SQL injection attack
December 18, 2009
A SQL injection attack uses malicious input to take advantage of a security vulnerability in a database or web-based application. These attacks are carried out using SQL commands and can have serious implications, such as taking control of the SQL server or elevating the attacker's privileges to those of an administrator, which allows them to add, edit and even drop tables. (http://www.stardeveloper.com/articles/display.html?article=2008112501&page=1)
A SQL injection attack can be prevented by implementing sanitization techniques such as defining what type of value is expected and using functions like replace(str, "'", """) when expecting a string value as user input, or getsecureval(cstr(param), "'", """) when accepting user input from cookies. Both of these methods replace any single apostrophe entered by a SQL injection attack with a double quote, thereby producing an error.
One can also use CLng() when expecting numeric values from the user; this converts the input to a number after first checking whether it can be converted, so if malicious code is supplied instead it produces an error. Most web developers tend to focus on security holes in the operating system or the web server that the website runs on, forgetting the programming language, like SQL, used to develop the website's database.
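The two sanitization ideas above (check that a numeric parameter really is numeric, and neutralize apostrophes in string parameters) as an added Python example using sqlite3; this is not code from the original post and it stands in for the VBScript CLng() and Replace() calls. The apostrophe escape doubles the quote, which is the usual form of that Replace call, and a bound-parameter query is shown as the preferred alternative.

```python
import sqlite3


def setup_db():
    """Constructed in-memory table standing in for the web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def clng(value):
    """Stand-in for VBScript CLng(): accept the input only if it is a whole number,
    otherwise raise, so anything that is not an id never reaches the query."""
    text = str(value).strip()
    if not text.lstrip("+-").isdigit():
        raise ValueError("expected a numeric value, got %r" % (value,))
    return int(text)


def escape_apostrophes(text):
    """Stand-in for Replace(str, "'", "''"): double every apostrophe so user input
    cannot terminate the string literal early."""
    return text.replace("'", "''")


def lookup_name_unsafe(conn, user_id):
    """Vulnerable form: the raw parameter is concatenated into the statement."""
    sql = "SELECT name FROM users WHERE id = " + str(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_name_validated(conn, user_id):
    """Hardened with the numeric check the post describes."""
    sql = "SELECT name FROM users WHERE id = " + str(clng(user_id))
    return [row[0] for row in conn.execute(sql)]


def lookup_id_escaped(conn, name):
    """String input hardened with the apostrophe replacement the post describes."""
    sql = "SELECT id FROM users WHERE name = '" + escape_apostrophes(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_id_parameterized(conn, name):
    """Preferred today: a bound parameter is never parsed as SQL at all."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]
```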
Security policy: standards, guidelines and procedures
December 18, 2009
A security policy gives us a guide, or a broad view, of the guidelines, rules and procedures that are needed to protect our wireless technology. We need the security policy because it identifies what needs to be protected and how access, audits and reporting are to be handled. Example: Internet access will be given only to staff who need it for their work.
A standard is developed from a security policy and deals with the specifics of an issue. We need standards because they describe an issue in detail, and this makes audits possible, i.e. the ability to audit whether a standard is being followed or not. Example: every user must ensure they have a strong password.
A guideline provides the "how" of implementing a standard. "It helps an organization to implement and maintain standards" (Dulaney, 2009). Example: passwords for access to the wireless internet need to be 8 characters long and must consist of letters and numbers.
A procedure is developed to provide step-by-step instructions on how to accomplish or implement a guideline. It helps users know how to go about following the rules set by the organization.
Example: press CTRL, ALT and DEL simultaneously. Select "change password", then enter the old password and then enter the new password twice. The password needs to be 8 characters long and must consist of letters and numbers. Click OK to apply the changes.
References
Stewart, M., Tittel, E., Chapple, M. (2004). CISSP Study Guide. Sybex.
White, G., Conklin, W. M. A. (2009). CompTIA Security+. McGraw Hill.
Dulaney, E. (2009). CompTIA Security+ Study Guide, 4th Edition.
Symmetric key Vs Asymmetric encryption
December 18, 2009
Symmetric encryption uses one shared key to both encrypt and decrypt a document. This key is known to both the sender and the receiver. In asymmetric encryption, each user has two keys: one private key known only to themselves, and one public key known to everyone.
Symmetric encryption does not provide non-repudiation, since any person with access to the shared key can both encrypt and decrypt a message, so one cannot tell where it originated from. Asymmetric encryption, where the use of a private key to sign a message allows for non-repudiation of the message, does.
In symmetric encryption, key distribution is a problem since one has to find a secure means of exchanging the secret key. In asymmetric encryption, people just need to make their public key known to anyone who wants to communicate with them.
Symmetric encryption provides a fast method of communication and also lends itself to hardware implementation, which provides even higher operational speeds. Asymmetric encryption is slow because of the complicated math involved in generating and using the keys.
Symmetric key encryption is not scalable because it requires each potential pair of communicators to have a shared secret key, making it hard for large groups to communicate: two users would need one key, three users would need 3 keys, four users would need 6 keys, etc. Asymmetric encryption only requires each new user to generate one pair of keys.
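The key-count, non-repudiation and signing points above, as an added Python example that is not part of the original post. The HMAC part shows that two holders of one shared key produce the same tag, so the tag cannot identify the sender; the RSA part uses tiny constructed primes purely to show that only the private exponent can sign while the public exponent verifies.

```python
import hashlib
import hmac
from math import comb


def symmetric_keys_needed(n):
    """Every pair of communicators needs its own shared secret: n(n-1)/2 keys."""
    return comb(n, 2)


def asymmetric_keys_needed(n):
    """Each party generates one key pair (private + public): 2n keys."""
    return 2 * n


def mac_tag(shared_key, message):
    return hmac.new(shared_key, message, hashlib.sha256).hexdigest()


def mac_identifies_sender(shared_key, message):
    """Alice and Bob hold the same key, so each produces the identical tag;
    a verifier cannot tell which of them sent the message."""
    tag_from_alice = mac_tag(shared_key, message)
    tag_from_bob = mac_tag(shared_key, message)
    return tag_from_alice != tag_from_bob  # always False: no non-repudiation


# Toy textbook RSA with tiny constructed primes, only to show that signing needs
# the private exponent D while anyone holding (E, N) can verify. Never use such sizes.
P, Q = 61, 53
N = P * Q      # 3233
E = 17         # public exponent
D = 2753       # private exponent: E * D == 1 mod (P-1)(Q-1)


def digest_mod_n(message):
    """Hash the message and reduce it below N so the toy arithmetic works."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def toy_sign(private_d, message):
    """Only the holder of the private exponent can produce this value."""
    return pow(digest_mod_n(message), private_d, N)


def toy_verify(public_e, message, signature):
    """Anyone with the public exponent can check it, which is what gives non-repudiation."""
    return pow(signature, public_e, N) == digest_mod_n(message)
```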
Intrusion detection system Vs Intrusion prevention systems
December 18, 2009
An intrusion detection system (IDS) is a system that monitors the network for any suspicious activity or external attacks aimed at interrupting the normal working of the network or the computer systems. An IDS has sensors that monitor audit logs, external communication and any suspicious activity. An analyzer examines these activities and normally compares them to known attack patterns; it then classifies them and alerts the systems administrator when an activity is considered an attack.
An intrusion prevention system (IPS) monitors the network for suspicious activity, malicious programs or attacks and can block or redirect the traffic as it arrives (in real time). An IDS only monitors and reports; it doesn't block suspicious activity. An IPS also has a sensor and an analyzer that monitor the network traffic as it comes in, and this traffic is analyzed against known attack signatures or "bad" traffic patterns. When an attack is recognized, the connection can be reset, blocked or quarantined, or the offending packet can be dropped, and an alert is generated and sent to the system administrator.
The main advantage of an IPS over an IDS is that an IPS can block, reject and drop suspicious traffic, while an IDS can only report or alert the administrator about the suspicious traffic.
Another advantage is that an intrusion prevention system (IPS) can decrypt encrypted traffic for further inspection and monitoring, unlike an intrusion detection system, which doesn't have this ability, so encrypted traffic passes through it without inspection.
An intrusion prevention system (IPS) interacts with traffic in real time, i.e. as it occurs, and thus is able to prevent attacks in real time, unlike an intrusion detection system (IDS), which sits passively and watches the traffic but does not interact with it.
The disadvantage of an IPS compared to an IDS is usually the price: an IPS costs much more than an IDS because it has added functionality and is a newer technology than the IDS.
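The sensor-plus-analyzer model and the passive-versus-inline difference described above, as an added Python example that is not from the original post. The signature set and the sample traffic are constructed; the same analyzer runs in "ids" mode (alert only, forward everything) and in "ips" mode (alert and drop the matching packet).

```python
import re

# Constructed signature set (name -> pattern). Real rule sets are far larger;
# they are what the analyzer compares observed activity against.
SIGNATURES = {
    "sql-injection-quote-or": re.compile(r"'\s*or\s*'", re.IGNORECASE),
    "directory-traversal": re.compile(r"\.\./"),
}


def inspect(packets, mode):
    """Sensor plus analyzer over a stream of (source, payload) pairs.

    mode="ids": passive. A matching packet raises an alert, but all traffic is
                still forwarded because the IDS sits beside the wire.
    mode="ips": inline. A matching packet raises an alert and is dropped before
                it reaches the protected host.
    Returns a dict with the forwarded packets and the alerts generated."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    forwarded, alerts = [], []
    for src, payload in packets:
        match = next((name for name, rx in SIGNATURES.items() if rx.search(payload)), None)
        if match is not None:
            alerts.append({"source": src, "signature": match})
            if mode == "ips":
                continue  # drop the offending packet; nothing downstream sees it
        forwarded.append((src, payload))
    return {"forwarded": forwarded, "alerts": alerts}


# Constructed sample traffic: two benign requests and two that match a signature.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.7", "GET /item.asp?id=1' OR '1'='1 HTTP/1.1"),
    ("10.0.0.8", "GET /images/logo.png HTTP/1.1"),
    ("10.0.0.9", "GET /../../boot.ini HTTP/1.1"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        result = inspect(SAMPLE_TRAFFIC, mode)
        print(mode, "forwarded:", len(result["forwarded"]), "alerts:", len(result["alerts"]))
```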
Factors influencing FAR & FRR in Biometrics
December 18, 2009
FAR in biometrics stands for false acceptance rate; it is the ratio of type 2 errors (when an invalid person is authenticated) to valid authentications. The false rejection rate (FRR) is the ratio of type 1 errors (when a valid person is not authenticated) to valid authentications. (Gollmann, 2006)
FAR and FRR are influenced by the following factors:
Sensors being too sensitive, causing a valid subject or person not to be authenticated; sensors can also be too insensitive, causing an invalid subject or person to be authenticated.
Poor picture quality caused by poor lighting in a facial recognition system can also cause problems in biometric systems, thus increasing the rate of FAR and FRR errors.
Another factor influencing FAR and FRR is worn-out fingerprints, which can cause poor-quality templates to be obtained during enrollment; this can increase the FAR and FRR.
Noisy surroundings, especially in voice recognition, can also affect the enrollment process and increase the chance of errors in biometric systems.
The equal error rate (EER) is the point where the FRR and FAR are equal or close to equal. It is used to measure the performance and accuracy of the biometric device. A tradeoff between FAR and FRR can be reached by having a lower FAR and a higher FRR, or vice versa. The device whose sensitivity is closest to the EER is considered more accurate. Shown below is a graph of FAR and FRR errors showing the EER point.
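The FAR/FRR tradeoff and the EER sweep above, as an added Python example that is not from the original post. The matching scores are constructed, the acceptance threshold plays the role of the sensor's sensitivity, and each rate is computed as the fraction of attempts of that class that fail (impostors accepted for FAR, genuine users rejected for FRR).

```python
# Constructed matching scores in [0, 1]: higher means the sample looked more like
# the enrolled template. Genuine attempts should score high and impostors low, but
# the two distributions overlap (worn prints, poor lighting, noise), which is
# where the errors come from.
GENUINE_SCORES = [0.4, 0.55, 0.6, 0.7, 0.75, 0.8, 0.85, 0.9]
IMPOSTOR_SCORES = [0.1, 0.2, 0.3, 0.35, 0.45, 0.5, 0.65, 0.7]


def far_frr_at(threshold, genuine, impostor):
    """A sample is accepted when score >= threshold (the sensor's sensitivity).
    FAR = impostors accepted / impostor attempts    (type 2 errors)
    FRR = genuine users rejected / genuine attempts (type 1 errors)"""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor, steps=100):
    """Sweep the threshold from 0 to 1 and return (threshold, EER) at the point
    where FAR and FRR are closest to equal; the EER is their mean there."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr_at(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    # A low threshold (insensitive sensor) accepts impostors; a high one rejects
    # genuine users. The EER is the crossover used to compare devices.
    for t in (0.3, 0.5, 0.8):
        print("threshold %.2f -> FAR %.3f, FRR %.3f" % ((t,) + far_frr_at(t, GENUINE_SCORES, IMPOSTOR_SCORES)))
    print("EER threshold, EER:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```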

Reference
Stewart, M., Tittel, E., Chapple, M. (2004). CISSP Study Guide. Sybex.
Gollmann, D. (2006). Computer Security. John Wiley & Sons.
http://www.bromba.com/faq/biofaqe.htm#DefinitionderFRR
Authentication methods
December 18, 2009
What you do and where you are are important authentication methods that should be used in combination with the other three authentication methods (what you know, what you have, and who you are). These two authentication techniques are important because they increase the security of the system. For example, where you are restricts access to the system based on the logical location of an individual or computer, making hacking difficult and cumbersome unless you are in that same location or at that terminal. What you do restricts an individual to a particular job role, so full information is hard to access and only partial data can be reached in case of a security breach.
Authentication methods also tend to improve as new techniques come up, so these two newer techniques can be seen as more secure than the previous authentication methods: something you know, e.g. a password or PIN, is easier to crack than something you have, e.g. a smart card, which can be overcome by theft, which in turn makes it less secure than something you are, e.g. biometric systems like fingerprint and voice patterns. What you do restricts a person to a particular job role, so only partial information can be accessed if there is a security breach, and where you are restricts access to a system to a particular location, making it harder for someone to break into the systems unless they work from the same location as the authenticated individual.
Examples of authentication methods
What you know: this authentication method utilizes passwords, maiden names, passphrases etc. For example, when you log into your personal computer with your password you are using this technique.
What you have: this method or technique utilizes something that a person has possession of, e.g. a key to a lock. The key is something you have, and as long as you don't lose it or it isn't duplicated, you can be the only one with access. A smart card is another example of what you have; it can be used to gain access to a building, room or system.
Who you are: this technique uses the physical characteristics of an individual, e.g. voice recognition systems, retina patterns, hand geometry etc. An example of this technique is accessing a sensitive military installation using a retina pattern as the authentication method for entering the building.
What you do: this technique involves a task or a specific action that you have to accomplish; it can also be your job role. For example, in online banking systems one can type a passphrase as a means of authenticating oneself and accessing the system. Likewise, in a database system a person can log in and only have access to a particular portion of the database, e.g. a purchasing agent can only access inventory data and not sales or financial data.
Where you are: this authentication technique takes into account where an individual logs in from, i.e. from a certain location or from a certain terminal. For example, if the helpdesk function of AT&T is outsourced to India, then helpdesk workstations should be allowed to access enterprise-wide systems only from India and nowhere else.
IT Internal Controls
July 9, 2008
These are the policies, procedures, practices and organizational structures designed to provide reasonable assurance that an organization's objectives will be achieved and that undesired risks will be prevented, or detected and corrected.
Internal control objectives are statements of the desired results or purposes to be achieved by implementing control procedures.
Control is the means by which control objectives are addressed. The control objectives include:
- Safeguarding of IT assets
- Compliance with corporate policies and legal requirements
- Authorization/input
- Accuracy and completeness of processing of transactions
- Output
- Reliability of process
- Backup/recovery
- Efficiency and economy of operations
Controls can be classified as:
Preventative Controls:
This involves:
- Detecting problems before they arise.
- Monitoring both operational aspects and the input process.
- Attempting to predict potential problems before they occur and making adjustments.
- Preventing an error, omission or malicious act.
Preventative controls include segregation of duties, controlling access to physical facilities, audit checks, and the use of access control software that allows only authorized personnel to access sensitive files.
Detective Controls
These controls report the occurrence of an error, omission or malicious act. They include hash totals, checkpoints in production jobs, the internal audit function, error messages over tape labels, and duplicate checking of calculations.
Corrective Controls
These controls minimize the impact of a threat. They help to identify the cause of a problem and correct the error arising from it. They also help to modify processing systems to minimize future occurrences of the problem.
Examples of these controls are contingency backup procedures and rerun procedures.
The objectives of IS controls include:
- Safeguarding assets: this involves securing information systems from improper access and keeping that information up to date.
- Assuring the integrity of general system environments, including network management.
- Assuring the integrity of sensitive and critical application system environments, including accounting/financial and management information, through:
  - Authorization of inputs.
  - Accuracy and completeness in processing of transactions.
  - Reliability of overall information processing activities.
  - Accuracy, completeness and security of output.
  - Database integrity.
- Ensuring the efficiency and effectiveness of operations.
- Complying with users' requirements and with organizational policies and procedures, as well as laws and regulations.
- Developing business continuity and disaster recovery plans.
- Developing an incident response team.
IT Governance
July 9, 2008
Corporate governance can be defined as ethical corporate behavior by directors, or others charged with governance, in the creation and presentation of wealth.
Corporate governance spells out the rules and procedures for making decisions on corporate affairs. This provides a structure through which company objectives are set, the means of attaining those objectives are defined, and performance is monitored.
IT governance tries to ensure that the organization and its related technology support its resources, i.e. that resources are used responsibly and that risks are managed.
IT has long been considered an integral part of the organization's overall strategy. IT helps achieve this strategy by efficiently and effectively deploying secure and reliable technology. The intent of IT governance is to ensure:
- Integrity of IT systems.
- Inclusion of independent audit.
- Inclusion of appropriate controls for monitoring IT risks, controlling IT assets, compliance with laws and regulations, and records management.
- Enabling the enterprise by exploiting opportunities and maximizing the benefits of IT.
- Ensuring IT resources are used responsibly.
Factors driving IT Governance are:
- Expanding role of IT into corporate/enterprise governance support, strategy initiatives, knowledge management, and privacy/security/continuity.
- Proliferation of technology solutions.
- Increased emphasis on accountability.
- Need to manage the management process.
- Focus on organizational capital, value and balance.
- Rapid advance of technology.
The key elements driving IT Governance are:
- IT strategic planning
- IT control performance
- IT project management
- IT asset management
- IT policies/standards/processes, i.e. corporate, business units, information services.
IT governance is concerned with two issues: that IT delivers value to the business, and that IT risks are mitigated. The first is driven by the strategic alignment of IT with the business; the second is driven by embedding accountability into the enterprise.
IT governance is the responsibility of the Board and Executive management. It is an integral part of the enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives.
A key goal of IT governance is aligning of business and IT to achieve business value.
This key goal is achieved by aligning IT governance frameworks with best practices. Such a framework should be composed of:
- IT governance structures, processes and relational mechanisms.
The key governance practices are:
- IT strategy committee.
- Risk management.
- Standard IT balanced scorecard.
BEST PRACTICES FOR IT GOVERNANCE:
Corporate governance is a set of responsibilities and practices used by an organization's management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and the organization's resources are properly utilized. IT governance is a structure of relationships and processes used to direct and control the enterprise towards the achievement of its goals by adding value while balancing risk versus return over IT and its processes.
IS Audit Process
June 24, 2008
Audit Objectives:
The basic purpose of an IS audit is to identify control objectives and the related controls that address each objective. Audit objectives refer to the specific goals of the audit and center around substantiating that internal controls exist to minimize business risks.
Audit process:
- Plan: this involves assessing the risk, then developing an audit program, i.e. objectives and procedures.
- Obtain evidence.
- Evaluate evidence: this involves evaluating the strengths and weaknesses of controls.
- Prepare and present the report.
- Follow up: this involves corrective action being taken by management.
The basic steps followed in performing an audit include:
- Obtaining and recording an understanding of the audit area/subject.
- Carrying out a risk assessment and a general audit plan/schedule.
- Carrying out detailed audit planning.
- Carrying out a preliminary review of the audit area/subject.
- Evaluating the audit area/subject.
- Compliance testing, i.e. tests of controls.
- Substantive testing.
- Reporting.
- Follow up.
Procedures for testing and evaluating IS controls:
- Use of generalized audit software to survey the contents of data files.
- Use of specialized software to assess parameter files.
- Use of flowcharting techniques for documenting automated applications.
- Use of available audit reports.
An audit program is a set of step-by-step audit procedures and instructions that should be performed to complete an audit. It is a guide to performing and documenting the various audit steps performed and the type and extent of evidential matter to be reviewed.
An audit program provides a trail of the process used and provides accountability for performance.
Audit phases: there are various phases in an audit. These are:
- Audit subject: identify the area to be audited.
- Audit objective: identify the purpose of the audit.
- Audit scope.
- Pre-audit planning.
- Audit procedures and steps for data gathering.
- Procedures for evaluating the tests or reviewing results (organization specific).
- Procedures for communication with management (organization specific).
- Audit report preparation.
Audit Objective
An audit objective identifies the purpose of an audit, e.g. determining that source code changes occur in a well-defined and controlled manner.
Audit Scope:
An audit scope identifies the specific function, system or organizational unit to be included in the review. In the above example, you could check that source code changes occur in a well-defined and controlled manner in a single application, or over a limited period of time, e.g. 3 months.
Pre-audit planning
- This involves identifying the technical skills and resources required.
- Identify sources of information for tests or review, e.g. functional flowcharts, procedures, policies, standards, prior audit papers.
- Identify the locations and facilities to be audited.
Audit Planning
Obtain an understanding of the client by gathering background information about the client, obtaining information about the client's legal obligations, and assessing the acceptability of audit risk and inherent risk.
Audit Procedures and steps for data gathering:
- Identify and select the audit approach to verify and test controls.
- Identify the individuals you want to interview.
- Identify and obtain departmental policies, standards and guidelines for review.
- Develop audit tools and methodology to test and verify controls.
Audit report preparation:
- Identify follow-up review procedures.
- Identify procedures to evaluate/test operational efficiency and effectiveness.
- Identify procedures to test controls.
- Review and evaluate the soundness of documents, policies and procedures.
Fraud Detection
It is management's responsibility to establish, implement and maintain a framework and design of IT controls to meet internal control objectives. A well-designed framework helps to deter fraud and enables the timely detection of fraud.
When it comes to fraud:
- IS auditors should be alert to the possibility of opportunities that allow a fraud to materialize, and should observe and exercise professional care in all aspects of their work.
- IS auditors should have knowledge of fraud indicators, and during audit work they should be alert to the possibility of fraud and errors.
- In case an auditor identifies a major fraud, where the risk associated with detection is high, they should consider communicating it to the audit committee.
- When an IS auditor comes across instances of fraud, or indicators of fraud, he/she should carefully evaluate them and communicate the need for a detailed investigation to the appropriate authorities.
Audit Classification
June 24, 2008
The basic purpose of an IS audit is to identify control objectives and the related controls that address each objective. Audit objectives refer to the specific goals of the audit and center around substantiating that internal controls exist to minimize business risks.
Performing IS Audit
An audit is the process by which an independent, competent person obtains and evaluates evidence regarding an event or economic entity in conformance with an identified set of standards.
Classification of Audits
Audits can be classified as:
Financial Audits: relate to information reliability and integrity and assess the correctness of financial statements. They involve detailed substantive testing.
Operational Audits: designed to evaluate internal controls, like an IS audit of application controls or logical security.
Integrated Audits: include doing both compliance and substantive testing, i.e. of data and controls. They assess the overall objectives related to financial information and the safeguarding of assets.
Administrative Audits: these audits assess issues related to the efficiency and effectiveness of operational productivity within an organization.
IS Audits: this audit collects and evaluates evidence to determine whether an IS and its related resources safeguard assets, maintain data and system integrity, provide relevant and reliable information, and achieve organizational goals effectively and efficiently.
Internal Controls provide reasonable assurance that operational and control objectives will be met.
Specialized Audits:
These are audits done to review services such as those offered by third parties. They follow the professional standards used by a service auditor to assess the internal controls of service organizations.
Forensic Audits:
They specialize in discovering, discussing and following up on fraud and crimes. Forensic audit tools, such as data mapping for security and privacy, risk assessment, and intellectual property for data protection, are being used for prevention, compliance and assurance.