
Sunday, June 10, 2018

Sampling and the corresponding type of testing


Attribute sampling - Compliance testing
Statistical sampling - Detection testing
Variable sampling - Substantive testing
Stop & go sampling - used when auditors believe that very few errors will be found

Sunday, January 21, 2018

Attack

Eavesdropping attack

Software attack using special monitoring software to gain access to private communications on the network wire or across a wireless network. (aka sniffing attack)

spoofing attack

is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.

masquerade

Impersonating another user, usually with the intention of gaining unauthorized access to a system


noun
1. a false show or pretence.
synonyms: pretence, deception, pose, act, front, facade, disguise, dissimulation, cover-up, bluff, subterfuge, play-acting, make-believe

verb
1. pretend to be someone one is not.
synonyms: pretend to be, pose as, pass oneself off as, impersonate, disguise oneself as, simulate, profess to be; rare: personate


 

Definition


Traffic engineering
To ensure that quality of service requirements are achieved, the VoIP service over the WAN should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed using statistical techniques such as traffic engineering.

Optimal Business Continuity Strategy


The optimal strategy is determined by the lowest sum of downtime cost and recovery cost. Both costs have to be minimized, and the strategy for which the sum of the two costs is the lowest is the optimal one.

buffer overflow

An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer.

brute force attack

an attack on a password that repeatedly tries to re-create it through a random combination of characters

Tuesday, December 26, 2017

Decision trees

Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships.

Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.

IPSec

IPSec works on two basic packet components—ESP and AH. ESP encrypts the data and stores them in an encapsulated security payload packet component for data protection. Though essential, AHs manage the authentication process, not the security of the data. Semantic nets are part of artificial intelligence and would not help in data protection. Digital signatures are not used in IPSec and, thus, will not provide data protection.

What is the ESP protocol?
Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides origin authenticity, integrity and confidentiality protection of packets.
 
The basic idea of IPsec is to provide security functions, authentication and encryption, at the IP (Internet Protocol) level. This requires a higher-level protocol (IKE) to set things up for the IP-level services (ESP and AH).
 
Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. 

Critical Success Factors (CSFs) include:

Identifying and engaging with key stakeholders (Who).
Planning and communicating the in-scope processes (What).
Determining assessment frequency and time to execute (When).
Employing a risk-based assessment approach with proper prioritization (How).
Continually tracking, reviewing and reporting performance to management.

Critical Success Factors for Continually Monitoring, Evaluating and Assessing Management of Enterprise IT

Software Escrow


A software escrow is a service that helps protect all parties involved in a software license by having a neutral 3rd party escrow agent hold source code, data, and documentation until a mutually-agreed-upon event occurs.



Source code escrow is the deposit of the source code of software with a third party escrow agent. Escrow is typically requested by a party licensing software (the licensee), to ensure maintenance of the software instead of abandonment or orphaning.

Escrow Meaning: a bond, deed, or other document kept in the custody of a third party and taking effect only when a specified condition has been fulfilled.

Sunday, December 3, 2017

Encapsulation


Encapsulation is a property of objects that prevents access to any properties or methods that have not been explicitly defined as public. This means the implementation of an object's behavior is not accessible from outside. An object defines a communication interface with the exterior, and only what belongs to that interface can be accessed.

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism
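An added example (not from the original post) of the interface-versus-implementation point above, in Python. The `Account` class and its invariant (the balance never goes negative) are assumed for illustration. Note that Python enforces privacy only by convention and name mangling, unlike languages with a compiler-checked `private`; the example still shows how a public interface is the only path to the data and how that interface validates every change.

```python
class Account:
    """Balance is reachable only through the public interface, and the
    interface enforces the invariant that the balance never goes negative."""

    def __init__(self, owner: str, opening_balance: int = 0) -> None:
        if opening_balance < 0:
            raise ValueError("opening balance must not be negative")
        self._owner = owner
        # Double underscore: Python name-mangles this to _Account__balance,
        # so plain external code cannot reach it by its declared name.
        self.__balance = opening_balance

    @property
    def balance(self) -> int:
        """Read-only view of the internal state (no setter is defined)."""
        return self.__balance

    def deposit(self, amount: int) -> int:
        if amount <= 0:
            raise ValueError("deposit must be positive")
        self.__balance += amount
        return self.__balance

    def withdraw(self, amount: int) -> int:
        if amount <= 0:
            raise ValueError("withdrawal must be positive")
        if amount > self.__balance:
            raise ValueError("insufficient funds")
        self.__balance -= amount
        return self.__balance


def interface_only_access(acct: Account) -> dict:
    """Probe which access paths the interface exposes and which it hides."""
    results = {}
    results["public_read"] = acct.balance
    try:
        acct.balance = 10_000            # property without a setter
        results["public_write"] = True
    except AttributeError:
        results["public_write"] = False
    try:
        acct.__balance                   # not mangled outside the class body
        results["direct_private_read"] = True
    except AttributeError:
        results["direct_private_read"] = False
    try:
        acct.withdraw(acct.balance + 1)  # interface refuses to break the invariant
        results["overdraw"] = True
    except ValueError:
        results["overdraw"] = False
    return results


if __name__ == "__main__":
    acct = Account("alice", 100)
    acct.deposit(50)
    print(interface_only_access(acct))
```

The security benefit is that every path that changes the balance goes through `deposit` or `withdraw`, which is where the checks live; data that can only be modified through a validated interface cannot be silently put into an invalid state by other parts of the program.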


Risk


The risk that an error exists that could be material or significant when combined with other errors encountered during the audit, there being no related compensating controls, is the inherent risk. 

Control risk is the risk that a material error exists that will not be prevented or detected on a timely basis by the system of internal controls.   

Detection risk is the risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when they do.

Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.

Saturday, December 2, 2017

Dead Man Doors



Only one person can pass through at a time. This reduces the risk of piggybacking, in which an unauthorized person follows an authorized person into a restricted area. It helps secure confidential areas. This control falls under safety and access control systems.

This topic relates to physical access control.

Wednesday, November 29, 2017

Testing


white box testing
White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. Verifying the program can operate successfully with other parts of the system is sociability testing.

Black Box Testing
Testing the program's functionality without knowledge of internal structures is black box testing.

sand box testing
Controlled testing of programs in a semi-debugged environment, either heavily controlled step by step or via monitoring in virtual machines, is sandbox testing.

Double-blind testing
Double-blind testing is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are "blind" to the test. This is the best scenario for testing response capability because the target will react as if the attack were real.

Blind testing
Blind testing is also known as black-box testing. This refers to a test where the penetration tester is not given any information and is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted.

targeted testing
Targeted testing is also known as white-box testing. This refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities. In some cases, the tester is also provided with a limited-privilege account to be used as a starting point.

external testing
External testing refers to a test where the penetration tester launches attacks on the target's network perimeter from outside the target network (typically from the Internet).

Shadow file processing

In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files, such as airline booking systems.

Tuesday, November 28, 2017


Attack





IP spoofing

IP spoofing takes advantage of the source-routing option in the IP protocol. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing.

Passive attacks

Examples of passive attacks include network analysis, eavesdropping and traffic analysis. Active attacks include brute force attacks, masquerading, packet replay, message modification, unauthorized access through the Internet or web-based services, denial-of-service attacks, dial-in penetration attacks, email bombing and spamming, and email spoofing.

CRC



A Cyclic Redundancy Check (CRC) is a calculation performed on a block of data by treating that block as one long binary number; the result is transmitted along with the data.



The same calculation is performed by the computer at the receiving end and if the results agree, it is assumed that the data has been transmitted without error. A CRC is a more sophisticated error detection method than a checksum.
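An added example (not from the original post) that carries the CRC description above through in Python: the sender divides the block by a generator polynomial, the receiver repeats the calculation and compares, and an additive checksum is computed alongside to show why the last sentence holds. The CRC-32 polynomial is the standard IEEE 802.3 one used by Ethernet and zlib; the sample record and the transposition error are constructed for illustration.

```python
import zlib

# Reflected CRC-32 (IEEE 802.3) generator polynomial, the variant used by
# Ethernet frames, zlib and PNG.
CRC32_POLY = 0xEDB88320


def crc32(data: bytes) -> int:
    """Bit-serial CRC-32.

    The block is treated as one long binary number and divided (modulo 2)
    by the generator polynomial; the 32-bit remainder is the check value
    that travels with the data.
    """
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ CRC32_POLY
            else:
                crc >>= 1
    return crc ^ 0xFFFFFFFF


def additive_checksum(data: bytes) -> int:
    """Simple checksum for comparison: sum of all bytes modulo 256."""
    return sum(data) & 0xFF


def receiver_accepts(data: bytes, crc_received: int) -> bool:
    """The receiving end repeats the calculation and compares the results."""
    return crc32(data) == crc_received


def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    """Simulate a transmission error that transposes two bytes."""
    buf = bytearray(data)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


# Constructed sample record; not taken from any real system.
RECORD = b"ACCT=1001;AMOUNT=250.00"


def compare_error_detection() -> dict:
    """Transposing the '1' and '0' inside 1001 leaves the byte sum unchanged,
    so the additive checksum cannot see it; the CRC remainder does change."""
    corrupted = swap_bytes(RECORD, 5, 6)       # becomes b"ACCT=0101;..."
    sent_crc = crc32(RECORD)
    return {
        "checksum_detects": additive_checksum(corrupted) != additive_checksum(RECORD),
        "crc_detects": not receiver_accepts(corrupted, sent_crc),
        # Cross-check the hand-written routine against the library version.
        "matches_zlib": crc32(RECORD) == zlib.crc32(RECORD),
    }


if __name__ == "__main__":
    print(f"CRC-32 of sample record: {crc32(RECORD):08x}")
    print(compare_error_detection())
```

The transposition is detected by the CRC with certainty rather than by luck: the two messages differ by a fixed bit pattern, and the generator polynomial does not divide that pattern, so the remainders cannot coincide. A CRC protects against accidental corruption only; it is not keyed, so it offers no protection against deliberate modification, for which a MAC or digital signature is needed.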