ACCP308 - Chapter 3: Security Part I: Auditing Operating Systems and Networks

135 Terms

1
Operating System Control Objectives

1. Protect itself against tampering by users
2. Protect users from accessing, destroying, or corrupting another user’s programs or data
3. Safeguard users’ application modules from destroying or corrupting other modules
4. Safeguard its own modules from destroying or corrupting other modules
5. Protect itself from its environment including power failures and other disasters
2
Operating Systems Security [methods]

1. Log-on Procedure
2. Access Token
3. Access Control List
4. Discretionary Access Privileges
5. Controlling Risks from Equipment Failure
6. Auditing Electronic Data Interchange **(EDI)**
3
Log-on Procedure
First line of defense against unauthorized access, consisting of user IDs and passwords
4
Access Token
Contains key information about the user, which is used to approve actions attempted during the session
5
Access Control List
Assigned to each IT resource and used to control access to the resource
6
Discretionary Access Privileges
Allows a user to grant access to another user
7
Threats to Operating System Integrity

1. Accidental threats
2. Intentional threats
3. Growing Threats
8
Accidental threats
These include hardware failures and errors in user applications
9
Intentional threats
These are often attempts to illegally access data or violate privacy for financial gain
10
Growing threats
These include destructive programs with no apparent gain.
11
3 Sources of Growing Threat

1. Privileged personnel who abuse their authority
2. Individuals who browse the operating system to identify and exploit flaws
3. Individuals who insert viruses or other destructive programs into the operating system, either intentionally or unintentionally
12
Operating Systems Controls Procedures / Key Audit Considerations

1. Access privileges
2. Password Control
3. Viruses and Destructive Programs
4. System Audit Trails
5. Subversive Threats
13
Access Privileges - Audit Objectives
Verify that access privileges are consistent with the separation of incompatible functions and organization policies.
14
Access Privileges - Audit Procedures

1. Review policies for separating incompatible functions
2. Review a sample of user privileges, especially access to data and programs
3. Review security clearance checks of privileged employees
4. Determine if users have formally acknowledged their responsibility to maintain data confidentiality
5. Review users’ permitted log-in times
15
Password
It is a secret code the user enters to gain access to a system or data
16
Common contra-security behaviors

1. Forgetting passwords or failing to change them regularly
2. Post-it syndrome, which puts passwords on display
3. Simplistic passwords that are easy for criminals to anticipate
17
Most commonly passwords are **reusable**
Hence, management should require changes and disallow weak ones
18
One-time Passwords
These are automatically generated by the system when the user enters a PIN.
19
**Password Control** - Audit objective
Ensure adequacy and effectiveness of password policies for controlling access to the operating system
20
**Password Control** - Audit procedures

1. Verify passwords are required for all users and that new users are instructed in their use and importance
2. Ensure controls requiring passwords are changed regularly
3. Review password file for weak passwords
4. Verify encryption of the password file.
5. Assess the adequacy of password standards.
6. Review account lockout policies and procedures.
21
Controlling Against Malicious & Destructive Programs
Organizations can reduce threats by:

1. Purchase software from reputable vendors in original packages.
2. Policy pertaining to unauthorized or illegal software.
3. Examine upgrades and public-domain software for viruses before implementation and use.
4. Implement procedures for changing programs.
5. Educate users regarding threats.
6. Test all applications before implementation.
7. Make frequent backups and limit users to read and execute rights only whenever possible.
8. Require protocols to bypass Trojan horses and use antiviral software.
22
**Viruses & Destructive Programs** - Audit objectives
Verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses.
23
**Viruses & Destructive Programs** - Audit procedures

1. Interviews to determine that operations personnel have been properly educated and are aware of the risks
2. Verify new software is tested on standalone workstations before being implemented
3. Verify that antiviral software is current and that upgrades are frequently downloaded
24
System audit trails
These are logs that record activity at the system, application and user level
25
Two types of audit logs

1. Keystroke monitoring
2. Event monitoring
26
Keystroke monitoring
This involves recording the user’s keystrokes and the system’s response
27
Event monitoring
This summarizes key activities related to system resources
28
Audit trails can be used to:

1. Detect unauthorized access
2. Reconstruct events
3. Promote personal accountability
29
True
Benefits must be balanced against costs.
30
Intranet Risks

1. Intercepting network messages
2. Accessing corporate databases
3. Privileged employees
31
Sniffing
Interception of user IDs, passwords, confidential e-mails, and financial data files
32
Accessing corporate databases
Connections to central databases increase the risk that data will be accessible to employees
33
Privileged employees

