Chapter 3 – Security Part I: Auditing Operating Systems and Networks

AUDITING OPERATING SYSTEMS

Operating System – computer’s control program that allows users and their applications to share and access computer resources

Operating System Objectives

Three Main Tasks:
1. It translates high-level languages into machine-level language that the computer can execute.
   • Compilers and Interpreters – language translator modules of the operating system
2. It allocates computer resources to users, workgroups, and applications.
3. It manages the tasks of job scheduling and multiprogramming.

Three ways in which jobs are submitted to the system:
1. Directly by the system operator
2. From various batch-job queues
3. Through telecommunication links from remote workstations

Five Fundamental Control Objectives:
1. The operating system must protect itself from users.
2. The operating system must protect users from each other.
3. The operating system must protect users from themselves.
4. The operating system must be protected from itself.
5. The operating system must be protected from its environment.

Operating System Security

Operating System Security – involves policies, procedures, and controls that determine who can access the operating system, which resources they can use, and what actions they can take.

Components in secure operating systems:
1. Log-On Procedure – the operating system’s first line of defense against unauthorized access.
   • When the user initiates the process, he/she is presented with a dialog box requesting ID and password. The system compares the ID and password to a database of valid users.
2. Access Token – created by the operating system when a log-on attempt is successful
   - contains key information about the user, including user ID, password, user group and privileges granted to the user
3. Access Control List – assigned to each IT resource; contains information that defines the access privileges for all valid users of the resource
   • When a user attempts to access a resource, the system compares his/her ID and privileges contained in the access token with those contained in the access control list.
4. Discretionary Access Privileges – granted to resource owners to allow them to grant access privileges to other users

Threats to Operating System Integrity
• Accidental threats include hardware failures that cause the operating system to crash.
• Errors in user application programs also cause operating system errors.
• Accidental system failures may cause whole segments of memory to be dumped to disks and printers, resulting in the unintentional disclosure of confidential information.
• Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain.

Three Sources:
1. Privileged personnel who abuse their authority
2. Individuals, both internal and external to the organization
3. Individuals who intentionally (or accidentally) insert computer viruses

Operating System Controls and Audit Tests

Four areas that are examined:
1. Access Privileges
   • Management should ensure that individuals are not granted privileges that are incompatible with their assigned duties.
2. Password Control
   • Password – secret code the user enters to gain access to systems, applications, data files or a network server
   • Most common forms of contra-security behaviour include:
     o Forgetting passwords and being locked out of the system
     o Failing to change passwords on a frequent basis
     o The post-it syndrome, whereby passwords are written down and displayed for others to see
     o Simplistic passwords that a computer criminal easily anticipates
   • Reusable Passwords – the user defines the password to the system once and then reuses it to gain future access
   • One-Time Passwords – the user’s password changes continuously
3. Virus Control
   • Malicious and destructive programs are responsible for millions of dollars of corporate losses, measured in terms of data corruption and destruction, degraded computer performance, hardware destruction, violations of privacy and the personnel time devoted to repairing the damage.
4. Audit Trail Control
   • System audit trails – logs that record activity at the system, application, and/or user level
   • Consist of two types of audit logs:
     o Detailed logs of individual keystrokes
     o Event-oriented logs
   • Keystroke Monitoring – involves recording both the user’s keystrokes and the system’s responses
     - may be used after the fact to reconstruct the details of an event or as a real-time control to prevent unauthorized intrusion
   • Event Monitoring – summarizes key activities related to system resources
     - records the IDs of all users accessing the system; the time and duration of a user’s session; programs that were executed during the session; and the files, databases, printers and other resources accessed
   • Setting Audit Trail Objectives:
     o Detecting Unauthorized Access
     o Reconstructing Events
     o Personal Accountability

AUDITING NETWORKS

• The paradox of networking is that networks exist to provide user access to shared resources, yet the most important objective of any network is to control such access. Hence, for every productivity argument in favour of remote access, there is a security argument against it.

Intranet Risks

Intranet – consists of small LANs and large wide area networks (WANs) that may contain thousands of individual nodes
- used to connect employees within a single building, between buildings on the same physical campus, and between geographically dispersed locations

1. Interception of Network Messages
   • Sniffing – unauthorized interception of information by a node on the network
2. Access to Corporate Databases – increases the risk that an employee will view, corrupt, change or copy data
3. Privileged Employees – middle managers, who often possess access privileges that allow them to override controls, are the most often prosecuted for insider crimes
   • Reluctance to Prosecute – a factor that contributes to computer crime

Internet Risks

1. IP Spoofing – a form of masquerading to gain unauthorized access to a Web server and/or to perpetrate an unlawful act without revealing one
   • A perpetrator modifies the IP address of the originating computer to disguise his/her identity.
   • A criminal makes a message packet appear to be coming from a trusted or authorized source and thus slips through control systems designed to accept transmissions from certain host computers and block out others.
2. Denial of Service Attack – an assault on a Web browser to prevent it from servicing its legitimate users
   Three common types are:
   • SYNchronize (SYN) Flood Attack – accomplished by not sending the final acknowledgement to the server’s SYNchronize-ACKnowledgement (SYN-ACK) response, which causes the server to keep signalling for acknowledgement until the server times out
   • Smurf Attack – involves three parties: the perpetrator, the intermediary, and the victim
     - accomplished by exploiting an Internet maintenance tool called a ping, which is used to test the state of network congestion and determine whether a particular host computer is connected and available on the network
     o This ping works by sending an echo request message (like a sonar ping) to the host computer and listening for a response (echo reply). The ping signal is encapsulated in a message packet that also contains the IP address of the sender. A functioning and available host must return an echo reply message that contains the exact data received in the echo request message packet.
     o Intermediary – unwilling and unaware party who is also a victim and to some extent suffers the same type of network congestion problems the target victim suffers
   • Distributed Denial of Service (DDoS) – may take the form of a SYN flood or smurf attack
     - the perpetrator of a DDoS attack may employ a virtual army of so-called zombie or bot (robot) computers to launch the attack
     - involves one or more Internet relay chat (IRC) networks as a source of zombies
       o Internet relay chat (IRC) – popular interactive service on the Internet that lets thousands of people from around the world engage in real-time communications via their computers
       o Botnets – collections of compromised computers that are under the control of the perpetrator
3. Equipment Failure – can disrupt, destroy or corrupt transmissions between senders and receivers
   • Network topologies consist of various configurations of:
     o Communication lines
     o Hardware components
     o Software

Controlling Networks

• We begin by reviewing several controls for dealing with subversive threats. This is followed by the audit objectives and procedures associated with these controls. The section then presents controls, audit objectives, and audit procedures related to threats from equipment failure.

Controlling Risks from Subversive Threats

1. Firewall – a system of software and hardware that prevents unauthorized access to or from a private network
   - can be used to authenticate an outside user of the network, verify his/her level of access authority, and then direct the user to the program, data or service requested
   - can be grouped into two types:
     • Network-level firewalls – provide efficient but low-security access control
       - consist of a screening router that examines the source and destination addresses that are attached to incoming message packets
       - accept or deny access requests based on filtering rules that have been programmed into the router and direct incoming calls to the correct internal receiving node
       - insecure because they are designed to facilitate the free flow of information rather than restrict it
     • Application-level firewalls – provide a higher level of customizable network security, but they add overhead to connectivity
       - configured to run security applications called proxies that permit routine services, such as email, to pass through the firewall but can perform sophisticated functions such as user authentication for specific tasks
       - provide comprehensive transmission logging and auditing tools for reporting unauthorized activity
2. Controlling Denial of Service Attacks
   • For smurf attacks: the targeted organization can program its firewall to ignore all communication from the attacking site, once the attacker’s IP address is determined.
   • For SYN flood attacks:
     o Internet hosts must embrace a policy of social responsibility by programming their firewalls to block outbound message packets that contain invalid internal IP addresses
     o Security software is available for the targeted sites that scans half-open connections
   • For distributed denial of service attacks:
     o Many organizations have invested in intrusion prevention systems (IPS) that employ deep packet inspection (DPI) to determine whether an attack is in progress
     o DPI – uses a variety of analytical and statistical techniques to evaluate the contents of message packets
       - searches the individual packets for protocol non-compliance and employs predefined criteria to decide if a packet can proceed to its destination
       - can identify malicious packets based on a database of known attack signatures
     o IPS – works in line with a firewall at the perimeter of the network to act as a filter that removes malicious packets from the flow before they can affect servers and networks
       - provides additional protection against careless laptop users who have been unknowingly infected with a Trojan horse or worm while working outside the protected network environment
3. Encryption – the conversion of data into a secret code for storage in databases and transmission over networks
   - the sender uses an encryption algorithm to convert the original message (called cleartext) into a coded equivalent (called ciphertext), which is then decoded (decrypted) back into cleartext at the receiving end
   • Key – mathematical value that the sender selects
   • Algorithm – procedure of shifting each letter in the cleartext message the number of positions that the key value indicates
   Two methods of encryption:
   • Private Key Encryption
     o Advanced encryption standard (AES) – a 128-bit encryption technique that has become a U.S. government standard for private key encryption
       - uses a single key known to both the sender and the receiver of the message
     o Triple-DES encryption – an enhancement to an older encryption technique called the data encryption standard (DES)
       - provides considerably improved security over most single encryption techniques; its two forms are:
         a. EEE3 – uses three different keys to encrypt the message three times
         b. EDE3 – uses one key to encrypt the message; a second key is used to decode it, which is then garbled (because of the difference in decoding and encrypting); and a third key is used to encrypt the garbled message
   • Public Key Encryption – uses two different keys: one for encoding messages and the other for decoding them
     - each recipient has a private key that is kept secret and a public key that is published
     - the sender of a message uses the receiver’s public key to encrypt the message and the receiver then uses his/her private key to decode the message
     o Rivest-Shamir-Adleman (RSA) – highly secure public key cryptography method that is computationally intensive and much slower than the standard DES encryption
     o Digital Envelope – where RSA and DES are used together
       - the actual message is encrypted using DES to provide faster decoding
       - the DES private key needed to decrypt the message is encrypted using RSA and transmitted along with the message
       - the receiver first decodes the DES key, which is then used to decode the message
4. Digital Signatures – electronic authentication that cannot be forged and ensures that the message or document that the sender transmitted was not tampered with after the signature was applied
5. Digital Certificate – issued by a trusted certification authority (CA) and used in conjunction with a public key encryption system to authenticate the sender of a message
   - transmitted with the encrypted message to authenticate the sender
   - the receiver uses the CA’s public key, which is widely publicized, to decrypt the sender’s public key attached to the message
   - the sender’s public key is then used to decrypt the message
   • Public key infrastructure (PKI) – constitutes the policy and procedures for administering the activity and consists of:
     o A CA that issues and revokes the digital certificate.
     o A registration authority that verifies the identity of certificate applicants.
     o A certification repository, which is a publicly accessible database that contains current information about current certificates and a certification revocation list of certificates that have been revoked and the reasons for revocation.
6. Message Sequence Numbering – a sequence number is inserted in each message, and any attempt at deleting a message from a stream of messages, changing the order of messages received or duplicating a message will become apparent at the receiving end
7. Message Transaction Log – records all incoming and outgoing messages, as well as attempted (failed) access, to prevent an intruder from penetrating the system by trying different password and user ID combinations
   - should record the user ID, time of the access, and the terminal location or telephone number from which the access originated
8. Request-Response Technique – a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals to avoid an intruder’s attempt to prevent or delay the receipt of a message from the sender
9. Call-Back Devices – require the dial-in user to enter a password and be identified, then the system breaks the connection to perform user authentication
   - dials the caller’s number to establish a new connection if the caller is authorized
   - restricts access to unauthorized terminals or telephone numbers and prevents an intruder from masquerading as a legitimate user

Controlling Risks from Equipment Failures

Line Errors – cause data loss, which is the most common problem in data communications
- the bit structure of the message can be corrupted through noise on the communication lines, which is made up of random signals that can interfere with the message signal when they reach a certain level

Two techniques commonly used to detect and correct such data errors:
1. Echo Check – involves the receiver of the message returning the message to the sender
   - the sender compares the returned message with a stored copy of the original and if there is a discrepancy, the message is retransmitted
2. Parity Check – incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted

AUDITING ELECTRONIC DATA INTERCHANGE (EDI)

Electronic Data Interchange (EDI) – intercompany exchange of computer-processable business information in standard format

Several important features:
1. EDI is an interorganization endeavour.
2. The information systems of the trading partners automatically process the transaction.
3. Transaction information is transmitted in a standardized format.

EDI Standards

American National Standards Institute (ANSI) X.12 format – standard in the United States

X-12 electronic envelope – contains the electronic address of the receiver, communications protocols, and control information

Functional group – a collection of transaction sets (electronic documents) for a particular business application, such as a group of sales invoices or POs

Transaction set – composed of data segments and data elements

Benefits of EDI

Common EDI savings that justify the approach:
• Data keying
• Error reduction
• Reduction of paper
• Postage
• Automated procedures
• Inventory reduction

Financial EDI

Electronic Funds Transfer – used for cash disbursement and cash receipts processing and is more complicated than using EDI for purchasing and selling activities
• The buyer’s EDI system receives the purchase invoices and automatically approves them for payment.
• On the payment date, the buyer’s system automatically makes an EFT to its originating bank (OBK).
• OBK – removes funds from the buyer’s account and transmits them electronically to the automatic clearing house (ACH) bank
• ACH – transfers the funds from the OBK to the receiving bank (RBK), which in turn applies the funds to the seller’s account

EDI Controls

Transaction Authorization and Validation – can be accomplished at three points in the process:
1. Some VANs have the capability of validating passwords and user ID codes for the vendor by matching these against a valid customer file. The VAN rejects any unauthorized trading partner transactions before they reach the vendor’s system.
2. Before being converted, the translation software can validate the trading partner’s ID and password against a validation file in the firm’s database.
3. Before processing, the trading partner’s application software references the valid customer and vendor files to validate the transaction.

Access Control
• To guard against unauthorized access, each company must establish valid vendor and customer files. Inquiries against databases can thus be validated, and unauthorized attempts at access can be rejected.

EDI Audit Trail – one technique is to maintain a control log, which records the transaction’s flow through each phase of the EDI system

AUDITING PC-BASED ACCOUNTING SYSTEMS

PC applications – tend to be general-purpose systems that serve a wide range of needs and allow software vendors to mass-produce low-cost and error-free standard products

PC Systems Risks and Controls:
1. Operating System Weakness – PCs provide only minimal security for data files and programs contained within them
2. Weak Access Control – a computer criminal attempting to circumvent the log-on procedure may do so by forcing the computer to boot from CD-ROM, whereby an uncontrolled operating system can be loaded into the computer’s memory
3. Inadequate Segregation of Duties – employees in PC environments may have access to multiple applications that constitute incompatible tasks
4. Multilevel Password – used to restrict employees who are sharing the same computers to specific directories, programs and data files
5. Risk of Theft – because of their size, PCs are objects of theft, and the portability of laptops places them at the highest risk
6. Weak Backup Procedures – primary cause of data loss in PC environments
7. Risk of Virus Infection – one of the most common threats to PC integrity and system availability

APPENDIX

Section A: Internet Technologies

Internet – was developed for the U.S. military and later became widely used for academic and government research; its growth is attributed to three factors:
1. In 1995, national commercial telecommunications companies took control of the backbone elements of the Internet and have continued to enhance their infrastructures. Large Internet service providers (ISPs) can link into these backbones to connect their subscribers, and smaller ISPs can connect directly to the national backbones or into one of the larger ISPs.
2. Online services connect to the Internet for e-mail, which enables users of different services to communicate with each other.
3. The development of graphics-based Web browsers has made accessing the Internet a simple task.

Components:
1. Packet Switching – basis for communications technologies
2. Virtual Private Networks – private network within a public network
3. Extranets – password-controlled network for private users rather than the general public
4. World Wide Web – an Internet facility that links user sites locally and around the world
5. Internet Addresses – uses three types of addresses for communications:
   • E-mail addresses – the format is USER NAME@DOMAIN NAME, in which there are no spaces between any of the words
   • Web site URL addresses – the address that defines the path to a facility or file on the Web
   • Internet Protocol (IP) addresses of individual computers attached to a network – currently represented by a 32-bit data packet
     - the general format is four sets of numbers separated by periods
     - the decomposition of the code into its components varies depending on the class to which it is assigned

Protocols – rules and standards governing the design of hardware and software that permit users of networks, which different vendors have manufactured, to communicate and share data
• What Functions Do Protocols Perform?
  1. They facilitate the physical connection between network devices.
  2. They synchronize the transfer of data between physical devices.
  3. They provide a basis for error checking and measuring network performance.
  4. They promote compatibility among network devices.
  5. They promote network designs that are flexible, expandable, and cost-effective.
• The Layered Approach to Network Protocol – its purpose is to create a modular environment that reduces complexity and permits changes to one layer without adversely affecting another
  o Open system interface (OSI) – layered set of protocols developed by the data communication community through the International Standards Organization

Internet Protocols

Transfer control protocol/Internet protocol (TCP/IP) – basic protocol that permits communication between Internet sites
- controls how individual packets of data are formatted, transmitted, and received
- ensures that the total number of data bytes transmitted was received

Common protocols that are used for specific tasks:
1. File Transfer Protocols (FTP) – used to transfer text files, programs, spreadsheets, and databases across the Internet
   • TELNET – terminal emulation protocol used in TCP/IP-based networks that allows users to run programs and review data from a remote terminal or computer
2. Mail Protocols
   • Simple network mail protocol (SNMP) – the most popular protocol for transmitting e-mail messages
   • Post office protocol (POP) and Internet message access protocol (IMAP) – other e-mail protocols
3. Security Protocols
   • Security sockets layer (SSL) – low-level encryption scheme used to secure transmissions in higher-level HTTP format
   • Private communications technology (PCT) – a security protocol that provides secure transactions over the Web
   • Secure electronic transmission (SET) – an encryption scheme developed by a consortium of technology firms and banks to ensure credit card transactions
   • Privacy enhanced mail (PEM) – standard for secure e-mail on the Internet that supports encryption, digital signatures, and digital certificates, as well as both private and public key methods
4. Network News Transfer Protocol (NNTP) – used to connect to Usenet groups on the Internet
5. HTTP and HTTP-NG
   • HTTP – controls Web browsers that access the Web
     - when the user clicks on a link to a Web page, a connection is established and the Web page is displayed, then the connection is broken
   • HTTP-NG – stands for Hypertext transport protocol-next generation
     - an enhanced version of the HTTP protocol that maintains the simplicity of HTTP while adding important features such as security and authentication
6. HTML – stands for Hypertext markup language
   - a document format used to produce Web pages and to lay out information for display in an appealing manner

Section B: Intranet Technologies

NETWORK TOPOLOGIES – the physical arrangement of the components of the network

Local Area Networks and Wide Area Networks
• LANs – often confined to a single room in a building, or they may link several buildings within close geographic proximity, but can cover distances of several miles and connect hundreds of users
  o Nodes – components connected to the LAN
• WANs – when networks exceed the geographic limitations of the LAN; often commercial networks that the organization leases because of the distances involved and the high cost of telecommunication infrastructure

Network Interface Cards (NIC) – achieve the physical connection of workstations to the LAN; the card fits into one of the expansion slots in the microcomputer

Servers – special-purpose computers that manage common resources shared by LAN nodes

Five Basic Network Topologies:
1. Star Topology – describes a network of computers with a large central computer (the host) at the hub that has direct connections to a periphery of smaller computers
2. Hierarchical Topology – one in which a host computer is connected to several levels of subordinate, smaller computers in a master-slave relationship
3. Ring Topology – a peer-to-peer arrangement in which all nodes are of equal status; thus, responsibility for managing communications is distributed among nodes
4. Bus Topology – most popular LAN topology, so named because the nodes are all connected to a common cable – the bus – wherein one or more servers centrally control communications and file transfers between workstations
5. Client-Server Topology – distributes the processing between the client’s computer and the central file server

NETWORK CONTROL – the majority resides with software in the host computer, but control also resides in servers and terminals at the nodes and in the switches located throughout the network

Purpose is to perform the following tasks:
1. Establish communications sessions between the sender and receiver.
2. Manage the flow of data across the network.
3. Detect and resolve data collisions between competing nodes.
4. Detect errors in data that line failure or signal degeneration cause.

Data Collision – two or more signals transmitted simultaneously that destroy both messages

Three basic methods of controlling data collisions:
1. Polling – one site, designated the master, polls the other slave sites to determine if they have data to transmit
   - if a slave responds in the affirmative, the master site locks the network while the data are transmitted and the remaining sites must wait until they are polled before they can transmit
   Advantages:
   • Polling is noncontentious, meaning that because nodes can send data only when the master node requests, two nodes can never access the network at the same time.
   • An organization can set priorities for data communications across the network.
2. Token Passing – involves transmitting a special signal – the token – around the network from node to node in a specific sequence
   - each node on the network receives the token, regenerates it, and passes it to the next node; only the node possessing the token is allowed to transmit data
   Advantage: its deterministic access method, which avoids data collisions
3. Carrier Sensing – a random access technique that detects collisions when they occur
   - formally labelled carrier-sensed multiple access with collision detection (CSMA/CD) and used with bus topology
   - the node wishing to transmit listens to the bus to determine if it is in use, and transmits its message if it senses no transmission
   • Ethernet – best-known LAN software that uses CSMA/CD
     Advantages over token ring:
     1. The technology, being relatively simple, is well suited to the less costly twisted-pair cabling.
     2. The network interface cards that Ethernet uses are much less expensive.
     3. Ethernet uses a bus topology, which is easier to expand.

Section C: Malicious and Destructive Programs

VIRUS – a program that attaches itself to a legitimate program to penetrate the operating system and destroy application programs, data files, and the operating system itself.

Files where virus programs attach:

1. An .EXE or .COM program file
2. An .OVL (overlay) program file
3. The boot sector of the disk
4. A device driver program

WORM – a software program that virtually burrows into the computer’s memory and
replicates itself into areas of idle memory

LOGIC BOMB – a destructive program that some predetermined event triggers

BACK DOOR – a software program that allows unauthorized access to a system without going
through the normal log-on procedure

TROJAN HORSE – a program whose purpose is to capture IDs and passwords from
unsuspecting users
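Worked example for the Operating System Security section above (added here; it is not code from these notes or from the textbook they summarize). It models the access token built at log-on, the access control list attached to each resource, the token-versus-ACL comparison made on every access attempt, the owner's discretionary grant, and an audit helper for the Access Privileges test that flags a user holding an incompatible pair of duties. All user, group, resource and right names are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    """Created by the operating system when a log-on succeeds; carried with
    every later access request. Constructed model, not a real OS structure."""
    user_id: str
    group: str


@dataclass
class AclEntry:
    principal: str   # a user ID or a group name
    rights: set      # e.g. {"read", "write"}


@dataclass
class Resource:
    """Each IT resource carries an access control list (ACL) that defines the
    access privileges of all valid users of the resource."""
    name: str
    owner: str
    acl: list = field(default_factory=list)

    def grant(self, granter, principal, rights):
        """Discretionary access privilege: only the resource owner may extend
        the ACL for another user or group. Returns True if the grant was recorded."""
        if granter.user_id != self.owner:
            return False
        for entry in self.acl:
            if entry.principal == principal:
                entry.rights |= set(rights)
                return True
        self.acl.append(AclEntry(principal, set(rights)))
        return True


def check_access(token, resource, right):
    """The comparison the OS makes on every access attempt: the user ID and
    group held in the token are matched against the resource's ACL entries,
    and the requested right must appear in a matching entry."""
    return any(
        right in entry.rights
        for entry in resource.acl
        if entry.principal in (token.user_id, token.group)
    )


def find_incompatible(tokens, resources, incompatible_pairs):
    """Audit test for the Access Privileges area: list users whose effective
    rights cover both halves of an incompatible pair of duties. Each pair is
    ((resource_name, right), (resource_name, right)); which pairs count as
    incompatible is a policy input, constructed here for the sample."""
    by_name = {r.name: r for r in resources}
    findings = []
    for token in tokens:
        for first, second in incompatible_pairs:
            if (check_access(token, by_name[first[0]], first[1])
                    and check_access(token, by_name[second[0]], second[1])):
                findings.append((token.user_id, first, second))
    return findings


if __name__ == "__main__":
    # Constructed sample: two users, two resources, one incompatible pair
    # (maintaining the vendor master file and approving payments).
    alice = AccessToken("alice", "payables")
    bob = AccessToken("bob", "purchasing")
    vendors = Resource("vendor_master", owner="alice",
                       acl=[AclEntry("purchasing", {"read", "write"})])
    payments = Resource("payments", owner="alice",
                        acl=[AclEntry("payables", {"approve"})])
    pair = (("vendor_master", "write"), ("payments", "approve"))
    print(check_access(bob, payments, "approve"))      # False: no matching entry
    print(payments.grant(bob, "bob", {"approve"}))     # False: bob is not the owner
    print(payments.grant(alice, "bob", {"approve"}))   # True: discretionary grant
    print(find_incompatible([alice, bob], [vendors, payments], [pair]))
```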
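Worked example for the SYN flood control under Controlling Denial of Service Attacks (added here; not code from these notes or the textbook): a scan of half-open connections over a constructed connection table in the column layout netstat prints, reporting the listening ports and remote sources whose SYN_RECV count crosses a threshold. The table, the addresses and the thresholds are constructed; the per-source caveat about spoofed addresses ties back to the IP Spoofing notes.

```python
from collections import Counter

# Constructed sample of a TCP connection table in the column layout that
# netstat prints (proto, recv-q, send-q, local address, foreign address,
# state). Not captured from a real host; addresses are documentation ranges.
SAMPLE_TABLE = """\
tcp 0 0 10.0.0.5:443 198.51.100.7:51234 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.7:51235 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.7:51236 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.7:51237 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.9:40001 SYN_RECV
tcp 0 0 10.0.0.5:443 192.0.2.44:55120 ESTABLISHED
tcp 0 0 10.0.0.5:22 192.0.2.44:55121 ESTABLISHED
tcp 0 0 10.0.0.5:443 198.51.100.7:51238 SYN_RECV
"""


def parse_table(text):
    """Turn connection-table lines into dicts; lines that are not TCP rows
    (the header line, UDP sockets) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        rows.append({
            "local_port": int(local.rsplit(":", 1)[1]),
            "remote_ip": foreign.rsplit(":", 1)[0],
            "state": state,
        })
    return rows


def half_open_report(rows, port_threshold=5, source_threshold=3):
    """Count connections stuck in SYN_RECV: the server has sent SYN-ACK and is
    still waiting for the final ACK that the flood never sends. A listening
    port whose half-open count crosses port_threshold is the primary signal.
    The per-source count helps only when the sender is not spoofing: a flood
    from spoofed addresses shows as many sources with one half-open connection
    each, which is why the notes pair this check with egress filtering of
    invalid source addresses. Thresholds are constructed for the sample."""
    half_open = [r for r in rows if r["state"] == "SYN_RECV"]
    per_port = Counter(r["local_port"] for r in half_open)
    per_source = Counter(r["remote_ip"] for r in half_open)
    return {
        "half_open": len(half_open),
        "established": sum(1 for r in rows if r["state"] == "ESTABLISHED"),
        "ports_over_threshold": {p: n for p, n in per_port.items()
                                 if n >= port_threshold},
        "sources_over_threshold": {ip: n for ip, n in per_source.items()
                                   if n >= source_threshold},
    }


if __name__ == "__main__":
    print(half_open_report(parse_table(SAMPLE_TABLE)))
```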
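Worked example for Message Sequence Numbering, item 6 under Controlling Risks from Subversive Threats (added here; not code from these notes or the textbook): the sender numbers each message and the receiving end reports deleted, duplicated and reordered messages from the numbers alone. The message payloads and the tampered streams are constructed.

```python
def number_stream(payloads, start=1):
    """Sender side: insert a sequence number in each message."""
    return [(start + i, payload) for i, payload in enumerate(payloads)]


def check_sequence(received, expected_start=1):
    """Receiving-end check. `received` is the stream in arrival order as
    (sequence_number, payload) pairs. Reports the three tampering cases the
    control makes apparent: deleted numbers (gaps), duplicates, and messages
    that arrive after a higher number (reordering). A message deleted at the
    very end of the stream leaves no gap, so the expected count has to be
    confirmed by another means, such as the request-response technique in
    item 8 of the same list."""
    seen = set()
    duplicates = []
    out_of_order = []
    highest = expected_start - 1
    for seq, _payload in received:
        if seq in seen:
            duplicates.append(seq)
            continue
        if seq < highest:
            out_of_order.append(seq)
        seen.add(seq)
        highest = max(highest, seq)
    missing = [n for n in range(expected_start, highest + 1) if n not in seen]
    return {
        "missing": missing,
        "duplicates": duplicates,
        "out_of_order": out_of_order,
        "clean": not (missing or duplicates or out_of_order),
    }


if __name__ == "__main__":
    # Constructed stream of five purchase-order messages and three tampered
    # versions of it: one deleted, one duplicated, two swapped.
    clean = number_stream(["PO-1", "PO-2", "PO-3", "PO-4", "PO-5"])
    deleted = [m for m in clean if m[0] != 3]
    duplicated = clean[:3] + [clean[2]] + clean[3:]
    reordered = [clean[0], clean[1], clean[3], clean[2], clean[4]]
    for name, stream in [("clean", clean), ("deleted", deleted),
                         ("duplicated", duplicated), ("reordered", reordered)]:
        print(name, check_sequence(stream))
```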
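Worked example for the Echo Check and Parity Check under Controlling Risks from Equipment Failures (added here; not code from these notes or the textbook): even-parity framing of 7-bit characters, the receiver's parity test, and the sender's comparison of the echoed copy with its stored original, including the case of two flipped bits that parity alone misses but the echo check catches. The 7-data-bit plus 1-parity-bit frame and the bit positions flipped are constructed choices.

```python
def parity_bit(data_bits, even=True):
    """Parity bit for a string of '0'/'1' characters. Even parity makes the
    total count of 1s (data plus parity bit) even."""
    bit = data_bits.count("1") % 2
    return str(bit) if even else str(1 - bit)


def add_parity(value, even=True):
    """Frame one 7-bit character as an 8-bit octet: data bits then parity bit.
    The 7+1 layout is a constructed choice for this example."""
    if not 0 <= value < 128:
        raise ValueError("only 7-bit values fit the constructed frame")
    data = format(value, "07b")
    return data + parity_bit(data, even)


def parity_ok(frame, even=True):
    """Receiver's parity check: recompute the bit from the data and compare."""
    data, received_bit = frame[:-1], frame[-1]
    return parity_bit(data, even) == received_bit


def flip_bits(frame, *positions):
    """Simulate line noise corrupting the given bit positions."""
    bits = list(frame)
    for pos in positions:
        bits[pos] = "1" if bits[pos] == "0" else "0"
    return "".join(bits)


def receiver_parity_failures(frames, even=True):
    """Receiver side: indexes of frames whose parity does not check."""
    return [i for i, f in enumerate(frames) if not parity_ok(f, even)]


def echo_check(sent_frames, echoed_frames):
    """Sender side: compare the echoed copy with the stored original and
    return the indexes of frames that must be retransmitted."""
    return [i for i, (s, e) in enumerate(zip(sent_frames, echoed_frames))
            if s != e]


if __name__ == "__main__":
    # Constructed transmission of "AUDIT"; noise flips one bit in frame 1 and
    # two bits in frame 3. Parity catches the first; an even number of flips
    # leaves parity intact, so only the echo check catches the second.
    sent = [add_parity(ord(c)) for c in "AUDIT"]
    arrived = list(sent)
    arrived[1] = flip_bits(sent[1], 2)
    arrived[3] = flip_bits(sent[3], 2, 3)
    print(receiver_parity_failures(arrived))   # [1]
    print(echo_check(sent, arrived))           # [1, 3]
```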
