1. IS Auditor Technical Overview
In this lesson, we’re going to talk about all of the technical things you need to know to be an IS auditor. Now, while it would be ideal if you had a Microsoft MCP or a Network+ certification, maybe a Cisco CCNA, to have that technical background, we will cover everything you need to know at a high level and just deep enough so you understand all the technologies involved in information security. We’re going to talk about cryptography and about physical and logical controls. We’ll talk about environmental controls, we’ll talk about network security, and we’re also going to talk about security policies and security design in general. So why don’t we get started? The first thing you need to be aware of is this concept called the CIA triangle.
CIA stands for confidentiality, integrity, and availability. Now, what’s the difference? You do need to know the distinction between confidentiality and integrity. In the case of confidentiality, only the people or processes that have the right and the need to access that thing can get to it. In other words, if you don’t have a need to know, or if this process has no reason to access that database, email, file folder, printer, etc., then it’s not permitted. And we enforce confidentiality with something called authorization. So under confidentiality, access is only granted if you have a legitimate need to know. Now, generally, the military is more interested in confidentiality. On the other side, the private sector is more interested in integrity. It’s not that either one is uninterested in the other, but this tends to be their focus.
With integrity, we guarantee that this piece of data, or this network transmission, or whatever it is, has not been changed in an unauthorised manner. We guarantee that this thing is still intact, whole, unmodified, untouched, not hacked, with no timestamps changed, and that it is the original as it was. That’s integrity. How do we guarantee confidentiality and integrity? Well, there are many mechanisms, and we’ll talk about those in greater detail. But in short, with confidentiality, we prove our identity, we authenticate, and then whatever it is we’re trying to get to—a file folder, printer, database, email, whatever—we get there. That resource, that asset, has an access control list. And when we try to get to it, we see whether or not our authentication, however we’re logged on, has the right to get to it. So we have this concept of being authorised by an access control list. With integrity, we do something to make sure that this file has not changed. In an extreme case, we could encrypt a file to maintain its confidentiality. But for integrity, we don’t necessarily need confidentiality at all; we just need to show that this thing has not been modified in an unauthorised way.
So the very common thing we’ll do is basically use cryptography to protect it. But we’ll do something called a hashing algorithm that we can use to run again to prove that the result now is the same as the result before; therefore, this thing could not have possibly been changed. We’ll explore cryptography, encryption, and hashing in the next topic. So the idea of confidentiality and integrity is really crucial, and then, as a system administrator or a network administrator, it’s really crucial that we make things available. We make these resources available to those who require them (file folders, printers, databases, emails, etc.). Now, that might seem obvious, but sometimes you can overdo it with the confidentiality part. You can set an access control list or a level of access to be so restrictive that you accidentally leave out people who have a legitimate need.
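The hashing idea above, written out as an added example that is not part of the lecture: hash every file under a directory once to get a baseline, then re-run the same hash later and compare. The directory layout and file contents are constructed for the demo; any directory works.

```python
"""File-integrity check with a SHA-256 manifest (constructed example).

The hash proves only that a file is byte-for-byte the same as when the
baseline was taken. It cannot say who changed it or why; that is what
the audit log is for.
"""
import hashlib
import os
from typing import Dict, List


def sha256_of_file(path: str, chunk_size: int = 65536) -> str:
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of_file(full)
    return manifest


def verify_manifest(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree and classify every difference from the baseline.

    Returns sorted path lists under 'modified' (digest differs),
    'missing' (in baseline, gone now) and 'added' (new since baseline).
    An empty result in all three means nothing has changed.
    """
    current = build_manifest(root)
    modified = [p for p in baseline if p in current and current[p] != baseline[p]]
    missing = [p for p in baseline if p not in current]
    added = [p for p in current if p not in baseline]
    return {"modified": sorted(modified), "missing": sorted(missing), "added": sorted(added)}


if __name__ == "__main__":
    import tempfile

    # Constructed demo: take a baseline, tamper with a file, verify again.
    with tempfile.TemporaryDirectory() as tmp:
        report = os.path.join(tmp, "report.txt")
        with open(report, "w") as fh:
            fh.write("Q1 sales: 100000\n")
        baseline = build_manifest(tmp)
        with open(report, "w") as fh:
            fh.write("Q1 sales: 900000\n")   # unauthorised edit
        print(verify_manifest(tmp, baseline))
```

Store the baseline manifest somewhere the people who can edit the files cannot also edit, or the comparison proves nothing.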
So when we do the CIA triangle, we want to make sure that people who need access actually do get access, and they get it in a timely manner, so that they don’t have to be calling you up and saying, “I can’t get into that thing again,” but that they actually can just go into it and get to it, and that the system and the network can provide it in a timely manner as well. We’re always striving for that CIA triangle. So in terms of access control, this is the most common thing that we do in the private sector. We will usually have the operating system on a server. And you can see in this slide that there is a person who is accessing the server. The person proves their identity, and we’ll talk about authentication schemes in greater detail. But you prove your identity either by password or biometrics or by holding some kind of device, and you prove that you are who you say you are. And your session, when you’re on your desktop, is given to you, and the session basically represents everything you do. And so that session allows you to connect to printers, files, and folders, and access your email and whatever else. Part of that session is a token representing you and all of your access rights and all of the groups you belong to.
So when you authenticate, you’ve got this token, and this all happens in the background. As a user, you don’t see it. This is going on in the operating system itself. When you go to access a file or folder, then that file or folder has an access control list on it, and the token is presented in the background of that access control list. And it could be share permissions, NTFS permissions, print permissions, database permissions, email permissions, or whatever. That process will check the identity of your token against the access control list, the ACL, to see what your level of authorization is. So this is the whole concept of access control. Different resources will have different access control lists. So I will log on as me, and I belong to maybe three or five different groups, and all those groups have different levels of privilege. This folder may allow me, in its access control list (ACL), to read, write, and execute. But that folder may only allow me to read because it depends on its contents. And maybe in this folder over here, I have no access whatsoever, so my token stays constant, but my allowed access depends upon what was set in the ACL on the resource I go to. Obviously, one of the things we have to watch out for in hacking is that we’re always trying to elevate our privileges above what our normal access is. And so we want to see if people are accessing things with a privilege level that they shouldn’t have.
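The token-versus-ACL check just described, as an added example that is not from the lecture: one logon token carrying the user and their groups is presented to each resource’s ACL, and the effective rights come out different per resource. The NTFS-style rule that an explicit Deny beats any Allow is an assumption of this model, as are the user, group and resource names.

```python
"""Token-versus-ACL authorization (constructed example).

The token stays constant for the whole session; what changes is the
ACL on each resource it is presented to.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List

READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass(frozen=True)
class Token:
    """Who the session represents: the user plus every group they belong to."""
    user: str
    groups: FrozenSet[str]

    def principals(self) -> FrozenSet[str]:
        return self.groups | {self.user}


@dataclass(frozen=True)
class AclEntry:
    principal: str              # a user or group name
    rights: FrozenSet[str]
    allow: bool = True          # False is an explicit Deny entry


@dataclass
class Resource:
    name: str
    acl: List[AclEntry] = field(default_factory=list)


def effective_rights(token: Token, resource: Resource) -> FrozenSet[str]:
    """Union of rights allowed to any matching principal, minus any denied.

    Deny overriding Allow is the assumed rule here (as in NTFS); other
    systems order or merge entries differently.
    """
    allowed, denied = set(), set()
    for entry in resource.acl:
        if entry.principal in token.principals():
            (allowed if entry.allow else denied).update(entry.rights)
    return frozenset(allowed - denied)


def is_authorized(token: Token, resource: Resource, right: str) -> bool:
    return right in effective_rights(token, resource)


def find_unexpected_admins(tokens: Iterable[Token], approved: Iterable[str],
                           admin_group: str = "Administrators") -> List[str]:
    """Audit helper: users whose token carries the admin group without approval."""
    approved = set(approved)
    return sorted(t.user for t in tokens
                  if admin_group in t.groups and t.user not in approved)


if __name__ == "__main__":
    alice = Token("alice", frozenset({"Sales", "Staff"}))
    sales = Resource("SalesReports", [AclEntry("Sales", frozenset({READ, WRITE, EXECUTE}))])
    hr = Resource("HRFiles", [AclEntry("Staff", frozenset({READ}))])
    for res in (sales, hr):
        print(res.name, sorted(effective_rights(alice, res)))
```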
Are they in a group of administrators that they should not be in? Did they run some kind of hacking tool that temporarily elevated their privilege? So we’re always looking out for that kind of thing, and we can talk later about reviewing logs to look for that kind of access. So access control is a big thing on our mind when we are setting network, server, and system security. As we design security, there are a number of factors that we need to be conscious of. First of all, proving people’s identification. And it’s not just to the computer but also in the building. I have a badge. I’ve got to swipe my badge before I walk in, or people have to recognise me before I walk in, or I have to punch in a code or have my voice recognised or something, or at least sign a book or something for my identity. And of course, it’s only as good as how well you enforce it and how well you monitor it. So I prove my identification, and I authenticate to a computer, because my badge that gets me into a building is probably not going to be the same thing I use to authenticate to a computer. And then what am I authorised to get into? So as we design security, we’re worried about general identification.
People authenticating on systems, as well as the level of authorization for each individual resource. And not only that, but stuff slips through the cracks all the time. People are either not doing what they should be doing or are doing things they should not be doing. So we should have some mechanism for logging all of the access. We should have some accounting and auditing, and all operating systems allow you to set up auditing so you can see who accessed what server, what computer, when they accessed it, and what they did. One disadvantage of reviewing audit logs is that it is not always possible to determine people’s general intent. I mean, the system only knows that this person at this time accessed this particular file and opened it, read it, or changed it. Generally, it can’t tell you what they did to change it or why they were in it in the first place. But at least you have the hard evidence that so-and-so’s account actually got into it. Was that actually the case? That’s a whole other question, because one of the big issues with security is: did somebody log in as somebody else, or did somebody spoof someone’s identity and pretend to be somebody else and then access something? If I were a hacker, I would never be accessing things as myself; I would be pretending to be somebody else.
So basically, it looks like someone else did it. But the auditing and the accounting are all part of your whole security design. So we need people to prove their identity, we need people to authenticate the systems, we need access control and authorization for all the resources, and we need audit logs and accounting so we can check to see what has been going on. And it may not just be looking for misdeeds; it could also be that you’ve got a department of people complaining that they can’t get into this thing. Well, you can look at the audit log and see that, yes, 20 people yesterday tried to access and had access denied, yet they had a legitimate need. Or we do the auditing just to see how much traffic is going to that thing, whatever that thing is, that file folder resource, so we can see whether or not it’s actually in use or not. So auditing and accounting aren’t just for security; they’re also for performance and to see if people can access what they need to access when they need to access it. The following topic will be security design, as well as checklists of what we need to be aware of when securing various parts of our network.
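An added example of the kind of log review these two paragraphs describe; it is not code from the lecture, and the key=value audit format, the users, and the resources are all constructed. It answers the three questions raised above: which resource is turning legitimate users away, who was added to a privileged group (and what they touched while in it), and which resources are actually being used.

```python
"""Audit-log review for an IS audit (constructed example).

Real systems write their own formats; the parser here assumes a
timestamp followed by space-separated key=value fields with no spaces
inside values.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample records for the demo.
SAMPLE_LOG = r"""
2024-05-06T09:01:12 event=ACCESS user=alice resource=\\fs01\sales action=read result=DENIED
2024-05-06T09:01:40 event=ACCESS user=dave resource=\\fs01\sales action=read result=DENIED
2024-05-06T09:02:05 event=ACCESS user=erin resource=\\fs01\sales action=read result=DENIED
2024-05-06T09:05:30 event=ACCESS user=carol resource=\\fs01\sales action=write result=ALLOWED
2024-05-06T09:30:00 event=ACCESS user=bob resource=\\fs01\archive2019 action=read result=ALLOWED
2024-05-06T09:40:00 event=GROUP_CHANGE user=bob group=Administrators change=ADDED by=helpdesk1
2024-05-06T09:40:30 event=ACCESS user=bob resource=\\fs01\payroll action=read result=ALLOWED
2024-05-06T09:41:00 event=GROUP_CHANGE user=bob group=Administrators change=REMOVED by=helpdesk1
2024-05-06T10:15:22 event=ACCESS user=bob resource=\\fs01\payroll action=read result=ALLOWED
"""

Event = Dict[str, str]


def parse_line(line: str) -> Event:
    """'<ts> key=value key=value ...' -> dict including 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = ts
    return fields


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def denied_users_by_resource(events: Iterable[Event]) -> Dict[str, int]:
    """Resource -> number of distinct users denied.

    Many distinct users denied on one resource usually means an
    over-restrictive ACL (the 'department can't get in' complaint),
    not an attack; one user denied on many resources is the other case.
    """
    denied = defaultdict(set)
    for e in events:
        if e.get("event") == "ACCESS" and e.get("result") == "DENIED":
            denied[e["resource"]].add(e["user"])
    return {res: len(users) for res, users in denied.items()}


def resource_usage(events: Iterable[Event]) -> Counter:
    """Allowed accesses per resource; a resource with no hits may be unused."""
    return Counter(e["resource"] for e in events
                   if e.get("event") == "ACCESS" and e.get("result") == "ALLOWED")


def privileged_group_changes(events: Iterable[Event],
                             watched: Tuple[str, ...] = ("Administrators",)) -> List[Tuple[str, ...]]:
    """Every add/remove on a watched group, in log order, for follow-up."""
    return [(e["ts"], e["user"], e["group"], e["change"], e["by"])
            for e in events
            if e.get("event") == "GROUP_CHANGE" and e.get("group") in watched]


def actions_while_elevated(events: Iterable[Event], group: str = "Administrators") -> List[Tuple[str, str, str]]:
    """Accesses made between an ADDED and the matching REMOVED record for `group`.

    A short-lived membership with activity inside it is exactly the
    'temporarily elevated privilege' pattern worth asking about.
    """
    elevated, hits = set(), []
    for e in events:
        if e.get("event") == "GROUP_CHANGE" and e.get("group") == group:
            (elevated.add if e["change"] == "ADDED" else elevated.discard)(e["user"])
        elif e.get("event") == "ACCESS" and e["user"] in elevated:
            hits.append((e["ts"], e["user"], e["resource"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("denied by resource:", denied_users_by_resource(evs))
    print("usage:", resource_usage(evs))
    print("admin changes:", privileged_group_changes(evs))
    print("while elevated:", actions_while_elevated(evs))
```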
2. Security Design
Let’s now talk about security design, and I’d really like to talk about where you can get checklist templates for your security policies. It all starts with a policy. If you don’t list out what you’re trying to do security-wise, then how can you know that you’ve accomplished it? You’ve got to have a security policy. The policy can be one page or a hundred pages. It can have subsections for every part of your network and your systems, or it can just be very simple. It really depends on your needs. If you’re a larger organization, your security policy will probably be pretty complex. If you’re a small mom-and-pop shop, your security policy will probably be very, very simple. So the first thing I’d like to do is share with you folks where you can go to get free downloadable security templates if you go online to Sans.org.
Sans.org is an organisation of security professionals, and they give away free downloadable information security policy templates. And when we look here, we can see that there are many templates for many different needs. Computer security policies, desktop security policies, email policies, and HIPAA security policies are all examples of such policies. I worked in health informatics, and I still do, and so I’m concerned about patient privacy. There are also internet security policy, mobile user, network, physical, et cetera. So you can get all of these, as well as white papers and other materials. So, for example, if we were to look at the wireless security policy, then we can see examples with guidelines. So let’s just take a look at an example here, and you can download these resources and use them just as checklists to see and determine whether or not they’re applicable to you. But this is a really good resource to guide you if you’re just going, “Okay, where do I start?”
So I encourage you to get these. It’s not something you need to know for the exam, but when you’re in the field, you should be able to have policy templates handy. Now I want to make a comment here also, and this is for management especially. It’s one thing to have a policy, but you are not exercising due care and diligence if you don’t also train your people. And in fact, the requirements of due care and diligence require that you train people according to the level of responsibility required by their job. And so, for example, I’ve seen many times where management will just send out an email saying, “Go take this training on our website, go read this,” and then say people acknowledged it, even though they don’t understand what it is. You actually have to take time to train people. Now, whether the training is online training or whether they go to a class or something like that, you have to train them.
And not only that, you’re not doing due diligence if you don’t regularly refresh their training. And there are some federal regulations that require you to train your people based on their jobs to whatever level their job requires and require you to regularly refresh that training. So please bear that in mind as well. It’s not enough just to say, “Go read this and sign it,” “Go view this,” or whatever. Sometimes people don’t even notice the email. So in a court of law, you’ll still be liable because you didn’t exercise care and due diligence. So if we go back to our slides, let’s talk about security design techniques. We already know that there are a whole slew of templates that we can use as checklists to download different security policies.
Start with a policy. Look for everything that you’re trying to protect. Remember how we were talking about risk-based approaches to security? So the very first thing is, what is it that you have that you’re trying to protect? We’ve got these servers, these folders, and this data. Remember, you’re not protecting just data; you’re not protecting just hardware. You’re also protecting processes, people, and proprietary information. Maybe you have the secret formula for some kind of food or something. You’ll have trademark stuff. So you’re protecting documentation; you’re protecting all kinds of things. And auditing is not just about protecting what’s on a computer; it’s also about who can gain access to those computers. It’s the training that people have. It’s their awareness of how to work with computers and the awareness of the security involved with everything, including the environmental, physical, and electronic controls: the cameras, the locks, and the keypads on doors.
So, now that you’ve got a big list, inventory everything you have and get a lot of people involved in this, get a big inventory, sort of categorise what it is, then look at, okay, what are the risks? Now remember, we talked about risks before. Let’s say I have, okay, I’ve got these servers. What are the risks to these servers? Identify those risks. Well, the servers could be stolen, the hardware could fail, or there could be a lightning strike that gets past the UPS and blows up the power supply or the motherboard. That has happened. In fact, I was on this one job site in another nation, and there was a big storm that blew out computers in half a town that were part of this whole sort of government installation. It could get a virus, it could be hacked, or someone could steal a part of it. I came into a site one day, and someone had opened up a server and taken the motherboard. That seems funny, but that sort of thing does happen. The data could be accidentally deleted or corrupted somehow.
So you just go down the line and list all the possible threats and risks to every asset that you have. And not all risks have a very high threat level. Remember how we were talking about wanting to either assign a dollar value to the risk or qualify it based on the probability and the impact? So, while we can’t put a dollar value on something, we know that the probability on a scale of one to ten is usually a nine, and the impact is an eight. And of course, this is a subjective judgement, but you basically get the opinion of a bunch of informed people. So you know what’s more important than something else? Some things can clearly be assigned a monetary value. You can say, “Remember that big virus attack?” We had that one year, and it took us out for three days, and the database server was down for three days. Ordinarily, the sales guys generate $100,000 of new business every day, so that was $300,000 just in lost sales. Plus, it took our entire department of ten people.
And you can actually put a dollar value on it. And remember, as I’ve said before, when you quantify something with a dollar value, don’t just have the hard costs. Include all of the man hours of people who were not doing their job but were taken away from something else to do this. So include all the soft costs as well. So determine what it is you have, what the risks to it are, what the impact of the threat is, and how big the threat is in dollar value, probability, and impact. And so you know where to put your focus. Also, when you’re looking at stuff, like data, you need to classify that data. So you need to look at all the assets and say, “Okay, is this public information?” Is it sensitive? It could be sales reports; is it confidential? Like patient information? Is it classified, where we really don’t want people to see it? Is it top secret, like the formula for Coca-Cola or something? So you want to classify that, because that will also help determine how important that thing is and how much effort you should put into protecting it. And while you’re doing it, you have to think about not only how sensitive the data is—do a sensitivity analysis—but also the privacy impact. Because I can tell you, working in health, it only takes two pieces of information to identify a person.
And so, like, I was in a place where there was a clinic, and a colleague’s wife gave birth, and you wouldn’t think anything of it. But at that point in time, at that clinic, with her age group, it was easy to identify who she was. Well, in that particular situation, because we were working in an African nation, all clinics were required to identify people’s HIV status as well. It took very little effort to find out her HIV status. And that was published too. And I’m always amazed at how easy it is to figure out someone’s identity from people who don’t understand this, who don’t work in fields like epidemiology or with sensitive data. And they’ll say, “Oh, people will never know.” Oh, yes, they will. And with very little effort, they’ll figure it out. We’re in the United States and many other countries. We’re very, very concerned about people’s privacy. So you also have to consider what the privacy impact of this information is.
So these are all the things you need to keep in mind when you’re designing your security. Have those templates, categorise what you have, determine the risk and the threat level, and always know what the sensitivity of the data is and what the identifiability of that data is to people’s privacy as well. So, when you set up your information security program, you’ll be concerned not only with technical aspects such as what firewall you have, what antivirus you have, what intrusion detection you have, what operating system you have, what access controls you have—but also with operational aspects such as, “Okay, folks, do not piggyback behind people when someone swipes their badge to get in.” Don’t have five other people come behind them. Or when you do this, always log in when you do that; always punch in when you do this; always, always do something. And don’t expect people to memorize. You need to post this stuff everywhere. And when you’re trying to get people to agree to support security, it really comes down to the people at the department level. They’re the ones who, in their day-to-day lives, support security. Give them carrots as well as sticks.
This department has gone a whole month without any security breaches that we’ve detected. As a result, the department will receive a small reward. Get people to take ownership of it, and you’ll be amazed at how well they do. Anytime you can empower people to take ownership of security, get them to understand that, hey, when you set up a wireless access point, it’s not just in this room. We can sit down the road two miles away in a Porsche Cantana and pick up that signal. You know, and we’ve certainly seen people do it. So, you know, educate people and reward them when they do well, as well as have enforcement, and they’ll really perform for you. So be aware of the technical, the operational, and the procedural. What are the procedures we follow? When people do the same thing day in and day out, they have a tendency to cut corners, but you have those clear procedures for a very specific reason. And you must always emphasise the importance of it to others. Generally, it’s only security professionals who understand just how critical that becomes. Your average user is interested in making sales or doing their day-to-day work. They don’t know the impact of always following the same procedure.
So make sure that they do it and that you reward them for doing it. So all of these measures that you’re going to be setting up in your security programme apply to all activities, projects with time limits, any starting initiatives, and all the resources you have, and realise that people and documentation are resources just as much as hardware, software, servers, and physical infrastructure. So be aware of all of those things when you’re setting up your security program. And like I said, use those templates as a starting point to help you organise this. And as an IS auditor, we’re looking to see: Did they do all this? Now, obviously, if it’s a mom-and-pop donut shop, they’re not going to go through loads of security templates, but what was appropriate for them? And as an IS auditor, we need to see: Did they do this? If they did it, then they did it with care and due diligence. Did they do what a reasonable person would do? Everything that a reasonable person would do to protect the assets as much as possible. So the next thing we’re going to talk about is security monitoring.
3. Monitoring Systems
Let’s now talk about monitoring systems. When you are auditing, you might very well want to look at the logs from monitoring systems. You might want to say, “Okay, can I see the log for who got into that particular database?” Can I see the network log? Can I see the IDS log? Can I see the firewall log? Can I see whatever this or that log is? It’s important that in any network environment, besides the very smallest, there is some kind of logging, and all firewall products have logging. All operating systems have the ability to turn on logging for this, this, and this.
So let’s talk about logging, scanning, and monitoring. Part of what you may do if you get into something very technical, like looking at network security or system security, is indeed do vulnerability scans, and we’ll talk about those in greater detail later. But you’ll want to scan systems and networks, and you’ll want to also look at just regular logging. And you should also have monitoring. In general, a good system administrator or network administrator is going to have some kind of logging or general monitoring, possibly even a console, that they look at on a regular basis. If we look at some examples of scanning, such as this one, we can see that it is simply a monitoring console. We can see host and service statuses. We can see details, and we can tell at a glance. Typically, these monitoring consoles will be able to show us at a glance what is critical and what is good. So then, usually, you can click these things and get more details. So here is one example of a console for monitoring. Here’s another example of a tool that we can use to look for wireless access availability.
Maybe we’re looking for rogue wireless access points, and people do it for convenience. I mean, I’ve walked into a place, and the general manager put a wireless access point on a file cabinet down the hall because he wanted to be able to just go into a conference room and provide wireless capability. The problem is that, of course, that radiant signal went way out beyond the building, and all you had to do was sit in a parking lot with a directional antenna and just start picking it up. And you could get right into the files and folders and whatever. I’ve seen people aim down a freeway from 2 miles away with a cannon that cost $70 or $10 to build, get into proprietary data, look at spreadsheets, and other things like that. So here’s another example of where we might look for wireless access points. Here’s another thing where we can get different kinds of reports. So different monitoring consoles and tools will show different things. As an IS auditor, you’ll be interested in looking at the logs and also looking to see what people are monitoring or whether they are actually taking a look at what’s going on in their network, their services, their servers, and their systems, not just for security’s sake but also for performance as well. Because if we have a certain requirement for security, we’ve got to be able to prove that we are maintaining that security and that we’re monitoring for it. So the idea of monitoring is really important. In addition, you’ll periodically have to scan a system for vulnerabilities. And there are all kinds of scanners.
Some are more intrusive than others. Some are very expensive, and some are free. And there are a number of good free ones available where you can basically scan the network or scan systems, and you’re looking for open ports. Basically, a port is how you can connect to a specific service on a server across the network. And you’ll look for ways to get into a system across a network. So a very simple example of that would be like this simple port scanner, where I’m going to basically scan my own machine to look for any open ports. The open ports themselves don’t necessarily mean there’s a vulnerability, but they do mean the server is willing to accept a connection on that port. And so I can see as I drill down that I have three open ports and a certain number of closed ports as well. And I can see here that this server is accepting Microsoft remote procedure calls, as all Microsoft machines do. It is listening on TCP 139, the old NetBIOS-based SMB port. In other words, file and print.
In addition, on newer CIFS and LSA login port 445. Right now, I can deduce immediately that this is a Microsoft machine because Microsoft machines use these specifically as opposed to others. And I can also see that other ports were closed. Now, is that a vulnerability? It is a point of access. The next question is, “Is the service that’s listening on that port vulnerable?” Because I can go up and get that service’s attention and say, “Hi,” I’d like to make a connection and start a session. But now that I’ve begun a session, am I able to do anything with that service? So scanning across the network on a system, whatever this is, is a common thing that you’ll do when you’re doing auditing, looking at logs from monitoring consoles. A very, very common sort of thing that we will do when we’re an IS auditor is, after we’ve been looking, after we’ve been scanning for vulnerabilities, after we’ve been monitoring logs and looking at monitoring logs, we can, of course, do a review.
And not only that, but we’ll need to periodically update the results of our findings. So, did you perform a vulnerability scan? Yeah. How long ago was that? Six months ago. Okay, let’s maybe update that scan, and then we’ll have to manage what we discover. Most scanners, unless they’re the really cheap ones that are really free, will also have recommendations on what you can do about the vulnerabilities that are discovered. Most of them even have links or will tell you some specific knowledge base number or other information about it so you can take action. And as we’re looking at all of this, as we’re scanning and monitoring, we are indeed trying to identify what the potential threats and weaknesses are, or what has happened.
We’re trying to identify not only that we saw a vulnerability but also that this is a kind of activity that shouldn’t have happened, that’s unusual activity, and therefore we’ll investigate further. So we’re on the lookout for these kinds of things. As much as you can automate some of this scanning and monitoring, that’s better because there’s so much data that automated tools can help you crunch that data down a whole lot quicker and get to what you need to see a lot faster. And then, of course, we’re always looking at why we even did this. Why did we even install this server? Why did we even put up this firewall? Why do we even have that connection? We’re looking at the business driver behind it. And this is for network people and server administrators, folks.
And this is my background too. Once upon a time, what we did was simply a cost to the business. And once upon a time, if they could have gotten rid of us to get rid of that cost, they would have. Now the thinking from all the way up to top management is changing. And astute upper management recognises this, it is no longer just a cost center, a necessary evil, or whatever. It is actually something that assists the whole business in achieving its business objectives. So therefore, everything we do—all the purchases, all the things we set up, everything we configure—has to be aimed at supporting that business objective. As a result, we are constantly looking at the business drivers behind this.
And so these are the things that we need to monitor—not just simply port scans, but why did we even do it? And as an IS auditor, why did they do that? Were they thinking about the business? Were they supporting the business when they did that? Because our whole thing is: What are the business objectives? What are the controls in place, and are they being implemented properly? So, why did you go out and purchase 20 servers? Ah, you needed it because you needed to build out your data center. Okay, got it. So as we develop our whole security architecture, we’ll be thinking about the physical architecture and the logical architecture. So when we talk about physical, of course we’re talking about where we’re placing the cables. Let me tell you a story about one place. I went into this one place, and they had lost connectivity up on the fifth floor. And the question is, why did they lose their T1?
Tomorrow they had a video conference, so why did they lose that? So we went into the phone room just to take a look, and I had my telephone toner. We were looking around, and there were just so many clients in that building, it was hard to trace where anything was. We eventually located the one punch block where the cables for the T1 for that specific suite went. And the building engineer came in. This is a Sunday, and he comes up and says, “What are you guys doing?” And we said, “Oh, well, we’re trying to trace out why this particular suite, this office, lost their Internet connectivity.” And he says, “You know what? There was a phone guy here on Friday, working right where you are right now.” So we went, “Oh,” and groaned. Someone bumped into something, broke something, and we just found out from the building engineer that someone was there before us. One of the problems, of course, is that when you’re in a building, if you don’t own the entire building, you’re sharing a telecommunications closet with everybody else, all the other customers. As a result, you never know who comes and goes. I mean, when we got there, the phone room door was propped open on a Sunday. Nobody was there, and anybody could walk in.
So you’re concerned about where cables are physically located; you’re concerned about things being locked. I mean, I’ve been to plenty of places on a hot weekend afternoon. The door to the server room is propped open, and there’s no one around. You’re worried about the fences and the lighting and all the perimeter security, and you’re worried about whether the guard’s presence is extended by the use of cameras. What kinds of door locks do we have? Are the locks working? As a result, you’re always on the lookout for it. Do we have redundant systems? Do we have multiple power supplies? Do we have a generator, or something that can provide power? Do we have downs? What do we have? Because it’s not just people breaking in, but there will be some kind of natural thing or a spike in power, so we need to kick in the generator.
So you’re going to be looking for redundant systems as well as just flat-out physical security. And then, of course, in the logical architecture, you’re going to be worried about what processes we go through, what our procedures are, what our guidelines are, what our standards are, and what software we use to secure and control things. But not only that, in terms of process, what do we do with printed documents? I mean, I was at this one health facility where a district health officer went to train the local staff. It was a small location, and they used live data to basically show some things; they had printed out some live patient data, including HIV status. And then it was okay. The staff had the right to see all that stuff, and the district health officer had the right to see certain things. But they left the printout lying around, and the next thing they knew, an unauthorised person found it. And the next thing they knew, they were hearing about it on the local radio station, where the local radio station DJs were mocking them, saying they had left printouts with patient information around.
So, I mean, you have to worry about what you do in your process, what you do with documents that are private and confidential, what logical network access restrictions we have, and also how you report things and escalate things. So when you do this, start with what you’re trying to protect and how you run your business. That’s really it. How do you run your business? What are the day-to-day procedures? And then what can you do to protect every process, everything people touch, and everything people access? And as an IS auditor, you need to see: Did they think this through? Do they have procedures for protecting everything people touch and do? And at what point do they decide that the risk is just residual risk? When they’ve thought all that stuff through, then they’ve done their due diligence. And so that is going to be one of the things you’re going to be concerned about when you’re looking at information security architecture. Now, the next thing we’ll talk about is specific types of attack methods and techniques.