Free Essay

Auditing and Compliance Lab 4

In:

Submitted By theliontamer
Words 1109
Pages 5
1. What is a PHP Remote File Include (RFI) attack, and why are these prevalent in today's Internet world?
RFI stands for Remote File Inclusion that allows the attacker to upload a custom coded/malicious file on a website or server using a script. This vulnerability exploits the poor validation checks in websites and can eventually lead to code execution on server or code execution on website (XSS attack using javascript). RFI is a common vulnerability and all website hacking is not entirely focused on SQL injection. Using RFI you can deface the websites, get access to the server and do almost anything. What makes it more dangerous is that you only need to have your common sense and basic knowledge of PHP to execute this one.

2. What country is the top host of SQL Injection and SQL Slammer infections? Why can't the US Government do anything to prevent these injection attacks and infections?
The U.S. is the top host of SQL Injection and SQL Slammer infections. Cybercriminals have made vast improvements to their infrastructure over the last few years. Its expansion is thousands of websites vulnerable to SQL Injections. Malicious code writers have exploited these vulnerabilities to distribute malware so quick that the government cannot contain such a large quantity.

3. What does it mean to have a policy of Nondisclosure in an organization?
It is a contract where the parties agree not to disclose information covered by the agreement. It outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties.

4. What Trends were tracked when it came to Malicious Code in 2009 by the Symantec Report researched during this lab?
DoS attacks are always common, however targeted attacks using advanced persistent threats (SPT) that occurred in 2009 made headlines.

5. What is Phishing? Describe what a typical Phishing attacks attempt to accomplish?
Phishing is a term used to describe various scams that use fraudulent e-mail messages, sent by criminals, to trick you into divulging personal information. The criminals use this information to steal your identity, rob your bank account, or take over your computer. Counterfeit web sites, using “hijacked” company brands and logos, are created to lure you into revealing information you would not want to be public knowledge.

6. What is the Zero Day Initiative? Do you think this is valuable, and would you participate if you were the managing partner in a large firm?
A program for rewarding security researchers for responsibly disclosing vulnerabilities. It is valuable for firms in that vulnerabilities are shared so that they can be mitigated before more harm can be done.

7. What is a Server Side Include (SSI)? What are the ramifications if an SSI exploit is successful?
The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields. This can lead to access and manipulation of file system and process under the permission of the web server process owner.

8. According to the Tipping Point Report researched in this lab, how do SMB attacks measure up to HTTP attacks in the recent past?
In contrast to HTTP attacks, attacks against the SMB protocol, which is the foundation of countless file shares, has dropped over the sampled time period. This supports the premise that attackers are shifting their concentration away from underlying computer protocols and on to Web applications, because they represent a more lucrative and easier target. 9. According to the Tipping Point Report, what are some of the PHP RFI payload effects DVLabs has detected this year?
Password brute force, E-mail/MMS Spam relay, Network flood, Malware dropper, Botnet member, Recon and re-infection

10. Explain the steps it takes to execute a Malicious PDF Attack as described in the Tipping Point Report?
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the AcroPDF ActiveX control. The issue lies in the messageHandler property of the control. By manipulating the messageHandler's attributes an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.

11. What is a Zero Day attack and how does this relate to an organization's vulnerability window?
A zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch. It is called a "zero-day" because the programmer has had zero days to fix the flaw. 12. How can you mitigate the risk from users and employees from clicking on an embedded URL link or e-mail attachment from unknown sources?
Continue with the controls that the government organization already has in place to combat malicious e-mail. Connect to the Internet via a Trusted Internet Connection. Take measures to protect the actual PCs used by users. Use tools to monitor user behavior so that a check can be made on whether policy is being observed. Install the latest web browsers on PCs; they are likely to have better security controls than older browsers. Make users aware of the risks involved and give them examples of the types of attack. Make users aware of the organization’s AUP. Make users aware of the legal issues. Repeat awareness development and training at regular intervals.

13. When auditing an organization for compliance, what role does IT security policies and an IT security policy framework play in the compliance audit?
Since IT systems are used to generate, change, house and transport that data, IT personnel have to build the controls that ensure the information stands up to audit scrutiny. Policies determine what data is to be stored, who has access to the data, and how and where it is stored.

14. When performing a security assessment, why is it a good idea to examine compliance in separate compartments like the seven domains of an IT infrastructure?
Each domain has different degrees of risk that require different mitigation solutions. Each domain will have different standards to meet compliance requirements.

