
Control for

Information
Security

Chapter 5

8-1
https://www.youtube.com/watch?v=1R7L_7erkCI

2
Trust
Services
Framework

3
Trust Services Framework

Security
• Access to the system and data is controlled and restricted to legitimate users.

Confidentiality
• Sensitive organizational data is protected.

Privacy
• Personal information about trading partners, investors, and employees is protected.

Processing integrity
• Data are processed accurately, completely, in a timely manner, and only with proper authorization.

Availability
• System and information are available to meet operational and contractual obligations.

Diagram notes: security is the foundation of system reliability; confidentiality and privacy are protected by security.
8-4
Question 1

The AICPA and the CICA have created an evaluation service known as SysTrust. SysTrust follows four principles to determine if a system is reliable. The reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as

a) availability.
b) security.
c) maintainability.
d) integrity.

5
Question 2

Which of the following is not one of the five basic principles that contribute to systems reliability according to the Trust Services framework?
a) Confidentiality
b) Processing speed
c) Security
d) System availability

6
Understanding
Targeted
Attacks
(Basic steps of
criminal)

7
1. Conduct reconnaissance
2. Attempt social
engineering
3. Scan and map the target
4. Research
5. Execute and attack
6. Cover tracks

8
Three
Fundamental
Information
Security
Concepts

9
10

1. Security is a
management
issue
Security Life Cycle
11

2. The people

a) Create a security-conscious culture
• Lead by example
• Demonstrate support
• Execute enforcement

12

2. The people

b) Security awareness training to employees
• Never open unsolicited e-mail attachments
• Follow safe computing practices
• Use only approved software
• Use strong passwords
• Do not share/write passwords
• Physically protect laptops/cellphones
• Protect against social engineering
• Avoid piggybacking
3. Time-based model

Security is effective if:

P > D + R, where
• P is the time it takes an attacker to break through preventive controls
• D is the time it takes to detect that an attack is in progress
• R is the time it takes to respond to the attack and take corrective action
8-13
3. Time-based model

Defense-in-depth Strategy
Multiple layers of control (preventive and detective) to avoid a single point of failure and so satisfy the time-based model

8-14
3. Time-based model

Three Time-based Model Components:
Preventive, detective and corrective controls

8-15
Question 3

If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is

a) effective

b) ineffective

c) overdone

d) undermanaged
16
Question 4

There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the
latter. He had researched an exploit and determined that he could penetrate the
target system, download a file containing valuable data, and cover his tracks in eight
minutes. Six minutes into the attack he was locked out of the system. Using the
notation of the time-based model of security, which of the following must be true?

a) P < 6

b) D = 6

c) P = 6

d) P > 6
17
Three Time-
based Model
Components

18
1. Preventive Controls
To prevent errors and irregularities

1. Physical Access Control

Limit entry to building, assets and AIS

8-20
2. Process: User access control
i) Authentication (verify the person)
1. Something the person knows: password
2. Something the person has: access card
3. Some biometric characteristic (physical characteristic): face
Multifactor authentication: a combination of 1, 2 and 3
Multimodal authentication: a combination of items within one factor (e.g., several biometric characteristics from 3)

8-21
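An added example (not from the slides or the textbook they summarize) of how the first two factors are combined in code: the "something the person knows" factor is a password verified against a salted PBKDF2 hash, and the "something the person has" factor is modelled with an RFC 4226 HOTP one-time code from a hardware token or authenticator app, standing in for the access card the slide names. The user record, password and token secret are constructed here; the secret is the one from the RFC 4226 test vectors.

```python
"""Two-factor authentication check (added example, not the slide's own material).
Factor 1, something the person knows: a password, verified against a salted
PBKDF2 hash (the plain password is never stored).
Factor 2, something the person has: an RFC 4226 HOTP one-time code from a
hardware token or authenticator app, used here in place of the access card."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000


def make_user(password: str, hotp_secret: bytes) -> dict:
    """Constructed user record: password verifier plus the token's shared secret."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "verifier": verifier, "hotp_secret": hotp_secret, "counter": 0}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16)
              | (mac[offset + 2] << 8) | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def check_password(user: dict, password: str) -> bool:
    """Recompute the verifier and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["verifier"])


def check_token(user: dict, code: str, look_ahead: int = 3) -> bool:
    """Accept the code for the current counter or a few counters ahead (the token may
    have been pressed without logging in). On success the counter moves past the
    value that was used, so the same code cannot be replayed."""
    for c in range(user["counter"], user["counter"] + look_ahead):
        if hmac.compare_digest(hotp(user["hotp_secret"], c), code):
            user["counter"] = c + 1
            return True
    return False


def authenticate(user: dict, password: str, code: str) -> bool:
    """Multifactor: both factors must pass. The one-time code is only consumed once
    the password is correct, so a wrong password cannot burn the token's counter;
    the caller receives a single yes/no and is not told which factor failed."""
    if not check_password(user, password):
        return False
    return check_token(user, code)


if __name__ == "__main__":
    # Secret from the RFC 4226 test vectors; the password is constructed.
    user = make_user("correct horse battery staple", b"12345678901234567890")
    code = hotp(user["hotp_secret"], 0)
    print(authenticate(user, "correct horse battery staple", code))  # True
    print(authenticate(user, "correct horse battery staple", code))  # False: replayed code
```

Two design points worth noticing: the stored record holds a salted hash and a shared secret, never the password, and the counter is advanced only after a successful match, which is what makes a captured one-time code useless a second time.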
2. Process: User access control
i) Authentication (verify the device)
The Network Interface Card (NIC) has a unique identifier, the media access control (MAC) address.

8-22
3. Process: User access control
ii) Authorization determines what a person can access, for which specific tasks and programs (who, and which devices).

Example: A salesperson is only allowed to use the sales entry system, whereas an accounts receivable clerk is not allowed to access this system.

8-23
4. Well-designed source documents

To prevent the omission of necessary information during data input.

8-24
5. IT Solution: Malware Controls

1. Awareness and training for employees
2. Antimalware protection tools, e.g. anti-virus
3. Patch management
4. Regular review of new malware
5. Block potential sources of malware (filter incoming traffic)

8-25
6. IT Solution:
Network Access
Controls

1. Border router
2. Firewall
3. Demilitarized Zone
(DMZ)

8-26
6. IT Solution:
Network Access
Controls

4. Filtering Packets

8-27
6. IT Solution:
Network Access
Controls

5. Intrusion Prevention
System (IPS)

8-28
7. IT Solution:
Device and
software
hardening control

1. Endpoint Configuration:
Most computer systems by default have many security vulnerabilities and default settings that make them susceptible to cyber attacks. Therefore, organizations need to modify the default configuration, using a vulnerability scanner.

2. User Account Management

8-29
7. IT Solution:
Device and
software
hardening control
3. Software design

8-30
8: IT Solution:
Encryption

• Final layer of defense for the AIS
• Translates data into a code

8-31
https://www.youtube.com/watch?v=0YF_9M0vHqw

32
2. Detective
Controls
To detect errors,
weaknesses, deficiencies
and fraud.
1. Log analysis

The process of examining logs to identify evidence of a possible attack:

• Who accessed the system
• What actions were taken
• Unsuccessful attempts (failed log-on attempts)

8-34
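As an added example (not from the slides), the three checks just listed run over a handful of constructed log lines in a made-up key=value format: a summary of who accessed the system and what they did, and a sliding-window count of failed log-on attempts per user and source address that flags bursts and notes whether a successful log-on followed them.

```python
"""Log analysis as a detective control (added example; the log lines and their
key=value format are constructed for this illustration)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01 08:01:12 user=alice src=10.0.0.5 action=login result=success
2024-03-01 08:03:40 user=alice src=10.0.0.5 action=view_invoice result=success
2024-03-01 08:10:02 user=bob src=10.0.0.9 action=login result=failure
2024-03-01 08:10:15 user=bob src=10.0.0.9 action=login result=failure
2024-03-01 08:10:29 user=bob src=10.0.0.9 action=login result=failure
2024-03-01 08:10:44 user=bob src=10.0.0.9 action=login result=failure
2024-03-01 08:11:01 user=bob src=10.0.0.9 action=login result=success
2024-03-01 09:30:00 user=carol src=10.0.0.7 action=login result=failure
2024-03-01 15:30:00 user=carol src=10.0.0.7 action=login result=failure
2024-03-01 16:00:00 user=dave src=10.0.0.8 action=export_payroll result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn each well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def access_summary(events: list) -> dict:
    """Who accessed the system and what actions they took (successful events only)."""
    summary = defaultdict(Counter)
    for e in events:
        if e["result"] == "success":
            summary[e["user"]][e["action"]] += 1
    return {user: dict(actions) for user, actions in summary.items()}


def failed_logon_bursts(events: list, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> list:
    """Flag (user, src) pairs with at least `threshold` failed log-ons inside a
    sliding time window. The window matters: the same number of failures spread
    over hours (carol) is far less suspicious than a burst (bob)."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "failure":
            failures[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # A success after the burst is the case an analyst wants to see first.
            followed = any(e["user"] == user and e["src"] == src
                           and e["action"] == "login" and e["result"] == "success"
                           and e["ts"] > times[-1] for e in events)
            alerts.append({"user": user, "src": src, "failures": best,
                           "followed_by_success": followed})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(access_summary(evs))
    print(failed_logon_bursts(evs))
```

Run as-is it prints the per-user action counts and one alert for bob, whose four failures within a minute were followed by a successful log-on; carol's two failures six hours apart stay below the window threshold.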
2. Intrusion
Detection Systems
(IDS)

Produces a warning alert when it detects a suspicious pattern of network traffic.

8-35
3. Honeypots

A network-attached system set up as a decoy to lure cyber attackers and to detect, deflect and study hacking attempts to gain unauthorized access to information systems, providing early warning.

8-36
4. Continuous
Monitoring
(Managerial Report)

Reports to monitor and assess control effectiveness, such as:
• Number of incidents with business impact
• % of users who do not comply with password standards
Internal auditors evaluate, identify risks, report and recommend solutions.

8-37
5. Periodic stocktake

To keep track of physical stock and to verify internal controls by cross-checking the stock.

8-38
6. Verify non-
current assets
records

To ensure that:
(i) Non-current assets
are correctly recorded,
adequately secured
and properly
maintained
(ii) Acquisitions and
disposals of non-
current assets are
properly authorized

8-39
7. Cash Summary
Report

Shows the movement of cash into and out of an organization for a selected period.

8-40
8. Bank
reconciliation

Ensures that the company's cash records are correct.

8-41
9. Fraud hotline

Provides a third-party
anonymous and
confidential
whistleblower
reporting service for
potential fraud, ethical
issues, and other
concerns.

8-42
10. External Audit

Auditors develop audit procedures to detect material frauds.

Management also may engage a forensic accountant as a consultant.

8-43
Question 11

Information technology managers are often in a bind when a new exploit is discovered in the
wild. They can respond by updating the affected software or hardware with new code
provided by the manufacturer, which runs the risk that a flaw in the update will break the
system. Or they can wait until the new code has been extensively tested, but that runs the
risk that they will be compromised by the exploit during the testing period. Dealing with
these issues is referred to as

a) change management.

b) hardening.

c) patch management.

d) defense in depth

44
3. Corrective
Controls
• To respond to attacks in a timely manner and take corrective action.
• Study the existing procedures and eliminate the cause of the error.
1. Chief Information
Security Officer
(CISO) and Chief
Security Officer
(CSO)
A senior-level executive responsible for developing and implementing an information security program, which includes procedures and policies designed to protect the organization's communications, systems and assets from both internal and external threats.

8-46
2. Computer Incident Response Team (CIRT)

Members:
• Senior manager (to make decisions based on cost and benefits analysis)
• IT system security (technical specialist)

The team practices the incident response plan regularly.

Incident response steps: Recognition, Containment, Recovery, Follow-up

8-47
3. Insurance

To reduce loss

8-48
4. Penetration
Testing

A simulated attack to test the organization's information system and identify where additional protections are needed.

8-49
5. Change controls
and change
management

A formal process to ensure that changes/modifications from old practice to new (to take advantage of IT technology) do not reduce system reliability.

8-50
6. Disaster recovery
plan and business
continuity plan

A business continuity
and disaster recovery
plan is a combination
of strategies, policies
and procedures about
how an organization
should respond to or
adapt to potential
threats or unforeseen
disruptive events while
minimizing the
negative impacts.

8-51
Question 5

Verifying the identity of the person or device attempting to access the system is

a) Authentication

b) Authorization

c) Identification

d) Threat monitoring

52
Question 6

Restricting access of users to specific portions of the system as well as specific tasks, is

a) Authentication

b) Authorization

c) Identification

d) Threat monitoring

53
Question 7

Which of the following is an example of a preventive control?

a) Encryption

b) Log analysis

c) Intrusion detection

d) Emergency response teams

54
Question 8

Which of the following preventive controls are necessary to provide adequate security that deals with social engineering?

a) Controlling remote access

b) Encryption

c) Host and application hardening

d) Training

55
Question 9

The process of turning off unnecessary features in the system is known as

a) Deep packet inspection

b) Hardening

c) Intrusion detection

d) War dialing

56
Question 10

The process of transforming normal text into cipher text

a) Encryption

b) Decryption

c) Filtering

d) Hardening

57
Question 12

In 2007, a major U.S. financial institution hired a security firm to attempt to compromise its computer network. A week later, the firm reported that it had successfully entered the system without apparent detection and presented an analysis of the vulnerabilities that had been found. This is an example of a

a) preventive control.

b) detective control.

c) corrective control.

d) standard control.
59
Question 13

The ___________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences.

a) Chief information officer

b) Chief operations officer

c) Chief security officer

d) Computer emergency response team


60
Question 14

This uses automated tools to identify whether a given system possesses any well-known security problems.

a) Intrusion detection system

b) Log analysis

c) Penetration test

d) Vulnerability scan
61
Question 15

A special purpose hardware device or software running on a general-purpose computer which filters information that is allowed to enter and leave the organization's information system.

a) Demilitarized zone

b) Intrusion detection system

c) Intrusion prevention system

d) Firewall
62
Security
Implications
of
Virtualization,
Cloud
Computing
and the
Internet of
Things

63
Risks are even higher in virtualisation, cloud environments and the Internet of Things:

• unauthorized access
• data theft
• destruction and compromise
• malware
• reliability
64
End of
Chapter.

66
