* means important
* trapdoor = lines of code in a programming module allowing a user to access the system when he types in a secret code. A secret, undocumented entry point into the programming module, hidden among the lines of code
* backdoor requires software programs like a RAT (remote access tool) to access
ASEC
*Countermeasures and specific exploits as well
introduction
various scanning tools (not very important)
passwords/access control
default/weak passwords
permissions
scripts and dll
malicious scripts
dll loading paths
buffer overflow
heap overflow
stack overflow
effects of exploits
proprietary formats and protocols
security through obscurity is not good
format string exploits
how is it conducted
effects of the exploits
integer overflow
how does it happen
preventive measures
SQL injection
conducting exploit
using metadata
protect database credentials
web vulnerabilities
error messages
forceful browsing
XSS
data tampering
HTTP session, form data, cookies
information disclosure
passwords stored in text files
passwords stored in memory
section b
format string
dll
integer overflow
sql injection
web vulnerabilities
information disclosures
ISPA
* all from Lai FM
Exam format:
10 MCQ (20 marks)
5 Structured (80 marks)
2 hours
General tips:
Audit point of view***
Tutorial**
ACL no commands, just MCQ
Few questions from MST chapters, just MCQ
No Cobit
Security policies, just MCQ
Use liberal amounts of common sense
Mainly look at the auditors' viewpoint, controls, and how an auditor sees things.
Can give logical answers, as he may give marks for answers not found in the book but relevant to the question.
May require drawing of diagrams to aid description questions.
Topic 4 Computer operations:
focus on this chapter, case study coming out for this
Page 40 onwards, page 43, 44, 45
segregation of duties*
Page 47
distributed model not important
Page 54
computer centre operation
physical security
Page 57-64
disaster recovery
Page 65 onwards
Page 71-75
email risks
Page 77
PC systems not important
Topic 5 Data management***
Page 93, 94, 95
Flatfile approach vs database
Pages 97-106
advantages, disadvantages and features
Page 107
3 DBMS models in MCQ
Page 114
database distributed environment important***
Page 116
replicated and partitioned distributed database important***
Page 118
concurrency
Page 120
access control
Page 125
backup control***
Topic 6 SDLC
Product of SDLC + diagram page 141
Relate to the POSB example: live system, maintenance system
Page 136 onwards, page 139
types of commercial systems in MCQ
Pages 142-165 (to end of topic)
Auditor's role in SDLC
phase 7/implementation phase in MCQ
172 to end important***
controlling and auditing SDLC important***
controlling new systems
controlling maintenance***
Topic 7 Network, internet, e-commerce ***
audit point of view
Page 227 onwards important
Pages 227-228
controlling e-commerce
Page 237
audit objectives
Page 239
Topic 8
Input controls, black and white box models, 5 CAATTs important!
input controls important ***
processing and output controls in MCQ
Page 320
testing application control ***
Page 323
parallel simulation ITF and such in MCQ
If unsure clarify with me
Monday, August 11, 2008