Network and Telecommunications Audit


Network and Telecommunications Audit (revised 2014)

Why do we need to audit the network?
- Proliferation of computers
- Increased integration of systems
- Ramifications of network failure
CISB424, Sulfeeza

Network Vulnerabilities
Three primary areas in which a network may be vulnerable:
- Interception of data transmitted over the network
- Availability of communications for operations
- Unauthorized access through entry points

Network Vulnerabilities

Risks related to failures in network security
- Loss of reputation
- Loss of confidentiality
- Loss of information integrity
- User authentication failure
- System unavailability

1. Loss of Reputation

Controls that can be implemented to reduce the risks of network failure
Interception of data:
- Good physical and logical security of network infrastructure and equipment (e.g. firewall)
- Encryption (e.g. digital certificates, digital signatures)

Controls that can be implemented to reduce the risks of network failure
Availability of communications:
- Good network architecture and monitoring, to ensure that between every resource and an access point there are redundant paths and automatic routing that switches traffic to an available path (in case of communication failure) without loss of data or time.
- Every component in the network needs to be fault-tolerant or built with suitable redundancy.
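The redundant-path requirement above can be checked mechanically from a network diagram. The following is an added example, not part of the original slides: it takes a constructed link list (all host and link names are illustrative assumptions) and, for each resource, reports every single link whose failure would cut the resource off from the access point. A resource with an empty list has at least two link-disjoint paths; a non-empty list names the single points of failure an auditor would raise.

```python
from collections import defaultdict, deque

# Constructed sample topology: undirected links between named nodes.
# Names and layout are assumptions for the example, not a real network.
TOPOLOGY = [
    ("access-point", "core-1"), ("access-point", "core-2"),
    ("core-1", "dist-1"), ("core-2", "dist-1"),
    ("core-1", "db-server"), ("core-2", "db-server"),
    ("dist-1", "file-server"),          # only one link into file-server
]


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def reachable(graph, src, dst, removed_links=frozenset()):
    """Breadth-first search from src to dst, ignoring any link in removed_links."""
    seen = {src}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph[node]:
            if nxt in seen or frozenset((node, nxt)) in removed_links:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return False


def single_points_of_failure(edges, access_point, resource):
    """Return the links whose individual loss disconnects resource from access_point.
    Returns None when the resource is not reachable even with every link up."""
    graph = build_graph(edges)
    if not reachable(graph, access_point, resource):
        return None
    spof = []
    for a, b in edges:                      # simulate each single link failure
        if not reachable(graph, access_point, resource, {frozenset((a, b))}):
            spof.append((a, b))
    return spof


def audit_redundancy(edges, access_point, resources):
    """Map each resource to its list of single points of failure."""
    return {r: single_points_of_failure(edges, access_point, r) for r in resources}


if __name__ == "__main__":
    for resource, spof in audit_redundancy(TOPOLOGY, "access-point",
                                           ["db-server", "file-server"]).items():
        status = "redundant" if spof == [] else f"single point(s) of failure: {spof}"
        print(f"{resource}: {status}")
```

Only link failures are simulated here; extending the check to node failures (a core switch going down) means removing every link attached to a node at once, which the same search supports by passing all of that node's links in `removed_links`.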

Controls that can be implemented to reduce the risks of network failure
Unauthorized access:
- Limit the type of traffic that can come into or go out of the network
- Limit the origin and destination of the traffic (e.g. allow traffic only from systems with specific addresses)
- Install appropriate intrusion-detection systems
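The three controls above amount to a default-deny allowlist keyed on direction, type of traffic and origin/destination, plus alerting on whatever falls outside it. As an added example (not from the original slides), the code below encodes such an allowlist with the standard `ipaddress` module and evaluates constructed flow records against it; the addresses, ports and rules are assumptions chosen for illustration. Flows that match no rule are denied and returned as the list an intrusion-detection or logging step would raise.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                   # "in" (entering the network) or "out" (leaving it)
    src: ipaddress.IPv4Network       # permitted origin
    dst: ipaddress.IPv4Network       # permitted destination
    proto: str                       # traffic type: "tcp" or "udp"
    dport: Optional[int]             # destination port; None means any port


def net(cidr):
    return ipaddress.ip_network(cidr)


# Constructed allowlist. Assumption: 10.0.0.0/8 is the internal network,
# 203.0.113.0/24 is a partner range and 198.51.100.53 an external resolver.
RULES = [
    Rule("in",  net("0.0.0.0/0"),      net("10.0.1.10/32"),     "tcp", 443),  # public web server
    Rule("in",  net("203.0.113.0/24"), net("10.0.1.20/32"),     "tcp", 22),   # SSH only from partner
    Rule("out", net("10.0.0.0/8"),     net("0.0.0.0/0"),        "tcp", 443),  # outbound HTTPS
    Rule("out", net("10.0.0.0/8"),     net("198.51.100.53/32"), "udp", 53),   # DNS to one resolver
]


def parse_flow(line):
    """Parse a constructed flow record: '<direction> <src> <dst> <proto> <dport>'."""
    direction, src, dst, proto, dport = line.split()
    return {"direction": direction, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": int(dport)}


def is_allowed(flow, rules=RULES):
    """Default deny: a flow passes only if some rule matches every field."""
    for r in rules:
        if (r.direction == flow["direction"] and flow["src"] in r.src
                and flow["dst"] in r.dst and r.proto == flow["proto"]
                and (r.dport is None or r.dport == flow["dport"])):
            return True
    return False


def review_flows(lines, rules=RULES):
    """Return the raw records that the allowlist would block (material for alerting)."""
    return [line for line in lines if not is_allowed(parse_flow(line), rules)]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "in 198.51.100.7 10.0.1.10 tcp 443",   # public HTTPS: allowed
    "in 198.51.100.7 10.0.1.20 tcp 22",    # SSH from a non-partner origin: denied
    "out 10.0.2.5 192.0.2.9 tcp 443",      # outbound HTTPS: allowed
    "out 10.0.2.5 192.0.2.9 tcp 25",       # outbound SMTP not in allowlist: denied
    "in 203.0.113.4 10.0.1.20 tcp 22",     # SSH from the partner range: allowed
]

if __name__ == "__main__":
    for record in review_flows(SAMPLE_FLOWS):
        print("DENY", record)
```

Because the policy is default deny, adding a rule is the only way to open a path, which keeps the allowlist itself a reviewable artifact during an audit.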

Auditing Network Security
Steps for IT auditors:
- What is the network?
- What are the critical information assets in the network?
- Who has access?
- What are the connections to the external network?

Auditing Network Security
What is the network?
- Review the extent of the network by examining the network diagram
- Assess the adequacy and accuracy of the network diagram
- Ascertain what processes exist to update and maintain the network diagram

Auditing Network Security
What are the critical information assets in the network?
- Identify the critical assets, systems and services that need to be secured
- Assess whether a systematic risk assessment has been adopted

Auditing Network Security
Who has access?
- Identify who has access, and for what purpose
- Assess the adequacy of the access privileges granted
- Assess the impact of the granted access privileges on network security

Auditing Network Security
What are the connections to the external network?
- Assess the security impact of connections to external networks
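The four audit steps above (diagram accuracy, critical assets, access and external connections) can be turned into checks over the auditor's working papers. The following is an added example and not part of the original slides: every host, user, grant and connection in it is constructed for illustration, and the three checks are assumptions about what an auditor would flag, namely hosts missing from or stale in the diagram, grants to critical assets without a documented purpose or outside the approved roles, and unreviewed external connections that reach a critical asset.

```python
# Constructed working papers for the example (all values are illustrative).
DIAGRAM_HOSTS = {            # what the network diagram claims exists
    "10.0.1.10": "web-server",
    "10.0.1.20": "db-server",
    "10.0.1.30": "file-server",
}
DISCOVERED_HOSTS = {"10.0.1.10", "10.0.1.20", "10.0.1.40"}   # e.g. from an address table

CRITICAL_ASSETS = {"db-server"}                              # from the risk assessment
APPROVED_ROLES = {"db-server": {"dba"}}                      # roles the asset owner approved

ACCESS_GRANTS = [
    {"user": "alice", "asset": "db-server",  "role": "dba",    "purpose": "database administration"},
    {"user": "bob",   "asset": "db-server",  "role": "admin",  "purpose": ""},
    {"user": "carol", "asset": "web-server", "role": "reader", "purpose": "content updates"},
]

EXTERNAL_CONNECTIONS = [
    {"name": "partner-vpn", "remote": "203.0.113.0/24", "reaches": {"db-server"},  "reviewed": False},
    {"name": "public-web",  "remote": "0.0.0.0/0",      "reaches": {"web-server"}, "reviewed": True},
]


def diagram_findings(diagram, discovered):
    """Step 1: does the diagram match what is actually on the network?"""
    findings = []
    for addr in sorted(discovered - diagram.keys()):
        findings.append(f"host {addr} is live but absent from the network diagram")
    for addr in sorted(diagram.keys() - discovered):
        findings.append(f"diagram lists {diagram[addr]} ({addr}) but it was not observed")
    return findings


def access_findings(grants, critical, approved_roles):
    """Steps 2 and 3: are privileges on critical assets justified and within approved roles?"""
    findings = []
    for g in grants:
        if g["asset"] not in critical:
            continue
        if not g["purpose"]:
            findings.append(f"{g['user']} has {g['role']} on {g['asset']} with no documented purpose")
        if g["role"] not in approved_roles.get(g["asset"], set()):
            findings.append(f"{g['user']} holds unapproved role {g['role']} on {g['asset']}")
    return findings


def external_findings(connections, critical):
    """Step 4: which external connections reach critical assets without a security review?"""
    return [f"external connection {c['name']} ({c['remote']}) reaches "
            f"{sorted(c['reaches'] & critical)} and has not been reviewed"
            for c in connections if c["reaches"] & critical and not c["reviewed"]]


def run_audit():
    """Collect all findings keyed by audit step."""
    return {
        "diagram": diagram_findings(DIAGRAM_HOSTS, DISCOVERED_HOSTS),
        "access": access_findings(ACCESS_GRANTS, CRITICAL_ASSETS, APPROVED_ROLES),
        "external": external_findings(EXTERNAL_CONNECTIONS, CRITICAL_ASSETS),
    }


if __name__ == "__main__":
    for step, items in run_audit().items():
        print(f"[{step}] {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Each function takes its inputs as parameters so the same checks can be re-run against the next period's working papers, which is what makes the diagram-maintenance process in the slides auditable rather than a one-off question.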

Social Engineering
An example of one of the common threats to network security.
Definitions:
- Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. (Source: http://en.wikipedia.org/wiki/Social_engineering_(security))
- Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. (Source: http://searchsecurity.techtarget.com/definition/social-engineering)

Common social engineering attacks
- Email from a friend
- Phishing attempts
- Baiting scenarios
- Creating distrust
- Social engineering tips

A Sample Case
In 2007, a mystery man who remains at large burgled safety deposit boxes at an ABN Amro bank in Belgium, stealing diamonds and other gems weighing 120,000 carats in all. He visited the bank during regular business hours, overcame all of the bank's exceptional security mechanisms, and walked right out the door with €21 million (roughly $27.9 million at the time) worth of gemstones with no one the wiser, using absolutely no technology whatsoever.
"He used one weapon -- and that is his charm -- to gain confidence," Philip Claes, spokesman for the Diamond High Council, said at the time. "He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original of keys to make copies and got information on where the diamonds were."
"You can have all the safety and security you want," said Claes, "but if someone uses their charm to mislead people it won't help."