15. True or False. Auditing for compliance and performing security assessments to achieve compliance requires a checklist of compliance requirements.
True

Similar Documents

Premium Essay

Audit

...Student Lab Manual © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LL NOT FOR SALE OR DISTRIBUT © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION Student Lab Manual © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LL NOT FOR SALE OR DISTRIBUT Auditing IT Infrastructures for Compliance © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION IS4680 © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LL NOT FOR SALE OR DISTRIBUT © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett©Learning, LLC Learning, LLC, an Ascend Learning Company Bartlett Current Version Date: 11/21/2011 © Jones & Learning, LLC Copyright 2013 by Jones & Bartlett www.jblearning.com! NOT FOR SALE OR DISTRIBUTION ...

Words: 30948 - Pages: 124

Free Essay

Auditing It Infrastructures for Compliance

...and combine them into one final report. These reports will consist of: - The two auditing frameworks or hardening guidelines / security checklists used by the DoD. - How a security assessment addressing modern day risks, threats, and vulnerabilities throughout the 7-domains of a typical IT infrastructure can help an organization achieve compliance. - How to gather and obtain needed information to perform a GLBA Financial Privacy & Safeguards Rules compliance audit and what must be covered. - The top workstation domain risks, threats, and vulnerabilities which will not only include possible causes, but mitigations as to prevent these issues from happening. - The top LAN – to – WAN risks, threats, and vulnerabilities which will not only include possible causes, but mitigations as to how we can prevent these issues from happening. - The top Remote Access Domain risks, threats, and vulnerabilities as well as ways to mitigate these types of issues. - The top Systems / Application Domain risks, threats, and vulnerabilities as well as ways to mitigate these types of issues. Part 1: Purpose: The purpose of part 1 for this lab is to develop an executive summary in regards to either the two auditing frameworks or hardening guidelines/security checklists used by the DoD. For this, I have chosen to discuss the two auditing frameworks. Background: A little background about the AF (Auditing Framework) for the DoD is that it provides a foundation for developing and representing...

Words: 2140 - Pages: 9

Premium Essay

Audit

...Auditing Standard 5: Information Technology General Controls Testing This assignment addresses Objective 1: Overall Security, in Chapter 11: Auditing Computer-based Information Systems. It requires testing some form of access authorization control, typically called an IT General Control (IT GC). You will find posted on the course site AS 5 PowerPoint presentation. Please review as you do this assignment. Chapter 11 also plays a part in this assignment. Required: A. Select a resource that is subject to access authorization control to access a resource. The resource can be anything, including hard assets or soft (information) assets. Also, it could be a non-financial or financial (accounting) resource. Examples: Access to a dorm or an apartment building, access to controlled parking lots, buildings (such as a hospital, especially outside normal hours of operation, including weekends), cafeteria, a controlled ATM facility, library or lab facilities, computer operating room, a restricted event, class rooms (such as BA 111), fitness center. It could even be something quite unique. For example, on the back of my credit card, in place of the signature, I have “Request ID.” I could track all charge card transactions and track failures to ask for my ID, that is, incidences where I used the card but the provider of products or services did not request my ID (some businesses do not care if the charge is less than $25). Another example: Compliance test of a check on...

Words: 880 - Pages: 4

Premium Essay

Chemical Inventory Management

...Chemical Inventory Management System David Acker Auburn University Risk management and Safety Abstract Managing chemical inventories at colleges and universities is one of today’s major challenges for higher education. This is especially true for large, diverse, research-oriented institutions like Auburn University. Knowing what chemicals are on site, their hazard potential, who is responsible for them, and where they are located is essential to maintaining a safe campus. Additionally, Federal and State regulations dealing with hazardous waste, chemical security, and emergency preparedness have become more stringent in recent years, requiring greater accountability from colleges and universities. These safety and regulatory compliance imperatives, along with issues of environmental sustainability and cost containment, drive the need for effective chemical inventory management in the university environment. In order to achieve effective chemical inventory management at Auburn University, Risk Management and Safety (RMS) has implemented a Chemical Inventory Management System (CIMS). The technological core of the CIMS is a chemical tracking database that provides realtime, discreet (to the individual container) monitoring of chemical inventories. The database has the capacity to accurately link the chemical container to hazard data, location, user, and acquisition date. Personnel, equipment, and budgetary resources were required to support the implementation phase, and ongoing...

