Hello and welcome to this session, in which we will discuss, in the context of IT systems, the three main types of controls used to make sure a system is secure and has integrity: preventive controls, detective controls and corrective controls. We're going to look at some common preventive controls; then specifically we will discuss something called the time-based security model, and then defense in depth, both under preventive controls. Under detective controls we will discuss intrusion detection systems (IDSs), log monitoring, security audits and security testing. Under corrective controls we will look at restoring data from backups, reviewing security policies, the computer emergency response team (CERT), and patching systems, or patch management. We're going to explain each one of these controls: what's preventive, detective and corrective.

Before we proceed any further, I have a public announcement about my company, farhatlectures.com. Farhat Accounting Lectures is a supplemental educational tool that's going to help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleim, Miles. My accounting courses are aligned with your accounting courses, broken down by chapter and topic. My resources consist of lectures, multiple choice questions, true/false questions as well as exercises. Go ahead, start your free trial today: no obligation, no credit card required.

Starting with preventive controls. What are preventive controls? Preventive controls are in place to avoid a security incident happening from the get-go. You don't want the security incident to happen and then deal with it, so you implement what's called preventive controls. Those are proactive measures: you are not waiting for something to happen, you are taking action to prevent unauthorized access, unauthorized modification or destruction of data. What are some common tools? Well, you could have a firewall protecting your network; access control, making sure the people who are accessing the system are legitimate; security policies and procedures; encryption, so that in case messages are intercepted, or somebody was able to access your data, they cannot read it because it's encrypted; and obviously you want to train your people, the employees, on how to protect the system.

Now, to ensure effective control, preventive procedures must be supplemented. You might have preventive procedures, but you really want to supplement them with measures for incident detection and procedures for taking corrective action. Why do you want these additional resources? Because it's important to note that any system, given sufficient time and resources, can be penetrated. If you give someone enough time and resources, someone is going to access your system, so make sure you're aware of this. This is why detection and correction are crucial, especially in the context of information systems. Preventive controls are good, but somebody can always get to your system, and once they get to your system you have to have some other procedures. Once preventive controls are breached, it takes very little time to compromise, steal or destroy the organization's economic and informational resources.

So what do we have to do? We implement a preventive measure called the time-based security model. Remember, given enough time the intruder gets in, so you don't want to give the intruders enough time. In the time-based security model, the effectiveness of security is evaluated by analyzing the relationship between three variables, all of them times. P is the amount of time an attacker takes to breach the preventive controls. D is the time it takes us to detect an ongoing attack. C is the time it takes us to respond to that attack. So three variables: P, how long it's going to take the intruder to penetrate the system; D, how long it's going to take us to detect it; and C, how long it's going to take us to correct the problem, find out what the issue is and basically counter the attack. To determine the effectiveness of a security procedure, we have to make sure P is greater than the sum of D and C (P > D + C). Simply put, the first one has to take more time than the second and third combined. If that's the case, the system is considered effective. If that's not the case, if they can get in quickly without us detecting them and without us responding, it's too late.

Suppose, for instance, it takes a hacker 30 minutes to breach the system. On our end, it may take us 8 minutes to detect the problem: as they are working, it took us 8 minutes to find out someone is attacking us, and another 15 minutes to figure out what we need to do. Well, guess what, the attacker will not have enough time to breach our preventive measures. As long as this amount, P = 30 minutes, is greater than the sum of D and C, we are in good shape, in the sense that the intruder will not be able to achieve their objective, so our security procedures are effective.

Then we have, as another preventive measure, something called defense in depth. What is defense in depth? Defense in depth means building layers upon layers of security protection to protect your computer system and your network. What's the assumption here? The assumption is that if one layer is breached, there are still other layers in place to prevent an attack. If you have only one layer, well, then you're done; but if you have more than one layer, there are other layers in place, basically redundancies, making sure that if plan A failed you have a plan B to defend your system. So you have other layers in place to prevent an attacker from gaining access to sensitive information or causing any damage. The assumption is that no single security measure is foolproof, and that's true; relying on a single point is not sufficient, therefore you have redundancies against sophisticated and determined attackers.

Some examples of this: first you have to have physical security measures, because you don't want anybody to get physically to your system: locks, security cameras, security personnel and access control systems, to control access to physical assets so that the people accessing them are legitimate. Perimeter security measures, firewalls and intrusion prevention systems, to protect against unauthorized access from outside the network. Endpoint security measures such as antivirus software and host intrusion prevention, to protect against malware and other threats that originate from within the network: once they are in, you have antivirus software, so you don't let them sit in your system and install any malware. Network security, encryption and virtual private networks, to protect data as it travels through the network, because when you're sending data you want to make sure that's all protected too. Notice you're not only physically protecting the system or having perimeter security measures; you have other security measures also. And for each application you would have security measures: secure coding practices and input validation, to protect against attacks that could exploit vulnerabilities in the software application itself. If they penetrated the system, at least the last defense may be the application. So you take many measures: if they penetrated one layer, you have another defense, and another defense, and so on and so forth. Those are preventive measures.

Detective measures take place after your system has been penetrated. Now what you do is identify the potential security incident that already occurred; now you are detecting it, it already happened. These controls are designed to detect unauthorized access or activity, and they help to identify any potential threat before it causes significant damage. Now they're in, but you want to detect them as soon as possible. What are some examples? Intrusion detection systems, log monitoring and security audits.

Starting with IDSs: those are software or hardware systems designed to constantly monitor the network and the system for signs of unauthorized access or malicious activity. They're just waiting inside your system, watching whether there is any activity going on. They try to detect patterns of activity that are indicative of an attack: for example, they would see unusual activity and look at it, such as port scanning, brute-force attacks (many attempts against you at the same time), or the use of known malware. They'll have a system so that as soon as a known malware is there, they detect it immediately, because it's known. The problem is when the malware is not known; then they don't detect it, because they don't think that's an issue. The IDS can be configured to trigger alerts, so once something happens they will alert you, generate reports, or take action to respond to detected threats. Sometimes they may produce false reports; not a big deal, but you want to make sure you're secure. IDSs can be either host-based, meaning hosted on your system, or network-based, and they can be configured to work in real time, meaning constantly, or during certain hours, but obviously you don't want those hours to be predictable by an attacker. That's one example of a detective control.

Another example of a detective control is something called log monitoring. A log records when you log into the system, and log monitoring is the practice of collecting and reviewing logs generated by computer systems or applications to identify potential security threats: who's logging into our system, at what time, what's the trend there. Logs can include information about system events, network traffic, user activity and application usage; you form a profile of your system. By analyzing this data, security professionals can identify anomalies. For example, let's assume for the sake of illustration that we have the least amount of activity between 3 a.m. and 5 a.m., and suddenly the system is telling us we have a high level of activity between three and five. That's an anomaly, and we have to look into it. It might be legitimate, I don't know; some place around the world they found our business and now they're logging in at this time because it's a convenient time for them. That could be fine, but it is still an anomaly, so we would analyze this data to be on the lookout. Log monitoring can be done either manually or with the help of automated tools; you could have a person monitoring the system, but mostly it is automated tools, because you want this to be running in real time, 24/7. It can be used to detect issues such as unauthorized access attempts, malware infections and policy violations.

You could also have what's called a security audit as part of your detective controls. Here you're conducting a systematic review of your policies, procedures and controls to identify areas of vulnerability. Even the best security system will need to be reviewed on a regular basis, because the hackers are also using new technology and new methods, so you want to update those security procedures and security policies. A security audit can be conducted by an internal or external auditor, and there are a lot of opportunities for auditors. As a matter of fact, yesterday, literally, I was talking to one of my subscribers on Farhat Lectures, and this individual was telling me, "Should I go into tax or should I go into audit?" So I was talking to this individual like, you know, there's no really correct answer for this, and one thing led to the other, and I asked, "What do you do now?" This individual is a salesperson for a cyber security company, so what he does now is sell cyber security packages to companies. Hold on a second: you should not be in tax, you should not be in audit, you should be a consultant, an IT cyber security consultant, because that's your business. So I told him, sell me your product, you have five minutes. So over the phone he explained to me how cyber security works, like, you know, I would hire you if I am in need, so you are a cyber security expert. The point is, as accountants, as auditors, you have the opportunity to do security audits. So I advised him to get some sort of cyber security certification in addition to the CPA, or get what's called the CISA; that's another important certification in addition to his CPA.

So a security audit can be conducted (I know this is kind of off track, but I just remembered this) by internal or external auditors, and this individual will help you do that. The audit process can include a review of policies and procedures, talking to employees, analysis of system configurations and network traffic, and other activities. The goal of all of this is to identify potential security weaknesses or gaps in the organization's defenses and to make recommendations for improvement; you want to know what your security weaknesses are so you can prevent anyone from coming into the system. This is what this individual does, basically: now he goes and studies your system and says, this is what we can offer you to protect yourself. As a CPA, that's a great, great, great career path.

Security testing is also a detective measure. This is where you're testing the system on purpose: you're trying to penetrate the system yourself. It's testing that's focused on identifying vulnerabilities in the software or the system, to identify the weaknesses that could be exploited by a future attacker, and this way you'll give yourself guidance and recommendations on how to address those weaknesses. Security testing can be conducted in many ways. One is something called penetration testing: you're trying to test your system and you are acting like the bad guy. Penetration testing, or pen testing, is the process of simulating an attack on yourself to identify any weaknesses, vulnerabilities or potential security risks; it involves a combination of automated and manual techniques, to make sure both are tested. Vulnerability scanning is trying to see what you are vulnerable to: it is the process of using automated tools to scan a system or application for known vulnerabilities. The scanning can be configured to scan for a specific type of vulnerability or to perform a comprehensive scan of the system; I have Norton, which is a simple system that does this on a regular basis, it just goes through my system. Code review is reviewing the source code of the program or the application to identify security weaknesses; this can be done manually or with the help of automated tools as well. Make sure you have a risk assessment to identify potential security risks on a regular basis and assess the probability of something happening; risk assessment can be done through a combination of manual analysis or use of automated tools, or my friend Stephen I just told you about, that's what he's supposed to do, assess your risk. Social engineering is another form of security testing: using deception and manipulation to obtain sensitive information or gain access to the system. Most likely there's a chance you are subject to social engineering testing by your own company: they'll tell you don't respond to this email, then they will send you an email to see if you respond to it, trying to gain access to the system. It can be used to test the organization's security policies and employee training.
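The brute-force pattern an IDS looks for and the 3-to-5 a.m. activity anomaly from the log-monitoring discussion above, as an added example in Python (not code from the lecture or from any product it mentions). The log format, the sample lines, the addresses and the baseline counts are all constructed for the demo.

```python
"""Detective-control demo: brute-force and off-hours anomaly detection
over a handful of constructed log lines (not real data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in a syslog-like format (the format itself is
# an assumption made up for this example, not taken from any real product).
SAMPLE_LOG = """\
2024-03-01T03:12:05 sshd[4401]: Failed password for root from 203.0.113.7
2024-03-01T03:12:07 sshd[4401]: Failed password for root from 203.0.113.7
2024-03-01T03:12:09 sshd[4401]: Failed password for admin from 203.0.113.7
2024-03-01T03:12:11 sshd[4401]: Failed password for admin from 203.0.113.7
2024-03-01T03:12:13 sshd[4401]: Failed password for oracle from 203.0.113.7
2024-03-01T03:12:15 sshd[4401]: Accepted password for admin from 203.0.113.7
2024-03-01T04:30:00 sshd[4402]: Accepted publickey for alice from 198.51.100.4
2024-03-01T09:00:10 sshd[4403]: Accepted publickey for bob from 198.51.100.9
2024-03-01T09:05:44 sshd[4404]: Failed password for bob from 198.51.100.9
2024-03-01T09:05:50 sshd[4404]: Accepted password for bob from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "failed": m["result"] == "Failed",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_brute_force(events, threshold=5, window_seconds=60):
    """IDS-style pattern: at least `threshold` failed logins from one source
    inside a sliding window of `window_seconds`. Returns offending sources."""
    by_src = defaultdict(list)
    for e in events:
        if e["failed"]:
            by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def detect_off_hours_anomaly(events, baseline, quiet_hours=range(3, 6)):
    """Log-monitoring pattern from the lecture: compare activity per hour
    against the expected baseline and flag quiet hours that exceed it."""
    counts = Counter(e["ts"].hour for e in events)
    return {h: counts[h] for h in quiet_hours if counts[h] > baseline.get(h, 0)}


# Constructed baseline: expected maximum events per hour in the quiet window.
BASELINE = {3: 1, 4: 1, 5: 1}

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute force from:", detect_brute_force(evts))
    print("off-hours anomalies:", detect_off_hours_anomaly(evts, BASELINE))
```

Both detectors flag the same source here: five failed passwords in eight seconds, followed by a success, all inside the hour the baseline says should be quiet. The thresholds are the tuning knobs the lecture alludes to when it mentions false reports; a real deployment sets them from its own profile of normal activity.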
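The application-layer defense mentioned under defense in depth (secure coding and input validation) is also exactly what a code review or security test looks for. As an added example, not from the lecture: the same database lookup written the vulnerable way and the hardened way, with a small check a reviewer or tester could run. The table, the rows and the probe string are constructed; `sqlite3` is Python's standard library.

```python
"""Application-layer control: one lookup written with string concatenation
(what a code review should flag) and with input validation plus a
parameterized query (the hardened form). Database contents are constructed."""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # allowlist for usernames


def make_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn


def lookup_vulnerable(conn, name):
    """Pattern a code review should flag: untrusted input spliced into SQL.
    A name containing a quote changes the query instead of being data."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def validate_username(name):
    """Input validation: reject anything outside the allowlist."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return name


def lookup_hardened(conn, name):
    """Validated input and a parameterized query: the driver passes the value
    separately from the statement, so it is never parsed as SQL."""
    name = validate_username(name)
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def review_check(conn, probe):
    """Tiny security-test harness: does the probe string pull more rows out of
    the vulnerable path than out of the hardened one?"""
    vulnerable_rows = lookup_vulnerable(conn, probe)
    try:
        hardened_rows = lookup_hardened(conn, probe)
    except ValueError:
        hardened_rows = []
    return {"vulnerable": len(vulnerable_rows), "hardened": len(hardened_rows)}


if __name__ == "__main__":
    db = make_db()
    print(review_check(db, "alice"))          # both paths return one row
    print(review_check(db, "x' OR '1'='1"))   # vulnerable path returns every row
```

The second probe is the classic tautology a tester feeds a login form; the hardened path rejects it at validation before the query is even built, and even without the allowlist the parameterized query would treat it as a literal name that matches nothing.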
They'll tell you don't open this email, and then they will send you an email on purpose a week or so later and they want you to open it. Now what should you do? Don't open it; if it's important, someone will call you, right? So be careful. This is really a test, and sometimes you'll get into trouble with the IT people if you do open it, because you are the weak point.

Now, corrective controls. Corrective controls come in once the preventive measures did not work, once somebody is inside the system and it's too late and we could not detect it. There's nothing more prevention or detection can do, so the third level is corrective controls. Now you want to make sure everything is fixed and learned from; that's the most important thing here. A corrective control is in place to remedy any security incident that has been identified. These controls are designed to fix any problem that has been discovered, that's the most important, and to learn from it and prevent similar incidents from occurring in the future. What are some examples? One is restoring data from backups: you have to have backups, and we talked about having a recovery plan in a separate session, so I don't even have to discuss this. You want to make sure that the first thing is, I can go back and restore my system because I have a backup. And obviously you want to review your security policies, because if your security policies failed, something is wrong and this could happen again. You want to have a computer emergency response team, which is a CERT, and we'll talk about that, and also a patching system.

Talking about CERT, what is a CERT? It's a group of cyber security or computer experts who are responsible for responding to and managing security incidents. Remember, now we are responding: the incident already occurred, we could not prevent it, we could not detect it on time, it's ongoing, and now we are responding. This team will provide guidance and advice to stakeholders, you know, management, and coordinate with other organizations if they are affected; sometimes the government will be involved, if it's a publicly traded company or a lot of Social Security numbers are involved, so you might really have a public incident here. A CERT team typically has a range of technical expertise (that's why, as a future CPA, you want to have some cyber security, some IT background): vulnerability assessment, incident response and malware analysis; they have expertise in all of those. They may also have expertise in risk management, of course, legal and regulatory compliance (I know lawyers that do this type of work), and public communication, because at the end of the day you want to communicate this information to internal users or, worse, to external users when this incident becomes public. Most cyber security incidents go unnoticed, not because they didn't happen, but because the company doesn't want you to know about it; it's about publicity.

Patch management is the process of identifying, acquiring, testing and installing updates, or what's called patches, to software applications. Again, this is a corrective control: after the system was penetrated, now you want to fix it, so you have what's called patch management or a patching system. Why? Because you want to mitigate the security vulnerability in your system. Patches are typically released by software vendors to address known security issues or bugs, and you want to make sure they're installed and up to date. They help you ensure that systems are up to date with the latest security fixes and that any future vulnerabilities are eliminated or minimized. Effective patch management typically involves several steps: identifying which systems and applications are affected and require the patch; acquiring the patch, which has to come from a trusted source or the original vendor; testing the patch to see if it's working, in a controlled environment, which is offline, to ensure it doesn't cause any compatibility issues or stability issues with the system; then deploying the patch; and then verifying it's working as expected, because you don't just deploy it and say okay, now we're good, you have to test it.

What should you do now? Go to Farhat Lectures and look at additional MCQs on preventive controls, detective controls and corrective controls. Those are important IT topics, so you want to make sure you're up to date in terms of knowledge, and how do you know this? While listening to the lecture is important, working MCQs to verify your knowledge is even more important than that. Good luck, study hard and, of course, stay safe.