1. Overrides may allow unauthorized access to critical data.
2. Organizations’ reluctance to prosecute.
3. Negligent hiring liability requires employers to check employee backgrounds.
4. Courts holding employers responsible for employee criminal acts that could have been prevented with a background check
34
Internet Risks

1. IP Spoofing
2. Denial of Service Attacks
    1. SYN Flood
    2. Smurf
    3. Distributed Denial of Service
35
IP spoofing
It is masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one’s identity
36
Denial of service (DOS) attack
It is an assault on a Web server to prevent it from servicing users
37
Denial of service (DOS) attack
* Particularly devastating to business entities that cannot receive and process business transactions.
* Motivation may be to punish an organization for a grievance or may be done for financial gain
38
Network Topologies
subject to risks from equipment failure which can cause corruption or loss
39
Three Common Types of DOS Attacks

1. SYN Flood
2. Smurf
3. Distributed Denial of Service
40
**SYN Flood**
When the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying up the receiving server while it waits
41
**Smurf**
DOS attacker uses numerous intermediary computers to flood the target computer with test messages (“pings”), causing network congestion
42
**Distributed Denial of Service**
May take the form of Smurf or SYN attacks, but distinguished by the vast number of **zombie** computers hijacked to launch the attacks
43
Controlling Risks from Subversive Threats

1. Firewalls
    1. Network-level firewalls
    2. Application-level firewalls
2. Encryption
3. Digital Signatures & Certificate
4. Message sequence numbering
5. Message transaction log
6. Request-response technique
7. Call-back device
44
**Firewalls**
It prevents unauthorized access to or from a private network
45
To prevent unauthorized access to or from a private network

1. All traffic between the outside network and the organization’s intranet must pass through the firewall.
2. Only authorized traffic is allowed to pass through the firewall, which must be immune to all penetration.
46
Network-level firewalls
These provide efficient, low-security control
47
**Screening router**
Examines source and destination addresses attached to incoming message packets but does not explicitly authenticate outside users
48
**Application-level firewalls**
These provide higher, customizable network security, but add overhead cost
49
Controlling DOS Attacks -- Smurf Attacks
Organizations can program firewalls to ignore an identified attacking site
50
Controlling DOS Attacks -- SYN flood attacks

1. Get Internet hosts to use firewalls that block invalid IP addresses.
2. Use security software to scan for half-open connections
51
To counteract DDoS attacks organizations use…
**intrusion prevention systems (IPS)** that employ **deep packet inspection (DPI)**
52
**Intrusion prevention systems (IPS)**
Works as a filter that removes malicious packets from the flow before they can affect servers and networks.
53
Encryption
Conversion of data into a secret code for storage and transmission
54
Encryption algorithm
Used to convert the original cleartext message into a coded ciphertext which is decoded at the receiving end
55
**Caesar cipher** method
Earliest method of encryption
56
2 Fundamental Components of Encryption

1. Key
2. Algorithm
57
Key
Mathematical value the sender selects
58
**Algorithm**
procedure of shifting the letters in the cleartext message the number of positions the key value indicates
59
Two commonly used methods of Encryption
Private and Public Key Encryption
60
**Digital signature**
It is an electronic authentication that cannot be forged.
61
Digital signature
Sender uses a one-way hashing algorithm to calculate a **digest** of the text message, which is encrypted to produce the digital signature
62
**Certification authority (CA).**
A digital certificate issued by a trusted third party to verify the sender’s identity
63
Public key encryption
central to digital authentication, making public key management an important internal control issue
64
**Public key infrastructure (PKI)**
constitutes policies and procedures for administering this activity
65
**Message sequence numbering**
inserts a sequence number in each message to prevent attempts to delete, change or duplicate a message
66
**Message transaction log**
records all attempted accesses with user ID, time of access and location
67
**Request-response technique**
sends control messages and responses randomly, making it difficult for an intruder to circumvent
68
**Call-back device**
requires a dial-in user to enter a password and be identified
69
**Subversive Threats** - Audit objectives

1. Verify security and integrity of financial transactions.
2. Determine network controls (1) can prevent and detect illegal access; (2) will render captured data useless; and (3) are sufficient to preserve integrity and security of data
70
**Subversive Threats** - Audit procedures

