Index

A

Absolute addressing, 275, 276
Access
    Control List (ACL), 472
    controls, discretionary, 156
    point (AP), 207
Accounting discrepancies, 487
Accreditation Manual for Hospitals, 9
Achilles configuration, 199
ACL, see Access Control List
Activity
    codes, common, 305
    logs, protection of, 490
Addressing
    absolute, 275, 276
    relative, 275, 276
Address Resolution Protocol (ARP), 211
Administrative support and supplies sub-team, 36
ALE, see Annualized loss expectancy
ALGs, see Application Layer Gateways
Annualized loss expectancy (ALE), 5, 21
Annualized rate of occurrence (ARO), 5, 22
Anticybersquatting Consumer Protection, 349
Antivirus software, 2, 103, 153, 190
AP, see Access point
Application
    firewalls, 93
    Layer Gateways (ALGs), 467
    logging, 241
Appropriate Use Policy (AUP), 457
ARO, see Annualized rate of occurrence
ARP, see Address Resolution Protocol
Arpwatch, 211
Asset(s)
    criticality, 20
    definition of, 5
    identification, 455
    protection schedule, 30
    ranking of, 20
    value, 5
Attack(s)
    administrator facilitated, 258
    automated, 212
    common, 136
    denial-of-service, 3, 23, 70
        origin of, 240, 258
        wireless, 211
    financial, 196
    malicious code, 315
    replay, 462
    resistance to, 70
    system, 253
        most frequent, 230
        recognition of, 70
    tools, 213
    types of, 257
    unicode input, 198
    virus, 23
Attacker
    definition of, 5
    identity, 321
Attorney-client communications, e-mail, 64
Audit
    findings, 202
    management planning, 129, 131, 132
    program development, 135
    report, 143, 144
    risk, 130
    trails, 92, 113, 158
Auditing, 111-227
    audit conferences, 145-150
        audit program for small IT department, 147-150
        exit conferences, 146
        opening conferences, 145
        other conferences, 145-146
        summary of audit steps, 146-147
    auditing for masses, 111-113
        auditor responsibilities, 111-112
        authority and responsibility, 113
        documentation, 113
        general controls, 112
        internal controls, 112
        performance checks and accountability, 113
        separation of duties and least privilege, 112-113
        specific controls, 112
    audit management planning, 129-144
        auditing common systems vulnerabilities, 137-143
        audit programs, 132-133
        audit report, 143-144
        audit risk, 130
        audit work papers, 143
        common attacks, 136
        development of audit program, 135
        flawed systems, 136-137
        planning of audit, 130-132
        standard audit programs, 133-134
        useful Internet sites, 136
    auditors, 113-117
        attributes, 114-115
        code of ethics and conduct, 115
        external impairments, 116
        free and independent, 115-116
        organizational impairments, 116
        personal impairments, 116-117
        qualifications, 113-114
    controls, 117-118
    E-commerce Web sites, 214-227
        auditing Windows NT and XP, 227
        auditing workstations, 219-220
        audit program items, 216-217
        chargeback issues, 216
        cookies, 226-227
        credit card authentication, 215-216
        e-mail sent by employees, 224-225
        first steps, 220
        implementing fraud screening to identify high-risk transactions, 217-218
        keystroke monitors, 227
        looking in right places, 225-226
        organizing and searching file systems, 221-222
        settlement, 216
        signs of possible online credit card fraud, 218-219
        unformatting and undeleting, 222
        Windows Registry investigations, 222-224
    evidence collection, 121-129
        flowcharts, 126
        homework, 122-123
        interview analysis, 124
        interviewing for evidence of controls, 123-124
        interview preparation, 122
        interviews, 121-122
        interview steps, 123
        questionnaires, 125-126
        taking care of stakeholders, 128-129
        types of flowcharts, 126-127
    firewall auditing, 204-206
        barbarians at wall, 204-205
        firewall rulebase, 205-206
        logging, 206
    network vulnerability assessments, 171-191
        assessment safety, 176-177
        automated vulnerability tools, 185-187
        discovering character of audit target, 177-180
        domain name server, DNS, and zone transfers, 184-185
        homework, 187-191
        identifying operating systems, 183-184
        IP address confirmation, 176
        rules of engagement, 173-174
        social engineering, 174-176
        system parts that are alive, 180-182
    remote system administration, 202-204
    security measures preventing automated attacks, 212-214
        root tools to gain access, 212-213
        users of attacking tools, 213-214
    specialized auditing matters, 154-171
        access controls, 156
        auditing databases, 154
        auditing UNIX, 163-166
        auditing Windows NT, 168-171
        audit trail controls, 158
        database concurrency controls in distributed environment, 157-158
        database definitions, 154-156
        database existence controls, 158-159
        discretionary access controls, 156
        domain servers, 159-162
        format of /etc/passwd file, 167-168
        format of shadow file, 168
        mandatory access controls, 156-157
        object reuse, 158
        protecting against DNS cache corruption, 162-163
        software controls and update protocols, 157
        UNIX shadow password file, 166-167
    subsystem interaction and reliability, 118-121
        audit procedures, 120-121
        generally accepted government auditing standards, 120
        risks affecting auditors, 119-120
    vulnerability self-assessments, 150-154
        disaster recovery and business resumption, 153
        emergency power management, 152
        employee security awareness training, 154
        environmental conditions, 152
        hardware, 151
        media, 153-154
        network protocols, 152
        physical security, 151
        software, 153
    Web application vulnerability assessments, 191-202
        accidental error messages, 194-195
        Achilles, 199
        audit findings, 202
        audit issues, 202
        automated Web tools, 199-201
        Cookie Pal, 198-199
        get vs. post commands in CGI forms, 196-197
        hidden form elements, 195-196
        HTML examination, 192
        overflow vulnerabilities, 195
        quality control issues, 201
        reporting vulnerability assessment results, 201-202
        testing for indexed directories, 192-193
        unexpected user input, 195
        unicode input attack, 198
        Web page referrer fields, 198
        Web server examination, 193-194
    Windows NT, 227
    wireless networks, 206-212
        auditor considerations for wireless networks, 211-212
        basic wi-fi architecture, 207-208
        cloaking SSIDs, 209
        802.11b headers, 208
        802.11b information packet types, 208
        WEP, 209
        wi-fi audit program features, 209-210
        wi-fi network detection, 208
        wireless denial-of-service attacks, 211
    workstation, 219, 220
Auditor(s), 103
    attributes, 114
    data controls, 104
    disaster recovery, 104
    risk assessment reviews by, 38
    systems development and programming policies, 104
    workstation audit policies, 104
AUP, see Appropriate Use Policy
Authentication, 92, 475

Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144
