a SAM, or a storage area network. Storage Area Networking is not really for connecting servers, computers, or me to a website. Instead, it’s an area of your network, your LAN, usually where you have boxes for storage. And these boxes have controllers that talk straight to the network. And they can either use IP with TCP commands or scuzzy commands on top. So we can either use Icuzzy or they can have proprietary dedicated fibre-type connections. But it’s basically so that all the servers in the land can have their storage in one specific area that’s dedicated just for storage, so that we can have central management of our storage.
It’s not for connecting from one town to another. Now, it is true that you can have applications send their data and ship their logs and copies across a Wan link, but that’s not what we’re thinking of when we’re thinking of a storage area network; we’re usually thinking of a dedicated little network within the larger network. A VLAN is typically IP-based. Or perhaps a fibre channel using specialised fibre optic cable. And it’s specifically just so the servers have storage in a specific location, as we’re going to see more of in the next module. Networking has sets of standards and protocols. Protocols are sets of rules. They’re just rules for communication. And we use standard models so that different networking products, protocols, and services can work with each other.
And so networking standards try to make network products and devices interoperable, more available, and more flexible. It’s easier to maintain, and it’s easier to mix and match different vendors. And we’re going to talk about some of those network models and standards a little bit more in the next lesson. Let’s talk about, in general, different network services. You’ve probably used all of them, but let’s just cover at a high level what they do. network file system I’m creating a spreadsheet document. Whatever it is, I’m going to save it across the network to a centrally stored location, be it a database, a shared folder, a public folder, or whatever it is, so that it is in a centrally controlled location where we can have controlled versioning and it can be backed up and maintained. So that’s a network file system. Email I’m sending an email to a friend of mine over there.
I’m at work, and she’s at a training session. I composed this email. Usually it’s actually in HTML format, even if you’re not using an HTML client. My client informs the email server, which sends it to the email server that handles my mailbox. That email server looks at the destination and goes “training,” looks up the email server for training, and passes it along to the training organisation’s email server, which looks at the destination and goes “Oh, you’re trying to send this to Sally” and drops it into Sally’s mailbox. Then, when she starts her email client, like Outlook or Windows Mail, or whatever it is, she goes and grabs it out of her mailbox, and it shows up, and she reads it. Print Services I need to print something.
Now, the printer can be connected directly to my machine, or I can submit the print job to a print server, and the print server has a much bigger print queue and a lot more memory and disc space, and everybody’s sending print jobs. And then it can send the actual print jobs to specific printers that have different priorities, different speeds, or different papers. I can even do this across a land link from a branch office to a central office. I can control all of the printers in all of the branch offices from a central office. So print services can be a lot more complex than simply plugging a printer into one machine. Remote Access Services We’ve actually used remote access even in this particular class, where I’m sitting at one machine but want to remotely connect to services or another machine somewhere else. And so I will use either a VPN or remote desktop—or some other kind of product or technology—so that I can sit here and connect over there, and I can either see a desktop or just connect straight to a server, connect to a database, connect to my email, whatever it is.
Directory service That’s a central computer or a central service that authenticates people on the network. So there are thousands of us, and we all have to authenticate onto the network, and our client workstations send our authentication request to a server that holds the directory service and the database. And in a Microsoft network, the directory service is called Active Directory, and the servers that host it are called domain controllers. Network Management I’m on the IT staff, and I want to keep an eye on all the servers. So I’ll run a console here and little agents on all the servers, and my console will regularly pull all of the agents. How many people are following you? Any security breaches? How many DHCP leases did you give out? How many queries have you had? Have you had any deadlocks? And then you just go round and round and round. How busy are you? Do you have any congestion?
Do you have any queues that are backed up? And so it just goes in a round-robin fashion. All of these devices that I am monitoring are constantly polling the agents. And they’re not just servers. They could be firewalls, switches, routers, or anything else. And in a central console, I see statistics, which I can drill down into. I can see problems at a glance. DHCP and DNS are the two really core network services, because all computers have to have an IP address. If they’re running IP, which almost all networks do, they have to get an address. So we can manually type in IP addresses. But that’s a lot of hassle. Instead, when a computer boots up, it sends out a broadcast saying, “I’m awake; I need an address so I can talk to people, anybody.” And a DHCP server, which uses the Dynamic Host Configuration Protocol, which you don’t need to memorize, will respond by broadcasting, “Here, here’s an address.” And the client will say, “Oh, thanks.” and the server will log it. And this way, we automatically configure clients with addresses. The nice thing about DHCP is that if I take my laptop and plug it in, I can pick up an address that’s appropriate for the network I just walked into. I unplug, I go home, I pick up a different address for that network, and so I can have different addresses for different networks. DNS computers want numbers.