Words: 4990 - Pages: 20

Premium Essay

Dfhdfh

...| |  | | |[pic]www.csudh.edu | | |[pic] | |[pic] |College of Natural and Behavioral Sciences | | |Department of Computer Science | | |http://csc.csudh.edu | |Course Title: |Communication Systems Security | |Course Number: |CTC 362 | |Instructor Name: | Mehrdad S. sharbaf, ph.d. msharbaf@csudh.edu, Office: tba, phone: tba, office Hours: tba | |Date: |Spring Semester, 2016 | |Course Length: ...

Words: 1433 - Pages: 6

Premium Essay

Le Vlademe Eh

... Students have two options. They can order from the EPCC campus bookstore, or they can order from the publishers shopping portal (www.shopjblearning.com). Below are the bundle breakdowns and options: OPTION 1: Purchase at EPCC Bookstore: Printed Access Code (For Bookstore) Print Bundle: a. Print Text + Virtual Lab Access/eLab Manual ISBN: 978-1-284-07445-1 Bookstore sets student price: eBundle: a. eBook Rental + Virtual Lab Access/eLab Manual ISBN: 978-1-284-07444-4 Bookstore sets student price: OPTION 2: JONES & BARTLETT: E-mailed Access Code (For Student). Students can go to: www.shopjblearning.com, enter the ISBN in the Search field, and then Add to Cart- proceeding through the checkout process. Print Bundle: b. Print Text + Virtual Lab Access/eLab Manual ISBN: 978-1-284-07440-6 Approx. cost to the student: $170 eBundle: b. eBook Rental + Virtual Lab Access/eLab Manual ISBN: 978-1-284-07439-0 Approx. cost to the student: $150 c. Virtual Lab Access/eLab Manual ONLY ISBN: 978-1-284-07446-8 Approx. cost to the student: $117 B. Required Materials 1. Internet Access to utilize the online Virtual Lab Environment. 2. USB Flash Drive– minimum 4GB (Gigabyte).(Note: You do not...

Words: 1345 - Pages: 6

Premium Essay

Research

...Unit 8 Lab 8: Auditing the Remote Access Domain for Compliance Larry Sanchez IS4680 5/12/2014 Remote Access Domain, when using this you are access resources that our outside you organizational resources to access your organizations network. A lot of this accessing of resources compromises of sensitive data. This makes it a lot more accessible to attackers or hackers due to the perimeter of the network being so far extended and the attackers or hackers could be able to find a breach in the network perimeter. Having a weak VPN that has no layers of security can and will give hackers or attackers the window of opportunity that they need to get to our network. We need to watch what kind of software that our user's are using. If our remote users are using different software than what we have at our company headquarters than there could be a possible risk. The software can be suspicious, especially if the user downloaded it from the Internet. the software in question could lead to incoming viruses and worms that can affect our network. This can create holes in the security that has been set up. Configuration settings can lead a user to let in viruses and worms also. If the remote user does know how to set up their configuration settings on their machines than anything that they send or receive can be a potential risk, threat, and vulnerability to our network. Once an employee takes their laptop home they are no longer protected by the organizations firewalls. This can...

Words: 716 - Pages: 3

Premium Essay

Student

...Auditing 1/26/15 Enron Enron began as Northern Natural Gas in 1932. In 1979 the company reorganized and became InterNorth. InterNorth was in the business of creating energy products such as natural gas and plastics. Later InterNorth merged into what was known as Enron with the new CEO Kenneth Lay running the show. He then began moving the headquarters to Houston, where they began selling off assets to limit their losses initially. The misleading financial accounts began when Jeffrey Skilling wanting to hide their losses. He and Andrew Fastow used special purpose entities to off load liabilities to those company to keep their main business looking as if they were profiting. Which intern made them look as though their business is successful and made their stocks increase because investors saw that the business was profiting not failing. A way that they were able to show the company as profitable was transferring debits and losses to offshore businesses that made it look as though on the books they were profiting and to make those unprofitable parts of the company disappear into an offshore business. To hide their losses in the trading business Skilling used mark-to-market accounting. Mark-to-market accounting is used in the security business but what Skilling did was use it for everyday business. Doing this let them write out what they thought a certain venture would be making in the future, without having to have actually made a dime. This let Enron show on the books...

