Absolute addressing, 275, 276
Access
  Control List (ACL), 472
  controls, discretionary, 156
  point (AP), 207
Accounting discrepancies, 487
Accreditation Manual for Hospitals, 9
Achilles configuration, 199
ACL, see Access Control List
Activity
  codes, common, 305
  logs, protection of, 490
Addressing
  absolute, 275, 276
  relative, 275, 276
Address Resolution Protocol (ARP), 211
Administrative support and supplies sub-team, 36
ALE, see Annualized loss expectancy
ALGs, see Application Layer Gateways
Annualized loss expectancy (ALE), 5, 21
Annualized rate of occurrence (ARO), 5, 22
Anticybersquatting Consumer Protection Act, 349
Antivirus software, 2, 103, 153, 190
AP, see Access point
Application
  firewalls, 93
  Layer Gateways (ALGs), 467
  logging, 241
Appropriate Use Policy (AUP), 457
ARO, see Annualized rate of occurrence
ARP, see Address Resolution Protocol
Arpwatch, 211
Asset(s)
  criticality, 20
  definition of, 5
  identification, 455
  protection schedule, 30
  ranking of, 20
  value, 5
Attack(s)
  administrator facilitated, 258
  automated, 212
  common, 136
  denial-of-service, 3, 23, 70
    origin of, 240, 258
    wireless, 211
  financial, 196
  malicious code, 315
  replay, 462
  resistance to, 70
  system, 253
    most frequent, 230
    recognition of, 70
  tools, 213
  types of, 257
  unicode input, 198
  virus, 23
Attacker
  definition of, 5
  identity, 321
Attorney-client communications, e-mail, 64
Audit
  findings, 202
  management planning, 129, 131, 132
  program development, 135
  report, 143, 144
  risk, 130
  trails, 92, 113, 158
Auditing, 111-227
  audit conferences, 145-150
    audit program for small IT department, 147-150
    exit conferences, 146
    opening conferences, 145
    other conferences, 145-146
    summary of audit steps, 146-147
  auditing for masses, 111-113
    auditor responsibilities, 111-112
    authority and responsibility, 113
    documentation, 113
    general controls, 112
    internal controls, 112
    performance checks and accountability, 113
    separation of duties and least privilege, 112-113
    specific controls, 112
  audit management planning, 129-144
    auditing common systems vulnerabilities, 137-143
    audit programs, 132-133
    audit report, 143-144
    audit risk, 130
    audit work papers, 143
    common attacks, 136
    development of audit program, 135
    flawed systems, 136-137
    planning of audit, 130-132
    standard audit programs, 133-134
    useful Internet sites, 136
  auditors, 113-117
    attributes, 114-115
    code of ethics and conduct, 115
    external impairments, 116
    free and independent, 115-116
    organizational impairments, 116
    personal impairments, 116-117
    qualifications, 113-114
  controls, 117-118
  E-commerce Web sites, 214-227
    auditing Windows NT and XP, 227
    auditing workstations, 219-220
    audit program items, 216-217
    chargeback issues, 216
    cookies, 226-227
    credit card authentication, 215-216
    e-mail sent by employees, 224-225
    first steps, 220
    implementing fraud screening to identify high-risk transactions, 217-218
    keystroke monitors, 227
    looking in right places, 225-226
    organizing and searching file systems, 221-222
    settlement, 216
    signs of possible online credit card fraud, 218-219
    unformatting and undeleting, 222
    Windows Registry investigations, 222-224
  evidence collection, 121-129
    flowcharts, 126
    homework, 122-123
    interview analysis, 124
    interviewing for evidence of controls, 123-124
    interview preparation, 122
    interviews, 121-122
    interview steps, 123
    questionnaires, 125-126
    taking care of stakeholders, 128-129
    types of flowcharts, 126-127
  firewall auditing, 204-206
    barbarians at wall, 204-205
    firewall rulebase, 205-206
    logging, 206
  network vulnerability assessments, 171-191
    assessment safety, 176-177
    automated vulnerability tools, 185-187
    discovering character of audit target, 177-180
    domain name server, DNS, and zone transfers, 184-185
    homework, 187-191
    identifying operating systems, 183-184
    IP address confirmation, 176
    rules of engagement, 173-174
    social engineering, 174-176
    system parts that are alive, 180-182
  remote system administration, 202-204
  security measures preventing automated attacks, 212-214
    root tools to gain access, 212-213
    users of attacking tools, 213-214
  specialized auditing matters, 154-171
    access controls, 156
    auditing databases, 154
    auditing UNIX, 163-166
    auditing Windows NT, 168-171
    audit trail controls, 158
    database concurrency controls in distributed environment, 157-158
    database definitions, 154-156
    database existence controls, 158-159
    discretionary access controls, 156
    domain servers, 159-162
    format of /etc/passwd file, 167-168
    format of shadow file, 168
    mandatory access controls, 156-157
    object reuse, 158
    protecting against DNS cache corruption, 162-163
    software controls and update protocols, 157
    UNIX shadow password file, 166-167
  subsystem interaction and reliability, 118-121
    audit procedures, 120-121
    generally accepted government auditing standards, 120
    risks affecting auditors, 119-120
  vulnerability self-assessments, 150-154
    disaster recovery and business resumption, 153
    emergency power management, 152
    employee security awareness training, 154
    environmental conditions, 152
    hardware, 151
    media, 153-154
    network protocols, 152
    physical security, 151
    software, 153
  Web application vulnerability assessments, 191-202
    accidental error messages, 194-195
    Achilles, 199
    audit findings, 202
    audit issues, 202
    automated Web tools, 199-201
    Cookie Pal, 198-199
    get vs. post commands in CGI forms, 196-197
    hidden form elements, 195-196
    HTML examination, 192
    overflow vulnerabilities, 195
    quality control issues, 201
    reporting vulnerability assessment results, 201-202
    testing for indexed directories, 192-193
    unexpected user input, 195
    unicode input attack, 198
    Web page referrer fields, 198
    Web server examination, 193-194
  Windows NT, 227
  wireless networks, 206-212
    auditor considerations for wireless networks, 211-212
    basic wi-fi architecture, 207-208
    cloaking SSIDs, 209
    802.11b headers, 208
    802.11b information packet types, 208
    WEP, 209
    wi-fi audit program features, 209-210
    wi-fi network detection, 208
    wireless denial-of-service attacks, 211
  workstation, 219, 220
Auditor(s), 103
  attributes, 114
  data controls, 104
  disaster recovery, 104
  risk assessment reviews by, 38
  systems development and programming policies, 104
  workstation audit policies, 104
AUP, see Appropriate Use Policy
Authentication, 92, 475