
Common Types of Vulnerabilities in IT Systems and Networks

1. Malware, short for malicious software, such as Trojans, viruses, and worms that are installed on a user’s machine or a host server.

2. Social engineering attacks such as phishing that fool users into giving up personal information such as a username or password.

3. Outdated or unpatched software that exposes the systems running the application and potentially the entire network.

4. Misconfigurations: firewalls or operating systems left with default policies enabled, or incorrect system or application configurations that lead to security weaknesses, for instance default passwords, unnecessary services enabled, or open network ports.

5. Physical Vulnerabilities: Issues related to the physical security of IT assets. This includes unprotected server rooms, easy access to network infrastructure, and lack of secure disposal practices for hardware.

6. Zero-Day Vulnerabilities: Previously unknown vulnerabilities that are exploited by attackers before the vendor has released a patch, or even before the vendor is aware of the vulnerability.

Tools and Techniques for Vulnerability Scanning and Assessment

Vulnerability Scanners: Automated tools that scan systems and networks to detect known vulnerabilities. Examples include Nessus, OpenVAS, and Qualys.

Penetration Testing: Also known as ethical hacking, this involves simulating cyber attacks on a system to identify exploitable vulnerabilities. Tools like Metasploit, Burp Suite, and Kali Linux are commonly used.

Static Application Security Testing (SAST): Analyzes source code at rest to detect vulnerabilities. It is effective in identifying potential security flaws in application source code.

Dynamic Application Security Testing (DAST): Tests applications as they run to find vulnerabilities that are visible only during the operation of the application.

Configuration Management Tools: Tools like Chef, Puppet, and Ansible can be used to ensure configurations are consistent and secure across all environments.
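As an added example (written for these notes, not taken from Chef, Puppet, Ansible or any scanner), the Python script below audits a host configuration snapshot against a hardening baseline and reports the misconfigurations listed under vulnerability type 4: ports open outside the baseline, unnecessary services, vendor default credentials, and a patch level older than the minimum. The HostConfig and Baseline classes, the hostname, ports, services, accounts and patch levels are all constructed sample data.

```python
"""Added example: audit a host snapshot against a hardening baseline.

Illustrative code for these notes; not a vendor tool. Every value below
(host, ports, services, accounts, patch levels) is constructed.
"""
from dataclasses import dataclass

# Vendor default credentials a scanner would compare against (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "toor"), ("admin", "password")}


@dataclass
class HostConfig:
    hostname: str
    open_ports: frozenset        # TCP ports found listening
    services: frozenset          # services enabled at boot
    accounts: dict               # username -> password; plaintext only for this demo
    patch_level: str             # "YYYY-MM" of the last applied patch bundle


@dataclass
class Baseline:
    allowed_ports: frozenset
    forbidden_services: frozenset
    minimum_patch_level: str     # "YYYY-MM"; plain string comparison works for this format


def audit_host(host: HostConfig, baseline: Baseline) -> list:
    """Return (rule, detail) findings for every deviation from the baseline."""
    findings = []
    for port in sorted(host.open_ports - baseline.allowed_ports):
        findings.append(("open-port", f"{host.hostname}: port {port} is listening but not in the baseline"))
    for svc in sorted(host.services & baseline.forbidden_services):
        findings.append(("unnecessary-service", f"{host.hostname}: service {svc} should be disabled"))
    for user, password in sorted(host.accounts.items()):
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(("default-credential", f"{host.hostname}: account {user} uses a vendor default password"))
    if host.patch_level < baseline.minimum_patch_level:
        findings.append(("unpatched", f"{host.hostname}: patch level {host.patch_level} is below {baseline.minimum_patch_level}"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, as a compliance dashboard would."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample data: one web server and the organisation's baseline.
SAMPLE_HOST = HostConfig(
    hostname="web-01.example.test",
    open_ports=frozenset({22, 23, 80, 443}),
    services=frozenset({"sshd", "telnet", "httpd"}),
    accounts={"admin": "admin", "ops": "c0rrect-h0rse-battery"},
    patch_level="2023-11",
)
SAMPLE_BASELINE = Baseline(
    allowed_ports=frozenset({22, 443}),
    forbidden_services=frozenset({"telnet", "ftp", "rsh"}),
    minimum_patch_level="2024-01",
)

if __name__ == "__main__":
    results = audit_host(SAMPLE_HOST, SAMPLE_BASELINE)
    for rule, detail in results:
        print(f"[{rule}] {detail}")
    print(summarize(results))
```

Running the script against the sample host produces five findings; a host that matches the baseline produces none. The same check run from a configuration management tool on every host is what makes configurations "consistent and secure across all environments" in practice.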

Relationship Between Vulnerabilities and Threats

A vulnerability represents a weakness in a system that can potentially be exploited. It becomes a significant risk if there are threats capable of exploiting it.

A threat is any potential agent or event that could harm the system by exploiting vulnerabilities. Threats can be human (hackers, disgruntled employees), environmental (fire, floods), or technological (malware, network attacks).

Exploitation: The actual act of leveraging a vulnerability is known as exploitation. The severity of the exploitation depends on the threat actor’s intent and capability and on the nature of the vulnerability.

Risk Management: The process of identifying, assessing, and responding to vulnerabilities and threats is known as risk management. It involves assessing the likelihood and impact of a threat exploiting a vulnerability and determining the appropriate response to mitigate the risk.


Identifying and Classifying Different Types of Security Incidents

Malware Infection: Any incident involving malicious software such as viruses, worms, Trojan horses, ransomware, or spyware.

Unauthorized Access: Incidents where an unauthorized person gains access to systems, data, or resources. This can include credential theft, privilege escalation, or bypassing security controls.

Data Breach: Involves the unauthorized retrieval, exposure, or theft of data. This can be customer information, intellectual property, or other sensitive data.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks: These incidents aim to make a service unavailable to its intended users by overwhelming the service with a flood of illegitimate requests.

Insider Threats: Incidents caused by employees, contractors, or business associates who have inside information concerning the organization's security practices, data, and computer systems.

Classifying these incidents typically involves assessing their impact on confidentiality, integrity, and availability (CIA), the scope of the incident, and the potential damage or loss.

Incident Response Procedures and Steps for Managing an Incident

Preparation: Develop and maintain an incident response plan, train the response team, and establish communication protocols.

Identification: Detect and confirm the occurrence of a security incident. This involves monitoring security alerts and analyzing them to determine if they warrant further investigation.

Containment: Short-term containment involves stopping the incident from causing immediate damage, while long-term containment focuses on securing systems for deeper analysis and recovery.

Eradication: Identify the root cause of the incident and remove affected components to eliminate the threat from the environment.

Recovery: Restore and validate system functionality for business operations. This step often involves patching systems, changing passwords, and tightening security controls.

Lessons Learned: After handling the incident, conduct a debriefing to evaluate the response and update procedures based on what was learned.

Tools Used for Incident Detection and Response

Security Information and Event Management (SIEM): Tools like Splunk, LogRhythm, and IBM QRadar that collect, store, and analyze security logs from various sources to identify anomalies and potential incidents.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Tools such as Snort or Cisco's IPS that monitor network traffic to detect and potentially prevent policy violations or malicious activities.

An intrusion prevention system (IPS), also known as an intrusion detection and prevention system (IDPS), is a technology that monitors a network for malicious activity attempting to exploit a known vulnerability.

Endpoint Detection and Response (EDR): Solutions like CrowdStrike Falcon, SentinelOne, and Sophos Intercept X that provide continuous monitoring and collection of endpoint data, with response capabilities to quickly mitigate threats.

Forensic Tools: Tools like EnCase, FTK, and Volatility are used for digital forensics, helping to uncover the root cause of the incident and preserve evidence for potential legal actions.

Motives for Information Security Attacks

1. Financial Gain

One of the most common motives is financial profit. Attackers often target businesses and individuals to steal credit card information or banking credentials, or even to transfer funds directly. Ransomware attacks, where data is encrypted and a ransom is demanded for the decryption key, are also primarily financially motivated.

2. Political Reasons (Espionage)

Espionage involves gathering confidential information for strategic, political, or military advantage. It can be conducted by nation-states, corporations, or other entities looking to gain a competitive edge or to interfere in the affairs of rivals or other nations. Industrial espionage, for example, targets trade secrets and other corporate data.

3. Revenge

Revenge-driven attacks are meant to disrupt, degrade, or destroy an organization's operations or infrastructure. They can be motivated by revenge (perhaps from a disgruntled employee), competition, or malice. The goal is often to cause operational disruption, financial loss, or damage to the organization’s reputation.

4. Gaining Reputation

In some cases, individuals engage in hacking simply for the personal challenge or to gain reputation within certain communities. These attackers, often called "grey hat" hackers, might not have a specific financial or political motive but hack to demonstrate their skills, identify vulnerabilities, or earn respect among peers.

5. Intellectual Challenge and Learning

Some attackers are driven by the desire to learn and experiment. This can include students or amateur technologists who are curious about the workings of networks and systems. While not necessarily malicious in intent, their unauthorized activities can still be harmful and illegal.

6. Blackmail

Attackers may also use cyber attacks as a form of extortion, coercing an organization or individuals by threatening to release sensitive data, launch more damaging attacks, or harm their reputation unless demands (often financial) are met.

7. Terrorism

In more extreme cases, cyber attacks can be used as a form of terrorism. These attacks seek to inspire fear, cause physical harm, or disrupt societal functions through the compromise of critical infrastructure or systems.

COBIT 5 PRINCIPLES

COBIT 5, developed by ISACA, is a comprehensive framework for governance and management of enterprise IT that emphasizes regulatory compliance, risk management, and aligning IT strategy with organizational goals. Here are the five principles of COBIT 5, which are fundamental to its framework:

1. Meeting Stakeholder Needs

This principle focuses on creating value for stakeholders through the effective and efficient use of IT. It emphasizes aligning IT objectives with business objectives and ensuring that stakeholder needs drive all decision-making processes in IT governance and management.

2. Covering the Enterprise End-to-End

COBIT 5 applies to the whole enterprise, not just the IT department. It integrates IT processes into the enterprise's governance framework, ensuring that there is a seamless connection between business and IT goals across all areas of the organization, from executive leadership to operational processes.

3. Applying a Single, Integrated Framework

This principle is about using a single, holistic framework to manage IT governance. COBIT 5 can integrate with other standards and frameworks (like ISO 27001, ITIL, and NIST), providing a comprehensive overview that reduces complexity, eliminates redundant processes, and ensures that all governance and management activities are consistent across the organization.

4. Enabling a Holistic Approach

COBIT 5 encourages an inclusive approach to IT governance by considering all aspects of IT operations. It outlines several dimensions that should be addressed, including processes, organizational structures, people, skills, culture, information, services, infrastructure, and applications. This holistic view helps organizations address the complexity of IT governance in a structured and manageable way.

5. Separating Governance From Management

The fifth principle distinguishes between governance and management activities. Governance ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives. Management, on the other hand, plans, builds, runs, and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. This separation clarifies the distinct roles and responsibilities necessary to achieve effective governance and efficient management.

Define the term IS/IT Governance and describe five basic outcomes of an effective IS/IT governance framework.

IS/IT Governance:

IS/IT Governance refers to the processes and structures implemented by an organization to inform, direct, manage, and monitor the activities of information systems and IT. This ensures that its information technology supports and enables the achievement of its strategies and objectives.

Five Basic Outcomes of an Effective IS/IT Governance Framework:

1. Strategic Alignment: Ensures that IT goals are aligned with the organization’s strategic objectives, resulting in IT delivering value to the business.

2. Risk Management: Identifies, manages, and mitigates IT-related risks, considering the impact on the entire organization.

3. Resource Optimization: Ensures efficient and effective use of IT resources, including people, infrastructure, and applications.

4. Value Delivery: Focuses on optimizing investments in IT, ensuring that IT delivers the promised benefits against the strategy, contributing to the overall success of the organization.

5. Performance Measurement: Establishes relevant metrics to measure and monitor the performance and health of IT, ensuring that it meets predefined standards and contributes to business objectives.

State and briefly explain the six stages of the System Development Life Cycle (SDLC) and the role of the IS auditor within each stage.

1. Planning: This stage involves defining the scope and purpose of the IT project.

IS Auditor Role: Assess the adequacy of the project planning process, ensure alignment with business goals, and verify that risk assessments are performed.

2. Analysis: Detailed analysis of business needs and requirements.

IS Auditor Role: Review requirements for completeness and feasibility, and ensure that they meet business objectives.

3. Design: Transforming requirements into complete, detailed system design documents.

IS Auditor Role: Evaluate design specifications for compliance with organizational policies and standards, and assess security controls.

4. Implementation (Development): The actual coding or building of the system components.

IS Auditor Role: Audit the development process for adherence to standards, proper change control procedures, and documentation.

5. Testing: System components are thoroughly tested to find and correct errors.

IS Auditor Role: Verify that testing procedures are comprehensive, security controls are tested, and issues are documented and resolved.

6. Deployment (and Maintenance): The system is put into production and maintained.

IS Auditor Role: Ensure that deployment follows organizational policies, data migration is secure, and post-implementation reviews assess whether the system meets the intended objectives and remains compliant.

Basic Types of Information Protection that an Organization Can Use

1. Preventive Controls: Designed to prevent security incidents before they occur. Includes measures like firewalls, antivirus software, and complex password policies.

2. Detective Controls: Aimed at detecting and identifying security incidents as they occur. Examples include intrusion detection systems (IDS) and continuous monitoring tools.

3. Corrective Controls: Intended to correct any issues after a security incident has happened. This could involve restoring systems from backups or applying security patches after an attack.

4. Deterrent Controls: These are meant to discourage security violations. An example would be the presence of security cameras or the announcement of audit procedures.

5. Recovery Controls: Help restore system operations after a security breach. Recovery controls include disaster recovery plans and data recovery processes.
Processes of the Access Control Mechanism When a User Requests Resources

1. Identification: The user presents credentials to establish their identity to the system. This could be a username or some form of user ID.

2. Authentication: The system verifies the user’s identity by validating their credentials, which may involve a password, biometric verification, security tokens, or multi-factor authentication.

3. Authorization: Once the user is authenticated, the system determines what level of access the user is granted based on predefined security policies. This determines which files, systems, or network resources the user can access and what operations they can perform.
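The three steps in code, as an added example written for these notes (not any product's authentication library): identification looks the presented username up in a user store, authentication verifies the password against a salted PBKDF2 hash with a constant-time comparison, and authorization checks a role-based policy for the requested resource and operation. The user store, passwords, roles and policy are constructed sample data; the only assumption beyond the notes is the choice of PBKDF2-HMAC-SHA256 as the password hashing scheme.

```python
"""Added example: identification, authentication and authorization in sequence.

Illustrative code for these notes. USERS, POLICY and all passwords below
are constructed; PBKDF2 is an assumed (common) choice for password storage.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a verifier from the password; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str, roles) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_password(password, salt), "roles": frozenset(roles)}


# Constructed user store; a real system would back this with a directory service.
USERS = {
    "alice": make_user("correct horse battery staple", {"analyst"}),
    "bob": make_user("a-much-longer-admin-passphrase", {"admin"}),
}
# Verified when the username is unknown, so that step 1 failing costs the same
# time as step 2 failing and an attacker cannot enumerate valid usernames.
_DUMMY_USER = make_user("dummy", set())

# Role -> set of (resource, operation) pairs the role may perform (constructed policy).
POLICY = {
    "analyst": {("logs", "read")},
    "admin": {("logs", "read"), ("logs", "delete"), ("firewall", "write")},
}


def identify(username: str):
    """Step 1: map the presented identifier to a user record (or None)."""
    return USERS.get(username)


def authenticate(record, password: str) -> bool:
    """Step 2: verify the credential in constant time against the stored verifier."""
    target = record if record is not None else _DUMMY_USER
    matches = hmac.compare_digest(hash_password(password, target["salt"]), target["digest"])
    return matches and record is not None


def authorize(record, resource: str, operation: str) -> bool:
    """Step 3: consult the policy for every role the authenticated user holds."""
    return any((resource, operation) in POLICY.get(role, set()) for role in record["roles"])


def request_access(username: str, password: str, resource: str, operation: str) -> str:
    record = identify(username)
    if not authenticate(record, password):
        # Same answer for unknown user and wrong password (see _DUMMY_USER above).
        return "denied: invalid credentials"
    if not authorize(record, resource, operation):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(request_access("alice", "correct horse battery staple", "logs", "read"))
    print(request_access("alice", "correct horse battery staple", "logs", "delete"))
    print(request_access("mallory", "guess", "logs", "read"))
```

Note that a user who passes identification and authentication can still be refused at authorization: alice can read logs but not delete them, which is exactly the distinction between "who are you" and "what may you do" that the three steps draw.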

IT Risk Management

IT Risk Management refers to the process of identifying, assessing, responding to, and monitoring risks associated with an organization’s information technology environment. It involves:

1. Risk Identification: Discovering potential threats that could negatively impact the organization's information assets.

2. Risk Assessment: Evaluating the likelihood and impact of these risks occurring.

3. Risk Response: Deciding on the appropriate actions to manage the risk.

4. Risk Monitoring: Continuously observing the risk environment to detect changes and ensure that controls are effective.

Four courses of action management can take in response to identified risks are:

Mitigation: Taking steps to reduce the likelihood or impact of a risk.

Acceptance: Deciding to accept the risk, typically when it is low or the cost of mitigation exceeds the benefit.

Avoidance: Changing plans to avoid the risk entirely.

Transfer: Sharing the risk with a third party, such as through insurance or outsourcing.

Cite three examples of roles that an IS auditor needs to ensure are segregated within an organization and explain why they need to be segregated. (5 marks)

Segregation of duties is essential to prevent fraud and errors.

1. System Administrator and System Auditor: The administrator should not have the ability to modify logs or system settings that would hide or alter actions they have taken.

2. Developer and Deployer: A developer should not have access to production environments, to prevent unauthorized changes or the introduction of backdoors.

3. Data Entry and Data Review/Approval: The individual who enters data should not be the same person who reviews or approves it, to prevent the entry of fraudulent or erroneous data.
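An IS auditor typically tests segregation of duties in two ways: by checking whether any one person has been assigned both roles of a conflicting pair, and by checking whether transactions were in fact entered and approved by the same person. The following is an added example (written for these notes, not an audit product) that performs both checks over constructed role assignments and a constructed transaction log using the three conflicting pairs listed above.

```python
"""Added example: segregation-of-duties checks an IS auditor might run.

Illustrative code for these notes. The role names, user assignments and
transaction records are constructed sample data.
"""

# Pairs of roles one person must not hold together (the three pairs from the notes).
CONFLICTING_ROLES = {
    frozenset({"system_administrator", "system_auditor"}),
    frozenset({"developer", "production_deployer"}),
    frozenset({"data_entry", "data_approver"}),
}


def role_conflicts(assignments: dict) -> list:
    """Return (user, (role_a, role_b)) for every user holding a conflicting pair.

    assignments maps a user name to the set of roles granted to that user.
    """
    findings = []
    ordered_pairs = sorted(CONFLICTING_ROLES, key=lambda p: tuple(sorted(p)))
    for user, roles in sorted(assignments.items()):
        for pair in ordered_pairs:
            if pair <= roles:                      # user holds both roles of the pair
                findings.append((user, tuple(sorted(pair))))
    return findings


def self_approved_transactions(transactions: list) -> list:
    """Return ids of transactions entered and approved by the same person.

    Each transaction is a dict with 'id', 'entered_by' and 'approved_by'
    (approved_by is None while the transaction is still pending).
    """
    return [
        t["id"] for t in transactions
        if t["approved_by"] is not None and t["entered_by"] == t["approved_by"]
    ]


# Constructed sample data for a walkthrough.
SAMPLE_ASSIGNMENTS = {
    "carol": {"developer", "production_deployer"},
    "dave": {"system_administrator"},
    "erin": {"data_entry", "data_approver", "developer"},
    "frank": {"system_auditor"},
}
SAMPLE_TRANSACTIONS = [
    {"id": "T1", "entered_by": "dave", "approved_by": "erin"},
    {"id": "T2", "entered_by": "erin", "approved_by": "erin"},
    {"id": "T3", "entered_by": "dave", "approved_by": None},
]

if __name__ == "__main__":
    for user, pair in role_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{user} holds conflicting roles {pair[0]} and {pair[1]}")
    print("self-approved:", self_approved_transactions(SAMPLE_TRANSACTIONS))
```

The first check finds the conflict at the point of role assignment (a preventive control); the second finds it after the fact in the transaction record (a detective control), and a complete audit uses both, since a user may approve their own entries through a shared account or an emergency access path that the role list never shows.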

Within the context of Recovery Strategies, explain the differences between: Warm Sites, Duplicate/Redundant Information Processing Facilities (IPFs), Mobile Sites and Reciprocal Agreements. (10 marks)

Recovery strategies are critical for business continuity planning, and they include:

Warm Sites: Partially equipped office spaces that have some hardware and connectivity in place but require some time to become operational. They are a middle ground between hot and cold sites regarding readiness and cost.

Duplicate/Redundant IPFs: These are facilities that are fully equipped and immediately available. They are identical replicas of the primary site with full redundancy for critical systems. They ensure almost zero downtime, but at a higher cost.

Mobile Sites: Portable offices that can be deployed to a site and set up to provide operational capabilities. These are usually trucks or trailers equipped with the necessary technology, useful for responding to physical disasters.

Reciprocal Agreements: Arrangements between two organizations that agree to provide data processing facilities to each other in the event of a disaster.
