
CISA – Certified Information Systems Auditor Study Guide: Aligned with the CISA Review Manual

Dec 02, 2025 · 14 min

Episode description

The book offers an in-depth look at the Certified Information Systems Auditor (CISA) certification. It covers critical aspects of information systems auditing, including audit processes, risk management, business resilience, and security controls, with a focus on preparing candidates for the CISA exam through key concepts and self-assessment questions. The text also highlights the author's extensive qualifications and the publisher's call for new authors, underscoring the practical and professional nature of the content. Ultimately, it serves as a foundational resource for IT auditing professionals seeking to enhance their expertise and career prospects.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/CISA-Certified-Information-Systems-information/dp/1838989587?&linkCode=ll1&tag=cvthunderx-20&linkId=5d797586f8a25d3307aa634e275c8802&language=en_US&ref_=as_li_ss_tl

Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

You know, think about logging into your online bank, or maybe swiping your badge at work, getting into a secure area, or even just hopping onto the office Wi-Fi. We do this stuff all the time, right? But have you ever stopped to think about what's really going on behind the scenes, all the systems, the safeguards keeping things secure? Okay, let's unpack this a bit. Today we're doing a deep dive into information systems auditing and security. And forget that old image

of, like, a dusty accountant. We're talking about the guardians of our digital world. Our physical spaces, too. These are the pros, often with certifications like the CISA, the Certified Information Systems Auditor, who make sure our tech works and, crucially, works safely. Our mission really is to get inside the heads of these IS auditors. How do they think? What risks are they looking for? And maybe uncover some surprising ways they protect everything from your bank account to

the building you might be sitting in right now. We've got a great CISA study guide here as our source, which gives us a fantastic shortcut into their world.

Speaker 2

Yeah, and what's really key, I think, is that it's not just about hunting for mistakes already made. It's more about understanding the whole tech ecosystem of an organization from the ground up. The goal is building resilience, proactively thinking ahead, not just reacting, right?

Speaker 1

So it's not just ticking boxes on a checklist. Auditors are thinking about risk fundamentally. Our source gives us some clear ways to define it. Often it's simplified down to probability times impact. Makes sense. But there's another formula they use, maybe a bit more vivid. Risk equals A times V times T, so that's asset times vulnerability times threat. Let's break that down real quick. Asset is anything valuable, could

be data, hardware, reputation, even people. Vulnerability, that's a weakness the organization can often control, like sloppy coding or forgetting to patch. And threat is what might exploit that weakness, often external stuff like hackers, malware, or even a flood. Now, this AVT formula, it sounds neat, but is it always that easy to put numbers on, or is there some art to it in practice?

Speaker 2

Oh, that's a great point. That formula gives a solid framework, definitely, but quantifying each part, that's where the skill, the art, comes in. It really helps auditors pinpoint inherent risk, that's the baseline risk before you put any controls in place. Then they look at the controls and figure out the

residual risk, what's actually left over after those defenses. And the big picture implication here is about focus, right? You can't protect everything perfectly, so this helps channel resources and attention to where the risk is highest. Which makes you think, how do you assess risk in your own projects or just daily life? Do you think about both how likely something is and how bad it could be, and what's left after your precautions?

Speaker 1

That makes total sense, prioritization. So once you've figured out the risks, you need controls. Our guide breaks these down into types, which is really helpful for understanding how defenses get layered. Let's start with preventive controls. These aim to stop bad things before they happen. Think multi-factor authentication, good firewalls, or segregating duties so one person can't do everything. Makes sense. Are these sort of the bedrock?

Speaker 2

Absolutely, they are the foundational layer. A strong preventive control is always your best bet. Stops the problem entirely, ideally. But let's be real, nothing's ever one hundred percent foolproof, so you can't just stop there.

Speaker 1

You need backups, and that's where detective controls step in, the ones that spot issues after they've happened. Things like security cameras, log monitoring, maybe even having solid business continuity plans.

Speaker 2

Right, exactly. They're your warning system. If something gets past the first wall, catch...

Speaker 1

...it quick. And then if something is detected, then...

Speaker 2

...you need corrective controls. These are about fixing it: restoring data from a backup, patching that vulnerability someone exploited, maybe revoking access. It's the cleanup crew, basically, getting things back to a known good state.

