Toaz - Info Chapter 3 Security Part I Auditing Operating System and Networks PR
The operating system is the computer’s control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.
The operating system must meet the following control objectives:
• Protect itself from users. User applications must not be able to gain control of, or damage, the operating system in any way.
• Protect users from each other. One user must not be able to access, destroy, or corrupt the data of another user.
• Protect users from themselves. A user’s application may consist of several modules stored in separate memory locations, each with its own data.
• Be protected from itself. No module should be allowed to destroy or corrupt another module.
• Be protected from its environment, including power failures and other disasters.
Password Controls
A password is a secret code the user enters to gain access to a system, data files, or a server.
Common contra-security behaviors:
• Forgetting passwords and being locked out of the system.
• Failing to change passwords on a frequent basis.
• The post-it syndrome, which puts passwords on display.
• Simplistic passwords that a computer criminal easily anticipates.
The most common method is the reusable password. To improve access control, management should require that passwords be changed regularly and disallow weak ones.
One-time passwords are designed to overcome the aforementioned problems: the user’s password changes continuously.
System audit trails are logs that record activity at the system, application, and user level.
Two types of audit logs:
• Keystroke monitoring involves recording the user’s keystrokes and the system’s response.
• Event monitoring summarizes key activities related to system resources.
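Event monitoring in practice means rolling a raw audit trail up into per-user counts and exception conditions an auditor can review. The following is an added example, not code from the original notes; the log lines and the event names (LOGIN_OK, LOGIN_FAIL, PRIV_ESCALATE, FILE_DELETE) are constructed for the illustration, as are the thresholds.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of system audit-trail entries (not real log data):
# timestamp user event detail
SAMPLE_AUDIT_TRAIL = """\
2024-05-01T08:00:01 alice LOGIN_OK workstation=WS-12
2024-05-01T08:03:10 bob LOGIN_FAIL workstation=WS-07
2024-05-01T08:03:15 bob LOGIN_FAIL workstation=WS-07
2024-05-01T08:03:21 bob LOGIN_FAIL workstation=WS-07
2024-05-01T08:03:30 bob LOGIN_FAIL workstation=WS-07
2024-05-01T08:04:02 bob LOGIN_OK workstation=WS-07
2024-05-01T08:10:44 alice FILE_READ path=/finance/ledger.dat
2024-05-01T08:11:02 carol PRIV_ESCALATE target=root
2024-05-01T08:11:30 carol FILE_DELETE path=/finance/ledger.dat
2024-05-01T23:40:00 alice LOGIN_OK workstation=WS-99
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<event>[A-Z_]+) (?P<detail>.*)$")
FAILED_LOGIN_THRESHOLD = 3            # assumed policy value
PRIVILEGED_EVENTS = {"PRIV_ESCALATE", "FILE_DELETE"}
BUSINESS_HOURS = range(7, 19)         # assumed 07:00-18:59


def parse_audit_trail(text):
    """Turn the raw trail into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize_events(records):
    """Event monitoring: per-user counts of each event type."""
    per_user = defaultdict(Counter)
    for r in records:
        per_user[r["user"]][r["event"]] += 1
    return {u: dict(c) for u, c in per_user.items()}


def flag_exceptions(records):
    """Exception conditions worth follow-up: repeated failed logins followed by a success,
    privileged actions, and successful logins outside business hours."""
    findings = []
    for user, counts in summarize_events(records).items():
        fails = counts.get("LOGIN_FAIL", 0)
        if fails >= FAILED_LOGIN_THRESHOLD and counts.get("LOGIN_OK", 0):
            findings.append((user, f"{fails} failed logins then a successful login"))
    for r in records:
        if r["event"] in PRIVILEGED_EVENTS:
            findings.append((r["user"], f"privileged event {r['event']} {r['detail']}"))
        hour = int(r["ts"][11:13])
        if r["event"] == "LOGIN_OK" and hour not in BUSINESS_HOURS:
            findings.append((r["user"], f"login outside business hours at {r['ts']}"))
    return findings


if __name__ == "__main__":
    recs = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    print(summarize_events(recs))
    for user, why in flag_exceptions(recs):
        print(f"{user}: {why}")
```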
Intranets consist of small LANs and large WANs that may contain thousands of individual nodes. They are used to connect employees within a single building, between buildings on the same physical campus, and between geographically separate locations.
Privileged employees:
• Overrides may allow unauthorized access to critical data.
• Organizations are reluctant to prosecute.
Negligent hiring liability requires employers to check employee backgrounds. Courts are holding employers responsible for employee criminal acts that could have been prevented with a background check.
Internet Risks
A denial of service (DoS) attack is an assault on a Web server to prevent it from servicing users. It is particularly devastating to business entities that cannot receive and process business transactions.
1. SYN flood. In the three-way handshake needed to establish an Internet connection, the final acknowledgement is not sent by the DoS attacker, thereby tying up the receiving server while it waits.
2. Smurf attack. Involves three parties: the perpetrator, the intermediary, and the victim. The DoS attacker uses numerous intermediary computers to flood the target computer with test messages (“pings”), causing network congestion.
3. Distributed denial of service (DDoS) attack. May take the form of Smurf or SYN attacks, but is distinguished by the vast number of zombie computers hijacked to launch the attacks. The perpetrator of a DDoS attack may employ a virtual army of so-called zombie or bot (robot) computers. Internet relay chat (IRC) is a popular interactive service on the Internet through which users engage in real-time communications via their computers. These collections of compromised computers are known as botnets.
A firewall is a system that enforces access control between two networks. To accomplish this:
• All traffic between the outside network and the organization’s intranet must pass through the firewall.
• Only authorized traffic is allowed to pass through the firewall.
• The firewall must be immune to penetration from both outside and inside the organization.
Application-level firewalls provide higher, customizable network security, but add overhead cost. A high level of firewall security is possible using a dual-homed system.
Controlling Denial of Service Attacks
Smurf attacks: organizations can program firewalls to ignore an identified attacking site.
To counteract DDoS attacks, organizations use intrusion prevention systems (IPS) that employ deep packet inspection (DPI). DPI works as a filter that removes malicious packets from the flow before they can affect servers and networks.
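The firewall rule "only authorized traffic passes" and the DPI-style filtering of the two DoS patterns described above (half-open SYNs that never complete the handshake, and echo requests aimed at a broadcast address, the Smurf intermediary pattern) can be shown together in one small filter. This is an added example, not code from the original notes; the packet summaries, the allow-list, the threshold and the address ranges (RFC 5737 documentation addresses) are all constructed, and the filter runs over a captured batch rather than a live stream.

```python
from collections import defaultdict

# Constructed packet summaries (src, dst, proto, flag); not real traffic.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.10", "tcp", "SYN"),
    ("198.51.100.7", "192.0.2.10", "tcp", "ACK"),       # completed handshake
    ("203.0.113.5", "192.0.2.10", "tcp", "SYN"),
    ("203.0.113.5", "192.0.2.10", "tcp", "SYN"),
    ("203.0.113.5", "192.0.2.10", "tcp", "SYN"),
    ("203.0.113.5", "192.0.2.10", "tcp", "SYN"),        # never ACKs: half-open pile-up
    ("192.0.2.10", "192.0.2.255", "icmp", "ECHO_REQ"),  # ping to a broadcast address
    ("198.51.100.7", "192.0.2.10", "tcp", "PSH"),
    ("198.51.100.9", "192.0.2.10", "udp", "DATA"),      # protocol not on the allow-list
]

# Firewall policy, assumed for the example: default deny, only these protocols pass.
ALLOWED_PROTOCOLS = {"tcp", "icmp"}
HALF_OPEN_THRESHOLD = 3   # assumed tuning value


def half_open_by_source(packets):
    """Count SYNs per source that were never followed by an ACK from that source."""
    counts = defaultdict(int)
    for src, _, proto, flag in packets:
        if proto != "tcp":
            continue
        if flag == "SYN":
            counts[src] += 1
        elif flag == "ACK" and counts[src] > 0:
            counts[src] -= 1
    return dict(counts)


def is_smurf_amplification(packet):
    """Echo request addressed to a directed-broadcast address (x.x.x.255 here)."""
    _, dst, proto, flag = packet
    return proto == "icmp" and flag == "ECHO_REQ" and dst.endswith(".255")


def inspect(packets):
    """Apply firewall policy, then the DPI-style checks.
    Returns (passed, dropped_with_reason, sources_to_block)."""
    flooders = {s for s, n in half_open_by_source(packets).items()
                if n >= HALF_OPEN_THRESHOLD}
    passed, dropped = [], []
    for p in packets:
        src, _, proto, _ = p
        if proto not in ALLOWED_PROTOCOLS:
            dropped.append((p, "policy: protocol not authorized"))
        elif src in flooders:
            dropped.append((p, "syn flood source"))
        elif is_smurf_amplification(p):
            dropped.append((p, "smurf: echo request to broadcast"))
        else:
            passed.append(p)
    return passed, dropped, sorted(flooders)


if __name__ == "__main__":
    ok, bad, block = inspect(SAMPLE_PACKETS)
    print(f"passed {len(ok)}, dropped {len(bad)}, block list {block}")
    for pkt, why in bad:
        print(why, pkt)
```

The block list is what the notes mean by programming the firewall to ignore an identified attacking site; in a real deployment the half-open count would be tracked per time window, not over a fixed batch.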
Encryption is the conversion of data into a secret code for storage and transmission. The sender uses an encryption algorithm to convert the original message, called the cleartext message, into a coded equivalent, the ciphertext, which is decoded at the receiving end.
The Caesar cipher is the earliest encryption method.
The Advanced Encryption Standard (AES) is a 128-bit encryption technique that has become a U.S. government standard for private key encryption. The AES algorithm uses a single key known to both the sender and the receiver of the message.
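To make the contrast between the Caesar cipher and AES concrete, here is the Caesar cipher itself and an exhaustive key search over its 25 usable shifts; with a single known word the key falls out immediately, which is why a 128-bit key space, not secrecy of the algorithm, is what protects AES-encrypted data. This is an added example, not from the original notes; the plaintext and the known word are constructed.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(cleartext: str, shift: int) -> str:
    """Shift each letter `shift` places along the alphabet; other characters pass through."""
    out = []
    for ch in cleartext.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    return caesar_encrypt(ciphertext, -shift)


def recover_shift(ciphertext: str, known_word: str):
    """Exhaustive key search: try every usable shift and stop when a known word appears.
    Returns the shift, or None if the crib never shows up."""
    for shift in range(1, 26):
        if known_word.upper() in caesar_decrypt(ciphertext, shift):
            return shift
    return None


# Usable keys for each scheme: 25 shifts versus 2**128 AES-128 keys.
KEY_SPACE = {"caesar": 25, "aes128": 2 ** 128}


if __name__ == "__main__":
    ct = caesar_encrypt("Attack at dawn", 3)       # constructed sample message
    print(ct, "->", caesar_decrypt(ct, 3))
    print("shift recovered by trying every key:", recover_shift(ct, "dawn"))
    print("AES-128 keys per Caesar key:", KEY_SPACE["aes128"] // KEY_SPACE["caesar"])
```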
A digital signature is electronic authentication that cannot be forged. The sender uses a one-way hashing algorithm to calculate a digest of the text message. The digest is a mathematical value calculated from the text content of the message.
Verifying the sender’s identity requires a digital certificate, which is issued by a trusted third party called a certification authority (CA). A digital certificate is used in conjunction with a public key encryption system to authenticate the sender of a message.
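The hash-then-sign structure and the role of the CA can be shown end to end with "textbook" RSA: the sender signs a SHA-256 digest with a private key, the CA signs a certificate binding the sender's name to the public key, and the receiver checks the certificate against the CA key before checking the message. This is an added example and not code from the original notes; the primes are small, constructed values chosen so the arithmetic is visible, and the raw-hash signature has none of the padding a real implementation needs, so it illustrates the structure only.

```python
import hashlib
import json
from math import gcd


def make_toy_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation. Real keys use 2048-bit-plus primes and padded
    signatures; these small constructed primes exist only to show the mechanism."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """One-way hash of the message, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def issue_certificate(subject: str, subject_pub, ca_priv) -> dict:
    """The CA binds a name to a public key and signs that binding."""
    body = {"subject": subject, "n": subject_pub[0], "e": subject_pub[1]}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "ca_signature": sign(encoded, ca_priv)}


def verify_certificate(cert: dict, ca_pub) -> bool:
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(encoded, cert["ca_signature"], ca_pub)


def authenticate_message(message: bytes, signature: int, cert: dict, ca_pub) -> bool:
    """Receiver's full check: trust the CA, hence the certificate, hence the sender's key."""
    if not verify_certificate(cert, ca_pub):
        return False
    return verify(message, signature, (cert["body"]["n"], cert["body"]["e"]))


# Constructed keys for the demo (well-known small primes, not secure in any sense).
ALICE_PUB, ALICE_PRIV = make_toy_keypair(1000000007, 998244353)
CA_PUB, CA_PRIV = make_toy_keypair(2147483647, 1000000009)


if __name__ == "__main__":
    cert = issue_certificate("alice", ALICE_PUB, CA_PRIV)
    msg = b"Transfer 100 to account 42"
    sig = sign(msg, ALICE_PRIV)
    print("genuine:", authenticate_message(msg, sig, cert, CA_PUB))
    print("altered:", authenticate_message(b"Transfer 900 to account 42", sig, cert, CA_PUB))
```

Note what the receiver actually trusts: only the CA public key has to be known in advance; everything else (the sender's key, the binding to the name) arrives with the message and is checked. That is the public key management problem the next paragraph raises.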
Public key encryption is central to digital authentication, making public key management an important internal control issue. Public key infrastructure (PKI) constitutes the policies and procedures for administering this activity. It consists of:
• Message sequence numbering inserts a sequence number in each message to prevent attempts to delete, change, or duplicate a message.
• A message transaction log records all attempted accesses with user ID, time of access, and location.
• The request-response technique sends control messages and responses randomly, making it difficult for an intruder to circumvent.
• A call-back device requires a dial-in user to enter a password and be identified.
Controlling Risks from Equipment Failure
The audit objective is to verify the integrity of transactions by determining that controls are in place to detect and correct message loss.
Audit procedures include examining a sample of messages for garbled content and verifying that all corrupted messages were retransmitted.
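Message sequence numbering and the message transaction log from the list above, together with the detect-and-retransmit control this section audits, fit naturally in one receiver. The following is an added example, not code from the original notes: the message format, the CRC-32 integrity check (standing in for whatever the link layer uses) and the sample stream with a garbled message, a gap and a replayed duplicate are all constructed.

```python
import zlib
from dataclasses import dataclass, field


@dataclass
class Message:
    seq: int
    user_id: str
    location: str
    payload: bytes
    crc: int            # CRC-32 the sender computed over the payload


def make_message(seq, user_id, location, payload):
    return Message(seq, user_id, location, payload, zlib.crc32(payload))


@dataclass
class Receiver:
    next_seq: int = 1
    seen: set = field(default_factory=set)          # sequence numbers already accepted
    outstanding: set = field(default_factory=set)   # missing or garbled, awaiting retransmit
    accepted: list = field(default_factory=list)
    transaction_log: list = field(default_factory=list)   # every attempt, good or bad
    retransmit_requests: list = field(default_factory=list)

    def _ask_retransmit(self, seq, reason):
        if seq not in self.outstanding:
            self.outstanding.add(seq)
            self.retransmit_requests.append((seq, reason))

    def receive(self, msg: Message, time_of_access: str) -> str:
        # Transaction log: user ID, time of access and location for every attempt.
        self.transaction_log.append((time_of_access, msg.user_id, msg.location, msg.seq))
        if zlib.crc32(msg.payload) != msg.crc:
            self._ask_retransmit(msg.seq, "garbled content")
            return "corrupted"
        if msg.seq in self.seen:
            return "duplicate"          # replay of a message already accepted
        for missing in range(self.next_seq, msg.seq):
            self._ask_retransmit(missing, "missing")   # gap: someone deleted or lost these
        self.seen.add(msg.seq)
        self.outstanding.discard(msg.seq)
        self.next_seq = max(self.next_seq, msg.seq + 1)
        self.accepted.append(msg)
        return "accepted"

    def audit_ok(self) -> bool:
        """The audit test: every corrupted or missing message was eventually retransmitted."""
        return not self.outstanding


def run_sample_stream():
    """Constructed stream: 1 good, 2 garbled in transit, 4 arrives before 3,
    then 2 and 3 are retransmitted, then 1 is replayed."""
    good = [make_message(i, "u100", "branch-7", f"record {i}".encode()) for i in range(1, 5)]
    garbled = Message(2, "u100", "branch-7", b"rec?rd 2", good[1].crc)
    stream = [good[0], garbled, good[3], good[1], good[2], good[0]]
    rx = Receiver()
    results = [rx.receive(m, f"2024-05-01T09:00:{i:02d}") for i, m in enumerate(stream)]
    return rx, results


if __name__ == "__main__":
    rx, results = run_sample_stream()
    print(results, rx.retransmit_requests, "audit ok:", rx.audit_ok())
```

Seen from the auditor's side, `retransmit_requests` is the evidence that detection happened and `audit_ok()` is the evidence that correction happened; a receiver that only logged the first and never cleared the second would fail the audit objective stated above.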
Communications Links
Companies may have internal EDI translation/communication software and hardware, or they may subscribe to VANs (value-added networks) to perform this function without having to invest in personnel, software, and hardware.
Overview of EDI
Benefits of EDI:
• Reduction or elimination of data entry
• Reduction of errors
• Reduction of paper
• Reduction of paper processing and postage
• Reduction of inventories (via JIT systems)
EDI Controls:
Access Control
To guard against unauthorized access, each company must establish valid vendor and customer files. Inquiries against databases can thus be validated, and unauthorized attempts at access can be rejected.
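The access control above amounts to reading the trading partner's identity out of the interchange envelope and checking it, and the transaction sets it carries, against the valid vendor/customer file before anything touches the database. The following is an added example, not code from the original notes: the interchange is a simplified X12-style envelope constructed for the illustration (a real ISA segment has 16 fixed-width elements and only the sender, receiver and transaction-set IDs are modelled here), and the partner file and its authorisations are assumed.

```python
# Constructed, simplified X12-style interchange: segments end with "~", elements are
# separated by "*". ISA06 is the sender ID, ISA08 the receiver ID, ST01 the transaction set.
SAMPLE_INTERCHANGE = (
    "ISA*00*          *00*          *ZZ*ACMEVEND       *ZZ*OURCOMPANY     "
    "*240501*0800*U*00401*000000123*0*P*>~"
    "GS*PO*ACMEVEND*OURCOMPANY*20240501*0800*1*X*004010~"
    "ST*850*0001~"
    "BEG*00*SA*PO-7781**20240501~"
    "SE*3*0001~"
    "GE*1*1~"
    "IEA*1*000000123~"
)

# The valid vendor/customer file (assumed): partner ID -> transaction sets it may send.
AUTHORIZED_PARTNERS = {
    "ACMEVEND": {"850", "855"},   # vendor: purchase orders and acknowledgements
    "BIGCUST": {"810"},           # customer: invoices only
}
OUR_ID = "OURCOMPANY"


def parse_interchange(text: str) -> dict:
    """Pull the sender, receiver and transaction-set IDs out of the envelope."""
    segments = [s.split("*") for s in text.split("~") if s]
    isa = next((s for s in segments if s[0] == "ISA"), None)
    if isa is None or len(isa) < 9:
        raise ValueError("no ISA envelope segment")
    return {
        "sender": isa[6].strip(),
        "receiver": isa[8].strip(),
        "transaction_sets": [s[1] for s in segments if s[0] == "ST" and len(s) > 1],
    }


def authorize_interchange(text: str, our_id: str = OUR_ID):
    """Reject anything not addressed to us, from an unknown partner, or carrying a
    transaction set that partner is not authorised to send. Returns (allowed, reason)."""
    try:
        env = parse_interchange(text)
    except ValueError as exc:
        return False, f"malformed interchange: {exc}"
    if env["receiver"] != our_id:
        return False, f"not addressed to us: {env['receiver']}"
    allowed = AUTHORIZED_PARTNERS.get(env["sender"])
    if allowed is None:
        return False, f"unknown trading partner {env['sender']}"
    bad = [ts for ts in env["transaction_sets"] if ts not in allowed]
    if bad:
        return False, f"{env['sender']} not authorised for transaction sets {bad}"
    return True, f"{env['sender']} accepted {env['transaction_sets']}"


if __name__ == "__main__":
    print(authorize_interchange(SAMPLE_INTERCHANGE))
    print(authorize_interchange(SAMPLE_INTERCHANGE.replace("ACMEVEND", "UNKNOWNX")))
    print(authorize_interchange(SAMPLE_INTERCHANGE.replace("ST*850", "ST*810")))
```

Every rejected interchange should also land in the transaction log, so the auditor can see both that the partner file was consulted and what was turned away.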