Page 159 - Courses

Logical Security: The Network Layer


            Security risks include:

            •  Malware intrusion occurs and goes undetected.
                   •  Lack of timely antivirus update.
                   •  Disabled antivirus software.
                   •  Undetected malware variant.
            •  Antivirus software is disabled.
                   •  A user with administrator capability (network, desktop, etc.) disables antivirus software.
                   •  Malware intrusion disables antivirus software.
                   •  The antivirus password setting is not changed from the vendor-supplied default password
                       setting.

            Controls include:

            •  All servers and computers have antivirus software installed and maintained up-to-date.
            •  Alerts occur when antivirus software is either disabled or not updated.
            •  Antivirus vendor-supplied default passwords are changed. A minimal number of people know the
               password.
            •  The network is segmented such that a malware outbreak will be isolated in a segmented area of
               the network.
            •  The normal user population does not have administrator rights on their desktops.

            Suggested audit procedures include:

            •  Observe antivirus endpoint console and note alert messages when antivirus software is not
               updated or disabled.
            •  Test to ensure antivirus is enabled and updated for a sample of desktop computers or servers.
            •  Review the network diagram to validate the network has been segmented.
            •  Attempt to log into the endpoint console using the default password.
            •  Review incident tickets for trends or anomalies related to reported antivirus software incidents.

            Security Information and Event Management (SIEM)

            SIEM Characteristics

            Security Information and Event Management (SIEM) is a software product that provides alerts based
            on predefined policies that are provided by the vendor or defined by the organization. Important
            points include:

            •  Logs from hardware, software, applications, etc. are sent to the SIEM, which processes them
               against predefined policies.
            •  Access to the SIEM is restricted, normally to security administration staff.
            •  The SIEM should be monitored 24/7. Alerts are sent to a central SIEM console and notifications
               are sent to associated parties via email, text, etc.
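            As an added illustration (not part of the course material), the following Python rule engine mimics how a SIEM processes endpoint-protection logs against predefined policies, producing the alerts the antivirus controls above call for: antivirus disabled, signatures not updated within a threshold, and an expected host that never reports. The log format, host names, event names and the 7-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint-protection log lines (not from any real product).
# Format: timestamp | host | event | detail
SAMPLE_LOGS = """\
2021-03-01T08:00:00 | ws-101  | AV_STATUS  | enabled
2021-03-01T08:00:05 | ws-101  | SIG_UPDATE | 2021-03-01
2021-03-01T09:15:00 | ws-102  | AV_STATUS  | disabled
2021-03-01T09:20:00 | srv-db1 | SIG_UPDATE | 2021-02-10
2021-03-01T09:20:10 | srv-db1 | AV_STATUS  | enabled
"""

# Assumed policy parameters; an organization defines its own values.
EXPECTED_HOSTS = {"ws-101", "ws-102", "srv-db1", "srv-web1"}
MAX_SIGNATURE_AGE_DAYS = 7

def parse_logs(text):
    """Split each pipe-delimited line into an event dict."""
    events = []
    for line in text.strip().splitlines():
        ts, host, event, detail = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "detail": detail})
    return events

def evaluate(events, now, expected=EXPECTED_HOSTS, max_age=MAX_SIGNATURE_AGE_DAYS):
    """Apply three predefined policies and return (host, alert) pairs."""
    alerts = []
    latest_sig = {}    # host -> most recent signature date reported
    reporting = set()  # hosts that sent at least one event
    for e in events:
        reporting.add(e["host"])
        # Policy 1: antivirus reported as disabled on any host.
        if e["event"] == "AV_STATUS" and e["detail"] == "disabled":
            alerts.append((e["host"], "ANTIVIRUS_DISABLED"))
        elif e["event"] == "SIG_UPDATE":
            d = datetime.fromisoformat(e["detail"])
            if d > latest_sig.get(e["host"], datetime.min):
                latest_sig[e["host"]] = d
    # Policy 2: newest signature set older than the allowed age.
    for host, d in sorted(latest_sig.items()):
        if now - d > timedelta(days=max_age):
            alerts.append((host, "ANTIVIRUS_NOT_UPDATED"))
    # Policy 3: an inventoried host that never reported (agent missing or silent).
    for host in sorted(expected - reporting):
        alerts.append((host, "ANTIVIRUS_NOT_REPORTING"))
    return alerts

def run_sample():
    """Evaluate the constructed logs as of noon on 2021-03-01."""
    return evaluate(parse_logs(SAMPLE_LOGS), datetime(2021, 3, 1, 12))
```

Feeding `run_sample()` into a console or notification step is where the "alerts are sent to a central SIEM console" behavior described above would attach; here the alerts are simply returned as a list.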

            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.