@ISACA Volume 4  24 February 2016

Eight Commonly Used Network Security Tools

By Leighton Johnson, CISA, CISM, CIFI, CISSP

In today’s network-driven, always-on Internet environment, a number of network-based tools and utility programs are critical to both the security and the operation of an organization’s applications and activities. These commonly used tools include:

  1. Port scanners—Port scanners probe a host to identify which TCP and UDP ports are listening and therefore accepting service connections. Because they reveal what is open and reachable, they are often the first step in identifying potential weaknesses in a network, for attackers and defenders alike; an unexpected open port in a scan of your own hosts is a finding worth chasing down.
  2. Packet sniffers—Packet sniffers capture traffic at layer 2 of the Open System Interconnection (OSI) model and decode the layer 3 and higher protocols carried inside each frame, so network or application traffic can be examined in real time. A packet sniffer captures and logs packets as they cross a network segment or as they enter and leave an application. A sniffer can only inspect what reaches the capture point in cleartext; encrypted payloads must be decrypted at an endpoint before their contents can be examined.
  3. Network scanners—Network scanners (vulnerability scanners) go a step beyond port scanning: they identify which devices, machines and applications on the network carry known weaknesses or flaws, typically by matching discovered service versions and configurations against a database of known vulnerabilities. These tools usually start the vulnerability identification process for security and operations staff; their output is a list of candidates that still has to be verified and prioritized.
  4. Firewalls—A firewall is a combination of software and hardware that supports and enforces the company’s network security policy. Firewalls are an access control component that regulates network communications between 2 networks and is used to filter incoming and outgoing network traffic. Firewalls are commonly placed at a network perimeter to restrict access to one network from another network.
  5. Intrusion detection systems (IDSs)—An IDS monitors a system or network in real time for malicious activity, including attack patterns that antivirus software and firewall rules do not detect. Typically, an IDS is a combination of hardware and software components that:
    • Monitors and collects system and network information
    • Determines if an attack or intrusion has occurred
    • Provides alerts when it detects an attack
  6. Intrusion prevention systems (IPSs)—An IPS is an IDS that takes additional automated actions to combat an attack when it is detected. These additional steps include actions such as configuring a firewall to block the Internet Protocol (IP) address of an intruder or launching a separate program to handle the detected event. Because these actions are automatic, a false positive blocks legitimate traffic, so blocking rules need to be tuned and reviewed.
  7. Virtual private networks (VPNs)—VPNs are extensions of a corporate network. A VPN is a private data network that makes use of public telecommunications infrastructure. The privacy of the corporate traffic is maintained through the use of tunneling protocols, encryption and other security procedures.
  8. File integrity checkers—A file integrity checker is a software program that detects changes to files and directories since a known-good baseline was recorded. It typically records, for each file, attributes such as permissions, ownership, links, size and a cryptographic hash of the content, and reports any file whose current attributes differ from the baseline. Comparing a content hash matters because an attacker can alter a file without changing its size or permissions, and the baseline itself must be stored where an attacker who can modify the monitored files cannot also modify it.
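The following is an added illustration of item 8, not code from the article or its author. It records a baseline of a scratch directory (permission bits, owner, link count, symlink target, size and SHA-256 of regular files), then tampers with the tree and re-scans. The directory layout, the attribute names and the tampering steps are constructed for the example; the same-size edit to the config file shows why a size check alone is not enough.

```python
"""Minimal file integrity checker: record a baseline of a directory tree, then
report what was added, removed or modified relative to that baseline.

Constructed illustration. Attribute names, the scratch directory layout and
the tampering steps in demo() are made up for the example.
"""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Collect the attributes compared for one path.
    lstat() is used so a symbolic link is described by its own target rather
    than by the file it points at; retargeting a link is then a visible change.
    Directory sizes are deliberately not recorded because some filesystems
    change them whenever an entry is added, which would drown real findings."""
    st = os.lstat(path)
    entry = {
        "mode": stat.S_IMODE(st.st_mode),   # permission bits incl. setuid/setgid
        "uid": st.st_uid,
        "gid": st.st_gid,
        "nlink": st.st_nlink,               # an extra hard link to a file is suspicious
    }
    if stat.S_ISLNK(st.st_mode):
        entry["link"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        entry["size"] = st.st_size
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def build_baseline(root):
    """Fingerprint every directory, file and symlink below root, keyed by relative path."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Diff two baselines. 'modified' maps each changed path to the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a scratch tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "app.conf")
        tool = os.path.join(root, "bin", "tool")
        link = os.path.join(root, "bin", "current")
        os.makedirs(os.path.dirname(tool))
        with open(cfg, "w") as f:
            f.write("debug=false\n")
        with open(tool, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.chmod(cfg, 0o640)
        os.chmod(tool, 0o755)
        os.symlink("tool", link)

        before = build_baseline(root)

        # Tampering. The config edit keeps the byte count identical, so only the
        # content hash exposes it; the setuid bit shows up as a mode change;
        # the retargeted link and the new file are caught by link/added.
        with open(cfg, "w") as f:
            f.write("debug=true \n")
        os.chmod(tool, 0o4755)
        os.remove(link)
        os.symlink("../app.conf", link)
        with open(os.path.join(root, "bin", "backdoor"), "w") as f:
            f.write("evil\n")

        return compare(before, build_baseline(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline would be signed or kept on read-only media, and the scan would be scheduled and its report forwarded to a system the monitored host cannot write to.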

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


Cybersecurity Challenges in 2016


ISACA’s 2016 Cybersecurity Snapshot analyzes the issues organizations will experience this year. Among the findings of the survey is the IT community’s perception of information sharing. While most respondents support sharing information after a data breach and support the US Cybersecurity Information Sharing Act of 2015, less than half of respondents believe that their organization would voluntarily share information in the event of a data breach.

The top cyberthreat concerns for 2016 are social engineering, insider threats and advanced persistent threats. To tackle these concerns, skilled cybersecurity professionals are needed. Another finding of the survey is that the cybertalent shortage continues to be an issue. While 45% of survey respondents said that they are hiring more cybersecurity professionals, 94% of those hiring have said that it will be challenging to find skilled candidates.

To view the entire Cybersecurity Snapshot, visit the 2016 Cybersecurity Snapshot page of the ISACA web site.


Join the Ranks of Thousands of Certified Individuals


ISACA is pleased to announce that in 2015, 7,003 Certified Information Systems Auditor (CISA) candidates, 3,158 Certified Information Security Manager (CISM) candidates, 447 Certified in the Governance of Enterprise IT (CGEIT) candidates and 1,253 Certified in Risk and Information Systems Control (CRISC) candidates earned their ISACA certification. With a globally recognized ISACA certification, you hold the power to move ahead in your career, increase your earning potential and add value to any enterprise.

ISACA recently awarded the milestone 30,000th CISM certification. This certification, introduced in 2002, is associated with higher salaries. A 2015 study by Foote Partners LLC found that those with CISM certifications earn among the highest pay premiums in the security category, and Certification Magazine found CISM to be the highest-paying certification for 2015.

To join those who have earned these certifications, the first step is to register for and take the certification exam. The next ISACA exam is 11 June 2016. The early registration deadline for the June 2016 exam is 10 February 2016. Information on exam locations and language offerings can be found in the 2016 ISACA Exam Candidate Information Guide.

If you have already taken and passed the exam, but not yet applied for the certification, please remember that you have only 5 years from the exam passing date to apply for certification. Apply for your CISA, CISM, CGEIT or CRISC certification today.


Gaining Confidence With a CISA Certification

Tapiwa Mvere, CISA, CGEIT, COBIT 5 Foundation, AgilePM, ISO 27001, ITIL, Shares His Experience as a CISA

“In the world of IT audit and assurance, ISACA certifications are ranked amongst the best,” says Tapiwa Mvere. “Professionals with a Certified Information Systems Auditor (CISA) certification are valued, have superior earning potential and are viewed as subject matter experts.”

Having the CISA certification has helped Mvere address some of the hesitance and uncertainty he faces from auditees. “The foremost challenge in my profession is resistance from business. In most cases, this stems from the mistaken assumption that IS audit professionals do not have the necessary experience to provide meaningful recommendations to management,” he says. “However, in my experience, business and management in general tend to be more receptive once they realise that I am CISA certified. In some cases, I have received inquiries about how auditees can become certified themselves in order to improve their professional profiles and skills.”

In addition to the recognition he has gained from others as a result of his CISA certification, Mvere also has more confidence in himself because of his experience as a CISA. “I feel much more confident about my experience and the recommendations I provide because I know these have been tried and tested across a variety of industries and across different geographic locations,” he says. “Additionally, I have met and interacted personally with a number of senior people within the IS audit industry. I can also confidently say that without my CISA certification I would probably not have been considered for my current job.”

Mvere, who has written a novel and memorized a 200-digit number just to improve his memory, is not afraid of hard work, which he says is necessary to earn and maintain the CISA certification. “I have come across a lot of people who are hesitant about taking the exam. However, I believe that sometimes we create limitations in our own minds,” he says. “I can say that attaining the CISA certification, along with the hard work and perseverance that it takes, are life-changing—both in a professional and personal way.”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: Measuring and Managing Information Risk

Reviewed by Upesh Parekh, CISA

Risk professionals may encounter risk that is unlikely to happen but would have a considerable impact if it materialized. This kind of risk may have a high price to remediate, which presents a dilemma for risk professionals. How can risk professionals convey the significance of this risk while justifying a recommendation to spend considerable amounts of money just to address a potential concern? Measuring and Managing Information Risk by Jack Freund and Jack Jones helps risk professionals solve this dilemma by posing 2 simple questions: How much risk is there? How much less risk will there be if the required investment is made? Traditional risk analysis methods that classify risk as high, medium or low do not help answer these questions.

Measuring and Managing Information Risk uses the Factor Analysis of Information Risk (FAIR) approach to measuring and managing risk. This book challenges the conventional method of risk management and makes risk professionals pause and consider the status quo.

The FAIR framework is ontological in that its approach focuses on the relationship between elements. Specifically, the FAIR framework is based on the relationship of risk elements such as risk, threat, loss and vulnerability. FAIR offers a risk assessment method that is based on quantitative risk assessment.
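To make the two questions above concrete, here is an added illustration (not from the book or the review) of a quantitative comparison in the spirit of FAIR. It assumes FAIR's top-level factoring of risk into loss event frequency and loss magnitude, with loss event frequency being threat event frequency multiplied by vulnerability (the fraction of threat events that become loss events); the phishing scenario, the control, its cost and every estimate in `demo()` are constructed for the example.

```python
"""Quantitative risk comparison in the spirit of FAIR: annualized loss exposure
before and after a control, estimated by Monte Carlo simulation.

Constructed illustration. It assumes FAIR's top-level factoring of risk into
loss event frequency (LEF) and loss magnitude (LM), with
LEF = threat event frequency (TEF) x vulnerability (the fraction of threat
events that become loss events); every figure below is made up for the example.
"""
import math
import random
import statistics


def _poisson(rng, lam):
    """Draw one Poisson(lam) count using Knuth's multiplication method.
    Adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(tef, vulnerability, loss_low, loss_likely, loss_high,
             years=20000, seed=7):
    """Simulate `years` independent years of loss for one scenario.

    tef           threat events per year (attempts that could cause loss)
    vulnerability probability that a threat event becomes a loss event
    loss_*        minimum, most likely and maximum loss per event
    Returns the annualized loss expectancy (mean annual loss) and percentiles
    of the annual loss distribution: an answer to "how much risk is there?"
    expressed as a range rather than a high/medium/low label.
    """
    rng = random.Random(seed)            # fixed seed keeps the result reproducible
    lef = tef * vulnerability            # expected loss events per year
    annual = []
    for _ in range(years):
        events = _poisson(rng, lef)
        # loss per event drawn from a triangular distribution over the
        # low / most-likely / high estimates supplied by the analyst
        total = sum(rng.triangular(loss_low, loss_high, loss_likely)
                    for _ in range(events))
        annual.append(total)
    annual.sort()
    n = len(annual)
    return {
        "ale": statistics.fmean(annual),
        "p50": annual[n // 2],
        "p90": annual[int(0.90 * n)],
        "p99": annual[int(0.99 * n)],
    }


def compare_investment(before, after, annual_control_cost):
    """Answer "how much less risk will there be if the investment is made?"
    by comparing the two loss expectancies against the control's yearly cost."""
    reduction = before["ale"] - after["ale"]
    return {
        "ale_before": before["ale"],
        "ale_after": after["ale"],
        "ale_reduction": reduction,
        "net_annual_benefit": reduction - annual_control_cost,
        "worth_it": reduction > annual_control_cost,
    }


def demo():
    """Constructed scenario: credential phishing against an internal portal.
    Assumed estimates: 12 campaigns a year, one in four succeeds today; an MFA
    rollout (assumed to cost 40,000 a year) is expected to cut the success rate
    to one in fifty. Loss per event: 20k low, 60k most likely, 500k high."""
    loss = (20_000, 60_000, 500_000)
    before = simulate(12, 0.25, *loss)
    after = simulate(12, 0.02, *loss)
    return compare_investment(before, after, annual_control_cost=40_000)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value:,.0f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

The percentiles are the part that a high/medium/low rating cannot express: a scenario with a modest expected loss but a large 99th percentile is the "unlikely but severe" case the review opens with, and the simulation shows how much of that tail the proposed control actually removes.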

The book begins with a discussion of the shortcomings of traditional risk analysis. Then, it moves on to discuss basic risk concepts and the FAIR risk ontology. Chapter 3, which is about the FAIR risk ontology, lays the foundation for the framework.

The book then explains the risk analysis process, as per the FAIR framework, and explains how to interpret the results of the analysis. The book also contains practical examples, scenarios and common mistakes that occur when using FAIR. Finally, the book concludes with a discussion of risk management as a whole.

This book is directed toward senior professionals, risk professionals and auditors to help them gain an understanding of an effective risk analysis methodology. Anyone looking to use quantitative risk analysis frameworks, such as FAIR, must have a clear understanding of concepts such as subjectivity versus objectivity, precision versus accuracy and forecast versus predictability. This book helps readers better understand these concepts.

Some risk scenarios do not call for detailed and quantitative risk analysis because the risk, impact, probability and loss are already crystal clear. More often than not, however, risk scenarios are not that easy to resolve. In such cases, it is important to employ a framework that attempts a more reliable, repeatable and logical risk assessment, and FAIR is a strong option to consider.

Measuring and Managing Information Risk is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, is a risk and governance professional with more than 10 years of experience in the banking and finance industry. He is based in Pune, India.