
Chapter 3: Security Part I: Auditing Operating System and Networks

Auditing Operating System

An operating system is the computer's control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.

Operating System Control Objectives

• Protect itself from users. User applications must not be able to gain control of, or damage, the operating system in any way.
• Protect users from each other. One user must not be able to access, destroy, or corrupt the data of another user.
• Protect users from themselves. A user's application may consist of several modules stored in separate memory locations, each with its own data.
• Be protected from itself. No module should be allowed to destroy or corrupt other modules.
• Be protected from its environment, including power failures and other disasters.

Operating Systems Security:

• Log-on procedure: the first line of defense against unauthorized access, consisting of user IDs and passwords.
• Access token: contains key information about the user, which is used to approve actions attempted during the session.
• Access control list: assigned to each IT resource and used to control access to that resource.
• Discretionary access privileges: allow a user to grant access to another user.

Threats to Operating System Integrity

Accidental threats include hardware failures and errors in user applications.


Intentional threats are often attempts to illegally access data or violate privacy for financial gain. A growing threat is destructive programs with no apparent gain, which come from three sources:
• Privileged personnel who abuse their authority.
• Individuals who browse the operating system to identify and exploit security flaws.
• Individuals who insert viruses or other destructive programs into the operating system, either intentionally or unintentionally.

Operating Systems Controls

Access Privileges - Audit Objectives:

• Verify that access privileges are consistent with the separation of incompatible functions and with organization policies.

Access Privileges - Audit Procedures:

• Review policies for separating incompatible functions.
• Review a sample of user privileges, especially access to data and programs.
• Review security clearance checks of privileged employees for compliance with company policy.
• Review employee records to determine whether users have formally acknowledged their responsibility to maintain data confidentiality.
• Review users' permitted log-on times.

Password Controls

A password is a secret code the user enters to gain access to a system, data files, or a server.
Common contra-security behaviors:
• Forgetting passwords and being locked out of the system.
• Failing to change passwords on a frequent basis.
• The Post-it syndrome, which puts passwords on display.
• Simplistic passwords that a computer criminal easily anticipates.
The most common method is the reusable password.
• To improve access control, management should require passwords to be changed and disallow weak ones.
One-time passwords are designed to overcome the aforementioned problems: the user's password changes continuously.
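As an added illustration (not from the original notes), the following Python applies the password controls described above when a user proposes a new password: a minimum length, a denylist of simplistic passwords, a minimum mix of character classes, a ban on reusing recent passwords, and a maximum age after which a change is required. The denylist, the 12-character and 90-day limits, and the salt are constructed values for the example, not figures from the page.

```python
import hashlib
from datetime import date, timedelta

# Constructed policy values; a real policy would set these per organization.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5
# Constructed stand-in for a denylist of simplistic passwords criminals try first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def hash_password(password, salt):
    """Salted PBKDF2-SHA256 hash. Only hashes go into the history, never cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def character_classes(password):
    """Count how many of the lower/upper/digit/symbol classes the password uses."""
    return sum([any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c.isdigit() for c in password),
                any(not c.isalnum() for c in password)])


def check_new_password(candidate, history, salt):
    """Return the list of policy violations for a proposed password.

    An empty list means the password is acceptable. `history` holds the
    hashes of earlier passwords, most recent last.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if character_classes(candidate) < 3:
        problems.append("needs at least three character classes")
    if hash_password(candidate, salt) in history[-HISTORY_DEPTH:]:
        problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    return problems


def password_expired(last_changed, today):
    """True when the password is older than MAX_AGE_DAYS and must be changed."""
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    salt = b"constructed-salt"
    history = [hash_password("OldPassw0rd!x", salt)]
    print(check_new_password("password", [], salt))
    print(check_new_password("OldPassw0rd!x", history, salt))
    print(check_new_password("C0rrect-Horse-Battery", [], salt))
    print(password_expired(date(2024, 1, 1), date(2024, 6, 1)))
```

The history check compares salted hashes rather than stored cleartext, so the reuse control does not itself become a second copy of every old password.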

Controlling Against Malicious & Destructive Programs

Organizations can reduce threats by:

• Purchasing software only from reputable vendors in original packages.
• Issuing an entity-wide policy pertaining to unauthorized or illegal software.
• Examining upgrades and public-domain software for viruses before implementation.
• Inspecting all public-domain software for virus infection before using it.
• Establishing entity-wide procedures for making changes to production programs.
• Establishing an educational program to raise user awareness regarding threats from viruses and malicious programs.
• Installing all new applications on a stand-alone computer first.
• Implementing procedures for changing programs.
• Routinely making backup copies.
• Limiting users to read and execute rights only.
• Requiring protocols that bypass Trojan horses.
• Using antiviral software (also called vaccines) to examine application and operating system programs.

Viruses & Destructive Programs - Audit objectives:


• Verify effectiveness of procedures to protect against programs such as viruses, worms,
back doors, logic bombs, and Trojan horses.

Viruses & Destructive Programs - Audit procedures:


• Interview operations personnel to determine that they have been properly educated and are aware of the risks.
• Verify that new software is tested on stand-alone workstations prior to being implemented.
• Verify that antiviral software is current and that upgrades are frequently downloaded.

System Audit Trail Controls

System audit trails are logs that record activity at the system, application, and user level.
Two types of audit logs:
• Keystroke monitoring involves recording the user's keystrokes and the system's response.
• Event monitoring summarizes key activities related to system resources.

Audit trails can be used for:

• Detecting unauthorized access, which can occur in real time or after the fact.
• Reconstructing events: the log can be used to reconstruct the steps that led to events such as system failure or security violations.
• Personal accountability: the log can be used to monitor user activity at the lowest level of detail.

Benefits of audit logs must be balanced against costs.

System Audit Trails - Audit objectives:

• Ensure the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events, and planning resource allocation.

System Audit Trails - Audit procedures:

• Verify that the audit trail has been activated per company policy.
• Use data extraction tools to search for defined conditions such as: unauthorized users; periods of inactivity; periods of activity, including log-on and log-off times; failed log-on attempts; and specific access.
• Sample security violation cases and evaluate their disposition to assess the security group's effectiveness.
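The data-extraction step above, shown as an added Python example that is not part of the original notes: it parses a small audit trail and searches it for the conditions listed (unauthorized users, repeated failed log-ons, activity outside permitted hours, and access to specific objects). The log lines, user names, host names, file path and the 07:00 to 19:00 permitted window are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit trail (not output from any real system).
SAMPLE_LOG = """\
2024-03-04 08:15:02 LOGON user=jdoe host=ws-12 result=SUCCESS
2024-03-04 09:01:45 LOGON user=mallory host=ws-07 result=FAILURE
2024-03-04 09:01:52 LOGON user=mallory host=ws-07 result=FAILURE
2024-03-04 09:02:03 LOGON user=mallory host=ws-07 result=FAILURE
2024-03-04 10:30:00 ACCESS user=asmith object=/payroll/master.dat
2024-03-04 17:02:00 LOGOFF user=jdoe host=ws-12
2024-03-04 23:40:11 LOGON user=jdoe host=ws-12 result=SUCCESS
2024-03-05 02:10:00 ACCESS user=jdoe object=/payroll/master.dat
"""

# Timestamp, event type, then space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>[A-Z]+) (?P<fields>.*)$")


def parse_log(text):
    """Turn the raw log into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        events.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                       "event": m.group("event"), **fields})
    return events


def unauthorized_users(events, authorized):
    """User IDs seen in the trail that are not on the authorized-user list."""
    return sorted({e["user"] for e in events if e["user"] not in authorized})


def repeated_failed_logons(events, threshold=3):
    """Users with at least `threshold` failed log-on attempts."""
    counts = Counter(e["user"] for e in events
                     if e["event"] == "LOGON" and e.get("result") == "FAILURE")
    return {user: n for user, n in counts.items() if n >= threshold}


def off_hours_activity(events, start_hour=7, end_hour=19):
    """Events whose timestamp falls outside the permitted log-on window."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def sensitive_access(events, objects):
    """(user, object) pairs for accesses to the objects the auditor cares about."""
    return [(e["user"], e["object"]) for e in events
            if e["event"] == "ACCESS" and e["object"] in objects]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(unauthorized_users(evts, {"jdoe", "asmith"}))
    print(repeated_failed_logons(evts))
    print([(e["user"], e["ts"].isoformat()) for e in off_hours_activity(evts)])
    print(sensitive_access(evts, {"/payroll/master.dat"}))
```

Each search is a separate function so an auditor can combine them (for example, off-hours access to a sensitive object by a user who also had failed log-ons) when sampling cases for follow-up.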

Intranet Risks

Intranets consist of small LANs and large WANs that may contain thousands of individual nodes. They are used to connect employees within a single building, between buildings on the same physical campus, and between geographically separated locations.

Intercepting network messages:

• Sniffing: the unauthorized interception of information from a node on the network.

Accessing corporate databases:

• Connections to central databases increase the risk that data will be accessible to employees.

Privileged employees:
• Overrides may allow unauthorized access to critical data.
• Organizations are reluctant to prosecute.
• Negligent hiring liability requires employers to check employee backgrounds. Courts are holding employers responsible for employee criminal acts that could have been prevented with a background check.

Internet Risks

IP spoofing is masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one's identity.

A denial of service (DoS) attack is an assault on a Web server to prevent it from servicing users. It is particularly devastating to business entities that cannot receive and process business transactions.

Three Common Types of DoS Attacks:

1. SYN flood: when the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the attacker, thereby tying up the receiving server while it waits.

2. Smurf attack: involves three parties: the perpetrator, the intermediary, and the victim. The attacker uses numerous intermediary computers to flood the target computer with test messages ("pings"), causing network congestion.

3. Distributed denial of service (DDoS) attack: may take the form of Smurf or SYN attacks, but is distinguished by the vast number of zombie computers hijacked to launch the attacks. The perpetrator of a DDoS attack may employ a virtual army of so-called zombie or bot (robot) computers. Internet relay chat (IRC) is a popular interactive service on the Internet through which users engage in real-time communications via their computers. These collections of compromised computers are known as botnets.

Controlling Risks from Subversive Threats

A firewall is a system that enforces access control between two networks. To accomplish this:
• All traffic between the outside network and the organization's intranet must pass through the firewall.
• Only authorized traffic is allowed to pass through the firewall.
• The firewall must be immune to penetration from both outside and inside the organization.

Network-level firewalls provide efficient, low-security control. They consist of:

• Screening router: examines the source and destination addresses attached to incoming message packets but does not explicitly authenticate outside users.
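An added Python example (not from the original notes) of what a screening router does and does not do: it applies an ordered rule list to the source and destination addresses and destination port of each packet, with a default deny, and it drops packets arriving from outside that claim an internal source address (the IP spoofing case described earlier). It never authenticates the user behind the packet. The address ranges, rule list and interface flag are constructed for the example.

```python
import ipaddress

# Constructed intranet range and rule set (first matching rule wins; last rule is default deny).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
RULES = [
    ("allow", "0.0.0.0/0", "10.0.1.10/32", 443),   # anyone may reach the public web server on 443
    ("allow", "10.0.0.0/8", "0.0.0.0/0", None),    # intranet hosts may go outbound
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),      # everything else is denied
]


def screen_packet(src, dst, dst_port, from_outside_interface):
    """Decide a packet's fate from addresses alone, the way a screening router does.

    Returns the action string of the first matching rule. A packet that arrives
    on the outside interface with an internal source address is rejected before
    the rule list is consulted, because such a packet can only be spoofed.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if from_outside_interface and src_ip in INTERNAL_NET:
        return "deny (spoofed internal source)"
    for action, src_net, dst_net, port in RULES:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)
                and (port is None or port == dst_port)):
            return action
    return "deny"  # reached only if the rule list has no catch-all


if __name__ == "__main__":
    print(screen_packet("203.0.113.5", "10.0.1.10", 443, True))   # allow
    print(screen_packet("203.0.113.5", "10.0.1.10", 22, True))    # deny
    print(screen_packet("10.0.5.5", "203.0.113.5", 80, False))    # allow
    print(screen_packet("10.0.5.5", "10.0.1.10", 443, True))      # deny (spoofed)
```

Note that the allowed packet to port 443 is admitted for any outside source: the router cannot tell a legitimate customer from an intruder, which is exactly why the notes call this low security and why application-level firewalls add user-level checks on top.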

Application-level firewalls provide higher, customizable network security, but add overhead cost. A high level of firewall security is possible using a dual-homed system.

Controlling Denial of Service Attacks

Smurf attacks: organizations can program firewalls to ignore an identified attacking site.

Countering SYN flood attacks involves two tactics:

• Get Internet hosts to use firewalls that block invalid IP addresses.
• Use security software to scan for half-open connections.
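The second tactic, scanning for half-open connections, as an added Python example that is not part of the original notes. It parses a constructed connection table in the style of a `netstat -tn` listing (the addresses are from the documentation ranges and the rows are made up), counts connections stuck in SYN_RECV, and reports both per-peer counts and the share of half-open connections on a port.

```python
from collections import Counter

# Constructed connection table; not real output from any host.
SAMPLE_TABLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.0.0.5:443 198.51.100.7:51000 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.7:51001 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.7:51002 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.7:51003 SYN_RECV
tcp 0 0 10.0.0.5:443 192.0.2.44:60210 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.9:40012 ESTABLISHED
tcp 0 0 10.0.0.5:22 203.0.113.9:40100 ESTABLISHED
"""


def parse_connections(text):
    """Parse the table into dicts of local port, peer address and TCP state."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        conns.append({"local_port": int(local.rsplit(":", 1)[1]),
                      "peer_ip": foreign.rsplit(":", 1)[0],
                      "state": state})
    return conns


def half_open_by_peer(conns):
    """How many half-open (SYN_RECV) connections each peer address holds."""
    return Counter(c["peer_ip"] for c in conns if c["state"] == "SYN_RECV")


def half_open_ratio(conns, port):
    """Fraction of connections on `port` that are still half-open."""
    on_port = [c for c in conns if c["local_port"] == port]
    if not on_port:
        return 0.0
    return sum(c["state"] == "SYN_RECV" for c in on_port) / len(on_port)


def suspicious_peers(conns, per_peer_threshold=3):
    """Peers holding at least `per_peer_threshold` half-open connections."""
    return sorted(ip for ip, n in half_open_by_peer(conns).items()
                  if n >= per_peer_threshold)


def flood_suspected(conns, port, ratio_threshold=0.5):
    """True when more than `ratio_threshold` of a port's connections are half-open."""
    return half_open_ratio(conns, port) > ratio_threshold


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_TABLE)
    print(suspicious_peers(conns))
    print(round(half_open_ratio(conns, 443), 3), flood_suspected(conns, 443))
```

In a real SYN flood the source addresses are usually forged, so a per-peer count can be spread thin across thousands of fake addresses; the per-port ratio of half-open to established connections is the sturdier signal, and the per-peer list is mainly useful for the firewall-blocking tactic when one source does stand out.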

To counteract DDoS attacks, organizations use intrusion prevention systems (IPS) that employ deep packet inspection (DPI).
• DPI works as a filter that removes malicious packets from the flow before they can affect servers and networks.

Encryption is the conversion of data into a secret code for storage and transmission. The sender uses an encryption algorithm to convert the original message, called the cleartext message, into a coded equivalent, the ciphertext, which is decoded at the receiving end.
The Caesar cipher is the earliest encryption method.

Two fundamental components:

• Key: a mathematical value the sender selects.
• Algorithm: the procedure of shifting the letters in the cleartext message by the number of positions the key value indicates.
Private key and public key encryption are the two commonly used methods.
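The Caesar cipher's two components, the key and the shifting algorithm, as an added Python example (not from the original notes). It encrypts and decrypts while leaving digits, spaces and punctuation untouched, and it enumerates every possible decryption to make the point that a key chosen from only 25 values provides no real secrecy; the sample message is constructed.

```python
def caesar_encrypt(cleartext, key):
    """Shift each letter forward by `key` positions (the algorithm); `key` is the secret value.

    Case is preserved and non-letters pass through unchanged. Keys wrap modulo 26,
    so key 29 is the same as key 3.
    """
    out = []
    for ch in cleartext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, key):
    """Decryption is the same shift in the opposite direction."""
    return caesar_encrypt(ciphertext, -key)


def all_candidate_decryptions(ciphertext):
    """Every decryption under every non-trivial key: the whole key space is just 25 entries."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    message = "Pay vendor 4200"      # constructed sample cleartext
    secret = caesar_encrypt(message, 3)
    print(secret)                    # Sdb yhqgru 4200
    print(caesar_decrypt(secret, 3)) # Pay vendor 4200
    for k, guess in all_candidate_decryptions(secret).items():
        print(k, guess)
```

The last loop is why the notes move on to AES and RSA: a reader can recognise the cleartext among 25 candidates by eye, whereas modern private and public key methods rely on key spaces far too large to enumerate.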

Private Key Encryption

The Advanced Encryption Standard (AES) is a 128-bit encryption technique that has become a U.S. government standard for private key encryption. The AES algorithm uses a single key known to both the sender and the receiver of the message.

Triple-DES encryption is an enhancement to an older encryption technique called the Data Encryption Standard (DES).

Two forms of triple-DES encryption:

• EEE3 uses three keys to encrypt the message.
• EDE3 uses one key to encrypt the message and a second key to decode it.

Public key encryption uses two different keys:

• One for encoding messages
• Another for decoding them

RSA (Rivest-Shamir-Adleman) is a highly secure public key cryptography method.

A digital signature is electronic authentication that cannot be forged. The sender uses a one-way hashing algorithm to calculate a digest of the text message. The digest is a mathematical value calculated from the text content of the message.

Verifying the sender's identity requires a digital certificate, which is issued by a trusted third party called a certification authority (CA). A digital certificate is used in conjunction with a public key encryption system to authenticate the sender of a message.

Public key encryption is central to digital authentication, making public key management an important internal control issue. Public key infrastructure (PKI) constitutes the policies and procedures for administering this activity. Additional controls include:
• Message sequence numbering: inserts a sequence number in each message to prevent attempts to delete, change, or duplicate a message.
• Message transaction log: records all attempted accesses with user ID, time of access, and location.
• Request-response technique: sends control messages and responses randomly, making it difficult for an intruder to circumvent.
• Call-back device: requires a dial-in user to enter a password and be identified.
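An added Python example (not from the original notes) that ties together the digest idea from the digital signature passage with message sequence numbering and a message transaction log. The receiver recomputes a keyed SHA-256 digest to detect altered or forged messages, uses the sequence number to detect deleted and duplicated messages, and records every decision. The keyed digest (HMAC) is a stand-in for a true digital signature, which would use the sender's private key instead of a shared secret; the key and purchase-order bodies are constructed.

```python
import hashlib
import hmac


class SequencedChannel:
    """Receiver-side checks for a stream of numbered, digest-protected messages."""

    def __init__(self, shared_key):
        self.key = shared_key
        self.expected_seq = 1          # next sequence number we will accept
        self.log = []                  # message transaction log: (seq, verdict)

    @staticmethod
    def digest(key, seq, body):
        """Keyed digest over sequence number and body, so neither can change unnoticed."""
        return hmac.new(key, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()

    def receive(self, msg):
        """Accept the message only if its digest and its sequence number both check out."""
        seq, body, tag = msg["seq"], msg["body"], msg["digest"]
        if not hmac.compare_digest(tag, self.digest(self.key, seq, body)):
            verdict = "rejected: digest mismatch (altered or forged)"
        elif seq < self.expected_seq:
            verdict = "rejected: duplicate or replayed message"
        elif seq > self.expected_seq:
            verdict = f"rejected: gap, expected {self.expected_seq} (message deleted?)"
        else:
            verdict = "accepted"
            self.expected_seq += 1
        self.log.append((seq, verdict))
        return verdict == "accepted"


def make_message(key, seq, body):
    """Sender side: number the message and attach its digest."""
    return {"seq": seq, "body": body, "digest": SequencedChannel.digest(key, seq, body)}


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    channel = SequencedChannel(key)
    m1 = make_message(key, 1, "PO 1001: 40 units")
    m2 = make_message(key, 2, "PO 1002: 15 units")
    m3 = make_message(key, 3, "PO 1003: 5 units")
    channel.receive(m1)                         # accepted
    channel.receive(m1)                         # duplicate
    channel.receive(m3)                         # gap: m2 missing
    channel.receive(dict(m2, body="PO 1002: 150 units"))  # altered body
    channel.receive(m2)                         # accepted
    channel.receive(m3)                         # accepted now that 2 has arrived
    for entry in channel.log:
        print(entry)
```

A gap is reported rather than silently skipped so the auditor can see in the log that a message went missing; the out-of-order message is accepted once the missing one arrives.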

Controlling Risks from Equipment Failure

Line errors are data losses caused by communications noise.

Techniques to detect and correct data errors:

• Echo check: the receiver returns the message to the sender.
• Parity check: an extra bit is added to each byte of data, similar to check digits.
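Both techniques as an added Python example (not from the original notes): an even-parity bit is attached to each byte, the receiver recomputes it to spot corrupted bytes, and an echo check compares the returned copy with what was sent. The example also shows the limit of parity, which the page does not spell out: two flipped bits in the same byte cancel out and go undetected. The sample bytes are constructed.

```python
def parity_bit(byte):
    """Even parity: the bit is 1 when the byte has an odd number of 1 bits."""
    return bin(byte).count("1") % 2


def add_parity(data):
    """Sender side: pair each byte with its parity bit."""
    return [(b, parity_bit(b)) for b in data]


def check_parity(words):
    """Receiver side: indices of bytes whose stored parity no longer matches the data."""
    return [i for i, (b, p) in enumerate(words) if parity_bit(b) != p]


def flip_bits(byte, *positions):
    """Simulate line noise by inverting the given bit positions of a byte."""
    for n in positions:
        byte ^= 1 << n
    return byte


def echo_check(sent, echoed):
    """Echo check: the sender compares the receiver's returned copy with the original."""
    return sent == echoed


if __name__ == "__main__":
    words = add_parity(b"PAY")                      # constructed sample payload
    print(check_parity(words))                      # [] : nothing corrupted

    one_bit = list(words)
    one_bit[1] = (flip_bits(words[1][0], 0), words[1][1])
    print(check_parity(one_bit))                    # [1] : byte 1 flagged

    two_bits = list(words)
    two_bits[1] = (flip_bits(words[1][0], 0, 1), words[1][1])
    print(check_parity(two_bits))                   # [] : double flip slips through

    print(echo_check(b"PAY", b"PAY"), echo_check(b"PAY", b"PAX"))
```

Parity detects every single-bit error in a byte and catches nothing when an even number of bits flip; that limit is the reason the audit procedure samples messages for garbled content rather than trusting the parity control alone.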

The audit objective is to verify the integrity of transactions by determining that controls are in place to detect and correct message loss.
Audit procedures include examining a sample of messages for garbled content and verifying that all corrupted messages were retransmitted.

Auditing Electronic Data Interchange (EDI)

EDI is the intercompany exchange of computer-processible business information in a standard format.
The key to EDI success is the use of a standard format for messaging between dissimilar systems.

Communications Links
• Companies may have internal EDI translation/communication software and hardware.
• They may subscribe to VANs to perform this function without having to invest in personnel, software, and hardware.

Overview of EDI
Benefits of EDI:
• Reduction or elimination of data entry
• Reduction of errors
• Reduction of paper
• Reduction of paper processing and postage
• Reduction of inventories (via JIT systems)

EDI Controls:

Transaction Authorization and Validation

Both the customer and the supplier must establish that the transaction being processed is to (or from) a valid trading partner and is authorized.

Access Control
To guard against unauthorized access, each company must establish valid vendor and customer files. Inquiries against databases can thus be validated, and unauthorized attempts at access can be rejected.
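The two EDI controls above, transaction authorization/validation and access control via valid partner files, as an added Python example that is not part of the original notes. An incoming transaction is accepted only if its partner ID is on the valid partner file, the partner is active, and that partner is authorized for the transaction type. The partner file and IDs are constructed; the transaction-set numbers are the ANSI X12 codes for purchase order (850), ship notice (856) and invoice (810).

```python
# Constructed trading-partner master file, standing in for the valid vendor and
# customer files. Partner IDs are made up for the example.
TRADING_PARTNERS = {
    "VEND-0042": {"role": "vendor", "status": "active", "allowed": {"850", "856", "810"}},
    "CUST-0117": {"role": "customer", "status": "active", "allowed": {"850"}},
    "VEND-0099": {"role": "vendor", "status": "terminated", "allowed": {"850", "810"}},
}


def validate_transaction(partner_id, transaction_set, partners=TRADING_PARTNERS):
    """Return (accepted, reason) for an incoming EDI transaction.

    The checks mirror the control: the message must come from a partner on the
    valid partner file, that partner must be active, and the partner must be
    authorized for this transaction type. Anything else is rejected.
    """
    partner = partners.get(partner_id)
    if partner is None:
        return False, "unknown trading partner"
    if partner["status"] != "active":
        return False, "trading partner not active"
    if transaction_set not in partner["allowed"]:
        return False, "transaction set not authorized for this partner"
    return True, "authorized"


def process_batch(messages, partners=TRADING_PARTNERS):
    """Validate a batch of (partner_id, transaction_set) pairs; return the rejects with reasons."""
    rejects = []
    for partner_id, tset in messages:
        ok, reason = validate_transaction(partner_id, tset, partners)
        if not ok:
            rejects.append((partner_id, tset, reason))
    return rejects


if __name__ == "__main__":
    batch = [("VEND-0042", "850"), ("VEND-0000", "850"),
             ("VEND-0099", "810"), ("CUST-0117", "810")]
    for reject in process_batch(batch):
        print(reject)
```

Keeping the rejects and their reasons gives the auditor the evidence that unauthorized attempts were in fact rejected, not merely dropped.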

Auditing PC-Based Accounting Systems

PC Systems Risks and Control

Operating System Weakness


PCs provide only minimal security for the data files and programs contained within them. Data stored on microcomputers that are shared by multiple users are exposed to unauthorized access, manipulation, and destruction. Once a computer criminal gains access to a user's PC, there may be little or nothing in the way of control to prevent him from stealing or manipulating the data stored on the internal hard drive.

Weak Access Control


Security software that provides log-on procedures is available for PCs. Most of these programs, however, become active only when the computer is booted from the hard drive.

Inadequate Segregation of Duties


The exposure is compounded when the operator is also responsible for the development (programming) of the applications he runs. In small-company operations, it may be difficult to eliminate these inherent conflicts of duties.

Multilevel Password Control


Multilevel password control is used to restrict employees who share the same computers to specific directories, programs, and data files. Under this approach, different passwords are used to access different functions.

Risk of Theft

Formal policies should be in place to restrict financial and other sensitive data to desktop PCs only. The organization should provide employee training about appropriate computer usage. Antitheft security locks can also be effective.

Weak backup Procedures


Computer failure, usually disk failure, is the primary cause of data loss in PC environments. Organizations need formal backup procedures. Another excellent option is to contract with an online backup service that encrypts and copies the PC-housed data to a secure location. The backup is performed automatically whenever the PC is connected to the Internet.

Risk of Virus Infection


Virus infection is one of the most common threats to PC integrity and system availability. The organization must also ensure that effective antivirus software is installed on the PCs and kept up to date.
