Exam Objectives Fast Track

Security Audits

  • Security audits are driven by both internal and external factors:

    • Internal examples: quality of service, shareholder return, and customer confidence

    • External examples: industry regulatory requirements, law or legislation

  • Separation of duties requires that critical functions be split among different personnel so that no one person has the capability to introduce (willingly or through negligence) critical errors into a system without another person's involvement.

  • An auditor is not necessarily a security expert, but should have an understanding of the areas that they are auditing. Auditors and IS/IT personnel should work together for the good of the organization.

  • Preventative controls are intended to inhibit persons or processes from being able to initiate actions or activities that could potentially violate the policy for which the control was devised.

  • Detective controls are intended to identify actions or activities from any source that violates the policy for which the control was devised. Detective controls often act as a trigger for a corrective control.

  • Corrective controls are intended to act upon a situation where a policy has been violated. Often called countermeasures, corrective controls can act in an automated fashion to inhibit the particular action or activity that violated a policy from becoming more serious than it already is.

  • Directive controls are intended to initiate or ensure that particular actions or activities take place. These are often set by administrators or management personnel to ensure that the requisite actions or activities for maintaining a policy or system integrity take place.

  • Like corrective controls, recovery controls are intended to act upon a situation where a policy has been violated. Rather than acting on the factors that arose from the violation, however, recovery controls attempt to restore the affected system or processes to their original state.

Auditing Methods

  • Checklist audits use a predefined checklist to gather information about the system or process being audited, recording a pass or fail mark for each audit item.

  • CAATs will facilitate the gathering and/or analysis of audit data as it is accumulated. A CAAT can save a lot of time when dealing with a very large infrastructure.

  • Penetration testing tests security directly by performing the actions a real hacker or cracker would attempt, in order to determine whether such an attack would succeed.

  • Wardialing is the utilization of a tool to dial a series of telephone numbers looking for a modem in auto-answer mode. Some tools can also try to break into username/password prompts.
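A checklist audit of the kind described above is easy to script, and a script that records a pass or fail mark per item is also the simplest form of a CAAT. The following is an added example, not code from the study guide: it runs a short checklist of sshd directives against a constructed sshd_config. The file contents, the directives chosen and the expected values are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the study guide): a minimal checklist audit that
# marks each item PASS or FAIL against a constructed sshd_config.
# File contents, checklist items and expected values are assumptions.

# Constructed sample configuration, standing in for /etc/ssh/sshd_config.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication no
# MaxAuthTries 6
X11Forwarding yes
EOF

# check_item <file> <directive> <expected>: prints PASS or FAIL for one
# checklist item. A commented-out or absent directive counts as FAIL,
# because the auditor cannot show that the control is actually in force.
check_item() {
    file=$1; directive=$2; expected=$3
    actual=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$file")
    if [ "$actual" = "$expected" ]; then
        echo "PASS"
    else
        echo "FAIL"
    fi
}

# run_checklist <file>: evaluates every item, prints a scorecard line per
# item and returns the number of failures, so the exit status doubles as
# the audit's overall pass/fail result (0 means every item passed).
run_checklist() {
    file=$1
    failures=0
    while IFS='|' read -r directive expected; do
        result=$(check_item "$file" "$directive" "$expected")
        printf '%-4s %-24s expected=%s\n' "$result" "$directive" "$expected"
        [ "$result" = "PASS" ] || failures=$((failures + 1))
    done <<'EOF'
PermitRootLogin|no
PasswordAuthentication|no
MaxAuthTries|4
X11Forwarding|no
EOF
    return "$failures"
}

if run_checklist "$SAMPLE_CONFIG"; then
    echo "audit passed"
else
    echo "audit failed: $? item(s) did not pass"
fi
```

Keeping the checklist as data rather than as code is what makes the same script reusable across a large infrastructure: the items can be reviewed by an auditor who is not a systems expert, and the script can be re-run after each audit cycle to feed a scorecard.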

Audit Data Sources

  • The audit subsystem of an information system provides very technical, low-level detail of what exactly happens on that system. This information can range from specific calls to functions or drivers that affect hardware to simple authentication events.

  • Normal user activities such as logging in or creating a new file can be recorded to the system log. This is one of the more common sources of audit data.

  • Through data sampling and extraction, specific, useful information can be derived from data that at first seems uninformative. All audit data can be useful; the question is how it can be applied.

Monitoring Methods and Mechanisms

  • Once an audit has been completed, scorecards are often prepared showing the results of the audit. By comparing the results of sequential audits, one can monitor how an organization has improved (or weakened) in the area in which the audit was applicable.

  • Intrusion detection is a method of actively monitoring networks and information systems for specific or anomalous behavior that violates a policy:

    • Pattern recognition looks for specific activities.

    • Anomaly detection looks for activities that are outside the expected norm.

  • Log watching is the monitoring of log files for specific activities. There are many tools available for searching through logs, some automated and some that require manual efforts. The UNIX tool grep is among the most useful of the command line tools.
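The two intrusion detection approaches listed above (pattern recognition and anomaly detection) and log watching with grep can be shown in one short script. The following is an added example, not code from the study guide: it scans constructed sshd log lines, first for a fixed signature (failed password attempts against root) and then for any source address whose failure count exceeds a threshold, which no fixed string could express. The log lines, the 10.0.0.x addresses and the threshold of three failures per source are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the study guide: log watching with grep and awk
# over constructed sshd log lines. The log lines, the 10.0.0.x addresses
# and the threshold of 3 failures per source are all assumptions.

# Constructed sample log, standing in for /var/log/auth.log or similar.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jan 12 08:01:02 host1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jan 12 08:01:40 host1 sshd[2210]: Failed password for root from 10.0.0.9 port 40111 ssh2
Jan 12 08:01:41 host1 sshd[2210]: Failed password for root from 10.0.0.9 port 40111 ssh2
Jan 12 08:01:43 host1 sshd[2210]: Failed password for root from 10.0.0.9 port 40111 ssh2
Jan 12 08:01:45 host1 sshd[2212]: Failed password for invalid user admin from 10.0.0.9 port 40120 ssh2
Jan 12 08:02:10 host1 sshd[2230]: Failed password for bob from 10.0.0.7 port 50001 ssh2
Jan 12 08:02:30 host1 sshd[2231]: Accepted password for bob from 10.0.0.7 port 50002 ssh2
Jan 12 08:03:00 host1 sshd[2240]: Accepted publickey for carol from 10.0.0.8 port 50100 ssh2
EOF

# Pattern recognition: a fixed signature. Count lines matching a known bad
# event (here, any failed password attempt against the root account).
count_root_failures() {
    grep -c 'Failed password for root from' "$1"
}

# Anomaly detection: there is no fixed string to look for. Instead, count
# failures per source address and flag any source above the baseline
# threshold, which catches the "invalid user admin" attempt as well.
# Prints "<address> <count>" per flagged source, sorted.
flag_noisy_sources() {
    file=$1; threshold=${2:-3}
    grep 'Failed password' "$file" \
      | awk -v t="$threshold" '
          { for (i = 1; i <= NF; i++) if ($i == "from") src[$(i+1)]++ }
          END { for (s in src) if (src[s] > t) print s, src[s] }' \
      | sort
}

echo "root failures (signature match): $(count_root_failures "$SAMPLE_LOG")"
echo "sources over threshold (anomaly):"
flag_noisy_sources "$SAMPLE_LOG" 3
```

The signature check misses the attempt against the nonexistent admin account because it is not looking for it, while the anomaly check flags 10.0.0.9 on volume alone; a single legitimate typo from 10.0.0.7 stays below the threshold. Choosing that threshold from a baseline of normal activity is the hard part of anomaly detection, and the reason the two methods are usually run together.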



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
