Security Part I: Auditing Operating Systems and Networks: IT Auditing, Hall, 4e
© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
16/01/2017 0
Learning Objectives
Operating System Control Objectives
Operating Systems Security
• Log-On Procedure:
  • First line of defense against unauthorized access, consisting of user IDs and passwords.
• Access Token:
  • Contains key information about the user, which is used to approve actions attempted during the session.
• Access Control List:
  • Assigned to each IT resource and used to control access to the resource.
• Discretionary Access Privileges:
  • Allow a user to grant access to another user.
Threats to Operating System Integrity
Operating Systems Controls
Password Controls
Operating Systems Controls
Controlling Against Malicious & Destructive Programs
• Organizations can reduce threats by:
  • Purchasing software from reputable vendors in original packages.
  • Maintaining a policy pertaining to unauthorized or illegal software.
  • Examining upgrades and public-domain software for viruses before implementation and use.
  • Implementing procedures for changing programs.
  • Educating users regarding threats.
  • Testing all applications before implementation.
  • Making frequent backups and limiting users to read and execute rights only whenever possible.
  • Requiring protocols that bypass Trojan horses, and using antiviral software.
Operating System Controls
System Audit Trail Controls
• System audit trails are logs that record activity at the system, application and user level.
• Two types of audit logs:
  • Keystroke monitoring involves recording the user’s keystrokes and the system’s response.
  • Event monitoring summarizes key activities related to system resources.
• Audit trails can be used to detect unauthorized access, reconstruct events and promote personal accountability.
• Benefits must be balanced against costs.
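As an added illustration (not from Hall's textbook or these slides), a small Python model of how the log-on procedure, access token, access control list and discretionary access privilege described above fit together, with every decision written to an event-monitoring audit trail that is then reviewed for denied attempts. User names, passwords and the resource name are constructed sample data.

```python
# Added example: log-on -> access token -> ACL check -> discretionary grant,
# with each decision recorded in an event-level audit trail for later review.
from collections import Counter

# Constructed sample data (not real accounts or resources).
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACLS = {  # resource -> owner plus {user: set of rights}; owner may grant rights
    "payroll.db": {"owner": "alice", "rights": {"alice": {"read", "write"}}},
}
AUDIT_TRAIL = []  # event monitoring: (event, user, resource, detail, outcome)


def log_on(user, password):
    """Log-on procedure: returns an access token on success, None on failure."""
    ok = USERS.get(user) == password
    AUDIT_TRAIL.append(("logon", user, "-", "-", "ok" if ok else "denied"))
    return {"user": user} if ok else None


def check_access(token, resource, right):
    """ACL check: the token's user must hold the requested right on the resource."""
    allowed = right in ACLS[resource]["rights"].get(token["user"], set())
    AUDIT_TRAIL.append(("access", token["user"], resource, right, "ok" if allowed else "denied"))
    return allowed


def grant(token, resource, grantee, right):
    """Discretionary access privilege: only the resource owner may grant a right."""
    if ACLS[resource]["owner"] != token["user"]:
        AUDIT_TRAIL.append(("grant", token["user"], resource, right, "denied"))
        return False
    ACLS[resource]["rights"].setdefault(grantee, set()).add(right)
    AUDIT_TRAIL.append(("grant", token["user"], resource, f"{right}->{grantee}", "ok"))
    return True


def denied_by_user(trail):
    """Audit-trail review: count denied events per user to spot probing accounts."""
    return Counter(user for _, user, _, _, outcome in trail if outcome == "denied")


def scenario():
    """Replays a constructed session and returns the per-user denial counts."""
    AUDIT_TRAIL.clear()
    ACLS["payroll.db"]["rights"] = {"alice": {"read", "write"}}
    log_on("bob", "wrong")                      # denied: bad password
    bob = log_on("bob", "hunter2")              # ok: token issued
    check_access(bob, "payroll.db", "read")     # denied: bob not on the ACL
    grant(bob, "payroll.db", "bob", "read")     # denied: bob is not the owner
    alice = log_on("alice", "s3cret")
    grant(alice, "payroll.db", "bob", "read")   # ok: owner grants discretionary access
    check_access(bob, "payroll.db", "read")     # ok: ACL now lists bob
    check_access(bob, "payroll.db", "write")    # denied: read only was granted
    return denied_by_user(AUDIT_TRAIL)


if __name__ == "__main__":
    print(scenario())
```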
Operating System Controls
Intranet Risks
Internet Risks
Three Common Types of DOS Attacks
SMURF Attack
Distributed Denial of Service Attack
Controlling Risks from Subversive Threats
Dual-Homed Firewall
Controlling DOS Attacks
Encryption
EE3 and ED3 Encryption
Public Key Encryption
Digital Signatures & Certificate
Digital Signature
Other Subversive Threat Controls
Operating Systems Controls
Controlling Risks from Equipment Failure
Vertical Parity Bit
Auditing Electronic Data Interchange (EDI)
Overview of EDI
Value-added Network and EDI
Auditing Electronic Data Interchange (EDI)
EFT Transactions Between Trading Partners
Auditing Electronic Data Interchange (EDI)
EFT System Using Transaction Control Log for Audit Trail
Auditing Procedures for EDI
PC Accounting System Modules
PC Systems Risks and Controls
Audit Objectives Associated with PC Security
Audit Procedures Associated with PC Security
Appendix: Internet & Intranet Technologies and Malicious & Destructive Programs
Internet Technologies
• Packet switching:
  • Messages are divided into small packets, and each packet of the message may take a different route.
• A virtual private network (VPN) is a private network within a public network.
• An extranet is a password-controlled network for private users.
• The World Wide Web (WWW) is an Internet facility that links users locally and globally.
• Web pages are maintained at Web sites, which are computer servers that support HTTP.
Message Packet Switching
Internet Addresses
• E-mail addresses:
  • Format is USERNAME@DOMAINNAME.
• URL address:
  • Defines the path to a facility or file on the Web.
  • Subdirectories can be several levels deep.
• IP address:
  • Every computer node and host attached to the Internet must have a unique Internet Protocol (IP) address.
Protocols
Internet Protocols
Intranet Technologies
LAN with File and Print Servers
Bridges and Gateways Linking LANs & WANs
Star Topology
Star Network (figure): a Kansas City central data site linked in a star to Dallas and Tulsa local data sites, each serving its own POS terminals.
Hierarchical Topology
Hierarchical Topology (figure): a corporate-level Production Planning System above regional-level Production Scheduling and Regional Sales Systems.
Ring Topology
Ring Topology
Bus Topology
Client-Server Topology
Client-Server Topology
Network Control
Pooling Method of Controlling Data Collisions
Token-Passing Approach to Controlling Data Collisions
Carrier Sensing
Malicious & Destructive Programs