They want their addresses to be numbers. But humans remember names. So, when you enter www.google.com or server dot company, Something or other is irrelevant to computers. They want to know, “Oh, it’s at 24 dot one, dot two, dot three, or it’s 192-16-8175 DNS.” It’s just like directory assistance on the telephone system. It’s a server that has a database that maps friendly names to IP addresses. As a user, I don’t have to know or care; I just type in www.google.com. But in the background, my client computer has a DNS client service that is going to the DNS server and saying, “Do you have an address for this?” And there’s been a whole system of that server either having the address or going and querying other servers to get the address. So these are very common network infrastructure services that you’re going to encounter. And as an IM auditor, you need to be aware of all of these services.
11. Network Component Types
We talked about the core network infrastructure services and the common applications on a network. Let’s talk a little bit about the hardware components we expect to see on a network. Again, it doesn’t hurt to have some background in hardware, software, and system management. But even if you don’t—maybe your project manager or your manager does—you haven’t gotten down to the nuts and bolts of hardware. You should be able to recognise these devices and know in general what they do.
We’ll talk, like I said, more about networking in the next lesson. So we have common network component types, starting with a repeater. And a repeater simply gets the signal farther. The repeater can be wireless or wired because the signal starts to drop off in strength after a certain distance. And we want the repeater to boost the signals so they can go a little bit farther. And there’s a whole science behind how far the repeater can go. You obviously don’t have it all the way at the very end, where the signal is very bad, so you back it up just a little bit. But the idea is that I want to get my signal a little bit farther than would be normal. So that’s the idea of a repeater.
A hub is a device. It’s a central device, and it’ll have multiple ports. It could be wired or wireless, and a bunch of computers or devices could plug into it. Computers, tablets, phones, servers, printers, whatever So this is a central device on a LAN that will connect a whole bunch of computers together. Now, hubs have been largely replaced by switches. A switch is actually a hub that’s intelligent, because the problem with a hub is that I plug all these computers in. If one little computer transmits, a hub is obliged by its design to repeat that transmission out to all of the other machines, and maybe they don’t care to hear that transmission. One machine makes a small transmission in here, where a switch is. The switch will take a look at the destination—where that transmission is actually supposed to go. It will examine the destination address of that frame and then selectively repeat that frame from that transmission out only the port to the other machine that is supposed to receive it.
So with a hub, if one machine is transmitting, everyone else has to shut up until it’s done. But with a switch, if I’ve got a 24-port switch, I could, in theory, have twelve pairs of conversations going on at the same time. For the most part, we only use hubs if we really are kind of desperate or if we have only a few machines, but they still exist and you can still buy them. But switches are cheap enough. Then there’s the concept of a bridge. Now, depending on your context here, Cisco refers to switches and bridges interchangeably because they do the same kind of thing. They make forwarding decisions based on layer 2 addresses, usually Mac addresses. But, if we think a little wider, a bridge can also be something that converts one media type to another. So I can have a bridge that translates from wired to wireless or from Ethernet to power, so that we can actually have transmissions of data over power lines. How do you like that? So bridges typically transmit physical connectivity (of various types of physical connectivity).
Or, if we think of the Cisco definition, they behave just like a switch because they basically are an older version of a switch, if you think of that sort of thing, where they make forwarding decisions between two segments of a network or a couple of segments of a network based on destination layer two, the Mac address. So repeaters, hubs, switches, and bridges are all things we expect to find in the local area network to connect devices on the land. Then we have a concept called the router. And a router is a device that sits at the edge of your network and connects your network to other networks. And it makes forwarding decisions based on layer 3 addresses, or network addresses. So I’m going to connect this whole network to the Internet, or this whole network across a Wan link to that whole network there. Now it’s a router’s job. A “gateway” is a more generic term. Sometimes when we say “gateway,” we’re referring to routers. It is the thing that gets us onto another network. Sometimes when we say “gateway,” we mean something that translates one protocol to another. So it’s a little bit more of a generic term. We can have a gateway that will translate IP to IPX or a gateway that is a router that will translate Ethernet to PPP. So a “gateway,” though, is generally either a router or a function on a device that translates one kind of protocol to another in a network. Why do we need that translation?
Because networks have all kinds of protocols depending upon the network, sometimes we need to translate from one to the next to get from one network to another. And then finally, we have this concept called a modem. If you have DSL, you know what a modem is. Modems basically make a dial-up connection across the network to some other location. A DSL modem is a type of modem that never turns off. But you still have to authenticate, don’t you? When you first set up a DSL modem, you provide a username and password. In the old days, the old dial-up analogue modems actually picked up the phone, dialled a number, made a connection with the other end, negotiated a speed, and now you had a connection across an analogue line. So that is the idea of a modem that we use to make a connection now; it doesn’t have to be across a telephone system. Cable modems are also available, and with cable TV, your data is treated as a premium TV channel, with one for transmit, one for run, and one for receive.