Words: 2227 - Pages: 9

Premium Essay

Test

...ITT Technical Institute IS3340 Windows Security Onsite Course SYLLABUS Credit hours: 4.5 Contact/Instructional hours: 60 (30 Theory Hours, 30 Lab Hours) Prerequisite(s) and/or Corequisite(s): Prerequisite: NT2580 Introduction to Information Security or equivalent Course Description: This course examines security implementations for a variety of Windows platforms and applications. Areas of study include analysis of the security architecture of Windows systems. Students will identify and examine security risks and apply tools and methods to address security issues in the Windows environment. Windows Security Syllabus Where Does This Course Belong? This course is required for the Bachelor of Science in Information Systems Security program. This program covers the following core areas:    Foundational Courses Technical Courses BSISS Project The following diagram demonstrates how this course fits in the program:    IS4799 NT2799 IS4670 ISC Capstone Project Capstone ProjectCybercrime Forensics NSA    NT2580 NT2670  Introduction to  Information Security IS4680 IS4560 NT2580 NT2670 Email and Web Services Hacking and Introduction to  Security Auditing for Compliance Countermeasures Information Security Email and Web Services      NT1230 NT1330 Client-Server Client-Server  Networking I Networking II  IS3230 IS3350 NT1230 NT1330  Issues Client-Server Client-Server  SecurityContext in Legal Access Security Networking I Networking II   NT1110...

Words: 2305 - Pages: 10

Premium Essay

It255

...ITT Technical Institute IT255 Introduction to Information Systems Security Onsite Course SYLLABUS Credit hours: 4 Contact/Instructional hours: 50 (30 Theory Hours, 20 Lab Hours) Prerequisite(s) and/or Corequisite(s): Prerequisites: IT220 Network Standards and Protocols, IT221 Microsoft Network Operating System I, IT250 Linux Operating System Course Description: This course provides an overview of security challenges and strategies of counter measures in the information systems environment. Topics include definition of terms, concepts, elements, and goals incorporating industry standards and practices with a focus on availability, vulnerability, integrity and confidentiality aspects of information systems. Introduction to Information Systems Security Syllabus Where Does This Course Belong? This course is required for the Bachelor of Science in Information Systems Security program. This program covers the following core areas:    Foundational Courses Technical Courses BSISS Project The following diagram demonstrates how this course fits in the program: IS427 Information Systems Security Capstone Project 400 Level IS404 Access Control, Authentication & KPI IS411 Security Policies & Implementation Issues IS415 System Forensics Investigation & Response IS416 Securing Windows Platforms & Applications IS418 Securing Linux Platforms & Applications IS421 Legal & Security Issues IS423 Securing Windows Platforms & Applications ...

Words: 4114 - Pages: 17

Premium Essay

Database Security and Hipaa

...personnel, nurses, doctors, insurance agents, case managers and many more. The Health/Insurance Portability and Accountability Act of 1996 (HIPAA) was created to safeguard patients’ medical data security and privacy. HIPAA incorporates requirements that allow for a comprehensive review that will show anyone who has looked at confidential medical patient information. HIPAA is structured to provide a complete security access and auditing for Oracle database information. This framework designates data access points such as User Access Control, System Administration, Object Access and Data Changes that should be monitored and controlled. An accurate HIPAA compliant security execution assures all such access areas are plainly outlined and that applicable security measures along with audit controls are in place. This paper will review and describe these controls as they apply to an Oracle database instance used for medical data. Keywords: HIPAA database, database encryption requirements, database, database security requirements, database design, database compliance, database...

Words: 4360 - Pages: 18

Premium Essay

Task 4

... Task 4 | | | Monica DeWitt | | | Current Compliance Status The hospital is compliant in with the National Patient Safety Goals (NPSG) in the following areas: staff is using 2 identifiers when providing care, correctly transfusing patients, maintaining a healthy patient care environment by complying with the Center for Disease Control (CDC) and World Health Organization (WHO) hand hygiene guidelines, continuing evidence-based best practice to prevent or reduce the risk of catheter-associated urinary tract infections (CAUTI), identifying patients at risk for suicide. Within the rest of the accreditation requirements the facility was compliant with the following elements: EM-emergency management HR-Human Resources IC-Infection Prevention and Control IM-Information Management MS-Medical Staff PI-Performance Improvement RI-Rights and Responsibilities of the Individual TS-Transplant Safety Trends of noncompliance within the healthcare system From the list of recorded finding there are several trends identified in which the hospital is will need to address to meet the Joint Commission (JC) standards. The list is divided into direct and indirect impact. There are 4 indirect impact issues that need to be addressed and 1 direct impact issue. Indirect Impact Trends Verbal Orders-Verbal orders are not being authenticated within the 48 hours on several units. The hospital audits should show a 100% compliance regarding verbal orders. The...

