Monday, August 11, 2008

ASEC and ISPA tips *updated with Thursday's stuff*

* means important
* trapdoor = lines of code in a programming module allowing a user to access the system when he types in a secret code. A secret, undocumented entry point into the programming module, hidden among the lines of code
* backdoor requires software programs such as a RAT to access


*Countermeasures and specific exploits as well


various scanning tools (not very important)

passwords/access control

default/weak passwords


scripts and dll

malicious scripts

dll loading paths

buffer overflow

heap overflow

stack overflow

effects of exploits

proprietary formats and protocols

security through obscurity is not good

format string exploits

how is it conducted

effects of the exploits

integer overflow

how does it happen

preventive measures

SQL injection

conducting exploit

using meta data

protect database credentials

web vulnerabilities

error messages

forceful browsing


data tampering

http session form data cookies

information disclosure

passwords stored in text file

passwords stored in memory

Section B

format string


integer overflow

sql injection

web vulnerabilities

information disclosures


* all from Lai FM

Exam format:

10 MCQ (20 marks)

5 Structured (80 marks)

2 hours

General tips:

Audit point of view***


ACL: no commands, just MCQ

Few questions from MST chapters, just MCQ

No Cobit

Security policies, just MCQ

Use liberal amounts of common sense

Mainly look at the auditors' viewpoint, controls, and how an auditor sees things.

Can give logical answers, as he may give marks for answers not found in the book but relevant to the question.

May require drawing of diagrams to aid description questions.

Topic 4 Computer operations:

focus on this chapter, case study coming out for this

Page 40 onwards, page 43, 44, 45

segregation of duties*

Page 47

distributed model not important

Page 54

computer centre operation

physical security

Page 57-64

disaster recovery

Page 65 onwards

Page 71-75

email risks

Page 77

PC systems not important

Topic 5 Data management***

Page 93, 94, 95

Flatfile approach vs database

page 97 -106

advantages, disadvantages and features

Page 107

3 DBMS models in MCQ


database distributed environment important***


replicated and partitioned distributed database important***




access control


backup control***

Topic 6 SDLC

Product of SDLC + diagram page 141

Relate to POSB example, live system, maintenance system

136 onwards, 139

types of commercial systems in MCQ

142-165/end of topic

Auditor's role in SDLC

phase 7/implementation phase in MCQ

172 to end important***

controlling and auditing SDLC important***

controlling new systems

controlling maintenance***

Topic 7 network, internet, e-commerce ***

audit point of view

227 onwards important


controlling e-commerce


audit objectives


Topic 8

Input controls, black box and white box models, 5 CAATTs important!

input controls important ***

processing and output controls in MCQ


testing application control ***


parallel simulation ITF and such in MCQ

If unsure clarify with me