And the modem then makes a connection between the cable system and your Ethernet LAN. Just so you know what you’re seeing when you see these devices, We’re just going to look at some common examples. Here’s an example of a repeater, and I can see that I have some RJ-45 connections here for Ethernet. I can also see that I have some BNC connections. So this repeater is meant to simply boost the signal so it can go farther. Of course, we can also have wireless repeaters as well.Here are some examples of hubs. You notice a hub—the majority of hubs these days are Ethernet hubs. And you can see the eight-pin RJ-45 connectors here for twisted pair. And these are just a couple of vendor examples. Here are examples of switches. We can see that it’s significantly larger; we could have entire racks of switches here. We can have smaller switches. And you might go, “Gee, that looks a whole lot like this.” Are switches always sort of this greenish gray? Well, that just depends on the vendor. Sometimes it’s really hard to tell the difference. Is this really a hub or a switch? But just by looking at it, unless you can read the product, sometimes you don’t know. But here are some typical examples of switches.
And you can see up-close pictures of where we’ve plugged our cables; these are RJ-45 jacks, and we’re plugging twisted pair. This looks like category five—probably five e connections into RJ-45 jacks with twisted pair cable. very typical for a local area network. You’ll probably recognise these computer cables. This is what you plug into your computer—probably into a port on the wall. Of course, one of the risks of having wired connectivity is that you can have a mess. I’ve been in places that were far worse than this, and they don’t do anything about it until someone trips and some equipment gets yanked down on top of somebody. So part of good management is also good cable management as well.And when you walk into data centres and server rooms, you’ll see trays with all the cabling running along them, with little panels over them, so it’ll be neatly controlled rather than something like this. Here are some examples of bridges. Now this is an example of a wireless bridge. This device is a USB to Ethernet converter.
This is an interesting product here.It’s meant to actually extend the length of your USB cable across an Ethernet link and then back to USB. I thought that was really interesting when I saw it. Here’s an example of ethernet to a power line. It’ll actually plug into your AC outlet there so that you can basically run Ethernet on a power line around the house. So here are some examples of bridges. Here are some examples of routers. The larger professional routers are shown here. The big Cisco routers here are smaller branch office-type Cisco routers: the 7200 series and the 2600 series. Here are the kinds of routers that I expect to see at home. These are wireless routers. So here’s an old link system and a slightly newer one. and you can see the ports on the back. Most of these routers, especially the home ones, will have a little built-in switch inside of them. So there might be a little four-port switch built in right here. And then you plug computers in here, plus it can pick up wireless from laptops and wireless devices, including phones that are on WiFi. And then you plug in your WAN link here. So here are some examples of routers, and here are some examples of firewalls.
The smaller of these are the Cisco ASA firewalls. And here’s another one. a sonic wall. And you might just say, “Gee, it is really hard to tell the difference between these products.” Well yeah, you’re right. Sometimes they look so much alike that it is hard to tell the difference because they all have the same kinds of ports and jacks. And that’s why you have to actually look at the product, the name, and the make and model to see, well, what is it really? Is it a switch? Is it a hub? Is it a firewall? What is it like? I can tell at a glance. I know SonicWall makes firewalls, but if I hadn’t looked closer, if I hadn’t known it was a Cisco ASA, I wouldn’t have realised it was a firewall. And so that’s just sort of a quick look at the different kinds of network devices that you’ll expect to see when you are walking in and doing an audit of an IT department. Of course, there are various types of system software. We know we have operating systems. Windows Server 2012 Red Hat Enterprise Software produces Windows Server 2008. So there are all different kinds.
There are also just database management systems, such as SQL Server or Oracle SQL. There are utilities and tools like the network monitoring tool or system center. So there are a variety of different software types for whole systems, not just simple operating systems. When you are an IS auditor and you walk into an IT department, the things you’re going to want to be looking at are: what is all the hardware they use? Do they even have a network map? Do they even have an inventory of all their hardware? Do they even know what all this stuff does? And have salespeople been plugging in switches and hubs that they bought at the local electronics store? Did they set up rogue wireless access points? What are all the hardware components? and sometimes that’s a lot harder to answer than you might think. And then, how are they using and maintaining all the operating systems? Because there’s going to be more than just Windows, you’re going to have Linux, you’re going to have Mac, and you’re going to have different kinds of Unix.
There are all kinds of flavours there. And also, what about the entire network infrastructure? How are they controlling the traffic in and out to the Internet and to other locations? How do they have their switches and hubs connected? How do they have their routers connected and configured? You’ll want to review the entire network infrastructure. And if hardware is not your particular area of expertise or if network infrastructure is not your particular area of focus, you’ll want to have with you people who really understand network infrastructure as well as hardware and operating system maintenance. And the next thing we’re going to talk about is how to go deeper into networking.