Words: 1189 - Pages: 5

Premium Essay

Intro to Information Security Notes

...manageable Vulnerabilities can be mitigated All affect the CIA triad Not all threats are intentional Confidentiality, integrity, accessibility = CIA Starting on pg 161 DAC- only as secure as the individuals understanding. Access determined by owner. MAC- access determined by data classification itself. data itself has a classification. Need to be cleared to the level of the data security. Also has a “need to know” aspect to it. Non DAC- third party determines the permissions. Role based- pg 166. Access determined on the job of the user. Rule based- variation of DAC. Rules are created and access is based on the rules created. Week of 4/17/13 Starts on pg 146 Project- search SSCP CBK on the library under 24/7 Each of the 7 domains, vulnerabilities in each, security used in each to control, For lab 5--- Make 4 types of connections. 2 secure 2 not secure. telnet, securenet, ssh, and ftp. Will need 3 machines. Student, Target, ubuntu 1 Wireshark setting to capture a file in promiscuous mode on student. Do an FTP to target windows. Command prompt from student to ubuntu. Try to log in. Do questions. Question 9, focus on SSH and what traffic you are getting. Assignments— Week of 5/1/13 Acronyms- Pg263 BCP- Business Continuity Plan DRP- Disaster Recovery Plan Pg266 BIA- Business Impact analysis Pg256 SRE ARO ALE Pg258 Dealing with risk BCP A plan designed to help an organization continue to operate during and after a disruption Covers...

Words: 907 - Pages: 4

Premium Essay

Business Law

...Riordan Corporate Compliance Plan LAW/531 June 11, 2012 James Mc Phail Riordan Corporate Compliance Plan Riordan Manufacturing, Inc. Riordan Manufacturing is a global and international company that produces and sells plastic parts for the beverage manufacturing industry, automotive industry, aircraft manufacturers, and fan manufacturers. Riordan owns four major facilities in the United States Albany, Pontiac, Michigan, and Georgia. In addition, one joint venture located in China, in the town of Hangzhou. Riordan headquartered in San Jose, California is responsible for the creation of new designs, research, and development. The company employs 550 people worldwide, with annual earnings of $46 million. Enterprise liability Riordan currently maintains a corporate compliance plan. However, the company should improve the governance system to manage, control, and protect the company stakeholder’s assets efficiently against potential legal threats. Riordan should implement a strong corporate governance meeting structure that will allow conformance and compliance of new regulations and legal requirements. The implementation of procedures and corporate policies will help the employees to focus and will prevent compliance violations. Both officers and employees must comply with applicable laws and guidelines provided in the corporate policies. Regular reviews of the following governance committees will help to manage the liability of the directors...

Words: 2043 - Pages: 9

Premium Essay

Seeking Help

...IT255 Introduction to Information Systems Security [Onsite] Course Description: This course provides an overview of security challenges and strategies of counter measures in the information systems environment. Topics include definition of terms, concepts, elements, and goals incorporating industry standards and practices with a focus on availability, vulnerability, integrity and confidentiality aspects of information systems. Prerequisite(s) and/or Corequisite(s): Prerequisites: IT220 Network Standards and Protocols, IT221 Microsoft Network Operating System I, IT250 Linux Operating System Credit hours: 4 Contact hours: 50 (30 Theory Hours, 20 Lab Hours) Introduction to Information Systems Security Syllabus Where Does This Course Belong? This course is required for the Bachelor of Science in Information Systems Security program. This program covers the following core areas:    Foundational Courses Technical Courses BSISS Project The following diagram demonstrates how this course fits in the program: IS427 Information Systems Security 400 Level Capstone Project IS418 IS404 Access Control, Authentication & KPI IS421 Legal & Security Issues IS423 Securing Windows Platforms & Applications IS411 Security Policies & Implementation Issues IS415 System Forensics Investigation & Response IS416 Securing Windows Platforms & Applications Securing Linux Platforms & Applications 300 Level IS305 Managing Risk in Information Systems ...

Words: 4296 - Pages: 18