Chapter Nine

Security Testing

THIS CHAPTER INTRODUCES US to the world of cybersecurity, testing, and evidence collection. Although security testing is usually an optional item in an information systems audit, it is imperative in cases like network audits and technical reviews. In order to act as a network auditor, one is required to go through specialized training on cybersecurity and cyberforensics, which are outside the scope of this book. As you complete this chapter, you should form a working idea about common security threats and a common tool-based approach to security testing.


Cybersecurity focuses on prevention of damage to, protection of, and restoration of information system assets, including information. The objective is to ensure availability, integrity, authentication, confidentiality, and nonrepudiation of information systems assets. Cybersecurity may include technology, policies, and training to achieve its goal of protecting and assuring information quality.


An information systems auditor must be aware of various types of cybercrimes being committed to judge the extent of exposure of the auditee. Cybercrimes are a genre of crimes that use computers and networks for unlawful activities. A computer can be used for crime either as a tool or as a target or both.

The first type of crime is basically an extension of “real-world” crimes, such as forgery, fraud, or copyright piracy, using computers. These types of computer-enabled crimes are usually ...