1. Review adequacy of firewall: flexibility, proxy services, filtering, segregation of systems; audit tools; weaknesses.
2. Verify IPS with DPI for organizations vulnerable to DDoS.
3. Review security procedures and message transaction logs.
4. Verify encryption process and test operation of the call-back feature.
71
Controlling Risks from Equipment Failure - Audit objective
Verify integrity of transactions by determining that controls are in place to detect and correct message loss
72
Controlling Risks from Equipment Failure - Audit procedure
Examining a sample of messages for garbled content and verifying all corrupted messages were retransmitted
73
**Line errors**
losses from communications noise
74
Techniques to detect and correct data errors

1. Echo check
2. Parity check
75
**Echo check**
receiver returns the message to the sender
76
**Parity check**
an extra bit is added to each byte of data, similar to check digits
77
Auditing Electronic Data Interchange **(EDI)**
intercompany exchange of computer-processible business information in standard format
78
Key to Success of EDI
use of a standard format for messaging between dissimilar systems
79
Benefits of EDI

1. Reduces or eliminates need for data entry.
2. Reduction of errors and paper forms.
3. Mailed documents replaced with cheaper transmissions.
4. Automated manual procedures and inventory reduction.
80
Electronic funds transfer (EFT) processing
It is more complicated than EDI for purchasing and selling
81
Converting remittance information to electronic form
can result in very large records.
82
Both customer and supplier must establish that EDI transactions are valid and authorized

1. Some VANs have the capability of validating passwords and user ID codes for the vendor.
2. Before conversion, translation software can validate the trading partner’s IDs and passwords.
3. Before processing, the trading partner’s application software references valid files to validate the transaction.
83
Absence of source documents in EDI
eliminates the traditional audit trail and restricts audit tests
84
Auditing Electronic Data Interchange (EDI) - Audit Objectives

1. Transactions are authorized, validated, and in compliance with the trading partner agreement.
2. No unauthorized organizations can gain access to the database.
3. Authorized trading partners have access only to approved data.
4. Adequate controls are in place to ensure a complete audit trail.
86
New cards
Tests of Authorization and Validation Controls

1. Review agreements with VAN to validate transactions.
2. Review trading partner files for accuracy and completeness.
87
New cards
Test of Access Controls

1. Verify limited access to vendor and customer files.
2. Verify limited access of vendors to database.
3. Test EDI controls by attempting to violate access privileges
88
New cards
Test of Audit Trail Controls

1. Verify existence of transaction logs.
2. Review a sample of transactions to verify key data values were recorded correctly.
89
New cards
PC Accounting System Modules

1. General ledger module
2. Inventory control module
3. Payroll module
4. Cash disbursements module
5. Purchases and accounts payable module
6. Cash receipts module
7. Sales order module
90
New cards
PC Systems Risks and Controls

1. Operating System Weaknesses
2. Weak access control
3. Inadequate segregation of duties
4. Multilevel password control used to restrict employees sharing computers.
5. Risk of theft and virus infection.
6. Weak backup procedures
91
New cards
Audit Objectives Associated with PC Security
Auditor should verify:


1. Controls in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft.
2. Adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators.
3. Backup procedures are in place to prevent data and program loss due to system failures, errors and so on.
4. Systems selection and acquisition procedures produce applications that are high quality, and protected from unauthorized changes.
5. System virus free and adequately protected to minimize the risk of becoming infected with a virus or similar object.
92
New cards
Audit Procedures Associated with PC Security

1. Observe PCs are physically anchored.
2. Verify segregation of duties and/or adequate supervision.
3. Confirm reports are prepared, distributed, and reconciled by appropriate management at regular and timely intervals.
4. Determine multilevel password control as needed.
5. Verify drives are removed and stored appropriately.
6. Verify backup procedures are appropriate.
7. Verify software purchases and selection and acquisition procedures.
8. Review policy for using antiviral software.

\
93
Internet Technologies

1. Packet switching
2. Virtual Private Network
3. Extranet
4. World wide web
94
Packet switching
Messages are divided into small packets, where each packet of the message may take a different route
95
Virtual private network (VPN)
private network within a public network
96
Extranet
password-controlled network for private users
97
World Wide Web (WWW)
an Internet facility that links users locally and globally
98
Internet Addresses

1. Email addresses
2. URL address
3. IP address
99
E-mail addresses
Format is USERNAME@DOMAIN NAME
100
URL address

1. Defines the path to a facility or file on the Web.
2. Subdirectories can be several levels deep