System Security I:
Operating Systems and
Networks
IT Auditing, Hall, 3e
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Operating Systems
Perform three main tasks:
◦ translates high-level languages
into the machine-level language
◦ allocates computer resources to
user applications
◦ manages the tasks of job
scheduling and multiprogramming
Why is OS security an important internal control issue?
If operating system integrity is compromised,
then…
◦ controls within individual accounting applications
may also be circumvented or neutralized.
Because the OS is common to all users, the
larger the computer facility…
◦ the greater the scale of potential damage.
Requirements for Effective Operating Systems
Performance
accidental corruption
Safeguard its own programs from accidental
corruption
Protect itself from power failures and other
disasters
Operating Systems Security
Log-On Procedure
◦ first line of defense – user IDs and passwords
Access Token
◦ contains key information about the user
Access Control List
◦ defines access privileges of users
Discretionary Access Control
◦ allows user to grant access to another user
Operating Systems Controls
ACCESS PRIVILEGES
Audit objectives: verify that access privileges are
consistent with separation of incompatible functions
and organization policies
Q: Should a cash receipts clerk be granted the right to
access and make changes to A/R file?
Audit procedures: review or verify…
◦ policies for separating incompatible functions
◦ a sample of user privileges, especially access to data
and programs
◦ security clearance checks of privileged employees
◦ formal acknowledgements to maintain confidentiality
of data
◦ users’ log-on times
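Added example (not from the original slides): one way an auditor could test a sample of user privileges and log-on times against a separation-of-duties policy. The user IDs, job functions, resource names, conflict rules and permitted hours are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, time

Grant = namedtuple("Grant", "user job_function resource rights")

# Constructed policy (assumption): rights on a resource that are incompatible
# with a job function, e.g. custody of cash vs. keeping the A/R records.
INCOMPATIBLE = {
    "cash_receipts_clerk": {"AR_FILE": {"read", "write"}},
    "purchasing_agent": {"VENDOR_MASTER": {"write"}},
}
# Constructed policy (assumption): log-ons allowed on weekdays, 07:00-19:00.
PERMITTED_HOURS = (time(7, 0), time(19, 0))

# Constructed sample of user privileges, as extracted from access control lists.
SAMPLE_ACL = [
    Grant("jdoe", "cash_receipts_clerk", "CASH_RECEIPTS_JOURNAL", {"read", "write"}),
    Grant("jdoe", "cash_receipts_clerk", "AR_FILE", {"read", "write"}),
    Grant("asmith", "ar_clerk", "AR_FILE", {"read", "write"}),
    Grant("bwong", "purchasing_agent", "VENDOR_MASTER", {"read"}),
    Grant("bwong", "purchasing_agent", "PURCHASE_ORDERS", {"read", "write"}),
]

# Constructed log-on records: (user, ISO 8601 timestamp).
SAMPLE_LOGONS = [
    ("jdoe", "2011-03-14T08:55:00"),    # Monday, inside the window
    ("jdoe", "2011-03-15T23:41:00"),    # Tuesday, late night
    ("asmith", "2011-03-15T09:02:00"),  # Tuesday, inside the window
    ("bwong", "2011-03-19T10:15:00"),   # Saturday
]


def find_sod_violations(acl, policy=INCOMPATIBLE):
    """Return (user, job_function, resource, conflicting_rights) for every grant
    that gives a job function rights the policy marks as incompatible."""
    findings = []
    for grant in acl:
        forbidden = policy.get(grant.job_function, {}).get(grant.resource, set())
        conflict = grant.rights & forbidden
        if conflict:
            findings.append((grant.user, grant.job_function, grant.resource,
                             tuple(sorted(conflict))))
    return sorted(findings)


def off_hours_logons(logons, window=PERMITTED_HOURS):
    """Return log-ons that fall on a weekend or outside the permitted hours."""
    start, end = window
    flagged = []
    for user, stamp in logons:
        when = datetime.fromisoformat(stamp)
        weekend = when.weekday() >= 5          # 5 = Saturday, 6 = Sunday
        outside = not (start <= when.time() <= end)
        if weekend or outside:
            flagged.append((user, stamp))
    return flagged


if __name__ == "__main__":
    for finding in find_sod_violations(SAMPLE_ACL):
        print("Incompatible access:", finding)
    for logon in off_hours_logons(SAMPLE_LOGONS):
        print("Off-hours log-on:", logon)
```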
Operating Systems Controls
PASSWORD CONTROL
Operating Systems Controls
MALICIOUS & DESTRUCTIVE PROGRAMS
Operating System Controls
AUDIT TRAIL CONTROLS
Auditing Networks
[Computer] Network
A computer network is a set of computers
sharing resources located on or provided by
network nodes. The computers use common
communication protocols over digital
interconnections to communicate with each
other.
Auditing Networks
Q: What risk does reliance on networks for
business communications pose?
◦ Unauthorized access to confidential information
◦ Exposure to computer hackers, vandals, thieves and
industrial spies both internally and from around the
world
Q: What are the important considerations of
every network?
◦ Control access to shared resources
◦ Management should constantly seek balance
between increased access and the associated
business risks
Internet and Intranet Risks
The communications component is a
unique aspect of computer networks:
◦ different than processing (applications) or data
storage (databases)
Network topologies – configurations of:
◦ communications lines (twisted-pair wires,
coaxial cable, microwaves, fiber optics)
◦ hardware components (modems, multiplexers,
servers, front-end processors)
◦ software (protocols, network control systems)
Intranet Risks
Intercepting network messages
◦ sniffing: interception of user IDs, passwords,
confidential e-mails, and financial data files
Accessing corporate databases
◦ connections to central databases increase the
risk that data will be accessible by employees
Privileged employees (managers & IS
employees)
◦ override privileges may allow unauthorized
access to mission-critical data
Reluctance to prosecute
◦ fear of negative publicity leads to such
reluctance but encourages criminal behavior
Internet Risks to Consumers
How serious is the risk?
◦ National Consumer League: Internet fraud rose
by 600% between 1997 and 1998
◦ SEC: e-mail complaints alleging fraud rose from
12 per day in 1997 to 200-300 per day in 1999
Major areas of concern:
◦ Theft of credit card numbers
◦ Phishing
◦ Theft of passwords
◦ Consumer privacy—cookies
◦ Malware
◦ Cryptojacking
◦ IoT attacks
Internet Risks to Businesses
IP spoofing: masquerading to gain access to a
Web server and/or to perpetrate an unlawful
act without revealing one’s identity
Denial of service (DOS) attacks: assaulting a
Web server to prevent it from servicing users
◦ particularly devastating to business entities that
cannot receive and process business transactions
Other malicious programs: viruses, worms,
logic bombs, and Trojan horses pose a threat
to both Internet and Intranet users
Risks from Equipment Failure
Include:
◦ Disrupting, destroying, or
corrupting transmissions between
senders and receivers
◦ Loss of databases and programs
stored on network servers
IC for Subversive Threats
Firewalls provide security by channeling all
network connections through a control
gateway.
Network level firewalls
◦ Low cost and low security access control
◦ Do not explicitly authenticate outside users
◦ Filter junk or improperly routed messages
◦ Experienced hackers can easily penetrate the
system
Application level firewalls
◦ Customizable network security, but expensive
◦ Sophisticated functions such as logging or user
authentication
What is a firewall?
A firewall is a security device — computer
hardware or software — that can help protect
your network by filtering traffic and blocking
outsiders from gaining unauthorized access
to the private data on your computer.
Not only does a firewall block unwanted
Dual-Homed Firewall
IC for Subversive Threats
Denial-of-service (DOS) attacks
◦ Security software searches for
connections which have been
half-open for a period of time.
Encryption
◦ Computer program transforms a
clear message into a coded
(cipher) text form using an
algorithm.
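Added example (not from the original slides): a sketch of the half-open connection check described above, run over a constructed connection-table snapshot. The snapshot format, addresses (documentation ranges), the 10-second age limit and the alert threshold are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed snapshot, one connection per line:
#   state  local_addr:port  peer_addr:port  age_in_seconds
SNAPSHOT = """\
ESTAB     192.0.2.10:443 198.51.100.7:51512 120.0
SYN-RECV  192.0.2.10:443 198.51.100.9:40001 0.4
SYN-RECV  192.0.2.10:443 203.0.113.5:1025 31.2
SYN-RECV  192.0.2.10:443 203.0.113.77:1026 30.9
SYN-RECV  192.0.2.10:443 203.0.113.140:1027 29.5
SYN-RECV  192.0.2.10:25 198.51.100.20:33010 12.0
SYN-RECV  192.0.2.10:443 203.0.113.9:1 n/a
garbled line
"""


def parse_snapshot(text):
    """Parse snapshot lines into dicts, skipping blank or malformed rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        state, local, peer, age = parts
        try:
            age = float(age)
        except ValueError:
            continue  # age column is not a number
        rows.append({"state": state, "local": local, "peer": peer, "age": age})
    return rows


def stale_half_open(rows, max_age=10.0):
    """Connections still waiting for the final ACK after max_age seconds."""
    return [r for r in rows if r["state"] == "SYN-RECV" and r["age"] > max_age]


def listeners_under_pressure(rows, max_age=10.0, min_count=3):
    """Count stale half-open connections per listening address.

    Counting per listener rather than per peer matters because peer
    addresses may be spoofed, so each one can appear only once.
    """
    counts = Counter(r["local"] for r in stale_half_open(rows, max_age))
    return {listener: n for listener, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    table = parse_snapshot(SNAPSHOT)
    for row in stale_half_open(table):
        print("stale half-open:", row["peer"], "->", row["local"], row["age"], "s")
    print("listeners over threshold:", listeners_under_pressure(table))
```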
Encryption
The conversion of data into a secret code for
storage and transmission
The sender uses an encryption algorithm to
convert the original cleartext message into a
coded ciphertext.
The receiver decodes / decrypts the ciphertext
back into cleartext.
Encryption algorithms use keys
◦ Typically 56 to 128 bits in length
◦ The more bits in the key the stronger the encryption
method.
Two general approaches to encryption are private
key and public key encryption.
IC for Subversive Threats
Digital signature – electronic authentication
technique to ensure that…
◦ transmitted message originated with the authorized
sender
◦ message was not tampered with after the signature
was applied
Digital certificate – like an electronic
identification card used with a public key
encryption system
◦ Verifies the authenticity of the message sender
Digital Signature
IC for Subversive Threats
Message sequence numbering – sequence
number used to detect missing messages
Message transaction log – listing of all
incoming and outgoing messages to detect
the efforts of hackers
Request-response technique – random
control messages are sent from the sender
to ensure messages are received
Call-back devices – receiver calls the sender
back at a pre-authorized phone number
before transmission is completed
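Added example (not from the original slides): how message sequence numbers recorded in a message transaction log can be checked for missing, duplicated and out-of-order messages. The sender names and log entries are constructed, and the lowest number seen from each sender is assumed to be the first one expected.

```python
# Constructed message transaction log in arrival order: (sender, sequence_number).
MESSAGE_LOG = [
    ("PARTNER_A", 101),
    ("PARTNER_A", 102),
    ("PARTNER_B", 7),
    ("PARTNER_A", 104),
    ("PARTNER_A", 103),   # arrives after 104
    ("PARTNER_A", 104),   # second copy of 104
    ("PARTNER_B", 8),
    ("PARTNER_B", 10),    # 9 never arrives
    ("PARTNER_A", 107),   # 105 and 106 never arrive
]


def audit_sequence(log):
    """Return, per sender, the missing, duplicate and out-of-order numbers.

    Assumption: numbering per sender is contiguous and starts at the lowest
    number seen from that sender in this log.
    """
    state = {}
    for sender, seq in log:
        s = state.setdefault(
            sender, {"seen": set(), "highest": None,
                     "duplicates": [], "out_of_order": []})
        if seq in s["seen"]:
            # The same number twice: a retransmission or a replayed message.
            s["duplicates"].append(seq)
            continue
        if s["highest"] is not None and seq < s["highest"]:
            s["out_of_order"].append(seq)
        s["seen"].add(seq)
        s["highest"] = seq if s["highest"] is None else max(s["highest"], seq)

    report = {}
    for sender, s in state.items():
        lowest, highest = min(s["seen"]), s["highest"]
        missing = [n for n in range(lowest, highest + 1) if n not in s["seen"]]
        report[sender] = {
            "missing": missing,
            "duplicates": s["duplicates"],
            "out_of_order": s["out_of_order"],
        }
    return report


if __name__ == "__main__":
    for sender, result in audit_sequence(MESSAGE_LOG).items():
        print(sender, result)
```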
Auditing Procedures for Subversive Threats
unauthorized calls
IC for Equipment Failure
Line errors are data errors from
communications noise.
Two techniques to detect and correct
Auditing Procedures for Equipment Failure
Electronic Data Interchange
Electronic data interchange (EDI) uses
computer-to-computer communications
technologies to automate B2B purchases.
Audit objectives:
1. Transactions are authorized, validated, and in
compliance with the trading partner
agreement.
2. No unauthorized organizations can gain
access to database
3. Authorized trading partners have access only
to approved data.
4. Adequate controls are in place to ensure a
complete audit trail.
Advantages of EDI
Reduction or elimination of data
entry
Reduction of errors
Reduction of paper
Reduction of paper processing and
postage
Reduction of inventories (via JIT
systems)
EDI Risks
Authorization
EDI Controls
Authorization
◦ use of passwords and value added
networks (VAN) to ensure valid partner
Access
◦ software to specify what can be
accessed and at what level
Audit trail
◦ control log records the transaction’s
flow through each phase of the
transaction processing
EDI System
EDI System using Transaction
Control Log for Audit Trail
Auditing Procedures for EDI
Tests of Authorization and Validation Controls
◦ Review procedures for verifying trading partner
identification codes
◦ Review agreements with VAN
◦ Review trading partner files
Tests of Access Controls
◦ Verify limited access to vendor and customer files
◦ Verify limited access of vendors to database
◦ Test EDI controls by simulation
Tests of Audit Trail Controls
◦ Verify existence of transaction logs
◦ Review a sample of transactions
Personal Computer Systems
PC operating systems
PC systems risks & controls
In general:
Relatively simple to operate and program
Controlled and operated by end users
Interactive data processing vs. batch
Commercial applications vs. custom
Often used to access data on mainframe or
network
Allows users to develop their own applications
Operating Systems:
Are located on the PC (decentralized)
O/S family dictates applications (e.g.,
Windows)
Personal Computer Systems
Controls
Risk assessment
Inherent weaknesses
Weak access control
Inadequate segregation of duties
Multilevel password control – multifaceted access
control
Risk of physical loss
Laptops, etc. can “walk off”
Risk of data loss
Easy for multiple users to access data
End user can steal, destroy, manipulate
Inadequate backup procedures
Local backups on appropriate medium
Dual hard drives on PC
External/removable hard drive on PC
IC Personal Computer Systems
Audit Objectives: Personal
Computer Systems
Verify controls are in place to protect data, programs,
and computers from unauthorized access, manipulation,
destruction, and theft
Verify that adequate supervision and operating
procedures exist to compensate for lack of segregation
between the duties of users, programmers, and operators
Verify that backup procedures are in place to prevent
data and program loss due to system failures, errors
Verify that systems selection and acquisition procedures
produce applications that are high quality, and protected
from unauthorized changes
Verify the system is free from viruses and adequately
protected to minimize the risk of becoming infected with
a virus or similar object
Audit Procedures: Personal
Computer Systems
Verify that microcomputers and their files are
physically controlled
Verify from organizational charts, job
descriptions, and observation that the
programmers of applications performing
financially significant functions do not also
operate those systems.
Confirm that reports of processed transactions,
listings of updated accounts, and control totals
are prepared, distributed, and reconciled by
appropriate management at regular and timely
intervals.
Audit Procedures: Personal
Computer Systems
Determine that multilevel password control
or multifaceted access control is used to
limit access to data and applications, where
applicable.
Verify that the drives are removed and
stored in a secure location when not in use,
where applicable.
Verify that backup procedures are being
followed.
Verify that application source code is
physically secured (such as in a locked
safe) and that only the compiled version is
stored on the microcomputer.
Review systems selection and acquisition
controls
Review virus control techniques.
Appendix
Internet Technologies
Internet Technologies
Packet switching
◦ messages are divided into small packets
◦ each packet of the message takes a different route
Virtual private network (VPN)
◦ a private network within a public network
Extranets
◦ a password controlled network for private users
World Wide Web
◦ an Internet facility that links users locally and globally
Internet addresses
◦ e-mail address
◦ URL address
◦ IP address
Protocol Functions…
facilitate the physical connection
between the network devices.
synchronize the transfer of data
devices.
promote network designs that are
Internet Protocols
Transfer Control Protocol/Internet Protocol
(TCP/IP) - controls how individual packets of
data are formatted, transmitted, and received
Hypertext Transfer Protocol (HTTP) - controls
web browsers
File Transfer Protocol (FTP) - used to transfer
files across the internet
Simple Network Mail Protocol (SNMP) - e-mail
Secure Sockets Layer (SSL) and Secure
Electronic Transmission (SET) - encryption
schemes
Local Area Networks (LAN)
A federation of computers located close together
(on the same floor or in the same building)
linked together to share data and hardware
The physical connection of workstations to the
LAN is achieved through a network interface card
(NIC) which fits into a PC’s expansion slot and
contains the circuitry necessary for inter-node
communications.
A server is used to store the network operating
system, application programs, and data to be
shared.
LAN
[Figure: LAN diagram; labels: Files, File Server, Node, Printer]
Wide Area Network (WAN)
A WAN is a network that is dispersed over
a wider geographic area than a LAN. It
typically requires the use of:
◦ gateways to connect different types of
LANs
◦ bridges to connect same-type LANs
WANs may use common carrier facilities,
such as telephone lines, or they may use a
Value Added Network (VAN).
WAN
[Figure: WAN diagram; labels: Bridge, LAN, Gateway, WAN]
Star Topology
A network of IPUs with a large central
computer (the host)
The host computer has direct
mainframe computing.
All communications must go through
[Figure: star topology diagram; labels: Kansas City, Central Data, Dallas, Tulsa, Local Data, POS]
Hierarchical Topology
A host computer is connected to several
levels of subordinate smaller computers
in a master-slave relationship.
[Figure: hierarchical topology diagram; labels: Corporate Level, Production Planning System, Regional Level, Production Scheduling System, Regional Sales System]
Ring Topology
This configuration eliminates the central
site. All nodes in this configuration are
of equal status (peers).
Responsibility for managing
Ring Topology
Figure 12-10
Bus Topology
The nodes are all connected to a
common cable - the bus.
Communications and file transfers
Bus Topology
Client-Server Topology
This configuration distributes the
processing between the user’s (client’s)
computer and the central file server.
Both types of computers are part of the
Client-Server Topology
Network Control Objectives
establish a communications session
between the sender and the receiver
manage the flow of data across the
network
detect errors in data caused by line
Polling Method of Controlling Data Collisions
Token-Passing Approach to Controlling Data
Collisions
Carrier Sensing
A random access technique that detects collisions
when they occur
This technique is widely used--found on Ethernets.
The node wishing to transmit listens to the line to
determine if in use. If it is, it waits a pre-specified
time to transmit.
Collisions occur when nodes listen, hear no
transmissions, and then simultaneously transmit.
Data collides and the nodes are instructed to hang
up and try again.
Disadvantage: The line may not be used optimally
when multiple nodes are trying to transmit
simultaneously.