Speaker 1

We also have deterrent controls, like a simple "Warning: CCTV in operation" sign, just making someone think twice. And finally, compensating controls. These are clever workarounds when the main control isn't practical. Like maybe in a small company you can't perfectly segregate duties, so you compensate with really thorough log reviews. It's fascinating how they layer up. What I find really

interesting is how they work together. You might have a security guard, that's a deterrent, outside a locked door, that's preventive. If someone does get through the lock somehow, the CCTV, detective, helps figure out what happened, and that leads to actions to fix the vulnerability, corrective controls. It's like this mesh of defenses. So with all these layers, what's a common mistake or trap organizations fall into when setting up controls?

Speaker 2

Well, often it's focusing too much on the tech side and forgetting the people aspect, or maybe investing heavily in, say, firewalls, but leaving physical security weak. Auditors are always looking for those kinds of imbalances, or assumptions that just one control is enough when you really need that integrated strategy. That makes sense.

Speaker 1

People are often the weakest link, aren't they? Okay, let's shift focus now. We've seen how auditors think about risk and controls. Let's apply that to something familiar. Online banking, super convenient, right? But our source highlights a heavy dependence on internet service providers and, naturally, big cyber risks like hacking, system downtime, and ensuring transaction integrity.

Speaker 2

Right, that convenience factor brings in dependencies on external companies which the bank doesn't directly control. That just broadens the potential attack surface. So for an auditor, that means looking closely at governance, at confidentiality, integrity, availability arrangements, how well is security testing done? And like we all experience that two-factor authentication prompt, that's a classic, powerful preventive control.

It really helps mitigate those risks from someone just stealing your password, adds that vital second check.

Speaker 1

Okay, let's switch from digital to physical for a moment. Yeah, physical security might seem obvious, locks on doors, but the guide details some pretty sophisticated layers. Beyond standard deadbolts, you've got combination locks, which need changing often; electronic card locks, which are easy to deactivate if a card is lost; and for really critical places, biometric locks, fingerprints, iris scans. But then there's this concept I find fascinating: deadman

doors, or mantraps. It's basically two doors in sequence. The second door won't open until the first one closes and locks behind you, and usually only one person is allowed in that little space between the doors at a time. It's a clever way to stop tailgating or piggybacking, someone sneaking in right behind someone authorized. Like physical two-...

Speaker 2

...factor, exactly. It forces single entry, and you combine that with things like CCTV cameras strategically placed, making sure the footage is kept long enough, maybe three months, as the guide suggests. That becomes a key detective control too.

Speaker 1

And don't forget environmental controls. In places like data centers, fire suppression is crucial, but the source points out a really important safety risk with older systems like carbon dioxide or halon. They work by reducing oxygen, which is obviously dangerous in a room where people might be working. Yes, suffocation risk, that's right.

Speaker 2

Which is why for manned areas you now see safer alternatives like FM-200 or Argonite gas. They suppress fire without displacing oxygen to dangerous levels. It's that balance once again, protecting assets and people.

Speaker 1

So think about your own workplace for a second. What physical controls, visible or maybe hidden, are protecting things: data centers, server rooms, even just your own desk? Now back to the digital world for a bit. How do we prove who we are online? Our sources talk about the three classic factors of authentication. You probably use these constantly. First, there's something you know, like your password or a PIN number. Second, something you have, maybe a physical token, a smart card,

or that one-time code sent to your phone. And third, something you are: biometrics, fingerprint, face scan, iris scan. And two-factor authentication, which we keep mentioning, just means using a combination of two of those. Like that digital deadman door for your login.

Speaker 2

It significantly boosts security, no doubt. But then you have things like single sign-on, SSO. Super convenient, right? One password for lots of apps. But what's the catch? Well, the big disadvantage is it creates a single point of failure. If that one SSO password gets compromised, uh oh, an attacker can potentially access everything it protects. It really highlights that constant tension between making things easy for users and keeping things secure.

Speaker 1

Good point. And what about when data gets old? We need to get rid of it securely. Just hitting delete on your computer? Yeah, that doesn't really cut it. Our source mentions degaussing, basically using strong magnets to scramble data on magnetic media like tapes or older hard drives, if you want to reuse them. But for truly ensuring data is gone forever, especially sensitive stuff, physical destruction is listed as the most effective way: shredding, pulverizing.

Speaker 2

Absolutely, for physical media you control, destruction is definitive. But think about the cloud now, or virtual machines. It gets more complicated, doesn't it? Auditors now have to worry about secure logical erasure, something called crypto-shredding, where you destroy the encryption key, or verifying the cloud provider's disposal methods. It just shows how deep this thinking has to go. Protecting data isn't just about when it's live, but also making sure it's securely retired.

Speaker 1

Okay, let's move into the network. When you think network security, you probably think firewall. But it's not just one monolithic wall. It's a system with different types doing different jobs. You start with basic packet filtering, just looking at addresses, but then you get more advanced, all the way up to application-level firewalls. These are pretty smart. They don't just check the address label. They actually look inside the package,

at the data content itself. Much deeper inspection. And there are special ways to set these up, special components, like a bastion host. Think of it as a heavily armored guard post. It's designed to be the only system that's directly exposed to the public Internet. Everything else hides behind it, right?

Speaker 2

It takes all the direct hits, theoretically. And then you have proxy servers. They act as a go-between: your computer talks to the proxy, the proxy talks to the Internet. This helps hide your internal network structure and addresses from the outside world.

Speaker 1

And you combine these things. The source flags the screened subnet firewall, often called a DMZ or demilitarized zone, as the most secure configuration. This typically uses two firewalls, maybe routers acting as firewalls, plus a bastion host in between. Creates layers.

Speaker 2

Like an airlock, exactly. That DMZ is a classic example of defense in depth. You create this buffer zone. Public services like a web server might live in the DMZ, isolated from your really sensitive internal network. An attacker would have to breach multiple layers to get inside. Auditors love seeing well-configured DMZs. They're checking not just that there are firewalls, but how they're configured, how they work together.

Speaker 1

Makes sense. Now, what about VPNs? Lots of us use them, especially for remote work. Virtual private networks. They create that secure, encrypted tunnel over the public Internet, using things like tunneling protocols and IPsec for encryption. Sounds secure, but what are the risks?

Speaker 2

Well, VPNs are great for confidentiality, but they pose challenges. One is that firewalls often cannot adequately examine encrypted VPN traffic. So potentially malicious stuff could tunnel right through your perimeter defenses, hidden inside that encrypted stream. Okay. And a really significant risk is the endpoint device itself, the remote computer

connecting in. If that laptop is already compromised with malware, it can just send that malicious code through the VPN tunnel right into the organization's private network, bypassing a lot of defenses. Which leads to the question for you, the listener: how secure is the device you use to connect via VPN, and is the VPN itself configured correctly? Because poor configuration is another major risk area. Strong crypto doesn't help if the setup is leaky.

Speaker 1

Right, the tunnel might be strong, but what's going through it or where it ends up matters hugely. Okay. Finally, let's touch on Wi-Fi security. Wireless is everywhere. How do we lock that down? Our source mentions some practical steps auditors look for. One is MAC filtering. This means configuring the router to only allow devices with specific pre-approved hardware addresses, MAC addresses, to connect. Kind of like a guest list.

Speaker 2

Yeah, it adds a layer. Then, absolutely crucial, is encryption. The guide points to WPA2 as the strong standard you should be using. WPA3 is even better now, but WPA2 is the minimum baseline. It scrambles the data flying through the air, so eavesdroppers can't easily read it.

Speaker 1

The guide also mentions disabling SSID broadcasting. That's hiding your network name so it doesn't pop up automatically in lists. Though, you know, this isn't strictly necessary unless you're maybe trying to avoid advertising a public hotspot. Security by obscurity isn't super strong on its own.

Speaker 2

True. And finally, disabling DHCP. DHCP automatically assigns IP addresses to devices joining the network. Disabling it means you have to manually configure the IP address on each device. It makes it harder for an unauthorized person to just jump on. A bit more hassle, but more control.

Speaker 1

Yeah, these are all practical things, things auditors check and things you can even check on your own home network,

understanding the why behind them. So we've covered a lot of ground today, a real whirlwind tour through how IS auditors think. From breaking down risk into assets, vulnerabilities and threats, to building layered defenses with all those different types of controls. We've seen how just one weak spot, a missing control, a shared password, maybe an unpatched system, can cause big problems, and how layers, from physical deadman doors to complex firewall rules and VPNs, work together to try

and keep things safe.

Speaker 2

Absolutely. And the key takeaway, I think, is that this is never static. Technology changes constantly, threats evolve, but those core principles, know your assets, understand your weaknesses, layer your controls, preventive, detective, corrective, and so on, those remain essential. Which maybe leaves the

final question for you, the listener. In our super tech-dependent lives, are we doing enough to think like these auditors? Do we really understand the why behind the security measures we use, or are we just sort of clicking accept and hoping for the best?

Speaker 1

A very important question indeed. Well, thanks for diving deep with us today on information systems auditing and security. Keep learning, keep asking those "why" questions, and stay curious. Hopefully you now feel a bit more informed about this really complex but vital field.

Transcript source: Provided by creator in RSS feed.